Nmap

The initial Nmap scan revealed HTTP, Telnet and FTP ports.

00 - nmap

FTP Anonymous

Anonymous FTP login was allowed. On the FTP server there was a ‘.mdb’ file and an encrypted zip file.

01 - anonymous

MDB File

‘.mdb’ is the format for legacy Microsoft Access databases. I tried to open the file but it did not work, so I ran strings on it, and one of the strings looked like a password.

02 - password

Unzip Encrypted Zip

So using ‘7z’ I decrypted and unzipped the zip file.

03 - extracted

PST File

Inside the zip there was a PST file. ‘.pst’ files store copies of Outlook messages. So I used an online ‘.pst’ interpreter and got the password.

04 - password

But I could also use the ‘readpst’ command-line application to read the PST file.

04 - password 2

Exploitation

So the PST file revealed a username and password. I simply connected to telnet and got the user flag.

05 - got the user

06 - got the user

Privilege Escalation

Then I set up an SMB share and tried to run winPEAS.exe, which did not work. Then I tried to copy a reverse shell into the website’s directory, which also did not work. Then I opened a Windows privilege escalation cheatsheet and started trying the techniques one by one. The stored credentials worked. I ran ‘cmdkey /list’ to check whether there were any stored credentials.

07 - cmdkey stored password

Then, using the SMB share, I transferred the nc64.exe file.

08 - smb share

09 - copy

And then I simply used the ‘runas’ application to run nc64 as Administrator and get a reverse shell.

10 - got it
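
From the defender's side, the ‘cmdkey /list’ and ‘runas’ sequence above is visible in process-creation logging. The following is an added example, not part of the original write-up: a small detection pass over constructed command-line events, assuming the stored credential is consumed through runas's ‘/savecred’ switch and that command lines are logged (for instance Security event 4688 or Sysmon event 1). The hosts, users and paths in the sample are made up.

```python
import re

# Constructed sample of process-creation command lines; all values are
# illustrative and do not come from the original write-up.
SAMPLE_EVENTS = [
    {"time": "10:01:12", "user": "ws01\\alice", "cmd": "cmdkey /list"},
    {"time": "10:01:40", "user": "ws01\\alice", "cmd": r"net use \\10.0.0.5\share"},
    {"time": "10:02:03", "user": "ws01\\alice",
     "cmd": r'runas /user:WS01\Administrator /savecred "C:\Users\alice\tool.exe"'},
    {"time": "10:05:00", "user": "ws01\\bob", "cmd": r"runas /user:WS01\svc notepad.exe"},
    {"time": "10:06:00", "user": "ws01\\bob", "cmd": "CMDKEY.EXE  /List"},
]

CMDKEY_LIST = re.compile(r"\bcmdkey(\.exe)?\"?\s+.*?/list\b", re.I)
RUNAS_SAVED = re.compile(r"\brunas(\.exe)?\"?\s+.*?/savecred\b", re.I)
RUNAS_USER = re.compile(r"/user:(\S+)", re.I)

def detect(events):
    """Return alerts for stored-credential enumeration and use, in log order."""
    enumerated = set()  # users who have already listed stored credentials
    alerts = []
    for ev in events:
        cmd, user = ev["cmd"], ev["user"].lower()
        if CMDKEY_LIST.search(cmd):
            enumerated.add(user)
            alerts.append({"time": ev["time"], "user": user, "severity": "low",
                           "rule": "stored-credential enumeration"})
        elif RUNAS_SAVED.search(cmd):
            target = RUNAS_USER.search(cmd)
            alerts.append({
                "time": ev["time"], "user": user,
                # Enumeration followed by use by the same account is the
                # stronger signal; saved-credential use alone is still flagged.
                "severity": "high" if user in enumerated else "medium",
                "rule": "runas with saved credential",
                "target": target.group(1) if target else None,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Where the high-severity rule fires, the stored entry itself is the root cause: ‘cmdkey /delete:<target>’ run as the affected account removes it.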

Pwned

The machine was fully compromised.

pwned

