# Access

## Access - 10.10.10.98

### Target Enumeration:

OS: Windows

IP: 10.10.10.98

User: ff1f3b48913b213a31ff6756d2553d38

Root: 6e1586cc7ab230a8d297e8f933d904cf

### Ports / Services / Software Versions Running

FTP

Telnet

HTTP

### Vulnerability Exploited:

Anonymous FTP access lets you download an MDB file which, once reviewed, gives you the password for the zip file.

Once the zip file is extracted, the Outlook backup file inside it contains the telnet password for the security user.
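From the defender's side, the exposure above comes down to credential-bearing files sitting in a directory that anonymous FTP serves. The following audit is an added example, not part of the original walkthrough: it flags Access databases, Outlook PST files and zip archives by their content signatures rather than their extensions. The function names and the sample tree are constructed for illustration.

```python
import os
import struct
import tempfile

def classify(header: bytes):
    """Label file types that often carry credentials, judged by content."""
    if header[4:19] in (b"Standard Jet DB", b"Standard ACE DB"):
        return "access-database"          # .mdb / .accdb
    if header[:4] == b"!BDN":
        return "outlook-pst"              # Outlook mailbox export
    if header[:4] == b"PK\x03\x04" and len(header) >= 8:
        (flags,) = struct.unpack_from("<H", header, 6)  # bit 0 = encrypted entry
        return "zip-encrypted" if flags & 1 else "zip"
    return None

def audit_share(root: str):
    """Map relative path -> label for every flagged file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    label = classify(fh.read(32))
            except OSError:
                continue                  # unreadable file: skip, keep auditing
            if label:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = label
    return findings

def build_sample_share(root: str) -> None:
    """Constructed sample tree; names and contents are made up for the demo."""
    samples = {
        "Backups/data.bin": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 16,
        "Engineer/archive.dat": b"PK\x03\x04\x33\x00\x01\x00\x63\x00" + b"\x00" * 20,
        "Engineer/mail.tmp": b"!BDN" + b"\x00" * 28,
        "readme.txt": b"Nothing sensitive here\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        print(audit_share(tmp))
```

Point `audit_share` at the directory your FTP server exposes to anonymous users; an encrypted zip is still a finding when its password is stored in another file on the same share.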

### Privilege Escalation:

Use runas to get a reverse nc shell.

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/U0TRxtwBcU1hC1GaasU1_-mvcqaQCqpXLzU_y46Kh957e744lgNsFEioJZImycu4vB2A-7ULbpxoFHzbAlrSWLAnAYIh2KcBdLQPIlap3DpSVTHOA8IAVnvPw2MmoXLPh8BWFPF-)

Anonymous access to FTP is allowed, so download the files.

<div align="left"><img src="https://lh5.googleusercontent.com/FYxPVvjp6S788u5wpnopzieddbujoD596R-4HlZd_eOpHs2dCBVTXaNrJrxE9QYDVtszyuKoNLIeuifMQvGZ_jpeE0YvbymcRHdw0jzbVQx21SPwGb6RQSLwniqPBQlhBbQS6_Gk" alt=""></div>

Open the MDB file using <https://www.mdbopener.com/>

<div align="left"><img src="https://lh5.googleusercontent.com/0sS9jU2jiZj6I32wvnYADvh_uCkwUqBpm2RBcDYagntHlWcY6sg-48Drv-r9rzddLvxKpAzh-TGBm5UnjOCth8bATA2ZtDar_1_BpMjyGRJzsHVuTQMCj2oariZZS2FqBRKpnJk7" alt=""></div>

Found the password within the backup.mdb file: access4u@security

<div align="left"><img src="https://lh6.googleusercontent.com/67R4chRZGC1dbxF8cC_LMIWNDJs9G4Wo2sWhDXJJzYKRGC0eHgJTCC6cJD57x0XMweK9WxeY6YDi7AFkjLYawVLE4zPOR4t8c8om7HSgs_c3JZIxnbfe8AfCMcV2oSbQ8oyeX-gb" alt=""></div>

Use this password to extract access control.zip, which gives you what looks to be an Outlook backup.

<div align="left"><img src="https://lh5.googleusercontent.com/TJKlDah9GqTbJgy-iv4vwgKndzO3_mvpOcCpTvCL3fhZyWu-xWgDT2UmivTs_3A0_eyxaCX-lxuD4ttYT7aaZ4mFcoHE9bI3a4OiqYC9EJT6bcZwBetVWjrGrgeVNeGiIAHqdLgi" alt=""></div>

Install Outlook in a Windows VM and import the PST file.

<div align="left"><img src="https://lh4.googleusercontent.com/gE02pbLX1j2wg82xpq22iL8LXkpJx8rioM_OR_hG5CQIy1ueCy7mbc3FaECqJs5XwIuyqiDPEOZ24u-Y5FwOlytjYAZZ4WO8WEO6DDh8ZWM2caISAbW2ICPwG8gE0Pub5FepKVeS" alt=""></div>

Use these creds to log in via telnet: security:4Cc3ssC0ntroller

<div align="left"><img src="https://lh5.googleusercontent.com/5SqpoPU6TxZItiLu9cF5enQB4N57a1DD01gYH_DOldum4KarCtnbyaVEyJTIiMConLpT2VtM6uRdkjdf1gm8L4BFOXZD8FPSLWOJuETMjG_MHDPtcRshU7_K3FCBPKMjVvbgk7vB" alt=""></div>

Grab the user flag

<div align="left"><img src="https://lh4.googleusercontent.com/PyLrjRhFjO7LQKNkYpQ-ORRZFxohdlv9h2Qsy0m3RcgrOO1QUjNbQnqfQj21xSSSOv5-CW5HboBs17P2Q8ojM1JJ7TNsmvigUExTVPQOYsYbWQxJpMQ_HnE9Uwt5vQ6sghPmFsMM" alt=""></div>

The user is low-privileged.

There is a SQL service script in the C:\temp directory.

![](https://lh6.googleusercontent.com/pXquHkCDGJjOHN7_QrOukE5UACZ6EOPI11YVpHHAQwJA3FUE_-kl-lJMIq04TBZ2CLbJUsljiLcmZTC2hJ3xmwy352t56KpyRhUgZMRZ6EHpBy4qCGSfuw7EN3JZ3ywaaIzNZsFl)

It contains the credentials sa:htrcy@HXeryNJCTRHcnb45CJRY

Good chance we have to open the MSSQL service and exploit that to get root.

Can't find SQL Server running, so this must be a false positive / rabbit hole.

Download nc to the machine and run it with runas.

![](https://lh3.googleusercontent.com/RFuqEFbQ1OY9Q1DQInMvvh6WA9nnKaJ2HdZPPkgSv0TjECWKaaGr4wAKwh88K5maVylxvplXYKomzQCAkEGXhHBO01-5rOxv5b92-pzIbpklCvoHLe6rzj129W6_553j4_WhhCzj)

Receive a root shell

<div align="left"><img src="https://lh6.googleusercontent.com/lmUH7w5708vXz8ykyXaYBo4dQ3lCw8kigCpaKYE2ZAGL-MMiM3CJrewYzeR7r6tlO2OJ5NFWg0R6Qz4LNEgorpOG7dsy-LFQvBejSP_5T3t1C8EQP3DhvXKiwX9sRsEZ-HB5UUR8" alt=""></div>

Collect your flag

<div align="left"><img src="https://lh6.googleusercontent.com/bIOlOnEZaqqT6OYEtREAh0IwLYrcNGzChAIAJiKWzjyZvnERHUejP7SEdFx8D9_Shh_pxNBbXDOzTBP_Fc9WooMdk_x8wBjqLA-DLbemC1xe9WRtC9lKXc0SdFuhH1br_nlvVyKw" alt=""></div>

