Access

Access - 10.10.10.98
Target Enumeration:
OS: Windows
IP: 10.10.10.98
User: ff1f3b48913b213a31ff6756d2553d38
Root: 6e1586cc7ab230a8d297e8f933d904cf
Ports / Services / Software Versions Running
FTP
Telnet
HTTP
Vulnerability Exploited:
Anonymous ftp access allows you to download a mdb file which once reviewed gives you a password for the zip file.
Once zip file is extracted there is a telnet password for security in the outlook backup file.
Privilege Escalation:
Runas to get reverse nc shell.
Exploiting the host:
Nmap
Anonymous access to FTP allowed so download the files
Open the mdb file with the following url https://www.mdbopener.com/​
Found the password within the backup.mdb file [email protected]
Use this password to extract access control.zip
Which gives you what looks to be an outlook backup
Install outlook in a windows vm and import the pst file
Use these creds to login via telnet security:4Cc3ssC0ntroller
Grab the user flag
User is low priv
There is a sql service script within the C:\temp dir
Which has credentials of sa:[email protected]
Good chance we have to open the mssql service and exploit that to get root
Can’t find sql server running so must be a false positive/ rabbit hole.
Download nc to the machine and run with runas
Receive a root shell
Collect your flag

Last modified 3yr ago