Access

Access - 10.10.10.98

Target Enumeration:

OS: Windows

IP: 10.10.10.98

User: ff1f3b48913b213a31ff6756d2553d38

Root: 6e1586cc7ab230a8d297e8f933d904cf

Ports / Services / Software Versions Running

FTP

Telnet

HTTP

Vulnerability Exploited:

Anonymous ftp access allows you to download a mdb file which once reviewed gives you a password for the zip file.

Once zip file is extracted there is a telnet password for security in the outlook backup file.

Privilege Escalation:

Runas to get reverse nc shell.

Exploiting the host:

Nmap

Anonymous access to FTP allowed so download the files

Open the mdb file with the following url https://www.mdbopener.com/

Found the password within the backup.mdb file access4u@security

Use this password to extract access control.zip

Which gives you what looks to be an outlook backup

Install outlook in a windows vm and import the pst file

Use these creds to login via telnet security:4Cc3ssC0ntroller

Grab the user flag

User is low priv

There is a sql service script within the C:\temp dir

Which has credentials of sa:htrcy@HXeryNJCTRHcnb45CJRY

Good chance we have to open the mssql service and exploit that to get root

Can’t find sql server running so must be a false positive/ rabbit hole.

Download nc to the machine and run with runas

Receive a root shell

Collect your flag