# Access

## Access - 10.10.10.98

### Target Enumeration:

OS: Windows

IP: 10.10.10.98

User: ff1f3b48913b213a31ff6756d2553d38

Root: 6e1586cc7ab230a8d297e8f933d904cf

### Ports / Services / Software Versions Running

FTP

Telnet

HTTP

### Vulnerability Exploited:

Anonymous FTP access allows you to download an mdb file which, once reviewed, gives you the password for the zip file.

Once the zip file is extracted, the Outlook backup file inside contains a telnet password for the security user.
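Seen from the defender's side, the exposure above is credential-bearing containers sitting in an anonymously readable FTP root. The following Python script is an added example, not part of the original writeup: it walks a local FTP root and flags Access databases, Outlook stores and ZIP archives by file signature rather than extension. The function names and labels are assumptions made for this example.

```python
import zipfile
from pathlib import Path

# Signatures of the container types this walkthrough pulls credentials from.
JET_MAGIC = (b"Standard Jet DB", b"Standard ACE DB")  # offset 4 in .mdb/.accdb
PST_MAGIC = b"!BDN"                                   # offset 0 in .pst/.ost


def classify(path):
    """Return a label for a risky container, or None if the file is not one."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    if head[4:19] in JET_MAGIC:
        return "access-database"
    if head.startswith(PST_MAGIC):
        return "outlook-store"
    if zipfile.is_zipfile(path):
        try:
            with zipfile.ZipFile(path) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                # A password-protected archive is only as safe as its password,
                # which here was stored in a database in the same FTP root.
                if any(i.flag_bits & 0x1 for i in zf.infolist()):
                    return "zip-encrypted"
        except zipfile.BadZipFile:
            return "zip-unreadable"
        return "zip"
    return None


def audit_ftp_root(root):
    """Walk a local FTP root and map relative path -> label for flagged files."""
    findings = {}
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify(p)
            if label:
                findings[p.relative_to(root).as_posix()] = label
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, label in audit_ftp_root(target).items():
        print(f"{label:16} {rel}")
```

Run it against the directory the FTP service publishes to anonymous users; anything it reports should be moved out of that tree or reviewed for stored credentials.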

### Privilege Escalation:

Use runas to get a reverse nc shell.

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/U0TRxtwBcU1hC1GaasU1_-mvcqaQCqpXLzU_y46Kh957e744lgNsFEioJZImycu4vB2A-7ULbpxoFHzbAlrSWLAnAYIh2KcBdLQPIlap3DpSVTHOA8IAVnvPw2MmoXLPh8BWFPF-)

Anonymous access to FTP is allowed, so download the files.

<div align="left"><img src="https://lh5.googleusercontent.com/FYxPVvjp6S788u5wpnopzieddbujoD596R-4HlZd_eOpHs2dCBVTXaNrJrxE9QYDVtszyuKoNLIeuifMQvGZ_jpeE0YvbymcRHdw0jzbVQx21SPwGb6RQSLwniqPBQlhBbQS6_Gk" alt=""></div>

Open the mdb file with the following URL: <https://www.mdbopener.com/>

<div align="left"><img src="https://lh5.googleusercontent.com/0sS9jU2jiZj6I32wvnYADvh_uCkwUqBpm2RBcDYagntHlWcY6sg-48Drv-r9rzddLvxKpAzh-TGBm5UnjOCth8bATA2ZtDar_1_BpMjyGRJzsHVuTQMCj2oariZZS2FqBRKpnJk7" alt=""></div>

Found the password within the backup.mdb file: access4u\@security

<div align="left"><img src="https://lh6.googleusercontent.com/67R4chRZGC1dbxF8cC_LMIWNDJs9G4Wo2sWhDXJJzYKRGC0eHgJTCC6cJD57x0XMweK9WxeY6YDi7AFkjLYawVLE4zPOR4t8c8om7HSgs_c3JZIxnbfe8AfCMcV2oSbQ8oyeX-gb" alt=""></div>

Use this password to extract access control.zip, which gives you what looks to be an Outlook backup.

<div align="left"><img src="https://lh5.googleusercontent.com/TJKlDah9GqTbJgy-iv4vwgKndzO3_mvpOcCpTvCL3fhZyWu-xWgDT2UmivTs_3A0_eyxaCX-lxuD4ttYT7aaZ4mFcoHE9bI3a4OiqYC9EJT6bcZwBetVWjrGrgeVNeGiIAHqdLgi" alt=""></div>

Install Outlook in a Windows VM and import the pst file.

<div align="left"><img src="https://lh4.googleusercontent.com/gE02pbLX1j2wg82xpq22iL8LXkpJx8rioM_OR_hG5CQIy1ueCy7mbc3FaECqJs5XwIuyqiDPEOZ24u-Y5FwOlytjYAZZ4WO8WEO6DDh8ZWM2caISAbW2ICPwG8gE0Pub5FepKVeS" alt=""></div>

Use these creds to log in via telnet: security:4Cc3ssC0ntroller

<div align="left"><img src="https://lh5.googleusercontent.com/5SqpoPU6TxZItiLu9cF5enQB4N57a1DD01gYH_DOldum4KarCtnbyaVEyJTIiMConLpT2VtM6uRdkjdf1gm8L4BFOXZD8FPSLWOJuETMjG_MHDPtcRshU7_K3FCBPKMjVvbgk7vB" alt=""></div>

Grab the user flag

<div align="left"><img src="https://lh4.googleusercontent.com/PyLrjRhFjO7LQKNkYpQ-ORRZFxohdlv9h2Qsy0m3RcgrOO1QUjNbQnqfQj21xSSSOv5-CW5HboBs17P2Q8ojM1JJ7TNsmvigUExTVPQOYsYbWQxJpMQ_HnE9Uwt5vQ6sghPmFsMM" alt=""></div>

The user is low-privileged.

There is a SQL service script within the C:\temp directory.

![](https://lh6.googleusercontent.com/pXquHkCDGJjOHN7_QrOukE5UACZ6EOPI11YVpHHAQwJA3FUE_-kl-lJMIq04TBZ2CLbJUsljiLcmZTC2hJ3xmwy352t56KpyRhUgZMRZ6EHpBy4qCGSfuw7EN3JZ3ywaaIzNZsFl)

It has credentials of sa:htrcy\@HXeryNJCTRHcnb45CJRY

There is a good chance we have to open the MSSQL service and exploit that to get root.

Can’t find SQL Server running, so it must be a false positive / rabbit hole.

Download nc to the machine and run it with runas.

![](https://lh3.googleusercontent.com/RFuqEFbQ1OY9Q1DQInMvvh6WA9nnKaJ2HdZPPkgSv0TjECWKaaGr4wAKwh88K5maVylxvplXYKomzQCAkEGXhHBO01-5rOxv5b92-pzIbpklCvoHLe6rzj129W6_553j4_WhhCzj)

Receive a root shell

<div align="left"><img src="https://lh6.googleusercontent.com/lmUH7w5708vXz8ykyXaYBo4dQ3lCw8kigCpaKYE2ZAGL-MMiM3CJrewYzeR7r6tlO2OJ5NFWg0R6Qz4LNEgorpOG7dsy-LFQvBejSP_5T3t1C8EQP3DhvXKiwX9sRsEZ-HB5UUR8" alt=""></div>

Collect your flag

<div align="left"><img src="https://lh6.googleusercontent.com/bIOlOnEZaqqT6OYEtREAh0IwLYrcNGzChAIAJiKWzjyZvnERHUejP7SEdFx8D9_Shh_pxNBbXDOzTBP_Fc9WooMdk_x8wBjqLA-DLbemC1xe9WRtC9lKXc0SdFuhH1br_nlvVyKw" alt=""></div>
