Access
OS: Windows
IP: 10.10.10.98
User: ff1f3b48913b213a31ff6756d2553d38
Root: 6e1586cc7ab230a8d297e8f933d904cf
FTP
Telnet
HTTP
Anonymous ftp access allows you to download a mdb file which once reviewed gives you a password for the zip file.
Once zip file is extracted there is a telnet password for security in the outlook backup file.
Runas to get reverse nc shell.
Nmap
Anonymous access to FTP allowed so download the files
Open the mdb file with the following url https://www.mdbopener.com/​
Found the password within the backup.mdb file [email protected]
Use this password to extract access control.zip
Which gives you what looks to be an outlook backup
Install outlook in a windows vm and import the pst file
Use these creds to login via telnet security:4Cc3ssC0ntroller
Grab the user flag
User is low priv
There is a sql service script within the C:\temp dir
Which has credentials of sa:[email protected]
Good chance we have to open the mssql service and exploit that to get root
Can’t find sql server running so must be a false positive/ rabbit hole.
Download nc to the machine and run with runas
Receive a root shell
Collect your flag
