
Sunday, March 31, 2019

Access


ACCESS

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Access, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

2.1 - Ports enumeration

- The IP for Access is 10.10.10.82:




- Scanning with Nmap:




- Scanning ports 21, 23 and 80 in more depth:





2.2 - FTP enumeration

- From the previous image we learn that the FTP server allows anonymous connections.

- Connection to the FTP server is successful:




- There are two directories available: Backups and Engineer




- Let's first explore Backups, where there is a file called backup.mdb:





- When trying to download backup.mdb, there seem to be some problems related to the transfer in FTP ASCII mode:




- However, after changing to FTP binary mode the transfer is successful:






- In the Engineer folder the transfer is also problematic, in this case because of the space in the file name Access Control.zip:




- After changing the name to Access\ Control.zip, the transfer of the .zip file is successful:




- Finally, we have both files available to study on Kali:





2.3 - Microsoft Access database enumeration


- Let's start by trying to unzip 'Access Control.zip':



- A password is required for extracting the .zip file:






- Going to backup.mdb, the easiest way to open it is with a Microsoft application, for instance using Access or even Excel.

- Once backup.mdb is opened and the table auth_user is selected:







- Also, there are some Linux tools to handle Access databases:

https://github.com/brianb/mdbtools


- For instance, extracting all the tables with mdb-tables from backup.mdb and writing them to the file backup_tables:




- The text file is a little bit messy:






- To clarify the content, looking for "user" related information:




- Exporting the content of the table auth_user with mdb-export, the result is the same as before:





- So it seems that we have discovered two potential passwords: admin and access4u@security

- Now, going back to the .zip file and applying the password access4u@security, the extraction is successful:





- As a result of the extraction we have the file Access Control.pst:



 


- The .pst file extension means Personal Storage Table, an open proprietary file format used to store copies of messages, calendar events, and other items within Microsoft software such as Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook:

https://en.wikipedia.org/wiki/Personal_Storage_Table


- The readpst Linux command helps to read the content of Access Control.pst:

https://linux.die.net/man/1/readpst


- Applying readpst to Access Control.pst, the result is another file called Access Control.mbox:



- Reading the .mbox (MailBox) file is trivial with cat, and we find the promising password 4Cc3ssC0ntr0ller for the user account security:




3 - EXPLOITATION


- Now, connecting to the Telnet service with the user account security and the password 4Cc3ssC0ntr0ller, the result is a remote shell on Access:

 

4 - CAPTURING THE 1st FLAG

- Reading user.txt is easy:





5 - PRIVILEGE ESCALATION


- However, access to the Administrator's folder is denied, so we will need some Privilege Escalation method:




- At this moment the current user is security, whose Desktop only holds the previously found file user.txt:





- The Privilege Escalation technique to be used is based on the command runas /savecred.


- The runas command lets you run a program from a command prompt using the credentials of another user account.

- cmdkey lists the stored credentials in the Credential Manager Database:





- In our case the command runas /savecred impersonates the user Administrator using the stored credential, without needing his password.

- For instance, to output the file root.txt from Administrator's Desktop to user security's Desktop:




- Now the root.txt is available at the user security's Desktop:
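
The stored credential is the root cause of this escalation, so the defensive counterpart is to audit what cmdkey reports. The following is an added example, not part of the original write-up: it parses cmdkey /list output and flags saved interactive credentials. The sample output, the host name ACCESS in it and the PRIVILEGED_NAMES set are constructed assumptions.

```python
import re

# Constructed sample of `cmdkey /list` output (layout assumed from typical Windows output).
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=backup-share
    Type: Generic
    User: svc_backup
"""

PRIVILEGED_NAMES = {"administrator"}  # assumption: extend with local admin accounts


def parse_cmdkey(output):
    """Split `cmdkey /list` output into one dict per stored credential."""
    entries, current = [], {}
    for line in output.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "target" and current:  # a new Target line starts a new entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Flag saved interactive credentials, the kind `runas /savecred` stores."""
    findings = []
    for e in entries:
        target, user = e.get("target", ""), e.get("user", "")
        if not target.lower().startswith("domain:interactive="):
            continue  # other credential types are out of scope for this check
        account = user.split("\\")[-1].lower()
        severity = "high" if account in PRIVILEGED_NAMES else "review"
        findings.append({"user": user, "severity": severity,
                         "remove_with": f"cmdkey /delete:{target}"})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cmdkey(SAMPLE_CMDKEY_OUTPUT)):
        print(finding)
```

Any low-privileged session running as the account that owns a flagged entry can start programs as the stored user, so removing the entry with cmdkey /delete closes the path shown above.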





6 - CAPTURING THE 2nd FLAG


- Reading root.txt:









Silo


SILO

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Silo, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Silo's IP is 10.10.10.82:





- Scanning with Nmap:




- So we have a Windows machine running the database Oracle listening on ports 1521 and 49161, and also IIS at port 80.

- Metasploit helps with the module sid_brute to brute-force the Oracle SIDs needed to connect to the database:





- ODAT (Oracle Database Attacking Tool) yields a similar result when guessing the SIDs:

https://github.com/quentinhardy/odat


- Throughout this exercise I will be using the standalone version of ODAT.

https://github.com/quentinhardy/odat/releases/




- Also, we know that default credentials for Oracle are scott:tiger, as explained here:

http://www.orafaq.com/wiki/SCOTT

http://www.dba-oracle.com/t_oracle_scott_tiger_user.htm






3 - EXPLOITATION

- Msfvenom helps to create an .aspx backdoor:









- ODAT uploads backdoor.aspx to Silo's web root directory:




- Starting a listening session:




- Running backdoor.aspx from the browser:




- The result is a low-privileged Meterpreter session:




- Also, we can spawn a shell:





- Going to Phineas user's Desktop there are two interesting files: user.txt and Oracle issue.txt:







4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- There are different ways of getting a remote root shell; let's see two of them.


5.1 - Uploading and running a backdoor with Odat

- Let's now create an executable backdoor.exe with Msfvenom:







- Copying backdoor.exe to Odat's working directory:




- Odat's utlfile --putFile option uploads the executable to Silo's C:/





- Setting a listening session:





- Running backdoor.exe with Odat's option externaltable --exec:





- Once backdoor.exe is executed we get a root Meterpreter session:







5.2 - Pass The Hash (PTH)

- First, we need to get the credential hashes with Volatility.

- Reading the text file Oracle issue.txt we find a link to Dropbox and an associated password:



- However, the first character of the password needs to be found:




- Backgrounding the shell and going back to the Meterpreter session we can download the Oracle issue.txt text file to Kali:

















- Opening the file with gedit, the 1st character of the password is now clear:






- Using the password there is access to the Dropbox link:







- We find a Memory Dump for Silo:





- Saving the file:




- Unzipping twice:







- Finally we get a .dmp file:







- The forensics tool Volatility can help to read the dump content:


https://www.volatilityfoundation.org/


- Some options for Volatility:











- Getting virtual addresses for some files:




- Actually, the addresses of SYSTEM and SAM are of the greatest interest to us:








- Hashdumping to a text file:




- Finally, we can read the hashes for 3 of the users, Administrator, Guest, Phineas:



Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.



- We will use Pass The Hash (PTH) in two ways, the first using the Metasploit module psexec, the second using pth-winexe:


5.2.1 - Pass the Hash (PTH) with Metasploit psexec

- The psexec module can be used to obtain access to a given system when credentials like username and password hash are known:

https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/


5.2.2 - Pass the Hash (PTH) with pth-winexe

- pth-winexe is a patched version of winexe that can be used to get a remote shell by just providing the username and the hash of the password, so no cleartext password is needed:

https://www.whitelist1.com/2017/10/pass-hash-pth-attack-with-pth-winexe.html




- Also, passing the username and hashed password on the command-line:
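
From the defender's side, both PTH variants in 5.2.1 and 5.2.2 leave the same trail on the target: an NTLM network logon for an administrative account, followed shortly by a new Windows service, since psexec-style tools and winexe execute through a remotely created service. The following is an added detection example, not part of the original write-up: it correlates Security event 4624 with System event 7045. The events, field names, addresses, time window and watched accounts are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, reduced to the fields used below (not from the page).
EVENTS = [
    {"time": "2019-03-31T10:00:01", "host": "SILO", "id": 4624, "logon_type": 3,
     "auth_package": "NTLM", "account": "Administrator", "source_ip": "10.10.14.5"},
    {"time": "2019-03-31T10:00:03", "host": "SILO", "id": 7045,
     "service_name": "qZxWvRtY"},
    {"time": "2019-03-31T11:30:00", "host": "SILO", "id": 4624, "logon_type": 2,
     "auth_package": "Negotiate", "account": "Phineas", "source_ip": "-"},
    {"time": "2019-03-31T12:00:00", "host": "SILO", "id": 7045,
     "service_name": "OracleJobScheduler"},
]

WINDOW = timedelta(seconds=30)        # assumption: tune per environment
WATCHED_ACCOUNTS = {"administrator"}  # assumption: built-in or local admin accounts


def is_ntlm_network_logon(ev):
    """4624 = successful logon, type 3 = network, NTLM = the package a hash logon uses."""
    return (ev["id"] == 4624 and ev.get("logon_type") == 3
            and ev.get("auth_package") == "NTLM"
            and ev.get("account", "").lower() in WATCHED_ACCOUNTS)


def correlate(events, window=WINDOW):
    """Pair each watched NTLM network logon with a service install (7045)
    that follows on the same host within `window`."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO strings sort by time
    alerts = []
    for i, logon in enumerate(ordered):
        if not is_ntlm_network_logon(logon):
            continue
        t0 = datetime.fromisoformat(logon["time"])
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["time"]) - t0 > window:
                break
            if later["id"] == 7045 and later["host"] == logon["host"]:
                alerts.append({"host": logon["host"], "account": logon["account"],
                               "source_ip": logon["source_ip"],
                               "service": later["service_name"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The logon record looks the same whether the client knew the password or only the hash, so this rule flags the behaviour pattern rather than the hash itself, and legitimate remote administration over NTLM will match it too.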







6 - CAPTURING THE 2nd FLAG

- Reading root.txt: