Tsuki’s capture the flag Speedruns of HackTheBox machines are WAY too fun, and addictive as candy. I’m going to use this particular vid as a test, to see how useful a full explanation is for my Hacking 101 students.
Hacking Access Database Files in Kali
00:00 – Port Scan
nmap -sC -sV 10.10.10.98
You’ll see this recipe again and again. The -sC option runs the default set of scan scripts, which will identify the most common services. -sV does host enumeration and version detection. In this case, the anonymous-login FTP service is the most tempting target.
00:16 – FTP Enumeration
So Tsuki goes straight to that anonymous login. User: anonymous, password: nothing (not the word “nothing”, but literally nothing, an empty string).
A dir command reveals two directories, Backups and Engineer.
cd Backups dir
Oh look: there’s backup.mdb. An mdb file is, of course, an Access database file. Get files like this in binary, not text, mode.
binary get backup.mdb
Can’t forget that other directory:
cd ../Engineer dir get "Access Control.zip"
Because there’s a space in the file name, we need quotation marks. Otherwise FTP will think we’re asking for two files. Another way to do the same thing is to use the escape character, the backslash, in front of the space to “escape” its normal meaning (a divider) and turn it into a hard space (not a divider).
Time to leave FTP:
Okay, check our local directory:
… and there it is. Good.
Now Tsuki opens a second terminal and takes advantage of the Linux command apropos. Look up apropos in the dictionary: it basically means “having to do with” or “about”.
Check out the gold mine of utilities to run SQL, list tables, get the version etc. See, you don’t need Access (the Office application) to get into these files!
This command puts us into SQL mode, where we can run queries.
Bingo: here are our tables. Scan the list for obvious targets, like user and password tables. Yippee! auth_user looks like what we need. Time to leave the SQL interface with this simple command:
00:55 – Plain Text Password Dump 1 (backup.mdb)
Back in the shell, Tsuki exports the table.
mdb-export backup.mdb auth_user
The first line of output is column names. The following lines are entries (tuples). And oh man, someone is lazy: passwords in plain text! Does this happen in real life? Yeah. Oh, yeah. So copy engineer’s password.
02:04 – Plain Text Password Dump 2 (Access\ Control.mbox)
Remember that Access Control.zip file we grabbed earlier? Unzip:
unzip Access\ Control.zip
Oops, got a compression type error. Try a different algorithm:
7z x Access\ Control.zip
The syntax is first the 7z command, then the “x” switch to extract, then the file name. Note that escape character.
Ah, we get prompted for a password. Tsuki pastes in engineer’s password, and out comes the file “Access Control.pst”. Once again we need to know what this file extension means (DuckDuckGo is your friend). In this case, it’s an MS Outlook file that holds a user’s emails.
In the second terminal window, Tsuki asks about utilities that can open pst files. Once again, we don’t need Outlook to peel open these files in Linux.
The one we want is readpst.
readpst Access\ Control.pst
Now less the file that was output, “Access Control.mbox”, a plain-text format.
less Access\ Control.mbox
And here it is: a message with a username and password in the clear! Copy them.
02:44 – Telnet Remote Login
Enter the username and password.
whoami dir cd Desktop type user.txt
Type is like cat in Windows, and gets us the first flag. Way cool! Copy and save it to validate the challenge when we’re done.
03:27 – Running Commands As Administrator
… gets you local credentials. (Run cmdkey by itself in the CLI for the help screen.)
C:\Windows\System32\runas.exe /env /savecred /user:Administrator "cmd /k more C:\Users\Administrator\Desktop\root.txt > flag.txt"
Now this is meaty. Tsuki invokes runas, which as you’d expect runs a command as another user. We’re using the local environment’s saved credentials for the user Administrator to more (output the text of) the file root.txt. In most CTF situations, even under Windows, the “God” flag is in root.txt. The output is written to flag.txt.
Let’s see the flag!
Let me know if you find this explanation useful, and if it is I’ll do more of these on Tsuki CTF’s excellent videos.
If you’re learning hacking and/or capture the flag, I’d highly recommend you go through all of Tsuki’s videos. Subscribe to his channel so he’ll keep doing them: https://www.youtube.com/user/Weeners0323