[ Capture the Flag ] :: Tsuki Pwns Access on HackTheBox

Tsuki CTF HackTheBox: Access
This entry is part 5 of 5 in the series [ Hacking 101 ]

Tsuki’s capture the flag Speedruns of HackTheBox machines are WAY too fun, and addictive as candy. I’m going to use this particular vid as a test, to see how useful a full explanation is for my Hacking 101 students.

Hacking Access Database Files in Kali

00:00 – Port Scan

nmap -sC -sV 10.10.10.98

You’ll see this recipe again and again. The -sC option runs the default set of scan scripts, which will identify the most common services. -sV does host enumeration and version detection. In this case, the anonymous-login FTP service is the most tempting target.

00:16 – FTP Enumeration

ftp 10.10.10.98

So Tsuki goes straight to that anonymous login. User: anonymous, password: nothing (not the word “nothing”, but literally nothing, an empty string).

dir

A dir command reveals two directories, Backups and Engineer.

cd Backups
dir

Oh look: there’s backup.mdb. An mdb file is, of course, an Access database file. Get files like this in binary, not text, mode.

binary
get backup.mdb

Can’t forget that other directory:

cd ../Engineer
dir
get "Access Control.zip"

Because there’s a space in the file name, we need quotation marks. Otherwise FTP will think we’re asking for two files. Another way to do the same thing is to use the escape character, the backslash, in front of the space to “escape” its normal meaning (a divider) and turn it into a hard space (not a divider).

Time to leave FTP:

goodbye

Okay, check our local directory:

ls

… and there it is. Good.

Now Tsuki opens a second terminal and takes advantage of the Linux command apropos. Look up apropos in the dictionary: it basically means “having to do with” or “about”.

apropos mdb

Check out the gold mine of utilities to run SQL, list tables, get the version etc. See, you don’t need Access (the Office application) to get into these files!

mdb-sql backup.mdb

This command puts us into SQL mode, where we can run queries.

list tables

Bingo: here are our tables. Scan the list for obvious targets, like user and password tables. Yippee! auth_user looks like what we need. Time to leave the SQL interface with this simple command:

#

00:55 – Plain Text Password Dump 1 (backup.mdb)

Back in the shell, Tsuki exports the table.

mdb-export backup.mdb auth_user

The first line of output is column names. The following lines are entries (tuples). And oh man, someone is lazy: passwords in plain text! Does this happen in real life? Yeah. Oh, yeah. So copy engineer’s password.

02:04 – Plain Text Password Dump 2 (Access\ Control.mbox)

Remember that Access Control.zip file we grabbed earlier? Unzip:

unzip Access\ Control.zip

Oops, got a compression type error. Try a different algorithm:

7z x Access\ Control.zip

The syntax is first the 7z command, then the “x” switch to extract, then the file name. Note that escape character.

Ah, we get prompted for a password. Tsuki pastes in engineer’s password, and out comes the file “Access Control.pst”. Once again we need to know what this file extension means (DuckDuckGo is your friend). In this case, it’s an MS Outlook file that holds a user’s emails.

In the second terminal window, Tsuki asks about utilities that can open pst files. Once again, we don’t need Outlook to peel open these files in Linux.

apropos pst

The one we want is readpst.

readpst Access\ Control.pst

Now less the file that was output, “Access Control.mbox”, a plain-text format.

less Access\ Control.mbox

And here it is: a message with a username and password in the clear! Copy them.

02:44 – Telnet Remote Login

telnet 10.10.10.98

Enter the username and password.

whoami
dir
cd Desktop
type user.txt

Type is like cat in Windows, and gets us the first flag. Way cool! Copy and save it to validate the challenge when we’re done.

03:27 – Running Commands As Administrator

cmdkey /list

… gets you local credentials. (Run cmdkey by itself in the CLI for the help screen.)

C:\Windows\System32\runas.exe /env /savecred /user:Administrator "cmd /k more C:\Users\Administrator\Desktop\root.txt > flag.txt"

Now this is meaty. Tsuki invokes runas, which as you’d expect runs a command as another user. We’re using the local environment’s saved credentials for the user Administrator to more (output the text of) the file root.txt. In most CTF situations, even under Windows, the “God” flag is in root.txt. The output is written to flag.txt.

Let’s see the flag!

type flag.txt

Sweet, huh?

Let me know if you find this explanation useful, and if it is I’ll do more of these on Tsuki CTF’s excellent videos.

If you’re learning hacking and/or capture the flag, I’d highly recommend you go through all of Tsuki’s videos. Subscribe to his channel so he’ll keep doing them: https://www.youtube.com/user/Weeners0323

Thanks –