Access – 10.10.10.98

Target Enumeration:

OS: Windows

IP: 10.10.10.98

User: ff1f3b48913b213a31ff6756d2553d38

Root: 6e1586cc7ab230a8d297e8f933d904cf

FTP

Telnet

HTTP

Anonymous ftp access allows you to download a mdb file which once reviewed gives you a password for the zip file.

Once zip file is extracted there is a telnet password for security in the outlook backup file.

Runas to get reverse nc shell.

Nmap

Anonymous access to FTP allowed so download the files

Open the mdb file with the following url

Found the password within the backup.mdb file access4u@security

Use this password to extract access control.zip

Which gives you what looks to be an outlook backup

Install outlook in a windows vm and import the pst file

Use these creds to login via telnet security:4Cc3ssC0ntroller

Grab the user flag

User is low priv

There is a sql service script within the C:\temp dir

Which has credentials of sa:htrcy@HXeryNJCTRHcnb45CJRY

Good chance we have to open the mssql service and exploit that to get root

Can’t find sql server running so must be a false positive/ rabbit hole.

Download nc to the machine and run with runas

Receive a root shell

Collect your flag