HTB: Access - OSCP Prep Write-up

Old school. Access is a machine that takes you through a chain of credential pivoting across legacy protocols and file formats you do not see every day - no exploits, no CVEs, just enumeration and following the breadcrumbs wherever they lead.

Machine info
Name: Access
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- Anonymous FTP exposes backup.mdb (Microsoft Access database) and Access Control.zip (AES-encrypted)
- backup.mdb contains an auth_user table with credentials - including the password to decrypt the ZIP
- The ZIP holds a PST file; reading the extracted email reveals the security account password in plaintext
- Telnet login as security -> user shell
- cmdkey /list shows saved credentials for ACCESS\Administrator; runas /savecred gives Administrator access

Enumeration

Port 21 was open and I went straight for it - anonymous FTP is one of those findings you want to verify immediately. ...

May 19, 2026 · 4 min · João Vítor Bonin

HTB: Administrator - OSCP Prep Write-up

This one plays out like a relay race - each user passes the baton to the next. No exploitation, no CVEs. Just ACL abuse all the way down until you’re dumping the domain.

Machine info
Name: Administrator
Platform: HackTheBox
OS: Windows
Difficulty: Medium
Starting credentials: olivia / ichliebedich

TL;DR

Starting with pre-provided credentials for Olivia, we RID-brute SMB to enumerate domain users, then log in via WinRM and run SharpHound to feed BloodHound. The graph reveals a chain of ACL abuse: Olivia holds GenericAll over Michael, Michael holds ForceChangePassword over Benjamin. We reset their passwords in sequence. Benjamin’s only access is FTP - where he has a Backup.psafe3 file. We crack the master password with john and pull credentials for three more users from the vault. Emily’s credentials are the key - she has GenericWrite over Ethan, which enables targeted Kerberoasting. After syncing the clock with the DC, we roast Ethan’s TGS and crack it to limpbizkit. Ethan has DCSync rights on the domain, so we dump all NTLM hashes with secretsdump, then psexec in as Administrator. ...

May 19, 2026 · 6 min · João Vítor Bonin

HTB: Netmon - OSCP Prep Write-up

Netmon is a good reminder that “stale” does not mean “useless.” An old config backup with a 2018 password becomes the key to everything once you notice the pattern in the timestamps.

Machine info
Name: Netmon
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- Anonymous FTP exposes the full C:\ drive, including PRTG Network Monitor config backups
- Old backup (PRTG Configuration.old.bak) leaks the password PrTg@dmin2018
- Other config files are dated 2019 - guessing PrTg@dmin2019 logs into the PRTG web interface
- PRTG 18.1.37 is vulnerable to CVE-2018-9276 (authenticated RCE) - the exploit creates a local admin user
- Dump SAM with nxc, psexec as Administrator

Recon

RustScan

rustscan -a 10.129.230.176

...

May 19, 2026 · 3 min · João Vítor Bonin