Access - 10.10.10.98
Ports / Services / Software Versions Running
Anonymous ftp access allows you to download a mdb file which once reviewed gives you a password for the zip file.
Once zip file is extracted there is a telnet password for security in the outlook backup file.
Runas to get reverse nc shell.
Exploiting the host:
Anonymous access to FTP allowed so download the files
Open the mdb file with the following url https://www.mdbopener.com/
Found the password within the backup.mdb file access4u@security
Use this password to extract access control.zip
Which gives you what looks to be an outlook backup
Install outlook in a windows vm and import the pst file
Use these creds to login via telnet security:4Cc3ssC0ntroller
Grab the user flag
User is low priv
There is a sql service script within the C:\temp dir
Which has credentials of sa:htrcy@HXeryNJCTRHcnb45CJRY
Good chance we have to open the mssql service and exploit that to get root
Can’t find sql server running so must be a false positive/ rabbit hole.
Download nc to the machine and run with runas
Receive a root shell
Collect your flag