Access
Access is an "easy" difficulty machine that highlights how machines associated with the physical security of an environment may not themselves be secure. Also highlighted is how accessible FTP/file shares can often lead to getting a foothold or lateral movement. It teaches techniques for identifying and exploiting saved credentials.
Overview
Access is an easy-difficulty Windows box themed around a physical-security access-control system. The path to user is a chain of “saved credential” lessons: anonymous FTP hands over a Microsoft Access database and an encrypted ZIP, the database stores account passwords in cleartext, one of those passwords opens the ZIP, and an Outlook mailbox inside the ZIP contains an email that leaks a Telnet login. No exploits, no shellcode — just enumerating proprietary Microsoft file formats on Linux and following the breadcrumbs. This post covers recon through the user flag.
Machine Matrix
Access is pure enumeration: anonymous FTP, proprietary Microsoft file formats, and plaintext-credential reuse — no CVE, no custom exploit. The skills it drills (chasing saved credentials across file shares) map cleanly onto real-world engagements.
Recon
| Port | Service | Notes |
|---|---|---|
| 21/tcp | Microsoft ftpd | anonymous login allowed |
| 23/tcp | Telnet | Windows |
| 80/tcp | IIS httpd 7.5 | “MegaCorp” data-centre still image |
```
nmap -Pn -sV -sC -p21,23,80 10.10.10.X
```
The scan flags the key finding immediately: ftp-anon: Anonymous FTP login allowed (FTP code 230). IIS 7.5 places the host on Windows Server 2008 R2. The website is just a static image of a data-centre camera feed — a hint at the access-control theme, nothing exploitable.
Enumeration
Anonymous FTP exposes two files in separate directories:
```
ftp 10.10.10.X
# login: anonymous / anonymous
# binary
# get Backups/backup.mdb
# get "Engineer/Access Control.zip"
```
backup.mdb is a Microsoft Access database; Access Control.zip is encrypted. Both are binary, so transfer in binary mode.
The Access database parses on Linux with mdbtools — no Windows needed. List tables and look for anything credential-shaped:
```
mdb-tables backup.mdb | tr ' ' '\n' | grep -i user
```
An auth_user table stands out — this is a backup of a ZKAccess install (the card-reader / physical-security software). Dump it:
```
mdb-export backup.mdb auth_user
```
The table stores passwords in plaintext:
```
admin:admin
engineer:access4u@security
backup_admin:admin
```
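A defender-side check for the storage flaw shown above, as an added example that is not part of the original post: it audits `mdb-export` CSV output for password-named columns holding cleartext and reports per account without echoing the values. The column names, ids and the `svc_hashed` row in the sample are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the CSV shape mdb-export emits (header row first).
# Column names, ids and the svc_hashed row are assumptions for illustration.
SAMPLE_EXPORT = """id,username,password,Status
25,"admin","admin",1
27,"engineer","access4u@security",1
28,"backup_admin","admin",1
29,"svc_hashed","5f4dcc3b5aa765d61d8327deb882cf99",1
"""

SECRET_COL = re.compile(r"pass|pwd|secret", re.I)
ACCOUNT_COL = re.compile(r"user|login", re.I)
# Values shaped like a stored hash: MD5/SHA-1/SHA-256 hex, or crypt-style "$id$...".
HASH_SHAPE = re.compile(
    r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|\$[0-9a-z-]+\$.+)$", re.I)


def audit_export(csv_text):
    """Return {account: [issues]} for secret-named columns holding cleartext."""
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = reader.fieldnames or []
    secret_cols = [c for c in cols if SECRET_COL.search(c)]
    if not secret_cols:
        return {}
    account_col = next((c for c in cols if ACCOUNT_COL.search(c)), cols[0])
    clear = []
    for row in reader:
        for col in secret_cols:
            value = (row[col] or "").strip()
            if value and not HASH_SHAPE.match(value):
                clear.append((row[account_col] or "?", value))
    seen = Counter(value for _, value in clear)
    findings = {}
    for account, value in clear:
        issues = findings.setdefault(account, ["cleartext"])
        if value.lower() == account.lower():
            issues.append("equals-username")
        if seen[value] > 1:
            issues.append("shared-between-accounts")
    return findings


if __name__ == "__main__":
    for account, issues in audit_export(SAMPLE_EXPORT).items():
        print(f"{account}: {', '.join(issues)}")
```

The hash-shape test is a heuristic: a cleartext password that happens to be 32, 40 or 64 hex characters would be missed, so treat a clean report as a prompt for review rather than proof.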
Foothold
1 — Crack the ZIP with the engineer password. unzip fails because the archive uses an unsupported compression method; 7z reveals it is AES-256 encrypted and contains a single file, Access Control.pst:
```
7z l -slt "Access Control.zip" # Encrypted = + , Method = AES-256
```
The engineer password from the database unlocks it:
```
7z x -p'access4u@security' "Access Control.zip"
```
2 — Read the Outlook PST. Access Control.pst is an Outlook Personal Folders mailbox. readpst (from pst-utils) renders it to a text mbox on Linux:
```
readpst -tea -m "Access Control.pst"
```
The mailbox contains one email from “John” stating the password for the security account has been changed and asking that it be passed to the engineers:
```
The password for the "security" account has been changed to 4Cc3ssC0ntr0ller.
```
That gives security:4Cc3ssC0ntr0ller.
3 — Telnet in as security. Port 23 is open and security is a valid local account:
```
telnet 10.10.10.X
# login: security
# password: 4Cc3ssC0ntr0ller
```
User flag
The security shell can read the flag directly:
```
type C:\Users\security\Desktop\user.txt
```

```
[redacted]
```
User is ours — anonymous FTP plus plaintext-credential leakage walked straight from an open port to an interactive shell.
Privilege escalation (runas /savecred cached ACCESS\Administrator credentials → DPAPI credential extraction) is left as an exercise — this post stops at user.

