We start the box with the usual nmap -sC -sV -oA ./Access 10.10.10.98 and get the following results.
FTP Anonymous, Telnet, and a Web portal. Let's take it from the top. FTP to the box with anonymous and no password. We see two folders (Backup and Engineer). In Backups, we have backup.mdb and in Engineer, we have 'Access Control.zip'. Get them both.
We can use an online converter like https://www.mdbopener.com/ to convert the old MDB Jet database over to a CSV and in the auth_user table we get a set of passwords.
If we use access4u@security as the password for the Access Control.zip file, we get a new PST file. Here, I switched over to my Windows host, but it can easily be done in Evolution on a Linux machine. There is exactly ONE message in the PST.
So we know the "security" account password is '4Cc3ssC0ntr0ller'. Let's try to Telnet with it. Success! Now navigate to the Desktop and 'type user.txt' to get the user flag.
Now, we need to look around for a privesc path. Running 'cmdkey /list' shows whether any credentials are stored on a Windows box. Lo and behold! Stored Administrator credentials. That means we can use 'runas' as a privesc path.
Hmmm. Running 'runas /savecred /user:ACCESS\Administrator "cmd /c type C:\Users\Administrator\Desktop\root.txt"' did absolutely nothing. Let's try and pipe that to a more accessible file with:
That's all, folks!