⇒ There was nothing on the webpage.
⇒ From FTP we found 2 files:
→ The zip file has a password.
→ We ran strings on backup.mdb and found the password:
→ Unzipped the file and got a .pst file.
⇒ Opened the file in a PST viewer:
Password for the security user:
⇒ We have a login on port 23
→ Logged in using the credentials we found :
⇒ On the Public user's desktop we find an .lnk file:
→ It runs runas.exe on a file as Administrator using /savecred, so the Administrator credentials are already stored for this user.
→ We can run our msfvenom shell the same way and get an Administrator shell:
runas.exe /user:ACCESS\Administrator /savecred "C:\temp\jake.exe"
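
⇒ Defender's view of the same finding, as an added example (not part of the original writeup): a PowerShell audit that flags shortcuts calling runas.exe with /savecred and lists the stored credentials behind them. The search roots are assumptions, and the cmdkey target name in the last comment is a placeholder.

```powershell
# Audit: find shortcuts that launch runas.exe with /savecred, then list stored credentials.
# Assumption: run from an elevated prompt so every profile under C:\Users is readable.
$shell = New-Object -ComObject WScript.Shell
$roots = @('C:\Users', "$env:ProgramData\Microsoft\Windows\Start Menu")

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut on an existing .lnk loads it and exposes its target and arguments.
            $lnk = $shell.CreateShortcut($_.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match '(?i)\brunas(\.exe)?\b' -and $cmd -match '(?i)/savecred\b') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}
$findings | Format-List

# Credentials cached by /savecred sit in Credential Manager. cmdkey only shows the
# vault of the account running it, so repeat this as each user that owns a flagged shortcut.
cmdkey /list

# Remediation (placeholder target name; take the real one from the cmdkey /list output):
# cmdkey /delete:<TargetName>
```

Any hit means that whoever can log in as that user can run arbitrary programs as the account named in the shortcut, so remove the stored credential and replace the shortcut with a mechanism that does not cache a password.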