HTB-Cicada

Box Info

OS: Windows
Difficulty: Easy

Nmap Scan

The scan shows that the target exposes an SMB file-sharing service.

Connecting with smbclient reveals the following shares.

A txt file was also found in the HR share:

Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp

This gives us a default password: Cicada$M6Corpb*@Lp#nZp!8

RID BRUTE FORCE

Enumerate users by RID brute forcing.

Use enum4linux-ng to connect to the server as the user Michael.wrightson and extract information:

enum4linux-ng -A -u 'Michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35

This reveals david's password: aRt$Lp#7t*VQ!3

Connecting with smbclient reveals a backup script:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
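
As an added example (not code from the original post): a share audit a defender could run to catch the two leaks this walkthrough relies on, a password written into an onboarding note and a quoted literal passed to ConvertTo-SecureString -AsPlainText in a script. The rule names, the `scan_share` helper and the sample file contents are assumptions made up for illustration.

```python
import re

# Rules for the two leaks seen in this walkthrough (hypothetical rule names).
RULES = [
    # ConvertTo-SecureString fed a quoted literal together with -AsPlainText
    ("ps-plaintext-securestring",
     re.compile(r"""ConvertTo-SecureString\s+(?:-String\s+)?(["'])(?P<secret>.+?)\1[^\n]*-AsPlainText""", re.I)),
    # Prose such as "Your default password is: ..." in onboarding notes
    ("note-password-disclosure",
     re.compile(r"password\s+is\s*[:=]\s*(?P<secret>\S+)", re.I)),
]

def redact(secret):
    """Keep two leading characters so the finding can be matched, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_text(name, text):
    """Return (file, line number, rule, redacted secret) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # skip PowerShell comment lines
            continue
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((name, lineno, rule, redact(m.group("secret"))))
    return findings

def scan_share(files):
    """files: mapping of share path -> file content (read from the share by the caller)."""
    return [f for name, text in sorted(files.items()) for f in scan_text(name, text)]

# Constructed sample files; the values are placeholders, not the ones on this page.
SAMPLE_SHARE = {
    "HR/Notice.txt": "Dear new hire!\nYour default password is: Example$Pass1\n",
    "DEV/Backup.ps1": (
        '$username = "svc.backup"\n'
        '$password = ConvertTo-SecureString "Example!Secret2" -AsPlainText -Force\n'
    ),
    # Not flagged: the secret comes from a prompt or the environment, not a literal.
    "DEV/Prompted.ps1": (
        '$password = Read-Host "Password" -AsSecureString\n'
        '$s = ConvertTo-SecureString $env:BACKUP_PW -AsPlainText -Force\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_share(SAMPLE_SHARE):
        print(finding)
```
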

Log in with evil-winrm and get user.txt.

Privilege Escalation

Check the current user's privileges:

*Evil-WinRM* PS C:\Users> whoami /all

About SeBackupPrivilege, see: Windows Privilege Escalation: SeBackupPrivilege – Hacking Articles

Follow the steps in that article.

Use pypykatz to get the admin hash.

Finally, log in as admin with evil-winrm using the hash and get root.txt.

Summary

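First, a plaintext password was obtained through passwordless SMB login, then crackmapexec was used to brute force usernames by RID.

Trying logins across the usernames revealed an SMB account that could get in, which yielded a backup script containing an account password.

Then evil-winrm was used to log in and download the SAM and SYSTEM files; pypykatz extracted the admin hash, which was used for a hash login to obtain Administrator privileges.

Windows really is a headache...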

Link to this page: https://www.hyhforever.top/hackthebox-cicada/

Comments

  1. jura
    Android Chrome
    2024-10-30 10:56:11

    Wow, you are really great, when will you post again?
