# Hack the Box Cicada

Malarum, February 23, 2025

Today I will be doing a blog post for the Hack the Box machine Cicada! As of writing this blog post, Cicada has recently been retired. We add the IP and cicada.htb to our /etc/hosts file and off we go!

## Enumeration

### NMAP Scan

As always we start off our enumeration with an nmap scan of all ports, which yields the following results:

Based on this it seems to be a Windows machine! But let's do a deeper scan of these open ports.

This gives us a lot more information! So we know for a fact that it is a Windows domain controller and the name of the device is Cicada-DC! We also know it runs all the main services, and I see port 445 is open as well, which indicates SMB. I am going to try logging in with guest credentials using smbclient.

### SMB

We are able to look at the shares! We see two abnormal shares: HR and Dev. Trying to see if we can get access to either of these shares:

We have access to the SMB share for HR and notice an interesting file, "Notice from HR.txt". I download the file and read it, and we see:

## Exploitation

### RID Brute Forcing

The important takeaway here is the default password! So we have a default password; we just need to get usernames. We can enumerate usernames using netexec and brute forcing RIDs. We know we have SMB logon with a guest user, so we can also brute force RIDs using the same guest username and no password. We get the following:

We get a list of all the users for this domain! Let's take the list, output it to a file, and keep only the usernames in there.

### Password Spraying

We can next perform a password spraying attack against the users to see if any of them work with the default password.

It looks like this worked and we have a password for the user michael.wrightson! Let's see what he has access to:

He doesn't have access to the Dev share, so we keep looking. Using rpcclient, I decided to see if there were any interesting attributes for users.
First I used enumdomusers and got a list of users to query.

### RPC Client

I then queried users until I found something interesting.

We now have credentials for david.orelious! Let's see what he has access to.

### David's SMB Shares

We find that David has read access to the Dev share! Let's look at what's inside it! We find a file called Backup_script.ps1. I then download the file and read it.

### Bloodhound

Interesting, this file has a username and password for emily.oscars hard-coded in it! Let's see what we have with Emily. I decide to enumerate using BloodHound with Emily. Loading up BloodHound and the collected data, I look to see what groups Emily is a part of.

Emily is a part of Remote Management Users! This means we can remotely log in as Emily! I used evil-winrm to do this and I found the user flag on Emily's desktop!

## Post Exploitation

Now continuing on to look further for our escalation to administrator. The most important is that we are a Backup Operator, which means we can dump important hives that contain hashes.

We are able to dump the SAM and SYSTEM hives and then download them for offline cracking or other attacks.

We have the administrator hash! Instead of worrying about cracking it, we can just perform a pass-the-hash attack and log in directly with evil-winrm! Just like that we are logged in as administrator! Remember, when using pass-the-hash with evil-winrm it only wants the LM hash.

We can now just go get the flag! I hope you enjoyed this walkthrough for this easy box! Happy Hacking!
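As an added defensive note on the password-spraying step above (example code written for this post, not part of the original writeup or any tool it uses): the spray leaves a distinctive trace in the domain controller's security log, one source address failing logons (event 4625) against many different accounts within seconds, often followed by a single success (event 4624) for the account that still had the default password. The detector below runs over a constructed set of logon events; the IP addresses, timestamps and the user01/user02 names are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, target_user).
# 10.10.14.5 sprays one password across the user list and lands one 4624;
# 10.10.20.7 is a single user mistyping their own password twice.
SAMPLE_EVENTS = [
    ("2025-02-23T10:00:01", 4625, "10.10.14.5", "user01"),
    ("2025-02-23T10:00:02", 4625, "10.10.14.5", "user02"),
    ("2025-02-23T10:00:03", 4625, "10.10.14.5", "david.orelious"),
    ("2025-02-23T10:00:04", 4624, "10.10.14.5", "michael.wrightson"),
    ("2025-02-23T10:00:05", 4625, "10.10.14.5", "emily.oscars"),
    ("2025-02-23T10:30:00", 4625, "10.10.20.7", "emily.oscars"),
    ("2025-02-23T10:30:20", 4625, "10.10.20.7", "emily.oscars"),
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every
    source that produced 4625 failures against at least `min_accounts`
    distinct users inside a sliding `window`. Any 4624 from the same source
    within that window is reported as a probable successful guess."""
    by_src = defaultdict(list)
    for ts, eid, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        # Slide the window start over each event from this source.
        for i, (t0, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, eid, user in evs[i:]:
                if t - t0 > window:
                    break
                if eid == 4625:
                    failed.add(user)
                elif eid == 4624:
                    succeeded.add(user)
            if len(failed) >= min_accounts:
                alerts[src] = {"accounts": sorted(failed),
                               "successes": sorted(succeeded)}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"successes={info['successes']}")
```

The same logic applies to Kerberos pre-authentication failures (event 4771) if the spray goes over Kerberos instead of SMB; only the event IDs change.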