HTB | Cicada
This is a Windows box. You can find it here.
Skill Learned
ldapdomaindump / bloodhound
SeBackupPrivilege
NMAP
IP: 10.10.11.35
nmap -sT -p- --min-rate 10000 10.10.11.35 -Pn

SMB & RPC

There was a file in the HR share


Since we have a password, we can enumerate users.
LDAP - TCP 389

Foothold/shell
Without creds, one thing I can check for is usernames via Kerberos brute-forcing. I’ll use Kerbrute to give this a run, and it finds four unique usernames:
It is taking a lot of time. We can use crackmapexec to brute-force RIDs.

From this, we have 5 users.

Let's see whether the password we got is valid for any user over SMB.

And we get a user, michale.wrightson. Let's take a look at what share access michale has.

It's the same access we had before. Let's try Evil-WinRM, but no luck.

Bloodhound/ ldapdomaindump
Since we have valid domain credentials, we can use BloodHound.

Let's load the files in Bloodhound
Not able to find anything useful from the owned user (michale.wrightson)
Let's try ldapdomaindump because it gives us a nice HTML file

We found the password for david.orelious

Let's try SMB and WinRM; we can only validate for SMB.

This time we have READ ONLY access to the DEV share.

We found backup_script.ps1 in the DEV share. Let's download the script to our system and take a look.


The file has credentials for emily.oscars. Let's try SMB and WinRM; we can validate for both.

Let's use EvilWinRM
and we are in

found user.txt

Priv Esc
SeBackupPrivilege

We have the SeBackupPrivilege privilege; we have seen the same privilege in Blackfield.
SeBackupPrivilege basically allows for a full system read. This is because emily.oscars is in the Backup Operators group:

This repo has a nice set of PowerShell tools for abusing the SeBackupPrivilege. I’ll clone it, and then I’ll need to upload two files to Cicada:

Now I'll import them into my current session:

Now we can copy root.txt.

Beyond root.txt
We can copy ntds.dit and system


Then transfer them to Kali and use secretsdump.py; from secretsdump.py we will get the hash for the Administrator.
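
From the defender's side, a remote session holding SeBackupPrivilege like the one above shows up in the Security log: event 4672 lists the sensitive privileges assigned at logon and shares its logon ID with the 4624 logon event. The following is an added example, not part of the original write-up; the event records are constructed and simplified, and `svc_backup`, the allowlist and the function name are assumptions.

```python
"""Flag remote logons that were granted backup/restore privileges (added example)."""

# Constructed, simplified records in the shape of exported Windows Security
# events: 4624 = logon, 4672 = special privileges assigned to new logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "emily.oscars", "TargetLogonId": "0x5a1c3",
     "LogonType": 3, "IpAddress": "192.0.2.44"},
    {"EventID": 4672, "SubjectUserName": "emily.oscars", "SubjectLogonId": "0x5a1c3",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x77f10",
     "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x77f10",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4624, "TargetUserName": "david.orelious", "TargetLogonId": "0x81b22",
     "LogonType": 3, "IpAddress": "192.0.2.44"},
]

# Hypothetical allowlist: accounts that are expected to hold backup rights.
EXPECTED_BACKUP_ACCOUNTS = {"svc_backup"}
WATCHED = {"SeBackupPrivilege", "SeRestorePrivilege"}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (includes WinRM), 10 = RemoteInteractive


def find_backup_privilege_logons(events, allowlist=EXPECTED_BACKUP_ACCOUNTS):
    """Return one alert per remote session that holds a watched privilege."""
    # Index logon events by logon ID so each 4672 can be joined to its 4624.
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4672:
            continue
        privs = set(e["PrivilegeList"].split()) & WATCHED
        logon = logons.get(e["SubjectLogonId"])
        user = e["SubjectUserName"]
        if not privs or logon is None or user.lower() in allowlist:
            continue
        if logon["LogonType"] in REMOTE_LOGON_TYPES:
            alerts.append({"user": user, "source": logon["IpAddress"],
                           "logon_id": e["SubjectLogonId"],
                           "privileges": sorted(privs)})
    return alerts


if __name__ == "__main__":
    for alert in find_backup_privilege_logons(SAMPLE_EVENTS):
        print(alert)
```

Reviewing who is in Backup Operators, and whether those accounts can also log on remotely, removes the condition this alert fires on.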