Cicada Discussion [HINTS] [HTB]

Let’s talk about Cicada. Please do not share any flags or writeups.

The creator of this challenge is theblxckcicada.

This is their very own challenge and I hope it will be a great experience.

Open ports:

PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-09-29 02:01:14Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
636/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)

SMB shares:

$ smbclient -L 10.129.174.13       

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk      
	HR              Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.174.13 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
$ smbclient  //10.129.174.13/HR 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 18:31:48 2024

		4168447 blocks of size 4096. 290935 blocks available

The default password is revealed in the text file Notice from HR.txt.

Users on the box:

SMB                      10.129.174.13   445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

1 Like

How did you get those usernames?

Doing an RID bruteforce using nxc will give us the different users on the box.

$ nxc smb 10.129.174.13 -u "guest" -p '' --rid-brute

1 Like

Did you find a valid username for the default password? Password spraying didn’t yield a positive result for me.

I'm getting no session setup failed: NT_STATUS_LOGON_FAILURE for michael and dev support when doing logon within the smb: \> shell, but I'm not sure where to go next from here.

Yes, nxc again. Passing a user list and the password obtained, you’ll be able to find whom the password belongs to.

1 Like

impacket-lookupsid guest@10.10.11.35 -no-pass
Another way to get users.

2 Likes

Are there hidden shares that I'm missing for emily?
Edit: maybe I would succeed in trying other shares :)

Any hints on what to do to begin looking for root after getting user?

2 Likes

Any hints on how to get from David to another user?

Try looking for things you didn’t have access to before.

1 Like

Use David Orelious' creds to access the DEV share and download Backup_script.ps1.
cat Backup_script.ps1
Inside you will find emily.oscars' creds.

Evil-winrm, and then exploit SeBackupPrivilege for root.

3 Likes

Where do you get David's creds? The default didn't work.

David's account, as well as the others, should have an account description associated with it that you need to find, or query for.
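
From the defender's side, credentials left in account description fields, as discussed above, are something a routine directory audit should catch. The following is an added example, not part of any post in this thread: a Python audit that reads an LDIF export of user objects (for instance one produced with ldifde) and reports which accounts have free-text attributes that appear to hold credentials, without echoing the values. The sample export, the corp.example names and the keyword list are constructed assumptions.

```python
import base64
import re

# Constructed LDIF export of user objects (sample data, not from the thread).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=corp,DC=example
sAMAccountName: alice.example
description: Finance analyst, 3rd floor

dn: CN=Bob Example,CN=Users,DC=corp,DC=example
sAMAccountName: bob.example
description: Temp account, initial pas
 sword is CONSTRUCTED-PLACEHOLDER-1

dn: CN=Svc Backup,CN=Users,DC=corp,DC=example
sAMAccountName: svc.backup
info: pwd=CONSTRUCTED-PLACEHOLDER-2
"""

FREE_TEXT_ATTRS = {"description", "info", "comment"}
# Assumed keyword list; tune it to local naming habits.
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b", re.I)

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo RFC 2849 line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        yield entry

def audit(text):
    """Return sorted (account, attribute) pairs; values are never echoed."""
    findings = set()
    for entry in parse_ldif(text):
        account = entry.get("samaccountname", ["?"])[0]
        for attr in FREE_TEXT_ATTRS & entry.keys():
            if any(KEYWORD.search(v) for v in entry[attr]):
                findings.add((account, attr))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Each reported account should have the attribute cleared and its password reset, since the value must be treated as already disclosed.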