Cicada Discussion [HINTS] [HTB]

ctftalks · September 26, 2024, 10:50am

Let’s talk about Cicada. Please do not share any flags or writeups.

Hex · September 28, 2024, 1:23pm

The creator of this challenge is theblxckcicada.

This is their very own challenge and I hope it will be a great experience.

7eleven · September 28, 2024, 7:07pm

Open ports:

PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-09-29 02:01:14Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
636/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)

7eleven · September 28, 2024, 7:11pm

SMB shares :

$ smbclient -L 10.129.174.13       

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk      
	HR              Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.174.13 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

$ smbclient  //10.129.174.13/HR 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 18:31:48 2024

		4168447 blocks of size 4096. 290935 blocks available

Hex · September 28, 2024, 7:14pm

The default password is revealed in the text file Notice from HR.txt.

7eleven · September 28, 2024, 7:15pm

Users on the box :

SMB                      10.129.174.13   445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB                      10.129.174.13   445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Hex · September 28, 2024, 7:17pm

How did you get those usernames?

7eleven · September 28, 2024, 7:18pm

Doing an RID bruteforce using nxc will give us the different users on the box.

$ nxc smb 10.129.174.13 -u "guest" -p '' --rid-brute

Hex · September 28, 2024, 7:35pm

Did you find a valid username for the default password? Password spraying didn’t yield a positive result for me

caesartcs · September 28, 2024, 7:36pm

im getting no session setup failed: NT_STATUS_LOGON_FAILURE for michael and dev support when doing logon within the smb: \> shell but not sure where to go next from here

7eleven · September 28, 2024, 7:37pm

Yes, nxc again. passing a user list and the password obtained you’ll be able to find to whom the password is.

0dayworld · September 28, 2024, 7:45pm

impacket-lookupsid guest@10.10.11.35 -no-pass
another way to get users

caesartcs · September 28, 2024, 8:03pm

are there hidden shares that im missing for emily?
edit: maybe i would succeed in trying other shares

caesartcs · September 28, 2024, 8:21pm

any hints on what to do to begin looking for root after getting user?

Hex · September 28, 2024, 8:25pm

dddddddd121d21d21d1 · September 28, 2024, 8:51pm

Any hints on how to get from David to another user?

7eleven · September 28, 2024, 8:56pm

Try looking for things you didn’t have access to before.

msada6254 · September 28, 2024, 9:15pm

Use David Orelious creds to access DEV shares and download the Backup_script.ps1
cat Backup_script.ps1
Inside you will find emily.oscars creds

Evil-winrm and then exploit SEBackupprivilege for root.

venom · September 28, 2024, 9:26pm

where do you get davids creds - default didnt work

caesartcs · September 28, 2024, 9:43pm

davids account, as well as the others, should have an account description associated with it that you need to find - or query for