Let’s talk about Cicada. Please do not share any flags or writeups.
The creator of this challenge is theblxckcicada.
This is their very own challenge and I hope it will be a great experience.
Open ports:
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-09-29 02:01:14Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
SMB shares:
$ smbclient -L 10.129.174.13
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.174.13 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
$ smbclient //10.129.174.13/HR
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 13:29:09 2024
.. D 0 Thu Mar 14 13:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 18:31:48 2024
4168447 blocks of size 4096. 290935 blocks available
The default password is revealed in the text file Notice from HR.txt.
Users on the box:
SMB 10.129.174.13 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.174.13 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
How did you get those usernames?
Doing an RID brute force using nxc will give us the different users on the box.
$ nxc smb 10.129.174.13 -u "guest" -p '' --rid-brute
Did you find a valid username for the default password? Password spraying didn’t yield a positive result for me.
I’m getting "session setup failed: NT_STATUS_LOGON_FAILURE" for michael and dev support when doing logon within the smb: \> shell, but not sure where to go next from here.
Yes, nxc again. Passing a user list and the password obtained, you’ll be able to find whom the password belongs to.
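The spraying described in the reply above has a defender-side signature: one source producing failed logons against many distinct accounts inside a short window, which is what the detection below looks for. This Python is an added example for the thread, not code from any post here or from nxc; the event records are constructed to resemble parsed Security-log entries (4625 failed logon, 4624 successful logon), and the source addresses, window and threshold are assumptions.

```python
"""Flag password-spray patterns in parsed Windows logon-failure events.

Added example for this thread; not from the original posts or from any tool
named in them. The records below are constructed and are not logs from the
box. Status 0xC000006D is STATUS_LOGON_FAILURE, the NTSTATUS behind the
NT_STATUS_LOGON_FAILURE message quoted in the thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, target_user, source_ip, status).
# Source 10.10.14.7 tries many distinct accounts within seconds (spray shape);
# source 10.10.14.22 is one user failing twice and then logging on (not a spray).
SAMPLE_EVENTS = [
    ("2024-09-29 02:05:01", 4625, "john.smoulder", "10.10.14.7", "0xC000006D"),
    ("2024-09-29 02:05:02", 4625, "sarah.dantelia", "10.10.14.7", "0xC000006D"),
    ("2024-09-29 02:05:02", 4625, "michael.wrightson", "10.10.14.7", "0xC000006D"),
    ("2024-09-29 02:05:03", 4625, "david.orelious", "10.10.14.7", "0xC000006D"),
    ("2024-09-29 02:05:03", 4625, "emily.oscars", "10.10.14.7", "0xC000006D"),
    ("2024-09-29 02:05:04", 4625, "administrator", "10.10.14.7", "0xC000006D"),
    ("2024-09-29 02:07:10", 4625, "emily.oscars", "10.10.14.22", "0xC000006D"),
    ("2024-09-29 02:07:40", 4625, "emily.oscars", "10.10.14.22", "0xC000006D"),
    ("2024-09-29 02:08:05", 4624, "emily.oscars", "10.10.14.22", "0x0"),
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_password_spray(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {source_ip: sorted target users} for every source whose failed
    logons hit at least `min_distinct_users` distinct accounts inside `window`.

    The count is over distinct users, not over events: one account failing
    many times is a brute force against that account, not a spray.
    """
    failures = defaultdict(list)  # source_ip -> [(timestamp, user), ...]
    for ts, event_id, user, src, status in events:
        if event_id == 4625:
            failures[src].append((_parse_ts(ts), user.lower()))

    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Slide a window starting at each failure; attempts are sorted, so
        # everything from index i onward is at or after `start`.
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_distinct_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts -> {users}")
```

In a real deployment the same logic runs over 4625 events pulled from the domain controllers (the source is in the IpAddress field of the event), and the threshold is tuned to the environment; the structure, distinct targets per source per window, is what separates a spray from ordinary mistyped passwords.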
impacket-lookupsid guest@10.10.11.35 -no-pass
Another way to get users.
Are there hidden shares that I’m missing for emily?
Edit: maybe I would succeed in trying other shares.
Any hints on what to do to begin looking for root after getting user?
Any hints on how to get from David to another user?
Try looking for things you didn’t have access to before.
Use David Orelious’s creds to access the DEV share and download Backup_script.ps1.
cat Backup_script.ps1
Inside you will find emily.oscars’ creds.
Evil-WinRM and then exploit SeBackupPrivilege for root.
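The reason SeBackupPrivilege in the post above is a path to root is that the right lets its holder read files regardless of their ACLs, so the audit question for a defender is simply who holds it. The Python below is an added example, not code from this thread or from Evil-WinRM: it parses the [Privilege Rights] section of a security template as written by `secedit /export /cfg <file> /areas USER_RIGHTS` and reports holders of SeBackupPrivilege and SeRestorePrivilege outside the built-in groups. The template text is constructed, the expected-holder set is an assumption stated in the code, and the S-1-5-21-... domain SID is a placeholder.

```python
"""Audit who holds SeBackupPrivilege and SeRestorePrivilege on a Windows host.

Added example for this thread; not from the original posts or from any tool
named in them. Input is the [Privilege Rights] section of a security
template as exported by `secedit /export /cfg <file> /areas USER_RIGHTS`
(the real export is UTF-16, decode it before passing the text in). The
template below is constructed; its S-1-5-21-... SID is a placeholder, not the
box's domain SID.
"""

# Default holders of both privileges on a domain controller (assumption for
# this example; on a member server, Server Operators is not present).
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
EXPECTED_HOLDERS = set(WELL_KNOWN)

# Constructed secedit export: one ordinary domain account (RID 1601) has been
# granted SeBackupPrivilege in addition to the built-in groups.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-111111111-222222222-333333333-1601
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege_name: [holder, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; plain account names stay as-is.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_holders(rights, privilege, expected=EXPECTED_HOLDERS):
    """Holders of `privilege` that are not in the expected built-in set."""
    return [h for h in rights.get(privilege, []) if h not in expected]


def audit_backup_privileges(inf_text):
    """Return {privilege: [unexpected holders]} for the backup/restore pair."""
    rights = parse_privilege_rights(inf_text)
    return {p: unexpected_holders(rights, p)
            for p in ("SeBackupPrivilege", "SeRestorePrivilege")}


if __name__ == "__main__":
    for priv, extra in audit_backup_privileges(SAMPLE_INF).items():
        status = "OK" if not extra else "REVIEW: " + ", ".join(extra)
        print(f"{priv}: {status}")
```

Anything the audit reports needs the same scrutiny as Backup Operators membership itself: on a domain controller the privilege covers the directory database and registry hives, so the only legitimate holders are the accounts that actually run backups.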
Where do you get david’s creds? The default didn’t work.
David’s account, as well as the others, should have an account description associated with it that you need to find, or query for.
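A credential parked in an account description, as the reply above hints at, is readable by every authenticated domain user, which makes it something a defender should sweep for routinely. The Python below is an added example, not code from this thread: `scan_descriptions` applies keyword heuristics to (sAMAccountName, description) pairs and runs offline on constructed records, while `fetch_descriptions` shows how the same pairs would be pulled over LDAP with the third-party `ldap3` package. The usernames, descriptions and connection parameters in it are made up.

```python
"""Find AD user accounts whose description attribute looks like it holds a
credential.

Added example for this thread; not from the original posts or from any tool
named in them. The records in SAMPLE_USERS are constructed. The LDAP helper
uses ldap3 (pip install ldap3) and is imported only when called; its
connection parameters are placeholders.
"""
import re

# Keywords that usually mean someone parked a secret in a free-text field.
# Word boundaries keep "Passport" and "Password" apart.
CREDENTIAL_HINTS = re.compile(
    r"(?i)\b(?:pass(?:word|wd|phrase)?|pwd|pw|cred(?:ential)?s?|secret|pin)\b\s*(?:is|:|=)?"
)

# Constructed records: (sAMAccountName, description). None = attribute not set.
SAMPLE_USERS = [
    ("svc_backup", "Backup service account. pwd: Winter2024! (rotate quarterly)"),
    ("alice.example", "Finance team, desk 4B"),
    ("t.helpdesk", "temp helpdesk account - password is Welcome123"),
    ("bob.example", "Passport office liaison"),
    ("carol.example", None),
]


def scan_descriptions(users):
    """Return [(sam, description, matched_hint)] for descriptions that look
    like they contain a credential."""
    hits = []
    for sam, desc in users:
        if not desc:
            continue
        m = CREDENTIAL_HINTS.search(desc)
        if m:
            hits.append((sam, desc, m.group(0).strip()))
    return hits


def fetch_descriptions(host, bind_user, bind_password, base_dn):
    """Pull (sAMAccountName, description) for every user with a description set.

    An ordinary domain account is enough to bind: the description attribute
    is readable by all authenticated users by default, which is exactly why
    secrets stored in it are exposed. bind_user is in DOMAIN\\user form.
    """
    from ldap3 import ALL, NTLM, Connection, Server  # third-party package
    conn = Connection(Server(host, get_info=ALL), user=bind_user,
                      password=bind_password, authentication=NTLM, auto_bind=True)
    conn.search(base_dn,
                "(&(objectCategory=person)(objectClass=user)(description=*))",
                attributes=["sAMAccountName", "description"])
    return [(e.sAMAccountName.value, str(e.description.value)) for e in conn.entries]


if __name__ == "__main__":
    # Offline run on the constructed records; swap in fetch_descriptions(...)
    # with real parameters to sweep a live directory.
    for sam, desc, hint in scan_descriptions(SAMPLE_USERS):
        print(f"{sam}: matched '{hint}' in description: {desc!r}")
```

Keyword matching is deliberately loose and will produce some false positives (a description mentioning "PIN reset procedure", for instance); a human review of the hits is cheap, and the remediation is the same in every case: clear the attribute and rotate whatever was written in it.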