Cicada Discussion [HINTS] [HTB]

you don’t need to do that, there were other files of interest as soon as you evil-winrm that make it way easier

Can anyone tell me how to get user? I also didn’t found the David creds

1 Like

Using the credentials you have, check other people’s descriptions remotely

How to check description, there is no web?

with active directory utilities

Exclusive content is now available for Cicada by @7eleven and @macavitysworld

What is Exclusive Content?


You can still ask for help and specific hints in this thread.

2 Likes

I’m trying to get the file but no success

maybe,when you using smbclient with user guest . you have to smb: \> get "Notice from HR.txt"

plz check account description,u will found it

i’ve used bloodhound to get all the informations and a custom query to view the users.
i guess there are simpler methos to do this but this was my first idea :D…

Finally rooted the machine!!

how to go from michael to david

You need to enumerate the different users info, more specifically david's infos. Once done, you’ll find his password. You can use nxc or ldapdomaindump for example.

1 Like

You leveraged Michael Wrightson’s credentials to dump domain information via ldapdomaindump, found David Orelious’s password in the user descriptions, accessed the DEV share to retrieve a PowerShell backup script with Emily Oscars’ credentials, and then used her SeBackupPrivilege to exploit Windows shadow copies, extracting the SAM and SYSTEM files for offline password cracking—an approach that could be further streamlined by using automated tools like GetUserSPNs, crackmapexec, and Invoke-BackupPrivilege.ps1

1 Like

Summary

  • Enumerate SMB shares, brute-force RIDs, and perform password spraying

  • Use LDAP and SMB enumeration to gather credentials

  • Exploit SeBackupPrivilege to dump registry hives

  • Extract secrets with secretsdump and log in as Administrator

1 Like

how to check for it?

using enum4linux with michael creds,that’s how i get it

enum4linux -a -u michael.wrightson -p <michael.wrightson creds> <ip>