039#:HTB - Cicada

     Up next I am tackling Cicada on Hack The Box. I have spent the past month working on the easy active machines on HTB so I could reach Hacker rank. With that done, I figured I would start targeting the machines from TJNull’s OSCP prep with more intention.

     I added all the machines to my HTB to-do list, then sorted by System Owns. I am less skilled at attacking Windows machines, so I will probably hit some roadblocks along the way.

Cicada - Nmap

     There’s a lot going on, but I start just by noting the software and versions I see. I noticed the cicada-dc.cicada.htb subdomain, so I added that and cicada.htb to my hosts file. In pursuing the OSCP, I also need to break the habit of using auxiliary modules in Metasploit, so I brushed off enum4linux and ran a scan.

Cicada - Enum 1

     I explored the null SMB session command that was used and tweaked it a bit. I then tried to connect to the available shares.

Cicada - SMB 1
Cicada - Explore 1

     We get a password but not a username, which means we are probably going to brute force a service with a username list and this password. It looks like we can use crackmapexec to brute force potential login names for WinRM.

     This finished without finding a working name though. I reran it with another username list without luck. I then tried brute forcing SMB but hit some issues. Looking over HackTricks’ notes, I decided to try to enumerate users next with nmap, then tried with crackmapexec, but I had issues getting anything.

     I began googling how to enumerate Windows users. I started working through PentestEverything’s notes on the topic. These methods used PowerShell though, or required access to the machine already. This HTB article mentions using Impacket, which I recall using before. I actually had some Impacket notes from when I did the Active room recently. I’m failing to get anything going here though, so I did some of the Guided Mode questions to get back on track.

Cicada - Hint 1

     I was in the right thought process, but I haven’t seen these specific Impacket tools before. I checked multiple Impacket cheat sheets after seeing that hint and none of them mentioned those tools. But it’s good that I am learning it here.

     I had some trouble with netexec but didn’t spend too much time with it. I kept looking into enumerating AD users without credentials and found a method that worked using crackmapexec. I think my issue here was twofold: I was mostly targeting WinRM for this enumeration, and I didn’t think to use the anonymous “credentials” as command arguments.

Cicada - Enum 3

     This gives us users and some group info. I pulled the users out and put them in their own txt file. I tried to brute force WinRM again now that I had a user list, but I was still coming up empty-handed. I instead attempted to brute force SMB and discovered our username.
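Seen from the blue-team side, the username discovery described above (one password tried against a whole list of accounts) leaves a distinctive footprint: many distinct target users failing from a single source in a short window, each with only one or two attempts. The following Python is an added example for this write-up, not the author's tooling; it runs that detection over a constructed batch of records shaped like Windows Security event ID 4625 (failed logon). The tuple layout, the sample rows and the thresholds are assumptions for the illustration, not a real log export format.

```python
"""Password-spray detector over Windows logon-failure events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape (timestamp, event_id, target_user, source_ip).
# Every row is made up for the example; 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-10-01T09:00:00", 4624, "svc_backup", "10.10.11.20"),
    # One source, eight different accounts, one attempt each: the spray signature.
    ("2024-10-01T09:00:01", 4625, "user01", "10.10.14.5"),
    ("2024-10-01T09:00:02", 4625, "user02", "10.10.14.5"),
    ("2024-10-01T09:00:03", 4625, "user03", "10.10.14.5"),
    ("2024-10-01T09:00:04", 4625, "user04", "10.10.14.5"),
    ("2024-10-01T09:00:05", 4625, "user05", "10.10.14.5"),
    ("2024-10-01T09:00:06", 4625, "user06", "10.10.14.5"),
    ("2024-10-01T09:00:07", 4625, "user07", "10.10.14.5"),
    ("2024-10-01T09:00:08", 4625, "user08", "10.10.14.5"),
    # Another source hammering a single account: brute force, not a spray.
    ("2024-10-01T09:10:00", 4625, "user01", "10.10.14.9"),
    ("2024-10-01T09:10:01", 4625, "user01", "10.10.14.9"),
    ("2024-10-01T09:10:02", 4625, "user01", "10.10.14.9"),
    ("2024-10-01T09:10:03", 4625, "user01", "10.10.14.9"),
    ("2024-10-01T09:10:04", 4625, "user01", "10.10.14.9"),
    ("2024-10-01T09:10:05", 4625, "user01", "10.10.14.9"),
    # A lone typo from a workstation, far away from any burst.
    ("2024-10-01T11:30:00", 4625, "user02", "10.10.11.31"),
]


def parse_event(row):
    """Turn a raw tuple into a dict with a real datetime and a normalised user name."""
    ts, event_id, user, src = row
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "user": user.lower(), "src": src}


def detect_spray(events, window_seconds=300, min_users=5, max_per_user=2):
    """Return one finding per source whose failed logons inside some window of
    window_seconds touch at least min_users distinct accounts while no single
    account is tried more than max_per_user times (many users, few attempts each)."""
    window = timedelta(seconds=window_seconds)
    failures = sorted((parse_event(r) for r in events if r[1] == 4625),
                      key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        counts = Counter()  # user -> attempts inside the current sliding window
        start = 0
        best = None
        for end, e in enumerate(evs):
            counts[e["user"]] += 1
            # Slide the left edge forward until the window fits again.
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            distinct = len(counts)
            if distinct >= min_users and max(counts.values()) <= max_per_user:
                if best is None or distinct > best["distinct_users"]:
                    best = {"source": src, "distinct_users": distinct,
                            "window_start": evs[start]["ts"].isoformat(),
                            "window_end": e["ts"].isoformat()}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {f['source']}: {f['distinct_users']} accounts "
              f"between {f['window_start']} and {f['window_end']}")
```

The max_per_user bound is what separates a spray from a classic brute force: a per-account lockout threshold never fires on a spray because each account sees a single attempt, so the detection has to pivot on the source and count distinct targets instead.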

Cicada - Brute 1

     I tried to log in to this account using evil-winrm and then tried accessing the SMB shares as this account. This didn’t yield anything though, so I returned to HackTricks’ notes. I checked for AS-REP roasting, but the account we have isn’t susceptible. I also checked whether any of the other users we found were.

Cicada - Enum 4

     Alright, what else can we do with this account? I ran another crackmapexec enumeration scan, this time using the credentials we have.

     Surprisingly, someone left their password in a data field that got scraped. I tried evil-winrm with this account now too. I failed to get anything here, so I moved back to the SMB shares.
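The password that turned up here was sitting in a user attribute that any authenticated LDAP query returns, which is why it is worth auditing those text fields proactively rather than waiting for an enumeration scan to surface them. The Python below is an added example and not the author's tooling: it scans the description, info and comment attributes of a constructed set of user objects for credential keywords and password-shaped tokens, and reports each hit with the suspected value masked so the report itself does not become another copy of the secret. The attribute names follow the AD schema; the sample accounts and the heuristics are assumptions made for the illustration.

```python
"""Audit AD user text attributes for stored credentials (added example)."""
import re

# Constructed user objects in the shape an LDAP export gives them. Attribute
# names are real AD schema names; every value is made up for the example.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_scan", "description": "Scanner service account - pw: Summer2024!"},
    {"sAMAccountName": "j.doe", "description": "Finance team, desk 4B"},
    {"sAMAccountName": "svc_sql", "description": "", "info": "temp password Xk7#pQ2v set by IT 2023"},
    {"sAMAccountName": "t.reed", "description": "Ask helpdesk for password reset"},
    {"sAMAccountName": "backup_op", "description": "Backup operator account"},
]

# Free-text attributes that admins habitually use as a notepad.
TEXT_ATTRIBUTES = ("description", "info", "comment")

# Words that usually accompany a stored credential.
KEYWORD_RE = re.compile(r"\b(pass(word|wd|phrase)?|pwd|pw|cred(ential)?s?|secret)\b", re.I)


def looks_like_secret(token, min_len=8, min_classes=3):
    """True if token has the shape of a password: long enough and drawn from
    at least min_classes of {lower, upper, digit, symbol}."""
    classes = sum((any(c.islower() for c in token),
                   any(c.isupper() for c in token),
                   any(c.isdigit() for c in token),
                   any(not c.isalnum() for c in token)))
    return len(token) >= min_len and classes >= min_classes


def mask(token, keep=2):
    """Keep the first characters so an admin can recognise the value in the
    report without the report leaking the whole credential."""
    return token[:keep] + "*" * (len(token) - keep)


def audit_text_attributes(users):
    """Return one finding per (user, attribute) whose text mentions credentials.
    Severity is 'high' when a password-shaped token sits next to a keyword and
    'low' when only the keyword is present (often harmless, e.g. 'password reset')."""
    findings = []
    for user in users:
        for attr in TEXT_ATTRIBUTES:
            text = user.get(attr, "") or ""
            if not KEYWORD_RE.search(text):
                continue
            tokens = [t.strip(",.;()") for t in text.split()]
            secrets = [t for t in tokens if looks_like_secret(t)]
            findings.append({
                "account": user["sAMAccountName"],
                "attribute": attr,
                "severity": "high" if secrets else "low",
                "masked": mask(secrets[0]) if secrets else None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_text_attributes(SAMPLE_USERS):
        print(f"[{f['severity']}] {f['account']}.{f['attribute']}: {f['masked']}")
```

Running it against a real directory means feeding it the output of an LDAP export instead of SAMPLE_USERS; the keyword check keeps false positives down, and the 'low' tier exists so that a sentence like "ask helpdesk for password reset" is reviewed rather than silently dropped.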

     Looks like we have another set of credentials. I tried checking SMB first this time and it looks like this user can access the C$ share.

Cicada - Enum 7

     I started poking around and got the first flag on emily’s desktop. Since this worked, I tried evil-winrm as emily and got in.

Cicada - Flag 1

     Alright, now that we have a connection, I am going to get BloodHound running. Once logged in, we can download our data collector.

Cicada - Bloodhound 1

     I then started a Python HTTP server on my machine and downloaded it through the WinRM session.

Cicada - Bloodhound 2

     I saw in my evil-winrm notes afterwards that I could have used the upload function instead, but for now we will use the download function before importing into BloodHound.

Cicada - Bloodhound 3
Cicada - Bloodhound 4

     Great, now we can start poking around BloodHound for interesting relations. First, I found emily.oscars’ object and marked it as owned as well as the starting point. Then I used the Cypher saved query “Shortest paths from Owned objects to Tier Zero”.

Cicada - Bloodhound 5

     I know from my personal notes that DCSync rights are good for getting us credentials, so let’s start there. When I tried to run mimikatz on the victim, it looped and wouldn’t run correctly. But I encountered this in the past and found I can pass commands as I run it.

Cicada - Mimikatz 1

     I’m getting some errors with this though, so I decided to give adPEAS a shot. At this point, I am bouncing a bit between BloodHound and this report to check different things, reading linked articles and researching. I saw that this Dev Support group has access to add a machine to the domain, which I have used for privilege escalation before.

Cicada - adPEAS 1

     I used the Pathfinder feature in BloodHound to map my route from emily’s account to the Dev Support group. There I started reading a link they included, which discusses some potentially dangerous built-in groups, one of which our user happens to be in.

Cicada - adPEAS 2

     That led me to google “Backup Operator privilege escalation”, where I saw this article mentioning that this group allows users to back up any files regardless of rights. They use it to dump the SAM database, but we just need the root flag. I tried using robocopy for this, but I don’t have the rights.
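Membership in Backup Operators and the other built-in operator groups is frequently inherited through nested groups, so a listing of direct members alone can miss exactly the account that matters. The Python below is an added example, taken neither from the write-up nor from the linked article: it resolves nested membership with a breadth-first walk that tolerates membership cycles, reports every non-group principal that ends up in a watched built-in group without also being a Domain Admin, and records the nesting chain that got it there, much like the path BloodHound draws. The group export and all names in it are constructed; the watchlist covers the four classic operator groups.

```python
"""Effective-membership audit for privileged built-in groups (added example)."""
from collections import deque

# Constructed group export: group -> direct members, where a member may itself
# be a group. Names are made up; the nesting includes a deliberate cycle
# (Helpdesk -> IT Tier2 -> Helpdesk) to show the walk terminates anyway.
SAMPLE_GROUPS = {
    "Domain Admins": ["administrator"],
    "Backup Operators": ["svc_backup", "IT Tier2"],
    "Server Operators": ["administrator"],
    "Account Operators": ["Helpdesk"],
    "Print Operators": [],
    "IT Tier2": ["Helpdesk", "m.lee"],
    "Helpdesk": ["t.reed", "IT Tier2"],
    "Sales": ["a.kim"],
}

# Built-in groups whose members can reach admin-equivalent access on a DC.
PRIVILEGED_BUILTIN = ("Backup Operators", "Server Operators",
                      "Account Operators", "Print Operators")


def effective_members(groups, group):
    """Return {principal: chain} for every non-group principal reachable from
    `group` through nesting; chain is the list of groups walked to get there."""
    result = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:              # nested group: descend once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            elif member not in result:        # leaf principal: keep first path
                result[member] = chain
    return result


def audit_privileged_groups(groups, watchlist=PRIVILEGED_BUILTIN):
    """List every principal that is effectively in a watched group but is not
    an effective Domain Admin, together with the nesting chain that places it there."""
    admins = set(effective_members(groups, "Domain Admins"))
    findings = []
    for group in watchlist:
        for user, chain in sorted(effective_members(groups, group).items()):
            if user in admins:
                continue
            findings.append({"user": user, "group": group,
                             "via": " -> ".join(chain)})
    return findings


if __name__ == "__main__":
    for f in audit_privileged_groups(SAMPLE_GROUPS):
        print(f"{f['user']} is in {f['group']} via {f['via']}")
```

The `via` chain is what makes the finding actionable: removing a user from the operator group directly does nothing when the membership comes through a helpdesk or tier group two hops away, so the report points at the nesting edge that actually needs to be cut.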

Cicada - Explore 2

     Alright, maybe I need to just dump the SAM database then. I used this article again to walk through this process.

Cicada - Explore 3
Cicada - Hash 1

     Awesome, we have the admin’s hash. What’s nice is that we don’t have to crack this, because we can perform a pass-the-hash attack with evil-winrm.

Cicada - Flag 2

     There we have our root flag. This room was a lot of fun. I have less experience attacking Windows and I’m currently pretty rusty too, so I could definitely use the practice. I’ve got some decent Windows notes from when I studied for the eJPT, but I am updating all of that now in preparation for the OSCP.

[CATZ....HACKS]