HackTheBox : Cicada
Cicada is a beginner-friendly windows machine that covers some interesting techniques. To get our initial access, we took advantage of a SMB guest session. This guest session then allowed us to access a readable public share that contained the company default password. To be able to authenticate, we needed to find a list of usernames that we obtained after performing a RID cycling attack. Using this first set of credentials, we have been able to enumerate other domain information and found a password in the description field of another domain user. With this new password, we got read access to a new share that stored the credentials of another user in a powershell script. After some enumeration, we noticed that this new user was part of the Backup Operators group which allowed us to backup any file in the domain included the SAM and NTDS.dit databases which stores sensitive information such as NT hashes. Once the NT hashes extracted, we performed a pass-the-hash attack and fully compromised the domain.
That being said, in this box you will learn the following techniques :
→ Enumerate guest/null sessions using enum4linux-ng
→ Enumerate SMB shares with netexec and manspider
→ Perform a RID cycling attack using netxec and impacket’s lookupsid.py
→ Perform password spraying attack
→ Collect domain information with rusthound
→ Extract useful domain information using bloodhound-quickwin
→ Extract SAM and SYSTEM files from the hive using living off the land technique
→ Perform a pass-the-hash attack
Reconnaissance
Nmap
DNS — TCP/53
Let’s first query all the domain entries using dig :
We got a new domain : cicada-dc.cicada.htb
Let’s add that to our /etc/hosts file :
Once done, let’s try to perform a DNS zone transfer against cicada.htb :
The DNS zone transfer failed !
Let’s now move on with SMB enumeration.
SMB — TCP/445
In this section, we will first run enum4linux-ng. This tool will perform various checks like enumerating null/guest sessions, domain information (domain name, FQDN), RPC information (users, groups, password policy, OS information, printer information) and so on :
The -A and -C options are respectively used to perform all simple enumeration and services enumeration.
Note : If you run enum4linux-ng without providing any option, it will automatically use the -A option to perform all simple enumeration.
From the output above, you can see that the server allows SMB guest session. This is quite different from SMB null session. Feel free to read this blog post if you want to learn more about the topic.
That said, let’s check the guest session using netexec :
Here, we can try to enumerate the shares :
Interesting ! We have read permission over the HR share which is not a default share on Active Directory. Let’s take a look at its content :
After downloading the HR share, we can check if it stores any sensitive information that could help us get higher privileges :
Awesome ! The share stores the company default plaintext password. Nevertheless, we don’t have a list of usernames against which we can check this password. Therefore, our next goal will be to find a way of getting usernames. For instance, we can try to enumerate users using rpcclient :
Unfortunately, this method failed !
Another method consists of performing a RID cycling attack. Simply put, this is how it works :
By default, every domain account or group has a Security IDentifier (SID). This is a unique identifier that is issued by the domain controller to differentiate different domain accounts. Generic accounts such as Administrator and Guest are part of a list of well-known SIDs that you can find here. To picture that, let’s take a look at the figure below :
As illustrated on the figure above, we used a rpcclient’s command called lookupnames that allowed us to convert account usernames to SIDs. We could even convert group names if we wanted to :
Here is a quick breakdown of the different parts of an SID :
- S : stands for SID
- 1 : the SID version (1 in modern Windows machines)
- 5 : an identifier authority
- 21–917908876–1423158569–315903872 : represents the domain identifier (unique for each domain)
- 513 : the Relative IDentifer (RID) which identifies a specific user, group, or system account. This identifier is unique within a domain.
That said, we can reverse the lookup process which means that we can also convert SIDs to names. This is where things get really interesting. Indeed, we can perform an attack called RID cycling which consists of adding random RIDs to the end of an SID and hope to come across a valid domain object (user, group, alias, etc). The rpcclient command to do that is called lookupsids. For instance, on the figure below I tried to lookup different RIDs like 501, 1000, and 1200 :
As you can see, the latest RID (1200) provided me nothing. Instead of doing that manually, we can use nxc to automate the process :
Our attack worked and we’ve been able to get a list of usernames, groups and aliases.
Note : By default, nxc performs a rid cycling against the 4000 first RIDs.
Here is another way of performing a RID cycling attack using impacket’s lookupsid :
Well, let’s now try to perform a password spraying attack using the list of usernames we enumerated above and the password found in the HR share :
Note : I used the --continue-on-success flag to prevent nxc to stop the attack after finding a valid credential.
Great ! We obtained a valid credential for the user michael.wrightson.
Let’s check if we can authenticate to other open ports to see if we can eventually get a shell :
Unfortunately, the authentication failed for WinRM. Nevertheless, we can still do more with this access. For instance, we can try to enumerate michael.wrightson’s shares :
We have read access to Netlogon and Sysvol shares. However, after checking their content, I found nothing interesting. We can also try enumerating michael.wrightson’s group membership :
Well, this led nowhere. Let’s try to collect the domain information using rusthound. RustHound is a cross-platform bloodhound collector written in Rust programming language. It comes in two versions : Rusthound legacy for bloodhound legacy version and Rusthound-CE for bloodhound Community Edition. Here, I used the latter one because I use bloodhound Community Edition :
Once the execution done, RustHound will generate a zip file containing json files that we can then upload in Bloodhound.
Prior uploading the zip file in Bloodhound, I will show you a quick way to enumerate the collected domain information. To do that, I will use a great tool called bloodhound-quickwin :
Make sure to start your neo4j database before running bloodhound-quickwin.
Once done, you can run bloodhound-quickwin as follows :
1/ Enumerate all available domains
2/ Running bloodhound-quickwin against a specific domain :
This didn’t retrieve anything really interesting but it is worth knowing this tool as it can be useful in other scenarios. Let’s now check what we can find in bloodhound :
Seeing all these certificates made me think of AD CS. Let’s try to enumerate vulnerable templates using certipy :
No vulnerable template was found !
We can also enumerate users’ description field as it sometimes contains sensitive information stored by admins :
Interesting ! A password is stored in the description field of the user david.orelious. Let’s check if this password is still valid :
Awesome, the password is valid.
Now let’s check if we can authenticate on other open ports :
As you can see, the authentication only worked for LDAP.
That said, let’s enumerate the shares :
David.orelious has read access to the DEV share.
Let’s check the content of this share using smbclient.py :
Awesome ! We found a password that seems to belong to the user emily.oscars. Let’s check if these credentials are valid :
Hoorah, the credentials are valid.
Note : Rather than enumerating the DEV share manually, we could use a great tool called manspider to automate the research of sensitive information in shares. Here is how to use it :
That said, let’s try to authenticate against other open ports :
This time, we got a successful authentication for winrm which mean that we can get a shell for emily.oscars. That said, let’s authenticate to winrm using evil-winrm :
Haha, emily.oscars is part of the Backup Operators group. Users of this group can backup any file they want in the domain included sensitive files such as SAM or NTDS.dit. This means that it’s game over !! Furthermore, you can see below that we have the SeBackupPrivilege and SeRestorePrivilege which are generally related to Backup Operators. Here is great resource that explains it.
Well, let’s first retrieve the user flag :
Privilege Escalation
In this section, we are going to escalate our privileges by taking advantage of being part of the Backup Operators group.
Let’s first try to download the SAM and SYSTEM registry files :
Let’s check if we can authenticate as Administrator using the above NT hash :
Wonderful ! It works !
Let’s authenticate to the Administrator account using evil-winrm :
Well, let’s retrieve now the root flag :
Wrap Up
That’s it guys. Congrats on having made it so far 👏
I hope you enjoyed the writeup and learned new techniques.
That said, do not forget to click on the little clap icon below to support me and subscribe to my newsletter to keep up with my latest articles !
Resources
https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets
https://sensepost.com/blog/2024/guest-vs-null-session-on-windows/
https://www.hackingarticles.in/active-directory-enumeration-rpcclient/
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
https://yogesh-verma.medium.com/zone-transfer-attacks-a-practical-guide-to-detection-and-prevention-2e8346d0297e
Contact
GitHub : https://github.com/0liverFlow
