
Cicada HTB - Writeup

hello! lots of exciting things planned for me! here's a short writeup of HTB's Cicada

after port scanning you'll see a bunch of ports that are textbook AD, but this is simpler than that. first you'll come across SMB shares that are open to anonymous listing, or at least one of them is.

the .txt file in there gives a default password

as we still don't know any usernames, we can rid-brute our way using netexec

    netexec smb cicada.htb -u 'guest' -p '' --rid-brute | grep SidTypeUser

then just repeat netexec and see which one the password can be used on, in this case it's michael.wrightson

with this, as you still can't access the SMB share, maybe LDAP will give something..?

and we have the password to david.orelious! let's try to use this to access the SMB share we couldn't before (DEV)

in here is a .ps1 script which contains credentials to emily.oscars

at this point, we should be able to use evil-winrm and get a shell on it - and we do

checking the privileges, we see that this account has SeBackupPrivilege enabled, which is written about well here

we grabbed the admin's hash! now we can just pass the hash onto evil-winrm and log in through that, grab the root.txt, bam
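the step above where one default password gets tried against every enumerated account is a password spray, and on the defending side it shows up as one source touching many accounts in a short burst. here's an added example (not part of the original writeup) that flags that pattern in logon events; the log format, IPs, the user.a/user.b names and the thresholds are constructed assumptions, only the event IDs 4625/4624 are the real Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"  # Windows Security log: failed / successful logon

# Constructed sample (not from the box): timestamp, event ID, TargetUserName, IpAddress.
SAMPLE_LOG = """\
2024-01-01T09:00:00 4625 michael.wrightson 192.0.2.10
2024-01-01T09:00:20 4625 michael.wrightson 192.0.2.10
2024-01-01T09:00:40 4624 michael.wrightson 192.0.2.10
2024-01-01T09:30:00 4625 user.a 192.0.2.66
2024-01-01T09:30:01 4625 user.b 192.0.2.66
2024-01-01T09:30:02 4625 david.orelious 192.0.2.66
2024-01-01T09:30:03 4624 michael.wrightson 192.0.2.66
2024-01-01T09:30:04 4625 emily.oscars 192.0.2.66
"""

def parse(log):
    """Yield (time, event_id, user, source) for logon events only."""
    for line in log.splitlines():
        ts, event_id, user, src = line.split()
        if event_id in (FAILED, SUCCESS):
            yield datetime.fromisoformat(ts), event_id, user.lower(), src

def detect_spray(log, window=timedelta(minutes=5), min_users=4):
    """Flag sources that try at least min_users distinct accounts within one window."""
    by_src = defaultdict(list)
    for event in sorted(parse(log)):
        by_src[event[3]].append(event)
    alerts = []
    for src, events in by_src.items():
        start = 0
        for end, event in enumerate(events):
            while event[0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({e[2] for e in events[start:end + 1]}) >= min_users:
                limit = events[start][0] + window
                burst = [e for e in events[start:] if e[0] <= limit]
                alerts.append({
                    "source": src,
                    "accounts_tried": sorted({e[2] for e in burst}),
                    "accounts_compromised": sorted({e[2] for e in burst if e[1] == SUCCESS}),
                })
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

a success inside the burst marks the account where the sprayed password worked, so that's the one to reset first; the user retrying their own password from 192.0.2.10 only ever touches one account and stays quiet.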