Hack The Box

Machine Info

Cicada is an easy Windows machine. We started by logging in as an anonymous SMB user, which allowed us to enumerate SMB shares. From the accessible shares, we were able to extract credentials. Next, we performed Active Directory user enumeration followed by a password spraying attack, which revealed a valid set of login credentials. Using these credentials, we leveraged LDAP dumping to extract stored passwords. Among the discovered shares, we found one containing files for a low-privileged user, allowing us to obtain user access. Checking our privileges, we identified a way to extract the SAM and SYSTEM registry hives, which provided us with the Administrator's NTLM hash. Finally, we used the hash to gain full root access.

Enumeration

Nmap:

nmap -sC -sV 10.10.11.35 -oA nmap/Cicada  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-09 16:03 IST
Nmap scan report for 10.10.11.35
Host is up (0.039s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-09 17:16:33Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h43m15s
| smb2-time: 
|   date: 2025-02-09T17:17:15
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.18 seconds

The Nmap scan of 10.10.11.35 confirms a Windows Active Directory Domain Controller. DNS (53), Kerberos (88), RPC (135), NetBIOS (139), and SMB (445) are open, the usual AD service set, and the LDAP services (389, 636, 3268, 3269) identify the domain as cicada.htb and the host as CICADA-DC. SMB signing is enabled and required, and WinRM (5985) could allow remote execution if credentials are found. The TLS certificate is valid from August 22, 2024, to August 22, 2025, and the host's clock is skewed by 6 hours 43 minutes relative to the scanner's; since Kerberos tolerates only a few minutes of skew by default, any Kerberos-based authentication will need the client clock synchronised to the DC first. Key attack vectors include SMB, LDAP, Kerberos, and WinRM, requiring further enumeration.
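As an added example (not part of the original write-up), the following Python parser pulls the facts listed above out of a constructed excerpt of this scan and computes the clock skew from the Kerberos banner; the IST offset and the 5-minute Kerberos tolerance are assumptions stated in the code.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the Nmap output above, trimmed to the lines the parser needs.
SCAN = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-09 16:03 IST
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-09 17:16:33Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_    Message signing enabled and required
"""

IST = timezone(timedelta(hours=5, minutes=30))  # assumption: Nmap printed its start time in IST
KERBEROS_MAX_SKEW = timedelta(minutes=5)        # assumption: default Kerberos clock tolerance

def parse_scan(text, local_tz=IST):
    """Extract the AD-relevant facts from normal-format Nmap output."""
    info = {"open_ports": [], "domain": None, "dc_host": None, "server_time": None,
            "local_time": None, "smb_signing_required": False}
    for line in text.splitlines():
        if m := re.match(r"(\d+)/tcp\s+open", line):
            info["open_ports"].append(int(m.group(1)))
        elif m := re.match(r"Starting Nmap .* at (\d{4}-\d\d-\d\d \d\d:\d\d)", line):
            # Scanner clock at minute resolution, in the zone the scanner ran in
            info["local_time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=local_tz)
        elif m := re.search(r"commonName=(\S+)", line):
            info["dc_host"] = m.group(1)
        elif "Message signing enabled and required" in line:
            info["smb_signing_required"] = True
        if m := re.search(r"server time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)Z", line):
            # The Kerberos banner carries the DC's own clock in UTC
            info["server_time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if m := re.search(r"Domain: (\S+?)0\.,", line):
            info["domain"] = m.group(1)  # Nmap prints the domain with a stray trailing "0."
    return info

def triage(info):
    """What the scan tells an operator or defender, as values they can act on."""
    skew = info["server_time"] - info["local_time"]  # DC clock minus scanner clock
    return {
        "is_domain_controller": {88, 389, 445}.issubset(info["open_ports"]),
        "winrm_exposed": 5985 in info["open_ports"],
        "smb_signing_required": info["smb_signing_required"],
        "skew_seconds": int(skew.total_seconds()),
        # Kerberos rejects requests outside the tolerance, so auth fails until clocks are synced
        "kerberos_needs_time_sync": abs(skew) > KERBEROS_MAX_SKEW,
    }
```

The computed skew comes from the minute-resolution start line, so it differs by a few seconds from Nmap's own clock-skew figure.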

⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

⛔ For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.


Appreciation

If my write-up helped you, I’d really appreciate it if you could show your support! 🙏 Also, if you like my content, please consider giving me respect on HTB—your support truly means a lot! 💚✨


Found a Mistake?

If you notice any errors or have feedback, feel free to email me at ashwin200323@gmail.com. Thanks for your help!