
cicada


Cicada

User

netexec smb 10.10.11.35 -u guest -p '' --rid-brute 10000 --log rid-brute.txt


john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

What we are doing here is brute forcing RIDs over SMB to find all users that are registered in the Active Directory network

Then we scan the shares to see if there are any we have read access to, which we do on the HR directory

We see a file called “Notice from HR” so we pull it down

We see inside it a default password


Cicada$M6Corpb*@Lp#nZp!8

We have previously made a “users.txt” file with all interesting accounts and we run it with the password using netexec as a way of checking if any of the users still use the default password

We perform an LDAP dump and see that inside domain_user.html David Orelious has made a comment reminding himself of his password


Just in case I forget my password is aRt$Lp#7t*VQ!3

david.orelious
aRt$Lp#7t*VQ!3
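
A defender-side check for the finding above, as an added example that is not part of the original post: it parses an LDIF export of user objects and flags free-text attributes that appear to contain a password. The sample accounts, the attribute list and the heuristics are constructed assumptions for illustration.

```python
import base64
import re

# Constructed sample (not from the page): one folded line, one base64 value, one benign.
SAMPLE_LDIF = (
    "dn: CN=Alice Example,CN=Users,DC=example,DC=local\n"
    "sAMAccountName: alice.example\n"
    "description: Just in case I forget my passw\n"
    " ord is Zx9$Constructed!7\n\n"
    "dn: CN=Bob Example,CN=Users,DC=example,DC=local\n"
    "sAMAccountName: bob.example\n"
    "description:: " + base64.b64encode(b"Temp login Q2#examplePw9").decode() + "\n\n"
    "dn: CN=Carol Example,CN=Users,DC=example,DC=local\n"
    "sAMAccountName: carol.example\n"
    "description: Helpdesk, second floor, badge 4471\n"
)
FREE_TEXT = ("description", "info", "comment")  # free-text attributes to check (assumed list)
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd?|cred(ential)?s?)\b", re.I)
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry."""
    unfolded = re.sub(r"\n ", "", text)  # a leading space marks a folded line; rejoin first
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"([A-Za-z][\w;-]*)(::?)\s*(.*)", line)
            if m:
                name, sep, value = m.groups()
                if sep == "::":  # a double colon means the value is base64-encoded
                    value = base64.b64decode(value).decode("utf-8", "replace")
                entry.setdefault(name.lower(), []).append(value)
        yield entry

def looks_like_secret(token):
    """Triage heuristic: 8+ characters drawn from at least three character classes."""
    token = token.strip(".,;:()\"'")
    return len(token) >= 8 and sum(bool(re.search(c, token)) for c in CLASSES) >= 3

def audit(text):
    """Return (account, attribute, reason) for fields that may hold a password."""
    findings = []
    for entry in parse_ldif(text):
        account = entry.get("samaccountname", ["?"])[0]
        for attr in FREE_TEXT:
            for value in entry.get(attr, []):
                if KEYWORD.search(value):
                    findings.append((account, attr, "keyword"))
                elif any(looks_like_secret(t) for t in value.split()):
                    findings.append((account, attr, "complex-token"))
    return findings
```

Matching only raw lines would miss both flagged entries here: the keyword is split across a fold in the first, and the second value is base64-encoded.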

We recheck David's permissions on the SMB shares

We see a backup script and pull it down to find Emily's password

emily.oscars

Q!3@Lp#M6b*7t*Vt

We recheck Emily's permissions to see she has read/write on the C$ share

We get the user flag

Root

There are lots of ways to priv esc as a Backup Operator, but I just imported a module called SeBackupPrivilegeCmdLets and SeBackupPrivilegeUtils which let me copy a file, so I copied root.txt and read it