The Cicada machine on Hack The Box involves gaining initial access through SMB exploitation and using the SeBackupPrivilege feature for privilege escalation.
The attacker starts with an Nmap port scan and then uses the smbclient tool to discover an open SMB share.
The “HR” share contains a file with a password that turns out to be associated with the user “Michael.wrightson,” allowing the attacker to obtain a username.
Using the nxc tool from the Nmap scripting engine, the attacker brute-forces RIDs to find additional usernames and stores them in a file.
The attacker then uses the enum4linux-ng tool to attempt to log in to the SMB server with the discovered password and username, which succeeds for the user “david.orelious.”
This grants the attacker access to another share, “DEV,” which contains a .ps1 file with another password for the user “emily.oscars.”
Using the evil-winrm tool, the attacker logs in as “emily.oscars” and receives a user flag.
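
From the defender's side, trying one discovered password against a list of enumerated usernames shows up as a burst of failed logons for many distinct accounts from a single source, often followed by one success. The following added example, which is not part of the original write-up, flags that pattern in Windows Security events (4625 = failed logon, 4624 = successful logon); the event tuples, IP addresses, thresholds and the `detect_spray` function name are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, account).
# Account names reuse those mentioned in the write-up plus one placeholder.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", 4625, "192.0.2.10", "michael.wrightson"),
    ("2024-01-01T10:00:02", 4625, "192.0.2.10", "emily.oscars"),
    ("2024-01-01T10:00:03", 4625, "192.0.2.10", "constructed.user1"),
    ("2024-01-01T10:00:04", 4624, "192.0.2.10", "david.orelious"),
    # A normal user mistyping a password once, then logging in later.
    ("2024-01-01T09:00:00", 4625, "192.0.2.77", "emily.oscars"),
    ("2024-01-01T09:30:00", 4624, "192.0.2.77", "emily.oscars"),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Flag sources that fail logons for >= min_accounts distinct accounts
    inside one time window, and list accounts that succeeded in that window."""
    by_src = defaultdict(list)
    for ts, event_id, src, account in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, account.lower()))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = {a for _, eid, a in in_window if eid == 4625}
            if len(failed) >= min_accounts:
                # Accounts that logged on without failing are the likely hits.
                succeeded = {a for _, eid, a in in_window if eid == 4624} - failed
                findings.append({
                    "source": src,
                    "window_start": start.isoformat(),
                    "failed_accounts": sorted(failed),
                    "succeeded": sorted(succeeded),
                })
                break  # one finding per source is enough to raise an alert
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

Accounts listed under `succeeded` are the ones whose credentials should be rotated first, along with any shares or scripts where that password is stored.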