Fluffy

image

Looking at the nmap scan, we can see a couple of things. We see kerberos is running… maybe kerbroasting? SMB is running maybe there’s something interesting in that. Let’s investigate further.

image

Here we can see after listing the file shares with smbclient, we have read+write access to the IT file share.

image

There is a pdf in the file share named “Upgrade_Notice.pdf”.

image

The pdf is a list of CVEs scheduled to be patched in the next update. After researching each of these, CVE-2025-24071 seems to be the most interesting in this case.

This vulnerability arises from automatic parsing of file paths in .library-ms files in Windows Explorer, which means we can pass in a UAC file path and potentially force NTLM authentication. Since we have write access over the ‘IT’ SMB share we have a method of delivering this malicious file.

image

We can clone in the PoC of this CVE then upload the file to the ‘IT’ share as I mentioned earlier. In addition, we will launch responder which should capture the NTLM Auth request from our victim user.

image

image

We captured a hash of the user ‘p.agila’

After Cracking this hash, we are left with hashcat mode 5600 we are left with the credentials p.agila / prometheusx-303

image

After running bloodhound with either the first given credentials or the new ones we have just discovered after running the exploit, we see that p.agila is a member of the ‘service account managers’ group. In addition, she has genericAll rights to all three service accounts in the domain.

image

We can then access these service accounts by adding p.agila to service accounts, abusing our genericAll privs from the “service account managers” group. Then we can use shadow credentials attack to access one of the service accounts, in this case “winrm_svc”. With this attack, I am explicitly mapping a certificate to this user and abusing my GenericWrite privs.

image

image

Now we have a valid NT hash that we can use to authenticate. If we back track to our nmap scan, we see port 5985 open. This, along with the obvious “winrm_svc” account being present means WinRM is actively running, so we can use evil-winrm.

image

We successfully authenticated with winrm and get user.

The “winrm_svc” account has essentially nothing interesting associated with it. So, shifting our attention back to bloodhound to see if anything else catches my attention.

image

We can see from this screenshot, “ca_svc” is part of the “Cert Publishers” group. What does this mean exactly?

Here we can see that “Members of this group are permitted to publish certificates to the directory.”

image

We can use certipy again to look for a vulnerable certificate template. We first need to repeat the same steps we used for “winrm_svc” to get authentication for the “ca_svc” service account:

image

We can use certipy-ad find with the “-vulnerable” flag to look for vulnerable certificate templates.

image

Viewing the output, we find that there’s a certificate vulnerable to ESC16 with a security extension disabled. The exact security extension is OID 1.3.6.1.4.311.25.2.

What does this do? The output shows that the Security Extension is disabled, specifically, the OID 1.3.6.1.4.1.311.25.2 is not set. This OID is crucial for SID-based object mapping in ADCS. When 1.3.6.1.4.1.311.25.2 is enabled, certificates are mapped to Active Directory objects using the requester’s immutable SID. Without this extension, ADCS falls back to using the requester’s UPN, which can be changed if an attacker has GenericWrite permissions over the target object. This makes it easy to impersonate other users. To exploit this, we simply need to locate a certificate template we have enrollment rights over. The User template, in this case, allows all Domain Users to enroll, making it a possible candidate for the ESC16 attack.

image

image

We first update the UPN of “ca_svc” to that of “administrator”. Then we request a certificate for “ca_svc” using the “user” template.

image

Next, we must put the upn back to “ca_svc” and then we can force authentication as admin using the ‘administrator.pfx’ we made previously.

We now have a hash for that of the admin account. We can use evil-winrm again to get the root flag for this box.

image

Ez gg.