https://old.frang4.tech/tags/adcs/ Recent content in ADCS on Hugo en-us Sat, 20 Sep 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/fluffy/writeup/ Sat, 20 Sep 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/fluffy/writeup/ <h2 id="summary-how">Summary (How?)</h2> <p>We started by enumerating the provided credentials for the user <code>j.fleischman</code> and identified an SMB share named <code>IT</code>. After downloading files from the share, we discovered a PDF detailing vulnerabilities, including CVE-2025-24071, which enabled me to craft a malicious <code>.zip</code> file to leak NTLM hashes via Windows Explorer&rsquo;s automatic file parsing. Using this exploit, we captured the NTLM hash for the user <code>p.agila</code> and cracked its password.</p> <p>With <code>p.agila</code>&rsquo;s credentials, we found that the user had <code>GenericAll</code> permissions over the <code>SERVICE ACCOUNTS</code> group. This allowed us to add <code>p.agila</code> to the group and, subsequently, perform a Shadow Credentials attack to impersonate the <code>WINRM_SVC</code> account, successfully gaining access to the system as that user.</p>