
Fluffy - HackTheBox (HTB) CTF Walkthrough

HackTheBox Fluffy CTF Walkthrough with explanation for beginners!

Fluffy is another fantastic HTB machine for learning about enumerating and attacking AD. Join me as we learn about exploiting malicious archives via SMB shares, BloodHound, and abusing Active Directory Certificate Services (ADCS).

HTB Machine - https://app.hackthebox.com/machines/Fluffy

My Github (More walkthroughs!) - https://github.com/NTHSec/CTF-Writeups
My Medium (More walkthroughs!) - https://medium.com/@NTHSec

--------------------------------------------------------------------------------------------------
Time Stamps:

0:00 - Intro
0:50 - Initial Nmap Scans
1:15 - Exploring our initial credentials to find a writable SMB share
2:30 - Explaining a possible watering hole attack with the writable SMB share
4:30 - Dropping a malicious LNK file into the SMB share with slinky
6:15 - Enumerating the IT share to find possible CVEs that the server is vulnerable to
9:00 - Searching for CVE PoCs that the server may be vulnerable to
13:30 - Exploiting CVE-2025-24071 to obtain p.agila's NTLMv2 hash
16:40 - Cracking p.agila's hash and starting enumeration as p.agila
21:00 - Starting up BloodHound for additional enumeration as p.agila
25:00 - Finding p.agila has GenericAll over the Service Management Group. Abusing this to perform a shadow credential attack on all service accounts
30:40 - Using Certipy to perform a shadow credential attack to obtain ca_svc's hash
35:45 - Enumerating vulnerable CA templates with Certipy using the ca_svc account
38:30 - Finding that the CA is vulnerable to ESC16. Briefly explaining ESC16
40:45 - Exploiting ESC16 to retrieve the Domain Administrator hash (very painful)
54:45 - Evil-WinRM in as Administrator to grab flags
55:45 - Outro

Video "Fluffy - HackTheBox (HTB) CTF Walkthrough" from the NTH Security channel