Posts for: #Windows

HackTheBox Fluffy Writeup

Fluffy is an Easy-rated Windows machine and my first box from the new CPTS Preparation Track on HackTheBox. It’s a great box if you want to get hands-on with modern Active Directory attacks. We start from an assumed-breach perspective, inject a crafted .library-ms file via an SMB share to harvest NTLM hashes, and continue by abusing Generic Write privileges through Shadow Credentials. The final step to Domain Takeover is exploiting an AD CS ESC16 vulnerability.

[Read More]

HackTheBox Optimum Writeup

Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.


🕵️ Enumeration

After spawning the machine and connecting to the VPN, we start with the initial enumeration.


🔍 Initial Nmap Scan

We begin by running an initial nmap scan with the following command:

nmap -sC -sV -vv -oA nmap/initial_scan <Target-IP>
  • -sC Run the default script set
  • -sV Service version detection
  • -vv Increased verbosity
  • -oA Write output in all formats (normal, XML, grepable) using the given base name

Nmap reports only port 80 open:

[Read More]