HackTheBox: Fluffy
An assumed-breach Windows AD box: steal a second user's NTLM hash with CVE-2025-24071, map ACLs in BloodHound, abuse GenericAll/GenericWrite with bloodyAD + Certipy shadow credentials to reach winrm_svc, then exploit an ADCS ESC16 misconfiguration to impersonate the Administrator.
Read 