# Puppy
## Recon
Start with nmap for information gathering. Many ports are open, so we poke around each of them.
```bash
# Nmap 7.94SVN scan initiated Wed May 21 10:57:37 2025 as: nmap -sC -sV -vv -oN ./nmap/nmap_tcp.out -Pn 10.10.11.70
Nmap scan report for 10.10.11.70
Host is up, received user-set (0.26s latency).
Scanned at 2025-05-21 10:57:37 EDT for 200s
Not shown: 989 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
2049/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
3260/tcp open iscsi? syn-ack
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-21T22:00:08
|_ start_date: N/A
|_clock-skew: 7h00m01s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62785/tcp): CLEAN (Timeout)
| Check 2 (port 47994/tcp): CLEAN (Timeout)
| Check 3 (port 26380/udp): CLEAN (Timeout)
| Check 4 (port 46192/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 21 11:00:57 2025 -- 1 IP address (1 host up) scanned in 199.89 seconds
```
## Enumeration
### SMB
The box provides us with credentials, so we can list the SMB shares as the levi.james user. One share stands out, 'DEV', but levi.james does not have read access to it.

### bloodhound.py
Since we have valid credentials and can reach the SMB service, we can use bloodhound.py to learn more about the user and the AD environment.
```bash
python3 bloodhound.py -d puppy.htb -u levi.james -p 'KingofAkron2025!' -ns 10.10.11.70 -c All
```
It turns out the HR@PUPPY.HTB group has **GenericWrite** over DEVELOPERS@PUPPY.HTB. As levi.james is a member of HR@PUPPY.HTB, we can abuse this to add levi.james to the DEVELOPERS group.

### bloodyAD
Use [bloodyAD](https://github.com/CravateRouge/bloodyAD) to add the levi.james user to the DEVELOPERS group.

### SMB
As a result, we can now read the 'DEV' share as levi.james.

### keepass
The folder we now have access to is interesting. We can pull its contents to our local machine and work on the KeePass file there.

keepass2john fails with an error, so we use a KeePass brute-force tool instead to crack the password of the 'recovery.kdbx' file. As a result, we get the password of the KeePass database.

Inside the database we find a number of valid users for the domain.

## Initial Foothold
### Password Spraying
Use netexec to password spray with the credentials found. We can use [username-anarchy](https://github.com/urbanadventurer/username-anarchy) to generate candidate usernames in various formats from the names we know.
We then spray the passwords against the generated username list.

This gives us another valid credential: one of the generated usernames combined with a password found in the KeePass database.
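
On the defensive side, a spray like the one above leaves a distinctive trail in the DC's logon-failure events. The following is an added example (not part of this writeup) that runs a simple spray detector over constructed 4625-style events; the field names follow the 4625 EventData layout, and the thresholds and the non-writeup usernames are assumptions.

```python
"""Spot a password-spray pattern in Windows logon-failure (4625) events.

Added example, not from the writeup. The events are constructed with the
4625 EventData field names a SIEM would export (IpAddress, TargetUserName)
plus a timestamp; the threshold values are assumptions to tune per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.14.5 fails against six different accounts in a
# few seconds (spray shape), while 10.10.14.9 is one user mistyping twice.
SPRAYED = ["levi.james", "ant.edwards", "adam.silver", "steph.cooper",
           "jamie.williams", "samuel.blake"]   # last two are made up
SAMPLE_4625 = [
    {"time": f"2025-05-21T22:00:0{i}", "IpAddress": "10.10.14.5",
     "TargetUserName": user, "LogonType": "3"}
    for i, user in enumerate(SPRAYED)
] + [
    {"time": "2025-05-21T22:01:10", "IpAddress": "10.10.14.9",
     "TargetUserName": "levi.james", "LogonType": "3"},
    {"time": "2025-05-21T22:01:15", "IpAddress": "10.10.14.9",
     "TargetUserName": "levi.james", "LogonType": "3"},
]

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted distinct target users} for every source
    whose failures hit at least `min_users` distinct accounts within any
    `window`-long span. Counting distinct accounts rather than raw
    failures is what separates a spray from one locked-out user."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["IpAddress"]].append(
            (datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_4625).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

Kerberos pre-authentication failures (4771) from the same source should be folded in as well, since tools can spray over Kerberos instead of NTLM.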

### bloodhound (ant.edwards)
We can now enumerate further as the new valid user, ant.edwards. In the BloodHound graph we can see that ant.edwards is a member of SENIOR DEVS@PUPPY.HTB, and that the SENIOR DEVS group has **GenericAll** over adam.silver.

BloodHound suggests abuse paths for this permission. With reference to this [hacking article](https://www.hackingarticles.in/forcechangepassword-active-directory-abuse/), we can carry out the exploitation.

### GenericAll (ForceChangePassword)
We use bloodyAD to change adam.silver's password to one of our choosing.

However, we cannot authenticate through evil-winrm; checking with netexec smb shows that the adam.silver account is disabled.

After some research, we learn that the error comes from the account's UAC (userAccountControl) flags, which mark the account as disabled (or expired). We use bloodyAD to remove the UAC flag from the adam.silver user. The command reference can be found [here](https://github.com/CravateRouge/bloodyAD/wiki/User-Guide?utm_source=chatgpt.com#remove-uac).

We can then ForceChangePassword on the adam.silver user again and try evil-winrm with the new password. This gets us into the adam.silver account.
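
Each step taken so far (adding levi.james to DEVELOPERS, resetting adam.silver's password, re-enabling the account) is an audited directory change. The following is an added example (not part of this writeup) that triages constructed Windows Security events for exactly those changes; the event field names are those of 4728/4732, 4724 and 4722, while the admin allow-list, the watched groups and the RIDs are assumptions.

```python
"""Triage Windows Security events for the AD changes made along this
writeup's path: a group-membership add (4728/4732), a forced password
reset (4724) and an account being re-enabled (4722). Added example, not
part of the writeup. Events are constructed with the EventData field
names of those events; the admin allow-list and RIDs are assumptions."""

DOMAIN_SID = "S-1-5-21-1487982659-1829050783-2281216199"   # from the writeup
ADMINS = {"Administrator"}                  # assumed: who may do these legitimately
WATCHED_GROUPS = {"DEVELOPERS", "SENIOR DEVS", "DOMAIN ADMINS"}  # assumed

# Constructed sample mirroring this writeup's steps, plus one legitimate add.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "levi.james",
     "SubjectUserSid": DOMAIN_SID + "-1105", "TargetUserName": "DEVELOPERS",
     "MemberSid": DOMAIN_SID + "-1105"},
    {"EventID": 4724, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.silver"},
    {"EventID": 4722, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.silver"},
    {"EventID": 4728, "SubjectUserName": "Administrator",
     "SubjectUserSid": DOMAIN_SID + "-500", "TargetUserName": "DEVELOPERS",
     "MemberSid": DOMAIN_SID + "-1250"},
]

def triage(events):
    """Return a list of (event_id, subject, detail) alerts for changes made
    by non-admins. A reset followed by an enable on the same account by the
    same subject is reported once more, with event_id 0, as a takeover
    pattern, because that pairing is what the ForceChangePassword path
    looks like when the target account was disabled."""
    alerts, resets = [], set()
    for e in events:
        eid, who, target = e["EventID"], e["SubjectUserName"], e["TargetUserName"]
        if who in ADMINS:
            continue                        # routine administration, not alerted
        if eid in (4728, 4732) and target.upper() in WATCHED_GROUPS:
            # MemberSid == SubjectUserSid means the subject added itself,
            # which is the GenericWrite-on-group abuse seen in this writeup
            how = "added self to" if e["MemberSid"] == e["SubjectUserSid"] else "added member to"
            alerts.append((eid, who, f"{how} group {target}"))
        elif eid == 4724:
            resets.add((who, target))
            alerts.append((eid, who, f"reset password of {target}"))
        elif eid == 4722:
            alerts.append((eid, who, f"enabled account {target}"))
            if (who, target) in resets:
                alerts.append((0, who, f"takeover pattern on {target}: reset then enable"))
    return alerts

if __name__ == "__main__":
    for eid, who, detail in triage(SAMPLE_EVENTS):
        print(f"[{eid}] {who}: {detail}")
```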

## adam.silver
### Sensitive Credentials Hardcoded
In the C:\ directory we find a Backups folder; we download it to our local machine and inspect its contents. It contains an XML file with hardcoded credentials.

## steph.cooper
We get a shell as steph.cooper.

### DPAPI - Extracting Passwords
After enumerating as steph.cooper, we find a DPAPI masterkey in `C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107`. We transfer it to our local machine to work on it.

Use impacket-dpapi to decrypt the masterkey.

After that, we search the machine for DPAPI-encrypted data and copy it to our machine. We can then decrypt it with the masterkey we just decrypted.

## steph.cooper_adm
Now we can get a shell as steph.cooper_adm.

### DCSync Attack
Having pwned steph.cooper_adm, we enumerate the user further in BloodHound and find that it can perform a DCSync attack.

Finally, we use impacket-secretsdump to dump the NTDS.dit credentials and gain the administrator user.
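
DCSync works by asking the DC to replicate directory data, which shows up on the DC as a 4662 event carrying the replication extended rights. The following is an added example (not part of this writeup) that flags such events when the requester is not a domain controller; the events are constructed with the 4662 EventData field names, and the allow-list of replicating accounts is an assumption (the nmap output names the host DC, so its computer account would be DC$).

```python
"""Flag 4662 directory-access events carrying the replication extended
rights that DCSync exercises. Added example, not from the writeup. Events
are constructed with the 4662 EventData field names; the allow-list of
domain-controller computer accounts is an assumption."""
import re

# Extended-right GUIDs as they appear inside the 4662 Properties field
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"          # AccessMask value for extended-right use
REPLICATORS = {"DC$"}             # assumed: accounts that replicate legitimately
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample: normal DC-to-DC replication, a DCSync from the
# account pwned in this writeup, and an ordinary read with an unrelated GUID.
SAMPLE_4662 = [
    {"SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "steph.cooper_adm", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "steph.cooper", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def detect_dcsync(events):
    """Return [(subject, [right names])] for subjects outside the replicator
    allow-list that used Control Access with at least one replication
    extended right. Get-Changes-All is the one that returns secrets."""
    hits = []
    for e in events:
        if e["AccessMask"] != CONTROL_ACCESS or e["SubjectUserName"] in REPLICATORS:
            continue
        guids = GUID_RE.findall(e["Properties"].lower())
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if rights:
            hits.append((e["SubjectUserName"], rights))
    return hits

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662):
        print(f"DCSync-style replication by {subject}: {', '.join(rights)}")
```

In a real environment the allow-list must also cover every DC and any directory-sync service account, or this rule will fire on legitimate replication.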

We have finally pwned the Domain Admins user.
