image.png

levi.james / KingofAkron2025!

NMAP Results

❯ nmap -sC -sV -Pn PUPPY.HTB

image.png

okay so i see LDAP & few others services running, clearly its an Active Directory machine

so first let’s populate our /etc/hosts with the machine’s domain names using nxc

❯ sudo nxc smb 10.129.199.60 --generate-hosts-file /etc/hosts

image.png

perfect! now we have a valid credential given as starting of the box , we will be using it to enumerate more users , smb shares etc to see what we get .. & yes we will dump the bloodhound data for the machine too using the given creds

Enumerate Users

❯ nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --users
SMB         10.129.199.60   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.199.60   445    DC               [+] PUPPY.HTB\\levi.james:KingofAkron2025!
SMB         10.129.199.60   445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.129.199.60   445    DC               Administrator                 2025-02-19 19:33:28 0       Built-in account for administering the computer/domain
SMB         10.129.199.60   445    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.129.199.60   445    DC               krbtgt                        2025-02-19 11:46:15 0       Key Distribution Center Service Account
SMB         10.129.199.60   445    DC               levi.james                    2025-02-19 12:10:56 0
SMB         10.129.199.60   445    DC               ant.edwards                   2025-02-19 12:13:14 0
SMB         10.129.199.60   445    DC               adam.silver                   2025-05-23 18:04:29 0
SMB         10.129.199.60   445    DC               jamie.williams                2025-02-19 12:17:26 0
SMB         10.129.199.60   445    DC               steph.cooper                  2025-02-19 12:21:00 0
SMB         10.129.199.60   445    DC               steph.cooper_adm              2025-03-08 15:50:40 0
SMB         10.129.199.60   445    DC               [*] Enumerated 9 local users: PUPPY

image.png

alright we got our users! time to check SMB shares

Enumerate SMB Shares

❯ nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --shares
SMB         10.129.199.60   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.129.199.60   445    DC               [+] PUPPY.HTB\\levi.james:KingofAkron2025!
SMB         10.129.199.60   445    DC               [*] Enumerated shares
SMB         10.129.199.60   445    DC               Share           Permissions     Remark
SMB         10.129.199.60   445    DC               -----           -----------     ------
SMB         10.129.199.60   445    DC               ADMIN$                          Remote Admin
SMB         10.129.199.60   445    DC               C$                              Default share
SMB         10.129.199.60   445    DC               DEV                             DEV-SHARE for PUPPY-DEVS
SMB         10.129.199.60   445    DC               IPC$            READ            Remote IPC
SMB         10.129.199.60   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.199.60   445    DC               SYSVOL          READ            Logon server share