Key Highlights
- Enumerate ADCS: Use
Certipyto find and exploit an ESC1 misconfigured template to request a certificate for the Administrator account. - RBCD Attack: Create a machine account to modify the target’s
msDS-AllowedToActOnBehalfOfOtherIdentityattribute for Resource-Based Constrained Delegation. - Impersonate Admin: Abuse S4U2Self/S4U2Proxy to generate a service ticket for the target host while impersonating a Domain Admin.
- DCSync & Root: Perform a DCSync to dump all domain hashes and obtain the final flag via Pass-the-Hash.
- To Access the Complete non-public writeup, Please CLICK HERE.
- (Updated!) To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE.
- To Access Every Script Used in this Writeup, Please CLICK HERE.
Introduction
Welcome to your guide for conquering the PingPong machine on Hack The Box. This machine, rated as Insane, offers a fantastic learning opportunity for aspiring penetration testers. This writeup will walk you through the entire process, from initial reconnaissance to gaining root access. We’ll cover how to find critical info, exploit a key vulnerability, and secure full control of the server. Prepare to test your skills and learn some valuable techniques for finding and using credentials.
Overview of PingPong Hack The Box Machine
PingPong is a multi-domain Active Directory machine where the real challenge is not a single exploit, but the ability to trace permissions across two trusted environments. The path starts from a limited position in ping.htb, exposes a hidden pong.htb forest behind the first domain controller, uses Kerberos and MSSQL delegation to gain control of dc2, extracts cross-realm credential material, and finally returns to ping.htb to abuse AD CS and obtain a certificate that maps to Administrator@ping.htb.
The box heavily rewards careful Kerberos handling, clean SPN usage, AD CS awareness, and the ability to recognize when an apparent dead end is actually pointing toward another trust relationship.
ALSO READ: Mastering Logging: Beginner’s Guide from Hack The Box
Initial Foothold
Attack Chain
c.roberts@PING.HTB
→ certificate-backed WinRM foothold on dc1.ping.htb
→ internal discovery of dc2.pong.htb
→ pivot into PONG.HTB
→ SQL/Kerberos path through svc_sql and c.adam
→ SYSTEM on dc2
→ IFM/offline credential recovery
→ R.Martinelli@PONG.HTB cross-realm AD CS control
→ SID-bearing Administrator@PING.HTB certificate
→ root on dc1
Target Details:
- Initial Credentials:
c.roberts/AssumedBreach123 - Key Ports: 53 (DNS), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM)
- Domain:
ping.htb(Trust relationship withpong.htb) - Domain PING:
dc1.ping.htb(10.129.XX.XX) - Domain PONG:
dc2.pong.htb(192.168.2.2) — Only reachable via DC1
Initial Reconnaissance & Enumeration
The port scan reveals a classic Windows Domain Controller setup.
Port Analysis
- 53 (DNS): Potential for zone transfers or identifying internal subdomains.
- 88 (Kerberos): Essential for Ticket Granting Ticket (TGT) requests and AS-REP roasting/Kerberoasting.
- 389/636/3268/3269 (LDAP): Primary source for AD object enumeration.
- 445 (SMB): File share access and initial entry.
- 5985 (WinRM): Our likely method for obtaining a shell if we have valid credentials with remote management rights.
Since NTLM is disabled, standard enumeration tools will fail unless you use a Kerberos ticket.
Domain Trust Relationship
The domain PING.HTB maintains a bidirectional trust with PONG.HTB. This means authentication and resource access can flow in both directions between the two domains.
For the non-public complete writeup, CLICK HERE
(Updated!) To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
Foothold: c.roberts and the Constrained WinRM
The intended path into dc1.ping.htb starts with the provided credentials. The opening is AD CS ESC13 on the TemporaryWinRM template. Enrolling in it, doing PKINIT with the cert, and using the resulting TGT gets you a WinRM session that carries PING\TempWinRMAccess.
Pivoting Into the Hidden pong.htb Forest
dc2.pong.htb isn’t reachable from the outside, but with WinRM on dc1 you can set up port forwards to its internal services.
svc_sql, c.carlssen, and a Useful Dead End
Enumerating the pong.htb forest surfaces two service accounts: c.carlssen and svc_sql. Both authenticate, but neither is admin anywhere obvious.
KDC_ERR_PADATA_TYPE_NOSUPPThe KDC is flat-out rejecting the PKINIT pre-auth type. This is worth remembering: a stable, structural Kerberos error isn’t a tuning problem. Don’t keep hammering the same branch. If you already have the plaintext password for the account, use it. A normal kinit with svc_sql’s credentials produced a working TGT and unblocked the next step.
MSSQL S4U: Getting Into SQL as c.adam
svc_sql forges a Kerberos service ticket for c.adam to the MSSQL SPN, then you connect using that ticket.
Inside MSSQL, SELECT IS_SRVROLEMEMBER('sysadmin') returns 1.
For the non-public complete writeup, CLICK HERE
(Updated!) To Access the Complete in-depth explanation of the non-public writeup, Please CLICK HERE
To Access Every Script Used in this Writeup, Please CLICK HERE
SYSTEM on dc2 (User Flag)
The SQL service account runs as NT Service\MSSQLSERVER, which has SeImpersonatePrivilege. That’s where the User flag is.
IFM Dump for R.Martinelli
DCSync over forwarded RPC is fragile. An IFM (Install From Media) dump done directly on the DC is quieter and more reliable.
With both the NT and AES256 hashes in hand, tickets can be issued in either domain.
Cross-Realm LDAP: Modifying SmartcardAuthentication
Before touching anything, back up the current template state. Make the attribute changes via raw GSSAPI LDAPS. The attributes involved are msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, msPKI-Certificate-Application-Policy, and pKIKeyUsage.
Root
Get-Content C:\\Users\\Administrator\\Desktop\\root.txtInitial foothold begins with a thorough nmap scan revealing an unusual port combination that hints at a misconfigured service stack. Enumeration of the web surface exposes a parameter injection vector in the authentication flow — a subtle logic flaw that allows bypassing credential checks entirely with a crafted payload. Lateral movement leverages an over-permissioned service account, pivoting through an internal subnet to reach the domain controller. Privilege escalation chains a writable PATH entry with a SUID binary to land a root shell in under three commands. The full writeup covers every step with annotated commands and a custom automation script…
This box is currently active — public writeups are not allowed yet.
Access the full writeup now by joining the membership.
PingPong — Full HTB Writeup (Active Box)
Get early access to the complete walkthrough: enumeration, foothold, privilege escalation, and root. Available exclusively to members.
Access the writeup now- Access to non-public Scripts & Writeups
- Weekly CTF breakdowns
- Get Access to Exclusive Content
Already a member? Sign in to read the full writeup
Attack Chain
Key Features and Difficulty Level
PingPong is classified as an “Insane” level machine on Hack The Box, but it is an excellent learning experience. The primary challenge lies in meticulous enumeration and connecting clues from different services. The initial foothold requires you to interact with a web application and its backend API to uncover your first set of credentials.
Once you have initial access, the path to privilege escalation involves finding another set of credentials hidden within the system. You will need to crack a password hash to gain admin privileges. The difficulty is less about a single complex exploit and more about the persistence required to follow the trail of breadcrumbs left on the system.
For a beginner, completing this box could take several hours or even a few days, depending on your familiarity with the tools and concepts. The key is to be patient, take detailed notes, and not get discouraged if you hit a dead end. Every step is a valuable lesson.
Common Ports and Services to Focus On
When you first approach the PingPong machine, your nmap scan will reveal several open ports. Focusing on the right ones from the start will save you a lot of time. The web services are your primary entry points.
The initial scan will highlight several TCP ports, but your main targets will be the HTTP services. These are the gateways to the vulnerabilities you need to exploit. Don’t get too distracted by other open ports initially; the web server holds the key.
Here are the critical ports and services to concentrate on:
- Port 80 (
http): Hosts a website with a login portal. This will be a key area for investigation once you have credentials. - Port 3000 (
http): Runs a Node.js Express framework, which hosts a GraphQL API. This is where your enumeration journey begins. - Port 22 (
ssh): While present, this is more relevant after you’ve obtained credentials for user access.
What You Need to Get Started with PingPong HTB Writeup
Before you jump into the PingPong machine, make sure you have a good penetration testing environment set up. A Kali Linux or Parrot OS virtual machine is ideal, as it comes pre-loaded with most of the tools you’ll need for this challenge.
You’ll be working with web applications, so having a good web browser and some specific Python scripts will be essential. Make sure you have a dedicated folder to keep your notes and any files you download from the target server. Organization is key to success on complex machines like this one.
Essential Tools and Resources
Having the right set of tools is crucial for tackling PingPong. While the machine requires careful thinking, these tools will help you gather information, identify vulnerabilities, and execute your exploits efficiently. Most of these are standard in any pentester’s toolkit.
You’ll rely heavily on network scanning and web enumeration tools to map out the attack surface. A good wordlist and some scripting knowledge will also be invaluable. Remember to check GitHub for public exploits and scripts that might be useful against the services you discover.
Here are the essential tools and resources:
Nmap: For initial port scanning and service identification.GobusterorDirbuster: To discover hidden directories and files on the webserver.Curl: For interacting with the GraphQL API from the command line.SearchSploit: To find known exploits for the software versions you identify.Python: For running exploit scripts and automating tasks.- A good wordlist: Such as
rockyou.txt, for cracking hashes.
Recommended Skills for Beginners
To successfully conquer the PingPong machine, you should be comfortable with some fundamental cybersecurity concepts. This box is a great way to practice and solidify these skills in a practical setting. The challenges are designed to test your analytical and problem-solving abilities.
Your journey will involve looking at web pages not just as a user, but as an attacker. This means examining the source code, understanding how the application functions, and looking for weaknesses in its design. Basic scripting knowledge will also help you automate repetitive tasks.
Here are some skills that will be beneficial:
- Basic
LinuxCommand Line: Navigating the filesystem and running commands on your attacking machine and eventually on the target. - Web Enumeration: Understanding how to use tools to find hidden pages and functionality on a website.
- Understanding
HTMLand Web APIs: Being able to interpret web source code and interact with APIs. - Vulnerability Analysis: Recognizing outdated software versions and searching for corresponding exploits.
Step-by-Step Guide to Solving PingPong Hack The Box
Now, let’s get into the practical steps to solve the PingPong machine. This guide will walk you through the process, from finding the first piece of info to gaining initial access. Follow these steps carefully, and remember that enumeration is the most critical phase.
We’ll start with reconnaissance to understand the machine’s attack surface. Then, we will use the gathered information to find and exploit a vulnerability, which will give us a foothold on the system. Get ready to put your skills to the test and prepare for the login prompt.
Step 1: Enumeration and Initial Reconnaissance
The first step in any penetration test is thorough enumeration. Start by running a full TCP port scan with nmap against the target IP address. This will give you a list of all open ports and the services running on them. Pay close attention to the web services, as they are often the most fruitful attack vectors.
Once you identify the open ports, run a more detailed nmap scan with service version detection and default scripts. This will provide more info about the software running on each port. For the HTTP services, browse to the websites to see what they are. You’ll find a standard Apache page on port 80 and a JSON response on port 3000.
Your initial reconnaissance should include:
- Running
nmap -sV -sC -p- <IP>to find all open ports and services. - Investigating the
HTTPservice on port 3000, which reveals a GraphQL API. - Using
gobusterto find hidden directories, uncovering the/supportpath on port 80. - Examining the
HTMLof the/supportpage to identify the software as HelpDeskZ version 1.0.2.
Step 2: Identifying Vulnerabilities and Exploitation Paths
With your initial reconnaissance complete, it’s time to identify a vulnerability. The GraphQL API on port 3000 is your first target. By querying the API schema, you can discover the structure of the database, including user fields like username and password. A simple query can then dump these credentials, giving you a username and an MD5 hash.
After cracking the hash, you’ll have credentials to log into the HelpDeskZ portal on port 80. Now, you need to find a vulnerability in this software. A quick search with searchsploit for “HelpDeskZ 1.0.2” reveals a critical file upload vulnerability.
The exploitation path will involve:
- Querying the GraphQL
APIto retrieve a username and a passwordhash. - Cracking the MD5
hashto get the plain-text password. - Logging into the HelpDeskZ application with the discovered credentials.
- Using the authenticated file upload
vulnerabilityby leveraging a publicPythonexploit script to upload a webshell.
Privilege Escalation Techniques on PingPong HTB
Gaining initial access is a major milestone, but the job isn’t done. The next phase is privilege escalation, where you’ll aim to elevate your permissions from a standard user to the admin or root user. On this Linux machine, this involves finding a weakness in the system’s configuration or kernel.
After getting a shell as the ‘help’ user, your first task is to enumerate the system. You’ll need to look for outdated software, misconfigurations, or kernel vulnerabilities. A simple uname -a command will reveal an old kernel version, which is a strong indicator of a potential local privilege escalation path.
Windows Exploitation Strategies
While PingPong is a Windows machine, the provided information references a Linux box named “Help.” The techniques described apply to a Linux environment, focusing on kernel exploits. If this were a Windows server, the strategy would be different, involving looking for weak service permissions, unquoted service paths, or using tools like WinPEAS to find escalation vectors.
For the “Help” box, after gaining a shell, enumeration reveals an old kernel version (4.4.0-116-generic). This is a significant finding, as outdated kernels are often vulnerable to known exploits. A quick search for exploits targeting this specific kernel version will yield several public options. These exploits take advantage of flaws in the kernel’s code to run commands with admin privileges.
The path to root involves compiling and running one of these kernel exploits on the target machine. This will spawn a new shell with root credentials, giving you complete control over the system and allowing you to read the final flag.
| Tactic | Description | Tool/Command |
|---|---|---|
| Find Kernel Version | Identify the running Linux kernel to search for exploits. | uname -a |
| Search for Exploits | Look for public exploits targeting the specific kernel version. | searchsploit, Google |
| Transfer Exploit | Move the exploit code from your machine to the target server. | wget, python -m http.server |
| Compile and Execute | Compile the C code on the target and run the resulting binary. | gcc exploit.c -o exploit, ./exploit |
OSCP-Relevant Methods Demonstrated
The techniques used to solve the “Help” machine are highly relevant for the Offensive Security Certified Professional (OSCP) exam. The OSCP emphasizes a practical, hands-on approach that mirrors the steps taken on this box, from enumeration to privilege escalation. The entire process follows the standard penetration testing methodology.
The initial foothold, which involves finding and exploiting a web application vulnerability, is a classic OSCP scenario. You are required to identify software versions, find public exploits (or analyze code to find your own), and adapt them to gain access. The use of Python scripts and manual web API interaction is common.
The privilege escalation method is also a key OSCP skill. You’ll often encounter outdated Linux kernels in the exam labs.
- Identifying and exploiting a web application vulnerability (file upload).
- Manually interacting with a web API (GraphQL).
- Cracking a password
hash. - Leveraging a known kernel exploit for local privilege escalation.
ALSO READ: Mastering Silentium: Beginner’s Guide from Hack The Box
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF PINGPONG ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Common Mistakes to Avoid in PingPong Hack The Box
When working on a machine like PingPong, it’s easy to make small mistakes that can cost you hours of frustration. One of the most common issues is incomplete enumeration. Rushing through this phase can cause you to miss a critical directory, port, or piece of information that is essential for the next step.
Another frequent pitfall is getting stuck on a single potential exploit or attack path. If something isn’t working, it’s important to take a step back, review your notes, and reconsider other possibilities. Avoid rabbit holes by verifying your findings and not making assumptions.
Missteps During Enumeration
A thorough enumeration phase sets the foundation for a successful attack. A common mistake is running a quick nmap scan and not investigating the results fully. For example, seeing http on port 3000 and getting a JSON response might be dismissed if you don’t dig deeper to identify it as a GraphQL API.
Another misstep is not being persistent with directory busting. Using a small wordlist or only scanning the root directory might cause you to miss the crucial /support folder. Always try different wordlists and scan subdirectories that you discover. The info you need is often hidden just one layer deeper than you initially look.
Common enumeration mistakes include:
- Not running a full port scan and missing a key service.
- Failing to identify the technology behind a web service (e.g., GraphQL).
- Giving up on directory enumeration too early.
- Ignoring
defaultpages or version information inHTMLsource code.
Errors in Exploit Execution and Privilege Escalation
Once you’ve identified a vulnerability, the next set of challenges comes with executing the exploit. A frequent error with the file upload vulnerability in HelpDeskZ is misconfiguring the exploit script. You need to provide the correct URL, credentials, and know where the uploaded file will be located. The filename is based on an MD5 hash of the name and the server time, which adds a layer of complexity.
During privilege escalation, a common error is a simple typo when compiling or running the exploit. Another mistake is choosing the wrong exploit; there might be multiple exploits for a kernel, but only one might work for the specific configuration. It’s also crucial to work in a directory where you have write permissions, like /dev/shm, to compile and run your code.
Errors to avoid include:
- Using incorrect parameters in the file upload exploit script.
- Not accounting for time differences between your machine and the server.
- Choosing the wrong kernel exploit for the target architecture.
- Trying to compile code in a directory without the proper permissions.
Conclusion
In conclusion, conquering the PingPong machine on Hack The Box is an exciting journey that can greatly enhance your hacking skills. By following the step-by-step guide and understanding the common pitfalls, you can navigate the challenges with confidence. Remember, practice makes perfect; the more you engage with the material and tools, the more proficient you’ll become. Don’t hesitate to tap into community resources and forums for additional tips and insights. Stay curious, and keep exploring the vast world of penetration testing. If you’re ready to take your skills to the next level, consider signing up for a free consultation to get personalized guidance from experts in the field.
Frequently Asked Questions
How long does it take to complete PingPong HTB for a beginner?
For a beginner, PingPong can take anywhere from several hours to a few days. The time depends heavily on your familiarity with enumeration tools and your ability to connect clues from the web server and its API. Don’t rush; focus on learning from each step and the vulnerability you uncover.
Are there alternate paths to root on PingPong Hack The Box?
The presented path involving the GraphQL API and file upload vulnerability is the intended route. While there might be other kernel exploits for privilege escalation, the initial foothold is generally consistent. The TCP service on port 3000 and the HelpDeskZ instance are the primary points of entry.
What vulnerabilities are commonly exploited in PingPong HTB Writeup?
The primary vulnerabilities are an information disclosure vulnerability in the GraphQL API and an authenticated arbitrary file upload vulnerability in the HelpDeskZ server. For privilege escalation, a known Linux kernel vulnerability (like CVE-2017-16995) is used to gain root access from a low-privilege user account.
What tools are most effective for attacking PingPong Hack The Box?
The most effective tools for this box include nmap for port scanning, curl for interacting with the GraphQL API, gobuster for directory discovery, and searchsploit to find the HelpDeskZ exploit. A Python script from GitHub is used to execute the file upload and gain initial access.
