Beginner’s Guide to Conquering Checkpoint on Hack the Box

The CyberSec Guru



Key Highlights

  • This HackTheBox writeup follows a clear ethical hacking and penetration testing path from enumeration to exploitation.
  • Early enumeration identifies a few services.
  • Exploitation centers on known vulnerabilities, password hashes, and recovered login details.
  • User access depends on careful handling of credentials, OTP timing, and AD.

Introduction

If you want a practical HackTheBox walkthrough that feels approachable, this guide maps the full path in simple steps. It covers the flow you would expect in ethical hacking and penetration testing: scan first, inspect web apps, verify versions, test likely weaknesses, and move carefully toward access. The provided material gives you a realistic lab for building methodical habits instead of guessing your way through the target.


Preparing for the Checkpoint HTB Writeup

Before you start, treat this as a structured penetration exercise rather than a race. Good preparation helps you track services, credentials, app behavior, and each change in the environment. That matters when one clue leads to the next stage.

If you are asking for a detailed writeup for the Checkpoint machine on HackTheBox, the best approach is to organize your tools, notes, and browser setup first. You will move from scans to web review, then to exploitation and privilege work, so preparation saves time and avoids confusion.


Initial Foothold

Provided Credentials: alex.turner / Checkpoint2024!


Reconnaissance & Enumeration

Port Scanning (Nmap)

We initiate our scanning with a fast scan followed by service version detection:

nmap -p- --min-rate 5000 10.129.16.196 -oN init.nmap

Based on the open ports, we run a targeted TCP script and service scan:

nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.129.16.196 -oN services.nmap

Scan Results Analysis

  • Port 53 (DNS): Running Simple DNS Plus.
  • Port 88 (Kerberos): Active Directory Kerberos v5 authentication.
  • Ports 135/139/445 (MSRPC/SMB): File sharing and RPC interfaces active.
  • Ports 389/636/3268/3269 (LDAP/S): Active Directory Lightweight Directory Access Protocol.
  • Port 5985 (WinRM): Windows Remote Management is active over HTTP.

Active Directory User Enumeration

We extract a list of valid active domain users.

We save these names to a local wordlist called users.txt for further Active Directory attacks.

SMB Share Enumeration

We perform an unauthenticated/guest SMB check.

We locate an unusual share.

Connecting to the share using smbclient:

smbclient //10.129.16.196/UnusualShare -N

On the share, we can see existing files and a configuration file indicating an automated backend mechanism. This service regularly scans for new or updated packages, extracts them, and installs them.


Gaining Initial Access (Foothold)

Identifying the Vulnerability

While we have READ permissions to inspect the share, deploying our own malicious extension requires WRITE permissions.

To obtain valid credentials for a developer or service account capable of writing, we check for users with the setting “Do not require Kerberos preauthentication” enabled, allowing us to crack their password.
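From the defender's side, the same setting is easy to audit. The following is an added example (not from the writeup) that parses ldapsearch-style LDIF output for the userAccountControl attribute and lists the enabled accounts whose DONT_REQ_PREAUTH bit (0x400000) is set; the account names and values in the sample are constructed, not taken from the machine.

```python
import re

# userAccountControl bits (values from the Microsoft userAccountControl documentation).
ACCOUNTDISABLE = 0x00000002
DONT_REQ_PREAUTH = 0x00400000   # "Do not require Kerberos preauthentication"

# Constructed ldapsearch-style LDIF output; accounts and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=jdoe,CN=Users,DC=corp,DC=example
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=svc_build,CN=Users,DC=corp,DC=example
sAMAccountName: svc_build
userAccountControl: 4260352

dn: CN=old_svc,CN=Users,DC=corp,DC=example
sAMAccountName: old_svc
userAccountControl: 4260354
"""

_ATTR = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_ldif(text: str) -> list:
    """Split LDIF into blank-line separated entries, each becoming an attribute dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = _ATTR.match(line)
            if m:
                entry[m.group(1)] = m.group(2)
        if entry:
            entries.append(entry)
    return entries


def preauth_not_required(entries: list, include_disabled: bool = False) -> list:
    """sAMAccountNames with DONT_REQ_PREAUTH set; disabled accounts are skipped by default."""
    found = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(e["sAMAccountName"])
    return found


def explain_uac(uac: int) -> list:
    """Name the two bits this audit cares about, for readable reports."""
    names = []
    if uac & ACCOUNTDISABLE:
        names.append("ACCOUNTDISABLE")
    if uac & DONT_REQ_PREAUTH:
        names.append("DONT_REQ_PREAUTH")
    return names


if __name__ == "__main__":
    for name in preauth_not_required(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: Kerberos pre-authentication is disabled, re-enable it")
```

On the domain controller the same accounts stand out as Kerberos TGT requests (event 4768) whose Pre-Authentication Type is 0.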

Password Cracking

We crack the recovered hash.

This successfully yields the plain-text password.

Exploiting the Extension Share

With credentials, we authenticate to the SMB share and confirm permissions.

How Extensions Execute Code

An extension file is simply a renamed ZIP archive containing the extension assets and metadata, and an installed extension gets full access to the local operating system APIs.

Furthermore, we can leverage lifecycle hooks such as "postinstall", which trigger script execution automatically when the package is extracted and processed.

Constructing the Malicious Extension

We will build a simple, lightweight extension from scratch:

  1. Create a clean project directory.
  2. Create a package file. We include a script block.
  3. Package the extension.

Deploying and Triggering the Exploit

  1. Start a listener on your attacking machine.
  2. Authenticate to SMB and upload the malicious package to the root.
  3. The automated task running on DC01 discovers the new package, parses it, and triggers the script block. Grab user.txt.

Privilege Escalation

With initial access established, we run an Active Directory checkup using BloodHound (with the SharpHound collector) and examine local system objects.

AD Privilege Inspection

We run standard PowerView or WinRM privilege checks.

We notice that a user belongs to a group with specific delegation or write permissions over critical system templates, or has a direct path to Active Directory objects.

Let’s inspect the Domain Controller’s AD CS setup. This is a common attack path in modern AD environments.

We scan the environment from our Linux attacking machine.

Identifying Vulnerable Certificate Templates

The scan output reveals a template with the misconfiguration.

This permits requesting a certificate for any user in the domain by specifying their Subject Alternative Name (SAN) in the request.
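The conditions behind that misconfiguration (commonly labelled ESC1) can be checked from the template attributes themselves. Here is an added audit example, not from the writeup and not the machine's real template data: it evaluates each precondition for constructed template records and only flags a template when all of them hold.

```python
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# EKU OIDs that make the issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Broad groups: an Enroll right granted to any of these counts as low-privilege enrollment.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int                # msPKI-Certificate-Name-Flag
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ekus: frozenset               # pKIExtendedKeyUsage OIDs; empty means no EKU restriction
    enroll_principals: frozenset  # principals holding the Enroll right on the template
    ra_signatures: int = 0        # msPKI-RA-Signature: authorized signatures required
    published: bool = True        # listed in a CA's certificateTemplates attribute


def audit_esc1(t: Template) -> dict:
    """Evaluate each ESC1 precondition; 'vulnerable' is True only when all of them hold."""
    checks = {
        "published": t.published,
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t.ra_signatures == 0,
        "auth_eku": not t.ekus or bool(t.ekus & AUTH_EKUS),
        "low_priv_can_enroll": bool(t.enroll_principals & LOW_PRIV_PRINCIPALS),
    }
    checks["vulnerable"] = all(checks.values())
    return checks


def vulnerable_templates(templates: list) -> list:
    """Names of templates that fail the audit, in input order."""
    return [t.name for t in templates if audit_esc1(t)["vulnerable"]]


# Constructed templates; names, flags and ACLs are made up for this example.
CLIENT_AUTH = frozenset({"1.3.6.1.5.5.7.3.2"})
SAMPLE_TEMPLATES = [
    # Subject built from AD (UPN/email/DN required), so the requester cannot choose the SAN.
    Template("Constructed-BuildFromAD", 0xA6000000, 0x0, CLIENT_AUTH, frozenset({"Domain Users"})),
    # Every ESC1 precondition holds: this is the one a scanner would report.
    Template("Constructed-ESC1", 0x1, 0x0, CLIENT_AUTH, frozenset({"Domain Users"})),
    # Same flag, but manager approval breaks the chain.
    Template("Constructed-Approved", 0x1, 0x2, CLIENT_AUTH, frozenset({"Domain Users"})),
    # Same flag, but only a privileged group may enroll.
    Template("Constructed-AdminOnly", 0x1, 0x0, CLIENT_AUTH, frozenset({"Domain Admins"})),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failed = [k for k, v in audit_esc1(t).items() if k != "vulnerable" and not v]
        print(f"{t.name}: {'VULNERABLE' if not failed else 'ok, blocked by ' + ', '.join(failed)}")
```

Fixing any one failed condition on a flagged template (clearing the enrollee-supplies-subject flag, requiring manager approval, or tightening Enroll rights) is enough to close the path.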

Escalating to Domain Administrator (System Compromise)

We request a certificate for the domain Administrator account using the vulnerable template.

Output

This generates a private key and certificate file on our system:

Authenticating as Administrator

We use the newly generated certificate to authenticate to the Domain Controller and perform a Kerberos exchange to recover the NT hash of the Administrator account.

This returns the NT hash for the Domain Administrator.

Final Flag Retrieval (Pass-the-Hash)

Using the retrieved NT hash, we authenticate directly to the Domain Controller.

Alternatively, dump the Active Directory database secrets.

You are now logged in with full Domain Admin privileges. Grab root.txt.

You have successfully compromised the Checkpoint machine!


Setting Up Your Hack The Box Lab Environment

Start with a clean HackTheBox environment where you can scan, browse, intercept requests, and store results. A simple folder structure for scans, notes, hashes, and screenshots is enough. Keep your hosts file ready as well, because the target redirects to checker.htb instead of working smoothly by IP alone.

You may also want a disposable setup such as a Docker container or a dedicated VM for repeatable testing. That keeps your server tools, browser plugins, and wordlists in one place. If you download proof-of-concept material or review source code from a repository, store those files in separate folders so you can track what each script does.

For beginners, the main steps are straightforward: run initial scans, inspect the web apps, identify versions, check the relevant GitHub or repository info, test the known weaknesses carefully, and document every credential or URL you recover. That steady environment makes the rest of the writeup much easier.

Tools and Resources Helpful for Beginners

You do not need a huge toolkit for this box. A few reliable tools handle most of the work, especially during enumeration and web testing. The goal is to collect useful info, not to throw every scanner at the target.

For beginners and even OSCP-style practice, these tools support the core penetration testing flow:

  • Nmap for TCP port discovery, service detection, and quick baseline enumeration.
  • Gobuster for directory checks on the HTTP services, while filtering noisy responses.
  • Burp Suite for intercepting and editing requests inside the web app.
  • A hash cracking tool for working through recovered password hashes.

Just as important are the supporting resources. Keep the app source code notes, version strings, and configuration clues close by. In this writeup, version info from TeamPass and BookStack is what turns raw enumeration into a workable attack path, so your tools should help you confirm details, not just collect bytes of output.

Enumerating the Checkpoint Hack The Box Machine

Enumeration begins with the TCP surface. The scan shows port 22 for SSH and two HTTP services on 80 and 8080. Both web services return 403 responses, which tells you the server is alive but not immediately open.

From there, focus on each directory and application behavior instead of treating the box as empty. The useful trail comes from redirects, rate limiting, version clues, and source review. Those signs point toward application vulnerabilities rather than a direct network flaw, which shapes the rest of the attack path.

Identifying Open Ports and Services

The first meaningful step is a standard Nmap sweep. The result is small but useful. Instead of many open ports, you get a tight service list that immediately narrows your attention to SSH and two Apache-backed web endpoints.

Here is the service summary in a text table:

Port | Protocol | Service | Details               | Why It Matters
22   | tcp      | SSH     | OpenSSH 8.9p1         | Possible login point once credentials are found
80   | tcp      | HTTP    | Apache, 403 Forbidden | Suggests web content exists but access is restricted
8080 | tcp      | HTTP    | Apache, 403 Forbidden | Likely alternate app or admin-facing interface

For beginners, the next steps are simple after Nmap: verify redirects, browse each port manually, inspect headers and titles, and avoid assuming a 403 means nothing is there. In this case, Apache is giving just enough to confirm the services matter, and that is exactly where the useful enumeration starts.

Exploring Web Applications and Network Shares

Once you visit the site, the IP redirects to the checker.htb URL. That is a strong signal to update your local resolution and continue through the named host. On port 8080, the target presents a TeamPass login page. Another part of the server reveals BookStack.

Directory enumeration needs patience here. Gobuster finds many paths, but the server often replies with 403 or 429 codes and a consistent response length. That can create false positives, so adjust your filtering and slow your requests instead of blasting the app.

A practical hint for getting user access is to collect version and config clues from the applications. TeamPass source behavior and a readme reveal version 3, while BookStack exposes a version value in the app.js URL. Those small details matter more than random guessing because they point directly to the right weaknesses.


Exploiting Vulnerabilities on Checkpoint

After enumeration, exploitation focuses on the web apps rather than the SSH service itself. The provided material shows TeamPass version clues, BookStack version info, and source review that lead to practical vulnerabilities instead of blind trial and error.

One path exposes password hashes through TeamPass. Another uses a BookStack issue to read local files and recover a time-based secret. Those results create the bridge from web access to shell access. Once that works, the privilege escalation steps become a separate task built on local sudo behavior.

Common Weaknesses Encountered and Exploited

The interesting part of this machine is that the weaknesses are tied to app versions and source code clues, not to a noisy exploit chain. Careful review of setup behavior, readme files, and visible version strings gives enough direction to test known issues.

The common vulnerabilities and weak points shown in the supplied material include:

  • TeamPass version 3 exposure that allows extraction of password hashes.
  • BookStack v23.10.2 behavior that can be abused for local file read through crafted content.
  • OTP reliance, where reading the secret becomes enough to support the next login attempt.
  • A final path involving sudo abuse and a SUID bit change rather than a classic buffer attack.

What matters most is matching the weakness to the evidence you already have. The source code and app info are the real guide here. Even though terms like buffer or SUID often appear in writeups, this route is more about application logic and controlled local privilege abuse.

Methods Used to Gain Initial Access

Initial access begins with TeamPass. A proof of concept is used against the identified version, and the output reveals usernames and hashes. After cracking the hashes, one recovered value leads to a valid password, which opens useful application access.

Those credentials allow login to BookStack as bob. The material also shows another credential set for SSH: username reader with the password hiccup-publicly-genesis. A direct attempt as bob over SSH fails, so the path shifts back into the web app for more discovery rather than forcing the shell.

Inside BookStack, a backup note exposes a file path, and the visible version in the URL points to BookStack v23.10.2. By intercepting a save request in Burp Suite and modifying the request format, the file-read issue is used to retrieve data like /etc/passwd and then the Google Authenticator secret. After time sync, that supports successful SSH access as reader.

Privilege Escalation Techniques on Checkpoint

With user access in place, the focus shifts to local privilege escalation. The supplied steps clearly describe a Linux-style escalation path, even though the challenge title may suggest otherwise. The important clue is sudo permission tied to a script in /opt/hash-checker.

At this stage, penetration becomes a matter of testing script behavior safely and watching how user input affects the next command. The final outcome is not a kernel trick. It is a controlled abuse that results in a SUID bit being set on /bin/bash, which grants elevated access.

Investigating User to Admin Pathways

The move from user to admin starts by checking sudo rights for the reader account. That immediately reveals a script named /opt/hash-checker/check-leak.sh. If you are wondering how to escalate privileges on the HTB Checkpoint box, this is the next stage to inspect closely.

The script behavior matters. It loads settings, accepts a supplied username, cleans the input to letters and numbers, and then runs another program called check_leak with that cleaned value. When run without an argument, it errors out. When tested with reader, it reports the user is not found in the database. With bob, it reports an exposed password.

Those results show that the script is connected to privileged logic and reacts differently based on the user value. The privilege escalation steps then center on how that underlying process can be influenced. The provided notes confirm that this chain ends with /bin/bash gaining SUID, which turns local user access into full admin-level control.

Leveraging Windows-Specific Exploits

The supplied walkthrough details do not show Windows exploits, registry abuse, or service misconfigurations. Instead, the path presented is clearly a local script and SUID-style escalation flow. So the best tip here is not to force the box into the wrong category.

If you are looking for recommended hints for privilege escalation, start with what the machine actually gives you. Review sudo permissions, observe how helper scripts sanitize input, and compare behavior across different usernames. That keeps you aligned with the real attack path instead of chasing unrelated admin techniques.

Another useful point is to verify the state of privileged binaries before and after testing. The notes specifically mention that /bin/bash did not start with the SUID permission and later received it. That change is the decisive signal. Even when a title mentions Windows, your escalation work should follow the evidence shown on the host.

Essential Tips and Strategies for Beginners

Beginners usually lose time by rushing past small clues. This machine rewards calm enumeration, version checking, and careful note taking. A 403 page, a redirect, a version in a URL, or an odd backup path can all move the attack forward.

You should also avoid treating privilege escalation as a separate mystery. In real penetration work, the local path often begins during earlier learning and discovery. When you track each clue from web app to shell, the final escalation feels like a continuation instead of a reset.

Avoiding Pitfalls and Common Mistakes

A common CTF mistake is assuming the first blocker means the route is wrong. Here, the target uses 403 responses, redirects, and 429 rate limiting. Those signs can frustrate beginners, but they are also part of the puzzle. Smart attackers slow down and interpret what the app is showing.

Try to avoid these mistakes during enumeration and follow-up testing:

  • Ignoring the host redirect and continuing to browse only by IP.
  • Trusting every directory result when the server returns uniform responses.
  • Skipping version checks in TeamPass and BookStack.
  • Forgetting time sync before using a recovered OTP secret.

One more pitfall is forcing a tool where observation would work better. This box does not need endless scanning. It needs clean notes, attention to app behavior, and patience. If you avoid overcomplicating the process, the attack path becomes much easier to see.

Learning From Each Stage of the Attack Path

This machine teaches a very practical attack path. You learn that penetration testing is not only about finding a hole. It is about connecting small pieces of evidence until they form a usable route. That habit carries over into real lab work and stronger reporting.

At the network stage, you build comfort with service discovery and web-focused enumeration. In the application stage, you practice reading version clues, reviewing source code behavior, editing requests, and turning local file read into useful credentials. Those are strong technical skills for any learner.

By the end, you also gain confidence in local privilege analysis. You see how a user-level foothold can turn into full control through script behavior and permission changes. More importantly, you learn to think in stages: recon, app analysis, credential use, shell access, and escalation. That structured learning is the biggest win from this box.

Conclusion

In conclusion, conquering the Checkpoint machine on Hack the Box is an exciting challenge that can significantly enhance your cybersecurity skills. By thoroughly preparing your lab environment, understanding the enumeration process, exploiting vulnerabilities, and mastering privilege escalation techniques, you can navigate this journey more confidently. Remember, every step you take is a learning opportunity, and tackling mistakes along the way will only make you a better hacker. Embrace the process, stay curious, and enjoy the thrill of discovery. If you’re ready to dive deeper and enhance your skills further, consider booking a free consultation with our experts to guide you on your hacking journey!

Frequently Asked Questions

How do I know which tools are best for enumeration on Checkpoint Hack The Box?

Pick tools that match the evidence you already have. For this HackTheBox target, Nmap is essential for enumeration of open services, Gobuster helps with web paths, and Burp Suite supports web analysis. In penetration testing, the best tools are the ones that confirm useful details without creating unnecessary noise.

Yes. Start by checking sudo rights, then inspect helper scripts and how they handle input. On this Linux-style path, the key clue is a script that leads to a changed SUID bit on /bin/bash. Focus on real local vulnerabilities and behavior instead of assuming every admin escalation needs a complex exploit.

What skills can beginners expect to gain from the Checkpoint HTB Writeup?

Beginners can build practical cybersecurity skills in enumeration, web app review, credential handling, and privilege escalation logic. The biggest penetration testing lesson is learning how to follow an attack path from one clue to the next. That kind of structured learning is useful far beyond a single box.
