Checkpoint
State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....
Scenario
Checkpoint attack path
State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
Needs source review
Status: needs source review. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Needs source review: the page is kept as an archive entry, not a finished walkthrough, because the current source material is too thin.
- <TARGET>-Checkpoint/walkthrough.md
- HTB/<TARGET>-Checkpoint/notes.md
Technical Walkthrough
Checkpoint Walkthrough
Raw flags and reusable secrets are stored only under loot/.
Summary
Evidence
- State:
target-state.json - Notes:
notes.md
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
| Field | Value |
|---|---|
| Platform | Hack The Box / simulated lab |
| Target | Checkpoint |
| Difficulty | Medium |
| OS | Windows |
| Active target IP | <TARGET> |
| Hostname/domain | unknown |
| Pwnbox | <TARGET> |
| Attacker/VPN IP | unknown |
| Local workspace | <local workspace><TARGET>-Checkpoint |
| Pwnbox workspace | ~/htb/<TARGET>-Checkpoint |
| Started | 2026-06-13T23:25:37Z |
Evidence Ledger
| Time UTC | Phase | Command/Action | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|---|
| 2026-06-13T23:25:37Z | setup | htbctl init | target-state.json | Workspace initialized by deterministic harness. | High | Validate route and start baseline recon. |
| 2026-06-13T23:25:50Z | setup | Target IP changed from previous Checkpoint instance | target-state.json | Previous IP <TARGET> was unreachable from the Pwnbox gateway; new active IP is <TARGET>. | High | Mirror workspace to Pwnbox and validate route/service exposure. |
| 2026-06-13T23:25:50Z | setup | Store operator-provided starting credential | loot/starting-alex.turner.cred | Starting credential is available as a loot-only reference for quiet live validation. | High | Test only after a reachable auth surface is identified. |
| 2026-06-13T23:27:12Z | baseline | Path diagnostics for new active IP | enum/path-diagnostics-20260613.txt | Pwnbox SSH/tun0 are valid, but gateway <TARGET> returns Destination Host Unreachable for <TARGET>; targeted TCP ports are filtered/no-response. | High | Align Pwnbox and target VPN/lab region or respawn/reset Pwnbox/target before continuing. |
Synthesis
Current completion state: BASELINE.
Current blocker: the active target IP is not reachable from the current Pwnbox routing path. This must be fixed before credential validation or service enumeration can be meaningful.
Raw flags and reusable secrets must be stored only under loot/.