Checkpoint
State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....
Scenario
Checkpoint attack path
State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
Moderate source coverage
Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- <TARGET>-Checkpoint/walkthrough.md
- HTB/<TARGET>-Checkpoint/notes.md
Technical Walkthrough
Checkpoint Walkthrough
Raw flags and reusable secrets are stored only under loot/.
Summary
Evidence
- State:
target-state.json - Notes:
notes.md
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
| Field | Value |
|---|---|
| Platform | Hack The Box / simulated lab |
| Target | Checkpoint |
| Difficulty | Medium |
| OS | Windows |
| Active target IP | <TARGET> |
| Hostname/domain | unknown |
| Pwnbox | <TARGET> |
| Attacker/VPN IP | unknown |
| Local workspace | <local workspace><TARGET>-Checkpoint |
| Pwnbox workspace | ~/htb/<TARGET>-Checkpoint |
| Started | 2026-06-13T23:02:39Z |
Evidence Ledger
| Time UTC | Phase | Command/Action | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|---|
| 2026-06-13T23:02:39Z | setup | htbctl init | target-state.json | Workspace initialized by deterministic harness. | High | Validate route and start baseline recon. |
| 2026-06-13T23:03:00Z | setup | Store operator-provided starting credential | loot/starting-alex.turner.cred | Starting credential is available as a loot-only reference for quiet live validation. | High | Mirror workspace to Pwnbox and validate SSH/route. |
| 2026-06-13T23:03:56Z | baseline | Pwnbox SSH and route validation | enum/route-liveness-20260613.txt | Pwnbox SSH works, attacker IP is <TARGET>, and route to target exists; common Windows ports returned filtered during first probe. | Medium | Run full TCP sweep before assuming service set. |
| 2026-06-13T23:10:34Z | baseline | Full TCP validation from Pwnbox | nmap/tcp-all-syn-fast.nmap | Aggressive sudo SYN sweep across all TCP ports found no open services. Earlier connect scan also produced no open-port evidence. | High | Run one bounded UDP probe, then verify HTB instance state if no usable surface appears. |
| 2026-06-13T23:11:48Z | baseline | UDP top-50 validation from Pwnbox | enum/nmap-udp-top50-20260613.txt | UDP probe found no confirmed open service; all scanned ports were open-filtered/no-response or filtered. Current state is reachable-but-not-enumerable. | High | Ask operator to confirm the Checkpoint instance is running and that <TARGET> is still the active target IP. |
| 2026-06-13T23:15:57Z | baseline | Path diagnostics after operator confirmed active instance | enum/path-diagnostics-20260614.txt | Pwnbox tunnel and route table are present, but VPN gateway <TARGET> returns Destination Host Unreachable for <TARGET>; TCP connects also alternate between timeout and no-route. | High | Align target/Pwnbox VPN region or respawn/reset the HTB instance before further target work. |
Synthesis
Current completion state: BASELINE.
Current blocker: Pwnbox tunnel is up, but the HTB VPN gateway cannot route to <TARGET> (Destination Host Unreachable from <TARGET>). This is a target/Pwnbox VPN alignment or instance reachability problem, not an exploit-path issue.
Raw flags and reusable secrets must be stored only under loot/.