PingPong

State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....

Documented - Published 2026-03-21 - Sanitized local writeup

Scenario

PingPong attack path

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

PingPong sanitized attack graph

Walkthrough flow

  01. Scope and service discovery
  02. Attack surface mapping
  03. Initial foothold
  04. Privilege escalation
  05. Proof captured

Source coverage

Moderate source coverage

Status: partial. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

71% coverage
Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-PingPong/walkthrough.md
  • HTB/<TARGET>-PingPong/notes.md
  • HTB/<TARGET>-PingPong/dead-ends.md

Technical Walkthrough

PingPong Walkthrough

Raw flags and reusable secrets are stored only under loot/.

Summary

Evidence

  • State: target-state.json
  • Notes: notes.md

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

| Field | Value |
|---|---|
| Platform | Hack The Box / simulated lab |
| Target | PingPong |
| Difficulty | Insane |
| OS | Windows |
| Active target IP | <TARGET> |
| Hostname/domain | unknown |
| Pwnbox | <TARGET> |
| Attacker/VPN IP | unknown |
| Local workspace | <local workspace><TARGET>-PingPong |
| Pwnbox workspace | ~/htb/<TARGET>-PingPong |
| Started | 2026-06-13T12:53:01Z |

Evidence Ledger

| Time UTC | Phase | Command/Action | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|---|
| 2026-06-13T12:53:01Z | setup | htbctl init | target-state.json | Workspace initialized by deterministic harness. | High | Validate route and start baseline recon. |

Synthesis

Current completion state: BASELINE.

Raw flags and reusable secrets must be stored only under loot/.

Dead Ends

| 2026-06-13T13:21:15Z | standalone-bloodhound-collector | <secret redacted> | enum/<password redacted> | Standalone bloodhound-python authenticated partially but failed/crashed on password prompt, LDAP auth mode, SID/GC resolution, and produced no usable local graph files. | Revisit only if NXC BloodHound or targeted LDAP cannot answer required ACL questions, and then use a fixed collector with explicit Kerberos auth and GC/DC host mapping. |

| 2026-06-13T13:53:45Z | dc1-reverse-socks-pivot | <secret redacted> | enum/dc2-via-chisel-validate-20260613.txt | Two reverse SOCKS attempts connected from DC1 to the Pwnbox chisel server and logged R:socks/R:1081:socks as listening, but no usable 1080/1081 listener existed on the Pwnbox and proxychains validation produced contradictory closed-port output. Per Hard/Insane pivot guidance, stop debugging SOCKS and switch to explicit reverse TCP port forwards. | Revisit only if explicit reverse port forwards cannot support the required PONG enumeration and a different SOCKS implementation is approved. |

| 2026-06-13T13:56:07Z | dc1-chisel-portforward-pivot | <secret redacted> | enum/chisel-portforward-validate-20260613.txt | Explicit reverse TCP forwards to DC2 selected services repeated the chisel failure pattern: client connected and server logged listeners, but the Pwnbox had no usable local listeners and direct connect checks to every high port returned connection refused. | Revisit only if chisel behavior is reproduced/fixed outside the target path or if another validated tunnel primitive is unavailable. |

| 2026-06-13T15:02:39Z | pong-gmsa-direct-global-to-domainlocal | <secret redacted> | enum/pong-gmsa-scope-mutation-20260613.txt | Direct groupType conversion from global security (-2147483646) to domain-local security (-2147483644) returned LDAP unwillingToPerform / <secret redacted>. Post-rollback validation shows the group returned to global and managed-password read remains denied. | Revisit only if the two-step global-to-universal-to-domainlocal conversion is contradicted or if live AD exposes a different group-scope constraint. |

| 2026-06-13T16:05:48Z | pong-gmsa-jea-history-read | <secret redacted> | enum/ping-restricted-pssc-evilwinrm-20260613.txt | Pong_gMSA can connect to the DC1 restricted endpoint, but live PSSC evidence shows a minimal RestrictedRemoteServer in ConstrainedLanguage with only default visible commands and no custom role capability or transcript/file-read path. c.roberts triage also did not prove a readable Pong_gMSA PSReadLine history path. | Revisit only if a specific RestrictedRemoteServer escape, separate role capability, transcript path, or live file-read primitive is discovered. |

| 2026-06-13T16:10:32Z | pong-gmsa-mssql-direct-login | <secret redacted> | enum/pong-gmsa-mssql-readonly-deep-20260613.txt | Kerberos MSSQL login as Pong_gMSA works, but live SQL evidence shows guest/public only: no sysadmin, no impersonation, no server-state/control permissions, no linked servers, no job-step read, and no useful msdb backup metadata rows. | Revisit only if a higher-privileged SQL login is recovered, a linked server appears, or a specific public/guest SQL Server 2022 Express misconfiguration becomes source-backed and live-testable. |

| 2026-06-13T16:38:54Z | svc-sql-kerberoast | <secret redacted> | enum/svc-sql-rockyou-crack-clean2-20260613.txt | svc_sql has MSSQLSvc/dc2.pong.htb and a canonical etype 18 roast hash was extracted directly from the gMSA ccache, but targeted candidates plus the full rockyou list recovered zero credentials. Direct MSSQL login as Pong_gMSA was already low-privilege guest/public. | Revisit only with a target-specific candidate list from new live evidence, GPU cracking resources, or a separate credential disclosure pointing to svc_sql password policy. |

| 2026-06-13T17:05:30Z | ping-gmsa-via-pong-managers | <secret redacted> | enum/ping-gmsa-via-pong-managers-fresh-tgt-20260613.txt | Both stale-cache and fresh-TGT attempts temporarily added c.roberts to PONG gMSA Managers and restored state, but PING gMSA managed-password read stayed denied/no material; final cleanup verifies PONG gMSA Managers is back to global groupType -2147483646. | Revisit only if a different principal/token with an actual PONG gMSA Managers PAC is obtained, or if live evidence shows a different SID should satisfy the PING gMSA read ACL. |
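
An added example, not part of the original notes or of any tool the page names: it decodes the groupType values quoted in the dead-ends table and flags a group whose scope is changed and then restored within a short window, the pattern the rollback and cleanup entries describe. The record shape, the sample timestamps, the `Helpdesk` group and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

SECURITY_ENABLED = 0x80000000
SCOPE_FLAGS = {0x2: "global", 0x4: "domain-local", 0x8: "universal"}
# Scope changes AD accepts in one modify (membership preconditions not modelled).
# global <-> domain-local is absent: it has to pass through universal.
ONE_STEP = {("global", "universal"), ("domain-local", "universal"),
            ("universal", "global"), ("universal", "domain-local")}

def decode_group_type(value):
    """Turn a signed 32-bit groupType into (scope, kind)."""
    bits = value & 0xFFFFFFFF
    scope = next((n for flag, n in SCOPE_FLAGS.items() if bits & flag), "unknown")
    return scope, "security" if bits & SECURITY_ENABLED else "distribution"

def one_step_allowed(old, new):
    return (decode_group_type(old)[0], decode_group_type(new)[0]) in ONE_STEP

def scope_round_trips(changes, window=timedelta(hours=1)):
    """Return (group, first_change, restored_at, scopes_seen) for each group whose
    scope left its starting value and came back to it within `window`."""
    open_trips, hits = {}, []
    for ts, group, old, new in sorted(changes):
        when = datetime.fromisoformat(ts)
        old_scope, new_scope = decode_group_type(old)[0], decode_group_type(new)[0]
        if old_scope == new_scope:
            continue  # not a scope change
        if group not in open_trips:
            open_trips[group] = (old_scope, when, [old_scope])
        start_scope, started, path = open_trips[group]
        path.append(new_scope)
        if new_scope == start_scope:
            if when - started <= window:
                hits.append((group, started, when, path))
            del open_trips[group]
    return hits

# Constructed sample records: (time UTC, group, old groupType, new groupType).
SAMPLE = [
    ("2026-06-13T15:10:00+00:00", "PONG gMSA Managers", -2147483646, -2147483640),
    ("2026-06-13T15:10:20+00:00", "PONG gMSA Managers", -2147483640, -2147483644),
    ("2026-06-13T15:20:00+00:00", "PONG gMSA Managers", -2147483644, -2147483640),
    ("2026-06-13T15:20:05+00:00", "PONG gMSA Managers", -2147483640, -2147483646),
    ("2026-06-13T09:00:00+00:00", "Helpdesk", -2147483646, -2147483640),
]
```

A one-way change such as the constructed `Helpdesk` record is not flagged; only a scope that leaves and returns inside the window is.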