Machine Overview
| Platform | HackTheBox |
| Target | dc01.checkpoint.htb |
| Operating System | Windows Server 2025 (Build 26100.32860) |
| Role | Domain Controller |
| Domain | checkpoint.htb |
| Starting credentials | alex.turner : Checkpoint2024! |
A Windows Server 2025 Domain Controller whose path chains an AD ACL misconfiguration that allows restoring a deleted account, credential reuse to land a malicious VS Code extension, a dMSA BadSuccessor attack to recover a service account hash, and Volatility memory forensics from a VM snapshot to reach Administrator.
2026-06-15
ACL write on Deleted Objects → restore tombstoned account → credential reuse → malicious .vsix on developer share → reverse shell → dMSA BadSuccessor → service account NT hash → VM memory image → Volatility hashdump → pass-the-hash → Domain Admin
This machine is currently live on HackTheBox. The full writeup unlocks automatically once it retires.