Myles Nieman

PingPong

Overview

PingPong is an insane-rated Windows box framed as an assumed-breach scenario — the engagement begins with valid domain credentials rather than a blind external foothold. The domain is ping.htb.

Path: assumed-breach creds (c.roberts) → domain enumeration → (notes end here).

Note: These notes are incomplete — enumeration was underway but the box was not finished. The writeup covers what was documented.

Enumeration

The scenario provides starting credentials:

c.roberts / AssumedBreach123

An initial Nmap scan of the target confirms a Windows domain controller based on the open port set — DNS, Kerberos, LDAP, SMB, and the global catalog ports are all present:

$ nmap 10.129.245.56 -Pn
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
2179/tcp open  vmrdp
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap scan results for the ping.htb domain controller
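
The inference drawn from the scan above, as an added example (not part of the original writeup): a small Python parser reads Nmap's normal-output port table and labels the host from its open-port set, the same check an asset inventory can use to see which hosts expose domain controller services. The port-to-role heuristic and the function names are assumptions made for illustration; the sample input is the port table from this page.

```python
import re

# Constructed sample: the port table copied from the scan on this page.
SAMPLE_SCAN = """\
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
2179/tcp open  vmrdp
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
"""

# Assumed heuristic: a host offering all of these together is acting as an AD DC.
DC_CORE = {88: "Kerberos KDC", 389: "LDAP", 445: "SMB", 464: "kpasswd"}
GC_PORTS = {3268: "Global Catalog", 3269: "Global Catalog over TLS"}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(text):
    """Return {port: service} for every port Nmap reports as open."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":  # skip closed/filtered rows and the header
            ports[int(m.group(1))] = m.group(4)
    return ports

def classify_host(ports):
    """Return (role, evidence) inferred from the open-port set alone."""
    core = [name for port, name in DC_CORE.items() if port in ports]
    gc = [name for port, name in GC_PORTS.items() if port in ports]
    if len(core) == len(DC_CORE):
        role = "domain controller (global catalog)" if gc else "domain controller"
    elif 445 in ports:
        role = "SMB host, not a domain controller"
    else:
        role = "undetermined"
    return role, core + gc

if __name__ == "__main__":
    role, evidence = classify_host(parse_open_ports(SAMPLE_SCAN))
    print(f"{role}: {', '.join(evidence)}")
```
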

The domain name is confirmed via an anonymous LDAP base query:

$ ldapsearch -x -H ldap://10.129.245.56 -s base namingContexts

Domain: ping.htb

LDAP base query confirming ping.htb domain name

With valid credentials, BloodHound data is collected using bloodhound.py:

$ python3 bloodhound.py -u c.roberts -p "AssumedBreach123" -c All --zip -ns 10.129.245.56 -d ping.htb

BloodHound collection running against ping.htb

Analysis of the BloodHound output pointed toward Active Directory Certificate Services (ADCS) as the likely privilege escalation vector, but the notes end here.

Takeaways

  • Assumed-breach engagements skip the external recon phase — with valid credentials, BloodHound collection is an immediate first step to map all AD attack paths.
  • ADCS misconfigurations (ESC1–ESC8 templates) are a common escalation path in modern Windows environments and worth checking immediately after collecting BloodHound data.