🧪 Writeups & Research · advanced · 2 min read

HTB: Corporate Machine Writeup

Full walkthrough of the Corporate machine on Hack The Box. Covers API exploitation, Active Directory lateral movement, and privilege escalation.

Tags: HTB, Active Directory, API exploitation, privilege escalation

Difficulty: Hard
OS: Windows
Skills: API testing, Active Directory, Token manipulation

⚠️ This writeup is published after the machine was retired. Always follow responsible disclosure.

Reconnaissance

Starting with an Nmap scan:

nmap -sC -sV -oA corporate 10.10.11.xxx

Open Ports:

  • 80 (HTTP)
  • 443 (HTTPS)
  • 389 (LDAP)
  • 445 (SMB)
  • 5985 (WinRM)

Initial Foothold

API Discovery

Browsing to port 443 revealed a corporate intranet application. Directory enumeration found an exposed API endpoint at /api/v1/.

ffuf -u https://10.10.11.xxx/api/v1/FUZZ -w /usr/share/wordlists/api-endpoints.txt

Found endpoints:

  • /api/v1/users
  • /api/v1/auth
  • /api/v1/config

Authentication Bypass

The /api/v1/config endpoint returned sensitive configuration without authentication: an IDOR vulnerability. This leaked internal hostnames and an API key.

{
  "db_host": "internal-db.corporate.local",
  "api_key": "a1b2c3d4-xxxx-xxxx-xxxx",
  "debug": true
}

Using this API key, we could authenticate to the /api/v1/users endpoint and retrieve employee credentials.
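Added example (not code from the machine or the author): a framework-free Python sketch of the unauthenticated config handler as the writeup describes it, beside a hardened handler that requires the key (the X-API-Key header name is an assumption) and returns only an explicit allowlist, plus a check that flags secret-like keys in any response body.

```python
import hmac
from typing import Any

# Constructed stand-in for the server-side settings that /api/v1/config leaked.
# The api_key value is the page's own placeholder, not a real key.
SERVER_CONFIG: dict[str, Any] = {
    "db_host": "internal-db.corporate.local",
    "api_key": "a1b2c3d4-xxxx-xxxx-xxxx",
    "debug": True,
}
# Keys whose presence in an HTTP response body should be treated as a leak
# (secrets plus internal topology such as database hostnames).
SECRET_KEYS = {"api_key", "password", "secret", "token", "db_host"}


def vulnerable_config(headers: dict[str, str]) -> tuple[int, dict[str, Any]]:
    """Behaviour described in the writeup: no auth check, entire config returned."""
    return 200, dict(SERVER_CONFIG)


def _presented_key_is_valid(headers: dict[str, str]) -> bool:
    # Header name is an assumption for this example; the page does not name it.
    presented = headers.get("X-API-Key", "")
    # Constant-time comparison so the key cannot be recovered from response timing.
    return hmac.compare_digest(presented.encode(), SERVER_CONFIG["api_key"].encode())


def hardened_config(headers: dict[str, str]) -> tuple[int, dict[str, Any]]:
    """Require a valid key first, then expose only an allowlist of fields."""
    if not _presented_key_is_valid(headers):
        return 401, {"error": "authentication required"}
    # Allowlist: anything not listed here stays server-side, including api_key and debug.
    client_visible = {"api_version": "v1", "features": ["directory", "tickets"]}
    return 200, client_visible


def leaked_secrets(body: dict[str, Any]) -> list[str]:
    """Defensive check for a response body: names secret-like keys, plus debug=true."""
    found = sorted(k for k in body if k.lower() in SECRET_KEYS)
    if body.get("debug") is True:
        found.append("debug")
    return found


if __name__ == "__main__":
    anon: dict[str, str] = {}
    print("vulnerable, anonymous:", vulnerable_config(anon))
    print("hardened, anonymous:  ", hardened_config(anon))
    print("hardened, with key:   ", hardened_config({"X-API-Key": SERVER_CONFIG["api_key"]}))
    print("leaks in vulnerable body:", leaked_secrets(vulnerable_config(anon)[1]))
```

The leaked_secrets check is the kind of assertion worth running in an API test suite against every unauthenticated response, which would have caught this endpoint before it shipped.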

Lateral Movement

AD Enumeration

With valid credentials, I used bloodhound-python to map the Active Directory environment:

bloodhound-python -u svc_api -p 'FoundPassword123!' -d corporate.local -ns 10.10.11.xxx

BloodHound revealed a path from the compromised service account to Domain Admin through:

  1. svc_api → GenericWrite on IT-Support group
  2. IT-Support → CanPSRemote on DC01

Exploiting GenericWrite

Added our controlled user to the IT-Support group:

Add-ADGroupMember -Identity "IT-Support" -Members "svc_api"

Privilege Escalation

SeImpersonatePrivilege

The IT-Support account had SeImpersonatePrivilege on DC01. Used PrintSpoofer for escalation:

.\PrintSpoofer64.exe -i -c cmd

Got SYSTEM!

Flags

  • User flag: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Root flag: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Key Takeaways

  1. API security matters: unauthenticated endpoints are a goldmine
  2. Defense in depth: one compromised account shouldn't lead to DA
  3. Privilege hygiene: service accounts rarely need SeImpersonate

Tools Used

  • Nmap
  • ffuf
  • BloodHound
  • Evil-WinRM
  • PrintSpoofer

Questions about the techniques in this writeup? Reach out at m1k3@msquarellc.net
