HTB: napper Writeup

Machine Information
| Attribute | Details |
|---|---|
| Name | napper |
| OS | Windows |
| Difficulty | Hard |
| Points | N/A |
| Release Date | N/A |
| IP Address | 10.10.11.240 |
| Author | D3vnomi |
Machine Rating
⭐⭐⭐⭐☆ (8.0/10)
Difficulty Assessment:
- Enumeration: ⭐⭐⭐⭐☆
- Real-world: ⭐⭐⭐⭐☆
- CVE: ⭐⭐⭐☆☆
- CTF-like: ⭐⭐⭐⭐☆
Summary
napper is a Hard-difficulty Windows machine. Documentation of the attack is limited to initial reconnaissance activities. The subdomain enumeration phase identified three distinct domains (napper.htb, app.napper.htb, and internal.napper.htb) through automated fuzzing. Further exploitation details are not documented in the available notes.
TL;DR: Enumeration (Subdomains discovered) → [Exploitation path incomplete]
Reconnaissance
Domain Discovery
The primary domain identified during reconnaissance:
napper.htb
Port Scanning
nmap -sC -sV 10.10.11.240
Results: Port scan targeting app.napper.htb was performed with service version detection enabled.
Subdomain Enumeration
Subdomain fuzzing was conducted using ffuf to discover additional hosts:
ffuf -u "https://napper.htb" -H "Host: FUZZ.napper.htb" -w subdomains-top1million-20000.txt -c -t 50 -fs 5602
Subdomains Discovered:
- napper.htb
- app.napper.htb
- internal.napper.htb
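On the defender's side, Host-header fuzzing of this kind shows up in web server logs as one client sending many distinct Host values that all receive the fallback site's response. The detector below is an added example, not part of the original notes: the log layout, client IPs, window and threshold are assumptions, the sample lines are constructed, and 5602 bytes is assumed to be the fallback body size because that is the size the ffuf run filters with -fs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Assumed log layout: ISO time, client IP, Host header, status, body bytes."""
    ts, ip, host, status, size = line.split()
    return datetime.fromisoformat(ts), ip, host.lower(), int(status), int(size)

def detect_vhost_fuzzing(lines, default_size, window=timedelta(seconds=60), threshold=20):
    """Flag clients that sent more than `threshold` distinct Host values inside
    one window and got the fallback-site body size for each of them.
    Returns {client_ip: peak distinct-Host count}."""
    recent = defaultdict(deque)  # client IP -> (time, host) pairs still in the window
    flagged = {}
    for ts, ip, host, _status, size in sorted(map(parse, lines)):
        if size != default_size:
            continue  # answered by a real virtual host, not the fallback site
        q = recent[ip]
        q.append((ts, host))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({h for _, h in q})
        if distinct > threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def sample_lines():
    """Constructed data: one client cycling Host values, one ordinary client."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(40):  # 40 unknown hosts in 20 seconds, all served the fallback page
        t = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{t} 10.10.14.7 word{i}.napper.htb 200 5602")
    lines.append(f"{base.isoformat()} 10.10.14.7 app.napper.htb 200 1833")
    for i in range(40):  # ordinary browsing of two known hosts over 20 minutes
        t = (base + timedelta(seconds=30 * i)).isoformat()
        host = ("napper.htb", "app.napper.htb")[i % 2]
        lines.append(f"{t} 10.10.14.9 {host} 200 {1200 + i}")
    return lines

if __name__ == "__main__":
    # 5602 is the response size the ffuf command above filters with -fs
    for ip, hosts in detect_vhost_fuzzing(sample_lines(), default_size=5602).items():
        print(f"{ip}: {hosts} distinct Host values hit the fallback site within 60s")
```

Logging the Host header is a prerequisite for this check; many default web server log formats omit it.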
Hosts File Configuration
All discovered domains were added to the local hosts file for DNS resolution:
echo "10.10.11.240 napper.htb app.napper.htb internal.napper.htb" >> /etc/hosts
Initial Foothold
Exploitation Path
[Notes incomplete - exploitation path not documented in source notes]
The reconnaissance phase identified three domains and confirmed service availability, but the notes do not contain documentation of the actual exploitation technique or initial foothold achievement.
User Compromise
Credential Discovery
[Notes incomplete - user compromise path not documented in source notes]
No credentials or user account compromise details are documented in the available notes.
User Flag
[Notes incomplete - user flag not documented in source notes]
Privilege Escalation
Enumeration
[Notes incomplete - privilege escalation path not documented in source notes]
No privilege escalation details are documented in the available notes.
Root Flag
[Notes incomplete - root flag not documented in source notes]
Attack Chain Summary
Based on the documented reconnaissance:
- Subdomain Enumeration - Identified three domains using ffuf fuzzing
- DNS Resolution - Updated hosts file with discovered subdomains
- Further Exploitation - [Documentation incomplete]
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service fingerprinting |
| ffuf | Web fuzzing and subdomain enumeration |
Key Learnings
Based on the documented reconnaissance phase:
- Subdomain Enumeration: Automated fuzzing with ffuf can efficiently discover additional attack surface beyond the primary domain.
- Virtual Hosting: Web applications often serve different content on subdomains, making subdomain discovery critical for comprehensive reconnaissance.
- Hosts File Configuration: Local DNS resolution enables proper testing of virtual-hosted services during penetration testing.
Note: Further learning opportunities from exploitation and privilege escalation phases are not available in the current documentation.
Author
D3vnomi
Disclaimer
This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.
Last Updated: 08 Mar 2026
Tags: #HackTheBox #Windows #Hard