
Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

By: darknite
Reading Time: 11 minutes

Introduction to TombWatcher:

In this write-up, we will explore the “TombWatcher” machine from HackTheBox, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

As in a real-world Windows engagement, TombWatcher starts with credentials for a low-privileged account: henry with the password H3nry_987TGV!.

Objective:

The goal of this walkthrough is to complete the “Tombwatcher” machine from Hack The Box by achieving the following objectives:

User Flag:

Using Kerberos and AD enumeration, we cracked a TGS hash (Alfred → password: basketballl) and escalated through account takeover and BloodHound-guided ACL abuse until we held valid interactive credentials for the user john. With john’s credentials we authenticated to the host and retrieved the user flag by running type user.txt.

Root Flag:

We exploited a misconfigured certificate template (ESC15) with Certipy to request a certificate for the Administrator UPN, obtained a TGT (saved in administrator.ccache), and extracted the Administrator NT hash. Using those Administrator credentials, we logged into the DC and read the root flag with type root.txt.

Enumerating the Tombwatcher Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.72

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/tombwatcher]
└──╼ $nmap -sC -sV -oA initial 10.10.11.72 
# Nmap 7.94SVN scan initiated Thu Oct  9 23:26:58 2025 as: nmap -sC -sV -oA initial 10.10.11.72
Nmap scan report for 10.10.11.72
Host is up (0.23s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-10 02:11:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after:  2026-10-09T17:02:50
|_ssl-date: 2025-10-10T02:13:32+00:00; -1h15m15s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:31+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after:  2026-10-09T17:02:50
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:32+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after:  2026-10-09T17:02:50
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:31+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after:  2026-10-09T17:02:50
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h15m16s, deviation: 1s, median: -1h15m16s
| smb2-time: 
|   date: 2025-10-10T02:12:48
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Analysis:

  • 53/tcp — DNS (Simple DNS Plus): handles name resolution for the domain.
  • 80/tcp — HTTP (Microsoft-IIS/10.0): web server (TRACE enabled — potential info leak).
  • 88/tcp — Kerberos: AD authentication and ticketing service.
  • 135/tcp — MSRPC (Endpoint Mapper): Windows RPC enumeration and service discovery.
  • 139/tcp — NetBIOS-SSN: legacy file/share name resolution and enumeration.
  • 389/tcp — LDAP: Active Directory directory service (user/group enumeration).
  • 445/tcp — SMB (Microsoft-DS): file shares, enumeration, and lateral-movement vectors.
  • 464/tcp — kpasswd5: Kerberos password-change service (kpasswd).
  • 593/tcp — RPC over HTTP (ncacn_http): the RPC endpoint mapper exposed over an HTTP transport.
  • 636/tcp — LDAPS: encrypted LDAP (useful for secure directory queries).
  • 3268/tcp — Global Catalog (LDAP): cross-domain AD object searches (fast user/group lookup).
  • 3269/tcp — Global Catalog (LDAPS): encrypted Global Catalog for secure cross-domain queries.

Enumeration:

The website shows only the default IIS landing page and offers nothing of interest.

BloodHound Enumeration Using Henry’s Credentials

Authentication is performed with the username “henry” and password “H3nry_987TGV!”, using 10.10.11.72 as the nameserver for DNS resolution. The “-c All” collection method gathers all AD data (groups, sessions, trusts and ACLs; it does not enumerate live logged-on users), and the “--zip” flag packages the JSON output into a single ZIP archive for import into the BloodHound GUI, where attack paths can be visualised.

BloodHound shows that henry can add an SPN to Alfred’s account. Doing so lets an attacker request a service ticket for that SPN and Kerberoast it to crack Alfred’s password offline; because henry holds that write right, this is a direct takeover path: set the SPN, request the TGS, and crack it offline.

We first tried GetUserSPNs, but no entries were found.

Targeted Kerberoasting Attack Using Henry’s Credentials

The first targeted Kerberoasting attempt returned nothing either. The clock skew that Nmap reported (about -1h15m) is the usual cause, since the KDC rejects requests whose timestamp falls outside the allowed skew.

The resulting string is a Kerberos TGS hash in the $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred* format, i.e. a service ticket for the user “Alfred” in the tombwatcher.htb domain, most likely obtained after synchronising the clock with ntpdate. Because the ticket is encrypted under a key derived from Alfred’s password, it can be cracked offline with Hashcat to recover the password and move further within the domain.

We successfully cracked the Kerberos hash and obtained the password “basketballl” for the user Alfred on the domain.
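The Kerberoasting step above leaves a trace on the domain controller: a 4769 service-ticket request using RC4-HMAC (etype 0x17, the “23” in $krb5tgs$23$) for a user account. This is an added detection example, not code from the original walkthrough; the event records are constructed, not real logs.

```python
"""Flag RC4 (etype 0x17) service-ticket requests against user accounts in
Windows Security 4769 events.  Added example, not part of the original
walkthrough; SAMPLE_4769 is constructed, not captured from a real DC."""
from collections import defaultdict

RC4_HMAC = 0x17  # the "23" in $krb5tgs$23$; AES tickets show 0x11 / 0x12

# Constructed 4769 events, reduced to the fields this check needs.
SAMPLE_4769 = [
    "TargetUserName=henry@TOMBWATCHER.HTB ServiceName=Alfred TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "TargetUserName=henry@TOMBWATCHER.HTB ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "TargetUserName=alice@TOMBWATCHER.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.11.30",
    "TargetUserName=henry@TOMBWATCHER.HTB ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "TargetUserName=bob@TOMBWATCHER.HTB ServiceName=Alfred TicketEncryptionType=0x17 IpAddress=10.10.11.31",
    "TargetUserName=bob@TOMBWATCHER.HTB ServiceName=Alfred TicketEncryptionType=0x17 IpAddress=10.10.11.31",
]


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_roastable_service(service_name):
    """Machine accounts ($) and krbtgt are not Kerberoast targets; other SPN owners are."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_tgs_requests(lines):
    """Map each requester to the sorted user-account services it asked for with RC4."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if is_roastable_service(ev["ServiceName"]):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(services) for user, services in hits.items()}


def likely_kerberoasters(lines, min_services=2):
    """Requesters pulling RC4 tickets for several distinct user SPNs look like a roast sweep."""
    return sorted(u for u, s in rc4_tgs_requests(lines).items() if len(s) >= min_services)
```

A single RC4 request for a user SPN is already worth a look on a domain where service accounts are configured for AES only (msDS-SupportedEncryptionTypes), since RC4 then has no legitimate use; the sweep heuristic only adds confidence.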

BloodHound Enumeration Using ansible_dev’s Credentials

We collect additional data with bloodhound-python using the newly obtained credentials.

The Infrastructure group has ReadGMSAPassword on ansible_dev, which lets a member retrieve the gMSA password material for that account.

We attempted to use the gMSADumper script to retrieve the NTLM hash, but only data about the Infrastructure group came back, not the hash.

Let’s add Alfred to the infrastructure group to proceed.

Finally, we obtained the NTLM hash for the user ansible_dev$.

With the ansible_dev$ hash, we then changed sam’s password and gained access as sam.

BloodHound Enumeration Using SAM’s Credentials

We hit a timeout while collecting data with bloodhound-python.

Correcting the clock skew (synchronising against the DC with ntpdate) resolved the issue.

Using the ansible_dev$ credentials, we forcibly changed sam’s password, which gives immediate authentication as sam. The next step is to validate that access and see what sam can reach.

Privilege Escalation via BloodyAD

Using bloodyAD with the command bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u sam -p 'Passw@rd' set owner john sam, we successfully replaced the old owner of the “john” object with “sam” in the tombwatcher.htb domain.

The command bloodyAD --host 10.10.11.72 -d "tombwatcher.htb" -u "sam" -p 'Passw@rd' add genericAll "john" "sam" successfully granted “sam” GenericAll permissions on the “john” object in the tombwatcher.htb domain.

bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u 'sam' -p 'Passw@rd' add shadowCredentials john added a key credential (Shadow Credentials) to the “john” object in the tombwatcher.htb domain, which permits PKINIT, i.e. certificate-based Kerberos authentication, as john with the generated key.
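The takeover chain above (SPN write on Alfred earlier, then owner/ACL rewrite and a key-credential write on john) is visible in Windows Security 5136 “directory object modified” events once a SACL audits those attributes. The triage below is an added example, not the walkthrough’s own tooling; the events and the allow-list are constructed.

```python
"""Triage Windows Security 5136 events for the three writes chained in this
walkthrough: servicePrincipalName (targeted Kerberoasting), nTSecurityDescriptor
(owner / GenericAll) and msDS-KeyCredentialLink (shadow credentials).
Added example, not part of the original post; SAMPLE_5136 and EXPECTED_WRITERS
are constructed.  5136 only fires for attributes covered by a SACL."""
from collections import defaultdict

SENSITIVE_ATTRIBUTES = {
    "servicePrincipalName": "SPN added to a user: targeted-Kerberoast setup",
    "nTSecurityDescriptor": "owner/ACL rewritten: object takeover",
    "msDS-KeyCredentialLink": "key credential added: shadow credentials / PKINIT",
}

# Constructed allow-list of principals expected to write these attributes.
EXPECTED_WRITERS = {"Administrator", "svc_pki"}

SAMPLE_5136 = [
    "SubjectUserName=henry ObjectDN=CN=Alfred,CN=Users,DC=tombwatcher,DC=htb Attribute=servicePrincipalName",
    "SubjectUserName=sam ObjectDN=CN=john,CN=Users,DC=tombwatcher,DC=htb Attribute=nTSecurityDescriptor",
    "SubjectUserName=sam ObjectDN=CN=john,CN=Users,DC=tombwatcher,DC=htb Attribute=msDS-KeyCredentialLink",
    "SubjectUserName=WS01$ ObjectDN=CN=WS01,CN=Computers,DC=tombwatcher,DC=htb Attribute=msDS-KeyCredentialLink",
    "SubjectUserName=Administrator ObjectDN=CN=svc_web,CN=Users,DC=tombwatcher,DC=htb Attribute=servicePrincipalName",
    "SubjectUserName=john ObjectDN=CN=john,CN=Users,DC=tombwatcher,DC=htb Attribute=description",
]


def parse_event(line):
    return dict(field.split("=", 1) for field in line.split())


def object_cn(dn):
    """First RDN value of a DN: 'CN=john,CN=Users,...' -> 'john'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def triage(lines):
    """Return (writer, target DN, attribute, reason) for each suspicious sensitive write."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        attr, writer, target = ev["Attribute"], ev["SubjectUserName"], ev["ObjectDN"]
        if attr not in SENSITIVE_ATTRIBUTES or writer in EXPECTED_WRITERS:
            continue
        # A computer updating its own key credential (device registration) is normal.
        if writer.endswith("$") and writer[:-1].lower() == object_cn(target).lower():
            continue
        alerts.append((writer, target, attr, SENSITIVE_ATTRIBUTES[attr]))
    return alerts


def takeover_chains(alerts):
    """Group by (writer, target): an ACL rewrite followed by a key-credential write is the chain above."""
    chains = defaultdict(list)
    for writer, target, attr, _ in alerts:
        chains[(writer, target)].append(attr)
    return {key: attrs for key, attrs in chains.items() if len(attrs) > 1}
```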

Set the environment variable KRB5CCNAME to john_E8.ccache with the command export KRB5CCNAME=john_E8.ccache to designate the Kerberos credential cache file for authentication operations involving the user “john” in the tombwatcher.htb domain.

Attempting to retrieve the NT hash with getnthash resulted in failure.

Efforts to use bloodyAD to obtain the ‘SAM’ object were unsuccessful.

The UserAccountControl settings indicate a standard account with a non-expiring password.

Issuing python3 owneredit.py -action write -target 'john' -new-owner 'sam' 'tombwatcher.htb/sam':'Abc123456@' -dc-ip 10.10.11.72 changed the owner of the ‘john’ object to ‘sam’ in the tombwatcher.htb domain, targeting the domain controller at IP 10.10.11.72 with the provided credentials, and successfully updated the OwnerSID.

Ultimately, we successfully updated the password for the ‘john’ account in the tombwatcher.htb domain.

We successfully gained access to the machine using John’s credentials in the tombwatcher.htb domain.

Executing the command type user.txt allows viewing the user flag on the compromised machine in the tombwatcher.htb domain.

Escalating to Root Privileges

Privilege Escalation:

Running Get-ADObject -Filter {SamAccountName -eq 'cert_admin'} -IncludeDeletedObjects retrieves the Active Directory object for the ‘cert_admin’ account, including any deleted objects, in the tombwatcher.htb domain.

We then restored the deleted objects by their ObjectGUID in the tombwatcher.htb domain.

Running Enable-ADAccount -Identity cert_admin reactivates the ‘cert_admin’ account in the tombwatcher.htb domain, allowing its use within Active Directory.

Issuing Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword (ConvertTo-SecureString "Abc123456@" -AsPlainText -Force) resets the password of the ‘cert_admin’ account to “Abc123456@” in the tombwatcher.htb domain.

Identifying Vulnerable Certificate Templates with Certipy

Launching certipy find -u cert_admin -p 'Abc123456@' -dc-ip 10.10.11.72 -vulnerable scans for vulnerable certificate templates in the tombwatcher.htb domain using the ‘cert_admin’ account credentials, targeting the domain controller at IP 10.10.11.72.

Certipy flags ESC15 in the target domain: a certificate-template misconfiguration that allows unauthorised privilege escalation.

ESC15: Exploiting Certificate Services for Privilege Escalation

AD PKI Attack: Enroll a Certificate to Compromise Administrator

ESC15 is an Active Directory Certificate Services attack against schema-version-1 certificate templates on which the enrollee supplies the subject. On such templates the CA also honours application policies supplied in the request and copies them into the issued certificate, even though the template’s own EKU (here Server Authentication on WebServer) never permitted them. A low‑privileged principal with enrollment rights can therefore request a certificate embedding a target UPN together with a Client Authentication policy, or a Certificate Request Agent policy and then enroll on behalf of a high‑privilege account such as Administrator, use the result for PKINIT to obtain a TGT, and escalate to domain compromise.
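The preconditions just described (schema version 1, enrollee supplies subject, enrollment rights outside Tier 0, template published) can be checked directly against template attributes. The following is an added example, not Certipy’s code; the template records are constructed to mirror this page, with field names standing in for the AD attributes (msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, the enrollment ACEs), and the Tier-0 set is an assumption.

```python
"""Assess certificate-template settings for the ESC15 shape exploited on this
page.  Added example (not Certipy's code); TEMPLATES and TIER0 are constructed
for the example and mirror the page's WebServer finding."""
import copy

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed Tier-0 set

# Constructed template records; "enroll" holds the principals with enrollment rights.
TEMPLATES = [
    {"name": "WebServer", "schema_version": 1, "name_flag": 0x1,
     "enroll": {"Domain Admins", "Enterprise Admins", "cert_admin"}, "published": True},
    {"name": "User", "schema_version": 1, "name_flag": 0xA6000000,   # subject built from AD, not supplied
     "enroll": {"Domain Users"}, "published": True},
    {"name": "OldWebV1", "schema_version": 1, "name_flag": 0x1,
     "enroll": {"Domain Users"}, "published": False},                # not offered by any CA
    {"name": "CustomV2", "schema_version": 2, "name_flag": 0x1,
     "enroll": {"Domain Users"}, "published": True},
]


def esc15_findings(templates):
    """Return [(template name, sorted non-Tier-0 enrollees)] for templates matching ESC15."""
    findings = []
    for t in templates:
        if not t["published"] or t["schema_version"] != 1:
            # Request-supplied application policies are only honoured on version 1 templates.
            continue
        if not t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
            continue
        weak = sorted(t["enroll"] - TIER0)
        if weak:
            findings.append((t["name"], weak))
    return findings


def remediate(template):
    """Minimal fix: drop non-Tier-0 enrollment rights.  Retiring the V1 template is the durable fix."""
    fixed = copy.deepcopy(template)
    fixed["enroll"] = set(fixed["enroll"]) & TIER0
    return fixed
```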

Issuing certipy req -u 'cert_admin@tombwatcher.htb' -p 'Abc123456@' -dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -application-policies 'Client Authentication' requests a certificate in the tombwatcher.htb domain using the ‘cert_admin’ account, targeting the domain controller DC01 at IP 10.10.11.72, leveraging the ‘WebServer’ template from the ‘tombwatcher-CA-1’ authority with the UPN ‘administrator@tombwatcher.htb’ for client authentication purposes.

Failed Authentication Attempt with administrator.pfx Using Certipy

On an up-to-date client, authenticating with administrator.pfx fails: OpenSSL rejects the certificate’s signature algorithm with CA_MD_TOO_WEAK.

Running openssl pkcs12 -in administrator.pfx -clcerts -nokeys | openssl x509 -text -noout extracts and displays the certificate details from the administrator.pfx file in a human-readable format, excluding private keys.

The certificate is signed with SHA1withRSAEncryption, as the analysis of administrator.pfx shows, which current OpenSSL security levels no longer accept.

Issuing certipy req -u 'cert_admin@tombwatcher.htb' -p 'P@ssw0rd' -dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -application-policies 'Certificate Request Agent' requests a certificate from a V1 template in the tombwatcher.htb domain, using the ‘cert_admin’ account, targeting the domain controller DC01 at IP 10.10.11.72, via the ‘tombwatcher-CA-1’ authority with the ‘WebServer’ template, and injecting the “Certificate Request Agent” application policy.

We then use Certipy once more to request a certificate in the tombwatcher.htb domain. It authenticates as ‘cert_admin’ with the password ‘Abc123456@’, targets the domain controller ‘DC01.tombwatcher.htb’ at IP 10.10.11.72, and requests through the ‘tombwatcher-CA-1’ certificate authority with the ‘User’ template, using ‘cert_admin.pfx’ (the Certificate Request Agent certificate just obtained) to enroll on behalf of the ‘tombwatcher\Administrator’ account. This is the ESC15 abuse: the misconfigured template lets ‘cert_admin’ impersonate the Administrator and thereby obtain elevated privileges via Kerberos authentication.

The issued certificate embeds the Administrator’s UPN (‘Administrator@tombwatcher.htb’) and SID (‘S-1-5-21-1392491010-1358638721-2126982587-500’), which lets Certipy obtain a Kerberos Ticket Granting Ticket (TGT) for the Administrator account. Certipy stores the TGT in administrator.ccache and extracts the NT hash for administrator@tombwatcher.htb, giving full administrative access within the tombwatcher.htb domain.

We successfully gained access to the tombwatcher.htb domain using the extracted NT hash for ‘administrator@tombwatcher.htb’.

Issuing the command type root.txt allows reading the root flag on the compromised machine in the tombwatcher.htb domain, confirming administrative access.

The post Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.
