Tombwatcher - Medium - Windows

Starting Credentials

As is common in real-life Windows pentests, you start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Nmap Scan

The port scan discovered the standard ports for a domain controller with web services active as well. Nothing else of interest.

# Nmap 7.95 scan initiated Sat Jun  7 15:35:53 2025 as: /usr/lib/nmap/nmap -sCV -p- -v -oN portscan.log 10.10.11.72
Nmap scan report for 10.10.11.72
Host is up (0.032s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-07 23:37:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-07T23:39:28+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after:  2025-11-16T00:47:59
| MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after:  2025-11-16T00:47:59
| MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
|_ssl-date: 2025-06-07T23:39:29+00:00; +4h00m01s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after:  2025-11-16T00:47:59
| MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
|_ssl-date: 2025-06-07T23:39:28+00:00; +4h00m01s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after:  2025-11-16T00:47:59
| MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
|_ssl-date: 2025-06-07T23:39:28+00:00; +4h00m01s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49684/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
49719/tcp open  msrpc         Microsoft Windows RPC
49734/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 4h00m00s
| smb2-time: 
|   date: 2025-06-07T23:38:52
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun  7 15:39:28 2025 -- 1 IP address (1 host up) scanned in 214.97 seconds

SMB Shares Enumeration - Henry

This challenge started with a set of credentials. The user has no interesting shares.

10a3cd5e661350b0cec6d6390793338a.png

Bloodhound Collection - Henry

netexec was used to collect data for Bloodhound as shown below.

4044fe149c38b17794162dafae9886e2.png

Reviewing Bloodhound Data

The Henry user has WriteSPN over the Alfred user, which means a targeted Kerberoast attack will be possible.

c37e1531b8c2e31e6da8c005a04bd0cb.png

Targeted Kerberoast

The below screenshot shows the result of the successful targeted kerberoast attack.

d87ec9cfc6274cf5e012f9098c3b1039.png

Cracking Hash

The hash cracked which provided a new set of credentials for the Alfred user.

bce94da30610f6e840e8d5d348d68e4a.png

Reviewing Bloodhound Data

Alfred has the ability to add themselves to the Infrastructure group. Members of the Infrastructure group have the ability to read the GMSA password of the ansible_dev$ account.

4263db390051128be07555c8a0544d04.png

Infrastructure - Adding Group Member

bloodyAD was used to add Alfred to the Infrastructure group as shown below.

98d51ac541757e0a15fd03542ab18d9c.png

Reading GMSA Hash

Now that Alfred is a member of Infrastructure, they should have the permissions required to read the NTLM hash of the managed account ansible_dev$. The below screenshot shows the successful outcome.

b475239cf5e1bc05a636feb988d67b94.png

Reviewing Bloodhound Data

I now have access to the managed account ansible_dev$. ansible_dev$ has the ability to change the password for the Sam user.

7792379279920d2ae8ef328f587e80e8.png

ForceChangePassword - Sam

The password for Sam was changed via RPC using a pass-the-hash technique as shown below.

f5254dd5d5d5d0e56771df36577ed74b.png

Reviewing Bloodhound Data

Sam has the ability to take ownership of the John user object. That means it will be possible to change the ownership and modify the DACL, which will then make it possible to perform a shadow credential attack.

7ed22e747a35cb6caee9baeb54589a5d.png

Changing Ownership

The below screenshot shows the command used to change ownership.

c7cf7ad1f3e0b7c458942b17fb16bd8e.png

Edit DACL

The below screenshot shows the command used to change DACL properties.

8407e387d1253ecebae4385edc461891.png

Shadow Credential Attack

The permissions are now in place to perform the shadow credential attack. The below screenshot shows the successful outcome.

c94adb7e50ca4f3e2f18250c2bb0a011.png

Reviewing Bloodhound Data

John is part of Remote Management Users which means they can create a remote session to the domain controller.

36752d75be4643f7750c8cd0bbba53f8.png

John also has GenericAll over an object named ADCS. (This had no purpose and was not the path forward.)

2caf5756582efe5dd1e5e1b0b1820e61.png

WinRM - John

It was possible to remote into the domain controller via WinRM as shown below. User flag captured.

ed038dfe8ed3bd4648c407b06bd9f5fa.png

Tombstoned Objects

I spent a lot of time searching the file system of the domain controller and could not find anything useful. John's permissions to modify the ADCS object had no value either. However, it did offer the hint that ADCS is active on the domain controller, so it will be worthwhile to check for vulnerable templates.

The name of the box offered a hint for the next part. Tombstoned objects are objects which have been deleted on the domain controller but are still retained for the tombstone lifetime. The below PowerShell scripts can be used to show any objects which have been deleted.

Show Deleted Objects

# Enable the ability to search for deleted objects
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = "LDAP://DC=tombwatcher,DC=htb"
$Searcher.Filter = "(isDeleted=TRUE)"
$Searcher.Tombstone = $true
$Searcher.SearchScope = "Subtree"

# Perform the search
$Results = $Searcher.FindAll()
$Results | ForEach-Object {
    $_.Properties["distinguishedName"]
}

The below screenshot shows a number of objects which have been deleted. They relate to a user with a name of cert_admin. This looks interesting.

b68ffa10a01eb0ab9180d5095e26f2bf.png

View Details of Deleted Objects

$domain = "DC=tombwatcher,DC=htb"
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = "LDAP://$domain"
$searcher.Filter = "(isDeleted=TRUE)"
$searcher.Tombstone = $true
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000

$results = $searcher.FindAll()
foreach ($res in $results) {
    $dn = $res.Properties["distinguishedname"]
    Write-Host "`n[+] Tombstoned Object: $dn"
    foreach ($key in $res.Properties.PropertyNames) {
        $val = $res.Properties[$key]
        Write-Host "$key = $val"
    }
}

e30925f5e189414939afdfda7827d016.png

Restoring Object - cert_admin

When an object has been deleted, it's possible to restore it afterwards using PowerShell. The below screenshot shows the commands used to restore cert_admin.

58aebd818436dac4aeeeedfeb5984564.png
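The restore step above is shown only as a screenshot, so here is an added example (not the original post's commands) that lists the deleted cert_admin objects with the ActiveDirectory module, tells several tombstones with the same former name apart by GUID, objectSid and deletion time, and restores one of them. It assumes the ActiveDirectory module is installed, that the account running it holds the Reanimate Tombstones right, and that the GUID assigned to $targetGuid is replaced with one from the listing; the domain DN is the one used in the post.

```powershell
# Added example, not from the original post: enumerate deleted cert_admin
# objects and restore one of them by GUID.
Import-Module ActiveDirectory

$domainDN = "DC=tombwatcher,DC=htb"   # domain from the post

# -IncludeDeletedObjects is mandatory; without it deleted objects are filtered out.
# The LDAP filter is the same (isDeleted=TRUE) the post uses, narrowed to users.
# A deleted object keeps its objectSid, and whenChanged records the deletion time,
# so duplicates that shared a name while alive can still be told apart.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user))" `
    -IncludeDeletedObjects -SearchBase $domainDN `
    -Properties lastKnownParent, whenChanged, objectSid, sAMAccountName |
    Where-Object { $_.Name -like "cert_admin*" }   # deleted names look like "cert_admin\0ADEL:<guid>"

$deleted |
    Select-Object ObjectGUID, Name, sAMAccountName, objectSid, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Pick the tombstone explicitly. Restoring every candidate in one go would fail on
# the second one, because the restored RDNs collide in the same container.
$targetGuid = "00000000-0000-0000-0000-000000000000"   # placeholder: take a GUID from the table above
$target = $deleted | Where-Object { $_.ObjectGUID -eq $targetGuid }
if ($null -eq $target) { throw "No deleted cert_admin object with GUID $targetGuid" }

# Restore-ADObject places the object back under lastKnownParent unless -TargetPath
# is given. If the AD Recycle Bin is not enabled, only the attributes preserved on
# the tombstone come back, so inspect the account afterwards.
Restore-ADObject -Identity $target.ObjectGUID
Get-ADUser -Identity $target.ObjectGUID -Properties Enabled, whenChanged, memberOf
```

From an administrator's or incident responder's point of view the same listing is the place to start when an account goes missing: whenChanged tells you when it was deleted, and Directory Service event 5141 (object deleted) on the domain controllers tells you who did it.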

Reviewing Bloodhound Data

Once cert_admin was restored I used the John user to collect data while the cert_admin object was active. The below screenshot shows that John has GenericAll over cert_admin. This means a shadow credential attack should be possible.

4a06b9baa59d79582df291870cc35f29.png

Shadow Credential Attack

John was used to carry out a shadow credential attack which discovered the NTLM hash of the cert_admin user.

c6a644859e12c6dde3a6e8bdaef79e1e.png
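Both shadow credential attacks in this writeup work by writing a key to the target's msDS-KeyCredentialLink attribute, which is also what makes them auditable. The following added example (not code from the post) is the defender-side check: it lists every user and computer account in the domain that currently has a value in that attribute, with the number of linked keys and the last change time. It assumes a domain-joined host and uses the domain DN from the post.

```powershell
# Added example, not from the original post: inventory msDS-KeyCredentialLink
# across the domain so unexpected entries stand out.
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://DC=tombwatcher,DC=htb"
# objectClass=user matches both user and computer accounts; the presence
# filter on msDS-KeyCredentialLink keeps only accounts that have a linked key.
$searcher.Filter = "(&(objectClass=user)(msDS-KeyCredentialLink=*))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    "samaccountname", "objectclass", "whenchanged", "msds-keycredentiallink"))

foreach ($res in $searcher.FindAll()) {
    # Each value is a DN-with-binary string "B:<len>:<hex>:<owner DN>"; the hex
    # part is the KEYCREDENTIALLINK_BLOB holding the public key. Only the count
    # matters for the inventory.
    $links   = @($res.Properties["msds-keycredentiallink"])
    $classes = @($res.Properties["objectclass"])
    $kind    = "user"
    if ($classes -contains "computer") { $kind = "computer" }

    [pscustomobject]@{
        Account     = [string]$res.Properties["samaccountname"][0]
        Kind        = $kind
        KeyCount    = $links.Count
        WhenChanged = [datetime]$res.Properties["whenchanged"][0]
    }
}
```

Legitimate values come from Windows Hello for Business and device registration, so the interesting rows are ordinary user accounts that never enrolled a key, and any entry whose WhenChanged does not match a known enrollment. For ongoing detection, audit attribute changes on msDS-KeyCredentialLink (Directory Service event 5136) rather than polling.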

Enumerating Vulnerable Templates

So far there is an ADCS object in addition to a user account named cert_admin. Everything is pointing towards a vulnerable template so I used certipy-ad to find vulnerable templates. It discovered a template named WebServer which was vulnerable to an ESC15 attack.

9b20b24283ba75f1f31d09bd2b02b4eb.png

4aacd8dc261fc227ef973cd2122fd15a.png
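To show what certipy-ad is looking for when it flags a template like WebServer for ESC15, here is an added example (not from the post or from certipy) that audits the templates in the Configuration partition for the two conditions the technique depends on: a version 1 template schema and the enrollee-supplies-subject flag, and reports which CAs publish each match. It assumes a domain-joined host (the Configuration naming context is read from RootDSE) and needs no extra modules; certipy also evaluates the enrollment ACL on each template, which this script leaves out.

```powershell
# Added example, not from the original post: find templates with a version 1
# schema that let the enrollee supply the subject, and the CAs publishing them.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT.
$EnrolleeSuppliesSubject = 0x1

# Return the first value of a property, or $null if the attribute is absent.
function Get-FirstValue($entry, $name) {
    $v = $entry.Properties[$name]
    if ($v -and $v.Count -gt 0) { return $v[0] }
    return $null
}

# Map template name -> names of the CAs that publish it
# (the certificateTemplates attribute on each pKIEnrollmentService object).
$publishedBy = @{}
$caSearcher = New-Object DirectoryServices.DirectorySearcher
$caSearcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$caSearcher.Filter = "(objectClass=pKIEnrollmentService)"
foreach ($ca in $caSearcher.FindAll()) {
    $caName = [string](Get-FirstValue $ca "cn")
    foreach ($t in @($ca.Properties["certificatetemplates"])) {
        if (-not $publishedBy.ContainsKey($t)) { $publishedBy[$t] = @() }
        $publishedBy[$t] += $caName
    }
}

$tplSearcher = New-Object DirectoryServices.DirectorySearcher
$tplSearcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$tplSearcher.Filter = "(objectClass=pKICertificateTemplate)"
$tplSearcher.PageSize = 1000
foreach ($tpl in $tplSearcher.FindAll()) {
    $name     = [string](Get-FirstValue $tpl "cn")
    $schema   = [int](Get-FirstValue $tpl "mspki-template-schema-version")
    $nameFlag = [int](Get-FirstValue $tpl "mspki-certificate-name-flag")
    $ekus     = @($tpl.Properties["pkiextendedkeyusage"])
    $supplies = ($nameFlag -band $EnrolleeSuppliesSubject) -ne 0

    if ($schema -eq 1 -and $supplies) {
        [pscustomobject]@{
            Template    = $name
            SchemaVer   = $schema
            EKUs        = ($ekus -join ", ")          # v1 templates cannot restrict application policies
            PublishedBy = (@($publishedBy[$name]) -join ", ")
        }
    }
}
```

A template is only reachable if a CA publishes it and the enrollment ACL grants the right to low-privileged principals, so cross-check the PublishedBy column against the template's security descriptor before treating a row as exposed. The fix on the defending side is to apply the vendor update for ESC15 and to unpublish or re-create version 1 templates that allow an enrollee-supplied subject, rather than relying on the EKU list alone.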

Exploiting ESC15

The below screenshot shows how certipy-ad can be used to exploit the ESC15 vulnerability. The key parts are setting the UPN to Administrator and setting the application policy to Client Authentication.

434e56b91ff5d383bec40416787a680c.png

Creating Administrator Account

It was possible to use the administrator.pfx certificate to authenticate to the domain controller. ESC15 seems to have some limitations which relate to the protocol used for authentication. PKINIT authentication will not work however SChannel authentication does work.

The below screenshot shows the result of authenticating via SChannel to spawn an LDAP shell as administrator. Afterwards I used the shell to create a new user and grant them administrator access.

365f5b22be5353912e8ef52946b4323d.png

a87e1b4dddd31013a106f6ea2939faa3.png

WinRM - Administrator

The below screenshot shows it was possible to remote into the domain controller with the administrator user that I created in the previous step. Root flag captured.

5ec46c34085ddfb0d2c89e7b482b9d94.png

This post is licensed under CC BY 4.0 by the author.