I just solved TombWatcher from Hack the Box.
TombWatcher Machine Summary
TombWatcher is a medium-difficulty Windows Active Directory machine that challenges players to exploit misconfigurations in Active Directory Certificate Services (AD CS). The initial foothold is gained through enumeration of vulnerable certificate templates, specifically one that allows low-privileged users to enroll certificates with the Certificate Request Agent application policy. This enables an ESC1-style attack, where a user (cert_admin) can request a certificate on behalf of a high-privileged account like Administrator, ultimately leading to domain compromise. Additionally, players must explore deleted AD objects, leveraging PowerShell to enumerate tombstoned users via Get-ADObject, restore accounts with Restore-ADObject, and regain access by resetting passwords using Set-ADAccountPassword. TombWatcher combines certificate abuse, account recovery, and AD enumeration to simulate realistic attack paths often encountered in enterprise environments.
The first step in solving this machine is to connect my Kali Linux terminal with Hack the Box server. To set up this connection, I ran the following command in my terminal:
After the connection has been set up, I started the target machine, and I was assigned an IP address of 10.10.11.72. Then I performed reconnaissance using Nmap to find all the open port and services associated with the target machine. Using the following command, I found all the services and port running at 10.10.11.72:
After the nmap scan was completed, it displayed all the open ports associated with the target machine.
I noticed an error “Clock skew too great” in the nmap scan. This error is caused due to the time difference between the target machine (10.10.11.72) and our machine. To rectified this, I ran the following command in my terminal:
This command disables automatic time synchronization via NTP (Network Time Protocol) on Linux systems that use systemd. When you turn this off, your system clock will no longer update automatically using internet time servers. You'll need to manually set the time using timedatectl set-time or another method if needed.
This command will manually synchronizes your system clock with the time server at IP address 10.10.11.72.
- Local Name Resolution Without DNS: The /etc/hosts file allows your system to resolve hostnames without querying a DNS server. It is useful when DNS is unavailable or misconfigured and when you're in an isolated or internal network.
- Testing and Development: You can point a domain (like myapp.local) to a local or test server (e.g., 127.0.0.1 or a staging IP). For example: 127.0.0.1 myapp.local This allows testing websites or apps locally using human-readable names.
- Security and Control: It can prevent connections to known malicious domains by redirecting them: 127.0.0.1 malicious-site.com
After trying few other methods, then I remembered that the TombWatcher is a Windows machine and I immediately thought of using bloodhound. Bloodhound is primarily used in Active Directory (AD) environments to analyze and visualize relationships and permissions for identifying privilege escalation paths and attack vectors. It is widely used by red teamers and penetration testers to gain a foothold inside a Windows network (e.g., via phishing or exploitation). It is also used to escalate privileges, move laterally, or eventually gain Domain Admin rights. To use bloodhound, I ran the following command in my terminal:
I copied the hash and created a file called hash.txt and pasted the hash.
I got basketball after cracking the hash.
After cracking the hash and obtaining the plaintext basketball, I used bloodyAD to check if the account had the ability to modify AD objects. I discovered that I could add users to the INFRASTRUCTURE group:
The operation succeeded, and alfred was now a member of INFRASTRUCTURE. I suspected this group had elevated permissions in the domain, so I proceeded to investigate how that could be leveraged for privilege escalation or lateral movement.
After adding alfred to the Infrastructure group, I used gMSADumper.py to check for group-managed service accounts (gMSAs) with readable credentials:
The script revealed that ansible_dev$ was a gMSA account whose password could be read by members of the Infrastructure group. Since I was already part of this group, I was able to retrieve the AES keys and NT hash for the account. These credentials could now be used to authenticate as ansible_dev$ - potentially granting me further access to the domain.
After identifying valid credentials for the john account (Test1234.), I used Evil-WinRM to establish an interactive shell on the target:
This gave me PowerShell access as the john user, which I then used to enumerate Active Directory, search for misconfigurations, and perform privilege escalation techniques. After successfully connecting to the target using Evil-WinRM as john, I navigated to the user’s desktop and retrieved the user flag: type ../desktop/user.txt.
To investigate the domain history and potential tampering, I queried deleted objects in Active Directory using:
This revealed multiple deleted instances of a user account named cert_admin, all residing in the Deleted Objects container. Each deletion instance had a unique objectSid, indicating the user was deleted and recreated multiple times, possibly as part of a privilege escalation or account abuse chain.
After discovering several deleted instances of the cert_admin account using Get-ADObject, I restored the most recent one using:
After restoring the deleted cert_admin user using Restore-ADObject, I reset its password to a known value using:
- It allows EnrolleeSuppliesSubject
- It uses Schema Version 1
I issued a certificate to cert_admin with CRA permissions:
I leveraged this misconfiguration to request a certificate on behalf of the domain administrator using:
This gave me a certificate and private key (administrator.pfx) that I used to authenticate as the Administrator:
After obtaining the evil-winrm shell, I ran the following script to obtain the root flag (Explanation: type was used to display the contents of the file named root.txt located in the Desktop directory one level above the current working directory, which is similar to cat in Linux):
Hurray, I got the root flag!!!
Keywords
cctv HackTheBox complete walkthrough
cctv.htb
cctv hack the box writeup
cctv hack the box walkthrough
cctv htb write up
cctv htb walkthrough
cctv htb machine root flag
cctv htb machine user flag
connected.htb
connected htb writeup
connected htb walkthrough
connected hack the box machine user flag
connected hack the box machine root flag
connected hack the box write up
connected hack the box walkthrough
devhub.htb
DevHub HackTheBox Season 11 htb machine complete walkthrough
devhub htb walkthrough
devhub htb writeup
devhub hack the box walkthrough
devhub hack the box write up
DevHub htb machine user flag
DevHub htb machine root flag
Reactor HTB Writeup
reactor htb walkthrough
HackTheBox - Reactor machine Season 11
reactor hack the box write up
Reactor Hack the Box Walkthrough
Reactor HTB machine user flag
Reactor HTB machine root flag
smarthire.htb
smarthire htb writeup
smarthire htb walkthrough
SmartHire Hack the Box Write Up
SmartHire Hack the Box Walkthrough
HackTheBox - SmartHire Season 11 Machine HTB Complete Walkthrough
smarthire htb machine user flag
smarthire hack the box machine root flag
Helix HTB machine
helix.htb
helix htb walkthrough
Helix htb writeup
Helix Hack the Box Walkthrough
Helix Hack the Box Write Up
HackTheBox - Helix Season 11 HTB machine complete walkthrough
helix htb machine user flag
Helix hack the box machine root flag
Checkpoint htb writeup
Checkpoint HTB walkthrough
checkpoint.htb
checkpoint hack the box write up
checkpoint hack the box walkthrough
HackTheBox - Checkpoint Season 11 HTB machine complete walkthrough solution
checkpoint htb user flag
checkpoint htb root flag
fries.htb
fries htb write up
Fries HTB walkthrough
Fries HackTheBox Season 10 htb machine complete writeup solution
fries hack the box user flag
fries hack the box root flag
Fries hack the box walkthrough
Fries Hack the Box Writeup




























0 Comments