I just solved Logging from Hack the Box!
Logging Machine Summary
Logging is a medium-difficulty Windows machine on Hack The Box that focuses on Active Directory enumeration, Kerberos authentication, certificate abuse, application exploitation, and privilege escalation through a rogue Windows Server Update Services (WSUS) infrastructure. The machine demonstrates how exposed log files, insecure Active Directory permissions, certificate-based authentication, and trust in internal update services can be chained together to achieve complete domain compromise.
The attack chain begins with Nmap enumeration, which identifies the target as an Active Directory Domain Controller exposing the usual domain services: DNS, Kerberos, LDAP, SMB, WinRM, and IIS. After configuring host name resolution for the target and synchronizing the local clock with the domain controller (Kerberos rejects requests with excessive clock skew), SMB share enumeration reveals an accessible Logs share containing several application log files.
Analysis of the downloaded logs uncovers hardcoded LDAP bind credentials belonging to the svc_recovery service account. After validating the credentials, Kerberos authentication is performed by requesting a Ticket Granting Ticket (TGT), followed by BloodHound enumeration of the Active Directory environment. BloodHound analysis reveals that svc_recovery possesses GenericWrite permissions over the msa_health$ machine account, providing a clear privilege escalation path through a Shadow Credentials attack.
Using Certipy, Shadow Credentials are added to the msa_health$ account, allowing certificate-based authentication and retrieval of the machine account's NTLM hash. The hash is then used to authenticate successfully through Evil-WinRM, establishing an initial foothold on the target system.
Following initial access, extensive post-exploitation enumeration is performed to understand the environment. User privileges, installed applications, scheduled tasks, directory structures, application binaries, and monitoring scripts are reviewed to identify potential privilege escalation opportunities. Analysis of the application's own logs reveals that the custom UpdateMonitor service repeatedly attempts to process a missing Settings_Update.zip archive and to dynamically load settings_update.dll during its scheduled update checks. Scheduled task enumeration confirms that the application runs automatically every few minutes under the jaylee.clifton user account.
Permission enumeration further reveals that authenticated users possess write access to the application's update directory, making the update mechanism vulnerable to DLL hijacking. A malicious DLL is generated using msfvenom, packaged into the expected ZIP archive, and delivered to the monitored directory. Once the scheduled task executes, the rogue DLL is loaded successfully, resulting in remote code execution and a reverse shell as jaylee.clifton. The user flag is subsequently retrieved from the compromised user's Desktop.
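As an added defensive check, not part of the original write-up, the following PowerShell audits an update directory's ACL for write access granted to broad principals such as Authenticated Users, which is the condition that made the UpdateMonitor update path hijackable. The directory path is an assumed placeholder, since the summary does not give it.

```powershell
# Added example, not from the original write-up: flag directory ACEs that let
# broad principals (Everyone, Authenticated Users, Users) create or replace files.
# $UpdateDir is a placeholder; substitute the real update directory path.
param(
    [string]$UpdateDir = 'C:\PLACEHOLDER\UpdateMonitor\Updates'
)

# Principals that every domain user effectively belongs to.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that let a principal drop a new file (e.g. a ZIP or DLL) into the
# directory or remove existing ones. Modify and FullControl include them;
# 0x40000000/0x10000000 are GENERIC_WRITE/GENERIC_ALL seen on inherited ACEs.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             0x40000000 -bor 0x10000000

function Test-BroadWriteAccess {
    param([string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries are reported; a matching Deny would override them.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Test-BroadWriteAccess -Path $UpdateDir)
if ($findings.Count -eq 0) {
    Write-Output "No broad write access on $UpdateDir"
} else {
    Write-Warning "Broad principals can write to $UpdateDir; a scheduled loader reading from it is hijackable"
    $findings | Format-Table -AutoSize
}
```

Run it against every directory a scheduled or service-driven loader reads from; any finding should be fixed by restricting write access to the account that legitimately publishes updates.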
After obtaining user-level access, additional user directory enumeration uncovers an exported incident report describing a temporary migration to a staging WSUS server (wsus.logging.htb) alongside details of a continuously running synchronization task. These findings shift the focus toward the domain's internal software update infrastructure.
Certificate enumeration from a PowerShell session shows that a user certificate can be requested from the Active Directory Certificate Services (AD CS) infrastructure. The certificate is exported as a password-protected PFX file, retrieved through Evil-WinRM, and reused locally for certificate-based authentication with Certipy. AD CS enumeration then identifies an enrollable certificate template suitable for abuse, allowing a certificate to be requested for the staging WSUS server.
Using Kerberos-authenticated DNS management, a malicious DNS record is created that redirects wsus.logging.htb to the attacker's system. After verifying the DNS modification, the WSUS attack environment is prepared by installing and configuring the wsuks framework. A rogue WSUS server is then launched using the previously obtained certificate, allowing the attacker to impersonate the legitimate update server.
The rogue WSUS infrastructure is subsequently configured to deliver a malicious administrative command through the Windows Update mechanism. As the target performs its scheduled update synchronization, it downloads and executes the supplied payload, adding the previously compromised msa_health$ machine account to the local Administrators group.
Finally, administrative access is re-established through Evil-WinRM using the existing machine account credentials. Privilege verification confirms successful membership in the local Administrators group, enabling unrestricted access to the system. A recursive search locates the administrator's root.txt file, and reading the flag completes the machine with full system compromise.
1 Comment
To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com
Note: This write-up includes the complete code blocks and commands. The password for each write-up is different. I have sent the password to your inbox on Buy Me A Coffee.
Happy Hacking!!!😈😈