Rooting TombWatcher: Navigating Active Directory Complexities and Elusive Paths
Machine: TombWatcher (Windows)
Difficulty: Medium
Points: 30
IP: 10.129.196.94
Domain: tombwatcher.htb
TombWatcher proved to be a challenging Active Directory box on Hack The Box, pushing the boundaries of enumeration, privilege escalation, and persistence. What started as a seemingly straightforward AD enumeration quickly devolved into a complex dance of version-specific tool quirks, mysterious machine resets, and elusive permissions. This write-up details the journey from initial access to full Domain Administrator compromise.
1. Initial Reconnaissance & Gaining a Foothold
Our adventure began with a single set of credentials: henry / H3nry_987TGV!. The first order of business was to understand the network landscape.
1.1. Network & Service Discovery with Nmap
A thorough nmap scan painted a clear picture of a Windows Domain Controller (DC01) for the tombwatcher.htb domain. Key Active Directory ports (53, 88, 135, 389/636, 445) were wide open, as was WinRM (5985), indicating potential PowerShell remoting. The nmap scan also revealed an IIS web server on port 80. Two details in the script output are worth noting before moving on: SMB message signing is enabled and required (so NTLM relay to SMB on the DC is not an option), and the DC's clock is roughly four hours ahead of the scanner (clock-skew: 4h00m02s), which matters because Kerberos rejects requests whose timestamps differ from the KDC by more than five minutes by default, so any Kerberos-based tooling needs the attacking host's clock synced to the DC first.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -T5 -oA tombwatcher_initial 10.129.196.94
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-07 15:00 EDT
Nmap scan report for 10.129.196.94
Host is up (0.075s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-07 23:00:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:02:08+00:00; +4h00m03s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:02:09+00:00; +4h00m03s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-07T23:02:08+00:00; +4h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:02:09+00:00; +4h00m03s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 4h00m02s, deviation: 0s, median: 4h00m02s
| smb2-time:
| date: 2025-06-07T23:01:30
|_ start_date: N/A
The IIS server on port 80 served only the default "IIS Windows Server" landing page; nothing of interest there.
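A small triage helper for the scan above, added here as an example and not part of the original write-up: it parses nmap's normal output for open ports, the smb2-security-mode result and the clock-skew script line, then flags the two conditions discussed (DC role and a skew beyond Kerberos' default five-minute tolerance). The embedded scan excerpt is constructed from the output shown above; the 300-second tolerance is the KDC default.

```python
import re
from datetime import timedelta

# Constructed excerpt modelled on the nmap output above; not the full scan.
SAMPLE_SCAN = """\
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-07 23:00:45Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0.)
445/tcp  open  microsoft-ds?
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 4h00m02s, deviation: 0s, median: 4h00m02s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
SKEW_RE = re.compile(r"clock-skew:.*?median:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
MAX_KERBEROS_SKEW = timedelta(minutes=5)  # default KDC tolerance for ticket timestamps


def parse_open_ports(text):
    """Map each open port to the service name nmap assigned it."""
    return {int(m.group(1)): m.group(3)
            for m in (PORT_RE.match(ln) for ln in text.splitlines()) if m}


def parse_clock_skew(text):
    """Median scanner-vs-target clock skew as a timedelta, or None if nmap reported none."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign = -1 if m.group(1) == "-" else 1
    hours, minutes, seconds = (int(g or 0) for g in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)


def smb_signing_required(text):
    """True when smb2-security-mode reports signing as required (mitigates SMB relay)."""
    return "Message signing enabled and required" in text


def assess(text):
    """Summarise what the scan implies for further enumeration and for the defender."""
    ports, skew, findings = parse_open_ports(text), parse_clock_skew(text), []
    if {53, 88, 389}.issubset(ports):
        findings.append("DC role: DNS, Kerberos and LDAP all exposed")
    if skew is not None and abs(skew) > MAX_KERBEROS_SKEW:
        findings.append(f"clock skew {skew} exceeds Kerberos tolerance: sync clocks before Kerberos auth")
    if 445 in ports and not smb_signing_required(text):
        findings.append("SMB signing not required: NTLM relay to SMB is not mitigated")
    return findings
```

Feed it the saved normal-format output (the .nmap file from -oA) to get the same summary for a real scan.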
A gobuster scan was also performed to discover directories on the web server, which identified /aspnet_client.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.129.196.94 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50 -x php,txt,html,js,json,bak,config -k --random-agent -o certificate_dir.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.196.94
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
[+] Extensions: txt,html,js,json,bak,config,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 158] [--> http://10.129.196.94/aspnet_client/]
Progress: 1399 / 240000 (0.58%)[ERROR] Get "http://10.129.196.94/page.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.129.196.94/editor": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.129.196.94/editor.json": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 2061 / 240000 (0.86%)[ERROR] Get "http://10.129.196.94/database.config": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.129.196.94/ads": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
1.2. Active Directory Enumeration with CrackMapExec
Using the henry credentials, we enumerated domain users and confirmed the domain's weak password policy. This initial enumeration provided a list of users, including Alfred, sam, and john.
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.129.196.94 -u henry -p 'H3nry_987TGV!' --users-export users.list
SMB 10.129.196.94 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB 10.129.196.94 445 DC01 [+] tombwatcher.htb\henry:H3nry_987TGV!
SMB 10.129.196.94 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.196.94 445 DC01 Administrator 2025-04-25 14:56:03 0 Built-in account for administering the computer/domain
SMB 10.129.196.94 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.196.94 445 DC01 krbtgt 2024-11-16 00:02:28 0 Key Distribution Center Service Account
SMB 10.129.196.94 445 DC01 Henry 2025-05-12 15:17:03 0
SMB 10.129.196.94 445 DC01 Alfred 2025-05-12 15:17:03 0
SMB 10.129.196.94 445 DC01 sam 2025-05-12 15:17:03 0
SMB 10.129.196.94 445 DC01 john 2025-05-19 13:25:10 0
SMB 10.129.196.94 445 DC01 [*] Enumerated 7 local users: TOMBWATCHER
SMB 10.129.196.94 445 DC01 [*] Writing 7 local users to users.list
Attempts to use psexec.py and smbexec.py with henry failed: none of the shares the DC exposes (ADMIN$, C$, NETLOGON, SYSVOL) were writable by this account, so there was no path to remote command execution over SMB at this stage.
┌──(kali㉿kali)-[~]
└─$ /usr/share/doc/python3-impacket/examples/psexec.py tombwatcher.htb/henry:'H3nry_987TGV!'@10.129.196.94
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.196.94.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
┌──(kali㉿kali)-[~]
└─$ /usr/share/doc/python3-impacket/examples/smbexec.py tombwatcher.htb/henry:'H3nry_987TGV!'@10.129.196.94
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.196.94.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
certipy-ad find was used to enumerate certificate authorities and templates. It found one CA (tombwatcher-CA-1) and 11 enabled templates, but the web-enrollment check timed out and one SID (S-1-5-21-1392491010-1358638721-2126982587-1111) could not be resolved to an object.
┌──(kali㉿kali)-[~]
└─$ certipy-ad find -u henry -p 'H3nry_987TGV!' -dc-ip 10.129.196.94
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Failed to lookup object with SID 'S-1-5-21-1392491010-1358638721-2126982587-1111'
[*] Saving text output to '20250607152356_Certipy.txt'
[*] Wrote text output to '20250607152356_Certipy.txt'
[*] Saving JSON output to '20250607152356_Certipy.json'
[*] Wrote JSON output to '20250607152356_Certipy.json'