
TombWatcher Hack the Box Walkthrough

Hello and welcome to another Hack the Box walkthrough. In this blog post, I am going to show you how to pwn the TombWatcher machine on Hack the Box. If you are new to this channel, please don’t forget to like, comment, and subscribe to my YouTube channel for more awesome content. Also, don’t forget to follow me on LinkedIn and X for more HTB walkthroughs and cybersecurity-related content.


About the Machine

TombWatcher is a medium-difficulty Windows Active Directory machine that challenges players to exploit misconfigurations in Active Directory Certificate Services (AD CS). The initial foothold is gained through enumeration of vulnerable certificate templates, specifically one that allows low-privileged users to enroll certificates with the Certificate Request Agent application policy. This enables an ESC1-style attack, where a user (cert_admin) can request a certificate on behalf of a high-privileged account like Administrator, ultimately leading to domain compromise. Additionally, players must explore deleted AD objects, leveraging PowerShell to enumerate tombstoned users via Get-ADObject, restore accounts with Restore-ADObject, and regain access by resetting passwords using Set-ADAccountPassword. TombWatcher combines certificate abuse, account recovery, and AD enumeration to simulate realistic attack paths often encountered in enterprise environments.
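
An added example, not part of the original walkthrough: a defender-side audit for the template misconfiguration described above (low-privileged enrollment on a template carrying the Certificate Request Agent policy), run over constructed template records. The `pKI…`/`msPKI-…` keys are real AD template attributes; the `enroll_principals` field, the template names and the `EXAMPLE` domain are assumptions made for illustration.

```python
# Added example: audit certificate templates for agent-policy exposure.
CERT_REQUEST_AGENT_OID = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag: CA manager approval

# Assumption: principals this audit treats as low-privileged.
LOW_PRIV = {"domain users", "authenticated users", "everyone", "domain computers"}


def risky_agent_templates(templates):
    """Return (template name, low-privileged enrollees) for templates that
    grant the Certificate Request Agent policy with no approval gate."""
    findings = []
    for t in templates:
        policies = set(t.get("pKIExtendedKeyUsage", [])) | set(
            t.get("msPKI-Certificate-Application-Policy", []))
        if CERT_REQUEST_AGENT_OID not in policies:
            continue  # template does not issue enrollment-agent certificates
        low_priv = [p for p in t.get("enroll_principals", [])
                    if p.split("\\")[-1].lower() in LOW_PRIV]
        if not low_priv:
            continue  # enrollment is limited to dedicated groups
        if t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
            continue  # a CA manager must approve each request
        if t.get("msPKI-RA-Signature", 0) > 0:
            continue  # request must already carry an authorized signature
        findings.append((t["name"], low_priv))
    return findings


# Constructed sample records (not taken from the TombWatcher machine).
SAMPLE = [
    {"name": "AgentOpen", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_OID],
     "enroll_principals": ["EXAMPLE\\Domain Users"]},
    {"name": "AgentApproved", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_OID],
     "enroll_principals": ["EXAMPLE\\Domain Users"],
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS},
    {"name": "AgentAdminsOnly",
     "msPKI-Certificate-Application-Policy": [CERT_REQUEST_AGENT_OID],
     "enroll_principals": ["EXAMPLE\\PKI Admins"]},
    {"name": "WebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll_principals": ["EXAMPLE\\Domain Computers"]},
]

if __name__ == "__main__":
    for name, who in risky_agent_templates(SAMPLE):
        print(f"[!] {name}: agent policy enrollable by {', '.join(who)}")
```

Templates flagged this way are candidates for tighter enrollment rights, manager approval, or an authorized-signature requirement.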

TombWatcher Hack the Box Walkthrough

The first step in solving this machine is to connect my Kali Linux terminal to the Hack the Box server. To set up this connection, I ran the following command in my terminal:
