Hack The Box - HTB TombWatcher Writeup - Medium - Weekly - June 7, 2025
Rooting TombWatcher: Navigating Active Directory Complexities and Elusive Paths
Machine: TombWatcher (Windows)
Difficulty: Medium
Points: 30
IP: [MACHINE_IP]
Domain: tombwatcher.htb
TombWatcher proved to be a challenging Active Directory box on Hack The Box, pushing the boundaries of enumeration, privilege escalation, and persistence. What started as a seemingly straightforward AD enumeration quickly devolved into a complex dance of version-specific tool quirks, mysterious machine resets, and elusive permissions. This write-up details the journey from initial access to full Domain Administrator compromise.
1. Initial Reconnaissance & Gaining a Foothold
Our adventure began with a single set of credentials: henry / H3nry_987TGV!. The first order of business was to understand the network landscape.
1.1. Network & Service Discovery with Nmap
A thorough nmap scan painted a clear picture of a Windows Domain Controller (DC01) for the tombwatcher.htb domain. The usual Active Directory services were exposed: DNS (53), Kerberos (88), MSRPC (135), LDAP and LDAPS (389/636), the global catalog (3268/3269), kpasswd (464) and SMB (445), along with WinRM (5985), so PowerShell remoting was an option once we held a user allowed to log in remotely. The scan also revealed an IIS web server on port 80. Two details in the output deserve attention before any Kerberos work: the DC's clock runs about four hours ahead of the attacking machine (anything beyond the default five-minute tolerance makes the KDC reject requests with KRB_AP_ERR_SKEW, so Kerberos-based tooling needs a clock adjustment or faketime), and SMB signing is enabled and required, which rules out NTLM relay against the DC.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -T5 -oA tombwatcher_initial [MACHINE_IP]
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-07 15:00 EDT
Nmap scan report for [MACHINE_IP]
Host is up (0.075s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-07 23:00:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:02:08+00:00; +4h00m03s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:02:09+00:00; +4h00m03s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-07T23:02:08+00:00; +4h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after: 2025-11-16T00:47:59
|_ssl-date: 2025-06-07T23:02:09+00:00; +4h00m03s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 4h00m02s, deviation: 0s, median: 4h00m02s
| smb2-time:
| date: 2025-06-07T23:01:30
|_ start_date: N/A
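The four-hour skew in the nmap output above is the first thing that breaks Kerberos-based tooling against this box, so it is worth extracting and acting on before running anything that requests tickets. The following script is an added example, not code from the original write-up: it parses the ssl-date and clock-skew lines exactly as nmap printed them here (embedded as a constructed sample), converts them to a signed offset, checks it against the default five-minute Kerberos tolerance, and renders the relative offset for libfaketime. It assumes the standard 5-minute KDC clock tolerance and that libfaketime treats a bare signed number as seconds; both are assumptions stated in the comments.

```python
import re
from datetime import timedelta

# Constructed sample input: the ssl-date and clock-skew lines as nmap printed
# them in the scan above (DC01's clock relative to the scanner's clock).
NMAP_OUTPUT = """\
|_ssl-date: 2025-06-07T23:02:08+00:00; +4h00m03s from scanner time.
|_ssl-date: 2025-06-07T23:02:09+00:00; +4h00m03s from scanner time.
|_clock-skew: mean: 4h00m02s, deviation: 0s, median: 4h00m02s
"""

# Assumption: the default Kerberos clock tolerance (krb5 "clockskew" and the
# AD KDC default) is 5 minutes; a larger skew yields KRB_AP_ERR_SKEW.
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# nmap prints skews like "+4h00m03s", "-1s", "0s" or "12m05s".
_DURATION_RE = re.compile(r"([+-]?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_skew(token: str) -> timedelta:
    """Turn an nmap skew token into a signed timedelta (target minus scanner)."""
    m = _DURATION_RE.fullmatch(token)
    if not m or not any(m.group(2, 3, 4)):
        raise ValueError(f"not an nmap skew value: {token!r}")
    sign, hours, minutes, seconds = m.groups()
    delta = timedelta(hours=int(hours or 0), minutes=int(minutes or 0),
                      seconds=int(seconds or 0))
    return -delta if sign == "-" else delta


def skews_from_nmap(text: str) -> list[timedelta]:
    """Collect every skew nmap reported: per-port ssl-date plus the host clock-skew median."""
    found = []
    for line in text.splitlines():
        m = re.search(r"ssl-date:.*?;\s*(\S+) from scanner time", line)
        if not m:
            m = re.search(r"clock-skew:.*median:\s*(\S+)", line)
        if m:
            found.append(parse_skew(m.group(1)))
    return found


def kerberos_will_fail(skew: timedelta) -> bool:
    """True when the KDC would reject our requests because of clock skew."""
    return abs(skew) > KERBEROS_MAX_SKEW


def faketime_offset(skew: timedelta) -> str:
    """Relative offset for libfaketime. Assumption: a bare signed number is seconds."""
    total = int(skew.total_seconds())
    return f"{'+' if total >= 0 else '-'}{abs(total)}"


def summarize(text: str) -> dict:
    """Pick the largest reported skew and say what to do about it."""
    skews = skews_from_nmap(text)
    worst = max(skews, key=lambda d: abs(d), default=timedelta(0))
    return {
        "skew_seconds": int(worst.total_seconds()),
        "kerberos_will_fail": kerberos_will_fail(worst),
        "faketime": faketime_offset(worst),
    }


if __name__ == "__main__":
    # For the sample above this reports a 14403-second skew that breaks Kerberos.
    print(summarize(NMAP_OUTPUT))
```

The offset it produces can be handed to the faketime wrapper in front of any Kerberos client (for example faketime '+14403' followed by the tool and its arguments), or you can simply sync the attacking machine's clock to the DC; either way, re-run the check whenever the box is reset, because the skew is not guaranteed to stay the same.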
The web server on port 80 served only the default IIS landing page.
A gobuster scan of the web server turned up only /aspnet_client, the standard ASP.NET client-script directory, and the run kept hitting request timeouts, so the web server did not look like a promising path.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://[MACHINE_IP] -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50 -x php,txt,html,js,json,bak,config -k --random-agent -o certificate_dir.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://[MACHINE_IP]
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
[+] Extensions: txt,html,js,json,bak,config,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 158] [--> http://[MACHINE_IP]/aspnet_client/]
Progress: 1399 / 240000 (0.58%)[ERROR] Get "http://[MACHINE_IP]/page.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://[MACHINE_IP]/editor": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://[MACHINE_IP]/editor.json": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 2061 / 240000 (0.86%)[ERROR] Get "http://[MACHINE_IP]/database.config": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://[MACHINE_IP]/ads": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
1.2. Active Directory Enumeration with CrackMapExec
Using the henry credentials with CrackMapExec, we enumerated the domain users and the domain password policy, which turned out to be weak. The resulting user list included Alfred, sam, and john, the accounts that would matter for the rest of the chain.