TombWatcher
RETIRED MACHINE

OS: Windows
Difficulty: Medium

4.6

MACHINE RATING

6368

USER OWNS

5347

SYSTEM OWNS

07/06/2025

RELEASED
Created by mrb3n8132 & Sentinal

Machine Synopsis

`TombWatcher` is a medium-difficulty Windows machine that focuses on Active Directory privilege escalation through a chained abuse of domain object permissions. The attack starts with the provided credentials for the user `henry`, who possesses `WriteSPN` rights over the account `alfred`. This access is leveraged to carry out a targeted Kerberoasting attack, allowing the `alfred` user's password to be cracked and yielding control over an account that can add itself to the `INFRASTRUCTURE` group. Being a member of this group allows you to retrieve the gMSA password for the `ansible_dev$` managed service account. This account has the privilege to reset the password for the user `sam`, which becomes the next pivot point. Through the `sam` user, `WriteOwner` permissions over the user `john` are abused to obtain a `GenericAll` ACE, enabling a password reset and full access to the `john` user, who is a member of the `Remote Management Users` group. This provides an interactive shell and access to the user flag. Privilege escalation to Administrator is then achieved by abusing the `john` user's `GenericAll` rights over the `ADCS` organizational unit. A previously deleted account, `cert_admin`, is restored using the Active Directory Recycle Bin, its password is reset, and it is leveraged to exploit ESC15 against a misconfigured `WebServer` certificate template. This ultimately allows the issuance of a certificate for Administrator, resulting in full domain compromise.
