Executive Summary

Logging chains six distinct primitives into a full domain compromise:

  1. A plaintext credential leaked inside a readable SMB log share

  2. Kerberos-based enumeration of a GenericWrite edge on a gMSA

  3. gMSA NT hash dump via LDAP ACL manipulation

  4. DLL hijack through a scheduled task to execute as a privileged user

  5. ADCS certificate template abuse (ENROLLEE_SUPPLIES_SUBJECT) to mint a trusted WSUS TLS cert

  6. Rogue WSUS server attack delivering a Microsoft-signed binary that elevates msa_health$ to local administrator

Attack Chain

wallace.everette (Domain User - guest-read on \\DC01\Logs)
  → IdentitySync_Trace log leaks svc_recovery password
    → svc_recovery: GenericWrite on msa_health$ (gMSA)
      → Patch msDS-GroupMSAMembership → dump NT hash
        → WinRM as msa_health$
          → Upload Settings_Update.zip (malicious DLL)
            → UpdateChecker Agent (runs as jaylee.clifton) loads DLL
              → user.txt
              → CSR submitted via DLL → UpdateSrv template issues wsus.logging.htb cert
                → SeMachineAccountPrivilege → create attacker01$
                  → DNS dynamic update → wsus.logging.htb → attacker IP
                    → wsuks rogue WSUS on port 8531 (HTTPS with our signed cert)
                      → DC downloads PsExec64 as SYSTEM
                        → net localgroup administrators msa_health$ /add
                          → WinRM as local admin → root.txt

Step 1 - Initial Setup

Add Hosts Entry

echo "10.129.23.117  DC01.logging.htb logging.htb wsus.logging.htb" | sudo tee -a /etc/hosts

Configure Kerberos

svc_recovery is a member of Protected Users, so NTLM authentication is refused; every operation with this account has to use Kerberos. Configure /etc/krb5.conf:

sudo nano /etc/krb5.conf
[libdefaults]
    default_realm = LOGGING.HTB
    dns_lookup_realm = false
    dns_lookup_kdc  = false
    ticket_lifetime = 24h
    forwardable = yes
    noaddresses = true

[realms]
    LOGGING.HTB = {
        kdc = 10.129.23.117
        admin_server = 10.129.23.117
    }

[domain_realm]
    .logging.htb = LOGGING.HTB
    logging.htb  = LOGGING.HTB

Clock Skew - Critical for Kerberos

Kerberos rejects requests when the client and KDC clocks differ by more than 5 minutes (the default tolerance). The DC was ~7 hours ahead. Verify via LDAP:

python3 -c "
import ldap3, datetime
s = ldap3.Server('10.129.23.117', get_info=ldap3.ALL)
c = ldap3.Connection(s, auto_bind=True)   # anonymous bind is enough; rootDSE is readable unauthenticated
print(s.info.other['currentTime'])        # DC clock as LDAP GeneralizedTime (UTC)
print('Local:', datetime.datetime.utcnow())
"

Output:

['20260423162023.0Z']
Local: 2026-04-23 16:20:24.257012

The offset was ~7 hours, so every Kerberos call has to be wrapped in faketime to align the local clock with the DC.

⚠️ Issue: libfaketime was still held by a running process when faketime was invoked again quickly. If faketime reports libfaketime: unable to load, close and restart the terminal or run ldconfig to refresh the linker cache.
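As an added example (not code from the original writeup), the rootDSE check above extended into a skew calculator: it parses the GeneralizedTime value that currentTime returns, compares it with the local clock and reports whether the difference is inside the 5-minute tolerance Kerberos enforces by default. The live query needs python-ldap3; without an argument it runs against the constructed value taken from the output above.

```python
"""Kerberos clock-skew check built on the LDAP rootDSE query shown above.
Added example, not part of the original writeup: parses the GeneralizedTime
value returned by `currentTime` and compares it with the local clock.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # Kerberos default maximum clock skew
GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.(\d+))?Z$")  # YYYYMMDDhhmmss[.f]Z


def parse_generalized_time(value: str) -> datetime:
    """Turn an LDAP UTC GeneralizedTime string into an aware datetime."""
    match = GENERALIZED_TIME.match(value)
    if not match:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    dt = datetime.strptime(match.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if match.group(2):  # optional fraction: pad/truncate to microseconds
        dt += timedelta(microseconds=int(match.group(2)[:6].ljust(6, "0")))
    return dt


def kerberos_skew(dc_time: str, local_now) -> tuple[float, bool]:
    """Return (DC clock minus local clock in seconds, within_tolerance).
    `local_now` is an aware datetime, or a GeneralizedTime string (handy for tests)."""
    if isinstance(local_now, str):
        local_now = parse_generalized_time(local_now)
    offset = parse_generalized_time(dc_time) - local_now
    return offset.total_seconds(), abs(offset) <= MAX_SKEW


def fetch_dc_time(host: str) -> str:
    """Same anonymous rootDSE read the writeup uses (needs python ldap3)."""
    import ldap3
    server = ldap3.Server(host, get_info=ldap3.ALL)
    ldap3.Connection(server, auto_bind=True)
    return server.info.other["currentTime"][0]


if __name__ == "__main__":
    # With no argument, use the constructed value copied from the page's output.
    dc_time = fetch_dc_time(sys.argv[1]) if len(sys.argv) > 1 else "20260423162023.0Z"
    seconds, ok = kerberos_skew(dc_time, datetime.now(timezone.utc))
    print(f"DC clock is {seconds:+.0f}s relative to local; within 5 min: {ok}")
```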

Step 2 - Port Scan

nmap -Pn -p- --min-rate 2000 -T4 10.129.23.117
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
8530/tcp  open  unknown     ← WSUS HTTP
8531/tcp  open  unknown     ← WSUS HTTPS
9389/tcp  open  adws
47001/tcp open  winrm

Ports 8530/8531 immediately flag a WSUS server running on the DC - the final escalation primitive.

Step 3 - SMB Enumeration

nxc smb 10.129.23.117 -u wallace.everette -p 'Welcome2026@' --shares
Share       Permissions   Remark
ADMIN$                    Remote Admin
C$                        Default share
IPC$        READ          Remote IPC
Logs        READ
NETLOGON    READ          Logon server share
SYSVOL      READ          Logon server share
WSUSTemp                  WSUS Local Publishing share

The Logs share is readable without elevation. Download everything:

smbclient //10.129.23.117/Logs -U 'logging.htb\wallace.everette%Welcome2026@' \
  -c 'prompt OFF; mget *'

Files retrieved: Audit_Heartbeat.log, IdentitySync_Trace_20260219.log, Service_State.log, TaskMonitor.log

🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.

But you can access the entire premium writeup right now.
