```
wallace.everette (given)
        │
        ▼
Readable log share → svc_recovery creds
        │
        ▼
Protected Users → AES-only TGT for svc_recovery
        │
        ▼
GenericWrite on MSA_HEALTH$ → Shadow Credentials
        │
        ▼
PKINIT → MSA_HEALTH$ NT hash
        │
        ▼
WinRM as MSA_HEALTH$ (Remote Management Users)
        │
        ▼
Drop malicious DLL in C:\ProgramData\UpdateMonitor
        │
        ▼
UpdateMonitor scheduled task runs as jaylee.clifton → user.txt
        │
        ▼
Rubeus tgtdeleg → jaylee TGT
        │
        ▼
ESC17 cert for wsus.logging.htb via UpdateSrv template
        │
        ▼
ADIDNS poisoning: wsus → attacker IP
        │
        ▼
Rogue WSUS (wsuks) pushes PsExec payload
        │
        ▼
DC runs: Add-ADGroupMember "Domain Admins" -Members "MSA_HEALTH$"
        │
        ▼
Reconnect WinRM as MSA_HEALTH$ → Domain Admin → root.txt
```
```bash
nmap -sC -sV -p- 10.129.170.186
```
Key ports observed:
| Port | Service |
|---|---|
| 53 | DNS |
| 88 | Kerberos |
| 135, 139, 445 | RPC / SMB |
| 389, 636, 3268, 3269 | LDAP / LDAPS / GC |
| 464 | kpasswd |
| 593 | RPC over HTTPS |
| 5985 | WinRM |
| 8530, 8531 | WSUS (HTTP / HTTPS) |
| 9389 | AD Web Services |
The presence of ports 8530/8531 (WSUS) on a domain controller is the biggest signal — WSUS over TLS (8531) combined with ADCS usually hints at an ESC17-style attack path.
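To turn that observation into a repeatable attack-surface check, the added example below (mine, not part of the original writeup) parses nmap grepable output (`-oG`) and flags any host that looks like a domain controller and also exposes the WSUS listeners. The sample scan lines, the second host and the `>= 4` DC-port threshold are constructed assumptions; the port set for DC01 comes from the table above.

```python
"""Flag hosts whose open ports look like a domain controller co-hosting WSUS.
Added example for this writeup, not the author's code. Input is nmap -oG output;
the SAMPLE below is constructed (DC01 ports taken from the port table)."""
import re
from dataclasses import dataclass, field

DC_PORTS = {88, 389, 464, 636, 3268, 3269, 9389}  # Kerberos, LDAP/GC, kpasswd, ADWS
WSUS_HTTP, WSUS_HTTPS = 8530, 8531

@dataclass
class HostFinding:
    ip: str
    name: str
    open_ports: set = field(default_factory=set)
    is_dc: bool = False
    wsus_http: bool = False
    wsus_https: bool = False
    risk: str = ""

_PORT_RE = re.compile(r"(\d+)/open/tcp")
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_grepable(text: str) -> list[HostFinding]:
    """Return one HostFinding per 'Ports:' line; 'Status:' and comment lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        f = HostFinding(ip, name, {int(p) for p in _PORT_RE.findall(ports)})
        # Several DC-only services must be present so a lone LDAP server is not misflagged (assumed threshold)
        f.is_dc = len(f.open_ports & DC_PORTS) >= 4
        f.wsus_http = WSUS_HTTP in f.open_ports
        f.wsus_https = WSUS_HTTPS in f.open_ports
        if f.is_dc and (f.wsus_http or f.wsus_https):
            f.risk = "WSUS co-hosted on DC"
            if f.wsus_https:
                # The TLS listener is the one whose server certificate the writeup obtains via ADCS
                f.risk += "; TLS listener present, review the ADCS template issuing its certificate"
        findings.append(f)
    return findings

# Constructed sample: first host mirrors the table above, second is a non-DC file server (192.0.2.10 is TEST-NET)
SAMPLE = """# Nmap grepable output (constructed sample)
Host: 10.129.170.186 (DC01.logging.htb)\tStatus: Up
Host: 10.129.170.186 (DC01.logging.htb)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//ncacn_http///, 636/open/tcp//ssl|ldap///, 3268/open/tcp//ldap///, 3269/open/tcp//ssl|ldap///, 5985/open/tcp//http///, 8530/open/tcp//http///, 8531/open/tcp//ssl|http///, 9389/open/tcp//mc-nmf///\tIgnored State: filtered (65510)
Host: 192.0.2.10 (fs01.example.test)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 8530/open/tcp//http///\tIgnored State: closed (65532)
"""

if __name__ == "__main__":
    for f in parse_grepable(SAMPLE):
        print(f"{f.ip} {f.name}: dc={f.is_dc} wsus_http={f.wsus_http} wsus_https={f.wsus_https} {f.risk}")
```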
```bash
echo "10.129.170.186 DC01.logging.htb logging.htb DC01 wsus.logging.htb" | sudo tee -a /etc/hosts
```
Contact me on Discord or LinkedIn for the password.

HackTheBox policy restricts publishing walkthroughs for active-season machines. This writeup is password-protected to respect that policy while keeping the content available to those who already have access.