A full writeup of the HTB TombWatcher machine, covering a multi-stage AD privilege-escalation path. Starting from user access, it chains WriteSPN abuse, GMSA password extraction, shadow credentials, OU control, tombstone restoration, and finally an ESC15 ADCS exploit to forge an Administrator certificate and gain system compromise.