Shibuya
Windows
Hard
4.9
MACHINE RATING114
USER OWNS91
SYSTEM OWNS19/06/2025
RELEASEDMachine Synopsis
Shibuya is a Medium Windows machine that starts of with the SMB port exposed. Enumerating possible usernames through Kerberos an attacker is able to find the valid machine account `red:red`. With these credentials, he can further enumerate the remote users and discover that the user `svc_autojoin` has a password in its description. With this account in hand, he is able to discover some `Windows Imaging Format (.wmi)` files that contain hashes for the user `simon.watson`. Now, the attacker has command execution through SSH on the remote machine and is able to enumerate that another user has an active interactive session. By performing a cross-session relay attack he is able to steal the hash and crack the password for the user `nigel.mills`. The new user is member of the `t1_admin` groups which has enrolment rights on a certificate template that's vulnerable to `ESC1` and by exploiting it we are able to gain `SYSTEM` privileges on the machine.
Machine Matrix
