Shibuya - HackTheBox
This is a Hard Active Directory Box. Kerbrute reaveals a user that has weak credentials and is able to enumerate more users. One of those users has his password on the Description field and hash access to an SMB Share. It contains .wim files that are extracted into SAM files. Dumping the SAM gives a foothold as Simon.Watson, that can exploit an active RDP session of Nigel.Mills to get his NTLM hash. Nigel.Mills has ADCS privileges and can exploit ESC1, gaining access as Domain Administrator. ...
