Kerberoasting

In this module: Login To HTB Academy & Continue Learning | HTB Academy

It says: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.

The lecture shows a technique that uses GetUserSPNs.py, for which you need the DC IP and valid credentials for an SPN account so you can retrieve a list of all the remaining SPNs.

The problem is that the exercise does not provide any credentials to carry out this credentialed technique.

Second, the domain name is not provided either.

The only thing I have gotten is the IP of the DC using nmap. I assume that this is the IP of the DC because it is the only live machine that has appeared.

I have tried to assume the domain name of the network in the example, which is
INLANEFREIGHT.LOCAL/htb-student

also assuming that the user of the credentials that is provided to me is an SPN.

GetUserSPNs.py -dc-ip 172.16.5.225 INLANEFREIGHT.LOCAL/htb-student

It asks for the password. I write “HTB_@cademy_stdnt!”, which is the user’s password, and it is wrong.

Use the forend account.

Ran into the same issue; there are no credentials for the forend user.

If anyone has trouble with this module, what user on that module page has creds? :wink:


The credentials were in the introduction of the module, where it presents a narrative (we were commissioned to pentest X company, etc.).

The required cred is located on this page: Credentialed Enumeration - from Linux


I believe the domain is “EAGLE”

Trying to do hashcat and the attack box keeps crashing… Anyone else having this problem?

Never mind. I got it. Had to get the ticket on the attack box, copy it to the HTB VM, then perform the hashcat cracking.

When I try to connect to the kali machine it keeps saying “connection refused.”

You need to start thinking like a pentester. The creds are in the previous modules; I used Dbranch Winter2022

I am stuck on “What powerful local group on the Domain Controller is the SAPService user a member of”. I already got the password of SAPService, but when I tried to get the user info with rpcclient, it failed. Here is the output:


I only see one group, and it is not the answer. Should I restart the box?

Figured it out, just read the ‘CN’

I have the same problem as you, but I’m also not able to see it on the common name (I might be doing it wrong btw).

Carefully reread the output of the commands given as examples in the section. The output of some of these commands gives you what you need after a minor change.

You can find the password for forend in the LLMNR/NBT-NS Poisoning - from Linux section.
Here’s the password:

Klmcargo2

I hope it helped.

To find what the SAPService user is a member of: GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/sapservice
Look at the CN name of sapservice.