Kerberoasting

In this module: Login To HTB Academy & Continue Learning | HTB Academy

It says: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.

The lecture shows a technique that uses GetUserSPNs.py, for which you need the DC IP and valid credentials for an SPN account so you can retrieve a list of all the other SPNs.

The problem is that the exercise does not provide any credentials to carry out this credentialed technique.

Second, the domain name is not provided either.

The only thing I have gotten is the IP of the DC using nmap. I assume that this is the IP of the DC because it is the only live machine that has appeared.

I have tried to assume the domain name of the network in the example, which is
INLANEFREIGHT.LOCAL/htb-student

also assuming that the user whose credentials are provided to me is an SPN.

GetUserSPNs.py -dc-ip 172.16.5.225 INLANEFREIGHT.LOCAL/htb-student

It asks for the password. I type “HTB_@cademy_stdnt!”, which is the user’s password, and it is wrong.

Use the forend account.

Ran into the same issue; there are no credentials for the forend user.

If anyone has trouble with this module, what user on that module page has creds? :wink:

The credentials were in the introduction of the module, where it presents a narrative (we were commissioned to pentest X company, etc.).

The required cred is located on this page: Credentialed Enumeration - from Linux