It says: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
The lecture shows a technique that uses GetUserSPNs.py, in which you need the DC IP and valid credentials to an SPN account so you can retrieve a list with all the rest of the SPNs.
The problem is that the exercise does not provide any credentials to carry out this credentialed technique.
Second, the domain name is not provided either.
The only thing I have gotten is the IP of the DC using nmap. I assume that this is the IP of the DC because it is the only living machine that has appeared.
I have tried to assume the domain name of the network in the example, which is
INLANEFREIGHT.LOCAL/htb-student
also assuming that the user of the credentials that is provided to me is an SPN.
I am stuck on "What powerful local group on the Domain Controller is the SAPService user a member of". I already got the password of SAPService, but when I tried to get the user info with rpcclient, it failed. Here is the output
Reread carefully the output of the commands given as examples in the section. The output of some of these commands gives you what you need after a minor change.