Kerberoasting

In this module: Login To HTB Academy & Continue Learning | HTB Academy

It says: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.

The lecture shows a technique that uses GetUserSPNs.py, in which you need the DC ip, and valid credentials to a SPN account so you can retrieve a list with all the rest SPN.

The problem is that the exercise does not provide any credentials to carry out this credentialed technique.

Second, the domain name is not provided either.

The only thing I have gotten is the IP of the DC using nmap. I assume that this is the IP of the DC because it is the only living machine that has appeared.

I have tried to assume the domain name of the network in the example, which is
INLANEFREIGHT.LOCAL/htb-student

also assuming that the user of the credentials that is provided to me is an spn.

GetUserSPNs.py -dc-ip 172.16.5.225 INLANEFREIGHT.LOCAL/htb-student

asks for the password. I write “HTB_@cademy_stdnt!”, which is the user’s password, and it is wrong.

use the forend account

ran into the same issue, there are no credentials for the forend user.

if anyone has trouble with this module, what user on that module page has creds? :wink:

2 Likes

the credentials were in the introduction of the module, where it presents a narrative (we were encommended to pentest X company etc)

the required cred is located in this page : # Credentialed Enumeration - from Linux

1 Like

i believe the domain is “EAGLE”

Trying to do hashcat and the attack box keeps crashing… Anyone else having this problem?

Never mind. I got it. Had to get the ticket on the attack box, copy it to the HTB VM, then perform the hashcat cracking.

When I try to connect to the kali machine it keeps saying “connection refused.”

You need to start thinking like a pentester, the creds are in the previous modules, I used Dbranch Winter2022

I stuck in “What powerful local group on the Domain Controller is the SAPService user a member of”. I already got the password of SAPService, but when I tried to get the user info with rpcclient, it failed. here is the output


I only see one group, and it is not the answer. Should I restart the box?

Figured out, just read the ‘CN’

I have the same problem as you, but I’m also not able to see it on the common name (I might be doing it wrong btw).

Reread carefully the output of commands given as examples in the section. The output of some of these commands gives you what you need after minor change.

1 Like

You can find password for forend in LLMNR/NBT-NS Poisoning - from Linux section.
here’s the password:

Klmcargo2

I hope it helped.

To find SAPService user a member of GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/sapservice
look CN name of sapservice.

I can’t even get the SAPService TGS ticket. I ran GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user SAPService -outputfile user but all I get is an overview of the account and the below error message. It never prints the TGS ticket

[-] Principal: INLANEFREIGHT.LOCAL\SAPService - [Errno 104] Connection reset by peer

Not really sure what else I am supposed to do with this

Did you manage to solve it? It’s giving me the same error

It looks like it may be fixed now. I submitted a ticket and they responding saying everything worked as expected with a screenshot of a completely different command. I went to re-run it and attach a screenshot and now it works lol.