In this module: Login To HTB Academy & Continue Learning | HTB Academy
It says: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
The lecture shows a technique that uses GetUserSPNs.py, in which you need the DC IP and valid credentials for an SPN account so you can retrieve a list of all the other SPNs.
The problem is that the exercise does not provide any credentials to carry out this credentialed technique.
Second, the domain name is not provided either.
The only thing I have gotten is the IP of the DC using nmap. I assume that this is the IP of the DC because it is the only live machine that has appeared.
I have tried to assume the domain name of the network in the example, which is
also assuming that the user of the credentials that are provided to me is an SPN.
GetUserSPNs.py -dc-ip 172.16.5.225 INLANEFREIGHT.LOCAL/htb-student
It asks for the password. I write “HTB_@cademy_stdnt!”, which is the user’s password, and it is wrong.