Official Support Discussion

Hi. It seems this box is more complicated than an easy level. I have the user flag, that is ok. I have downloaded the ticket with R… Then I download a converter ticket. But when I want to use Impacket, I receive an error about status_more_processing_required (still busy). If someone has an idea, you’re welcome. Thanks

A little hint if you happen to get stuck after finding the first credentials and trying to find a second password, if the tools you’re trying to use don’t seem to connect to the box, be VERY careful with the way you are typing down the username you are using to authenticate, use exactly the syntax found in the place that gave you the username, escaping as needed depending on the program.

Can I talk to anyone about the very last step of the privesc? I keep getting an authentication error even though I have (I think) the right bits.

What kind of error or issue do you get or experience?

This is the error I get using any impacket tool:

[-] Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)

Using the -debug option with the same tools I can see this:

[+] SPN CIFS/SUPPORT.HTB@SUPPORT.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] SPN KRBTGT/SUPPORT.HTB@SUPPORT.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache

I guess it has to do something with export KRB5CCNAME=_____________.c____e
If not, let me know… I encountered some issues on this machine as well.

That’s what I thought too but I already did run that command, and I can see it worked with klist, however the box won’t take it. This is the SPN I used, maybe it’s wrong?

cifs/dc.support.htb

I don’t have cifs/dc.support.htb in my notes, perhaps I missed that one… Not sure what you tried… I looked into my notes, I used or tried at least several impacket tools. Perhaps a DM for more details?

already rooted this box, awesome one.

For user: found two ways to get the ride, for both of them you need to have a good overlook over the resources you have.
For root: the dogs that always barks!

Could I get some help?

For root, I used the dog and in the graph generated, I saw that the edge starting with G can be used. I followed all of the instructions in the Abuse Info screen of that edge, and at the last command I got a Ticket successfully imported! message.

Dumb question, but what am I supposed to do with this ticket now? How do I use it to get the root shell? Please comment or DM me, I’m stuck!

I used this approach, I used wine/mono on kali to execute the file and used wireshark to capture ldap traffic then I got the password.

I’m at the final privesc stage, but no matter how I transfer it to the box (tried every way I can think of), I can’t get Rubeus to work. Others have told me it worked for them. I’ve tested the same binary on another Windows system. It also works on Kali with wine. Mimikatz works but is too limited to use instead (errors). Has anyone else experienced this?

I’m very close to privesc I think. I have ticket exported to ccache (used GitHub - SolomonSklash/RubeusToCcache: A small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache files for Impacket) but I can’t seem to get Impacket (tried smbclient, psexec, wmiexec) and evil-winrm with kerberos auth to work. Would appreciate any nudges or DMs

hello everyone, if possible, could someone help me?

I was able to find the username: l*** and password: nvEfEK********************************************* through the Use file .exe, managed to get several usernames on the L service and have access to the Gpt**.inf file in the shared folder SY****, but from that point on I don’t know where to go. Could anyone give me a tip?

Note: it is believed that the enigma can be solved with Gpt****.inf.

I have the same problem as yours, can you give me a tip?

SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)

please help me
got stuck in this
Thanks in advance.

Whoever is stuck decrypting the password: using dnSpy, edit the LdapQuery method, put this at the end of the line: Console.WriteLine("Password: " + password); save everything and run.

If you enumerated users with rpcclient (support.htb) or otherwise, here is a simple PowerShell script to get more information with UserInfo.exe:

foreach ($line in [System.IO.File]::ReadLines("C:\users.txt")) { .\UserInfo.exe user -username= $line }