I finished the forest box. Anyone familiar knows the svc-al****** user. I’m now working on another box and Crackmap, smbmap, Spray (pw spray script), hashcat, john…all are referencing the user from forest and the domain. Wtf is going on?
I checked my krb5.conf, klist shows no tickets stored, I removed all .ccache files from impackets dir and elsewhere on my system, kadmin flushed tickets… what could be storing and reusing this info. On so many tools?
I deleted/reinstalled kerberos packages and impacket. Problem still persists. Specifically while working on sauna box, I got a user kerberos hash. When I tried to crack with hashcat and john, both failed while referencing the svc user from forest and the domain.
I had to copy the hash to another VM and crack it there. Any ideas?