Pass the Ticket Linux - last question

Hi guys,
I’m so terribly stuck on the last question which is:

Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

Can you give me some hint on where to find this linux ticket? I’m root on svc_workstations but can’t seem to find a valid ticket and keep getting access denied each time I try to connect to dc01/linux01 with smbclient. Many thanks in advance.

consider using

(you need to transfer the file)

is this the one I’m looking for?

Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB

I transferred and still can’t seem to see the proper ticket. Those I tried each gave me a message “no valid credentials found”.

Here is a suggestion for you: download linikatz from the attack machine (Kali or Pwnbox), then use base64 to encode it and decode it with base64 on the linux01 (root privilege) machine. From there, as instructed in the section, you will find the ticket cache right at the beginning of the scan results.

Hi, thanks a lot. I did it before but I made a terrible mistake and provided a wrong path while assigning the variable. I don’t know why I kept root in the path. Solved it now and I feel relieved. Many thanks for your response. Have a good day

I transferred it to and ran it on Linux01. Got the credentials in the folder. Tried the files under kerberos-check ending with .conf and .keytab with path /etc. Didn’t work. Also tried ccache files and no result. Am I looking for only NTLM hash?

If you have access to root user credentials on svc_workstations, try using the kinit utility to reacquire the Kerberos ticket. After this, you can try to connect to the \\DC01\linux01 resource using smbclient using the received ticket. Remember to also check that you entered the correct username and password when you receive your ticket using kinit.

Thank you. Got it solved.

