Password Attacks | Academy

Or try the GUI Remmina

Hi, how do you find the policy? Any hint?

Hi. I go through the Pass the Ticket (PtT) from Linux page. Big problem with the last flag. I can’t find the correct LINUX01$ Kerberos ticket. There is something in the keytab but it is not possible to use this ticket. Am I on the right track?

Ctrl+F on this page for LINUX01, I just finished it.
Also the real mindfu** is the name of the flag… even the solution name is misguiding lol


Did anyone get the optional question on the Pass the Ticket attack under windows lateral movement?
I have tried what I would think should work but I cannot get anything to connect. I tried exporting and converting the ticket to ccache multiple ways but I always end up with this error
“No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)”

This is the question I am having issues with.
From Windows (MS01), export Julio’s ticket using Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to connect to the C disk. Mark DONE when finished.

This thread seems to be the most active for the password attacks module, so posting this here as well, in the hope someone can assist.

Having trouble with the password mutation module, have posted my detailed steps taken in this thread (a few messages down from the top):

Can you post the question you’re on? If that is the one I am thinking of, it was a giant nightmare for me as well. You might try downloading a new VPN connection or using pwnbox, but again I am not 100% sure which question you’re fighting?

There’s only the one question in the Password Mutations section. Brute force the ssh password for the user sam, using the password.list file and the custom.rule file provided. (But based on other user feedback, actually brute forcing ftp, not ssh)

I replied to your other thread. Hit me up if you don’t get that horrible question!

Got it… still took multiple tries with what ended up being the correct “mut_password_(xx)char.list” file, but finally got it. Thanks!

Try to find ccache file and export it to KRB5CCNAME=… then use smbclient

Try ftp and -t 48

Howdy folks. I’m hopelessly stuck on Password Reuse / Default Passwords. I’ve read the module, tried all the default mysql passwords, googled a bit, to no avail. I have successfully SSH’d in, but after much fishing around in there I’m at a loss. I’m hoping someone can share a massive breadcrumb so I can continue on the trail.

Hi. Would you mind telling me which username list you used? Thank you.

Did anybody solve that second optional exercise?

From Windows (MS01), export Julio’s ticket using Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to connect to the C disk

I think I could use a nudge… Cause I’m currently running wild!

OK, got it. Don’t try to access DC01 from Kali. Go LINUX01!


I solved it, just used the hash of the previous module

Can someone help me? I can’t RDP to the Pass The Ticket From Windows machine. I use the credentials that HTB says, but it displays this error.

Guys, don’t waste your time. Think like an attacker.
If you find a valid user and password then you can log in and retrieve all users in the system and update your users list :)

Note: valid user and password lists are provided, check resources.

I’m stuck at Password Attacks Lab - Hard. I have found the password of user D**** but it isn’t possible to RDP in. Also not possible to change user. Does anyone have a hint for me?

I’ve used a cmd with runas /user: and found a VHD but I cannot mount it.