Password Attacks | Academy

linikatz?? And how did you do it? Have you downloaded it to your machine? And how did you upload it?

You don’t actually have to run it, it was one of the tools demonstrated at the end of the PtT Linux section. But the location of the LINUX01 ticket cache (ccache file) is the same as the machine you’re working on. Once you know the location of the ccache file, you just set the right environment variable and you’re impersonating LINUX01.

2 Likes

Yep, doh, I see now that the screenshots of mimikatz in the module page have the commands you need to use.

good spot batman!

I’m on the first question of the Linux pass the ticket section. I can’t seem to ssh using the credentials user “[email protected]” and password “Password2”. Is there some unusual command syntax you need to use? Tried a few different switches, and the standard format of [email protected]:port doesn’t seem to work.

Please, can someone give me the last answer?
I have flag.txt on //DC01/Linux01 but it didn’t work -,-
Maybe something wrong in format.

Try xfreerdp in your machine to
/u:david /p:Password2 /v: /d:inlanefreight.htb
and then SSH :wink:

[Pass the Ticket (PtT) from Linux]

I’m stuck on login as “svc_workstatios”. I found svc_workstatios.kt and can extract the hash in the AES256 format. I tried to crack it to get the password in plaintext, but there was no luck. Can someone nudge me about this?

1 Like

I had the same result. If I remember correctly, you must find another file with the NTLM password for svc_workstations.

svc_workstations._all.kt? Something like that, if I am not wrong.

4 Likes

Thank you

Or try the GUI, Remmina

Hi, how do you find the policy? Any hint?

Hi. I am going through the Pass the Ticket (PtT) from Linux page. Big problem with the last flag. I can’t find the correct LINUX01$ Kerberos ticket. There is something in the keytab but it is not possible to use this ticket. Am I on the right track?

Ctrl+F on this page for LINUX01, I just finished it.
Also the real mindfu** is the name of the flag… even the solution name is misguiding lol

1 Like

Did anyone get the optional question on the Pass the Ticket attack under windows lateral movement?
I have tried what I would think should work but I cannot get anything to connect. I tried exporting and converting the ticket to ccache multiple ways but I always end up with this error
“No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)”

This is the question I am having issues with.
From Windows (MS01), export Julio’s ticket using Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to connect to the C disk. Mark DONE when finished.

This thread seems to be the most active for the password attacks module, so posting this here as well, in the hope someone can assist.

Having trouble with the password mutation module, have posted my detailed steps taken in this thread (a few messages down from the top):

Can you post the question you’re on? If that is the one I am thinking of, it was a giant nightmare for me as well. You might try downloading a new VPN connection or using pwnbox, but again I am not 100% sure which question you’re fighting.

There’s only the one question in the Password Mutations section. Brute force the ssh password for the user sam, using the password.list file and the custom.rule file provided. (But based on other user feedback, actually brute forcing ftp, not ssh)

I replied to your other thread. Hit me up if you don’t get that horrible question!

1 Like

Got it… still took multiple tries with what ended up being the correct “mut_password_(xx)char.list” file, but finally got it. Thanks!