Password Attacks - Pass the Ticket (PtT) from Linux

weller · January 14, 2023, 3:32pm

I am stuck on the part where we need to priv esc to root. I dont know how they want me to get access to the account.

Currently I am ssh’ed as carlos and i did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos his pw but when I fill it in it says no rights.
I dont know how to crack the AES-256 hash from the tgt.

Please guide me in the right direction

In the learning text they say very simple:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.

How can I crack the password since there is no RC4/NTLM hash for the account?

weller · January 14, 2023, 4:54pm

Oke I managed to figure it out… It doesnt require any “cracking” just mere guessing. If people are stuck here send me a DM

M00th · January 18, 2023, 11:21pm

Thanks for this weller, not a fan of random luck when it comes to things like this

holeefuk · January 29, 2023, 1:08pm

Figure it out .
I would not call it guess work , rather , inspecting the directory where the bash script is located.

wfsahuo3 · February 3, 2023, 6:39pm

Got it too. It requires a bit of guess work and some luck.

suryateja · February 16, 2023, 1:54pm

I don’t think it’s a guess work, there is a proper way of getting it. Guess works fine, you will get the answer. But consider a real time scenario.

emdeh · February 28, 2023, 10:38pm

no guess work needed - to get the NTLM hash for svc_workstation, you just need to dig a little further to…

‘find’ the .kt files

the first one you likely come across is a misdirection. DM me for more help if you need

Luffy_haki · March 16, 2023, 3:44pm

I dont know how to crack the AES-256 hash from the tgt.

Please guide me in the right direction

In the learning text they say very simple:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.

How can I crack the password since there is no RC4/NTLM hash for the account?

emdeh · March 16, 2023, 9:09pm

From memory, the module also discusses how to find files, such as keytab files. Perhaps there is another file that contains a NTLM hash…

famasoon · March 19, 2023, 12:19pm

I stopped at the last problem.
Where is the LINUX01$ Kerberos ticket?

sakis17 · March 20, 2023, 9:20am

Same here. I found the krb5.keytab and if you display the content it says also LINUX01, but when trying to kinit it says credentials not found… any help, or I maybe looked in the wrong place?

sakis17 · March 20, 2023, 9:46am

Hi,

I finally figured it out. Tips: transfer linikatz.sh when you have root access and you will find the needed file. If you don’t want to use the tools, you just need to dig a little deeper.

BAlkan_BAndit · March 22, 2023, 8:57pm

For those who don’t want to rely on linikatz to find the file. If you google around, you will find that the computer account creds (for Linux machines in AD) are saved in /etc/krb5.keytab - you need root access to import or export the creds from it. In the case of this exercise, you need to use kinit. However, there is a something noteworthy here. If you tried logging as the user LINUX01@INLANEFREIGHT.HTB or LINUX01$@INLANEFREIGHT.HTB you have seen it doesn’t work. In this case LINUX01$@INLANEFREIGHT.HTB is indeed the username of the computer account but due to the symbol ‘$’ being reserved for referncing variables, you need to actually put the whole username in single quotation marks.

kinit ‘LINUX01$@INLANEFREIGHT.HTB’ -k -t krb5.keytab

Heng · April 23, 2023, 7:13pm

still not working for me.