I am stuck on the part where we need to priv esc to root. I don't know how they want me to get access to the account.
Currently I am ssh’ed as carlos and I did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos's pw, but when I fill it in it says no rights.
I don't know how to crack the AES-256 hash from the TGT.
Please guide me in the right direction.
In the learning text they say it very simply:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.
How can I crack the password since there is no RC4/NTLM hash for the account?
For those who don’t want to rely on linikatz to find the file: if you google around, you will find that the computer account creds (for Linux machines in AD) are saved in /etc/krb5.keytab - you need root access to import or export the creds from it. In the case of this exercise, you need to use kinit. However, there is something noteworthy here. If you tried logging in as the user LINUX01@INLANEFREIGHT.HTB or LINUX01$@INLANEFREIGHT.HTB, you have seen it doesn’t work. In this case LINUX01$@INLANEFREIGHT.HTB is indeed the username of the computer account, but due to the symbol ‘$’ being reserved for referencing variables, you need to actually put the whole username in single quotation marks.