I am stuck on the part where we need to priv esc to root. I don't know how they want me to get access to the account.
Currently I am ssh’ed as carlos and I did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos's pw, but when I fill it in it says no rights.
I don't know how to crack the AES-256 hash from the TGT.
Please guide me in the right direction.
In the learning text they say very simply:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.
How can I crack the password since there is no RC4/NTLM hash for the account?
Same here. I found the krb5.keytab and if you display the content it also says LINUX01, but when trying to kinit it says credentials not found… any help, or maybe I looked in the wrong place?
I finally figured it out. Tips: transfer linikatz.sh when you have root access and you will find the needed file. If you don’t want to use the tools, you just need to dig a little deeper.
I can't call the DC01 share for Julio.txt. I always get the error message "smbclient -L //dc01/julio -k -c ls -N
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER". Does anyone have the same problem?
I reaaaally don’t understand why I have the same error. Every time I export the ticket export KRB5CCNAME=<TGT_ccache_file_path> (in this case I tried export KRB5CNNAME=FILE:/krb5cc_647401106_HRJDux with and without the FILE: prefix) I can never use proxychains impacket-wmiexec dc01 -k .
If anyone has a hint (the ticket is always valid, I make sure I check)