Password Attacks - Pass the Ticket (PtT) from Linux

I am stuck on the part where we need to priv esc to root. I don't know how they want me to get access to the account.

Currently I am SSH'ed in as carlos and I did the kinit for the svc_workstations user, but this is as far as I am getting. When I run sudo -l it asks me for carlos's password, but when I enter it, it says I have no rights.
I don't know how to crack the AES-256 hash from the TGT.

Please guide me in the right direction.

In the learning text they say very simply:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.

How can I crack the password since there is no RC4/NTLM hash for the account?


OK, I managed to figure it out… It doesn't require any "cracking", just mere guessing. If people are stuck here, send me a DM.


Thanks for this, weller. Not a fan of random luck when it comes to things like this.

Figured it out.
I would not call it guesswork; rather, it is inspecting the directory where the bash script is located.


Got it too. It requires a bit of guesswork and some luck.

I don't think it's guesswork; there is a proper way of getting it. Guessing works fine, you will get the answer. But consider a real-world scenario.

No guesswork needed: to get the NTLM hash for svc_workstation, you just need to dig a little further to…

'find' the .kt files

The first one you likely come across is a misdirection. DM me for more help if you need it.


> I don't know how to crack the AES-256 hash from the TGT.
>
> Please guide me in the right direction.
>
> In the learning text they say very simply:
> Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.
>
> How can I crack the password since there is no RC4/NTLM hash for the account?

From memory, the module also discusses how to find files, such as keytab files. Perhaps there is another file that contains an NTLM hash…

I stopped at the last problem.
Where is the LINUX01$ Kerberos ticket?

Same here. I found the krb5.keytab, and if you display the content it also says LINUX01, but when trying to kinit it says credentials not found… Any help, or did I maybe look in the wrong place?

Hi,

I finally figured it out. Tips: transfer linikatz.sh once you have root access and you will find the needed file. If you don't want to use the tools, you just need to dig a little deeper.


For those who don't want to rely on linikatz to find the file: if you google around, you will find that the computer account creds (for Linux machines in AD) are saved in /etc/krb5.keytab. You need root access to import or export the creds from it. In the case of this exercise, you need to use kinit. However, there is something noteworthy here. If you tried logging in as the user LINUX01@INLANEFREIGHT.HTB or LINUX01$@INLANEFREIGHT.HTB, you will have seen that it doesn't work. In this case LINUX01$@INLANEFREIGHT.HTB is indeed the username of the computer account, but due to the symbol '$' being reserved for referencing variables, you need to actually put the whole username in single quotation marks.

kinit 'LINUX01$@INLANEFREIGHT.HTB' -k -t krb5.keytab

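The quoting point in the reply above and the earlier hint to 'find' the .kt files, as an added example that is not part of the thread or of the HTB module. Two details it demonstrates beyond the thread: the unquoted principal is mangled specifically because the shell reads the `$@` inside it as the positional-parameter expansion (empty, so it vanishes), and a keytab can be recognised by its 2-byte format header (0x05 0x02, or 0x05 0x01 for the old format) rather than by file name. It assumes a POSIX shell with find, dd, od and mktemp; every path, the decoy file and the sample tree are constructed for the demo, and the kinit command is only assembled, not executed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the HTB module. Assumes a POSIX shell
# (bash or dash) plus find, dd, od and mktemp. All paths and files below are
# constructed for the demo; on a real host you would run find_keytabs against /.

# Unquoted, the shell parses the "$@" inside the principal as the expansion of
# the positional parameters (empty here) and drops it, so kinit is handed a
# mangled name and cannot match it against the keytab.
unquoted_principal() {
    p=LINUX01$@INLANEFREIGHT.HTB
    printf '%s' "$p"
}

# Single quotes preserve the literal '$' that ends a computer account's name.
quoted_principal() {
    p='LINUX01$@INLANEFREIGHT.HTB'
    printf '%s' "$p"
}

# A keytab file begins with a 2-byte format version: 0x05 0x02 (or 0x05 0x01
# for the old format). Check that instead of trusting the file extension.
is_keytab() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "0502" ] || [ "$magic" = "0501" ]
}

# Print every regular file under $1 whose content carries the keytab magic,
# whatever it is called (hidden directories included).
find_keytabs() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if is_keytab "$f"; then printf '%s\n' "$f"; fi
    done
}

# The kinit argument vector, one element per line: the principal ($1) is
# passed as a single already-quoted argument, so the '$' survives intact.
kinit_argv() {
    printf '%s\n' kinit -k -t "$2" "$1"
}

# Constructed sample tree: two genuine keytabs (by magic) and a decoy whose
# name looks right but whose content is not a keytab.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/carlos/.scripts"
    printf '\005\002' > "$root/etc/krb5.keytab"
    printf '\005\002' > "$root/home/carlos/.scripts/svc_workstations.kt"
    printf 'not a keytab' > "$root/home/carlos/decoy.kt"
    printf '%s' "$root"
}

# Demo: unquoted vs quoted principal, keytab discovery, and the kinit command.
main() {
    printf 'unquoted: %s\nquoted:   %s\n' "$(unquoted_principal)" "$(quoted_principal)"
    root=$(demo_tree)
    printf 'keytabs found under %s:\n' "$root"
    find_keytabs "$root"
    printf 'would run: '
    kinit_argv "$(quoted_principal)" /etc/krb5.keytab | tr '\n' ' '
    echo
    rm -rf "$root"
}

main
```

On a real host, `find_keytabs /` (as root, since /etc/krb5.keytab is root-only) lists candidate keytabs by content, and `klist -k -t <file>` then shows which principals each one holds before you pick the right one for kinit.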

still not working for me.