Password Attacks - Pass the Ticket (PtT) from Linux

weller · January 14, 2023, 3:32pm

I am stuck on the part where we need to priv esc to root. I dont know how they want me to get access to the account.

Currently I am ssh’ed as carlos and i did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos his pw but when I fill it in it says no rights.
I dont know how to crack the AES-256 hash from the tgt.

Please guide me in the right direction

In the learning text they say very simple:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.

How can I crack the password since there is no RC4/NTLM hash for the account?

weller · January 14, 2023, 4:54pm

Oke I managed to figure it out… It doesnt require any “cracking” just mere guessing. If people are stuck here send me a DM

M00th · January 18, 2023, 11:21pm

Thanks for this weller, not a fan of random luck when it comes to things like this

holeefuk · January 29, 2023, 1:08pm

Figure it out .
I would not call it guess work , rather , inspecting the directory where the bash script is located.

wfsahuo3 · February 3, 2023, 6:39pm

Got it too. It requires a bit of guess work and some luck.