I am stuck on the part where we need to priv esc to root. I dont know how they want me to get access to the account.
Currently I am ssh’ed as carlos and i did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos his pw but when I fill it in it says no rights.
I dont know how to crack the AES-256 hash from the tgt.
Please guide me in the right direction
In the learning text they say very simple:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt
. We can repeat the process, crack the password, and log in as svc_workstations
.
How can I crack the password since there is no RC4/NTLM hash for the account?