Password Attacks - Pass the Ticket (PtT) from Linux

weller · January 14, 2023, 3:32pm

I am stuck on the part where we need to priv esc to root. I dont know how they want me to get access to the account.

Currently I am ssh’ed as carlos and i did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos his pw but when I fill it in it says no rights.
I dont know how to crack the AES-256 hash from the tgt.

Please guide me in the right direction

In the learning text they say very simple:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.

How can I crack the password since there is no RC4/NTLM hash for the account?

weller · January 14, 2023, 4:54pm

Oke I managed to figure it out… It doesnt require any “cracking” just mere guessing. If people are stuck here send me a DM

M00th · January 18, 2023, 11:21pm

Thanks for this weller, not a fan of random luck when it comes to things like this

holeefuk · January 29, 2023, 1:08pm

Figure it out .
I would not call it guess work , rather , inspecting the directory where the bash script is located.

suryateja · February 16, 2023, 1:54pm

I don’t think it’s a guess work, there is a proper way of getting it. Guess works fine, you will get the answer. But consider a real time scenario.

emdeh · February 28, 2023, 10:38pm

no guess work needed - to get the NTLM hash for svc_workstation, you just need to dig a little further to…

‘find’ the .kt files

the first one you likely come across is a misdirection. DM me for more help if you need

famasoon · March 19, 2023, 12:19pm

I stopped at the last problem.
Where is the LINUX01$ Kerberos ticket?

sakis17 · March 20, 2023, 9:20am

Same here. I found the krb5.keytab and if you display the content it says also LINUX01, but when trying to kinit it says credentials not found… any help, or I maybe looked in the wrong place?

sakis17 · March 20, 2023, 9:46am

Hi,

I finally figured it out. Tips: transfer linikatz.sh when you have root access and you will find the needed file. If you don’t want to use the tools, you just need to dig a little deeper.

j4l3n · June 16, 2023, 9:46am

As he is saying, just dig a little bit more, if you can’t crack the AES-256 hash, maybe there is a better file that you can crack.

cybersapper · July 1, 2023, 10:25am

The required keytab didn’t show up with the scan, so you wouldn’t know where the right one is unless you checked the directory with the bash script.

Sudo1 · July 26, 2023, 10:08am

you dont have to crack AES-265 there is another file *.kt

Sudo1 · July 26, 2023, 10:31am

I cant call the DC01 Share for Julio.txt. I get always the error message " smbclient -L //dc01/julio -k -c ls -N
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER" someone has the same problem?

solved!!!

RyanC · August 1, 2023, 7:46pm

I am getting the same error. Any idea why that is the case?

RyanC · August 1, 2023, 8:08pm

Nevermind. Double check your ticket has not expired.

Sudo1 · August 2, 2023, 12:17pm

Thats it

markEmarc · August 2, 2023, 6:09pm

I reaaaally don’t understand why I have the same error. Everytime I export the ticket export KRB5CCNAME=<TGT_ccache_file_path> (in this case I tried export KRB5CNNAME=FILE:/krb5cc_647401106_HRJDux with and without FILE:prefix) I can never use proxychains impacket-wmiexec dc01 -k .
If anyone has a hint (the ticket is always valide, I make sure I check )

softpillow · August 8, 2023, 2:38pm

I did this but when I access the //dc01/linux01 i get this flag s 1 n G _ K e y **************