Password Attacks - Pass the Ticket (PtT) from Linux

I am stuck on the part where we need to priv esc to root. I dont know how they want me to get access to the account.

Currently I am ssh’ed as carlos and i did the kinit for the svc_workstations user, but this is as far as I am getting. When I want to sudo -l it asks me for carlos his pw but when I fill it in it says no rights.
I dont know how to crack the AES-256 hash from the tgt.

Please guide me in the right direction

In the learning text they say very simple:
Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations.

How can I crack the password since there is no RC4/NTLM hash for the account?


Oke I managed to figure it out… It doesnt require any “cracking” just mere guessing. If people are stuck here send me a DM

1 Like

Thanks for this weller, not a fan of random luck when it comes to things like this

Figure it out .
I would not call it guess work , rather , inspecting the directory where the bash script is located.


I don’t think it’s a guess work, there is a proper way of getting it. Guess works fine, you will get the answer. But consider a real time scenario.

no guess work needed - to get the NTLM hash for svc_workstation, you just need to dig a little further to…

‘find’ the .kt files

the first one you likely come across is a misdirection. DM me for more help if you need

1 Like

I stopped at the last problem.
Where is the LINUX01$ Kerberos ticket?

Same here. I found the krb5.keytab and if you display the content it says also LINUX01, but when trying to kinit it says credentials not found… any help, or I maybe looked in the wrong place?


I finally figured it out. Tips: transfer when you have root access and you will find the needed file. If you don’t want to use the tools, you just need to dig a little deeper.


As he is saying, just dig a little bit more, if you can’t crack the AES-256 hash, maybe there is a better file that you can crack.

1 Like

The required keytab didn’t show up with the scan, so you wouldn’t know where the right one is unless you checked the directory with the bash script.

you dont have to crack AES-265 there is another file *.kt

I cant call the DC01 Share for Julio.txt. I get always the error message " smbclient -L //dc01/julio -k -c ls -N
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER" someone has the same problem?


I am getting the same error. Any idea why that is the case?

Nevermind. Double check your ticket has not expired.

Thats it :slight_smile:

I reaaaally don’t understand why I have the same error. Everytime I export the ticket export KRB5CCNAME=<TGT_ccache_file_path> (in this case I tried export KRB5CNNAME=FILE:/krb5cc_647401106_HRJDux with and without FILE:prefix) I can never use proxychains impacket-wmiexec dc01 -k .
If anyone has a hint (the ticket is always valide, I make sure I check :slight_smile: )

I did this but when I access the //dc01/linux01 i get this flag s 1 n G _ K e y **************


I tried to use ftp to send the ccache to my pwnbox, but an error occured.
501 Rejected data connection to foreign address

why? my command is

I found the krb5.keytab file, but I could not proceed after this step, please give me more hints.