Password Attacks - Pass the Ticket (PtT) from Linux

I’ve tried everything still I couldnt get linux01 kerberos ticket. I used linikatz.sh (honestly I dont understand what this does) but didn’t get any usefull output. Pls help me.

I’m with you brother. They did NOT do a good job on this module, it’s waaay too much info and somehow still not enough to explain what you’re really supposed to do. I also don’t know, but wanted to bump this.

I know I’m a bit late, but I figured it out.

There may be another way to do it, but once you’ve gained access to the ‘root@linux01’ account use “smbclient //DC01/C$” and supply the password for julio@inlanefreight.htb. once you see “smb: >” navigate to \SharedFolder\linux01\ and you can get the flag from there.

You can do this because if you do “id julio@inlanefreight.htb” you’ll see that the account has domain admin access. For some reason when I try to connect to //DC01/linux01 it would give me an error that wouldn’t allow me to list any of the files in the directories.

I spent way too long on this and was just pushing into a wall, but learned a lot in the process. Hope this helps!

EDIT: The reason I couldn’t connect to DC01/linux01 is because I was using the wrong ticket. There were two tickets for julio and one of them was expired. when you do klist it will show you when it expires. make sure to use the ticket that isn’t expired.