PtT From Linux - Workstation Service Account

I have the keytab file. It only contains an AES hash. No NTLM and it’s proving to be extremely difficult for me to figure a way to make this work. I’ve requested a TGT as well. I can’t get onto MS01 to use Rubeus and I can’t seem to pass the ticket off to anything.

The section says With the AES256 or AES128 hash, we can forge our tickets using Rubeus or attempt to crack the hashes to obtain the plaintext password. but I have not found a method to brute a password. I can’t find any “Plain AES256” methods. What am I missing?

1 Like

Look for another file that will contain the NTLM hash. I made the same mistake.

I’m only seeing 2 kt files and neither have an NTLM hash in them. I’m not really sure where else to find the hashes.

I have requested the TGT as well. Unless I can impersonate with SSH i’m not sure what else there is, here.

Check in the home folder, you will find and scripts folder, check in there for more kt files.

Finally Got After Wasting Long Hours of Time Please check carefully

Don’t Blindly Follow Htb . We Need To have searching skills

hint : search full directory which is provided in crontab

There was some kind of bug. I literally just got lucky one day and it was “there”. Somethings wrong with the module or I was unlucky but I was searching the correct place. for the better part of 3 days the ticket was expired. There is only 2 tickets and the enumeration process is very simple.

It was in the exact same spot that I originally searched. HTB uses some kind of script that updates tickets and it doesn’t work correctly, or maybe I just got caught with bad timing and their lab was acting-up.

I woke up one morning hopped on my computer and there it was… Right where I looked about 60 times. I even double checked with Klist and they were both expired, until something just aligned and the ticket finally updated.

I don’t know why but I am not continuing with academy at this moment. I’ll use the main platform, instead.

this is not a difficult module. in fact it’s one of the easiest ones if you have some experience with Linux and some AD. but after that experience I’d just Stick to boxes and prolabs.

I’m not sure if it was an active directory problem or Linux problem or maybe I am mentally unstable and i’m hallucinating but either way it wasn’t very cool

What is strange is no one else has experienced this. The tickets seem to update properly for everyone. Maybe I am crazy, but I eventually finished it.