Domain-Joined Linux Host


PEAS has discovered Kerberos configuration files and tickets present on the icinga.cerberus.local host. This indicates that the icinga.cerberus.local host is indeed a domain-joined Linux host.

www-data@icinga:~$ realm list
cerberus.local
  type: kerberos
  realm-name: CERBERUS.LOCAL
  domain-name: cerberus.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@cerberus.local
  login-policy: allow-realm-logins
 
www-data@icinga:~$ cat /etc/krb5.conf | grep -v '^#'
[libdefaults]
default_realm = CERBERUS.LOCAL
 
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	udp_preference_limit = 0
	default_ccache_name = kcm:
 
 
 
[realms]
	CERBERUS.LOCAL = {
		kdc = DC.cerberus.local
		admin_server = DC.cerberus.local
	}
 
[domain_realm]
        .cerberus.local = CERBERUS.LOCAL

It can further be confirmed

Domain-joined Linux hosts utilize sssd (System Security Services Daemon), a software suite that integrates with remote directory services like LDAP or Active Directory. sssd provides centralized authentication and user and group information management, with offline authentication and caching for improved performance. It integrates with Pluggable Authentication Modules (PAM) and Name Service Switch (NSS), giving the host a unified identity management layer within a domain environment.

root@icinga:~# ps auxww | grep sssd
root         573  0.0  0.5  93916  4928 ?        ss   07:01   0:00 /usr/sbin/sssd -i --logger=files
root         816  0.0  0.6  98216  5536 ?        s    07:01   0:00 /usr/libexec/sssd/sssd_be --domain cerberus.local --uid 0 --gid 0 --logger=files
root         914  0.0  0.6 109392  5908 ?        s    07:01   0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root         915  0.0  0.6  83340  5512 ?        s    07:01   0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root       24163  0.0  0.2   4020  1856 pts/12   s+   16:52   0:00 grep --color=auto sssd

As initially checked, sssd is running.

Relevant files are located under the /etc/sssd directory for configuration and the /var/lib/sss directory for cached data, including stored Kerberos tickets.

However, accessing those sensitive files requires root-level privileges. So I will get back to this once the icinga.cerberus.local host is fully compromised.
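From the hardening side, the two facts above (tickets cached via `default_ccache_name`, sensitive sssd files readable by root only) can be checked with a short script. This is an added example, not part of the original notes; the function names and the `db` and `secrets` subdirectories of /var/lib/sss are assumptions based on the standard sssd layout.

```shell
#!/bin/sh
# Added example: audit where Kerberos tickets are cached and whether the
# sssd files are restricted to their owner. Function names are hypothetical.

# Print default_ccache_name from the [libdefaults] section of a krb5.conf,
# or the MIT built-in default when the key is not set.
ccache_name() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
                        section = $0; next }        # remember the section
        section == "libdefaults" && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); value = $0
        }
        END { print (value != "" ? value : "FILE:/tmp/krb5cc_%{uid}") }
    ' "$1"
}

# Map a ccache name to the place the tickets are actually kept.
# Assumption: on an sssd host, KCM: is served by sssd-kcm.
ccache_store() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        KCM:*)     echo "sssd-kcm secrets db under /var/lib/sss/secrets" ;;
        FILE:*)    echo "file ${1#*:}" ;;
        DIR:*)     echo "directory ${1#*:}" ;;
        KEYRING:*) echo "kernel keyring (not on disk)" ;;
        *)         echo "unknown" ;;
    esac
}

# List regular files under the given directories that grant any permission
# bit to group or other. Missing directories are skipped.
loose_perms() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# On a live host, as root:
#   ccache_store "$(ccache_name /etc/krb5.conf)"
#   loose_perms /etc/sssd /var/lib/sss/db /var/lib/sss/secrets
```

Any path printed by `loose_perms` is a file a non-root account may be able to read, which removes the root requirement noted above.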