Exploitation

Using the credentials I was able to get the TGS for the Administrator user with GetUserSPNs and was able to kerberoast successfully.

Using the following command I was able to crack the TGS. 

hashcat -m 13100 -a 0 user.txt /usr/share/wordlists/rockyou.txt --force

The password for the Administrator account was Ticketmaster1968.

PreviousLDAP

Last updated