Lab 3: Kerberoasting, Lateral Movement and DCSyncing
Last updated
In this lab we will be interacting with one of the agents we spawned in Lab 2. If you have no agents left, refer back to Lab 2 for instructions on how to spawn a new one.
In this lab you will:
Perform a kerberoasting attack on svc_entrypoint
Laterally move to the domain controller of sandbox.pwnzone.local
Perform a dcsync against sandbox.pwnzone.local and steal the krbtgt hash
Navigate to your agents tab in your starkiller console and interact with one of the Agents you have spawned in Lab 2.
From here, we need to determine whether there are any service accounts we might want to roast at all. We can gather that information by leveraging a post-exploitation task
powershell_situational_awareness_network_powerview_get_user
We can toggle the SPN switch to only give us back service accounts (user accounts with a non-empty Service Principal Name).
Observe the output by going to the Task tab and clicking the dropdown button.
In a real engagement, we have to take some extra caution with honeypot accounts (accounts that are designed to lure attackers into interacting with them, which triggers alerts on the blue side of the house). In SEC565 we cover how to spot them, but for this workshop's sake we will assume that svc_entrypoint is legit.
Time to kerberoast. There are some OPSEC considerations to make while kerberoasting, for example the rate of your service ticket requests and the encryption type you request. RC4 cracks the fastest, but is also the loudest. AES256 is the default and therefore blends in the most, but is also the most computationally expensive to crack. In our agent, go back to the interact tab and select
csharp_assembly_assembly
We will have to download Rubeus for this task. Luckily for us, Melvin Langvik (@flangvik) keeps a repository with popular .NET tools that are already compiled and ready for us to download. In your web browser navigate to https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.5_Any/Rubeus.exe which will automatically download Rubeus for you.
Back in Starkiller we have the option to upload a binary by clicking the upload button
A new menu opens where you can click the paperclip button. After clicking the paperclip a file browser opens; navigate to your Downloads folder and select Rubeus.exe
Press the upload button
In the command field enter the following command and press the submit button:
kerberoast /user:svc_entrypoint /nowrap
In the task tab, check the output of our command; a new hash will be in the output. Copy the entire hash to your clipboard (select the hash, then press your copy hotkey, Ctrl + C on Windows).
In a terminal window type
gedit hash.txt
Paste the hash in there, but make sure to remove the
[*] Hash
label that Rubeus prints in front of it. Make sure you save the file, then create another file with gedit called passwords.txt
gedit passwords.txt
In this password file, let's put a few commonly used weak passwords; make sure to save the file.
Now that we have a hash to crack and a file with likely passwords, we need a tool that can try to crack the hash for us. John the Ripper and Hashcat are both excellent choices. For this workshop let's go with Hashcat; you can install Hashcat by typing
sudo apt install hashcat -y
In case you prefer John the Ripper, a good tutorial on installing it can be found here: https://moezzhioua.com/blog/install-john-the-ripper-jumbo-on-ubuntu/
Once hashcat is installed we can crack the hash using the following command in a terminal
hashcat -m 13100 <path to hash.txt> -a0 <path to passwords.txt>
Replace the <path to> placeholders with the actual paths to your files. -m is the mode parameter; 13100 is the krb5tgs format (the service ticket).
-a0 means wordlist mode: no password brute forcing through guessing or mask attacks.
We have successfully cracked the password of svc_entrypoint, which is ChangeMe1234!
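From the defender's side, the kerberoast above is visible in Windows Security event 4769 (a Kerberos service ticket was requested). The example below is added here and is not part of the lab or of Rubeus; it runs three checks over constructed 4769 records: RC4 (0x17) tickets requested for user SPNs (the loud option described earlier), any request for an assumed honeypot account, and one principal requesting many distinct user SPNs in a short span, which is the fallback signal when the requests use AES and do not stand out on encryption type alone. The log lines, the honeypot account name svc_honeytoken and the burst threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 (Kerberos service ticket
# requested) fields, flattened to key=value pairs. Not real log data.
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = [
    "TargetUserName=jdoe@SANDBOX.PWNZONE.LOCAL ServiceName=SANDBOX-DC01$ TicketEncryptionType=0x12 IpAddress=10.10.10.50",
    "TargetUserName=jdoe@SANDBOX.PWNZONE.LOCAL ServiceName=svc_entrypoint TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "TargetUserName=jdoe@SANDBOX.PWNZONE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "TargetUserName=jdoe@SANDBOX.PWNZONE.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.10.50",
    "TargetUserName=asmith@SANDBOX.PWNZONE.LOCAL ServiceName=svc_honeytoken TicketEncryptionType=0x12 IpAddress=10.10.10.77",
    "TargetUserName=bjones@SANDBOX.PWNZONE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.10.10.90",
]

# Assumed: SPN-bearing accounts that exist only to be tripped over (honeypots);
# any service ticket request for them is suspicious by definition.
HONEYPOT_ACCOUNTS = {"svc_honeytoken"}
RC4_HMAC = "0x17"
# Assumed tuning value: distinct user SPNs one principal may request before we flag a burst.
SPN_BURST_THRESHOLD = 3


def parse_event(line):
    """Turn one flattened 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_user_service_account(service_name):
    """Computer accounts ($) and krbtgt tickets are routine; only user SPNs are roastable."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(lines):
    """Return (rule, requesting_user, source_ip, detail) tuples for suspicious 4769 activity."""
    findings = []
    spns_by_requester = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        service = ev["ServiceName"]
        if not is_user_service_account(service):
            continue
        requester = (ev["TargetUserName"], ev["IpAddress"])
        spns_by_requester[requester].add(service)
        if service in HONEYPOT_ACCOUNTS:
            findings.append(("honeypot_spn_requested", *requester, service))
        if ev["TicketEncryptionType"] == RC4_HMAC:
            # RC4 for a user SPN: the "fast to crack but loud" choice
            findings.append(("rc4_ticket_for_user_spn", *requester, service))
    for (user, ip), spns in spns_by_requester.items():
        if len(spns) >= SPN_BURST_THRESHOLD:
            # AES requests blend in on etype alone, so volume per requester is the fallback signal
            findings.append(("spn_request_burst", user, ip, len(spns)))
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_4769):
        print(*finding)
```

In a real SIEM the burst rule needs a time window and a baseline per account, since monitoring and backup software also requests many SPNs; the honeypot rule needs no tuning at all, which is why those accounts are worth having.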
Let's find out if svc_entrypoint belongs to any interesting groups. In your Starkiller, go back to your interact tab and select the following technique:
powershell_situational_awareness_network_powerview_get_group
In the tasks tab you will find the output as usual, and it turns out that svc_entrypoint is in fact a domain administrator for this domain!
Since we know the clear-text password of the account, lateral movement is pretty easy; we could use any lateral movement strategy we want. A nice built-in lateral movement technique is
powershell_lateral_movement_invoke_psremoting
To laterally move successfully we will need to fill out some variables:
ComputerName: sandbox-dc01.sandbox.pwnzone.lab
Listener: <select your listener from dropdown>
UserName: svc_entrypoint
Password: ChangeMe1234!
After you press submit, wait a little bit and check your agents tab; a new agent should check in from the domain controller. Click it to interact with it.
Since this account is a domain administrator, we should be able to perform a dcsync and get our hands on the krbtgt hash of the domain. We could also steal the NTDS.dit file as another approach instead of performing a dcsync; feel free to try that out on your own.
On this new agent, we can perform a dcsync task, select
powershell_credentials_mimikatz_dcsync
As the user parameter, fill out sandbox\krbtgt
We have successfully gotten our hands on the AES256 hash of the krbtgt account and have hereby concluded lab 3! Excellent, keep note of that value as we will be using it in Lab 4.
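A dcsync is a directory replication request, so on the domain controller it surfaces as Security event 4662 with the replication control-access rights in the Properties field, requested by whatever principal ran it (here svc_entrypoint rather than a domain controller's machine account). The example below is added here and is not part of the lab or of mimikatz; it matches the two well-known replication right GUIDs in constructed 4662 records and reports any requester outside an assumed allow-list of expected replicators. The log lines, the allow-list (two DC machine accounts and a directory-sync account named svc_adsync) and the non-replication GUID in the last record are all assumptions made for the example.

```python
import re

# Well-known control-access-right GUIDs a dcsync needs on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Assumed allow-list: principals that legitimately replicate the directory
# (domain controllers' machine accounts and a directory-sync service account).
EXPECTED_REPLICATORS = {"SANDBOX-DC01$", "SANDBOX-DC02$", "svc_adsync"}

# Constructed sample of event 4662 (an operation was performed on an AD object),
# flattened to key=value pairs with ';'-joined Properties. Not real log data.
# AccessMask 0x100 is Control Access; the GUID in the last record is made up.
SAMPLE_4662 = [
    "SubjectUserName=SANDBOX-DC02$ ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "SubjectUserName=svc_entrypoint ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "SubjectUserName=jdoe ObjectType=user AccessMask=0x20 "
    "Properties={deadbeef-0000-4000-8000-000000000001}",
]


def parse_event(line):
    """Turn one flattened 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def replication_rights_in(ev):
    """Names of the replication control-access rights present in the event's Properties."""
    guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def detect_dcsync(lines, expected=EXPECTED_REPLICATORS):
    """Return (requester, object_type, rights) for replication requests from unexpected principals."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rights = replication_rights_in(ev)
        if not rights or ev["SubjectUserName"] in expected:
            continue
        findings.append((ev["SubjectUserName"], ev["ObjectType"], rights))
    return findings


if __name__ == "__main__":
    for requester, obj, rights in detect_dcsync(SAMPLE_4662):
        print(f"replication rights used by {requester} on {obj}: {', '.join(rights)}")
```

The allow-list is the part that needs care: it should contain only the machine accounts of actual domain controllers and the handful of sync accounts that genuinely hold replication rights, and any user account that turns up there is itself a finding worth a review of the domain object's ACL.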