# Lab 3: Kerberoasting, Lateral Movement and DCSyncing

In this lab we will be interacting with one of the agents we spawned in Lab 2. If you have no agents left, refer to Lab 2 for instructions on how to spawn a new one.

In this lab you will:

* Perform a kerberoasting attack on svc\_entrypoint
* Laterally move to the domain controller of sandbox.pwnzone.local
* Perform a dcsync against sandbox.pwnzone.local and steal the krbtgt hash

***

1. Navigate to the Agents tab in your Starkiller console and interact with one of the agents you spawned in Lab 2.

<figure><img src="/files/kNTILx63oq8fguHhmveu" alt=""><figcaption></figcaption></figure>

2. From here, we need to identify whether there are any service accounts we could potentially want to roast. We can find that out with the post-exploitation task

   `powershell_situational_awareness_network_powerview_get_user`

   Toggle the SPN switch to only return service accounts (user accounts with a non-empty Service Principal Name).

   <figure><img src="/files/ucv7YeCeSDcN1yZXTBwI" alt=""><figcaption></figcaption></figure>
3. Observe the output by going to the Task tab and clicking the dropdown button.

   <figure><img src="/files/mNZ3EC8v4s67FxEFK9cJ" alt=""><figcaption></figcaption></figure>

In a real engagement, we have to take extra caution with honeypot accounts (accounts designed to lure attackers into interacting with them, which triggers alerts on the blue side of the house). In SEC565 we cover how to spot them, but for the sake of this workshop we will assume that svc\_entrypoint is legit.

4. Time to kerberoast. There are some OPSEC considerations to be made while kerberoasting, such as the speed of your service ticket requests and the encryption type of those requests. RC4 cracks the fastest, but is also the loudest. AES256 is the default, so it blends in the most, but it is also the most computationally heavy algorithm to crack. In our agent, go back to the Interact tab and select

   `csharp_assembly_assembly`
5. We will have to download Rubeus for this task. Luckily for us, Melvin Langvik (@flangvik) keeps a repository with popular .NET tools that are already compiled and ready to download. In your web browser, navigate to

   <https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.5_Any/Rubeus.exe>

   which will automatically download Rubeus for you.
6. Back in Starkiller, we have the option to upload a binary by clicking the upload button.

<figure><img src="/files/OvMuSTrSinOso90ld6c0" alt=""><figcaption></figcaption></figure>

7. A new menu opens where you can click the paperclip button. After clicking the paperclip, a file browser opens; navigate to your Downloads folder and select Rubeus.exe.

   <figure><img src="/files/zsQhM9ZWs3z1U5qS9quF" alt=""><figcaption></figcaption></figure>
8. Press the upload button.
9. In the command field, enter the following command and press the submit button:

   `kerberoast /user:svc_entrypoint /nowrap`

<figure><img src="/files/XlqwuTQ8ZvccwP7qtPYN" alt=""><figcaption></figcaption></figure>

10. In the Task tab, check the output of the command; a new hash will be in the output. Copy the entire hash to your clipboard (select the hash and press your copy hotkey, Ctrl+C on Windows).

    <figure><img src="/files/cOzjhbsm9bW9NFbKMlqz" alt=""><figcaption></figcaption></figure>
11. In a terminal window, type

    `gedit hash.txt`
12. Paste the hash in there, but make sure to remove the `[*] Hash` label that precedes it.

<figure><img src="/files/5ad9DVAv9c4zf8JGfYxG" alt=""><figcaption><p>Change your file so it looks like line 4, not line 1.</p></figcaption></figure>

13. Make sure you save the file, then create another file with gedit called passwords.txt:

    `gedit passwords.txt`

In this password file, put a few commonly used weak passwords and make sure to save the file.

```
LetMeIn123
Password
Password1
Password123
Spring2025
Summer2025
Winter2025
Fall2025
IHateMyJob
admin
ChangeMe123
ChangeMe1234!
```

14. Now that we have a hash to crack and a file with likely passwords, we need a tool that can try to crack the hash for us. John the Ripper and Hashcat are both excellent choices. For this workshop, let's go with Hashcat; you can install it by typing

    `sudo apt install hashcat -y`

    In case you prefer John the Ripper, a good tutorial on installing it can be found at <https://moezzhioua.com/blog/install-john-the-ripper-jumbo-on-ubuntu/>

{% hint style="info" %}
Replace the `<path to>` placeholders with the actual paths to your files.

`-m` is the hash mode parameter; 13100 is the krb5tgs format (the Kerberos service ticket).

`-a0` means wordlist mode: no brute forcing through guessing or mask attacks.
{% endhint %}

15. Once hashcat is installed, we can crack the hash using the following command in a terminal:

    `hashcat -m 13100 <path to hash.txt> -a0 <path to passwords.txt>`

    <figure><img src="/files/WqfPvRI5Sw76ybd1VBnL" alt=""><figcaption></figcaption></figure>
16. We have successfully cracked the password of svc\_entrypoint, which is ChangeMe1234!

    Let's find out whether svc\_entrypoint belongs to any interesting groups. In Starkiller, go back to your Interact tab and select the following technique:

    `powershell_situational_awareness_network_powerview_get_group`

    <figure><img src="/files/N8kPTZHc9TItk8l2V1qF" alt=""><figcaption></figcaption></figure>
17. In the Tasks tab, you will find the output as usual, and it turns out that svc\_entrypoint is in fact a domain administrator for this domain!

    <figure><img src="/files/t2CCkwdUBJKTHncIQzos" alt=""><figcaption></figcaption></figure>

Since this account is a domain administrator, we should be able to perform a DCSync and get our hands on the krbtgt hash of the domain. We could also steal the NTDS.dit file as an alternative approach instead of performing a DCSync. Feel free to try that out on your own :tada:

18. Since we know the clear-text password of the account, lateral movement is pretty easy, and we could use any lateral movement strategy we want. A nice built-in lateral movement technique is

    `powershell_lateral_movement_invoke_psremoting`

    To move laterally successfully, we will need to fill out some variables:

    ComputerName: sandbox-dc01.sandbox.pwnzone.lab\
    Listener: \<select your listener from dropdown>\
    UserName: svc\_entrypoint\
    Password: ChangeMe1234!

    <figure><img src="/files/mtm7gUjI2vcBoSJlMPGZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/7mr8Q1TDb0xRci9tlDBK" alt=""><figcaption></figcaption></figure>

19. After you press submit, wait a little and check your Agents tab; a new agent should check in on the domain controller. Click it to interact with it.

    <figure><img src="/files/LcVI63fkrKKCf6KfbbVm" alt=""><figcaption></figcaption></figure>
20. On this new agent, we can perform a DCSync task. Select

    `powershell_credentials_mimikatz_dcsync`

    As the User parameter, enter `sandbox\krbtgt`.

<figure><img src="/files/bQkYvbbCazIhYZnBjJtI" alt=""><figcaption></figcaption></figure>

21. We have successfully obtained the AES256 hash of the krbtgt account, which concludes Lab 3! Excellent. Keep note of that value, as we will be using it in Lab 4.
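The encryption-type and request-speed OPSEC notes in step 4 and the replication request in step 20 are exactly what a defender keys on. The following is an added detection example, not part of the lab or of Empire/Starkiller: it scans constructed log lines modelled on Windows Security events 4769 (service ticket request) and 4662 (directory object access), flagging RC4 service-ticket requests and bursts of TGS requests from one user, and replication rights exercised by a non-DC account. The field names, user names and timestamps are constructed; the two extended-rights GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All identifiers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extended rights a DCSync needs: DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All. Domain controllers use them; users should not.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4 in event 4769

def parse(line):
    """Parse a constructed 'timestamp key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect(lines, window=timedelta(minutes=5), burst=3):
    """Return (event_id, account, reason) findings for kerberoast/DCSync signs."""
    findings, tgs_by_user = [], defaultdict(list)
    for ev in map(parse, lines):
        # 4769: tickets for computer accounts ($) are routine; SPNs on user
        # accounts are the roastable ones, so only those are scored.
        if ev["id"] == "4769" and not ev["service"].endswith("$"):
            user = ev["user"]
            if ev["etype"] == RC4_HMAC:
                findings.append(("4769", user, f"RC4 ticket for {ev['service']}"))
            tgs_by_user[user].append(ev["ts"])
            recent = [t for t in tgs_by_user[user] if ev["ts"] - t <= window]
            if len(recent) == burst:
                findings.append(("4769", user, f"{burst} TGS requests within {window}"))
        # 4662: replication rights exercised by anything but a DC account.
        elif ev["id"] == "4662" and not ev["user"].endswith("$"):
            if REPL_GUIDS & set(ev["props"].split(",")):
                findings.append(("4662", ev["user"], "replication rights used"))
    return findings

SAMPLE = [  # constructed sample events, not real telemetry
    "2025-05-01T10:00:00 id=4769 user=jdoe service=svc_entrypoint etype=0x17",
    "2025-05-01T10:00:01 id=4769 user=jdoe service=svc_sql etype=0x17",
    "2025-05-01T10:00:02 id=4769 user=jdoe service=SANDBOX-DC01$ etype=0x12",
    "2025-05-01T10:00:03 id=4769 user=jdoe service=svc_web etype=0x12",
    "2025-05-01T10:05:00 id=4662 user=svc_entrypoint "
    "props=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "2025-05-01T10:05:01 id=4662 user=SANDBOX-DC01$ props=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(*finding)
```

In a real environment the same logic would run over the DC's Security log (TicketEncryptionType and ServiceName from 4769, Properties and SubjectUserName from 4662) rather than these constructed lines.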

