Pass-the-Cache to Domain Compromise
This post is going to go over a very quick domain compromise by abusing cached Kerberos tickets discovered on a Linux-based jump-box within a Windows domain environment. In essence, we were able to steal cached credentials from a Linux host and use them on a Window-based system to escalate our privileges to domain administrator level.
Abusing cached Kerberos tickets is nothing new, but its something I’d never come across when performing penetration tests or adversary simulations. Benjamin Delpy added this functionality to mimikatz and tweeted about this back in 2014. More information here: https://twitter.com/gentilkiwi/status/536489791735750656?lang=en
So simply put, if you come across Kerberos “*.ccache” ticket caches, it may be possible to “Pass-the-Cache” and assume the identity of the ticket’s owner. In this case, the cached tickets we discovered were user accounts associated with domain administrator privileges.
More reading on credential caches can be found here if you’re interested: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
As a result of a successful phish and foothold onto a host within an internal corporate environment, a review of our compromised user’s AD groups revealed they had access to a number of jump-boxes allowing them to access resources within a specific environment. These jump-boxes were Linux-based and attached to the Windows domain allowing users to use their domain credentials to authenticate.
Upon accessing this jump box using the user’s domain credentials (obtained using https://github.com/vysec/Aggressor-VYSEC/blob/master/Invoke-CredLeak.ps1), a list of kerberos caches (*.ccache) were found within the /tmp directory of the Linux file system. These files are automatically created when a user authenticates to the jump-box and are only valid for a certain period of time, keep this in mind.
Reviewing the user account permissions (net user <username> /dom) of each user with an associated cached ticket revealed that a small number of users were apart of the domain administrators group. This is where we started to get excited :)
After googling around and trying to find out if these caches could be used, I stumbled upon Benjamin’s tweet. After a review of the tweet, the relevant caches were copied from the jump-box and mimikatz (https://github.com/gentilkiwi/mimikatz) was used to inject one of the kerberos tickets into the current session and assume the target users’ identity.
The following command was executed. As shown, the ptc option and the path to the kerberos cache are specified.
Following this, a new session was created! With a new session running under the context of a domain administrator, we took control of the domain and continued on with the simulation.
Another thing to note as well, is that these ccache files can be taken offline and cracked. Even better is the fact that they can be cracked even if they are expired. The following script from JTR provides the ability to extract a crackable hash from the ccache file: https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/run/ccache2john.py
Hope you enjoyed!