Fix cracked credentials not displaying for multiple Kerberos hash types#37

Open
LSUDOKO wants to merge 1 commit intoh00die:krb5tgs_rc4from
LSUDOKO:fix-issue-21098-cracked-creds
Conversation

@LSUDOKO
@LSUDOKO LSUDOKO commented Mar 13, 2026

Fixes rapid7#21098

When multiple cracked cores exist for the same originating credential
(e.g., krb5tgs and krb5asrep cracked together), the display map was
overwriting entries. Changed to use the ||= operator to keep the first
cracked core instead of overwriting it.

Since all cracked cores for the same hash have the same password data
(same private_id), displaying any one shows the correct cracked password.

This ensures both krb5tgs and krb5asrep credentials display their
cracked passwords correctly when cracked together.

@h00die
Owner

h00die commented Mar 16, 2026

@LSUDOKO if you developed a test script, it can be handy to include that. Don't add it to the PR code change, but in a comment or the description

@h00die
Owner

h00die commented Mar 16, 2026

Using the instructions in rapid7#21098 on how to recreate the issue, this did not solve the problem.

msf exploit(multi/script/web_delivery) > creds -d
Credentials
===========

id  host  origin  service  public  private  realm  private_type  JtR Format  cracked_password
--  ----  ------  -------  ------  -------  -----  ------------  ----------  ----------------

msf exploit(multi/script/web_delivery) > creds add user:krb5tgs hash:\$krb5tgs\$23\$*user\$realm$test/spn*\$63386d22d359fe42230300d56852c9eb\$891ad31d09ab89c6b3b8c5e5de6c06a7f49fd559d7a9a3c32576c8fedf705376cea582ab5938f7fc8bc741acf05c5990741b36ef4311fe3562a41b70a4ec6ecba849905f2385bb3799d92499909658c7287c49160276bca0006c350b0db4fd387adc27c01e9e9ad0c20ed53a7e6356dee2452e35eca2a6a1d1432796fc5c19d068978df74d3d0baf35c77de12456bf1144b6a750d11f55805f5a16ece2975246e2d026dce997fba34ac8757312e9e4e6272de35e20d52fb668c5ed jtr:krb5tgs
msf exploit(multi/script/web_delivery) > creds add user:krb5asrep hash:\$krb5asrep\$23\$user@domain.com:3e156ada591263b8aab0965f5aebd837\$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac jtr:krb5asrep
msf exploit(multi/script/web_delivery) > use auxiliary/analyze/crack_windows
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] Setting default action auto - view all 3 actions with the show actions command
msf auxiliary(analyze/crack_windows) > rm ~/.msf4/john.pot
[*] exec: rm ~/.msf4/john.pot

msf auxiliary(analyze/crack_windows) > set action john
action => john
msf auxiliary(analyze/crack_windows) > set verbose true
verbose => true
msf auxiliary(analyze/crack_windows) > rexploit
[*] Reloading module...
[+] john Version Detected: 1.9.0-jumbo-1+bleeding-aec1328d6c 2021-11-02 10:45:52 +0100 OMP
[*] No lm found to crack
[*] No nt found to crack
[*] No mscash found to crack
[*] No mscash2 found to crack
[*] No netntlm found to crack
[*] No netntlmv2 found to crack
[*] No krb5tgs-aes128 found to crack
[*] No krb5tgs-aes256 found to crack
[*] No timeroast found to crack
[*] Wordlist file written out to /tmp/jtrtmp20260316-3108263-bklv5
[*] Checking krb5tgs hashes already cracked...
[*] Cracking krb5tgs hashes in single mode...
[*]    Cracking Command: /usr/sbin/john --session=EawzEi93 --no-log --config=/home/h00die/metasploit-framework/data/jtr/john.conf --pot=/home/h00die/.msf4/john.pot --format=krb5tgs --wordlist=/tmp/jtrtmp20260316-3108263-bklv5 --rules=single /tmp/hashes_krb5tgs_20260316-3108263-udd1bd
Using default input encoding: UTF-8
[*] Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
[*] hashcat          (1067)     
1g 0:00:00:00 DONE (2026-03-16 09:52) 50.00g/s 256000p/s 256000c/s 256000C/s sandman..90210
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
[+] Cracked Hashes
==============

 DB ID  Hash Type  Username  Cracked Password  Method
 -----  ---------  --------  ----------------  ------
 1067   krb5tgs              hashcat           Single

[*] Checking krb5asrep hashes already cracked...
[+] Cracked Hashes
==============

 DB ID  Hash Type  Username  Cracked Password  Method
 -----  ---------  --------  ----------------  ------
 1067   krb5tgs              hashcat           Single
 1067   krb5tgs              hashcat           Single

[*] Cracking krb5asrep hashes in single mode...
[*]    Cracking Command: /usr/sbin/john --session=w0w5suGf --no-log --config=/home/h00die/metasploit-framework/data/jtr/john.conf --pot=/home/h00die/.msf4/john.pot --format=krb5asrep --wordlist=/tmp/jtrtmp20260316-3108263-bklv5 --rules=single /tmp/hashes_krb5asrep_20260316-3108263-kz337
Using default input encoding: UTF-8
[*] Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
1g 0:00:00:00 DONE (2026-03-16 09:52) 50.00g/s 256000p/s 256000c/s 256000C/s twinkle..90210
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
[*] hashcat          (1068)     
[+] Cracked Hashes
==============

 DB ID  Hash Type  Username  Cracked Password  Method
 -----  ---------  --------  ----------------  ------
 1067   krb5tgs              hashcat           Single
 1067   krb5tgs              hashcat           Single
 1067   krb5tgs              hashcat           Single
 1068   krb5asrep            hashcat           Single

[*] Auxiliary module execution completed
msf auxiliary(analyze/crack_windows) > creds
Credentials
===========

id    host  origin  service  public     private                                                                                   realm  private_type        JtR Format  cracked_password
--    ----  ------  -------  ------     -------                                                                                   -----  ------------        ----------  ----------------
1067                         krb5tgs    $krb5tgs$23$*user$realm$test/spn*$63386d22d359fe42230300d56852c9eb$891ad31d0 (TRUNCATED)         Nonreplayable hash  krb5tgs     hashcat
1068                         krb5asrep  $krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c (TRUNCATED)         Nonreplayable hash  krb5asrep

Also, I don't think your intended solution would solve the problem as we can see two lines in the original issue:

XXX check_results function prior to process_crack_results: {"hash_type"=>"krb5tgs", "method"=>"Single", "core_id"=>"936", "password"=>"hashcat"}
XXX check_results function prior to process_crack_results: {"hash_type"=>"krb5asrep", "method"=>"Single", "core_id"=>"937", "password"=>"hashcat"}

They have different core_id fields.
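An added illustration, not Metasploit's code and not either participant's, of the two claims in this thread: the PR description's premise that `||=` keeps the first cracked core when two results land on the same map key, and h00die's observation that the two results carry different core_id values. The map key names (`origin_id` versus `core_id`), the record layout and the scenario A values are constructed for the example; the core_id values 936 and 937 in scenario B are copied from the debug lines quoted above.

```ruby
# Added illustration (not Metasploit code): how a hash-map of cracked results
# behaves under plain assignment versus `||=`. Record fields, the key choice and
# the scenario A values are assumptions made for this example.

# Build a display map from cracked-core records, keyed on the field `key`.
#   mode = :overwrite  -> map[k] = rec   (the last record for a key wins)
#   mode = :keep_first -> map[k] ||= rec (the first record for a key wins;
#                         `||=` only assigns when the slot is nil or false)
def build_display_map(records, key:, mode:)
  records.each_with_object({}) do |rec, map|
    k = rec.fetch(key)
    case mode
    when :overwrite  then map[k] = rec
    when :keep_first then map[k] ||= rec
    else raise ArgumentError, "unknown mode #{mode.inspect}"
    end
  end
end

# Hash types that survive into the map, in insertion order.
def surviving_types(records, key:, mode:)
  build_display_map(records, key: key, mode: mode).values.map { |r| r['hash_type'] }
end

# Scenario A (the PR description's premise): two cracked cores that share the
# same originating credential, so they collide on `origin_id`. Constructed data.
COLLIDING = [
  { 'hash_type' => 'krb5tgs',   'method' => 'Single', 'origin_id' => '1067',
    'core_id' => '1067', 'password' => 'hashcat' },
  { 'hash_type' => 'krb5asrep', 'method' => 'Single', 'origin_id' => '1067',
    'core_id' => '1068', 'password' => 'hashcat' },
].freeze

# Scenario B (h00die's observation): the two results have different core_ids
# (936 and 937, as in the quoted debug lines), so a map keyed on `core_id`
# never collides and `||=` cannot change the outcome.
DISTINCT = [
  { 'hash_type' => 'krb5tgs',   'method' => 'Single', 'core_id' => '936', 'password' => 'hashcat' },
  { 'hash_type' => 'krb5asrep', 'method' => 'Single', 'core_id' => '937', 'password' => 'hashcat' },
].freeze

if __FILE__ == $PROGRAM_NAME
  %i[overwrite keep_first].each do |mode|
    puts "A (same origin_id, #{mode}): #{surviving_types(COLLIDING, key: 'origin_id', mode: mode).inspect}"
    puts "B (distinct core_id, #{mode}): #{surviving_types(DISTINCT, key: 'core_id', mode: mode).inspect}"
  end
end
```

Run it directly to print both scenarios. In scenario A, `||=` changes which record wins the collision (krb5tgs instead of krb5asrep) but still leaves a single entry; in scenario B the map is identical under both operators, which is the point h00die raises: when the keys are distinct, swapping `=` for `||=` does not touch the result, so the missing krb5asrep cracked_password has to be lost somewhere other than at this assignment.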
