Kerberoasting is cracking the TGS to recover the service account password.

Kerberos relies on a ticket that the Ticket Granting Service issues for access to a specific service (an SPN). After you obtain a TGT, you request a service ticket from the TGS for that SPN. That service ticket contains an encrypted portion that is protected by the service account’s password hash. An attacker can grab this ticket and perform offline cracking to recover the service account’s password. Because the attack targets the ticket issued by the TGS, it’s described as Kerberoasting cracking the TGS-derived ticket to reveal the service account password. The other items aren’t the focus: the TGT is an earlier credential, the service ticket is the same ticket produced by the TGS, and the Kerberos session key is a separate per-session key not the target of this password-cracking step.