HTB Academy | Password Attacks | Pass the Hash (PtH)

HTB-Academy Module 147 Password Attacks – Pass the Hash (PtH)

Creating a new post as there a few older posts that I’m not sure I’ll get a response on. Stuck on the following question in this module:

  • Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
  1. Used mimikatz and julio’s hash launching a powershell console, having a separate admin cmd prompt open listening on port (currently 5000)
  2. Imported the Invoke-TheHash.psd1 and you can see in the screenshot…Invoke-WMIExec appears to go through properly as the command is executed.
  3. I have tried listening on ‘any’ and also specifically listening on the local 172 IP address (local MS01 Windows machine on same network as DC01).
  4. With -Target i’ve used both ‘DC01’ and ‘’
  5. Tried every powershell reverse shell option on…ensuring all are Base64-encoded…screenshots are of the PowerShell #3(Base64) as instructed in the module.

Why am I not getting a reverse shell here? I’ve tried various ports, tried adjusting the powershell command to be “powershell -e ” and also just “powershell ” and it makes no difference.


Any help is greatly appreciated as I’m at a complete loss of what could be wrong here. Thank you!

Maybe it’s not visible in the screenshot, but it is in quotes.

-command “powershell rev shell encoding”

Also tried the command with/without tagging the domain (I.e. -domain inlanefreight.htb) doesn’t matter

Well that’s great it works for you. I’ve done both of those things previously and it didn’t work. I’ll try it again tomorrow and post more screenshots if needed.

im having the same issue literally at the same part

i just solved it if you need any help just ask

1 Like

Just to post a resolution…my issue was at, after selecting the PowerShell #3 (Base64) shell generator…I had the ‘Base64’ encoding also selected in the ‘Encoding’ dropdown…so it was encoding the whole thing again. Posting this since the issue is an easy fix and does not involve any spoilers to the material.

1 Like