Hi guys, I've been working on the new sections of the Password Attacks module. Currently it is the Pass the Hash section, and I'm stuck on the question "Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt."
I have found David's hash, but I don't know what tool or command syntax I need to use to pass this hash to access a shared folder, and there doesn't seem to be any information in the module on how to do this. I tried looking up some pass the hash tutorials online dealing with SMB, but all the tools and commands I have found so far don't seem to be working for me on the box in the module. If anyone knows what to do, let me know.
If you're still having trouble, you might have to input the same command to read the file. I kept getting "Tree connect error code 0x250200C0". Entered the same command a couple more times and it worked. But yeah, the "Invoke-TheHash" tool is where it's at.
Just did this today - stick to the example provided and run mimikatz. Then you should look MORE closely at a simple command that shows files. Feel free to DM me if you'd like more help.
Be sure to run a PowerShell or cmd window as administrator and enter the command privilege::debug in the mimikatz terminal, then use the command sekurlsa::logonpasswords.
Hi. Did you manage to solve the last question? "Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt." I can't make a connection using a reverse shell.
You basically just need to follow step by step from the lesson. Sometimes VPNs or firewalls get in the way, so just use as direct a connection as possible. Also, you might have to tweak some of the settings differently in the reverse shell creator than they did in the lesson.
Would you mind explaining it? I don't get what you mean by direct connection and different settings. I've tried to use another port such as 5000 and a different configuration such as below
I mean connect to the lab with no VPN and maybe no firewall. I think I had to change the netcat to nc.exe. But make sure you use the PowerShell that is already in base64.
Don't listen to the others, the best way to access \DC01\david is with mimikatz. David doesn't have access to DC01, so you can't spawn a reverse shell with Invoke-TheHash.
I'm struggling to mount this shared folder. Tried net use D: \\XXX\X with mimikatz. It does not error, but it also doesn't seem to mount a D: drive. Any tips? Feeling pretty dumb atm.
EDIT: I've figured it out. The "cmd.exe" you invoke with mimikatz says whoami: Administrator but in fact still runs under the context of David/Julio, as far as I can tell.
So I completely ignored/dropped the method, believing "it's not working" when in fact it was working.
It's very confusing, but apparently that is how Windows works…
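The behaviour described in the post above (the spawned cmd.exe looks unchanged locally while its network connections authenticate as the injected user) is what a NewCredentials logon does: the local token is untouched and only outbound network authentication uses the new credentials. On the host running mimikatz that shows up in the Security log as Event ID 4624 with Logon Type 9 and Logon Process "seclogo", and on the target share as a Logon Type 3 NTLM logon. The script below is an added detection example, not code from the thread or from the module; the events, the host names and the per-account source-address baseline are constructed sample data, and the `host` field is a hypothetical convenience field rather than a native 4624 field.

```python
"""Flag Pass-the-Hash indicators in Windows Security 4624 records.

Two heuristics are applied to constructed sample events:
  1. Logon Type 9 (NewCredentials) created through the "seclogo" logon
     process, the footprint of sekurlsa::pth (note: runas /netonly produces
     the same pair, so this is a lead to triage, not proof on its own).
  2. Logon Type 3 with the NTLM authentication package from a source address
     the account has not been seen on before, which is how a pass-the-hash
     connection to a share looks from the target's side.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields a Security event 4624 record carries."""
    event_id: int
    logon_type: int
    logon_process: str   # "Logon Process" field, e.g. seclogo, NtLmSsp, Kerberos
    auth_package: str    # "Authentication Package" field, e.g. Negotiate, NTLM, Kerberos
    target_user: str     # account the new logon session belongs to
    source_ip: str       # "Source Network Address" ("-" for local logons)
    host: str            # hypothetical field: machine that wrote the event


# Constructed sample records, not real logs.
SAMPLE_EVENTS: List[LogonEvent] = [
    # Ordinary interactive logon on the workstation
    LogonEvent(4624, 2, "User32", "Negotiate", "david", "-", "MS01"),
    # NewCredentials logon as created by sekurlsa::pth: whoami in the new
    # process still shows the original user, network auth uses the injected creds
    LogonEvent(4624, 9, "seclogo", "Negotiate", "julio", "-", "MS01"),
    # Kerberos network logon to the DC from the account's usual workstation
    LogonEvent(4624, 3, "Kerberos", "Kerberos", "david", "10.10.10.5", "DC01"),
    # NTLM network logon to the DC from an address this account never used
    LogonEvent(4624, 3, "NtLmSsp", "NTLM", "david", "10.10.14.22", "DC01"),
    # Unrelated event id, must be ignored
    LogonEvent(4672, 0, "-", "-", "david", "-", "DC01"),
]

# Constructed baseline: source addresses each account normally authenticates from.
BASELINE: Dict[str, Set[str]] = {
    "david": {"10.10.10.5"},
    "julio": {"10.10.10.7"},
}


def detect_pth(events: Iterable[LogonEvent],
               baseline: Dict[str, Set[str]]) -> List[Tuple[str, LogonEvent]]:
    """Return (reason, event) pairs for records matching either heuristic."""
    findings: List[Tuple[str, LogonEvent]] = []
    for ev in events:
        if ev.event_id != 4624:
            continue
        # Heuristic 1: NewCredentials logon via seclogo on the source host
        if ev.logon_type == 9 and ev.logon_process.lower() == "seclogo":
            findings.append(("newcredentials-seclogo", ev))
        # Heuristic 2: NTLM network logon from an address outside the baseline
        elif ev.logon_type == 3 and ev.auth_package.upper() == "NTLM":
            known_sources = baseline.get(ev.target_user, set())
            if ev.source_ip not in known_sources:
                findings.append(("ntlm-network-logon-unexpected-source", ev))
    return findings


def summarize(findings: List[Tuple[str, LogonEvent]]) -> List[str]:
    """Human-readable one-liners, one per finding."""
    return [f"{reason}: user={ev.target_user} host={ev.host} src={ev.source_ip}"
            for reason, ev in findings]


if __name__ == "__main__":
    for line in summarize(detect_pth(SAMPLE_EVENTS, BASELINE)):
        print(line)
```

The baseline is the part that needs tuning in a real environment: seed it from a few weeks of 4624 Logon Type 3 events per account, and treat the seclogo match as a triage lead to correlate with the process that created the logon, since legitimate `runas /netonly` use leaves the same Type 9 / seclogo pair.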
Windows is quite bloated but feature rich, but that also makes it more vulnerable: all these processes and features and convoluted code running and speaking to each other. Glitches and vulnerabilities galore.