Password attacks - pass the hash (pth)

Hi guys been working on the new sections of the password attacks module. Currently is the pass the hash section and stuck on the question " Using David’s hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt."

I have found davids hash. But I dont know what tool or command syntax I need to use to pass this hash to access a shared folder and doesn’t seem to be any information on the module how to do this. I tried looking up some pass the hash tutorials online dealing with SMB. But all the tools and commands I have found so far don’t seem to be working for me on the box in the module. If any one knows what to do let me know.


use “Invoke-theHash” module bro.for detailed steps just see the “Invoke-thehash” topic in the page


If you’re still having trouble, you might have to input the same command to read the file. I kept getting “Tree connect error code 0x250200C0”. Entered the same command a couple more times and it worked. But yea, “Invoke-TheHash” tool is where it’s at.

Just did this today - stick to the example provided and run mimikatz. Then you should look MORE closely at a simple command that shows files. Fee free to DM me if you’d like more help

Yep thanks for the hints I see now that the mimikatz screenshots had command syntax you needed to use.

1 Like

Any tips/suggestions on how you went about finding David’s hash? I dumped all hashes using mimikatz but david’s account was not included in the dump.


Be sure to run a powershell or cmd window as administrator and enter command privilege::debug in the mimikats terminal then use command sekurlsa::logonpasswords.


Goliat te esta buscando, yo que vos me busco un maestro.

1 Like

Hi. Did you manage to solve the last question? " Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt." I can’t make a connection using reverse shell.

you basically just need to follow step by step from the lesson. Sometimes using vpns or firewalls get in the way so just use as direct connection as possbile. Also might have to tweak some of the settings differently in the reverse shell creator than they did in the lesson.

Would you mind to explain it? I don’t get what do you mean by direct connection and different settings. I’ve tried to use another port such as 5000 and using different configuration such as below

I’ve been stuck for a couple of days and this is getting more frustrating every day

1 Like

I mean connect to the lab with no vpn and maybe no firewall. Think I had to change the netcat to nc.exe. but make sure you use the powershell that is already in base64.

Dont listen to the others, the best way to access \DC01\david is with mimikatz. David doesnt have access to DC01 so you cant spawn a reverse shell with invoke-thehash


and it’s the same for \DC01\julio, the only time you need a reverse shell is for the last question

1 Like

Strange, David authenticates but “David does not have write-permission to said-share”:

I’m struggling to mount this shared folder. Tried net use D: \\XXX\X with mimikatz. It does not error but it also doesn’t seem to mount a D: drive. Any tips? Feeling pretty dumb atm.

  1. make sure you run the powershell terminal as administrator if you can

  2. Then run < privilege::debug >

  3. THen run < sekurlsa::logonpasswords >


EDIT: I’ve figured out, the “cmd.exe” you invoke with mimikatz says whoami:Administrator but in fact still runs Under the context of David/Julio, as far as I can tell.

So i completely ignored/dropped the method, believing "it's not working" when it in fact was working.

It’s very confusing but apparently that is how Windows works…

Good grief, lol.

windows is quite bloated but feature rich but that also makes it more vulnerable all these processes and features and consulted code running and speaking to each other. glitches and vulnerabilities galore

I’m definitely not Windows greatest fan.