Password attacks - pass the hash (pth)

Ya its ridiculous like 100+ new vulnerabilites are disclosed every month for windows OS

Isn’t this possible with cme? I logged in via cme smb IP username password and it worked but when I put --lsa at the end, the hash I receive for David is incorrect. Why is that?

Guys For Completing this Module You Should Definitly Have AD Basics Very Clear
i have Completed Module Successfully
my Methodology :-
→ first connected to the machine with evil-winrm using pass the hash tecq
→ then changed the rdp setting to allow rdp using passthehash (command is present in the module)
→ then logened with same user with rdp
–>run mimikatz.exe to dump all hashes from the memory so there are users david and julio so there ntml hashes are provided by mimikatz
–>use any technq to connect from their acc
→ and there is a domain controller we need to execute commands in domain controller . so julio has access to execute commands in domain controller so we need to use passthehash from powershell by giving the julios hash
→ start listner in the administrator account (ms01) using nc.exe
→ note:- use commonly used ports (ex:443)
–>note:- ip of domain controller is which is provided by htb in module
→ use powershell#3 base64 rev shell from
→ don’t quit its easy be presistent
:slight_smile: All The Best

1 Like

Could anybody explain why I can’t use julios Hash I obtained via CME?
I tried to connect with


But that didn’t work. Why is that?

may have used a different hash protocol make sure you use ntlm hash. Also want to use mimikatz tool for both extracting the hash and passing the hash to open a shell…

I’m confused by the fact that the module won’t tell me how to extract the hashes, or did I not see it? There’s no mimkatz command for extracting all hashes.

there is a Mimikatz module named “sekurlsa::logonpasswords”. On Youtube you can watch how to use it.

think the commands will actually be on the screenshots of the mimikatz tool but not typed out in the module

any help or advice for this Use john’s TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \DC01.inlanefreight.htb\john ? i cannot solve it

module: password attacks
sec:pass the ticket

was not able to obtain a reverse shell i had to live off the land in order to secure the flag. hope this helps :crazy_face:

For those struggling to get c:\julio\flag.txt in the last question, use a more common port (e.g, 443).

Make sure your PowerShell window running netcat is admin.

Another hint for the c:\julio\flag.txt that I’ve just spent 2 hours on.

If everything look good (you have the right syntax for Invoke-WMIExec, the proper hash for Julio and you get a “[+] Command executer with process ID (…)”) BUT you’re not getting your reverse shell, try to think about where you’re sending your shell.

Or to put it differently, DC01 is only reachable through MS01; that should tell you something about the IP you need to send your reverse shell to.

'nuff said. :slight_smile:

Edit: no, I’m not talking about your Kali/ParrotOS IP.

(I feel soooo dumb after realizing what my mistake was)

I set up two xfree RDP one under ms01/admin account and the other under julio’s account. I execute the invoke WMI under julio’s account and have the nc listener on the ms01 account, questions is am I right track? still unable to get a rev. shell. and hints will be grateful.

Hint for living off the land?
I’m stuck on finding flag.txt. I spawned two RDP sessions one as ms01 and the other as julio. launching Invoke under julios account and having the nc listener in the admin account. Am i on right track? cannot spawn rev shell.

No need for a second xfreerdp session. Just use the admin one, as you’re executing code on the DC as julio. Being julio on MS01 wouldn’t change anything. You just need one powershell session to send your reverse shell and a cmd/powershell session to catch it with nc.exe.

Troubleshoot your issue:

  • Do you get “[+] Command executed with process ID (…)” with your WMIExec, using a simple -Command "whoami" ? (you won’t get the usual response, just the confirmation the command was executed). If not, you’re not there yet. Reread the lesson, you’re doing something wrong.

  • If you do, ask yourself why DC01 is not reachable directly from your Kali/Parrot. MS01 acts as a pivot, here. What should you look for when using a pivot to reach an internal network? IPs, maybe? Study the result of ipconfig on MS01. Then list all the IPs you know for this exercice. Something should become obvious.

Feel free to PM me if you need more hints.

sent you a PM, thank you for your time Argon.

Because it’s not the hash you get when running mimikatz. Try running mimikatz for the hash. Lots of examples on this page to get you started.

You don’t need to map the drive. Just cmd.exe.

I was able to able to get the flag.txt by using the commands in the lesson.