Pass the NTLM hash
winexe -U jenkins/administrator //10.129.1.109 cmd.exe
tried pth-winexe -U jenkins/administrator //10.129.1.109 cmd.exe
Paste the NTLM hash when prompted. (This may be the go-to!)
mimikatz
At this point, we have a new PowerShell session that allows us to execute commands as Jeff_Admin.
Let's list the cached Kerberos tickets with klist:
No Kerberos tickets have been cached, but this is expected since the account has not performed an interactive login. However, let's generate a TGT by authenticating to a network share on the domain controller with net use:
Now run .\PsExec.exe \\dc01 cmd.exe
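The two procedures in these notes leave a recognisable trace in Windows event logs: the pass-the-hash path (winexe / pth-winexe / PsExec) shows up as an NTLM network logon followed by a remote-execution service being installed, and the mimikatz path shows up as a new-credentials logon session followed by a TGT request that the domain controller has to satisfy with RC4 because only the NTLM hash was available. The detector below is an added example written from the defender's side, not code from these notes or from any of the tools named; the event records are constructed, simplified dicts using the Windows event XML field names, the ten-minute correlation window and the service-name list are assumptions, and `runas /netonly` is included because it produces the same LogonType 9 logon without the RC4 ticket and must not be escalated.

```python
"""Toy log-correlation detector for pass-the-hash remote execution and an
overpass-the-hash style logon. Added example; event records are constructed,
simplified copies of Windows Security/System log fields, not real captures."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow the event XML.
SAMPLE_EVENTS = [
    # Ordinary interactive Kerberos logon: benign.
    {"EventID": 4624, "Time": "10:00", "Computer": "CLIENT01", "TargetUserName": "alice",
     "LogonType": "2", "LogonProcessName": "User32", "AuthenticationPackageName": "Kerberos"},
    # Admin using runas /netonly: also LogonType 9 + seclogo, but an AES TGT follows.
    {"EventID": 4624, "Time": "10:02", "Computer": "ADMINWS", "TargetUserName": "bob",
     "LogonType": "9", "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4768, "Time": "10:03", "Computer": "DC01", "TargetUserName": "bob",
     "TicketEncryptionType": "0x12"},
    # New-credentials logon built from a hash, then a TGT requested with RC4 (0x17)
    # in a domain that otherwise issues AES tickets.
    {"EventID": 4624, "Time": "10:05", "Computer": "CLIENT01", "TargetUserName": "jeff_admin",
     "LogonType": "9", "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4768, "Time": "10:06", "Computer": "DC01", "TargetUserName": "jeff_admin",
     "TicketEncryptionType": "0x17"},
    # NTLM network logon to DC01 followed by a remote-exec service install.
    {"EventID": 4624, "Time": "10:10", "Computer": "DC01", "TargetUserName": "administrator",
     "LogonType": "3", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM"},
    {"EventID": 7045, "Time": "10:10", "Computer": "DC01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # NTLM network logon with no service install: noisy on its own, not flagged.
    {"EventID": 4624, "Time": "10:20", "Computer": "FILE01", "TargetUserName": "carol",
     "LogonType": "3", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM"},
]

WINDOW = timedelta(minutes=10)                    # assumed correlation window
REMOTE_EXEC_SERVICES = {"psexesvc", "winexesvc"}  # PsExec and winexe service names (assumed list)
RC4_HMAC = "0x17"                                 # Kerberos etype RC4-HMAC


def _t(ev):
    """Parse the constructed HH:MM timestamp into a comparable datetime."""
    return datetime.strptime(ev["Time"], "%H:%M")


def overpass_the_hash_alerts(events):
    """LogonType 9 via seclogo/Negotiate on its own is only suspicious (runas
    /netonly looks identical); escalate when the same account requests an RC4
    TGT within the window, since a hash-only logon cannot use AES keys."""
    alerts = []
    newcred = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == "9"
               and e["LogonProcessName"].lower() == "seclogo"
               and e["AuthenticationPackageName"] == "Negotiate"]
    for lg in newcred:
        rc4 = any(e["EventID"] == 4768 and e["TargetUserName"] == lg["TargetUserName"]
                  and e.get("TicketEncryptionType") == RC4_HMAC
                  and timedelta(0) <= _t(e) - _t(lg) <= WINDOW for e in events)
        alerts.append({"rule": "overpass-the-hash", "user": lg["TargetUserName"],
                       "host": lg["Computer"], "severity": "high" if rc4 else "low"})
    return alerts


def pass_the_hash_exec_alerts(events):
    """NTLM network logon (type 3) on a host that then installs a PsExec/winexe
    style service within the window: the remote-exec-after-PtH shape."""
    alerts = []
    ntlm = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "NTLM"]
    for lg in ntlm:
        svc = [e for e in events if e["EventID"] == 7045 and e["Computer"] == lg["Computer"]
               and e["ServiceName"].lower() in REMOTE_EXEC_SERVICES
               and timedelta(0) <= _t(e) - _t(lg) <= WINDOW]
        if svc:
            alerts.append({"rule": "pth-remote-exec", "user": lg["TargetUserName"],
                           "host": lg["Computer"], "severity": "high",
                           "service": svc[0]["ServiceName"]})
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return overpass_the_hash_alerts(events) + pass_the_hash_exec_alerts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields three alerts: a low-severity one for bob (new-credentials logon, AES ticket, so most likely runas /netonly), a high-severity one for jeff_admin (new-credentials logon followed by an RC4 TGT), and a high-severity one for the NTLM logon on DC01 that was immediately followed by the PSEXESVC install; carol's bare NTLM logon is not flagged. The 4768 events live on the domain controller while the 4624/7045 events live on the member host, so in practice the correlation needs both log sources in the same pipeline.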