Skip to content

FruityC2 Pass The Hash

Jump to bottom
xtr4nge edited this page Jan 22, 2017 · 16 revisions

On this tutorial, we will see how to jump from a Local admin (john) to a Domain admin (Administrator) using Pass-The-Hash (Mimikatz). Every time that credentials and hashes are dumped using inbuilt commands on FruityC2, these remains stored in the Credentials section. These Credentials will be available for all the Team members connected to FruityC2.

In this example, I’m interacting with an agent running as a Local admin (john) on WSTATION-A. We can execute a ping to the DC server just to confirm that is available. This server is the domain controller on my Lab network.

Command: shell ping dc



I tried to list the files on \\DC\C$, but this user is just a Local admin for WSTATION-A, and does not have any privileges on the network, so, It cannot list the files.

Command: ls \\DC\C$



But, john is a Local admin on WSTATION-A, so we can execute Mimikatz to dump credentials and hashes, to then, see if there is any credentials that we can use on the network. You can see in the image that Mimikatz was successfully executed.

Command: mimikatz



After dumping the credentials with Mimikatz and/or hashdump (you needs elevated privileges to run these commands), the credentials will be stored in FruityC2. If you open Credentials from the main menu, you will see all of them.

We can see in the list that we have the password/hash for a user called Administrator, for the domain THEXCOMPANY (the domain on the Lab network), yes ok, we also have the password (x.123456), but for this example we will use the hash.



If you click on the hash (Credentials/Password window), FruityC2 will populate “Command >_” input with all the values required to execute PTH using Mimikatz.

Command: mimikatz sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH



After the command is executed, we get the PID of the created process as THEXCOMPANY\Administrator, for this example, the PID is 5520.



Using steal_token and the PID obtained from the previous command, we can impersonate the user Administrator.

Command: steal_token 5520



So lets try again listing the files on \\DC\C$

Command: ls \\DC\C$


Success! We can now interact with the DC server as Domain Admin (THEXCOMPANY\Administrator user).

Use revtoself command to reverse token privileges to the original state (user john).

Command: revtoself



FruityC2 Client

Home
Main
Sections
Commands
Data
Alerts
Team Chat
Code Generator
Profiles

Tutorials

FruityC2 101
FruityC2 Web Delivery (HTA)
FruityC2 Pass-The-Hash
FruityC2 Proxy
FruityC2 Import Modules PS

Clone this wiki locally