Windows: Pass The Hash - WMIExec

overview

A Kali GUI machine and a target machine running a vulnerable WMI service are provided to you. The IP address of the target machine is provided in a text file named target placed on the Desktop of the Kali machine (/root/Desktop/target).

Your task is to fingerprint the WMI service using the tools available on the Kali machine and then use the WMIExec tool to perform post-exploitation through the WMI service. WMIExec uses a similar approach to SMBExec, but it executes commands through WMI. It also generates fewer event logs.

The following NTLM hash may be used to access the service:

| Administrator User NTLM Hash |
| --- |
| 5c4d59391f656d5958dab124ffeabc20 |

Objective: Exploit the target machine using the provided NTLM hash and retrieve the flag!

Instructions:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run “ip addr” to know the values of X and Y.

  • The IP address of the target machine is mentioned in the file “/root/Desktop/target”

  • Do not attack the gateways located at IP addresses 192.V.W.1 and 10.10.X.1
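WMIExec generates fewer event logs than SMBExec, but not none. The following is an added detection example, not part of the lab or of any tool's own code: it flags cmd.exe started by WmiPrvSE.exe with output redirected to the ADMIN$ share and links it to a preceding NTLM network logon. It assumes the Impacket implementation's default command line, command-line auditing for event 4688, and simplified, hypothetical field names; the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the lab): simplified Windows Security log
# records for 4624 (logon) and 4688 (process creation with command-line auditing).
EVENTS = [
    {"id": 4624, "time": "2024-01-01T10:00:00", "logon_type": 3,
     "auth_package": "NTLM", "user": "Administrator", "src_ip": "10.10.0.5"},
    {"id": 4688, "time": "2024-01-01T10:00:02", "user": "Administrator",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1704103202.12 2>&1"},
    {"id": 4688, "time": "2024-01-01T11:30:00", "user": "svc_backup",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c backup.bat"},
]

# Assumption: output is redirected to a "__<timestamp>" file on the ADMIN$ share.
REDIRECT = re.compile(r"1>\s*\\\\[^\\]+\\ADMIN\$\\__\d+", re.I)

def find_wmiexec(events, window=timedelta(seconds=60)):
    """Alert on cmd.exe children of WmiPrvSE.exe that redirect output to ADMIN$,
    attaching the source of any NTLM network logon by the same user just before."""
    logons = [(datetime.fromisoformat(e["time"]), e) for e in events
              if e["id"] == 4624 and e.get("logon_type") == 3
              and e.get("auth_package") == "NTLM"]
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        if not e["parent"].lower().endswith("wmiprvse.exe"):
            continue
        if not e["image"].lower().endswith("cmd.exe"):
            continue
        if not REDIRECT.search(e["cmdline"]):
            continue
        t = datetime.fromisoformat(e["time"])
        sources = [l["src_ip"] for lt, l in logons
                   if l["user"] == e["user"] and timedelta(0) <= t - lt <= window]
        alerts.append({"time": e["time"], "user": e["user"],
                       "cmdline": e["cmdline"], "ntlm_logon_from": sources})
    return alerts

if __name__ == "__main__":
    for alert in find_wmiexec(EVENTS):
        print(alert)
```

An NTLM network logon alone is common in many environments, so the process-creation pattern is the primary signal here and the logon only adds the source address.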

solutions

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-2376.pdf
