Pass The Hash: Privilege Escalation with Invoke-WMIExec

Execution

If you have an NTLMv2 hash of a local administrator on a box ws01, it's possible to pass that hash and execute code with privileges of that local administrator account:

Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username administrator -command hostname

Below shows how the user low is not a local admin, passes the hash of the local administrator account on ws01 and executes a command successfully:

RID != 500 - No Pass The Hash for You

Say you have a hash of the user spotless who you know is a local admin on ws01:

...but when you attempt passing the hash, you get access denied - why is that?

It may be because hashes for accounts that are not RID=500 (not default administrator accounts) are stripped of some privileges during the token creation.

If the target system you are passing the hash to, has the following registry key/value/data set to 0x1, pass the hash will work even for accounts that are not RID 500:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username spotless -command hostname

References

Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - harmj0yharmj0y

PreviousUnquoted Service Paths NextEnvironment Variable $Path Interception

Last updated 5 years ago