Well you obviously need admin privios on the target computer to give it commands that you want if you are not using a trojan on it. So they took the password hash and cracked it and then an open service on the server like Telnet or whatever, then used that port to establish a connection that can be used to give commands. Second one, you can see the internal network if you can see the Route Table, one of those routes in the table should contain the internal IP range.