Management


The presence of the MANAGEMENT$ host was suspected from the very beginning, during the DNS enumeration. Additionally, it was confirmed to be present, enumerated from multiple sources. While it was suspected to be an internal host due to its unreachable nature from Kali, I was hoping that gaining a foothold would make a difference.

Upon gaining the foothold, I discovered an IP address (10.10.10.2), dynamically allocated to the ARP table as the default gateway, that appears to be within the same subnet as the MANAGEMENT$ host.

*evil-winrm* ps c:\Users\support\Documents> ping -n 2 management.support.htb
 
pinging management.support.htb [10.10.10.4] with 32 bytes of data:
reply from 10.10.11.174: Destination host unreachable.
reply from 10.10.11.174: Destination host unreachable.
 
ping statistics for 10.10.10.4:
    packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
*evil-winrm* ps c:\Users\support\Documents> ping -n 2 10.10.10.4
 
pinging 10.10.10.4 with 32 bytes of data:
reply from 10.10.11.174: Destination host unreachable.
reply from 10.10.11.174: Destination host unreachable.
 
ping statistics for 10.10.10.4:
    packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

However, it would appear that I am still unable to reach the MANAGEMENT$ host from the target system.

*evil-winrm* ps c:\Users\support\Documents> $Cred = New-Object System.Management.Automation.PSCredential("SUPPORT\support", (ConvertTo-SecureString "Ironside47pleasure40Watchful" -AsPlainText -Force))
 
*evil-winrm* ps c:\Users\support\Documents> Invoke-Command -Computer Management -Credential $Cred -ScriptBlock { whoami }
connecting to remote server management failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
 
    + categoryinfo          : OpenError: (Management:String) [], PSRemotingTransportException
    + fullyqualifiederrorid : WinRMOperationTimeout,PSSessionStateBroken

A re-attempt was made with PowerShell’s Invoke-Command cmdlet, to no avail.

*evil-winrm* ps c:\Users\support\Documents> ping -n 2 10.10.10.2
 
pinging 10.10.10.2 with 32 bytes of data:
reply from 10.10.10.2: bytes=32 time<1ms TTL=64
reply from 10.10.10.2: bytes=32 time<1ms TTL=64
 
ping statistics for 10.10.10.2:
    packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

However, I am able to reach the 10.10.10.2 host.
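
In the two failed pings above, Windows reports "Received = 2, Lost = 0 (0% loss)" even though every reply is a "Destination host unreachable" message from 10.10.11.174 rather than an echo reply from 10.10.10.4, so the statistics line alone cannot be used to judge reachability. The following is an added example, not part of the original write-up: a PowerShell function that classifies captured ping output by who replied and with what. The function name `Get-PingVerdict` and the sample arrays are assumptions made for illustration.

```powershell
# Added example (illustrative): classify captured Windows ping output.
function Get-PingVerdict {
    param(
        [Parameter(Mandatory)][string[]]$Lines,  # raw ping output, one line per element
        [Parameter(Mandatory)][string]$Target    # address that was pinged
    )
    $echo = 0; $unreachable = 0; $timedOut = 0
    $responders = New-Object 'System.Collections.Generic.HashSet[string]'

    foreach ($line in $Lines) {
        # -match is case-insensitive, so lower-cased captures parse as well
        if ($line -match '^\s*reply from (?<src>[0-9.]+): (?<rest>.+)$') {
            $src  = $Matches['src']
            $rest = $Matches['rest']
            [void]$responders.Add($src)
            # Only an echo reply sent by the target itself proves reachability
            if ($src -eq $Target -and $rest -match '^bytes=\d+') { $echo++ }
            elseif ($rest -match 'unreachable') { $unreachable++ }
        }
        elseif ($line -match 'request timed out') { $timedOut++ }
    }

    [pscustomobject]@{
        Target      = $Target
        EchoReplies = $echo
        Unreachable = $unreachable
        TimedOut    = $timedOut
        Responders  = @($responders)   # who actually answered
        Reachable   = ($echo -gt 0)    # ignores the "Received" counter entirely
    }
}

# Constructed samples, shaped like the two captures above
$blocked = @(
    'reply from 10.10.11.174: Destination host unreachable.',
    'reply from 10.10.11.174: Destination host unreachable.',
    '    packets: Sent = 2, Received = 2, Lost = 0 (0% loss),'
)
$open = @(
    'reply from 10.10.10.2: bytes=32 time<1ms TTL=64',
    'reply from 10.10.10.2: bytes=32 time<1ms TTL=64'
)
Get-PingVerdict -Lines $blocked -Target '10.10.10.4'
Get-PingVerdict -Lines $open    -Target '10.10.10.2'
```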