If WinRM is installed (which it usually is in a network where administrators manage computers remotely), we have an HTTP listener on port 5985 and an HTTPS listener on port 5986.
If we already have admin rights over the second host, we can open a PowerShell remoting session and copy files through it:
Create a new session:
PS C:\htb> $Session = New-PSSession -ComputerName DATABASE01
Copy a file from our localhost to the DATABASE01 session:
PS C:\htb> Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
Copy DATABASE.txt from the DATABASE01 session to our localhost:
PS C:\htb> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
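The same PSSession copy, as an added example that is not part of the original notes, wrapped so that the SHA256 of the file is compared on both ends after the transfer. A copy that is truncated or altered in transit then fails loudly instead of silently leaving a bad file behind. The hostname DATABASE01 and both file paths are taken from the notes above; the Copy-VerifiedFile function name and the parameter names are assumptions for this example.

```powershell
# Added example (not from the original notes). Assumes WinRM is reachable on
# DATABASE01 and that the caller is a local administrator there.
# Copies a file in either direction over a PSSession and verifies the SHA256
# hash on source and destination so a bad transfer is detected.

function Copy-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $LocalPath,
        [Parameter(Mandatory)] [string] $RemotePath,
        [ValidateSet('ToRemote', 'FromRemote')] [string] $Direction = 'ToRemote'
    )

    # Helper run inside the session: hash the remote file by path.
    $remoteHashBlock = { param($p) (Get-FileHash -Path $p -Algorithm SHA256).Hash }

    $Session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        if ($Direction -eq 'ToRemote') {
            $localHash = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
            Copy-Item -Path $LocalPath -ToSession $Session -Destination $RemotePath -ErrorAction Stop
            $remoteHash = Invoke-Command -Session $Session -ScriptBlock $remoteHashBlock -ArgumentList $RemotePath
        }
        else {
            $remoteHash = Invoke-Command -Session $Session -ScriptBlock $remoteHashBlock -ArgumentList $RemotePath
            Copy-Item -Path $RemotePath -FromSession $Session -Destination $LocalPath -ErrorAction Stop
            $localHash = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
        }

        if ($localHash -ne $remoteHash) {
            throw "Hash mismatch after copy: local=$localHash remote=$remoteHash"
        }
        Write-Host "Transfer verified ($Direction): $remoteHash"
        return $remoteHash
    }
    finally {
        # Always tear the session down, even when the copy or hash check fails.
        Remove-PSSession -Session $Session
    }
}

# Usage mirroring the two commands in the notes:
Copy-VerifiedFile -ComputerName DATABASE01 -LocalPath 'C:\samplefile.txt' `
    -RemotePath 'C:\Users\Administrator\Desktop\samplefile.txt' -Direction ToRemote

Copy-VerifiedFile -ComputerName DATABASE01 -LocalPath 'C:\DATABASE.txt' `
    -RemotePath 'C:\Users\Administrator\Desktop\DATABASE.txt' -Direction FromRemote
```

Note that Copy-Item with -ToSession/-FromSession requires PowerShell 5.0 or later on both ends; on older hosts the copy has to go through Invoke-Command with the file contents passed as an argument, and the hash check above still applies.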
Using RDP (xfreerdp or rdesktop) from our Linux machine, we can either copy files directly or mount a local folder into the session.
Mounting a Linux Folder using rdesktop:
Momothechi@htb[/htb]$ rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
Mounting a Linux Folder using xfreerdp:
Momothechi@htb[/htb]$ xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
Now on the compromised machine we have a new folder \\tsclient\linux under Network; use it to transfer files to and from the RDP session.
Alternatively, from Windows the native mstsc.exe Remote Desktop client can be used:
-> Local Resources
-> More
-> Drives
After selecting the drive, we can interact with it in the remote session that follows.