https://tryhackme.com/room/lateralmovementandpivoting

Task 1 - Introduction

Connecting to the Network

Configure DNS by adding THMDC's IP address as a DNS server for your VPN connection: Network Manager > Advanced Network Configuration > Your Connection > IPv4 Settings


Then restart NetworkManager so the new DNS setting takes effect (check with `nslookup thmdc.za.tryhackme.com` afterwards)

sudo systemctl restart NetworkManager

Requesting Your Credentials

For SSH access, request a set of AD credentials from http://distributor.za.tryhackme.com/creds, then log in to the jump host (the doubled backslash is needed so the shell passes a single `\` in the DOMAIN\user form):

ssh za.tryhackme.com\\<AD_Username>@thmjmp1.za.tryhackme.com

Task 2 - Moving Through the Network

Task 3 - Spawning Processes Remotely

PsExec

PsExec - Windows Sysinternals

To run PsExec we need to specify the remote host and the username and password of an account with local administrator rights on it (Administrator here); `-i` runs the process interactively on the target. PsExec needs SMB (TCP 445) and the ADMIN$ share: it uploads psexesvc.exe there and starts it as a service, which leaves a service-creation artifact on the target.

psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe

Remote Process Creation Using WinRM

To run a process on a remote host over WinRM (TCP 5985 for HTTP, 5986 for HTTPS) from the command line, use winrs; the account must be a local administrator or a member of Remote Management Users on the target

winrs.exe -u:Administrator -p:Mypass123 -r:target cmd

We can achieve the same from Powershell, but to pass different credentials, we will need to create a PSCredential object:
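As an added example (not taken from the room's own content), the following builds the PSCredential object and uses it for both a one-shot remote command and an interactive session. The host name `TARGET` and the credentials are placeholders, as is the `Test-WSMan` reachability check before connecting:

```powershell
# Added example: PSCredential-based remoting over WinRM.
# 'TARGET', 'Administrator' and 'Mypass123' are placeholders, not room values.
$username = 'Administrator'
$password = 'Mypass123'

# The PSCredential constructor requires a SecureString, so convert the
# plaintext first (in real use prefer Get-Credential to avoid a plaintext password in scripts).
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username, $securePassword)

# Sanity check: confirm the WinRM listener on the target answers before trying to authenticate.
Test-WSMan -ComputerName TARGET

# Non-interactive: run a script block remotely, equivalent to winrs -r:TARGET <command>.
Invoke-Command -ComputerName TARGET -Credential $credential -ScriptBlock {
    whoami
    hostname
}

# Interactive: open a remote PowerShell session, equivalent to winrs -r:TARGET cmd.
Enter-PSSession -ComputerName TARGET -Credential $credential
```

Invoke-Command is the better choice when you only need output back (it serialises the results to the caller); Enter-PSSession is for working on the host interactively.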