Run the psexec in meterpreter for accessing to 10.130.9.22.By exploring the environment in 10.130.9.22, suddenly found a subnet 10.130.13.119 in the victim computer. So here is the tactic to pivot to the subnet. Interface 6 Name : AWS PV Network Device #1Hardware MAC : 02:ba:b3:20:ec:2cMTU : 9001IPv4 Address : 10.130.13.119IPv4 Netmask : 255.255.255.0IPv6 Address : fe80::f574:c767:4549:475aIPv6 Netmask : ffff:ffff:ffff:ffff:: Interface 8 Name : AWS PV Network Device #0Hardware MAC : 02:66:c3:d8:7b:1aMTU : 9001IPv4 Address : 10.130.9.22IPv4 Netmask : 255.255.255.0IPv6 Address...

Key Management Service >awslocal kms list-keys { "KeyId": "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc", "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/f0579746-10c3-4fd1-b2ab-f312a5a0f3fc" } Check key details >awslocal kms describe-key --key-id 0b539917-5eff-45b2-9fa1-e13f0d2c42ac { "KeyMetadata": { "AWSAccountId": "000000000000", "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "Arn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "CreationDate": 1609757848, "Enabled": false, "Description": "Encryption and Decryption", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Disabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "CustomerMasterKeySpec": "RSA_4096", "EncryptionAlgorithms": [ "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256" ] } } Decrypt the servers.enc by the key(in AWS KMS). >awslocal kms decrypt --key-id 804125db-bdf1-465a-a058-07fc87c0fad0 --ciphertext-blob fileb://servers.enc --encryption-algorithm RSAES_OAEP_SHA_256 { "KeyId": "arn:aws:kms:us-east-1:000000000000:key/804125db-bdf1-465a-a058-07fc87c0fad0", "Plaintext": "Decrypted Plaintext", "EncryptionAlgorithm": "RSAES_OAEP_SHA_256" }...