Using nmap I am able to found 2 open ports, 80 and 5985.

First thing I see is the URL, it looks like it is refering to a local file.
Using path traversal, I found who I am able to access other local files in the system.

Using this vulnerability, I will be able to access internal services of the machine, and the windows, will send the NTLM hash, who can be intercepted with respondes.
responder -I tun0
Using the LFI vulnerability, I access to a smb service.
Responder has intercepted the NTLM hash.

Using John the Ripper, Im able to crack the password hash.
john --wordlist=/usr/share/wordlists/rockyou.txt john.txt

Using this password, I can obtain a shell using evil-winrm.
evil-winrm -u Administrator -p badminton -i 10.129.32.194
Using this shell I'm able to found the flag.
