Pivoting to Juliette

Basic windows enumeration shows that the user Juliette is also on the box.

Exploring the contents in htdocs, we try to see if there are any improperly stored passwords within configuration files.

Leaked credentials from JSON

Seems like Juliette loves to order pizzas. Remember that function is disabled in the admin portal?

We are in luck! Juliette's data file still contains her password!

Using this password, we can SSH into her account and obtain user.txt.