One Day Sec

What is the purpose of enabling the dcui user and remote SSH on VMware ESXi when planning lateral movement to a Windows VM?

By default, the `dcui` user is an administrator but cannot log in remotely. An attacker sets a password for `dcui`, modifies the shell in `/etc/passwd` from `/sbin/nologin` to `/bin/sh`, and enables SSH with `vim-cmd hostsvc/enable_ssh`. This creates a persistent remote access channel to the ESXi host, allowing the attacker to repeatedly manage snapshots and extract credentials without needing the initial foothold. This step is crucial for maintaining access during the lateral movement process, as detailed in the Penetration Techniques article.
Tags: dcui user, ESXi SSH, remote access, persistence, lateral movement, ESXi administration
