search

Skills Assessment - Password Attacks

Betty Jayde works at Nexura LLC. We know she uses the password Texas123!@# on multiple websites, and we believe she may reuse it at work. Infiltrate Nexura's network and gain command execution on the domain controller. The following hosts are in-scope for this assessment:

Host
IP Address

DMZ01

10.129.*.* (External), 172.16.119.13 (Internal)

JUMP01

172.16.119.7

FILE01

172.16.119.10

DC01

172.16.119.11

hashtag
Pivoting Primer

The internal hosts (JUMP01, FILE01, DC01) reside on a private subnet that is not directly accessible from our attack host. The only externally reachable system is DMZ01, which has a second interface connected to the internal network. This segmentation reflects a classic DMZ setup, where public-facing services are isolated from internal infrastructure.

To access these internal systems, we must first gain a foothold on DMZ01. From there, we can pivot โ€” that is, route our traffic through the compromised host into the private network. This enables our tools to communicate with internal hosts as if they were directly accessible. After compromising the DMZ, refer to the module cheatsheet for the necessary commands to set up the pivot and continue your assessment.

  • What is the NTLM hash of NEXURA\Administrator?

We have onlye one cred, so... try to scan via nmap the ip -->

nmap -p- --open -sCV -Pn -n 10.129.234.116

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-29 07:20 CST
Nmap scan report for 10.129.234.116
Host is up (0.038s latency).
Not shown: 64627 closed tcp ports (reset), 907 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
|   256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_  256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Now try to do bruteforce via ssh with hydra, but we havent the username, only have his full name: Betty Jayde. Use user_anarchy for make a username dicctionary and do bruteforce -->

We can see another connections in the ifconfig but... after searching something interesting for a while, we can found creds into the file .bash_history -->

hwilliam : dealer-screwed-gym1

We can see too the FILE01, and the information provided is -->

Host
IP Address

DMZ01

10.129.*.* (External), 172.16.119.13 (Internal)

JUMP01

172.16.119.7

FILE01

172.16.119.10

DC01

172.16.119.11

We need do a little pivoting using proxychains. Now Iโ€™ll check the configuration of proxychains in my machine kali to ensure socks4 127.0.0.1 9050 is present under the [ProxyList] section:

Now, connect via ssh with the user jbetty again but using the flag -D to use the proxychain -->

Now Iโ€™ll scan the FILE01 machine routing the traffic through proxychains (in us kali machine):

Nice, try to connect via smb using smbclient with the creds founded -->

NOTE: as the company is called Nexura, I assume that the Domain name is called nexura

Iโ€™ll connect to the HR share to inspect its contents:

Inspecting Archive I found the following:

Iโ€™ll get it and try to crack it using jhon because it is a psafe3 file (Password Safe v3) Fristly, we need extract the password hash -->

Now we can try to crack it -->

password : michaeljackson

NICE XDD so... it is very similar than a keepass, login in this .psafe3 -->

Note: Install it -->

sudo apt update sudo apt install passwordsafe

JUMMM DELICIOUSSSSS. We has here users credentialsssss

hashtag
Credentials Obtained

DMZ01

jbetty : xiao-nicer-wheels5

Domain Users

bdavid : caramel-cigars-reply1

stom : fails-nibble-disturb4

hwilliam : warned-wobble-occur8

As we have seen that the machine DMZ01 has ip to the 172.16.119.X, continue with the pivoting and make nmaps to the others ips -->

We can se the por 3389 for RDP, so... try to connect using the credentials obtained.

Once we are connect to the machine, can get three file .pcap -->

the one that catches my attention the most is the dhcp.pcap, examite it using wireshark but... there are a rabbit hole so... now try to dump the LSASS -->

This requires us to:

  1. Open Task Manager

  2. Select the Processes tab

  3. Find and right click the Local Security Authority Process

  4. Select Create dump file

Now we need create a folder and make a new and best command for xfreerdp3 to create the share/folder connections -->

Note: Set well your directory

So... now we need open a new powershell and share this file, like this ->

Once we have the file into us kali machine, use pypykatz tool to extact the info ( for more info read it: https://eldeim.gitbook.io/brain_fuck/checklists/certifications/htb-cpts/password-attacks/extracting-passwords-from-windows-systems/attacking-lsass#lab-questionsarrow-up-right)

Note: git clone the tool

NICE! We has another credential --> stom:calves-warp-learning1 , there is of DC01, scan it -->

Connect via RDP to this ip and share the folder, just in case

We can start with looking at the local group membership using the command:

This is practically a victory beacuse we are in admin group, but we need the NTML hash of admin. How we are in admin group, can dump the NTDS and get the hashes -->

Note: Open a PowerShell as Administrador

First, Iโ€™ll capture the system registry key:

Now Iโ€™ll use vssadmin to create a Volume Shadow Copy of the C: drive:

Iโ€™ll now copy the NTDS.dit:||

Iโ€™ll now copy those files to the shared file of my machine and then extract the hashes in my machine:

Extract / decript using impacket-secretdump -->

PreviousPass the CertificateNextAttacking Common Services

Last updated