Skills Assessment - Password Attacks
Betty Jayde works at Nexura LLC. We know she uses the password Texas123!@# on multiple websites, and we believe she may reuse it at work. Infiltrate Nexura's network and gain command execution on the domain controller. The following hosts are in-scope for this assessment:
DMZ01: 10.129.*.* (External), 172.16.119.13 (Internal)
JUMP01: 172.16.119.7
FILE01: 172.16.119.10
DC01: 172.16.119.11
Pivoting Primer
The internal hosts (JUMP01, FILE01, DC01) reside on a private subnet that is not directly accessible from our attack host. The only externally reachable system is DMZ01, which has a second interface connected to the internal network. This segmentation reflects a classic DMZ setup, where public-facing services are isolated from internal infrastructure.
To access these internal systems, we must first gain a foothold on DMZ01. From there, we can pivot, that is, route our traffic through the compromised host into the private network. This enables our tools to communicate with internal hosts as if they were directly accessible. After compromising the DMZ, refer to the module cheatsheet for the necessary commands to set up the pivot and continue your assessment.
What is the NTLM hash of NEXURA\Administrator?
We have only one credential, so... start by scanning the IP with nmap -->
nmap -p- --open -sCV -Pn -n 10.129.234.116
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-29 07:20 CST
Nmap scan report for 10.129.234.116
Host is up (0.038s latency).
Not shown: 64627 closed tcp ports (reset), 907 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_ 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
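The scan output above is nmap's "normal" format, which is easy to read but awkward to track over time. As an added example (not part of the original writeup), here is a small Python parser that turns that exact output into structured records and compares the SSH host-key fingerprints against a previously recorded set, the kind of check a defender runs to spot an unexpected host-key change. The "known good" fingerprints in the demo are constructed; only the scan text itself comes from this page.

```python
import re
from dataclasses import dataclass, field

# Sample input: the nmap normal-format output from the DMZ01 scan on this page.
NMAP_OUTPUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-29 07:20 CST
Nmap scan report for 10.129.234.116
Host is up (0.038s latency).
Not shown: 64627 closed tcp ports (reset), 907 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_ 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class HostReport:
    address: str
    services: list = field(default_factory=list)
    hostkeys: dict = field(default_factory=dict)  # key type -> fingerprint


TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOSTKEY_RE = re.compile(r"^\|_?\s*(\d+)\s+([0-9a-f:]+)\s+\((\w+)\)\s*$")


def parse_nmap(text: str) -> list:
    """Parse nmap normal output into one HostReport per 'Nmap scan report for' block."""
    reports, current = [], None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            current = HostReport(m.group(1))
            reports.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current.services.append(Service(int(port), proto, state, name, version.strip()))
            continue
        m = HOSTKEY_RE.match(line)
        if m:
            current.hostkeys[m.group(3)] = m.group(2)
    return reports


def open_services(reports: list) -> list:
    """Flatten to (address, port/proto, service, version) rows for an inventory table."""
    return [(r.address, f"{s.port}/{s.proto}", s.name, s.version)
            for r in reports for s in r.services if s.state == "open"]


def hostkey_drift(report: HostReport, expected: dict) -> list:
    """Key types whose fingerprint differs from the recorded one (an SSH host-key change)."""
    return sorted(k for k, fp in expected.items() if report.hostkeys.get(k) != fp)


if __name__ == "__main__":
    reports = parse_nmap(NMAP_OUTPUT)
    for row in open_services(reports):
        print(*row)
    # Constructed "known good" record: the ED25519 entry deliberately differs to show drift.
    known = {"RSA": "71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b", "ED25519": "00:" * 15 + "00"}
    print("changed host keys:", hostkey_drift(reports[0], known))
```

The regexes tolerate the collapsed whitespace in the copy above as well as nmap's real column alignment; nmap's own XML output (-oX) is the better choice for anything beyond a quick script.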
Now try brute-forcing SSH with hydra, but we don't have the username, only her full name: Betty Jayde. Use username-anarchy to generate a username dictionary and run the brute force -->

We can see other network connections in the ifconfig output but... after searching for something interesting for a while, we can find credentials in the .bash_history file -->

hwilliam : dealer-screwed-gym1
We can also see FILE01 from here; it is one of the in-scope hosts listed at the start of the assessment (FILE01, 172.16.119.10).
We need to do a little pivoting using proxychains. Now I'll check the proxychains configuration on my Kali machine to ensure socks4 127.0.0.1 9050 is present under the [ProxyList] section:
Now, connect via SSH as the user jbetty again, but with the -D flag so SSH opens the SOCKS listener that proxychains will use -->
Now I'll scan the FILE01 machine, routing the traffic through proxychains (from our Kali machine):
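The proxychains check above is easy to get wrong: the Kali default file ships with example entries commented out, and the port under [ProxyList] must match the port given to ssh -D. As an added example (not part of the original writeup), this Python snippet parses a proxychains.conf, ignores comments, and reports why proxychains would fail to reach the SOCKS listener. The sample configuration is constructed, modelled on the default file's layout.

```python
# Constructed sample proxychains.conf, modelled on the Kali default layout:
# example entries are commented out and the live entry sits under [ProxyList].
SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# socks5 192.168.67.78 1080 lamer secret
# defaults set to "tor"
socks4 127.0.0.1 9050
"""


def parse_proxylist(conf_text: str) -> list:
    """Return the active (uncommented) [ProxyList] entries as (type, host, port) tuples."""
    entries, in_list = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_list = line.lower() == "[proxylist]"
            continue
        if in_list:
            parts = line.split()
            if len(parts) >= 3 and parts[2].isdigit():
                entries.append((parts[0].lower(), parts[1], int(parts[2])))
    return entries


def check_socks_entry(conf_text: str, socks_port: int, host: str = "127.0.0.1") -> list:
    """Problems that would stop proxychains from using the SOCKS listener opened with ssh -D.

    Returns an empty list when an active socks4/socks5 entry for host:socks_port exists."""
    problems = []
    entries = parse_proxylist(conf_text)
    if not entries:
        problems.append("no active entry under [ProxyList] (is it commented out?)")
    elif not any(t in ("socks4", "socks5") and h == host and p == socks_port for t, h, p in entries):
        problems.append(f"no socks4/socks5 entry for {host}:{socks_port}; found {entries}")
    return problems


if __name__ == "__main__":
    print("active entries:", parse_proxylist(SAMPLE_CONF))
    print("problems for ssh -D 9050:", check_socks_entry(SAMPLE_CONF, 9050))
    print("problems for ssh -D 1080:", check_socks_entry(SAMPLE_CONF, 1080))
```

Run it against /etc/proxychains4.conf (or whichever file your proxychains build reads) with the same port you pass to ssh -D; an empty list means the entry the text asks for is really active.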
Nice, try to connect via SMB using smbclient with the credentials found -->
NOTE: as the company is called Nexura, I assume that the domain name is nexura.
I'll connect to the HR share to inspect its contents:
Inspecting Archive, I found the following:

I'll grab it and try to crack it with John the Ripper, since it is a .psafe3 file (Password Safe v3). First, we need to extract the password hash -->
Now we can try to crack it -->

password : michaeljackson
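Why does a .psafe3 file crack at all, and what makes it slow? As an added example (not code from the page or from the Password Safe project), this Python snippet models the first 72 bytes of a Password Safe V3 file per the published V3 format: the tag "PWS3", a 32-byte salt, a little-endian iteration count ITER, and H(P'), the SHA-256 of the stretched key. Verifying a candidate password means re-running that stretching, which is exactly the cost a cracker pays per guess, so ITER is the knob a defender raises. The header builder, the timing helper and the demo inputs are mine; records and the encrypted payload are not modelled.

```python
import hashlib
import hmac
import os
import struct
import time

# First 72 bytes of a Password Safe V3 (.psafe3) file, per the published V3 format:
# TAG "PWS3" | SALT (32) | ITER (4, little-endian) | H(P') (32).
TAG = b"PWS3"
DEFAULT_ITER = 2048  # the iteration count Password Safe has used by default


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """V3 key stretching: P' = SHA-256(P || SALT), then SHA-256 applied ITER more times."""
    key = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        key = hashlib.sha256(key).digest()
    return key


def make_header(password: bytes, iterations: int = DEFAULT_ITER, salt: bytes = None) -> bytes:
    """Build a V3-style header for a new safe (only the 72 header bytes; records are not modelled)."""
    salt = os.urandom(32) if salt is None else salt
    hp = hashlib.sha256(stretch_key(password, salt, iterations)).digest()  # H(P')
    return TAG + salt + struct.pack("<I", iterations) + hp


def parse_header(blob: bytes):
    """Split a header into (salt, iterations, H(P')); raises on anything that is not V3."""
    if len(blob) < 72 or blob[:4] != TAG:
        raise ValueError("not a Password Safe V3 header")
    salt = blob[4:36]
    iterations = struct.unpack("<I", blob[36:40])[0]
    return salt, iterations, blob[40:72]


def verify_password(blob: bytes, password: bytes) -> bool:
    """What the application does at unlock time: re-stretch the candidate and compare H(P')."""
    salt, iterations, hp = parse_header(blob)
    candidate = hashlib.sha256(stretch_key(password, salt, iterations)).digest()
    return hmac.compare_digest(candidate, hp)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Rough single-core cost of one candidate at a given ITER; cost grows linearly with ITER."""
    salt = bytes(32)
    start = time.perf_counter()
    for i in range(samples):
        stretch_key(b"candidate%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    header = make_header(b"michaeljackson")  # the password recovered on this page, as demo input
    print("correct password accepted:", verify_password(header, b"michaeljackson"))
    print("wrong password rejected:", not verify_password(header, b"Texas123!@#"))
    for it in (DEFAULT_ITER, 16 * DEFAULT_ITER):
        print(f"ITER={it:6d}: ~{seconds_per_guess(it) * 1e3:.2f} ms per guess")
```

The takeaway for the safe's owner is in the last loop: a weak master password like the one above falls to a wordlist quickly at 2048 iterations, and Password Safe lets you raise ITER when saving the database, which multiplies the per-guess cost for an attacker by the same factor.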
NICE XDD so... it is very similar to a KeePass database; log in to this .psafe3 file -->
Note: Install it -->
sudo apt update
sudo apt install passwordsafe


JUMMM DELICIOUSSSSS. We have user credentials here

Credentials Obtained
DMZ01
jbetty : xiao-nicer-wheels5
Domain Users
bdavid : caramel-cigars-reply1
stom : fails-nibble-disturb4
hwilliam : warned-wobble-occur8
As we have seen that the DMZ01 machine has an IP on the 172.16.119.X network, continue with the pivoting and run nmap against the other IPs -->
We can see port 3389 for RDP, so... try to connect using the credentials obtained.
Once we are connected to the machine, we can get three .pcap files -->


The one that catches my attention the most is dhcp.pcap; examine it with Wireshark but... it is a rabbit hole, so... now try to dump LSASS -->
This requires us to:
Open Task Manager
Select the Processes tab
Find and right click the Local Security Authority Process
Select Create dump file


Now we need to create a folder and build a new, better xfreerdp3 command that maps that folder as a shared drive inside the RDP session -->
Note: set your directory path correctly

So... now we need to open a new PowerShell and copy this file to the shared folder, like this -->
Once we have the file on our Kali machine, use the pypykatz tool to extract the info (for more info read: https://eldeim.gitbook.io/brain_fuck/checklists/certifications/htb-cpts/password-attacks/extracting-passwords-from-windows-systems/attacking-lsass#lab-questions)
Note: git clone the tool
NICE! We have another credential --> stom:calves-warp-learning1. Next is DC01, scan it -->
Connect via RDP to this IP and map the shared folder again, just in case

We can start by looking at the local group membership using the command:

This is practically a victory because we are in the Administrators group, but we need the NTLM hash of the Administrator. Since we are in the admin group, we can dump NTDS and get the hashes -->
Note: open a PowerShell as Administrator
First, I'll save the SYSTEM registry hive:
Now I'll use vssadmin to create a Volume Shadow Copy of the C: drive:
I'll now copy the NTDS.dit:
I'll now copy those files to the shared folder on my machine and then extract the hashes locally:
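Both credential-dumping steps on this page leave loud traces: the Task Manager "Create dump file" on LSASS (the JUMP01 step above) needs a process handle to lsass.exe with memory-read rights, and the SYSTEM hive save, vssadmin shadow copy and NTDS.dit copy just described show up as three process-creation events on the same host minutes apart. As an added example (not part of the original writeup), here is a Python detection over constructed Sysmon-style events for both: a ProcessAccess (Event ID 10) rule keyed on PROCESS_VM_READ, and a correlation rule that fires when two or more steps of the NTDS chain occur on one host within a window. Field names follow Sysmon's (SourceImage, TargetImage, GrantedAccess, CommandLine); the events, host names, paths and the <shadow-copy-path> token are constructed, not real telemetry.

```python
import re
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # handle right required to read another process's memory

# Constructed sample events, shaped like Sysmon ProcessAccess (EID 10) and process
# creation (EID 1) records after log parsing; host names follow the lab's naming.
EVENTS = [
    {"ts": "2025-12-29T13:41:02", "host": "JUMP01", "event_id": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},  # query only: benign
    {"ts": "2025-12-29T13:42:10", "host": "JUMP01", "event_id": 10,
     "SourceImage": r"C:\Windows\system32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},  # full access: dump
    {"ts": "2025-12-29T14:05:00", "host": "DC01", "event_id": 1,
     "Image": r"C:\Windows\system32\reg.exe", "CommandLine": r"reg save hklm\system C:\Temp\system.save"},
    {"ts": "2025-12-29T14:06:30", "host": "DC01", "event_id": 1,
     "Image": r"C:\Windows\system32\vssadmin.exe", "CommandLine": "vssadmin create shadow /for=C:"},
    {"ts": "2025-12-29T14:07:45", "host": "DC01", "event_id": 1,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"cmd /c copy <shadow-copy-path>\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"ts": "2025-12-29T03:00:00", "host": "FILE01", "event_id": 1,
     "Image": r"C:\Windows\system32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},  # benign
]

# One pattern per step of the NTDS.dit theft chain described on this page.
NTDS_STEPS = {
    "reg_save_system": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "vss_create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copy": re.compile(r"ntds\.dit", re.I),
}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def lsass_access_alerts(events: list) -> list:
    """Flag any process that obtains a handle to lsass.exe including PROCESS_VM_READ."""
    alerts = []
    for e in events:
        if e.get("event_id") != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        access = int(e["GrantedAccess"], 16)
        if access & PROCESS_VM_READ:
            alerts.append({"rule": "lsass_memory_read", "host": e["host"], "ts": e["ts"],
                           "source": e["SourceImage"], "granted_access": hex(access)})
    return alerts


def ntds_dump_alerts(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """One alert per host when two or more chain steps occur within `window` of each other."""
    hits = {}
    for e in events:
        if e.get("event_id") not in (1, 4688):  # Sysmon 1 or Security 4688 process creation
            continue
        for step, rx in NTDS_STEPS.items():
            if rx.search(e.get("CommandLine", "")):
                hits.setdefault(e["host"], []).append((_ts(e), step))
    alerts = []
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            steps = sorted({s for t, s in seen if start <= t <= start + window})
            if len(steps) >= 2:
                alerts.append({"rule": "ntds_dump_chain", "host": host,
                               "start": start.isoformat(), "steps": steps})
                break
    return alerts


if __name__ == "__main__":
    for alert in lsass_access_alerts(EVENTS) + ntds_dump_alerts(EVENTS):
        print(alert)
```

In real telemetry, antivirus and EDR agents open LSASS constantly, so the first rule needs an allowlist of signed binaries by full path; Task Manager reading LSASS memory on a jump host, as in the step above, is not something that allowlist should cover. The chain rule deliberately does not fire on a lone vssadmin list or a backup job's shadow copy, which is why it waits for a second step.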

Extract / decrypt using impacket-secretsdump -->