Skills Assessment
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Pivoting, Tunneling and Port Forwarding
- 🔗 Link: Skills Assessment
❓Question
Once on the webserver, enumerate the host for credentials that can be used to start a pivot or tunnel to another host in the network. In what user's directory can you find the credentials? Submit the name of the user as the answer.
📋 Walkthrough
Home directory
Answer
[REDACTED]
❓Question
Submit the credentials found in the user's home directory. (Format: user:password)
📋 Walkthrough
File in home directory
Answer
mlefay:Plain Human work!
❓Question
Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
📋 Walkthrough
I use a ping sweep command:
for ip in {1..254}; do (ping -c 1 172.16.5.$ip | grep "bytes from" &); done
64 bytes from 172.16.5.15: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 172.16.5.**: icmp_seq=1 ttl=128 time=3.68 ms
Answer
172.16.5.**
❓Question
Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.
📋 Walkthrough
I use xfreerdp with those credentials.
Answer
[REDACTED]
❓Question
In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the user's credentials and the network as a whole. What user is vulnerable?
📋 Walkthrough
Create an LSASS dump with Task Manager, then use pypykatz to decrypt it.
pypykatz -v lsa minidump /tmp/lsass.DMP
echo "49006d0070006c0079002000770065007400200055006e006d00610073006b006500640021000000" | xxd -r -p
Imply wet Unmasked!
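The hex value above is UTF-16LE text (every second byte is `00`), so `xxd -r -p` writes NUL bytes between the characters even though the terminal hides them. The following is an added example, not part of the original walkthrough or of pypykatz: a small decoder (the name `decode_hex_secret` and its heuristic are assumptions made for illustration) that turns such a hex field into clean text and reports when the value is binary rather than a typed password.

```python
# Constructed sample: the hex string shown in the walkthrough above.
SAMPLE_HEX = (
    "49006d0070006c0079002000770065007400200055006e006d00"
    "610073006b006500640021000000"
)


def _as_text(raw, encoding):
    """Decode raw bytes, drop trailing NUL terminators, keep only printable text."""
    try:
        text = raw.decode(encoding).rstrip("\x00")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def decode_hex_secret(hex_value):
    """Return (text, encoding) for a hex-encoded secret, or (None, "binary").

    Heuristic (an assumption of this example): try UTF-8 first, then
    UTF-16LE. UTF-16LE ASCII text fails the UTF-8 check because the
    interleaved 0x00 bytes are not printable, so it falls through to the
    second attempt. Random binary secrets usually fail both.
    """
    try:
        raw = bytes.fromhex(hex_value)  # ignores whitespace, rejects odd length
    except ValueError as exc:
        raise ValueError(f"not a valid hex string: {exc}") from None
    if not raw:
        raise ValueError("empty input")

    text = _as_text(raw, "utf-8")
    if text is not None:
        return text, "utf-8"

    if len(raw) % 2 == 0:  # UTF-16 needs whole 16-bit code units
        text = _as_text(raw, "utf-16-le")
        if text is not None:
            return text, "utf-16-le"

    return None, "binary"


if __name__ == "__main__":
    print(decode_hex_secret(SAMPLE_HEX))
```
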
Answer
vfrank
❓Question
For your next hop, enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.
📋 Walkthrough
Answer
``
❓Question
Submit the contents of C:\Flag.txt located on the Domain Controller.
📋 Walkthrough
Answer
``