CPTS #07: Pivoting, Tunneling, and Port Forwarding

Metasploit could really help make this pivot easier to manage.

Skills Assessment

According to the challenge description, we are given a webshell on the foothold server. We will use this foothold server to pivot into the internal network and enumerate the other hosts; the questions are answered with the information gathered from there.

While reading a file in the home directory of the webadmin user, we discovered login credentials for another server.

I will use Metasploit to perform the pivot (refer back to the lesson content for the detailed steps). After configuring the SOCKS proxy, I will scan for live hosts within the 172.16.5.0 network (the writeup originally gave this as 172.16.5.0/16, which is not a valid prefix for that address; the subnet of interest is 172.16.5.0). Two IPs turned up: one belonging to the foothold server and another belonging to a different machine.

I performed an Nmap scan of the .35 server through the proxy. Since SYN probes and ICMP do not traverse a SOCKS proxy, this has to be a full TCP connect scan with host discovery disabled (-sT -Pn). The scan showed several open ports, including RDP (3389) and SMB (445), among others.
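The host and port sweep from the two steps above, done through the Metasploit SOCKS proxy without proxychains, as an added example that is not part of this writeup or of the HTB module. It speaks SOCKS4/4a to the proxy directly, so it pairs with auxiliary/server/socks_proxy set to VERSION 4a; the proxy address 127.0.0.1:1080, the /24 mask on 172.16.5.0, the probed port list and the hostname example.test are assumptions made for the example.

```python
"""TCP-connect sweep of an internal network through a SOCKS4/4a proxy.

Added example for the pivoting writeup; standard library only. Intended for
Metasploit's auxiliary/server/socks_proxy with VERSION 4a, but any SOCKS4
proxy works.
"""
import ipaddress
import socket
import struct
from typing import Dict, Iterable, List, Tuple

# Assumed proxy endpoint (socks_proxy's SRVPORT defaults to 1080).
PROXY: Tuple[str, int] = ("127.0.0.1", 1080)

SOCKS4_VERSION = 4
SOCKS4_CMD_CONNECT = 1
SOCKS4_REPLY_GRANTED = 0x5A   # request granted
SOCKS4_REPLY_REJECTED = 0x5B  # request rejected or failed


def build_socks4_connect(target: str, port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request.

    An IPv4 literal is placed in DSTIP directly. Anything else is sent as a
    SOCKS4a request: DSTIP is 0.0.0.1 and the hostname follows the
    NUL-terminated USERID, so the proxy resolves the name on the far side.
    """
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    try:
        dst_ip = ipaddress.IPv4Address(target).packed
        trailer = b""
    except ipaddress.AddressValueError:
        dst_ip = b"\x00\x00\x00\x01"
        trailer = target.encode("idna") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, port, dst_ip)
    return header + userid + b"\x00" + trailer


def parse_socks4_reply(data: bytes) -> int:
    """Return the CD (status) byte of an 8-byte SOCKS4 reply; raise if malformed."""
    if len(data) != 8:
        raise ValueError(f"expected an 8-byte SOCKS4 reply, got {len(data)} bytes")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != 0:
        raise ValueError(f"unexpected reply version byte {vn:#04x}")
    return cd


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    return buf


def probe(proxy: Tuple[str, int], target: str, port: int, timeout: float = 3.0) -> bool:
    """True if the proxy managed to open a TCP connection to target:port."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as sock:
            sock.sendall(build_socks4_connect(target, port))
            return parse_socks4_reply(_recv_exact(sock, 8)) == SOCKS4_REPLY_GRANTED
    except (OSError, ValueError):
        # Proxy unreachable, timed out, or malformed reply: count the port as closed.
        return False


def sweep(proxy: Tuple[str, int], network: str,
          ports: Iterable[int] = (445, 3389, 22, 80)) -> Dict[str, List[int]]:
    """Map live hosts in `network` to their open ports among `ports`.

    ICMP never crosses a SOCKS proxy, so a ping sweep (or nmap's default host
    discovery) finds nothing; a host counts as live when any probed port accepts.
    """
    ports = tuple(ports)
    live: Dict[str, List[int]] = {}
    for host in ipaddress.ip_network(network, strict=False).hosts():
        open_ports = [p for p in ports if probe(proxy, str(host), p)]
        if open_ports:
            live[str(host)] = open_ports
    return live


if __name__ == "__main__":
    # /24 is an assumption; adjust it to the route added in Metasploit.
    for host, open_ports in sweep(PROXY, "172.16.5.0/24").items():
        print(host, open_ports)
```

The proxy only forwards to subnets for which a Metasploit route exists (run autoroute against the Meterpreter session first), and the module must be started with VERSION set to 4a for this SOCKS4a client. The script does the same job as proxychains nmap -sT -Pn against the subnet, which is the reason for the connect-only design: the proxy can open TCP connections on your behalf but cannot carry raw SYN packets or ICMP, so any "host is up" signal has to come from an accepted connection.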

Using the credentials found in the file, I successfully logged in to the discovered server via RDP.

At this point, I proceeded to enumerate the server and found the first flag file. I then read its contents and submitted the answer.

The task requires identifying a vulnerable user, and the hint suggests dumping credentials from the LSASS process. I transferred Mimikatz to the target server and used it to dump the credentials cached in LSASS memory (Mimikatz does this with privilege::debug followed by sekurlsa::logonpasswords, which requires an elevated context with SeDebugPrivilege). From the output, I was able to extract additional credentials belonging to the user vfrank.

I then used the runas command with those credentials to launch a command prompt as the user vfrank.

Next, we enumerate which hosts are active in the 172.16.6.0 range. Two hosts are online: 172.16.6.25 and 172.16.6.45.

From the CMD session running as vfrank, we RDP into the servers at 172.16.6.25 and 172.16.6.45 to retrieve the flag files.

There is a shared drive mapped on this machine; accessing it gives us the final flag.