Pivoting Skills Assessment — HTB Academy
Module: Pivoting, Tunneling, and Port Forwarding | Platform: HTB Academy
Author: jkonpc
Executive Summary
A red team simulation requiring multi-hop pivoting from an external web server through two internal subnets to compromise a Domain Controller. Initial access was provided via a web shell left by a prior operator. The engagement required SSH tunneling, SOCKS proxy chaining, credential extraction via Mimikatz, and SOCKSOverRDP to reach the final target across three network segments.
| Property | Value |
|---|---|
| External Host | 10.129.201.211 / 172.16.5.15 |
| Internal Host 1 | 172.16.5.35 |
| Internal Host 2 | 172.16.6.35 |
| Domain Controller | ACADEMY-PIVOT-DC |
Attack Chain Overview
- Foothold (webadmin): Web shell on support.inlanefreight.local → SSH key extraction → SSH access to external server
- Pivot 1 (mlefay): Dynamic SOCKS proxy via SSH → internal enumeration → RDP into 172.16.5.35 with discovered credentials
- Pivot 2 (vfrank): Mimikatz credential extraction on RDP host → SOCKSOverRDP tunnel → RDP into 172.16.6.35
- Domain Controller: Network share access → DC flag retrieval
Phase 1: Foothold — Web Shell to SSH
An active web shell on support.inlanefreight.local provided initial access. Enumeration of home directories revealed an SSH private key in the webadmin user’s .ssh directory.
```bash
ssh -i id_rsa webadmin@10.129.201.211
```
The host had two NICs, confirming it straddled the external and internal networks:
| Interface | Subnet | Role |
|---|---|---|
| ens160 | 10.129.201.211 | External (attacker-facing) |
| ens192 | 172.16.5.15 | Internal (pivot network) |
Phase 2: Internal Enumeration via SOCKS Proxy
A dynamic SOCKS proxy was established through the SSH session to route tools into the internal network:
```bash
ssh -D 9050 -i id_rsa webadmin@10.129.201.211
```
Proxychains was configured with `socks4 127.0.0.1 9050` in `/etc/proxychains.conf`. Host discovery identified 172.16.5.35 as an active internal host:
```bash
proxychains nmap -v -sn 172.16.5.1-200
proxychains nmap -Pn -sT -p3389 172.16.5.35
```
RDP was confirmed open via Metasploit’s auxiliary/scanner/rdp/rdp_scanner. Credentials discovered on the web server provided access:
| Username | Password |
|---|---|
| mlefay | Plain Human work! |
```bash
proxychains xfreerdp /v:172.16.5.35 /u:mlefay /p:'Plain Human work!'
```
Phase 3: Credential Extraction and Second Pivot
Inside the RDP session on 172.16.5.35, vfrank’s private SSH key was found in mlefay’s .ssh folder. Mimikatz was executed to extract additional credentials:
| Username | Password | NTLM Hash |
|---|---|---|
| vfrank | Imply wet Unmasked! | Extracted |
A ping sweep from the RDP host identified the next target:
```batch
for /L %i in (1,1,254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"
```
172.16.6.35 responded with RDP open.
Phase 4: SOCKSOverRDP to Domain Controller
Direct access to the 172.16.6.0/24 subnet required tunneling through the RDP session. SOCKSOverRDP was deployed — client on the RDP host, server on the attacker machine, with a listener on port 1080. Proxifier on the RDP machine forwarded all traffic through the SOCKS tunnel.
```bash
proxychains xfreerdp /v:172.16.6.35 /u:vfrank /p:'Imply wet Unmasked!'
```
Inside the final RDP session, the Domain Controller was accessible via network shares:
```text
\\ACADEMY-PIVOT-DC\C$\Users\Administrator\Desktop\Flag.txt
```
Lessons Learned
Dual-Homed Hosts Are Pivot Goldmines: The external web server with two NICs was the gateway to the entire internal network. In real engagements, any host with multiple network interfaces should be treated as a high-value target — it’s the bridge between network segments that are otherwise unreachable. Defenders should monitor dual-homed hosts aggressively and restrict which services can bind to internal interfaces.
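The whole of Phase 2 rested on the pivot host's sshd permitting TCP forwarding, which is what `ssh -D` needs. The script below is an added example for this write-up (not part of the original assessment or of any OpenSSH tooling): it audits an `sshd_config` for the directives that govern tunnelling, applying the OpenSSH rule that the first occurrence of a directive wins and that lines after `Match` apply only to matching sessions. The two configs it checks are constructed for illustration.

```python
"""Audit an sshd_config for the forwarding directives that turn an SSH foothold
into a SOCKS pivot (ssh -D / -L / -R).

Added example, not part of the original write-up or of OpenSSH. Assumes the
sshd_config(5) semantics: directives are case-insensitive, the FIRST occurrence
wins, "Key value" and "Key=value" are both accepted, and directives after a
`Match` line apply only to sessions matching that block.
"""
import re

# OpenSSH defaults for the directives that govern tunnelling (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",  # "yes" or "local" permits -L and -D listeners
    "gatewayports": "no",
    "permittunnel": "no",
}
# What a pivot-resistant host should enforce in its global section.
HARDENED = {key: "no" for key in DEFAULTS}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps a lowercase directive to the first value seen before
    any Match line; match_blocks is a list of (criteria, settings) in file order.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means forwarding is denied everywhere."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, wanted in HARDENED.items():
        effective = global_settings.get(key, DEFAULTS[key]).lower()
        if effective != wanted:
            origin = "explicit" if key in global_settings else "OpenSSH default"
            findings.append(f"global: {key}={effective} ({origin}); set '{key} {wanted}'")
    for criteria, settings in match_blocks:
        for key, wanted in HARDENED.items():
            value = settings.get(key, "").lower()
            if value and value != wanted:
                findings.append(
                    f"Match {criteria}: {key}={value} re-enables forwarding for matching sessions"
                )
    return findings


# Constructed: a distro-style default plus a hardening line that never takes effect.
SAMPLE_CONFIG = """\
# constructed sshd_config for illustration
Port 22
PermitRootLogin no
AllowTcpForwarding yes
# the next line is ignored: the first occurrence above wins
AllowTcpForwarding no
PermitTunnel no
Match User webadmin
    AllowTcpForwarding yes
"""

# Constructed: the same host with forwarding denied outright.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg) or ["no forwarding directives permit tunnelling"]:
            print("  -", finding)
```

The first-occurrence rule is the trap worth testing for: appending `AllowTcpForwarding no` to the end of a config that already says `yes` changes nothing, and a per-user `Match` block can quietly re-enable forwarding for exactly the account an attacker lands on.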
SOCKS Proxy Chaining Requires Discipline: Each hop added complexity to the proxy configuration. Mixing SOCKS4 and SOCKS5, misconfiguring proxychains, or losing track of which tunnel reaches which subnet will stall an engagement. Maintaining a clear mental map of the network topology and which proxy reaches which segment is essential — especially when tools like SOCKSOverRDP add non-standard tunneling layers.
Credential Hygiene Failures Cascade: A single set of plaintext credentials on the web server unlocked the first internal host. Mimikatz on that host provided credentials for the next hop. Each compromised host yielded the keys to the next — a chain that only works because credentials were reused, stored insecurely, or left in accessible locations. One break in that chain (credential isolation, MFA, or LAPS) would have stopped lateral movement cold.
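Both the webadmin key in Phase 1 and vfrank's key sitting in mlefay's `.ssh` folder in Phase 3 are the kind of exposure a periodic permissions audit catches. The script below is an added example for this write-up, not part of the original assessment: it walks a home-directory tree, identifies files by their standard PEM/OpenSSH private-key headers, and reports any key whose mode grants group or other access. The directory tree it scans is constructed in a temporary directory (the key bodies are placeholders, not real keys).

```python
"""Audit home directories for private SSH keys that other local users can read.

Added example, not part of the original write-up. Builds a constructed tree in a
temporary directory: one key kept at 0600 and one copied key left at 0644.
"""
import os
import stat
import tempfile

# Standard headers for OpenSSH and PEM-encoded private keys.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def is_private_key(path):
    """True if the file begins with a recognised private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(PRIVATE_KEY_MARKERS)


def find_exposed_keys(root):
    """Return sorted (relative_path, octal_mode) pairs for private keys whose
    mode grants any group or other permission, i.e. anything beyond 0600."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_private_key(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                exposed.append((os.path.relpath(path, root), oct(mode)))
    return sorted(exposed)


def build_sample_tree():
    """Create a constructed /home-like tree and return its root path."""
    root = tempfile.mkdtemp(prefix="home_audit_")
    key_body = b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
    # (relative path, content, mode); names mirror the write-up, contents are constructed
    files = [
        ("webadmin/.ssh/id_rsa", key_body, 0o600),
        ("mlefay/.ssh/id_rsa_vfrank", key_body, 0o644),
        ("mlefay/notes.txt", b"not a key\n", 0o644),
    ]
    for rel, content, mode in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, mode in find_exposed_keys(sample_root):
        print(f"exposed private key: {rel} (mode {mode})")
```

Run against a real `/home` the same function reports keys that `ssh` itself would refuse to use for its owner, yet which any other local account, a web-shell user included, can still copy. Keys that belong to a different user than the directory owner (the vfrank-in-mlefay case) are a separate check: compare the key's comment or fingerprint against the owner's `authorized_keys` rather than its mode.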
Tools Used
| Tool | Purpose |
|---|---|
| SSH | Remote access and dynamic SOCKS proxy tunneling |
| Proxychains | Routing tools through SOCKS proxy into internal networks |
| nmap | Host discovery and port scanning through proxy |
| Metasploit | RDP service validation via auxiliary scanner |
| xfreerdp | RDP client for internal host access |
| Mimikatz | Credential extraction (NTLM hashes and cleartext) |
| SOCKSOverRDP | SOCKS tunnel through an active RDP session |
| Proxifier | Traffic redirection through SOCKS proxy on Windows |