Example scenario

The following outlines the setup we will be working with for the next few sections under "Lateral movement & Pivoting".

Suppose we have obtained two sets of Active Directory (AD) credentials:

a. A low-privileged (standard user) account that can access jmp.test.com

b. A user named admin, who is a member of the Domain Admins group for the domain test.com

Our goal is to obtain a shell session on an IIS server with administrative privileges. There are two servers we will be working with:

a. Intermediary (jmp.test.com)

b. IIS (iis.test.com)

Let's assume that the intermediary server holds no data of interest to us; it simply serves as a stepping stone to reach the IIS server. The real target is the IIS server, which is reachable (routable) only from the intermediary server because of network restrictions such as firewalls and segmentation.

The first set of AD credentials gives us a remote shell session on the intermediary machine (jmp.test.com) via SSH. The second set gives us access to any machine in the domain (including iis.test.com) as the Administrator user.

However, the IIS server does not expose an SSH service. We therefore need to use the session we already have on the intermediary server to move laterally to the IIS server (iis.test.com) with the obtained admin credentials, and so gain a remote session with administrative privileges.