Example scenario
The following outlines the setup we will be working with for the next few sections under "Lateral movement & Pivoting".
Suppose the following scenario, in which we have obtained two sets of AD credentials:
a. Low privileges (user)
b. Administrative access (admin)
Our goal is to obtain a shell session on an IIS server with administrative privileges. There are 2 servers we will be working with:
a. Intermediary (jmp.test.com)
b. IIS (iis.test.com)
Let's assume that the intermediary server holds no data of interest to us; it simply functions as a stepping stone to reach the IIS server. The main goal is the IIS server, which is only accessible/routable from the intermediary server due to network restrictions, firewalls, etc.
The first set of AD credentials (user) allows us to gain a remote shell session on the intermediary machine (jmp.domain) via SSH.
However, the IIS server does not expose an SSH service. Thus, we need to use the session we have on the intermediary server to move laterally to the IIS server (iis.domain) with the obtained admin credentials, in order to gain a remote session with administrative privileges.