Internet entry and the triple-homed pivot

Arrival at unseen-gate shows the hallmarks of prior occupation. The loot directory holds evidence of another student’s earlier adversarial work, complete with notes and a discovered NFS share. The prior reconnaissance file points to a single host on the internet segment: wizzards-retreat, at 10.10.0.10, with three ports noted.

Two independent paths open access to that host. The NFS export answers on port 2049; credentials sitting on a world-readable share give shell access without any password. SSH on port 22 accepts password authentication; a wordlist and a username harvested from bash history cover the rest. Either path lands you in rincewind’s home directory, where the machine’s network configuration becomes apparent: three interface addresses, three network segments, and something that looks like standing VPN configuration for zones deeper in the network.

The critical discovery is not the machine itself, but what it reaches. The three addresses place it on the internet segment (10.10.0.10), the enterprise zone (10.10.1.3), and the operational zone (10.10.2.3). A single shell has line of sight to all three, each one a direct attachment with no routing hop required. From unseen-gate, the internet zone is all that is directly reachable. From wizzards-retreat, the interior zones open.

The SSH pivot technique completes the picture. Unseen-gate has no direct route to 10.10.2.0/24, but rincewind’s shell at 10.10.2.3 can relay. Local port forwarding through wizzards-retreat to services on the operational zone means reconnaissance can proceed without ever routing through the inter-zone firewalls or touching any enterprise machine.

The finding that changes everything: a single machine connected to three zones, reachable from outside with a password that falls to a wordlist attack. That is where the attack gains depth.
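A defender can find this kind of host before an attacker does. The following added example (not part of the original walkthrough) audits an inventory for machines attached to more than one zone and notes the SSH settings that make such a host usable as a relay. The /24 prefixes for the internet and enterprise zones, the two extra hosts and all sshd values are assumptions made for illustration.

```python
import ipaddress

# Zone prefixes: 10.10.2.0/24 is from the walkthrough; the other two are assumed /24s.
ZONES = {
    "internet": ipaddress.ip_network("10.10.0.0/24"),
    "enterprise": ipaddress.ip_network("10.10.1.0/24"),
    "operational": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed inventory. Only wizzards-retreat's addresses come from the walkthrough;
# the other hosts and all sshd values (keys as printed by `sshd -T`) are made up.
INVENTORY = {
    "wizzards-retreat": {"addrs": ["10.10.0.10", "10.10.1.3", "10.10.2.3"],
                         "sshd": {"passwordauthentication": "yes", "allowtcpforwarding": "yes"}},
    "example-jump": {"addrs": ["10.10.1.5", "10.10.2.5"],
                     "sshd": {"passwordauthentication": "no", "allowtcpforwarding": "no"}},
    "example-hmi": {"addrs": ["10.10.2.20"], "sshd": {}},
}

def zones_of(addrs, zones=ZONES):
    """Return the sorted names of every zone the interface addresses fall in."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    return sorted({name for name, net in zones.items() for ip in ips if ip in net})

def audit(inventory, zones=ZONES, exposed_zone="internet"):
    """Flag hosts attached to more than one zone, worst (most reasons) first."""
    findings = []
    for host, info in inventory.items():
        attached = zones_of(info["addrs"], zones)
        if len(attached) < 2:
            continue  # single-homed: not a zone bridge
        reasons = ["bridges " + ", ".join(attached)]
        if exposed_zone in attached:
            reasons.append("attached to the " + exposed_zone + " zone")
        sshd = info.get("sshd", {})
        # OpenSSH defaults both settings to "yes" when they are not set
        if sshd.get("passwordauthentication", "yes") == "yes":
            reasons.append("SSH password authentication enabled")
        if sshd.get("allowtcpforwarding", "yes") != "no":
            reasons.append("SSH TCP forwarding permitted")
        findings.append({"host": host, "zones": attached, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f["host"] + ": " + "; ".join(f["reasons"]))
```

A host that collects all four reasons, as wizzards-retreat does here, is the first candidate for key-only authentication, `AllowTcpForwarding no`, and removal of the interfaces it does not need.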