Prancer Blog / SwarmHack Deep Dive
Lateral Movement, Pivoting & Internal Compromise — Automated
From .env credential leak to SSH tunnel pivot into an isolated network — the seven autonomous phases that prove real exploitable risk.
SwarmHack Team · 2026-04-22 · 10 min
Continuing from Part 1: the external scan dropped 9 findings and 31 crown jewels — including SSH credentials sitting in a .env file. Now we watch SwarmHack chain them.
- How discovered credentials feed the SSH lateral-movement agent automatically
- How the privilege-escalation synthesizer constructs the chain from confirmed evidence
- How an SSH tunnel turns a dual-homed host into a path into an isolated network
Phase 2: Credential Correlation (T+60s)
The Intelligence Bus runs 12 regex patterns over every HTTP response and every deep-exploit artifact. In this engagement, two independent sources surfaced the same SSH credential pair:
| Source | Evidence |
| -------- | ---------- |
| CMDI deep exploit | cat /var/www/html/.env → SSH_USER=pentest, SSH_PASS=pentest123 |
| Unprotected admin page | HTML body: SSH: Port 22 (pentest/pentest123) |
Two independent confirmations of the same credential pair raise effective confidence to ~1.0. The credentials are then pushed onto the shared Intelligence Bus — every agent with lateral-movement capability picks them up in real time.
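The correlation step in Phase 2, as an added Python illustration that is not SwarmHack's code: two hypothetical extraction patterns run over constructed artifact bodies, pairs are deduplicated, and independent confirmations raise the combined confidence. Pointed at your own web roots and HTTP responses, the same extractor is a cheap leak check.

```python
import re
from collections import defaultdict

# Constructed evidence bodies modelled on the two sources in the table above
# (the .env dump from the CMDI exploit and the unprotected admin page),
# plus one artifact that carries nothing so the extractor has a negative case.
ARTIFACTS = {
    "cmdi:cat /var/www/html/.env": (
        "APP_ENV=production\nSSH_USER=pentest\nSSH_PASS=pentest123\n"
        "INTERNAL_API=http://172.20.1.20/api/v1\n"
    ),
    "http:GET /admin.php": "<p>SSH: Port 22 (pentest/pentest123)</p>",
    "http:GET /index.php": "<p>Welcome</p>",
}

# Two hypothetical extraction patterns (the real bus runs 12, not shown here).
PATTERNS = [
    # dotenv style: SSH_USER=... followed later in the same body by SSH_PASS=...
    re.compile(r"SSH_USER=(?P<user>\S+)[\s\S]*?SSH_PASS=(?P<pw>\S+)"),
    # free-text style: "SSH: Port 22 (user/password)"
    re.compile(r"SSH:\s*Port\s*\d+\s*\((?P<user>[^/\s)]+)/(?P<pw>[^)\s]+)\)"),
]

def extract_credentials(artifacts):
    """Map each (user, password) pair to the set of sources that revealed it."""
    hits = defaultdict(set)
    for source, body in artifacts.items():
        for pattern in PATTERNS:
            for m in pattern.finditer(body):
                hits[(m["user"], m["pw"])].add(source)
    return hits

def confidence(sources, per_source=0.9):
    """Treat sources as independent: 1 - prod(1 - p). One source 0.90, two 0.99."""
    miss = 1.0
    for _ in sources:
        miss *= 1.0 - per_source
    return 1.0 - miss

def correlate(artifacts):
    """Deduplicated credential leaks, each with its sources and combined confidence."""
    return [
        {"user": u, "password": p, "sources": sorted(s), "confidence": confidence(s)}
        for (u, p), s in extract_credentials(artifacts).items()
    ]
```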
Phase 3: SSH Lateral Movement (T+60s → T+90s)
sshpass -p 'pentest123' ssh pentest@localhost -p 2222
10 post-exploitation commands ran, 10/10 succeeded:
$ whoami → pentest
$ id → uid=1000(pentest) gid=1000(pentest)
$ uname -a → Linux target-a 5.10.76-linuxkit
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
$ ifconfig
eth0: 172.20.0.10/24 ← external interface
eth1: 172.20.1.10/24 ← internal interface (pivot point)
eth1: 172.20.1.10/24 is the moment the autonomous engine knows segmentation can be bypassed. From this single ifconfig line, SwarmHack derives: *"this host bridges to a different network — let's tunnel through it."*
Phase 4: Privilege Escalation Chain (T+90s)
The PrivEsc synthesizer doesn't run a vulnerability scan — it reasons over confirmed findings and produces an explicit chain:
<diagram title="Synthesized privesc chain (confidence 95%)">
www-data ──reads──► /var/www/html/.env
│
▼
SSH_USER=pentest
SSH_PASS=pentest123
│
ssh ─┘
▼
pentest user
│
sudo NOPASSWD: ALL
│
▼
root
</diagram>
| Field | Value |
| ------- | ------- |
| Severity | critical |
| CWE | CWE-269 (Improper Privilege Management) |
| MITRE ATT&CK | T1068, T1548 |
| Starting user | www-data (uid=33) |
| Target user | root |
| Vector confidence | 95% (Environment credential leak) |
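What "reasoning over confirmed findings" can look like, as an added Python illustration that is not SwarmHack's synthesizer: findings become edges with confidences, the best www-data to root path is a graph search, and the same graph ranks which single finding a defender should fix first. The edge list and its confidences are constructed.

```python
# Constructed finding edges modelled on the chain above. Each edge is one
# confirmed observation (principal -> principal) with the confidence the
# evidence supports; none of them comes from a vulnerability scan.
FINDINGS = [
    {"from": "www-data", "to": "creds:pentest",
     "via": "reads /var/www/html/.env", "conf": 1.0},
    {"from": "creds:pentest", "to": "user:pentest",
     "via": "ssh login confirmed (port 2222)", "conf": 1.0},
    {"from": "user:pentest", "to": "root",
     "via": "sudo NOPASSWD: ALL", "conf": 0.95},
    # a weakly supported shortcut that must lose to the evidenced chain
    {"from": "www-data", "to": "root",
     "via": "kernel 5.10.76 (exploit not verified)", "conf": 0.3},
]

def synthesize_chain(findings, start, goal):
    """Highest-confidence path from start to goal; score = product of edge confidences."""
    best = {start: (1.0, [])}          # node -> (score, edges used to reach it)
    frontier = [start]
    while frontier:
        node = frontier.pop()
        score, path = best[node]
        for f in findings:
            if f["from"] != node:
                continue
            new_score = score * f["conf"]
            # strict improvement only, so a cycle of 1.0 edges cannot loop forever
            if new_score > best.get(f["to"], (0.0, None))[0]:
                best[f["to"]] = (new_score, path + [f])
                frontier.append(f["to"])
    return best.get(goal, (0.0, []))

def render(chain):
    """Text form of a chain, in the spirit of the diagram above."""
    score, edges = chain
    lines = [f"confidence {score:.0%}"]
    lines += [f"{e['from']} --{e['via']}--> {e['to']}" for e in edges]
    return "\n".join(lines)

def remediation_priority(findings, start, goal):
    """Defender's view: how much does removing each single finding lower the best chain?"""
    base = synthesize_chain(findings, start, goal)[0]
    impact = []
    for f in findings:
        without = [g for g in findings if g is not f]
        impact.append((base - synthesize_chain(without, start, goal)[0], f["via"]))
    return sorted(impact, reverse=True)
```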
Phase 5: Internal Network Discovery (T+90s → T+120s)
Three independent signals converge on the same internal address space:
| Signal | Evidence |
| -------- | ---------- |
| ifconfig on Target A | eth1: 172.20.1.10/24 — dual-homed |
| .env from CMDI | INTERNAL_API=http://172.20.1.20/api/v1 |
| Admin page leak | "Internal services: 172.20.1.20 (DVWA test server)" |
The autonomous engine now has both the route (Target A bridges) and the destination (172.20.1.20).
Phase 6: SSH Tunnel via portable-pty (T+120s → T+180s)
SwarmHack's NetworkSessionManager reuses the existing SSH ControlMaster session to spin up a local port forward:
ssh -L 8881:172.20.1.20:80 -N -f \
-o ControlPath=/tmp/swmhk_sessions_{mission_id}/target-a_2222_pentest.sock \
pentest@localhost -p 2222
A probe HTTP request is fired through the tunnel:
GET / HTTP/1.1
Host: localhost:8881
→ HTTP/1.1 302 Found, Location: /login.php ✓ DVWA detected
The session is just OpenSSH. No Meterpreter binary, no implant — just the target's own SSH server held open with ControlMaster. Memory overhead vs. Metasploit: ~0 MB vs. ~500 MB.
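The tunnel works only because sshd on Target A still allows TCP forwarding and password logins, both OpenSSH defaults. As an added defender-side check that is not part of the post or of SwarmHack, this Python audits the global section of a constructed sshd_config for exactly those settings; for the real effective configuration, Match blocks included, compare against `sshd -T` on the host.

```python
# Two constructed sshd_config excerpts. The first is the shape that lets the
# tunnel above work (forwarding and password login are sshd defaults); the second
# is a hardened host that should not relay traffic into another segment.
PERMISSIVE = """
# AllowTcpForwarding not set, so the default (yes) applies
Port 2222
PasswordAuthentication yes
"""

HARDENED = """
Port 2222
PasswordAuthentication no
AllowTcpForwarding no
PermitOpen none
"""

# sshd defaults for the directives this audit cares about
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "permitopen": "any",
}

def effective_settings(text):
    """Global-section directives: sshd keeps the FIRST occurrence of a keyword.
    Match blocks are not evaluated here; compare against `sshd -T` on the host."""
    settings = dict(DEFAULTS)
    explicit = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # everything after this is conditional
            break
        if key not in explicit:
            explicit.add(key)
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_pivot_surface(text):
    """Settings that let a leaked password become a tunnel into another network."""
    s = {k: v.lower() for k, v in effective_settings(text).items()}
    issues = []
    if s["allowtcpforwarding"] in ("yes", "all", "local"):
        issues.append("AllowTcpForwarding permits local forwards (ssh -L)")
        if s["permitopen"] == "any":
            issues.append("PermitOpen any: forwards may target any host:port")
    if s["passwordauthentication"] == "yes":
        issues.append("PasswordAuthentication yes: a leaked .env password suffices")
    return issues
```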
Phase 7: Internal DVWA Scan Through Tunnel (T+180s → T+367s)
A second full kill-chain spawns against localhost:8881 (the tunnel endpoint). Every finding produced through the tunnel is tagged generation: 1 in the OCSF report — distinguishing it from direct (gen-0) findings.
<diagram title="End-to-end phase flow">
PHASE 1: Web Scan PHASE 3: SSH Lateral PHASE 4: Privesc
───────────────── ────────────────── ─────────────────
SwarmHack → :8880 SSH → :2222 Chain synthesis
│ │ │
├─ 9 findings ├─ Shell as pentest ├─ www-data
├─ CMDI → .env creds ├─ 10/10 cmds OK │ → .env creds
├─ admin.php leaks creds └─ Dual-homed confirmed │ → pentest
└─ 31 crown jewels │ → sudo
│ │ └─ → root
│ FEEDS ──────────────────────────►│ │
│ SSH credentials │ FEEDS ──────────────────────►│
│ FEEDS
▼
PHASE 5: Discovery PHASE 6: Tunnel PHASE 7: Internal
────────────────── ─────────────── ─────────────────
ifconfig shows eth1 SSH -L 8881: SwarmHack → :8881
│ 172.20.1.20:80 │
├─ 172.20.1.10/24 │ ├─ 1 finding
├─ .env → 172.20.1.20 ├─ Tunnel active ├─ CVE-2021-44790
└─ Dual-homed └─ DVWA reachable └─ 2 crown jewels
</diagram>
The Final Tally
| Metric | Value |
| -------- | ------- |
| Total findings | 11 (9 external + 1 lateral + 1 internal) |
| Total crown jewels | 35 |
| Targets compromised | 2 |
| Total runtime | 6m 7s |
| Human intervention | 0 |
| Post-exploit commands | 10 / 10 succeeded |
Across 11 consecutive runs, SwarmHack produced exactly the same 11 findings and 35 crown jewels — every single time.
Why It Matters
A SOC dashboard sees three different alerts: "web app scan", "SSH login", "internal Apache fingerprint". Without correlation, none of them tells the story.
SwarmHack tells the whole story in one report:
1. CMDI on /ping.php leaks .env
2. .env provides SSH creds
3. SSH session reveals dual-homed interface
4. Tunnel established to internal subnet
5. Internal Apache exposes another CVE chain
That's what "proof of exploitable risk" means — a connected narrative from first packet to crown jewel, generated autonomously and reproducibly.
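The correlation this section asks for, as an added Python illustration from the SOC side rather than SwarmHack's reporting code: constructed alerts for the same steps are joined into one incident by shared hosts and time, and it is the asset-inventory mapping of Target A's two interface addresses to one host that lets the external alerts meet the internal ones.

```python
from datetime import datetime, timedelta

# Constructed alerts, one per step of the story above, plus an unrelated SSH login
# that must not be pulled into the incident. External addresses are documentation ranges.
ALERTS = [
    {"ts": "2026-04-22T10:00:00", "type": "web_app_scan",
     "src": "203.0.113.5", "dst": "172.20.0.10"},
    {"ts": "2026-04-22T10:01:00", "type": "ssh_login",
     "src": "203.0.113.5", "dst": "172.20.0.10", "user": "pentest"},
    {"ts": "2026-04-22T10:02:30", "type": "new_internal_flow",
     "src": "172.20.1.10", "dst": "172.20.1.20"},
    {"ts": "2026-04-22T10:03:00", "type": "apache_fingerprint",
     "src": "172.20.1.10", "dst": "172.20.1.20"},
    {"ts": "2026-04-22T13:00:00", "type": "ssh_login",
     "src": "198.51.100.9", "dst": "172.20.0.50", "user": "backup"},
]

# Asset inventory: both interface addresses of the dual-homed Target A map to one
# host. Without this mapping the external and internal alerts never join up.
HOST_OF = {"172.20.0.10": "target-a", "172.20.1.10": "target-a",
           "172.20.1.20": "dvwa-internal"}

def host(ip, inventory=HOST_OF):
    return inventory.get(ip, ip)

def linked(a, b, inventory=HOST_OF, window=timedelta(minutes=30)):
    """Two alerts belong together if they share a host and are close in time."""
    ta, tb = (datetime.fromisoformat(x["ts"]) for x in (a, b))
    if abs(ta - tb) > window:
        return False
    ents_a = {host(a["src"], inventory), host(a["dst"], inventory)}
    ents_b = {host(b["src"], inventory), host(b["dst"], inventory)}
    return bool(ents_a & ents_b)

def incidents(alerts, inventory=HOST_OF):
    """Group alerts by transitive linkage; each incident is time-ordered."""
    groups = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        hit = [g for g in groups if any(linked(a, b, inventory) for b in g)]
        merged = sorted([a] + [x for g in hit for x in g], key=lambda x: x["ts"])
        groups = [g for g in groups if g not in hit] + [merged]
    return groups

def narrative(incident, inventory=HOST_OF):
    """One line per incident: the chain a SOC would otherwise see as separate alerts."""
    return " -> ".join(
        f"{a['type']}({host(a['src'], inventory)} -> {host(a['dst'], inventory)})"
        for a in incident
    )
```

Run with an empty inventory and the same alerts fall apart into three unrelated incidents, which is the dashboard view the paragraph describes.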
Next Up
In Part 3 we tackle the question we get most often: *"Why don't you just use an LLM for this?"* Spoiler — five structural reasons, none of which improve with a bigger model.