To access a sensitive database server located on a different subnet by using a compromised web server as a pivot, which technique should be used?


Multiple Choice


Explanation:
Port forwarding is the technique that fits this pivoting scenario best. By using the compromised web server as a conduit, you set up a tunnel so that a local port on your machine is forwarded through the pivot to the database server on the different subnet. This makes the database appear reachable on your own host, letting you connect to it as if it were local. For example, you can establish a local port forward that forwards a port on your machine to the database port on the target network through the pivot host, then connect to localhost on that forwarded port to interact with the database.

This approach is precise and minimally invasive: you don't need a full VPN to rewrite network topology, and you avoid exposing larger parts of the network. SSH reverse tunnels can work in different NAT scenarios but are more complex and serve a different access pattern, while VPN tunneling would create broader network access through the pivot, which is not as targeted. Proxy chaining adds layers of proxies and isn't the most direct path to reach a specific database service. Port forwarding directly achieves access to the service on the distant subnet through the pivot.
