Help with Web Server Pivoting with Rpivot

I am stuck in “Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.” task.

I receive apache default page, but can’t see a flag

Okay, I solved it. Check ip addresses in internal network

When you tried it initially did the webpage time out?

Did you figure it out? I’m having the same time out problem although it shows that port 80 on the host 172.16.5.135 is open

Nevermind, I solved it using curl

Curl worked for you. I ended up doing two ways. 1 using metasploit and the other using http-enum with nmap.

Could you explain how you did this please?

I had the same problem, curl responded instantly but browsers timed out.

Use proxychains and a command you want to issue.
The command can be anything you would normally do, but this time it’s routed through the attacked host, eg: the ssh connection you set up using the username provided.

So for me it was:

proxychains curl -v <internal IP you find from the box>

Then just look through the code - if set up properly it will return instantly.

I think I’m going crazy. The nmap to web 172.16.5.135 returns 80 open, so the proxy with rpivot is configured correctly, but when I do the curl it does not return anything. Can you give me a clue?

──╼ [★]$ proxychains nmap 172.16.5.135 -p80
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-17 17:48 BST
[proxychains] Strict chain … 127.0.0.1:9050 … 172.16.5.135:80 … OK
[proxychains] Strict chain … 127.0.0.1:9050 … 172.16.5.135:80 … OK
Nmap scan report for 172.16.5.135
Host is up (0.10s latency).

PORT STATE SERVICE
80/tcp open http

─[us-academy-3]─[10.10.14.181]─[htb-ac-569102@htb-yzy3dresrw]─[~]
└──╼ [★]$ proxychains curl -v 172.16.5.135
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14

*   Trying 172.16.5.135:80…
[proxychains] Strict chain … 127.0.0.1:9050 … 172.16.5.135:80 … OK
* Connected to 172.16.5.135 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 172.16.5.135
> User-Agent: curl/7.88.1
> Accept: */*
>
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

Solved

How did you manage to solve it?

I performed THE SAME STEPS the next morning. I think sometimes HTB environments, while great, start with errors. Once everything was restarted, with the same steps I was able to do it without problem.

I am still struggling with this one. I followed the steps in the instruction, established the connection to my attack box with rpivot and have no problem there.

I tried using both firefox and curl, yet can never get the page to display. If I use the following

nmap -v -p 80 172.16.5.135

It shows that port 80 on 172.16.5.135 is open with an Apache web server running.
However, proxychains using either firefox or curl gets me no results.

I am sure that it’s an easy error on my part, but I have tried it a few days this week and can’t get any further.

Any more help or clues is certainly appreciated. I want to understand why I am failing this lesson and how the correct procedure works.
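
Added example, not part of any post in this thread: several posts above see port 80 reported open through proxychains while curl returns an empty reply or the browser times out. This Python probe walks the same path one stage at a time and reports which stage stopped. It assumes the local pivot listener speaks SOCKS4 on 127.0.0.1:9050 (the hop shown in the proxychains output); the function names are made up for this example.

```python
# Added example (not from the thread). Assumption: the local pivot listener
# speaks SOCKS4 on 127.0.0.1:9050, the hop shown in the proxychains output.
import socket
import struct

def socks4_connect_request(ip, port, user=b""):
    # VN=4, CD=1 (CONNECT), 2-byte port, 4-byte IPv4, userid, NUL terminator
    return struct.pack(">BBH", 4, 1, port) + socket.inet_aton(ip) + user + b"\x00"

def socks4_reply_granted(reply):
    # Reply is 8 bytes; the second byte is 0x5A when the request was granted
    return len(reply) >= 2 and reply[1] == 0x5A

def probe(target_ip, target_port=80, proxy=("127.0.0.1", 9050), timeout=10):
    """Return the stage that failed, or the HTTP status line on success."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError as exc:
        return f"proxy-unreachable: {exc}"      # nothing listening locally
    data = b""
    with sock:
        try:
            sock.sendall(socks4_connect_request(target_ip, target_port))
            if not socks4_reply_granted(sock.recv(8)):
                return "socks-rejected"         # proxy answered but did not grant
            request = f"GET / HTTP/1.1\r\nHost: {target_ip}\r\nConnection: close\r\n\r\n"
            sock.sendall(request.encode())
            while b"\r\n" not in data:          # read until the status line ends
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return "timeout"                    # no bytes before the deadline
        except OSError as exc:
            return f"error: {exc}"
    if not data:
        return "empty-reply"                    # same condition as curl: (52)
    return "http: " + data.split(b"\r\n", 1)[0].decode(errors="replace")

if __name__ == "__main__":
    print(probe("172.16.5.135"))
```

A result of `empty-reply` or `timeout` after the SOCKS request was granted means the proxy accepted the connection but no HTTP bytes came back through the tunnel, which is the state the nmap and curl output above shows.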