How to use 2 VMs vs HTB machine?

Heya.

I have googled en masse for this but I just can’t find the thread or maybe a tutorial for this task.
90% of the results I get are about how to set up 1 machine to connect to HTB and play. Basic tutorials for HTB.
Maybe my search parameters were wrong but I really tried a lot.

So I decided to come here and ask you guys/gals who really know what they are doing.

So far I have been using just the Linux VM (VMware) to connect and “play”.
And it serves me fine but I would like to learn how I could use 2 VMs (Linux and Windows) vs HTB OpenVPN machine IP.

I am not a total noob in networking and I have already set up the NAT so machines can talk to each other but nowhere else. So just 2 VMs are talking. Now here I think my knowledge falls short and I would like to learn this.

In simple terms, what I want:

  1. Connect to HTB box with Linux VM (openvpn profile.conf). This allows me to play the boxes ofc.
  2. Connect the Windows VM to the Linux VM, in such a way that it can reach the OpenVPN machine IP.

I can get step two only to talk to the Linux VM but I cannot reach the HTB box. I know it has something to do with port forwarding or firewall rules but as said, I don’t know. I often use 2 VMs for malware analysis but that is just them talking to each other (debugger and debuggee for example). There is no VPN involved.

Any help in the matter would be appreciated. I’ll take tips and tricks even and research on my own.

Thanks.
Stay safe.

1 Like

As host I use a Xubuntu 20.04 LTS.

$> uname -a
Linux Box3.home.arpa 5.13.0-39-generic #44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Two virtual machines prepared with Parrot OS 5 for this test:

$> virsh list --all
 Id   Name        State
----------------------------
 -    Parrot-S1   shut off
 -    Parrot-S2   shut off

Start the VPN on the host. Don’t connect inside one VM to the Hack-the-Box VPN.

$> openvpn /home/ulrich/Downloads/xtal.ovpn
Fri Apr  8 12:03:07 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Fri Apr  8 12:03:07 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
[...]
Fri Apr  8 11:31:20 2022 Initialization Sequence Completed

On the host, the network interface tun0 was created by OpenVPN.

$> ip address
[...]
15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.10.14.55/23 brd 10.10.15.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:2::1035/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::15d8:c910:dd83:a439/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Create a virtual network with NAT on the host.

The configuration of the network forwarding the traffic to the interface tun0 with NAT:

$> cat networkHTB.xml
<network>
  <name>networkHTB</name>
  <forward dev='tun0' mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
    <interface dev='tun0'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <domain name='networkHTB'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>

Create and start the virtual network:

$> virsh net-define networkHTB.xml 
Network networkHTB defined from networkHTB.xml
$> virsh net-start networkHTB
Network networkHTB started

Use the network in the configuration of the two machines.

$> virsh edit Parrot-S1

$> virsh edit Parrot-S2

The interface definitions of the machines look like this (with different MAC addresses):

<interface type='network'>
  <mac address='52:54:00:ce:3c:a6'/>
  <source network='networkHTB'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

Starting the VMs.

$> virsh start Parrot-S1
Domain Parrot-S1 started

$> virsh start Parrot-S2
Domain Parrot-S2 started

In both VMs the other VM and boxes in the Hack-the-Box network are reachable.

┌─[✗]─[ub@ParrotS1]─[~]
└──╼ $ping -c 3 ParrotS2
PING ParrotS2.networkHTB (192.168.10.222) 56(84) bytes of data.
64 bytes from ParrotS2.networkHTB (192.168.10.222): icmp_seq=1 ttl=64 time=0.233 ms
64 bytes from ParrotS2.networkHTB (192.168.10.222): icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from ParrotS2.networkHTB (192.168.10.222): icmp_seq=3 ttl=64 time=0.241 ms

--- ParrotS2.networkHTB ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2025ms
rtt min/avg/max/mdev = 0.233/0.237/0.241/0.003 ms
┌─[ub@ParrotS1]─[~]
└──╼ $ping -c 3 10.10.11.125
PING 10.10.11.125 (10.10.11.125) 56(84) bytes of data.
64 bytes from 10.10.11.125: icmp_seq=1 ttl=62 time=36.6 ms
64 bytes from 10.10.11.125: icmp_seq=2 ttl=62 time=130 ms
64 bytes from 10.10.11.125: icmp_seq=3 ttl=62 time=52.8 ms

--- 10.10.11.125 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 36.644/73.003/129.616/40.567 ms

Attention: The connection to the HTB boxes uses NAT.
The VMs have IP addresses like 192.168.10.222 not like 10.10.14.55.
The host does a NAT between the VMs and the interface to the VPN.

Hence, if a reverse shell is started on a box, port forwarding on the host to a VM is also necessary. (Or use the host to catch the connection.)

1 Like
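The port forwarding mentioned at the end of the answer above, as an added example that is not part of the original posts: a small script that validates its input and prints the two iptables commands needed to pass one TCP port from tun0 to a VM on networkHTB. The interface, bridge and subnet come from the answer; the function names and port 8000 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not run) the iptables rules
# that forward one TCP port arriving on the VPN interface to a NATed VM.
VPN_IF="tun0"        # VPN interface on the host (from the answer)
BRIDGE="virbr1"      # bridge of networkHTB (from the answer)
VM_NET="192.168.10"  # first three octets of the VM subnet (from the answer)

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_vm_ip IP: succeeds only for a guest address inside the VM subnet
valid_vm_ip() {
    case "$1" in "$VM_NET".*) ;; *) return 1 ;; esac
    last=${1#"$VM_NET".}
    case "$last" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# forward_rules ACTION VM_IP PORT   (ACTION is "add" or "del")
forward_rules() {
    case "$1" in add) op="-I" ;; del) op="-D" ;; *) return 2 ;; esac
    valid_vm_ip "$2" || return 3
    valid_port "$3" || return 4
    # 1) Rewrite the destination, but only for packets arriving on the VPN
    #    interface, so the port is not exposed on the host's other networks.
    echo "iptables -t nat $op PREROUTING -i $VPN_IF -p tcp --dport $3 -j DNAT --to-destination $2:$3"
    # 2) Allow the new inbound connection toward the bridge; inserted first
    #    so it is evaluated before libvirt's own rules for the NAT network.
    echo "iptables $op FORWARD -i $VPN_IF -o $BRIDGE -p tcp -d $2 --dport $3 -j ACCEPT"
}

# Constructed sample: forward TCP 8000 to the VM that got 192.168.10.222.
forward_rules add 192.168.10.222 8000
```

Review the printed commands before running them as root on the host, and print the matching removal commands with `forward_rules del 192.168.10.222 8000` when the forward is no longer needed.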

Thank you very much. Apologies for delayed response, I didn’t get the notification and was out of town. This is more than I expected.

I was doing some more research after posting this and it seems using some firewall solution like opnsense or pfsense can actually do the linking but they are ISO images and need a lot of setup.

Not a problem, but since you provided tons of details I will get on it right now!

Thanks again.