Official Cerberus Discussion

Hi, I already owned the user but I’m struggling with the last part. I created a socks proxy into the target host but my proxychains fails to tunnel an exploitation I’m trying to pull off. Has anybody else had the same issue?
To clarify: I have set a socks tunnel to the final target and it seems to work just fine, it’s just the exploit itself for some reason that is failing me.

I would like to thank @lim8en1 for his help to get me past the winrm authentication side of things. After that and the other tips in here from everyone else I was able to get the system flag as well.

Cheers all!

Are you using a Python exploit or Metasploit or something else? How are you using proxychains? Have you edited your proxychains config file or at least confirmed that socks is in there for the port you have on your socks tunnel?

In my case, hitting the service from the Windows box does not work. I can use curl with no issues, but neither Firefox nor Chromium wants to load them through proxychains.

I tried doing portfwd and socks5, and also tried dual socks5 with chaining; both scenarios work with proxychains+curl but not with browsers. Can someone help?

Have you tried adding the socks proxy in browser settings (without using proxychains)?
Or simply forwarding the required ports to your machine instead of using a dynamic proxy?

Tried both with proxychains and in the browser and it just hangs until it times out.

Port forwarding, I can only do that to lin, not directly to me, and it still hangs. If I try from the main victim straight to me, I noticed last night, I never get the connection back.

That’s strange, it should work. You can PM me your configuration and I’ll check if something’s wrong with it.

Well, I finally rooted. This was definitely an interesting and enjoyable box regardless of the difficulties and hiccups. @mrsBlue and @lim8en1 for helping out through my own mistakes.

I’m tapping out of this one…

Got the user flag, but while researching the CVE for privesc to root, I stumbled across a step-by-step guide to this box (without any explanations) and quickly realised I don’t understand the core concepts behind the route to root.

Think I’ll wait for Master Ippsec’s enlightenment walkthrough when the time comes, but for now, I’m heading back to the Medium/Easy end of the pool :smiley:

Has anyone also had the issue that the initial RCE is just not working again after restarting the machine?
Payload is the exact same. CSRF and session ID were updated to the new ones and it is just not working anymore, and it drives me crazy.

Finally got it working again, and I’m again struggling with the PE. Is the service on port 9251 just a Metasploit module and I need to somehow figure all parameters out?

I run exploit.py

Runs but get the warning the reverse shell was not successful…the only issue I encounter.

I follow the code to that warning but can’t figure it out. Why no reverse shell.

Code looks good…but maybe loading the malicious module in the wrong place?

Hi. This was my first Hard machine. I have made really good progress and reached the user on Win. Now I saw the service that was running that has the exploit, but I just haven’t been able to chisel that port and access it on Kali. I have no idea what is happening, so help would be much appreciated.

Please DM if you can help with that small part.

Edit: Got it to kinda work. But now after the redirect it stops working :frowning: HELP

Edit 2: I’m dumb af. I got it after researching about the other ports that are accessed. :slight_smile: I guess I can help anyone stuck…

If anyone needs help, ping me.

But how to create a module?

Stuck at creating the module…

This hint is what got me root…thanks!

I figured out the exploit…just trying to figure out how to use it….

How the heck do you scan ports on this thing? I confirmed chisel is working because I can access the local interface. What gives?

search for cve bro

Hello @Tomouhead, I would appreciate your input on configuring Metasploit. I’m currently facing issues in establishing a session. I have set the GUID and ISSUER_URL as required, and my configuration includes RHOST=172.16.2.1, RPORT=9251, LHOST=10.10.14.xx (my Kali IP), and LPORT=8889. However, I’m unable to get the session up. Do you have any suggestions or troubleshooting tips that could help me resolve this? Thank you in advance for your assistance.