Pivoting, tunneling, and port forwarding | Academy

Hi pavka, thank you for the insights. Based on your tips, I managed to actually connect to the target machine in the “correct” way (tunneling from the initial foothold, through the pivot, to the target machine). So since a lot of people (including me) are struggling here, I am going to write the definitive guide on how to solve the exercises from the module RDP and SOCKS Tunneling with SocksOverRDP.

As pavka said, the idea of the lesson is to connect to the initial foothold (Windows) on the 10.129.x.x network. From there you need to follow the lesson in the Academy. When you start mstsc.exe, you need to use victor’s credentials since you are not connecting to the target, you are connecting to the pivot host. Once you connect to the pivot Windows machine (172.16.5.19), transfer SocksOverRDP-Server.exe and run it with admin privileges (as in the lesson). Then go back to the initial foothold (on 10.129.x.x) and configure Proxifier (like in the lesson).
Now, here come the trickiest parts. Even if you have done everything so far, trying to connect to the target (172.16.6.155) will fail. Solving it requires 2 modifications:

Modifications
  1. If you go to the Proxifier console and look at the logs, you will notice that it says “Proxy uses unsupported methods.” You need to go to Profile → Proxy Servers and change the protocol from SOCKS5 to SOCKS4.
  2. Once this is done, go back and try to connect to the target (172.16.6.155) again. You will most likely see it succeeding and you will most likely even see the Windows login screen with the name jason on it. And somewhere during this process it will fail with a weird error message that does not give too much info (something about encryption). This is where the last section of the Academy lesson comes in handy. The reason that your connection is failing is that you do not have enough bandwidth (between pivot and target). So what you need to do is go back to your mstsc.exe client → Experience and then set the Connection speed to “Modem (56 kbps)”. Not only that but you need to also check all boxes underneath. This is all to ensure that your connection does not overwhelm the network capacity. Now, try to connect to the target using jason’s credentials and it should work. NOTE: due to the settings the connection will be extremely slow so it will take some time to open the flag.txt file. Don’t give up, you will get there.

Sorry for the long text but this one was tricky. Good luck!


Stuck on the last 2 questions of the skills assessment. I’ve done several ping sweeps of the network and only get my IP and the already exploited box back.

I’ve increased the number of packets sent which hasn’t revealed any new hosts.

I’ve also scanned the /16 subnet for any open RDP hosts, which only shows me the one I found in the above mentioned ping sweep.

What’s a guy got to do to find the next host?

Hello, try
for /L %i in (1,1,255) do @ping -n 1 -w 100 172.16.5.%i > nul && echo 172.16.5.%i is up.
or
for /L %i in (1,1,254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"

Any tips on how to get mimikatz onto the first pivot box, please?

Thanks for that, I was looking at the wrong networks initially :man_facepalming: I’ve now found the host and completed the module.

I didn’t use mimikatz, I dumped anything I needed, then transferred it locally and used Pypykatz to extract anything juicy.

You can create a shared drive on a RDP session using:
xfreerdp /v:IPADDRESS /u:USERNAME /p:PASSWORD /d:DOMAIN /drive:SHARE,/path/shared

^^ might help with transferring tools/files


The hint about checking all the boxes was extremely helpful. Thank you.

One other thing, I had better luck with not entering a username on the second RDP window and just entering 172.16.6.155 as the computer and entering creds on the next screen.

How did you solve it?
I have tried in your same way, then with shared folders, but nothing worked.

I have the same problem, did you solve it already?

UPDATE: Done with this exercise :slight_smile:

Hello, I have problem in the Meterpreter Tunneling & Port Forwarding section.
When I set the SESSION parameter in msf autoroute, I have this problem


Could anyone give me some hint? Thanks!

Did you ever figure this out? I happen to have the same problem rofl

Are you using the same msfconsole “processes”? Go back and list the sessions. Everything should be done within the same msfconsole, leaving the sessions and jobs in the background. Check the previous Metasploit module.

Check the commands to navigate msfconsole without quitting it or opening a new executable to launch another command.

hey there, did you ever manage to figure this one out?

Hey there, I’m having a similar problem but I’m not even able to ping the 172.16.5.19 host.

Here is my setup:

  1. I’m using Kali Linux on WSL2 (because convenience)
  2. I have set up a dynamic port on 9050 like in the module: ssh -D 9050 ubuntu@<target_ip>
  3. Now that I have done this, I also have the following in my proxychains.conf:
tail -4 /etc/proxychains.conf

dynamic_chain
proxy_dns
socks4 127.0.0.1 9050
  4. Now when I try and use proxychains (nmap, msf, curl, literally anything) it gives me a !!!need more proxies!!! error or just doesn’t route through the tunnel.

So to test with a basic setup I tried using proxychains with TOR as follows:

  1. Set up tor with a config file as follows:
tail -2 /etc/tor/torrc

SocksPort 9050
SocksListenAddress 127.0.0.1
  2. Now restart the tor service: sudo service tor restart
  3. With the same proxychains.conf file as above I try and run:
proxychains curl https://check.torproject.org

ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| check.torproject.org
!!!need more proxies!!!
!!!need more proxies!!!
!!!need more proxies!!!
|DNS-response|: check.torproject.org does not exist
curl: (6) Could not resolve host: check.torproject.org

Any help would be appreciated. I’m assuming the problem is I’m using Kali on WSL2 but that really shouldn’t matter from a networking POV.
Feel free to DM me or reach out at discord Elus1nist#9042

Thanks in advance!

Edit: Apparently proxychains works flawlessly on pwnbox. So it is a WSL2 thing which I would love to fix. Help still accepted.

It seems that in your setup the “check.torproject.org” cannot be found. At least this seems to be the issue for your Tor setup :slight_smile:

curl: (6) Could not resolve host: check.torproject.org
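Added example (not code from this thread, HTB Academy, Proxifier, proxychains or SocksOverRDP): the Proxifier log line “Proxy uses unsupported methods” from the SocksOverRDP write-up above and the proxychains “need more proxies” output in this post both come down to the same question, namely whether the thing listening on the configured port speaks the SOCKS version the client was told to use. The Python below probes a listener with a SOCKS5 greeting and a SOCKS4 CONNECT and reports which one it understands, parses the [ProxyList] section of a proxychains.conf, and includes a constructed SOCKS4-only stand-in server so the whole thing runs offline. The function names, the sample config text and the stand-in server are assumptions of this example, not part of any of those tools.

```python
"""Check whether a local SOCKS listener speaks the version your client expects."""
import socket
import struct
import threading

# Meaning of the SOCKS4 reply codes; any of them proves the listener parses SOCKS4.
SOCKS4_REPLIES = {0x5A: "granted", 0x5B: "rejected", 0x5C: "no identd", 0x5D: "identd mismatch"}

# Constructed sample mirroring the tail of proxychains.conf shown in the thread.
SAMPLE_CONF = """\
dynamic_chain
proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
"""


def parse_proxychains_list(conf_text):
    """Return (type, host, port) tuples from the [ProxyList] section; comments ignored."""
    entries, in_list = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_list = line.lower() == "[proxylist]"
            continue
        parts = line.split()
        if in_list and len(parts) >= 3 and parts[0].lower() in ("socks4", "socks5", "http"):
            entries.append((parts[0].lower(), parts[1], int(parts[2])))
    return entries


def _exchange(host, port, payload, nbytes, timeout):
    """Connect, send payload, read up to nbytes; b"" on refusal, reset or timeout."""
    try:
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(payload)
            buf = b""
            while len(buf) < nbytes:
                chunk = s.recv(nbytes - len(buf))
                if not chunk:
                    break
                buf += chunk
            return buf
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return b""


def probe_socks_version(host, port, timeout=2.0):
    """Report which SOCKS version the listener at host:port actually understands."""
    # SOCKS5 greeting: VER=5, NMETHODS=1, METHOD=0 (no auth). A SOCKS5 server answers
    # VER=5 plus the chosen method; 0xFF means "no acceptable methods". A SOCKS4-only
    # listener cannot answer this at all, which Proxifier reports as "unsupported methods".
    reply = _exchange(host, port, b"\x05\x01\x00", 2, timeout)
    socks5 = len(reply) == 2 and reply[0] == 5 and reply[1] != 0xFF
    # SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. The destination is a
    # dummy; a real proxy may answer 0x5B (rejected) and that still counts as SOCKS4.
    req = struct.pack(">BBH4s", 4, 1, 9, socket.inet_aton("127.0.0.1")) + b"probe\x00"
    reply = _exchange(host, port, req, 8, timeout)
    socks4 = len(reply) == 8 and reply[0] == 0 and reply[1] in SOCKS4_REPLIES
    return {"socks5": socks5, "socks4": socks4}


def check_proxy_list(entries, timeout=2.0):
    """For each proxychains entry, say whether the configured type matches what is listening."""
    report = []
    for ptype, host, port in entries:
        found = probe_socks_version(host, port, timeout)
        report.append((ptype, host, port, found.get(ptype, False)))
    return report


def start_socks4_only_server():
    """Constructed stand-in for a SOCKS4-only listener. It only answers the handshake
    and never connects anywhere. Returns (port, stop_callable)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stopped = threading.Event()

    def handle(conn):
        with conn:
            try:
                conn.settimeout(2.0)
                first = conn.recv(1)
                if first != b"\x04":
                    return  # not SOCKS4: drop the client, as a SOCKS4-only proxy does
                rest = b""
                while len(rest) < 7:
                    chunk = conn.recv(7 - len(rest))
                    if not chunk:
                        return
                    rest += chunk
                _vn, _cd, dstport, dstip = struct.unpack(">BBH4s", first + rest)
                while conn.recv(1) not in (b"\x00", b""):  # skip USERID up to the NUL
                    pass
                conn.sendall(struct.pack(">BBH4s", 0, 0x5A, dstport, dstip))
            except OSError:
                pass

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopped.set


if __name__ == "__main__":
    port, stop = start_socks4_only_server()
    try:
        entries = [(t, h, port) for t, h, _ in parse_proxychains_list(SAMPLE_CONF)]
        print(check_proxy_list(entries))
        print(probe_socks_version("127.0.0.1", port))
    finally:
        stop()
```

To use it against a real setup, point probe_socks_version at 127.0.0.1 and the port you configured in Proxifier or proxychains: a result of socks5 False, socks4 True is exactly the mismatch behind the SOCKS5 → SOCKS4 change in the write-up, while both False means nothing usable is listening there (the ssh -D tunnel is not up, or the port differs), which is what proxychains turns into “need more proxies”.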

Back again, having more technical issues.
I get this error when running bundle install. Do I need to change certain perms?
Retrying download gem from https://rubygems.org/ due to error (3/4): Bundler::PermissionError There was an error while trying to write to /var/lib/gems/3.0.0/cache/trollop-2.1.2.gem. It is likely that you need to grant write permissions for that path.

thanks a lot, putting the folder where the SocksOverRDP-Plugin.dll is located in the exclusions list worked for me!

Hello,
I have question in RDP and SOCKS Tunneling with SocksOverRDP.
I connected to the machine with xfreerdp, but I can not find the SocksOverRDP folder on the desktop.


How do I get SocksOverRDP?

How did you avoid windows defender?

You have to transfer it using PS Invoke method


Thanks, I was able to transfer the file to RDP.