Hi pavka, thank you for the insights. Based on your tips, I managed to actually connect to the target machine in the “correct” way (tunneling from the initial foothold, through the pivot, to the target machine). So since a lot of people (including me) are struggling here, I am going to write the definitive guide on how to solve the exercises from the module RDP and SOCKS Tunneling with SocksOverRDP.
As pavka said, the idea of the lesson is to connect to the initial foothold (Windows) on the 10.129.x.x network. From there you need to follow the lesson in the Academy. When you start mstsc.exe, you need to use victor’s credentials, since you are not connecting to the target, you are connecting to the pivot host. Once you connect to the pivot Windows machine (172.16.5.19), transfer SocksOverRDP-Server.exe and run it with admin privileges (as in the lesson). Then go back to the initial foothold (on 10.129.x.x) and configure Proxifier (like in the lesson).
Now, here come the trickiest parts. Even if you have done everything so far, trying to connect to the target (172.16.6.155) will fail. Solving it requires 2 modifications:
Modifications
If you go to the Proxifier console and look at the logs, you will notice that it says “Proxy uses unsupported methods.” You need to go to Profile → Proxy Servers and change the protocol from SOCKS5 to SOCKS4.
Once this is done, go back and try to connect to the target (172.16.6.155) again. You will most likely see it succeeding and you will most likely even see the Windows login screen with the name jason on it. And somewhere during this process it will fail with a weird error message that does not give too much info (something about encryption). This is where the last section of the Academy lesson comes in handy. The reason that your connection is failing is that you do not have enough bandwidth (between pivot and target). So what you need to do is go back to your mstsc.exe client → Experience and then set the Connection speed to “Modem (56 kbps)”. Not only that, but you need to also check all boxes underneath. This is all to ensure that your connection does not overwhelm the network capacity. Now, try to connect to the target using jason’s credentials and it should work. NOTE: due to the settings the connection will be extremely slow, so it will take some time to open the flag.txt file. Don’t give up, you will get there.
Sorry for the long text but this one was tricky. Good luck!
Stuck on the last 2 questions of the skills assessment. I’ve done several ping sweeps of the network and only get my IP and the already exploited box back.
I’ve increased the number of packets sent which hasn’t revealed any new hosts.
I’ve also scanned the /16 subnet for any open RDP hosts, which only shows me the one I found in the above mentioned ping sweep.
Hello, try
for /L %i in (1,1,255) do @ping -n 1 -w 100 172.16.5.%i > nul && echo 172.16.5.%i is up.
or
for /L %i in (1,1,254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"
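As an added example (not part of the reply above, and not from the Academy module), here is the same sweep in Python with one caveat the cmd one-liners do not cover: on Windows, an address with nothing behind it often produces “Reply from <gateway or self>: Destination host unreachable.”, which `find "Reply"` happily counts as a live host. A genuine echo reply is the only line that carries a TTL= field, so the script keys on that instead. It assumes Python 3 is available wherever you run it and shells out to the OS ping binary; the two /24 ranges and the 100 ms timeout are taken from the thread, and the sample ping lines at the bottom are constructed, not captured from the lab.

```python
"""Ping sweep of a /24 that only trusts real echo replies (added example)."""
import ipaddress
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor


def ping_args(host: str) -> list:
    """Build a single-probe ping command for the current OS (100 ms / 1 s timeout)."""
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-w", "100", host]
    return ["ping", "-c", "1", "-W", "1", host]


def host_is_up(ping_output: str) -> bool:
    """True only when the output contains an echo reply.

    Windows prints 'Reply from a.b.c.d: bytes=32 time<1ms TTL=128' for a real
    answer and 'Reply from x.x.x.x: Destination host unreachable.' for a dead
    address; Linux prints '... ttl=64 time=0.1 ms'. Both real replies carry a
    TTL field, the unreachable message does not.
    """
    return "ttl=" in ping_output.lower()


def ping_host(host: str) -> bool:
    """Run one ping and classify it; any execution problem counts as down."""
    try:
        completed = subprocess.run(ping_args(host), capture_output=True, text=True, timeout=5)
    except (subprocess.TimeoutExpired, OSError):
        return False
    return host_is_up(completed.stdout)


def sweep(network: str, workers: int = 64) -> list:
    """Ping every host address in the network concurrently; return the live ones."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(ping_host, hosts))
    return [h for h, up in zip(hosts, results) if up]


# Constructed sample lines (not captured from the lab) showing what host_is_up keys on.
SAMPLE_WINDOWS_REPLY = "Reply from 172.16.5.19: bytes=32 time<1ms TTL=128"
SAMPLE_LINUX_REPLY = "64 bytes from 172.16.5.19: icmp_seq=1 ttl=64 time=0.312 ms"
SAMPLE_UNREACHABLE = "Reply from 172.16.5.25: Destination host unreachable."
SAMPLE_TIMEOUT = "Request timed out."

if __name__ == "__main__":
    for net in ("172.16.5.0/24", "172.16.6.0/24"):
        for live in sweep(net):
            print(f"{live} is up.")
```

Run it from the pivot (or from a host with a route into 172.16.5.0/24 and 172.16.6.0/24); hosts that drop ICMP will still be missed, which is why the RDP port scan mentioned above is a useful second pass.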
Any tips on how to get mimikatz onto the first pivot box, please?
The hint about checking all the boxes was extremely helpful. Thank you.
One other thing, I had better luck with not entering a username on the second RDP window and just entering 172.16.6.155 as the computer and entering creds on the next screen.
Are you using the same msfconsole “processes”? Go back and list the sessions. Everything should be done within the same msfconsole, leaving the sessions and jobs in the background. Check the previous Metasploit module.
Check the commands to navigate msfconsole without quitting it or opening a new executable to launch another command.
Now when I try and use proxychains (nmap, msf, curl, literally anything) it gives me a !!!need more proxies!!! error or just doesn’t route through the tunnel.
So to test with a basic setup I tried using proxychains with TOR as follows:
With the same proxychains.conf file as above I try and run:
proxychains curl https://check.torproject.org
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| check.torproject.org
!!!need more proxies!!!
!!!need more proxies!!!
!!!need more proxies!!!
|DNS-response|: check.torproject.org does not exist
curl: (6) Could not resolve host: check.torproject.org
Any help would be appreciated. I’m assuming the problem is I’m using Kali on WSL2, but that really shouldn’t matter from a networking POV.
Feel free to DM me or reach out at discord Elus1nist#9042
Thanks in advance!
Edit: Apparently proxychains works flawlessly on pwnbox. So it is a WSL2 thing which I would love to fix. Help still accepted.
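Two of the failures in this thread come down to the SOCKS client and the SOCKS listener not agreeing: Proxifier’s “Proxy uses unsupported methods” in the SocksOverRDP guide above (fixed there by switching the proxy entry from SOCKS5 to SOCKS4), and proxychains-3.1’s “!!!need more proxies!!!”, which it prints when none of the configured proxies could be used. Before touching client settings it is worth asking the listener directly. The script below is an added example, not from the thread, the Academy module or the SocksOverRDP project: it sends a SOCKS5 method-selection greeting and then a SOCKS4 CONNECT to the listener and classifies each reply, so you can tell “not reachable from where my client runs” apart from “reachable but speaks the other version”. It assumes the listener is 127.0.0.1:1080 (the default port most SOCKS-over-RDP setups use; change it to whatever your Proxifier or proxychains.conf points at) and uses 172.16.6.155:3389 from the thread as the CONNECT target. The SOCKS4-only stand-in server at the bottom is constructed so the script runs offline; point `probe()` at your real listener instead.

```python
"""Ask a SOCKS listener which protocol version it actually speaks (added example)."""
import socket
import struct
import threading

SOCKS5_GREETING = b"\x05\x01\x00"   # version 5, one method offered: no authentication


def socks4_connect_request(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT (big-endian), DSTIP, USERID, NUL."""
    return b"\x04\x01" + struct.pack("!H", port) + socket.inet_aton(ip) + userid + b"\x00"


def parse_socks5_reply(data: bytes) -> str:
    """Classify the two-byte SOCKS5 method-selection reply."""
    if len(data) < 2 or data[0] != 5:
        return "not-socks5"          # empty, closed, or a different protocol
    if data[1] == 0x00:
        return "socks5-noauth"       # what Proxifier/proxychains expect for SOCKS5
    if data[1] == 0xFF:
        return "socks5-no-acceptable-method"
    return f"socks5-method-{data[1]:#04x}"


def parse_socks4_reply(data: bytes) -> str:
    """Classify the eight-byte SOCKS4 reply: VN must be 0, CD 0x5a means granted."""
    if len(data) < 8 or data[0] != 0:
        return "not-socks4"
    codes = {0x5A: "socks4-granted", 0x5B: "socks4-rejected",
             0x5C: "socks4-identd-unreachable", 0x5D: "socks4-identd-mismatch"}
    return codes.get(data[1], f"socks4-cd-{data[1]:#04x}")


def _exchange(proxy, payload: bytes, want: int, timeout: float = 3.0) -> bytes:
    """Open a fresh TCP connection, send one request, read up to `want` reply bytes."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(want)
        except socket.timeout:
            return b""               # listener accepted TCP but never answered


def probe(proxy=("127.0.0.1", 1080), target=("172.16.6.155", 3389)) -> dict:
    """Try SOCKS5 then SOCKS4 against `proxy`; connection errors are reported, not raised."""
    results = {}
    try:
        results["socks5"] = parse_socks5_reply(_exchange(proxy, SOCKS5_GREETING, 2))
    except OSError as exc:
        results["socks5"] = f"error: {exc}"
    try:
        results["socks4"] = parse_socks4_reply(_exchange(proxy, socks4_connect_request(*target), 8))
    except OSError as exc:
        results["socks4"] = f"error: {exc}"
    return results


def fake_socks4_only_listener():
    """Constructed stand-in for a SOCKS4-only proxy so the script runs offline.

    Grants any SOCKS4 CONNECT and closes the connection on anything else, which is
    exactly what a SOCKS5 client sees as 'unsupported methods'. Returns (host, port).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(64)
                if data[:2] == b"\x04\x01":
                    conn.sendall(b"\x00\x5a" + data[2:8])   # granted, echo port/ip back

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    print("stand-in SOCKS4-only listener:", probe(fake_socks4_only_listener()))
    print("real listener on 127.0.0.1:1080:", probe())
```

Reading the result: `socks5-noauth` means a SOCKS5 entry in Proxifier or `socks5 127.0.0.1 1080` in proxychains.conf will work; `not-socks5` together with `socks4-granted` means the listener only speaks SOCKS4 and the client entry has to say so; an `error:` in both means the client host cannot reach the listener at all, which is the first thing to check when a WSL2 client and the listener are on different sides of the VM boundary.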
back again, having more technical issues.
I get this error when running bundle install. Do I need to change certain perms? Retrying download gem from https://rubygems.org/ due to error (3/4): Bundler::PermissionError There was an error while trying to write to /var/lib/gems/3.0.0/cache/trollop-2.1.2.gem. It is likely that you need to grant write permissions for that path.
Hello,
I have question in RDP and SOCKS Tunneling with SocksOverRDP.
I connected machine with xfreerdp, but I can not find SocksOverRDP folder on desktop.