PIVOTING, TUNNELING, AND PORT FORWARDING - HTB Academy

I have been trying to complete the 2nd question in the first module:

Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.

I have checked /etc/proxychains.conf for the correct socks4 127.0.0.1 9050. I have run proxychains nmap -v -sn 172.16.5.1-200 and every time it responds with no results. I have tried Pwnbox and my own bare-metal machine with multiple different VPNs. Am I missing something? Has anyone experienced the same issue here?

EDIT:
I am unsure as to why, maybe due to firewalls on the windows machine, but I managed to bypass and pivot using an explicit and direct tunnel: ssh -L 3389:172.16.5.19:3389 ubuntu@10.129.x.x -N. Once that was configured, I was able to run xfreerdp /v:localhost:3389 /u:victor /p:pass@123 which gave me access via RDP to get the flag.txt

1 Like

I don’t think you’re supposed to be able to find the final target with nmap because it’s a Windows machine and, like you said, it’s likely the firewall is blocking the pings.

But if you want to check whether the nmap command works and does what it should, try the following…

Activate the target and you’ll get an IP address (in my case it was 10.129.111.29), then issue the ‘magic command’ to see all the network interfaces on that host. You’ll see an address starting with 172.x.x.x; use this address as your target in nmap. I just tried this now and it found it OK.

Please be careful.

If there is an /etc/proxychains4.conf already present,
you will find
socks4 127.0.0.1 9050
already set.

Please don’t create proxychains.conf again,
because you will face errors then.

Please be careful using Kali Linux!!!

I am struggling with this module so much; I’ve been stuck here for a while and I still don’t understand how it really works. Thanks for your comment, it was helpful. Now I have to go back and figure out how this works.

Wassup, have you found the solution or not?
I will post the main idea here because it was kind of tricky for me too.
Okay, first you have to understand the concept/idea of dynamic port forwarding.
In other words, it’s like building a bridge above a bridge (or at least something like this).
Therefore make sure to open an SSH session with the pivot/victim host while enabling dynamic port forwarding (the -D flag).
To confirm that it was established, just run “netstat” with the -antp flag.
The most crucial step here is to identify your /etc/proxychainsxxx.conf file and to make sure that you’re forwarding the packets you’re interacting with through the proxy port, which was set to 9087 in my case.
Use the simple command (-name matches the file name only, so don’t put the /etc/ path inside the pattern):
find / -name "proxychain*" 2>/dev/null
Remember that you have now built a “bridge” from your machine to the forwarded victim port.
You can interact directly from your machine with the chosen victim IP/port.
Happy Hacking!
#Flawz

1 Like
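As an added illustration (not code from the thread or from proxychains itself): a small Python checker for the two mistakes discussed above, an ssh -D port that does not match the port in [ProxyList], and a config whose only entry is still commented out. The sample config text is constructed to mirror the thread's values.

```python
# Constructed sample: the tail of a proxychains.conf as shipped with
# proxychains-ng; values mirror the thread, not a real host.
SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 127.0.0.1 9050
"""


def parse_proxy_list(conf_text):
    """Return [(type, host, port)] from the [ProxyList] section, skipping comments."""
    proxies, in_list = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_list = line.lower() == "[proxylist]"
            continue
        if in_list:
            parts = line.split()
            if len(parts) >= 3 and parts[2].isdigit():
                proxies.append((parts[0].lower(), parts[1], int(parts[2])))
    return proxies


def check_ssh_dynamic_port(conf_text, ssh_d_port):
    """Diagnose 'ssh -D <port>' vs. the port proxychains actually sends to.
    Returns a list of findings; an empty list means the config is consistent."""
    findings = []
    proxies = parse_proxy_list(conf_text)
    if not proxies:
        return ["[ProxyList] has no active entries; every line is commented out"]
    for ptype, host, port in proxies:
        if ptype not in ("socks4", "socks5"):
            findings.append(f"{ptype} proxy at {host}:{port} is not SOCKS; ssh -D only speaks SOCKS")
        if host not in ("127.0.0.1", "localhost"):
            findings.append(f"proxy host {host} is not loopback; ssh -D binds 127.0.0.1 by default")
        if port != ssh_d_port:
            findings.append(f"proxychains targets port {port} but ssh -D is listening on {ssh_d_port}")
    return findings


if __name__ == "__main__":
    print(check_ssh_dynamic_port(SAMPLE_CONF, 9087))  # the mismatch case from the thread
```

Run it against the real file with `check_ssh_dynamic_port(open("/etc/proxychains.conf").read(), <port>)`, using the port you passed to ssh -D, and pair it with `netstat -antp | grep <port>` to confirm the listener is actually up.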

hi @flawZ . my steps were the following:

configured /etc/proxychains.conf (–> socks4 127.0.0.1 9050)
checked the listener port (netstat -antp | grep 9050) → everything OK, 9050 active port
connected to the ubuntu server (on another terminal → ssh -D 9050 ubuntu@server) results -->> connected OK.
tried to ping from my attacker machine → results without reply

But I can’t connect to 172.16.5.19 via RDP.

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Authorization required, but no authorization protocol specified

[10:00:54:439] [111644:111644] [ERROR][com.freerdp.client.x11] - failed to open display: :1
[10:00:54:439] [111644:111644] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.