Port Forwarding with Windows Netsh

I’m using netsh.exe to create a pivot which is happening correctly as the xfreerdp output says I’m connecting to the DC. It seems to me that the credentials given in the question victor:pass@123 are not correct. I have tried remmina and also used the pwnbox to no avail.

Has anyone completed this and am I missing something?

I’ve exactly the same problem! Since I was not sure whether I was overlooking something or it was a technical issue, yesterday I started a chat with the technical support. After having attempted to reproduce all the steps, the operator wrote me: “I’m having trouble getting the RDP Service to function properly even with the corrected configuration- there might be a secondary issue here”, “I’ll keep the ticket open for now and update it when I have more information”. I received no news since yesterday, and the issue still persists… Part of me is still convinced that I’m missing something; have you made any progress?

1 Like

Hello yes the issue was solved by selecting a new VPN server (EU/US ACADEMY 1/2) etc. and generating a new OVPN file. Not sure how or why but that fixed the issue after advice from support.

Thanks for the feedback! I tried that, but it didn’t work. I’ll try again with a different server.

1 Like

I’m now having the same issue with the skills assessment I think. Always hard to know if it’s a technical issue or mistake in methodology.

Okay after some sleep appears I actually didn’t specify the domain in the RDP username got it working now.

Someone got this? I am stuck :sleeping:

I am stuck this…
On Windows machine, I used netsh.

C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::ce
   IPv6 Address. . . . . . . . . . . : dead:beef::d5e0:b2f7:fdc1:6c9c
   Temporary IPv6 Address. . . . . . : dead:beef::b1c7:a393:4da:d66e
   Link-local IPv6 Address . . . . . : fe80::d5e0:b2f7:fdc1:6c9c%9
   IPv4 Address. . . . . . . . . . . : 10.129.67.226
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f362%9
                                       10.129.0.1

Ethernet adapter Ethernet1 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::b4e6:89e6:7337:a757%4
   IPv4 Address. . . . . . . . . . . : 172.16.5.150
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 172.16.5.1

C:\Windows\system32>netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.67.226 connectport=3389 connectaddress=172.16.5.25


C:\Windows\system32>netsh.exe interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.129.67.226   8080        172.16.5.25     3389


C:\Windows\system32>

And I use xfreerdp with port forwarding, but return error.

$ xfreerdp /v:10.129.67.226:8080 /u:victor /p:pass@123
[10:12:42:637] [3128:3129] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[10:12:42:637] [3128:3129] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[10:13:03:652] [3128:3129] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[10:13:03:652] [3128:3129] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[10:13:03:652] [3128:3129] [ERROR][com.freerdp.core] - freerdp_post_connect failed

How to connect to victor’s machine?

You did the same thing as me famasoon. Copied the command to forward to 172.16.5.25 but the question is is asking us to RDP into 172.16.5.19.

3 Likes

Thank you!
I resolved it :smiley:

When I try connect to the windows machine that have the portproxy I get a 'Self-signed certicate error" I not coming true and I had done find any solution on it yet.
Can anyone help me with a hint/idea to solve this?

Hi there ! Am also stuck here, the question is: Using the concepts covered in this section, take control of the DC (172.16.5.19) using xfreerdp by pivoting through the Windows 10 target host. Submit the approved contact’s name found inside the “VendorContacts.txt” file located in the “Approved Vendors” folder on Victor’s desktop (victor’s credentials: victor:pass@123) . (Format: 1 space, not case-sensitive)

I’ve found the file already but the thing is , every answer I give from the file is wrong ! Guess I don’t understand the format they are referring to here… need help

Lol ahahah ! I’ve figured it

whats funny is looking at this post everyone tried doing rdp from there attack host machine. i just did it from the rdp session from htb-student user and rdp to victor machine that way.

hey guys,

How is the flag format? I got the flag , but when I submit it, it doesn’t work.

thank you

hey!

what is the format?

Just provide the first and last name… leave those other details

:alien: :triangular_flag_on_post:

1 Like

I did the same hahah, sad. Fortunately I noticed your comment