Skills Assignment - Pivoting, Tunneling, and Port Forwarding

I’m stuck on this question:
For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.

I already found the Windows server, but I can find the other computers in the network.

Can someone help me? I’ve been stuck here for about 3 days.

2 Likes

Have you tried a ping sweep?

This is what I did:

  1. Connected to webadmin server using a ssh -D 9050
  2. RDP to windows server using proxychains (172.16.5.35)
  3. Used a “for script”: for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.5.%i > nul && echo 172.16.5.%i is up.
  4. Found only 172.16.5.15(ubuntu), 172.16.5.35(windows)
  5. Nmap -sn to 172.16.5.1 with proxychains
  6. Found only 172.16.5.15(ubuntu), 172.16.5.35(windows) again
  7. Stuck here

1 Like

Are you still stuck?
I think I found another IP but I can’t connect.

I’m already done.

1 Like

Use ipconfig, you will see 2 Ethernet networks: 1 is one network, 2 is the other.
Use this command to do a ping sweep in CMD (not PowerShell):

for /L %i in (1,1,255) do @ping -n 1 -w 200 172.16.5.%i > nul && echo 172.16.5.%i is up.

Change 172.16.5. to the IP that you found and you will find the next machine.

Yes I did, found a 172.16.6.**, but can’t connect. I tried a double port forwarding (with netsh) to connect via RDP but no result.

You need to use netsh on the Windows machine.

I did, I used netsh on the first Windows machine to connect to port 3389 of the second machine and set a portfwd on the Ubuntu server. But when I try xfreerdp it doesn’t work.
I use the same credentials, like the note said.

Hey, what creds did you use for the last machine? The same as in the note on ssh?

user: vfrank , pass: Imply wet Unmasked

Tip: use mimikatz to get passwords.

I’ve already done it, thanks.

Hey,
in the first place, how did you crack that password?
Secondly, that password does not match the NT hash I got for vfrank.

I did an lsass dump and got the hashes but I’m not able to crack them :frowning:.

I’ve found the 3rd host but I can’t access it.

If someone could help :slight_smile:

nvm, figured it out!
:))

Did you figure this out? I’m working on it right now.

I’m at the same point. Did you finish the skills assessment?

[UPDATE]

I finished the module.

2 Likes

Hello colleague, I am at a similar stage: after the ping sweep, I discovered 172.16.6.35 but cannot find the credentials for vfrank and so cannot log in to it. :melting_face: Any help would be appreciated. Zhanna

The last machine is 172.16.6.25 I believe.

Use mimikatz.

Maybe you accidentally answered my question. I was on vfrank and couldn’t find the last two flags. But my vfrank was on 172.16.6.35, not the 25 one. And I couldn’t find any new flags except for the previous one, the one you see on mlefay. I am badly stuck.

1 Like