Skills Assigment - Pivoting, Tunneling, and Port Forwarding

thanks a lot John! any help would be greatly appreciated because am stack after logging into vfrank

Hello everyone.

i came here because i was stuck as well i, i did the ping sweep and it keep coming up with just the ip i was currently on. i think the wait time for reply is not long enough because right away when i straight up ping i got a hit. so if your stuck try pinging that and trying what you got for credentials.

also things arent as complicated as you might think, you can just remote desktop connect to all the window machines. the only tunneling i did was to the ubuntu machine 10.129.x.x the rest i did with windows remote desktop.

Watch out for your interfaces when in first windows machine. And when ping sweeping, if you get nothing, make a secon pass with increased wait for the request (-w parameter).
Hope this helps.

Thanks for all the help guys. I’m trying to use the method in ‘Remote/Reverse Port Forwarding with SSH’ to get the LSASS file from the windows host. Which technique did you manage to use? thanks!

In fact I can upload to the target, Mimikatz here we go!

hi. I found the last host from 172.16.6.X in another subnet. but I cant RDP to this last host. am I missing something? The host has route to access the other subnet

1 Like


Don’t know if you’re still sharing notes, but I’d love to see them. This module is the one I’m struggling with the most, so would be nice to see some hints and notes. If you’re still doing it, I have a throwaway Gmail -


1 Like

Much appreciated. Was missing one stupid thing but this helped. Finished it now. Cheers!


i had problem transferring the LSASS to my local host, can you help me ?

take advantage of the rdp utilities, if u are using mstsc client, enable driver share plugin, to copy the lsass dmp; otherwise if u are in xfreerdp client (linux), switch the /drive parameter

1 Like

The drive parametr is huge game changer, i was stucked yesterday on different chalenge and this helped me a lot. BTW a bit out of topic, in case you got two windows target hosts one pivot and one in external network and you have powershell session on both (with help of webshell) not a RDP and from some let’s say domain rules you cant force on the second box in external network to use PS remote and therefore evil-winrm. You cant use invoke/scripts block commands or enterpssession, decode/encode is not working as it is freezing. How do u transfer files and lets say python is not installed, is it a game over?

xfreerdp /v: /u:‘mlefay’ /p:‘P****’ /drive:linux,/home/kali/ctf/rdp /dynamic-resolution

This Will share your local kali drive to rdp session you established as network drive


Have you cracked it, if yes how, or you passed the hash?

Hey No i did’t Completed Last Skill Assigment . i Skipped It And Planing To Complete After Ad Enum Module

how do you send the file to the attack host? im trying with impacket smbserver but it doesnt work a python, php server neither

I am stuck after getting the lsass file and discover the user v**** but impossible to crack the hash with classics wordlists.
I discover the second server with the IP 172.16.6.* but impossible to log in rdp with mlefay (and in dont have the v*** 's password ^^)
I also tried to set a netsh on the first windows srv but nothing work…
Please if someone can help me it will be very apreciate :slight_smile:


if you still sharing your notes :slight_smile:

Thanks !

you can send throuth proxychains

For all those who are struck logging in here is my tip use: inlanefreight.local\vfrank as user name.
Happy Hacking


Thank you… Hahahaha