Skills Assignment - Pivoting, Tunneling, and Port Forwarding

I’m trying; can you see any problem?

I upload a reverse shell to webadmin and with meterpreter I use the SOCKS proxy, then a port forward, and nothing :frowning:

UPDATE: Solved
I used the mentioned option “/drive:” of xfreerdp

Hello guys. I am in 172.16.5.35 (that is the same as 172.16.6.35). I found a .ssh folder on the 6.25 vfrank share, but I am stuck here. Need help, someone? Regards

Need help with the final steps. I got creds for vfrank and tried to log in with them using Windows Remote Desktop, but it lands me on the same machine as mlefay, just as the vfrank user. Kinda stuck here.

Finally, I have completed the module, what a skill assessment, painful but worth the pain! :slight_smile:

1 Like

Yup, correct, there was another address to discover :slight_smile: Sorry for the late reply haha, glad you solved it.

1 Like

Can someone help me out please? I’ve been stuck on this for days and I can’t figure out what I’m doing wrong (chances are it’s something very silly).

I’m trying to answer question 4: Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.

I’ve followed the Meterpreter Tunneling & Port Forwarding section as a guide and set up everything correctly, which I’m sure of because when I nmap 172.16.5.35 I see that port 3389 is open and this line in the output:

[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.35:3389 ... OK

But when I try to proxychains xfreerdp to that host, it doesn’t work. I’ve tried in Pwnbox and on my VM, with the same issue.

This is the command I’m running:

proxychains xfreerdp /v:172.16.5.35 /u:mlefay /p:'Plain Human Work!'

And the error I’m getting:

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[08:25:25:316] [25749:25751] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[08:25:25:316] [25749:25751] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[08:25:25:316] [25749:25751] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[08:25:25:316] [25749:25751] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[08:25:26:633] [25749:25751] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[08:25:26:636] [25749:25751] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[08:25:26:637] [25749:25751] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.5.35:3389  ...  OK
[08:25:26:823] [25749:25751] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[08:25:26:823] [25749:25751] [WARN][com.freerdp.crypto] - CN = PIVOT-SRV01.INLANEFREIGHT.LOCAL
[08:25:26:024] [25749:25751] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[08:25:26:024] [25749:25751] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[08:25:26:024] [25749:25751] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[08:25:26:024] [25749:25751] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
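A log like the one above answers two separate questions, and it helps to read them in order: the "[proxychains] Strict chain ... OK" line means the SOCKS chain reached 172.16.5.35:3389, and the later NLA "STATUS_LOGON_FAILURE" means the TCP and TLS layers worked and the server rejected the credentials (the thread's own resolution was a typo). The script below is an added example, not something posted in the thread: it classifies a saved proxychains + xfreerdp log by the layer at which it failed, so a learner can tell a tunnel problem from an authentication problem. The sample logs it writes are constructed, modelled on the lines quoted above; the exact failure suffix proxychains prints on a refused chain varies by version, so the constructed one is only illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): classify a proxychains + xfreerdp log
# by the layer at which it failed. Prints a one-line verdict and returns:
#   0 = SOCKS chain reached the target and no logon error was reported
#   1 = proxychains never reported the chain as OK (tunnel problem)
#   2 = chain was OK but NLA reported STATUS_LOGON_FAILURE (credential problem)
#   3 = chain was OK but some other RDP error followed the connect
diagnose_rdp_log() {
    log="$1"
    if ! grep -q '^\[proxychains\] Strict chain.*OK *$' "$log"; then
        if grep -q '^\[proxychains\] Strict chain' "$log"; then
            echo "chain: proxychains tried the target but never reported OK -> check the SOCKS listener (port 9050 vs 1080) and that the pivot host can route to the target"
        else
            echo "chain: no proxychains chain line -> proxychains is not wrapping this connection (config not loaded or command not prefixed)"
        fi
        return 1
    fi
    if grep -q 'STATUS_LOGON_FAILURE' "$log"; then
        echo "auth: tunnel and TLS are fine; NLA rejected the credentials -> check the username, the domain prefix and the quoting of a password containing spaces"
        return 2
    fi
    if grep -q '\[ERROR\]' "$log"; then
        echo "rdp: tunnel is fine but the RDP session errored after connect"
        return 3
    fi
    echo "ok: chain reached the target and no logon error was reported"
    return 0
}

# Constructed sample logs (not real captures) modelled on the thread's output.
# $1 is the output file, $2 selects the scenario.
write_sample_log() {
    out="$1"
    case "$2" in
        logon_failure)
            printf '%s\n' \
              '[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.5.35:3389  ...  OK' \
              '[08:25:26:024] [25749:25751] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server' \
              '[08:25:26:024] [25749:25751] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]' > "$out" ;;
        chain_failed)
            # constructed: proxychains could not complete the chain to the target
            printf '%s\n' \
              '[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.5.35:3389  <--timeout' > "$out" ;;
        success)
            printf '%s\n' \
              '[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.5.35:3389  ...  OK' \
              '[08:25:26:823] [25749:25751] [WARN][com.freerdp.crypto] - CN = PIVOT-SRV01.INLANEFREIGHT.LOCAL' > "$out" ;;
    esac
}

# Usage: proxychains xfreerdp ... 2>&1 | tee rdp.log ; then: diagnose_rdp_log rdp.log
```

Run xfreerdp with its output teed to a file and feed that file to `diagnose_rdp_log`; the return code is meant to be usable from a wrapper script, while the printed line tells the reader which layer to look at next.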

J4rvis,
I am on the last question of this module: gain access to the DC to find the flag. I have RDP access to host 172.16.6.25. I see two other IPs within the network but I can’t access them. What am I missing? Do I need to go after the DC?

Emdeh,
Were you able to complete the skills assessment? I am stuck on the final flag; any hints on this?
Thank you for your time.

I RDP’d into 172.16.6.25 and from there I am stuck on the final flag. I see two other IPs on the internal network but I can’t access them via RDP. Is there something I am missing? The last question states the flag is located on the DC.

No, I haven’t progressed. How did you RDP to 172.16.5.35 for question 4?

Edit: I got it. I had a typo :sweat:

@frogman267 the final flag is easier than you think. Look in network locations.

I figured it out as well. I was on the final box, I just didn’t look in a certain spot for the final flag. So obvious haha.

I was struggling with this for a long time and saw no answer in this forum, so here is some advice about it:
no need to crack any hash, just look closer at the mimikatz output.

I can’t connect to the first target 172.16.5.35 :confused: I tried proxychains as well! Any hints?! Thanks!

Hello, I’m having trouble getting to the first machine. I’m using proxychains xfreerdp with user mle… but it’s not working… Any hints!!!

I am having trouble RDP’ing into 172.16.6.25. I got as far as sharing mimikatz and chisel with the second host, running a ping sweep on the 172.16.6.* network and retrieving the username, password, and domain name for v*****, but I can’t RDP into the third host. Can you give me some tips?

File Explorer will be your best friend to complete the skills assessment :smiley:

4 Likes

Once you have SSH access to the webadmin machine you can use any pivoting technique with that machine. You need to edit your proxychains config file to run through strict chain, and if using chisel you need to run proxychains through port 1080. Also, because the password for the m**** account has spaces, you need to use single quotes ‘’. I also recommend setting up a drive share with xfreerdp so you can share files with the target machine.
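The two configuration mistakes this post warns about (a chain mode other than strict_chain, and a ProxyList entry still pointing at the stock 9050 port while the chisel SOCKS listener is on 1080) are easy to verify before launching anything. The checker below is an added example, not from the thread or from the proxychains project: it parses a proxychains.conf, confirms that exactly one chain mode is active and that it is strict_chain, and compares the single ProxyList port with the port the tunnel actually listens on. The sample configuration it writes is constructed; the expected port is an argument because it depends on the tunnel in use.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a proxychains.conf before
# wrapping xfreerdp with it. Returns 0 when the file selects strict_chain and
# lists exactly one SOCKS proxy on the expected port; otherwise prints the
# reason and returns 1.
check_proxychains_conf() {
    conf="$1"; want_port="$2"
    # Active (uncommented) chain-mode directives, one per line.
    modes=$(grep -E '^[[:space:]]*(strict_chain|dynamic_chain|random_chain|round_robin_chain)' "$conf" | awk '{print $1}')
    nmodes=$(printf '%s\n' "$modes" | grep -c .)
    if [ "$nmodes" -eq 0 ]; then
        echo "no chain mode enabled"; return 1
    elif [ "$nmodes" -gt 1 ]; then
        echo "more than one chain mode enabled: $(printf '%s ' $modes)"; return 1
    elif [ "$modes" != "strict_chain" ]; then
        echo "chain mode is '$modes'; use strict_chain"; return 1
    fi
    # Proxy entries after [ProxyList], e.g. "socks5 127.0.0.1 1080".
    proxies=$(awk '/^\[ProxyList\]/{inlist=1; next}
                   inlist && /^[[:space:]]*(socks4|socks5|http)[[:space:]]/{print $1, $2, $3}' "$conf")
    nproxies=$(printf '%s\n' "$proxies" | grep -c .)
    if [ "$nproxies" -ne 1 ]; then
        echo "expected exactly one proxy entry, found $nproxies"; return 1
    fi
    port=$(printf '%s\n' "$proxies" | awk '{print $3}')
    if [ "$port" != "$want_port" ]; then
        echo "proxy port is $port but the tunnel listens on $want_port"; return 1
    fi
    echo "ok: strict_chain via $proxies"
    return 0
}

# Constructed minimal config (not a real file from any host): $1 is the output
# path, $2 the chain mode, $3 the SOCKS port to put in the ProxyList.
write_sample_conf() {
    printf '%s\n' \
      "# constructed sample proxychains.conf" \
      "$2" \
      "proxy_dns" \
      "tcp_read_time_out 15000" \
      "tcp_connect_time_out 8000" \
      "[ProxyList]" \
      "socks5 127.0.0.1 $3" > "$1"
}

# Usage: check_proxychains_conf /etc/proxychains.conf 1080
```

Run it against the real config with the port your SOCKS listener uses; the remaining advice in the post (quoting a password that contains spaces with single quotes, and adding /drive: so files can be copied over the RDP session) is about the xfreerdp command line rather than the config file, so it is not checked here.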

I am having trouble RDPing into the 172.16.6.25 machine. I have run a ping sweep to find the IP address and mimikatz to find the username, password, and the domain name. I have been using netsh.exe to forward the port to an IP that I already have access to, but nothing is working. Can you give me any tips?

Hey, did you manage to solve your problem? I have the same one too haha

Well, nvm, I managed to solve this module. It was tough; it took me almost 4 hours to finish everything.

For the guys who are struggling with 6.35 (the first Windows machine):

Seriously, I’m quite surprised that nobody mentioned it here, so I’ll be the first one.

6.35 is a rabbit hole. There is another IP address, so take your time to scan all the IPs in 6.XX.

The login credential for that IP is inlanefreight.local\vf*** (since we are talking about AD here, you have to add the domain name, yk; check the Fundamentals Active Directory Module). You must find the PW yourself, but c’mon, there are enough hints here.

And from there you can find every answer for the remaining questions with no extra IPs/PCs.

I also managed (just) to RDP all the time except for the very first forwarding. But the server was quite crazy; I think I had to reset my connections like 20 times or so. But I’m sure that you’ll have no problem solving this assessment in a few hours with all those tips mentioned above and by me. You guys can PM me if you really have no idea how to move on.

5 Likes