Skills Assignment - Pivoting, Tunneling, and Port Forwarding

I don’t know if it’s the right method, but it seems the simplest one without making too many pivots.
I’m glad you’re done :wink:

1 Like

Great skills assessment! I used SCP to move files and used zenmap to get the 3 final IPs. I should have realized the domain/username is key for me to complete this assessment.

I’m sure I’m missing something obvious, but I’m having issues figuring out the password for the mlefay account. I read the for-admin-eyes-only file, but the phrase in the file isn’t the password. I tried logging into ssh using the id_rsa file and mlefay username, but that doesn’t work either.

The id_rsa would very likely have been created by the user in whose home directory you found the file. Try re-logging into the pivot host as that user, then enumerate for other host(s) where you can use what you found.

How did you transfer mimikatz to the target pivot machine to dump the credentials? I tried scp from my attacking machine and using powershell from the pivot machine, but it doesn’t connect. I’m executing the commands using proxychains.

1 Like

Here are some nudges.

  1. Have you turned off real time protection on Windows? That had prevented me from transferring executables from pwnbox over to the victim pc.
  2. Or have you considered downloading lsass.dmp from Windows back to pwnbox/Kali via SCP?

I also may have a few nudges for anyone who may be having trouble getting onto the first RDP machine: the ‘Meterpreter Tunneling & Port Forwarding’ section helped me a lot. I hope that’s not giving away too much info & hope it helps anyone who may be stuck like I was.

This worked for me except for Can’t seem to RDP into that one for some reason, and I’m guessing that’s where the final flag is :confused:


^ Oh my goodness this helped so much. I was already on the final machine, I was just overlooking something so simple. Thank you so much

Any tips on how to get mimikatz to the first pivot host?
Been stuck for days

The id_rsa file is not protected by any passphrase; just try setting the right permissions with “chmod 600 id_rsa”.

Hi, I know it is a stupid question, but I have completed the first 2 questions, so I got new credentials, ran ifconfig and found that the webserver is on another network segment. Now I want to try to find the next host, but I cannot install nmap or even ping on the webserver through the shell. I am unsure how to proceed from here. I know it says server01 so I just tried ssh username@server01 but it did not work either. I would appreciate a nudge in a good direction.

Have you tried to ssh to the webshell’s ip address and use it as a pivot to hop to the next host?

Dropping this link here because I found it to be extremely helpful when configuring double pivoting for the last two questions of the skill assessment: Pivoting with Chisel | Ap3x Security

If you think your double pivot setup is correct then you might need to run your commands a couple of times for them to work. Seems like connections using double pivoting are somewhat unstable and certain tools might have less tolerance for timeouts.

Hey, is the password even meant to be crackable? Because I used PtH but I don’t have access to the DC anyway, so I guess I have to guess wordlists?

Haha, never mind, I had the password right in front of me for well over 2h

Pretty straightforward, and you don’t need to install tools on the machines.

When connecting with RDP you can connect with a shared drive on your Kali machine.

xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

/usr/share/windows-resources contains a lot of useful stuff when it comes to Windows. “share” is how it will be named.

Don’t change anything except what is in CAPS.

I’m not sure if what I’m experiencing is what you mean. This assessment is killing me… I can RDP into the .5.35 machine, but it drops out and I have to restart the connection after 30-45 seconds. It is extremely frustrating. Does anyone have any idea what this is, or how I can get it to stop, or at least last five minutes to get anything done?

Figured out that if I used keep alive for the ssh connection it kept the rdp open as well. Hopefully that helps someone to not smash their computer like I wanted to!

1 Like
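The keep-alive fix from the post above, written out as an added example (this is not code from the thread, from HTB, or from any poster): a small shell helper that writes a client-side ssh_config stanza combining ServerAliveInterval/ServerAliveCountMax with a LocalForward for RDP through the pivot, plus the equivalent one-off ssh command and the chmod 600 key fix mentioned earlier in the thread. The pivot address, user name, key path, ports and RDP target are all placeholders (RFC 5737 documentation addresses); substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread: keep an SSH tunnel through a pivot host
# alive so the RDP session forwarded over it does not drop every 30-45 s.
# Every address, user, key path and port below is a placeholder.

# Fix private-key permissions; ssh refuses a key that is group/world readable.
# Prints the resulting mode string so the caller can check it.
fix_key_perms() {
  key="$1"
  [ -f "$key" ] || { echo "no key at $key" >&2; return 1; }
  chmod 600 "$key"
  ls -l "$key" | cut -c1-10
}

# Write a client-side ssh_config stanza to the file named in $1.
# Args: outfile pivot_user pivot_host key_path local_port rdp_target
# Afterwards "ssh -F <outfile> -N pivot" brings the tunnel up.
write_pivot_ssh_config() {
  out="$1"; user="$2"; host="$3"; key="$4"; lport="$5"; target="$6"
  cat > "$out" <<EOF
Host pivot
    HostName $host
    User $user
    IdentityFile $key
    # probe the pivot every 30 s and give up only after 3 unanswered probes,
    # so an idle forwarded RDP session is not torn down by a NAT/firewall timer
    ServerAliveInterval 30
    ServerAliveCountMax 3
    # abort instead of silently running without the port forward
    ExitOnForwardFailure yes
    # 127.0.0.1:$lport on the attack box -> $target:3389 through the pivot
    LocalForward $lport $target:3389
EOF
  echo "$out"
}

# The same settings as a single command line, for a one-off tunnel.
# Args: pivot_user pivot_host key_path local_port rdp_target
pivot_rdp_tunnel_cmd() {
  printf 'ssh -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -i %s -L %s:%s:3389 %s@%s\n' \
    "$3" "$4" "$5" "$1" "$2"
}

# Usage with placeholder values. In one terminal, bring the tunnel up:
#   fix_key_perms ~/.ssh/id_rsa
#   write_pivot_ssh_config ./pivot.sshconfig user 192.0.2.10 ~/.ssh/id_rsa 13389 198.51.100.35
#   ssh -F ./pivot.sshconfig -N pivot
# In another terminal, point RDP at the local end of the forward:
#   xfreerdp /v:127.0.0.1:13389 /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution
```

Both forms produce the same tunnel; the config-file form is just easier to reuse. ExitOnForwardFailure is there so that a refused forward (for instance a local port already in use) fails immediately instead of leaving you with an ssh session and no working tunnel.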

Can anyone help me?

I am on the 5.35 machine, got the credentials for vfrank, and when trying to RDP to 6.25 with them it keeps saying logging error. I have tried domain/username, username alone and nothing seems to work

I am trying to RDP to INLANEFREIGHT.LOCAL/vfrank with the pass * ImplX wXt UnmXskedX *