Skills Assignment - Pivoting, Tunneling, and Port Forwarding

Nvm, I'm just a moron, had to log in to INLANEFREIGHT.LOCAL\vfrank

I need help, plz DM me if someone can help me

Hmmm, I can’t seem to figure out how to carry mimikatz.
I have read the educational material and it shows how to proxy, but not how to carry mimikatz.
So I don’t know how to do it.
Is there anything that can help me?

In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?

I cannot proceed from this issue.
Can someone DM me a hint?

It's work, not Work.

TIP: Instead of using mimikatz to dump LSASS, try other methods like manually dumping using Windows itself (tool), then inspect it using your attack host.

Hello all,
Stuck on SSH login after Q2.
The password in “for-admin-eyes-only” never works.
Rebooted the server several times, but in vain.
Plain Human does not work at all!
Weird, does anyone share the same situation?

How did you get into 172.16.6.25? I tried with netsh and proxychains xfreerdp /u:vfrank /p:“Imply … …!” /v:172.16.5.35:8090 (which connects to 172.16.6.25:3389 with netsh) but I could not log in.

I got this error, can anyone please help me with this?

In a nutshell:

webshell → extracted private key
ssh webadmin@10.xxx with above private key to ping sweep
sshuttle to webadmin@10.xxx with above private key
rdp to 172.16.5.xx with user found in above step
ping sweep → discovered 2 more hosts, one of them is the one needed
mimikatz
rdp from 172.16.5.xx to that one host
observe and search what's available

Hi man! It’s a volume unit (look at it in This PC) of the 172.16.6.35, so you don’t need to connect to the DC :wink:

Ok guys, I managed to spend a whole day on it and FINALLY I solved this lab.
@neuroplastic shared this website and it was REALLY helpful!

Just adapt the IPs according to your case.
I spent 1 hour struggling, and I realized that I had forgotten one letter in the password I was trying… what a waste of time! Be precise and careful! :slight_smile:

Did you set the correct permissions for the key? You need less permissions like 600 for the key to be usable. As the error says, permission denied.

I have a problem with the final flag :persevere:

I am using metasploit and Netsh to do the port forwarding, but when I connect to the DC with the following command proxychains xfreerdp /v:172.16.6.25:8080 /u:vfrank /p: “vfrank pass” I get error failed to connect to 172.16.6.25.

On the second Windows machine, I ran this command: netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=172.16.6.25 connectport=3389 connectaddress=172.16.10.5

I also tried to do everything from scratch with Chisel, but the same thing happens to me, I can connect via RDP to the second machine, but I can’t connect to the third one. Does anyone know what I am doing wrong?

Hi guys, I’m terribly stuck. Found the last host 6.35 and after mstsc.exe to this I still see the same flag on C: as I saw on 5.25 and no network disk connected. What am I missing here?

PS. I got enlightened just after posting here. So what you need to do is another ping sweep and use vfrank creds to connect to another IP (3rd Windows machine). What a learning curve!

that 45 one with ssh is such a troll lol

@FireCloud
Because they are different subnetworks. You can’t ping from Foothold because you don’t have routes to subnet10. (That’s the whole point of this lab)
There are 3 subnetworks:

  • subnet5 (172.16.5.0/24)
  • subnet6 (172.16.6.0/24)
  • subnet10 (172.16.10.0/24)

There are 3 machines + DC

  • Foothold: The Linux machine you spawn from the lab, has two network interfaces, 1 connected to HTB VPN subnetwork and another in subnet5 (you can ping Pivot1 from this machine).
  • Pivot1: A Windows machine, has two interfaces, 1 connected to subnet5 and another connected to subnet6 (you can ping Pivot2 from this machine).
  • Pivot2: Another Windows machine, has two interfaces, 1 connected to subnet6 and another connected to subnet10 (you can ping DC from this machine).

Take a look at this diagram, hope you find it helpful
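
The topology in the post above, modeled as an added example (not part of the original post or the lab material), shows which hosts are on-link with each other and which dual-homed hosts join the segments. Only the three 172.16.x.0/24 subnets and the host roles come from the post; the host addresses and the 192.0.2.0/24 stand-in for the VPN network are constructed assumptions.

```python
import ipaddress
from collections import deque

# Subnets are the ones listed in the post. Host addresses and the
# 192.0.2.0/24 stand-in for the VPN network are constructed for illustration.
HOSTS = {
    "Foothold": ["192.0.2.10/24", "172.16.5.10/24"],
    "Pivot1":   ["172.16.5.20/24", "172.16.6.20/24"],
    "Pivot2":   ["172.16.6.30/24", "172.16.10.30/24"],
    "DC":       ["172.16.10.40/24"],
}

def networks(host, hosts=HOSTS):
    """Return the set of IP networks in which a host has an interface."""
    return {ipaddress.ip_interface(i).network for i in hosts[host]}

def on_link(a, b, hosts=HOSTS):
    """True when two hosts share a subnet and need no router between them."""
    return bool(networks(a, hosts) & networks(b, hosts))

def dual_homed(hosts=HOSTS):
    """Hosts with interfaces in more than one subnet (segment boundaries)."""
    return sorted(h for h in hosts if len(networks(h, hosts)) > 1)

def relay_path(src, dst, hosts=HOSTS):
    """Breadth-first search over shared subnets.

    Returns the shortest chain of hosts linking src to dst, or None when
    no chain of shared subnets exists (the segments are isolated).
    """
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in hosts:
            if nxt not in seen and on_link(path[-1], nxt, hosts):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    print("Foothold on-link with DC:", on_link("Foothold", "DC"))
    print("Dual-homed hosts:", dual_homed())
    print("Chain:", " -> ".join(relay_path("Foothold", "DC")))
```

Passing a modified `hosts` mapping lets you check what a segmentation change does, for example whether the DC's subnet is still reachable once a host loses its second interface.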

hi, are you there?

Firewall rules may influence this

Hey, thanks, I got it already. Total of 3 different networks. In the diagram the subnet mask should be /16 instead of /24, but I understand that the same subnet mask with similar-looking IP addresses doesn’t mean the hosts are on the same network.
