Conceal


Comments

  • Yes, phase 2 requires a bit of 'brute-forcing'. @voncount - as you mentioned the Windows error before, it's in this case the equivalent of the error you see now on Linux.

    I finally managed to make the native client on Windows and the strong bird on Linux behave in the same way. Did the 'brute-forcing' on Windows and then confirmed on Linux. With hindsight, it might have been easier to automate on Linux, but I am more familiar with that stuff on Windows.

    There is one parameter with various 'parts' that require 'brute-forcing'.

    But while I get a stable and 'quick' 'association', both of my clients cannot make use of it yet when they fire up the 'next stage' of this type of V**. Might be a glitch in the 'next stage' config or something fundamental - common to two otherwise very different test systems.

  • @kekra said:
    Yes, phase 2 requires a bit of 'brute-forcing'. @voncount - as you mentioned the Windows error before, it's in this case the equivalent of the error you see now on Linux.

    I finally managed to make the native client on Windows and the strong bird on Linux behave in the same way. Did the 'brute-forcing' on Windows and then confirmed on Linux. With hindsight, it might have been easier to automate on Linux, but I am more familiar with that stuff on Windows.

    There is one parameter with various 'parts' that require 'brute-forcing'.

    But while I get a stable and 'quick' 'association', both of my clients cannot make use of it yet when they fire up the 'next stage' of this type of V**. Might be a glitch in the 'next stage' config or something fundamental - common to two otherwise very different test systems.

    Thanks! I got it on Linux with a bit of help (and discovered mm along the way - thanks schex), though I'm not sure how I'd go back and repeat on Windows. I at least don't get an error when I fire up that bird on Linux; I guess I should go test that next stage.

  • @ferreirasc said:
    Guys... remember... You have the ik*-**** output. It is not a guessing game... ^_^

    Of course, it is not entirely brute force. What you mentioned only gives you 1 unknown. If we needed to brute-force the info that the tool spits out, then it would be something imaginary X20 because there are TONS of combinations. You should also have 3 more things from basic enum. What's left is completely brute force. There is even one thing that (I don't know how to say this without spoiling) all the fingers point towards the wrong version of the service. Which is why I hated the machine.

    Hack The Box

    OSCP | GPEN | CREST CRT | eCPPTv2 | GWAPT | CREST CPSA | ACE

  • @voncount said:
    @kekra said:
    Yes, phase 2 requires a bit of 'brute-forcing'. @voncount - as you mentioned the Windows error before, it's in this case the equivalent of the error you see now on Linux.

    I finally managed to make the native client on Windows and the strong bird on Linux behave in the same way. Did the 'brute-forcing' on Windows and then confirmed on Linux. With hindsight, it might have been easier to automate on Linux, but I am more familiar with that stuff on Windows.

    There is one parameter with various 'parts' that require 'brute-forcing'.

    But while I get a stable and 'quick' 'association', both of my clients cannot make use of it yet when they fire up the 'next stage' of this type of V**. Might be a glitch in the 'next stage' config or something fundamental - common to two otherwise very different test systems.

    Thanks! I got it on Linux with a bit of help (and discovered mm along the way - thanks schex), though I'm not sure how I'd go back and repeat on Windows. I at least don't get an error when I fire up that bird on Linux; I guess I should go test that next stage.

    I hope my theories about the next stage are correct. I saw something like a confirmation of that theory in the data you get from a successful 'association'. But the next post by @Ryan412 about lots of things pointing at the wrong version of something might tell me I should question everything again :-)

  • I cannot make it work on Windows either, with and without firewall, with my client in the DMZ and with ports open on the router, trying all the authentication options for that type of v*n. Assuming I have user, pass and key correct, how can I be sure it's not a problem with my internet provider not allowing that type of connection? Error 789 forever.

    halfluke

  • edited January 10

    Oof. Finally have a connection, thanks to some help. Wow. I'm still digesting...

    LegendarySpork

    my badge doesn't work, click on my profile if you want rank and stuff

    Taking a break from HTB through Dec 2019 in order to focus on other projects.

  • @kekra said:

    I hope my theories about the next stage are correct. I saw something like a confirmation of that theory in the data you get from a successful 'association'.

    Follow-up on my own post, so that I don't mislead anybody. My theories were incorrect - the setup is way simpler than I expected it to be! The alleged info on 'the next stage' was actually not 'from the server' but merged from a backup conf file I 'forgot'.

    This also explains why it cannot fully work with the native client, @voncount and @halfluke.

    It was an interesting experience so far, as I made too many assumptions based on what would be 'common' in the Windows VPN world ...

  • edited January 10

    Does the rightsubnet config need to include specific protocol/port config?

  • @xirax said:
    Does the rightsubnet config need to include specific protocol/port config?

    Yes!

  • Rooted.
    Hope it is not a spoiler: if you are privescing with a "framework", pay attention to 32/64-bit things. Thanks to @chppppp and @MrR3boot for hints on this journey.

  • @1NC39T10N said:

    @xirax said:
    Does the rightsubnet config need to include specific protocol/port config?

    Yes!

    Yeah, got the connection now. Turns out the type param is important, although I'm not sure why, as the default value seems to be a superset of the value that works.

  • @kekra said:

    @kekra said:

    I hope my theories about the next stage are correct. I saw something like a confirmation of that theory in the data you get from a successful 'association'.

    Follow-up on my own post, so that I don't mislead anybody. My theories were incorrect - the setup is way simpler than I expected it to be! The alleged info on 'the next stage' was actually not 'from the server' but merged from a backup conf file I 'forgot'.

    This also explains why it cannot fully work with the native client, @voncount and @halfluke.

    It was an interesting experience so far, as I made too many assumptions based on what would be 'common' in the Windows VPN world ...

    I haven't gotten it to work on the Windows side but I'm in from my Linux box. I'm not sure how I'd replicate the final few tweaks to my config file that got me in over to Windows, but for now I'm happy with what I have.

  • @voncount said:
    I haven't gotten it to work on the Windows side but I'm in from my Linux box. I'm not sure how I'd replicate the final few tweaks to my config file that got me in over to Windows, but for now I'm happy with what I have.

    I am also in from Linux - I think you cannot use that type of connection with the native Windows client (I did not test installing other clients on Windows). Also the scripted way of configuring a native client does not have more options than the GUI.

  • Rooted! 4 days just to bring up the host-to-host connection.

  • edited January 10

    So I can run a few commands using an easy-to-find one-line shell that runs on this server, but most just give me an error. Anyone know why this might be?

    Edit: Nm, got it. Working on root privesc now.

  • I can confirm that racoon works here too, but I liked the strong bird a bit more.

  • @kekra said:

    @voncount said:
    I haven't gotten it to work on the Windows side but I'm in from my Linux box. I'm not sure how I'd replicate the final few tweaks to my config file that got me in over to Windows, but for now I'm happy with what I have.

    I am also in from Linux - I think you cannot use that type of connection with the native Windows client (I did not test installing other clients on Windows). Also the scripted way of configuring a native client does not have more options than the GUI.

    I've never configured these services this way IRL.. I've only ever used this type of config with PKI in LAN-only scenarios. I've only managed phase 1 connectivity from Windows on this box; however, I think using the native wall of fire this may work... Also, if anyone has connectivity and it's dropping, just bring things back UP and you should be ok (I'm guessing the config can be adjusted to stop this!)

  • @mRr3b00t said:
    I've never configured these services this way IRL.. I've only ever used this type of config with PKI in LAN-only scenarios. I've only managed phase 1 connectivity from Windows on this box; however, I think using the native wall of fire this may work... Also, if anyone has connectivity and it's dropping, just bring things back UP and you should be ok (I'm guessing the config can be adjusted to stop this!)

    Hard to reply without spoiling, but if you want to connect to a VPN based on that version of the service in Windows, the only option you have is to combine it with some other protocol ... which I called the 'next phase' above.

    Yes, I've also mainly used it with certificates IRL!

  • Finally got it, prompt downvote.

  • edited January 11

    now where is that pesky user flag.... adjusted scan parameters, looking around.... well that's not very secure is it... got it with a shell. Privesc next.... just doing recon, think I may need to compile something.

    LegendarySpork

  • edited January 11

    stuck at phase 2

  • Yer, I'm having issues with it now. It was fine getting the 1st phase up and was holding it fine; I changed something, not even sure what, and at 1st I thought it was crashing my Kali VM, but it was screwing with my tunnel into my server.
    Not sure why, as I didn't change anything on that interface, but if I use the console window and not RDP I can hold the connection; if I'm in RDP it will crash and create 1000s of active connecting threads to the target box.. so I should just try on my dedicated Kali laptop, is that what you mean?
  • Spoiler Removed

    Hack The Box

  • @Blkph0x said:
    Yer, I'm having issues with it now. It was fine getting the 1st phase up and was holding it fine; I changed something, not even sure what, and at 1st I thought it was crashing my Kali VM, but it was screwing with my tunnel into my server.
    Not sure why, as I didn't change anything on that interface, but if I use the console window and not RDP I can hold the connection; if I'm in RDP it will crash and create 1000s of active connecting threads to the target box.. so I should just try on my dedicated Kali laptop, is that what you mean?

    That's what I meant. I haven't troubleshot why the VM was causing the connectivity issues to the "strong service", but I finally got phase 1 going when using Kali straight from the USB stick on my desktop. Just throwing in a tip in case it helps everyone else if they use a VM =)

  • After spending two decades getting the VPN up and running, finally I could hack the box. ;-)

    Hack N' Roll (-:

    Arrexel
    THIS IS ..... HueHueBR Team!

  • edited January 11

    This machine is my nightmare - after getting the VPN working, I'm still looking for a privesc possibility.

  • I've given up for now. I thought in Windows it would be easier, but it's not.
    But it's true that no ISP filtering should be involved, because we are trying to VPN into a VPN and the ISP should not even notice it.

    halfluke

  • hint for root?

    TheJ0k3r

  • edited January 13

    I think I'm onto something re root....
    ... got it.

    After some deliberation I've decided to upvote this one. I really wish I could downvote the documentation for that obnoxious bit after the initial scans. There's no way I would have ever sussed out all the details without a little help from a couple of people. However analyzing what it took actually resulted in some expanded understanding and an expanded reference library. And it's such a refreshing change from web.

    LegendarySpork

  • edited January 12

    @mRr3b00t said:
    ... also if anyone has connectivity and it's dropping just bring things back UP and you should be ok (I'm guessing the config can be adjusted to stop this!)

    My tunnel lasts for a few minutes, then drops. It's easy enough to bring up again, but it's really slowing down progress towards root. Anyone with a stable tunnel willing to offer a tip?
