# Conceal


• Frustrated with the Linux V** connection from Kali, attempting to tunnel from Windows host through a nc tunnel to the service on 10.10.10.116. Packets are reaching the service, I have the user/creds and key... but connection errors out... anyone willing to PM to troubleshoot?

• Rooted, took me a while, because I'm not that used to Windows environments.

• Rooted. Thanks @ASHacker for help.
PM me for hints or nudges.

• Having trouble determining if my I****.conf is configured correctly. Looked through the man pages and still can't get a connection. Can someone PM me and help me figure out how to debug the connection?

• Need a small hint. I'm using strongSwan 5.7.2 and configured conf file to display ike proposal selected, but then my syslog just keeps going in a loop. I used ik*-**** to produce part of my conf file. I believe the VPN server is running *inksys? Is this a clue?

• @techjohnny said:

> Need a small hint. I'm using strongSwan 5.7.2 and configured conf file to display ike proposal selected, but then my syslog just keeps going in a loop. I used ik*-**** to produce part of my conf file. I believe the VPN server is running *inksys? Is this a clue?

Update: I figured it out.

• Rooted... Was a fun box.
Thanks to @sesha569 for his pushes.

• Still getting the INVALID_ID_INFORMATION with a connection established. This means phase 1 is completed, but there's a problem with phase 2? Not sure my ciphers are correct, but would like to know where to look using tcpdump -i tun0 -vvvv?

• got root...pm for hints...

• Oh god, what a pain this box... haha, "learned tons" but the hard way...

user: if you're on linux, and you wanna make a tunnel, this word must not be in the respective config file... rolf ...
root: try harder on what the framework is telling you...

Cheers!

• Rooted !!! Hats off to creator ... very good box... bit of a time monster though - VPN setup was brutal

• If anyone on here has had issues with IEX to get a shell connection, PM me, been stuck on this for days and can't understand why I can't either pass the argument in the Tcp.ps1 script or IEX + pipe to the Invoke-CMDLET. Someone save me, I know there's people getting shells this way!

• I'm stuck on root, could somebody PM me and give me a hint? Thanks.

• edited March 2019

I ran into a fun problem on my way to system. Kept getting this error:

This version of C:\path\to\my\PE.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

This was very confusing at first. I thought it maybe had something to do with the architecture. After lots of digging, I came up empty handed.

I then inspected my process a bit further, compared the local and remote binaries, and saw something interesting...

A little encoding during transport and everything was working swimmingly. Pay attention to the details!

EDIT: I realize the root of my problem now was not having the correct mode during upload... sigh. Good practice though!
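An added example, not part of the post above: a small integrity check that compares a local file with the copy that arrived on the other side and reports whether the difference matches a text-mode newline rewrite. It assumes the "mode" in question is a text/ASCII transfer mode that rewrites line endings; the function names and sample bytes are constructed for illustration.

```python
import hashlib


def first_diff(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if the inputs are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    # Common prefix matches: equal, or one input is a truncation of the other.
    return -1 if len(a) == len(b) else min(len(a), len(b))


def classify_transfer(local: bytes, remote: bytes) -> dict:
    """Compare the original with the transferred copy and name the damage."""
    report = {
        "local_sha256": hashlib.sha256(local).hexdigest(),
        "remote_sha256": hashlib.sha256(remote).hexdigest(),
        "size_delta": len(remote) - len(local),
        "first_diff": first_diff(local, remote),
    }
    if local == remote:
        report["verdict"] = "identical"
    elif local.replace(b"\n", b"\r\n") == remote:
        # Every 0x0A grew into 0x0D 0x0A: text-mode upload towards Windows.
        report["verdict"] = "lf-to-crlf"
    elif local.replace(b"\r\n", b"\n") == remote:
        # Every 0x0D 0x0A shrank to 0x0A: text-mode transfer towards Unix.
        report["verdict"] = "crlf-to-lf"
    else:
        report["verdict"] = "other-corruption"
    return report


# Constructed sample: a few header-like bytes containing three 0x0A values,
# standing in for a binary (not a real executable).
SAMPLE = b"MZ\x90\x00\x03\x00\x0a\x00PE\x00\x00\x4c\x01\x0a\x0a\xff"
# What a newline-rewriting transfer would store on the receiving side.
MANGLED = SAMPLE.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for key, value in classify_transfer(SAMPLE, MANGLED).items():
        print(f"{key}: {value}")
```

A size increase equal to the number of 0x0A bytes in the original is the quick tell; a binary-mode transfer leaves both hashes equal.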

• edited March 2019

> I ran into a fun problem on my way to system. Kept getting this error:
>
> This version of C:\path\to\my\PE.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
>
> This was very confusing at first. I thought it maybe had something to do with the architecture. After lots of digging, I came up empty handed.
>
> I then inspected my process a bit further, compared the local and remote binaries, and saw something interesting...
>
> A little encoding during transport and everything was working swimmingly. Pay attention to the details!
>
> EDIT: I realize the root of my problem now was not having the correct mode during upload... sigh. Good practice though!

Hmm, I've been running into this issue forever, also thought it was weird because both 32 or 64 bit gave the same error, thanks for the hint! Should have thought about that before (facepalm)

• Hi Everyone, I've been having some issues trying to configure the ip*.c ... Seems I cannot establish the connection. I have experience with routers and firewalls establishing this protocol but somehow I am unable to make this work. Any hint would be appreciated if someone could PM me.

• If anyone could help with privesc, I know what to do using an "edible" but it seems to never go through regardless of what arguments I give it...

• Does the edible privesc require to wait or trigger something in order for it to "run"?

• @lduros said:

> Does the edible privesc require to wait or trigger something in order for it to "run"?

You need to feed it the right parameter(s) based on the environment it's being run on.

• @clmtn said:

> > Does the edible privesc require to wait or trigger something in order for it to "run"?
>
> You need to feed it the right parameter(s) based on the environment it's being run on.

Nevermind, I was using the wrong binary, after too many resets lol. Losing my mind. Thanks for the hint.

• Hi guys!!

I'm stuck with these logs:
INFORMATIONAL_V1 request 2352573931 [ HASH N(INVAL_ID) ]
In tcpdump it shows
phase 2/others R inf[E]: [encrypted hash]
and get a timeout, with failed.

I tried a lot of right/left networks and subnets,
0.0.0.0/0 or /32
10.10.0.0/16 or 10.10.10.0/24
Also with %any too
And try different ESP
Any hints or brainstorm are welcome in DM.
Thanks

• @Amen0 said:

> Hi guys!!
>
> I'm stuck with these logs:
> INFORMATIONAL_V1 request 2352573931 [ HASH N(INVAL_ID) ]
> In tcpdump it shows
> phase 2/others R inf[E]: [encrypted hash]
> and get a timeout, with failed.
>
> I tried a lot of right/left networks and subnets,
> 0.0.0.0/0 or /32
> 10.10.0.0/16 or 10.10.10.0/24
> Also with %any too
> And try different ESP
> Any hints or brainstorm are welcome in DM.
> Thanks

Got the tips to handle it.
Thanks

• Rooted with very interesting investigation and reading solutions for earlier HTB machines.
Root shell did not drop the first time. Tried several times with slightly different settings.

But user is the song! Found no practical manual so had to read docs and study all technology from the beginning and brute forced configuration file.

hats off to @lduros @ferchosur and @Bernie

• edited March 2019

Just rooted the machine, and I have 2 things to tell that I wish I saw in the forums.

1) You can still get a connection with wrong configurations, but it drops in 10-30 seconds. Don't assume you got it correct, just because you got a brief connection.

2) Turns out privesc is really really unstable, so don't give up once it fails. Also, I suggest not to use the payload from our beloved framework for this one.

Also don't be like me and priv desc.... Just because something works does not mean that it's right.

• edited March 2019

I was working with w*****ll but when system restarted all files were gone, I can use a hint to know how to upload my shell or other files.

EDIT: Found it!

• Hi!

I'm having trouble with phase 2, as usual. Based on the error I get, the problem is with the subnets. I tried different (reasonable) subnets, even specifying protocols/ports. I'm using the "strong" client mentioned here.
I have never worked with this service before. I would really appreciate some hints.

• Well, I just figured it out! This was a hell of a ride, I almost gave up.

I just want to summarise the information already here and add some useful tips.

First, you want to really understand how this protocol named after the famed htb youtuber works. The pdf about the router linked here is a good start (read the poster's comment for the relevant part).
You should use the "strong" client me and many, many others already hinted at if you are attacking from a linux machine (I did).

As people already mentioned, there are 2 phases. The first one should be straightforward if you used the tool named after Kyle's Canadian brother ( i**-s*** ) and found the secret on the only other port the host is (seemingly) running.

Now the second phase is tough. I had the most difficulty with this one.
You have to think about what kind of connection you want to establish: you want to connect one host to another. You have to figure out the "left" and "right" sides. You can use things similar to wdcds, but you can also specify what kind of ptol you want to use. Figure out what side should be vague and what should be specific.
Also, you should think about what "type" of connection you are looking for. Maybe, the default one is not what you need...

Lastly, the troubleshooting link in this discussion is a HUGE help, you will definitely need it to figure out what problem you have to solve.

I hope I did not spoil anything. Happy hacking!

• edited March 2019

I am stuck at the INVALID_ID_INFORMATION part on phase 2, can someone give me a hint please? I have tried every combination I can think of.

EDIT: I got it to finally connect. The problem I am having now though is that I am not able to reach the machine's open ports.

EDIT: GOT IT! On to more enumeration to get user

• edited March 2019

Finally got root... if somebody needs help just PM me.
Edit: hats off to @clmtn @tabacci @strcpy and thanks for your help