Connect to tun0 w webshell?

This might be a question for any box… this will be the 3th time I’ve gotten a shell but was stopped by outbound access (potentially on purpose but I had to check)… Should I be able to use the webshell to connect to my own IP to use as a command and control server (10.10.15.x)? I can connect through the browser when I host ‘python3 -m http.server 8181’ as a sanity check, but no luck w curl or wget in the shell. I also wasn’t able to complete admirer for the same reason (other m***l connections to it both on and off the vpn would work, just not through the admirer app server. As for Passage, I have also tried an external IP like google.com, I’m guessing outbound is blocked? Is this intentional?

@burninator said:

This might be a question for any box… this will be the 3th time I’ve gotten a shell but was stopped by outbound access (potentially on purpose but I had to check)… Should I be able to use the webshell to connect to my own IP to use as a command and control server (10.10.15.x)?

It depends. Boxes are different there isn’t an answer which is always true here.

I can connect through the browser

The browser on your local machine to a server on your local machine?

when I host ‘python3 -m http.server 8181’ as a sanity check, but no luck w curl or wget in the shell.

Again, it depends. Not every box has those tools. Sometimes it might be a syntax error. There are lots of possible answers here.

I also wasn’t able to complete admirer for the same reason (other m***l connections to it both on and off the vpn would work, just not through the admirer app server.

Admirer was a MySql connection not a webshell. There are different things you need to do to make it reach out to your machine. Not the least of which is configuring your conf files to allow it.

As for Passage, I have also tried an external IP like google.com, I’m guessing outbound is blocked? Is this intentional?

HTB boxes are normally blocked from accessing external sites.

There isn’t a one-size-fits-all answer as boxes do vary, however in passage you should be able to check for a connection by:

  • on your local machine run nc -nklvp 8888
  • on the remote machine type nc YOURIP 8888

If you get a connection, it has worked.

Yes by “browser” I meant local machine to local machine.

NC times out as well, as well as the reverse bind.

Maybe I’ll see if I can try to get DHCP to give me a new IP, though idk how the VPN will like that… seems like I pretty much always get the same address.

Hmm no luck with restarting the interface and requesting a new ip with dhclient. I should note, this is just the basic web shell running as user w**-**** (sorry I’m new, idk if that constitutes a spoiler).

For now I’m just trying to get going with Passage, since it seems like the simplest one to troubleshoot this on. I appreciate any help - honestly I feel like I’ve spent more time trying to diagnose network issues on this one then hacking, but I wanted to reach out to make sure it’s not something I’m doing wrong.

Again, it depends. Not every box has those tools. Sometimes it might be a syntax error. There are lots of possible answers here.

Yeah sorry I meant I was spinning up the Python server on my local box, checking if it’s up with the local browser, and then trying to get the web shell to connect to it.

@burninator said:

NC times out as well, as well as the reverse bind.

Then it is likely there is a networking problem.

Maybe I’ll see if I can try to get DHCP to give me a new IP, though idk how the VPN will like that… seems like I pretty much always get the same address.

What IP address do you have?

Hmm no luck with restarting the interface and requesting a new ip with dhclient.

You should be using the tun0 interface which, I suspect, isn’t managed by dhclient.

You should be using the tun0 interface which, I suspect, isn’t managed by dhclient.

Oh - yeah giving dhcpclient tun0 as a param didn’t work, and sbin/ip addr got a permissions denied.

What IP address do you have?

10.10.15.47 - I should note I’m not running http.server or nc or anything right now, nor am I currently connected to the VPN. Did you want to connect so you can try to hit it?

I was going to go generate a new connection pack and see if that helps but if you’d like to experiment I can wait.

And thanks again for the help, btw

@burninator said:

You should be using the tun0 interface which, I suspect, isn’t managed by dhclient.

Oh - yeah giving dhcpclient tun0 as a param didn’t work, and sbin/ip addr got a permissions denied.

The IP address is assigned by the OpenVPN client, so its worth making sure that connection is working but if you can connect to the HTB box, that has to be working.

What IP address do you have?

10.10.15.47 - I should note I’m not running http.server or nc or anything right now, nor am I currently connected to the VPN. Did you want to connect so you can try to hit it?

No, most of the traffic on the HTB network is a bit more segmented than that. The only thing which matters is that you can access it from the server you are trying to get a reverse connection back.

I was going to go generate a new connection pack and see if that helps but if you’d like to experiment I can wait.

Its worth trying - if it continues to be a problem, its probably worth raising a JIRA ticket with HTB once you’ve ensured you are using the correct IP addresses etc.

When you want to test this try:

  • on your machine python3 http.server 80
  • on the remote machine wget http://YOURIP?/

See what the output of both looks like

After that you can try using tools like netcat to send commands and see what the responses actually are.

So I tried a different country connection pack which forced a new IP, but still no luck connecting to a python http.server or NC. I don’t want to put too much network troubleshooting time into this, I’d rather be focusing on the hacking part :smile: so good idea - I’ll send them a ticket.