Conceal

Yup, we’re all stuck. I really wish I had a working server setup with a certain mode disabled so I could start with a working connection and then systematically break it. This is my first time with this particular critter.

Edit: plaudits to the box creator – even though the headwinds are tough here I’m forced to research a common technology and its vulns that have not come up for me before. Much more interesting than playing “hunt the directory”.

This is a new initial foothold for me and I’m still not able to connect to the ■■■■ box. I want to make sure we all found the same stuff.

Enumerating a common U** service on port 1** will provide two pieces of info:

A list of 4 possible users: Gu***, Ad********, De******, DeA*.
A P** Key to the Iv1 (note v) service running on U port 5**. This hash can be cracked almost instantly using a common online cracker and the result is a plaintext P** of Du********.

I don’t see any open TCP ports on an nmap scan; however, I can see in the S*** enumeration several common Windows TCP ports exposed, but manually probing these ports doesn’t give me anything.

I haven’t seen a username:password combo anywhere like I did on Mischief. Thus any user here would be a guess of the four enumerated (via sn**-c****). The only password I’ve seen is the cracked version of the P** Key. The algo I’ve seen to connect with is 3d**-***-m****1***. I haven’t seen any kind of group information.

I’ve tried tons of different IPS** configurations (IPSe* over L2**) to connect to this box with the information above. This seems like it is going to be more complicated than usual because it is a VPN within a VPN. I’ve tried both GUI and CLI configurations, but I cannot achieve a successful connection.

Yes, exact same position @1NC39T10N, it’s a real struggle but it’s forcing me to delve into stuff I’ve just taken for granted up till now.

I keep making tiny jumps, I’m so close to getting it working I can taste it. (Probably going to remain stuck at this point for days because I said that)

Currently trying to figure out why the enumeration confirms the host name is “C******”, yet when connecting I get IDir '10.10.10.116' does not match to 'C******'

I’m in the same boat as you two. I’m trying to figure out if some missing pieces of info are hiding somewhere or if I have to do some brute forcing. I also wonder if I need to switch to a different OS other than Kali to make certain connections.

The client matters because there are different types of VPN and different “modes.” It looks like you should be able to do it from Kali. apt search VPN for different clients, also apt search for other relevant tools, like scanners.

Right now I’m starting to wonder if my scans actually got everything. A couple of obvious services but could there be more?

@1NC39T10N said:
This is a new initial foothold for me and I’m still not able to connect to the ■■■■ box. I want to make sure we all found the same stuff.

Enumerating a common U** service on port 1** will provide two pieces of info:

A list of 4 possible users: Gu***, Ad********, De******, DeA*.
A P** Key to the Iv1 (note v) service running on U port 5**. This hash can be cracked almost instantly using a common online cracker and the result is a plaintext P** of Du********.

I don’t see any open TCP ports on an nmap scan; however, I can see in the S*** enumeration several common Windows TCP ports exposed, but manually probing these ports doesn’t give me anything.

I haven’t seen a username:password combo anywhere like I did on Mischief. Thus any user here would be a guess of the four enumerated (via sn**-c****). The only password I’ve seen is the cracked version of the P** Key. The algo I’ve seen to connect with is 3d**-***-m****1***. I haven’t seen any kind of group information.

I’ve tried tons of different IPS** configurations (IPSe* over L2**) to connect to this box with the information above. This seems like it is going to be more complicated than usual because it is a VPN within a VPN. I’ve tried both GUI and CLI configurations, but I cannot achieve a successful connection.

on the same boat

same boat, same frustration…

Can someone give a nudge on INVALID_ID_INFORMATION? I guess I’m so close.

read page 12 here, http://downloads.linksys.com/downloads/userguide/BEFVP41_V21_UG_NC-WEB.pdf

At this point, I have tried to change around things so much to function correctly. Definitely stuck where everyone else is stuck. I have all this info but no iteration of it seems to be working.

Edit: Actually, it was my syntax. That was the problem. I got the tunnel to come up finally.

@n00kie said:
a windows box? i got sub7.exe for that!

Sub7, NetBus and BO – good times!!! Will it help?

@magnus said:

@n00kie said:
a windows box? i got sub7.exe for that!

Sub7, NetBus and BO – good times!!! Will it help?

lol i wish hahha

I feel like I’m close, but keep getting an “ERROR: notification NO-PROPOSAL-CHOSEN” message. I’ve tried a few different proposals, but so far no luck. :( Any help would be appreciated.

Edit: got in. Used the masked mammal to connect. User flag done, working on privesc.

What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

I am also stuck on INVALID_ID_INFORMATION. Any hints are appreciated.

When I turn up I see INVALID_ID_INFORMATION, but when I run a statusall I see ESTABLISHED, so idk what to think anymore :P

There are two phases in this protocol…

@jkr said:
There are two phases in this protocol…

Yes. I’m sure that we have to deal correctly with subnets on phase-2. I’m afraid it requires more specific variables.