Conceal

@n00kie said:

@Warlord711 said:

@n00kie said:

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

charon-cmd

Don't think it's possible using only charon-cmd. I think we need strongSwan installed and configured properly. charon-cmd only has predefined profiles and none of them matches here.

That's true, just wanted to lead the way to strongSwan; thought I'd throw that in as a hint.

By any chance have you used or found anything better than charon-cmd? The debugging on it is a story 20 chapters long.

"charondebug =

How much charon debugging output should be logged. A comma-separated list containing type/level pairs may be specified, e.g: dmn 3, ike 1, net -1.

Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts and the level is one of [-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types."

The logging is very customisable, and you may or may not find it helpful.
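As an added example, not code from the thread or from strongSwan: a small Python helper that reads charon output logged with that setting, pairs what the peer offered against what you configured, and names the transforms that differ in the closest configured proposal, which is where to look first when the reply is NO_PROPOSAL_CHOSEN. The sample log lines are constructed and only mimic charon's line format.

```python
import re
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Constructed sample charon log (added example, not taken from the thread). It mimics
# the shape charon prints when ipsec.conf sets "charondebug = ike 1, cfg 1".
SAMPLE_LOG = """\
08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
08[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

PROPOSAL_RE = re.compile(r"\b(received|configured) proposals: (.+)$")


def parse_proposals(log_text: str) -> Dict[str, List[List[str]]]:
    """Return {'received': [...], 'configured': [...]}, each proposal as its transform list."""
    found: Dict[str, List[List[str]]] = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for prop in m.group(2).split(", "):
            _proto, _, transforms = prop.partition(":")  # drop the "IKE:"/"ESP:" prefix
            found[m.group(1)].append(transforms.split("/"))
    return found


def closest_mismatch(log_text: str) -> List[Tuple[str, str]]:
    """Pair every peer proposal against every configured one.

    Returns [] if some configured proposal matches a received one exactly (the
    NO_PROPOSAL_CHOSEN then has another cause, e.g. identity or lifetime).
    Otherwise returns the (received, configured) transforms that differ in the
    closest configured proposal: the entries to correct first.
    """
    props = parse_proposals(log_text)
    best: Optional[List[Tuple[str, str]]] = None
    for recv in props["received"]:
        for conf in props["configured"]:
            # a transform present on one side only also counts as a difference
            diffs = [(r, c) for r, c in zip_longest(recv, conf, fillvalue="") if r != c]
            if not diffs:
                return []
            if best is None or len(diffs) < len(best):
                best = diffs
    return best or []


if __name__ == "__main__":
    for received, configured in closest_mismatch(SAMPLE_LOG):
        print(f"peer offered {received:<22} we configured {configured}")
```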

@23Y4D said:
I wrote a couple of scripts to try different command configurations “even though I know what should be the correct one”, and I tried various configurations of the IP***.conf file… I tried and installed various plugins to swan, and even tried multiple configurations on a Windows VM… and kept getting the same policy error.

This is where I can confidently say: “this is a stupid machine… goodbye”

This!
Don't get it, ‘the’ scan tool only gives a valid response using a specific set of proposals, but using these proposals, configured in ipsec.conf or using charon, always results in a NO PROPOSAL CHOSEN error. Searching for the error only returns basic stuff like “install plugins” etc. but does not solve the situation here.

Plugins are installed and available, not sure why it always fails.

RFC 2409 - The Internet Key Exchange (IKE) may be helpful.

I am in the middle of privesc right now but if I have time, I can help those who are stuck using a certain strong application. It can be a pain in the ■■■■!

Edit - I will not hand you answers if you haven’t done anything to research it :slight_smile:

@rewks said:

@n00kie said:

@Warlord711 said:

@n00kie said:

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

charon-cmd

Don't think it's possible using only charon-cmd. I think we need strongSwan installed and configured properly. charon-cmd only has predefined profiles and none of them matches here.

That's true, just wanted to lead the way to strongSwan; thought I'd throw that in as a hint.

By any chance have you used or found anything better than charon-cmd? The debugging on it is a story 20 chapters long.

"charondebug =

How much charon debugging output should be logged. A comma-separated list containing type/level pairs may be specified, e.g: dmn 3, ike 1, net -1.

Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts and the level is one of [-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types."

The logging is very customisable, and you may or may not find it helpful.

Thank you!

The debug logs were useless for me :stuck_out_tongue: Unfortunately this one is a guessing game.

Can someone PM me to discuss privesc?

Edit: NVM found it.

To save a lot of time, try to enable logging and for every change check the log to understand what went wrong. Make sure you read the wiki page for the most important proto/port part. https://wiki.strongswan.org/projects/strongswan/wiki/connsection

The moment you co-work with someone to solve the connection problem on the machine and he manages to connect but after all doesn't give you a hint.

Rooted. Thank god root wasn't as much of a PITA as user.

For the folks working on user - this link helped me troubleshoot. https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html

So knowing your error and what it might mean, read through the config man page relevant section AND TRY EVERYTHING YOU SEE. It’s a bit of a PITA as you’re just guessing but there isn’t much to try.

Thank you mightily to the folks who have provided some explanatory or reference material as well as a few pointers in IM!

I’ve found what I believe are the phase-1 settings with i**-s***, and have piped those into c*****-c** along with a list of all possible phase-2 proposals (listed in Microsoft interop guide) in a for loop and still NO_PROP. I am making some assumptions (auth profile and identity) but I’m fairly confident they are correct. Anyone willing to PM a nudge?

@bianca said:
@0xEA31, do we need to brute force to get the right configs? I mean specifically the s****t, in order to get the params the server is expecting. I ask because I tried all the obvious ones and I keep getting the same response.

If you are trying to connect from a (Kali) Linux box, it’s really hard to figure out why things go wrong: as far as I searched in Google there is no place where you can find a copy-paste configuration.

Even from a Windows box you have to figure out what to do, and yes, it’s not obvious (at least it wasn’t to me). But from a Windows box you do not have to bother with low level details and quirks.

So my suggestion is: try from a Windows box and, when you are done, try to mimic its behavior. You’ll probably find yourself stuck again but, at least, you’ll have all the info to solve the quirk. Anyway, some links already suggested in other posts will really help you to get the solution.

Sorry for being so elusive, but there are only 40 users that got the way in, and I don’t want to spoil the solution.

Finally, if anyone wants a “copy-paste answer” she/he’ll have to wait until the box is retired. I'll publish a post on this because, as I said, it seems to be something quite undocumented at the moment.

Windows box is just as much fun, error 791. At this point it's not even apparent if I’m troubleshooting a Windows bug or actually going at the box. What a treat.

@0xEA31 said:

@bianca said:
@0xEA31, do we need to brute force to get the right configs? I mean specifically the s****t, in order to get the params the server is expecting. I ask because I tried all the obvious ones and I keep getting the same response.

If you are trying to connect from a (Kali) Linux box, it’s really hard to figure out why things go wrong: as far as I searched in Google there is no place where you can find a copy-paste configuration.

Even from a Windows box you have to figure out what to do, and yes, it’s not obvious (at least it wasn’t to me). But from a Windows box you do not have to bother with low level details and quirks.

So my suggestion is: try from a Windows box and, when you are done, try to mimic its behavior. You’ll probably find yourself stuck again but, at least, you’ll have all the info to solve the quirk. Anyway, some links already suggested in other posts will really help you to get the solution.

Sorry for being so elusive, but there are only 40 users that got the way in, and I don’t want to spoil the solution.

Finally, if anyone wants a “copy-paste answer” she/he’ll have to wait until the box is retired. I'll publish a post on this because, as I said, it seems to be something quite undocumented at the moment.

There is definitely documentation for how to do it. Think about wild***ds and how they’re used in the specific app you’re working with.

As for the last part of what you said - I will also reiterate this. Unless you’ve done some serious research and there are just minuscule problems with your setup, I am going to tell you to do more research. If you get mad, sorry. Part of the learning from this box is definitely the journey of setting up everything. 10/10 very useful.

@w0rtw0rt that is fair enough as long as there is some reasonable inferential way to get to the appropriate background information. The maddening part for me is simply not turning up what I’ve needed on Google or man pages.

I have no issues with doing plenty of homework. Fortunately folks have been sharing some general references. I still am lost but at least at this point I have stuff to research.

HTB and the box creators get to make the rules but I’m just saying that if you want to keep my interest there has to be at least a viable research path.

PS right now I am working through the mighty waterfowl example network diagram and configuration. Good stuff to know.

The process to setup the VPN connection was awesome.

I learned a lot! :slight_smile:

(And I’m still discussing with some mates other options and attributes… cool xD)

For those who are having some fun with that strong:

@LegendarySpork said:
@w0rtw0rt that is fair enough as long as there is some reasonable inferential way to get to the appropriate background information. The maddening part for me is simply not turning up what I’ve needed on Google or man pages.

I have no issues with doing plenty of homework. Fortunately folks have been sharing some general references. I still am lost but at least at this point I have stuff to research.

HTB and the box creators get to make the rules but I’m just saying that if you want to keep my interest there has to be at least a viable research path.

PS right now I am working through the mighty waterfowl example network diagram and configuration. Good stuff to know.

I will admit I am a little biased with this particular box because my background is in networking and security architecture. Therefore, I have a lot of background in this kind of stuff (although from the linux side of things, it’s a new ballgame). However, the knowledge you gain from this box would be immensely helpful for either offensive or defensive security specialists because of the literal construction of a configuration. Understanding what’s going on in the engine, so to speak, so that you can know exactly what’s going on.

All this to say is that every single resource you need is out there. There is nothing in the construction of the configuration that is left to chance here. It’s truly not a guessing game. There are definitely ways that are explained to get around things you do not or cannot know. This goes for the user portion and the root portion.

Progress. I installed ALL of the bigbird stuff and then used the relevant start command to fire up the relevant daemon. Am working through the documentation. There are actually some good examples with pictures. Thanks again folks for the pointers.

Rooted…

Unfortunately, this machine will be one of the few boxes I give a dislike, solely because of the terrible vpn setup experience…

Having to spend hours and hours of guessing the correct vpn configuration and learning how to use an obsolete service, which BTW lacks basic documentation, is completely useless for pen testing, unless you are practicing for CCNP security, which I believe HTB is not the right place for.

From the beginning, I had all of the settings correct, except for one word or even one letter, and it wouldn’t work, and I wouldn’t know why because the service keeps us completely blind.
If it wasn’t for the guys' help, I would have never found out why it wasn’t working, even though I had 99% of the configurations correct.

Side note: I believe the priv esc method I used can only run once, and then it wouldn’t work, so the box needs to be reverted in order for it to work again, or a certain process needs to be killed.
This is what happened to me, and it says so in the PoC. But I could be wrong.
Either way, there seems to be more than one way to do it.

In general, if it wasn’t for the vpn setup experience, or at least if the vpn setup was straightforward, this would’ve been a great box, and a great practice for OSCP. But, Alas!

Thanks everyone for the help, and thanks to the box creators for their efforts.

I wanted to root this machine just to downvote it.
Here is why:

The actual entry is just …
EVEN if you are good at networking, it takes good “guessing” to actually connect!
You need to GUESS most of the configurations!
I find this to be a disaster. It is just like bruteforcing, except that you will actually bruteforce everything?!

Aside from that, once you’re in, user is pretty straightforward.

Root was another guessing game, especially with the different VMMs involved. I also realized that there is more than 1 way to get root. So have fun with guessing!

Edit: I don’t hate the guessing game for the root, it is actually pretty realistic. There are at least 3 confirmed ways to get root. So it depends on what approach you take.

Guys, check and read carefully every parameter in the man page of s*w ic.conf