Conceal

now where is that pesky user flag… adjusted scan parameters, looking around… well that’s not very secure is it… got it with a shell. Privesc next… just doing recon, think I may need to compile something.

stuck at phase 2

Yer, I’m having issues with it now. It was fine getting the 1st phase up and was holding it fine; I changed something, not even sure what, and then at 1st I thought it was crashing my Kali VM, but it was screwing with my tunnel into my server.
Not sure why, as I didn’t change anything on that interface, but if I use the console window and not RDP I can hold the connection; if I’m in RDP it will crash and create 1000s of active connecting threads to the target box… so I should just try on my dedicated Kali laptop, is that what you mean?

Spoiler Removed

@Blkph0x said:
Yer, I’m having issues with it now. It was fine getting the 1st phase up and was holding it fine; I changed something, not even sure what, and then at 1st I thought it was crashing my Kali VM, but it was screwing with my tunnel into my server.
Not sure why, as I didn’t change anything on that interface, but if I use the console window and not RDP I can hold the connection; if I’m in RDP it will crash and create 1000s of active connecting threads to the target box… so I should just try on my dedicated Kali laptop, is that what you mean?

That’s what I meant. I haven’t troubleshot why the VM was causing the connectivity issues to the “strong service”, but I finally got phase 1 going when using Kali straight from the USB stick on my desktop. Just throwing in a tip in case it helps everyone else if they use a VM =)

After spending two decades to have the VPN up and running, finally I could hack the box. :wink:

Hack N’ Roll (-:

This machine is my nightmare - after getting the VPN working, I’m still looking for a privesc possibility.

I’ve given up for now. I thought in Windows it would be easier but it’s not.
But it’s true that no ISP filtering should be involved, because we are trying to VPN into a VPN and the ISP should not even notice it.

hint for root?

I think I’m onto something re root…
… got it.

After some deliberation I’ve decided to upvote this one. I really wish I could downvote the documentation for that obnoxious bit after the initial scans. There’s no way I would have ever sussed out all the details without a little help from a couple of people. However, analyzing what it took actually resulted in some expanded understanding and an expanded reference library. And it’s such a refreshing change from web.

@mRr3b00t said:
… also if anyone has connectivity and it’s dropping, just bring things back UP and you should be ok (I’m guessing the config can be adjusted to stop this!)

My tunnel lasts for a few minutes, then drops. It’s easy enough to bring up again, but it’s really slowing down progress towards root. Anyone with a stable tunnel willing to offer a tip?

got root! learn new stuff! that was very cool

@cbaker said:
My tunnel lasts for a few minutes, then drops. It’s easy enough to bring up again, but it’s really slowing down progress towards root. Anyone with a stable tunnel willing to offer a tip?

I got tired of screwing with the configs, so I didn’t use a “proper” way of stabilizing it. I wrote a script that waits for a connection and then just sends a shell command every five seconds as a sort of keepalive “ping”, then had the server connect back to it. Traffic seems to keep the connection alive.

Just did a bit of Googling and found the dpdaction and dpddelay settings, though, and those also seem to work. Give those a try.

Can confirm that dpd* can help in stabilizing, although I still got some drops for certain types of enum tools.
v** setup was a giant mess. Use the strong bird and, in addition to what you find here in the forum, make perfectly sure you’re using the correct i****.**s file. On my Kali install I had to copy it to a certain directory. Took quite some time to figure out it was using my .conf but not my i.*****s. Thanks to @schex for discussion on it.
Priv esc was straightforward - if you’ve seen something similar before (as always) :wink:
Pay close attention to what the user is allowed to do.
Feel free to PM for hints

@kekra said:
Hard to reply without spoiling, but if you want to connect to a VPN based on that version of the service in Windows, the only option you have is to combine it with some other protocol … which I called the ‘next phase’ above.

Final update: I’ve now made the connection work on Windows - so that I can really access services on the box!

Happy to provide nudges if somebody wants to try that. Hint: Don’t zoom in too much on the word ‘VPN’.

@opt1kz said:

I got tired of screwing with the configs, so I didn’t use a “proper” way of stabilizing it. I wrote a script that waits for a connection and then just sends a shell command every five seconds as a sort of keepalive “ping”, then had the server connect back to it. Traffic seems to keep the connection alive.

Just did a bit of Googling and found the dpdaction and dpddelay settings, though, and those also seem to work. Give those a try.

Thanks, I did the same thing, and it does a pretty good job. I’ll look at those. I also tried some different settings for rekey and reauth and some others like lifetime but didn’t have much success.

@opt1kz said:

I wrote a script that waits for a connection and then just sends a shell command

nc -z works great as a “tcp ping”

@LegendarySpork said:
@opt1kz said:

I wrote a script that waits for a connection and then just sends a shell command

nc -z works great as a “tcp ping”

Hm. That’s interesting. I never noticed that flag, to be honest. Googling and playing around with it a bit and you could probably use this too, you’re right. Neat.

For me it was easier/quicker to just whip out Python and do it that way (it was all of ten lines), but this netcat feature could be useful in the future, so thanks!

TCP ping 4evR

while :; do nc -z 10.10.10.10 21; sleep 10; done

Another good use – I use the nc -z flag for scanning whenever transport is limited somehow and nmap isn’t reliable. I used this on another active box recently.
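The keepalive approach discussed in this thread (a script that waits for the tunnel to come up, then sends periodic traffic, plus the nc -z "TCP ping" loop above) written out as an added Python example. This is not code from any poster here; it generalises the shell loop by waiting for the service first, stopping once a probe fails so you notice the drop, and exposing the interval and probe count as parameters. The host and port are placeholders you pass on the command line.

```python
"""Added example: a small TCP keepalive prober (not code from the thread).

It waits until host:port completes a TCP handshake (the same check as
`nc -z`), then re-probes on a fixed interval so the idle tunnel keeps
seeing traffic, and stops when a probe fails so a dropped tunnel is noticed.
Host, port, interval and counts are caller-supplied placeholders.
"""
import socket
import sys
import time


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if host:port accepts a TCP connection (like `nc -z`)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: treat all as "down".
        return False


def wait_for_service(host, port, interval=5.0, max_attempts=None, probe=tcp_probe):
    """Poll until the service answers.

    Returns the number of attempts it took, or None if max_attempts ran out
    (max_attempts=None means wait forever).
    """
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        if probe(host, port):
            return attempts
        time.sleep(interval)
    return None


def run_keepalive(host, port, interval=5.0, max_probes=None, probe=tcp_probe):
    """Probe host:port every `interval` seconds to keep traffic flowing.

    Stops at the first failed probe (tunnel dropped) or after max_probes
    successes; returns the count of successful probes.
    """
    ok = 0
    while max_probes is None or ok < max_probes:
        if not probe(host, port):
            break
        ok += 1
        time.sleep(interval)
    return ok


def start_local_listener():
    """Constructed fixture for offline use: a loopback listener on an
    ephemeral port. Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python keepalive.py <host> <port>   (placeholders, your own tunnel endpoint)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(f"waiting for {target_host}:{target_port} ...")
    wait_for_service(target_host, target_port)
    print("service up; probing every 5s (Ctrl-C to stop)")
    n = run_keepalive(target_host, target_port)
    print(f"probe failed after {n} successful keepalives; tunnel likely dropped")
```

Because `run_keepalive` returns as soon as a probe fails, you can wrap the script in an outer loop that re-establishes the tunnel and restarts it, which is the same effect the thread gets from `dpdaction`/`dpddelay` but visible from the client side.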

Can someone PM me. I’m having some trouble talking to President Eisenhower. I’ve never done it, I’ve already installed more software on my computer than I’m really happy with, and it’s making me feel all sorts of stupid.