Conceal

Still getting the INVALID_ID_INFORMATION with a connection established. This means phase 1 is completed, but there’s a problem with phase 2? Not sure my ciphers are correct, but would like to know where to look using tcpdump -i tun0 -vvvv?

got root…pm for hints…

Oh god, what a pain this box… haha, “learned tons” but the hard way…
A little advice:

user: if you’re on linux, and you wanna make a tunnel, this word must not be in the respective config file… rofl …
root: try harder on what the framework is telling you…

Cheers!

Rooted!!! Hats off to creator … very good box… bit of a time monster though - VPN setup was brutal

If anyone on here has had issues with IEX to get a shell connection, PM me, been stuck on this for days and can’t understand why I can’t either pass the argument in the Tcp.ps1 script or IEX + pipe to the Invoke-CMDLET. Someone save me, I know there’s people getting shells this way!

I’m stuck on root, could somebody PM me and give me a hint? Thanks

I ran into a fun problem on my way to system. Kept getting this error:

This version of C:\path\to\my\PE.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

This was very confusing at first. I thought it maybe had something to do with the architecture. After lots of digging, I came up empty handed.

I then inspected my process a bit further, compared the local and remote binaries, and saw something interesting…

A little encoding during transport and everything was working swimmingly. Pay attention to the details!

EDIT: I realize the root of my problem now was not having the correct mode during upload… sigh. Good practice though!
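The "wrong mode during upload" failure described in the post above is a classic: an FTP ASCII-mode transfer rewrites every bare LF byte as CRLF, which silently corrupts any binary and produces exactly the "not compatible with the version of Windows" message. The block below is an added illustration, not code from the post or the box: it builds a constructed, minimal PE-like header (not a real executable), simulates the ASCII-mode rewrite, and shows the two checks a practitioner should run before debugging anything else: compare hashes of the local and remote copy, and verify that the `e_lfanew` pointer at offset 0x3C still lands on the `PE\0\0` signature.

```python
import hashlib


def build_sample_pe() -> bytes:
    """Constructed PE-like blob for the demo: a 64-byte DOS header whose
    e_lfanew field (offset 0x3C) points at 0x80, a 64-byte stub padded with
    LF bytes so an ASCII-mode transfer has something to mangle, then the
    4-byte 'PE\\0\\0' signature and some padding. Not a loadable executable."""
    e_lfanew = 0x80
    dos_header = bytearray(b"MZ" + b"\x00" * 58)
    dos_header += e_lfanew.to_bytes(4, "little")  # bytes 0x3C..0x3F
    assert len(dos_header) == 64
    stub = bytes([0x0A, 0x41, 0x0A, 0x42]) * 16  # 64 bytes, 32 of them LF
    pe_sig = b"PE\x00\x00"
    return bytes(dos_header) + stub + pe_sig + b"\x00" * 20


def ascii_mode_transfer(data: bytes) -> bytes:
    """Simulate an FTP ASCII-mode upload from a Unix client to a Windows
    server: every bare LF (0x0A) becomes CRLF (0x0D 0x0A). For a binary this
    shifts every byte after the first LF and breaks internal offsets."""
    return data.replace(b"\n", b"\r\n")


def pe_signature_ok(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_transfer(local: bytes, remote: bytes) -> dict:
    """What to compare when an uploaded binary refuses to run: hash equality,
    size drift (ASCII mode only ever grows the file), and whether the PE
    header on the remote side still parses."""
    return {
        "hash_match": sha256_hex(local) == sha256_hex(remote),
        "size_delta": len(remote) - len(local),
        "remote_pe_valid": pe_signature_ok(remote),
    }


if __name__ == "__main__":
    local_bin = build_sample_pe()
    corrupted = ascii_mode_transfer(local_bin)
    print("local header valid :", pe_signature_ok(local_bin))
    print("after ASCII upload :", check_transfer(local_bin, corrupted))
    print("after binary upload:", check_transfer(local_bin, local_bin))
```

In practice the same comparison is one `sha256sum` locally and `Get-FileHash` (or `certutil -hashfile <file> SHA256`) on the Windows side; if the hashes differ, the transfer, not the architecture, is the problem.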

@stonepresto said:

I ran into a fun problem on my way to system. Kept getting this error:

This version of C:\path\to\my\PE.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

This was very confusing at first. I thought it maybe had something to do with the architecture. After lots of digging, I came up empty handed.

I then inspected my process a bit further, compared the local and remote binaries, and saw something interesting…

A little encoding during transport and everything was working swimmingly. Pay attention to the details!

EDIT: I realize the root of my problem now was not having the correct mode during upload… sigh. Good practice though!

Hmm, I’ve been running into this issue forever, also thought it was weird because both 32 and 64 bit gave the same error, thanks for the hint! Should have thought about that before (facepalm)

Hi Everyone, I’ve been having some issues trying to configure the ip***.c** … Seems I cannot establish the connection. I have experience with routers and firewalls establishing this protocol, but somehow I am unable to make this work. Any hint would be appreciated if someone could PM me.

If anyone could help with privesc, I know what to do using an “edible” but it seems to never go through regardless of what arguments I give it…

Does the edible privesc require to wait or trigger something in order for it to “run”?

@lduros said:

Does the edible privesc require to wait or trigger something in order for it to “run”?

You need to feed it the right parameter(s) based on the environment it’s being run on.

@clmtn said:

@lduros said:

Does the edible privesc require to wait or trigger something in order for it to “run”?

You need to feed it the right parameter(s) based on the environment it’s being run on.

Never mind, I was using the wrong binary, after too many resets lol. Losing my mind. Thanks for the hint.

Hi guys!!
Can someone PM me about Phase2, please?

I’m stuck with these logs:
INFORMATIONAL_V1 request 2352573931 [ HASH N(INVAL_ID) ]
In tcpdump it shows
phase 2/others R inf[E]: [encrypted hash]
and I get a timeout, with failed.

I tried a lot of right/left networks and subnets,
0.0.0.0/0 or /32
10.10.0.0/16 or 10.10.10.0/24
Also with %any too
And try different ESP
Any hints or brainstorm are welcome in DM.
Thanks

@Amen0 said:

Hi guys!!
Can someone PM me about Phase2, please?

I’m stuck with these logs:
INFORMATIONAL_V1 request 2352573931 [ HASH N(INVAL_ID) ]
In tcpdump it shows
phase 2/others R inf[E]: [encrypted hash]
and I get a timeout, with failed.

I tried a lot of right/left networks and subnets,
0.0.0.0/0 or /32
10.10.0.0/16 or 10.10.10.0/24
Also with %any too
And try different ESP
Any hints or brainstorm are welcome in DM.
Thanks

Got the tips to handle it.
Thanks

Rooted with very interesting investigation and reading solutions for earlier HTB machines.
Root shell didn’t drop on the first try. Tried several times with slightly different settings.

But user is the song! Found no practical manual, so had to read docs, study all the technology from the beginning and brute-force the configuration file.

hats off to @lduros @ferchosur and @Bernie

Just rooted the machine, and I have 2 things to tell that I wish I saw in the forums.

  1. You can still get a connection with wrong configurations, but it drops in 10-30 seconds. Don’t assume you got it correct, just because you got a brief connection.

  2. Turns out privesc is really really unstable, so don’t give up once it fails. Also, I suggest not to use the payload from our beloved framework for this one.

Also don’t be like me and privesc… Just because something works does not mean that it’s right.

I was working with w*****ll but when the system restarted all files were gone. I could use a hint to know how to upload my shell or other files.

EDIT: Found it!

Hi!

I’m having trouble with phase 2, as usual. Based on the error I get, the problem is with the subnets. I tried different (reasonable) subnets, even specifying protocols/ports. I’m using the “strong” client mentioned here.
I have never worked with this service before. I would really appreciate some hints.

Well, I just figured it out! This was a ■■■■ of a ride, I almost gave up.

I just want to summarise the information already here and add some useful tips.

First, you want to really understand how this protocol named after the famed htb youtuber works. The pdf about the router linked here is a good start (read the poster’s comment for the relevant part).
You should use the “strong” client me and many, many others already hinted at if you are attacking from a linux machine (I did).

As people already mentioned, there are 2 phases. The first one should be straightforward if you used the tool named after Kyle’s Canadian brother ( i**-s*** ) and found the secret on the only other port the host is (seemingly) running.

Now the second phase is tough. I had the most difficulty with this one.
You have to think about what kind of connection you want to establish: you want to connect one host to another. You have to figure out the “left” and “right” sides. You can use things similar to wdcds, but you can also specify what kind of ptol you want to use. Figure out what side should be vague and what should be specific.
Also, you should think about what “type” of connection you are looking for. Maybe, the default one is not what you need…
Check out the man page about the i*c.cf file already linked in this discussion.

Lastly, the troubleshooting link in this discussion is a HUGE help, you will definitely need it to figure out what problem you have to solve.

I hope I did not spoil anything. Happy hacking!