Conceal

Hi guys!!
Can someone PM me about Phase2, please?

I’m stuck with these logs:
INFORMATIONAL_V1 request 2352573931 [ HASH N(INVAL_ID) ]
In tcpdump it shows
phase 2/others R inf[E]: [encrypted hash]
and I get a timeout, and it fails.

I tried a lot of right/left networks and subnets,
0.0.0.0/0 or /32
10.10.0.0/16 or 10.10.10.0/24
Also with %any too
And tried different ESP
Any hints or brainstorm are welcome in DM.
Thanks

Got the tips to handle it.
Thanks

Rooted after a very interesting investigation and reading solutions for earlier HTB machines.
Root shell didn’t drop on the first try. Tried several times with slightly different settings.

But user is the song! Found no practical manual at all, so I had to read docs, study all the technology from the beginning and brute force the configuration file.

hats off to @lduros @ferchosur and @Bernie

Just rooted the machine, and I have 2 things to tell that I wish I saw in the forums.

  1. You can still get a connection with wrong configurations, but it drops in 10-30 seconds. Don’t assume you got it correct, just because you got a brief connection.

  2. Turns out privesc is really really unstable, so don’t give up once it fails. Also, I suggest not to use the payload from our beloved framework for this one.

Also don’t be like me and priv esc… Just because something works does not mean that it’s right.

I was working with w*****ll but when the system restarted all files were gone. I could use a hint on how to upload my shell or other files.

EDIT: Found it!

Hi!

I’m having trouble with phase 2, as usual. Based on the error I get, the problem is with the subnets. I tried different (reasonable) subnets, even specifying protocols/ports. I’m using the “strong” client mentioned here.
I have never worked with this service before. I would really appreciate some hints.

Well, I just figured it out! This was a ■■■■ of a ride, I almost gave up.

I just want to summarise the information already here and add some useful tips.

First, you want to really understand how this protocol named after the famed htb youtuber works. The pdf about the router linked here is a good start (read the poster’s comment for the relevant part).
You should use the “strong” client me and many, many others already hinted at if you are attacking from a linux machine (I did).

As people already mentioned, there are 2 phases. The first one should be straightforward if you used the tool named after Kyle’s Canadian brother ( i**-s*** ) and found the secret on the only other port the host is (seemingly) running.

Now the second phase is tough. I had the most difficulty with this one.
You have to think about what kind of connection you want to establish: you want to connect one host to another. You have to figure out the “left” and “right” sides. You can use things similar to wdcds, but you can also specify what kind of ptol you want to use. Figure out what side should be vague and what should be specific.
Also, you should think about what “type” of connection you are looking for. Maybe, the default one is not what you need…
Check out the man page about the i*c.cf file already linked in this discussion.

Lastly, the troubleshooting link in this discussion is a HUGE help, you will definitely need it to figure out what problem you have to solve.

I hope I did not spoil anything. Happy hacking!

I am stuck at the INVALID_ID_INFORMATION part on phase 2 can someone give me a hint please? I have tried every combination I can think of.

EDIT: I got it to finally connect. The problem I am having now though is that I am not able to reach the machines open ports.

EDIT: GOT IT! On to more enumeration to get user

Finally got root… if somebody needs help just PM me.
Edit: hats off to @clmtn @tabacci @strcpy and thanks for your help

Stuck at setting up the initial connection to get user. Using the ‘strong’ client but I’m missing something. I’ve studied the man pages and the support pages of the client with no luck. If someone could please PM me, I would really appreciate some help.

Same here @nsbyte

I’m being constantly timed out on /upl**d… is it a rabbit hole or is this box just buggy AF?

Just got to phase 2. Remember to carefully look at the used / included configs.
Reading the (sys)logs will really help a lot.

The best tip I can give:
Make a config in your mind and check the logs to see if the client is following your config.

Edit: rooted. enumerate, enumerate, read and understand how possible priv esc could work.
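The posts above (the phase 1 / phase 2 summary and the “check the logs against the config you have in mind” tip) boil down to reading the client’s log and mapping each notify to the knob it points at. The following is an added example of that triage, not code from this thread or from the strongSwan project; the log lines are constructed (documentation-range addresses) and modelled on the messages quoted here, and the cause wording is my own.

```python
import re

# Constructed charon-style log excerpt (not from the box): phase 1 succeeds, phase 2 is
# rejected with INVAL_ID, then a later attempt gets no reply and a third hits a proposal mismatch.
SAMPLE_LOG = """\
12[IKE] <conn|1> IKE_SA conn[1] established between 192.0.2.10[192.0.2.10]...198.51.100.5[198.51.100.5]
12[ENC] <conn|1> parsed INFORMATIONAL_V1 request 2352573931 [ HASH N(INVAL_ID) ]
12[IKE] <conn|1> received INVALID_ID_INFORMATION error notify
05[IKE] <conn|2> retransmit 5 of request with message ID 0
05[IKE] <conn|2> giving up after 5 retransmits
07[IKE] <conn|3> received NO_PROPOSAL_CHOSEN error notify
"""

# Rule table: (regex over one log line, phase it belongs to, likely cause).  The notifies are the
# ones quoted in this thread plus NO_PROPOSAL_CHOSEN; the causes are a defender's reading of them.
RULES = [
    (re.compile(r"IKE_SA \S+ established"), "phase1", "ok: ISAKMP SA established"),
    (re.compile(r"CHILD_SA \S+ established"), "phase2", "ok: IPsec SA established"),
    (re.compile(r"N\(INVAL_ID\)|INVALID_ID_INFORMATION"), "phase2",
     "peer rejected the Quick Mode IDs: leftsubnet/rightsubnet, protocol/port or "
     "leftid/rightid differ from what the responder enforces"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "phase1/2",
     "no acceptable proposal: ike=/esp= algorithms or PFS group differ from the peer"),
    (re.compile(r"giving up after \d+ retransmits|peer not responding"), "transport",
     "no reply at all: check reachability to UDP 500/4500 and whether your own address changed"),
]

def classify_line(line):
    """Map one log line to (phase, cause), or None when the line carries no verdict."""
    for pattern, phase, cause in RULES:
        if pattern.search(line):
            return phase, cause
    return None

def triage(log_text):
    """Return the distinct (phase, cause) findings in first-seen order (duplicates collapsed)."""
    findings = []
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit and hit not in findings:
            findings.append(hit)
    return findings

def furthest_phase(findings):
    """Highest phase that actually completed, so you know which knobs are still in play."""
    ok = {phase for phase, cause in findings if cause.startswith("ok:")}
    return "phase2" if "phase2" in ok else ("phase1" if "phase1" in ok else None)

if __name__ == "__main__":
    for phase, cause in triage(SAMPLE_LOG):
        print(f"[{phase}] {cause}")
    print("furthest phase reached:", furthest_phase(triage(SAMPLE_LOG)))
```

Feed it `journalctl -u strongswan` or `ipsec up conn` output; if the furthest phase is phase1 and the only phase2 finding is INVAL_ID, the ciphers are fine and only the left/right selectors need work.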

Hi guys, I’m having a weird issue: last night I got to phase2 using strS* and was trying to get past the sub****** issues, but when I tried to continue today, I’m stuck at ‘peer not responding’. Nothing about my config has changed. I tried resetting the box, restarting everything at my end, but nothing seems to work. Weird thing is, when I try it with charon-cmd, the peer does respond. Does anyone have any clue about what might be going on?

EDIT: sorry guys, you can ignore this. My htb vpn IP had changed, I’m an idiot.

Also stuck with the received INVALID_ID_INFORMATION error notify. Got tired of bruteforcing the left/right subnet param; if anyone has a nudge I’d really appreciate it…

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html

@nsbyte

I do know why I get the error – I’m just tired of brute-forcing to get the exact values that the server enforces…

I’m working on getting the connection up and running, but it’s fairly foreign to me. At this point I can see my machine sending out initiation requests, but I’m not getting anything back. I’m going to keep plugging away once I have some time, but a hint wouldn’t be the worst thing in the world.

Owned user, owned root with most of the help using the famous framework. Fun box.

Rooted! Nice box. Learned a lot about windows exploitation, also about a protocol I truly knew very little about. Thanks bashlogic!