
Find the secret Server


Connecting to their labs

sudo openvpn <filename>.ovpn

As you can see, you are attached via VPN to the network 10.175.34.0/24, but there are also three other networks. In each network there is a web server (you can access it by browsing to its IP address with your web browser) with the following IP addresses: 172.16.88.81, 192.168.241.12 and 192.168.222.199.

Goal

The goal of the lab is to configure your VPN lab environment in order to reach all the hosts in the networks!

Tools

The best tool is, as usual, your brain. Then you may need:

  • OpenVPN client

  • Web browser

Steps

Check your current network configuration

Before connecting to the lab, check your current routes.

Connect to the lab and check your routes

What differs from the previous output?

Visit the two web servers

There are two Web Servers at the following addresses: 172.16.88.81 and 192.168.241.12. Are you able to navigate them once you are connected to the lab?

Add a route manually

We know that there is another server at the address 192.168.222.199. Right now, we do not have any route set on our machine and we are not able to reach it. Try adding the correct route to that network and see if you can reach it.

Solutions

After connecting to the labs, check whether we are connected to the network:

┌──(kali㉿kali)-[~/Desktop]
└─$ ip a    
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:1f:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.8/24 brd 192.168.101.255 scope global dynamic noprefixroute eth0
       valid_lft 85879sec preferred_lft 85879sec
    inet6 fe80::a00:27ff:fea6:1f86/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:bb:c3:4d:50 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 0e:d3:1e:2c:9e:16 brd ff:ff:ff:ff:ff:ff
    inet 10.175.34.100/24 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::cd3:1eff:fe2c:9e16/64 scope link 
       valid_lft forever preferred_lft forever

We found that we are successfully connected to the network via tap0.

Scanning the Network

Here I'll be performing a ping sweep to find the devices that are currently on the network.

$ fping -a -g 10.175.34.100/24 2>/dev/null
10.175.34.1
10.175.34.100

Here we see 2 hosts on the network: 10.175.34.1 and 10.175.34.100.

We will now try to reach the servers.

Open the servers 172.16.88.81 and 192.168.222.199.

  • Both the sites are reachable.

Now I'll check the routes for the secret server at 192.168.222.199.

┌──(kali㉿kali)-[~/Desktop]
└─$ ip route
default via 192.168.101.1 dev eth0 proto dhcp metric 100 
10.175.34.0/24 dev tap0 proto kernel scope link src 10.175.34.100 
172.16.88.0/24 via 10.175.34.1 dev tap0 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.8 metric 100 
192.168.241.0/24 via 10.175.34.1 dev tap0 
                                            

As you can see, there is no route to 192.168.222.199.

We will go ahead and add a new route manually.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo ip route add 192.168.222.0/24 via 10.175.34.1
[sudo] password for kali: 
                                                                                                                                                                        
┌──(kali㉿kali)-[~/Desktop]
└─$ ip route                                     
default via 192.168.101.1 dev eth0 proto dhcp metric 100 
10.175.34.0/24 dev tap0 proto kernel scope link src 10.175.34.100 
172.16.88.0/24 via 10.175.34.1 dev tap0 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.8 metric 100 
192.168.222.0/24 via 10.175.34.1 dev tap0 
192.168.241.0/24 via 10.175.34.1 dev tap0 
                                                                                                                                                                        
┌──(kali㉿kali)-[~/Desktop]
└─$ 

Our route to the subnet 192.168.222.0 is now added successfully.
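
The route lookup behind this fix, as an added example that is not part of the original write-up: the kernel picks the most specific matching prefix, so before the manual route, traffic for 192.168.222.199 only matches `default` and leaves via eth0 instead of the VPN's tap0. The helper names `ip_to_int` and `egress_dev` are hypothetical; both route tables are copied from the `ip route` output on this page.

```shell
#!/usr/bin/env bash
# Routing table copied from the page's first `ip route` output (before the fix).
ROUTES_BEFORE='default via 192.168.101.1 dev eth0 proto dhcp metric 100
10.175.34.0/24 dev tap0 proto kernel scope link src 10.175.34.100
172.16.88.0/24 via 10.175.34.1 dev tap0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.8 metric 100
192.168.241.0/24 via 10.175.34.1 dev tap0'
# The same table plus the route added manually in the solution.
ROUTES_AFTER="$ROUTES_BEFORE
192.168.222.0/24 via 10.175.34.1 dev tap0"

# ip_to_int A.B.C.D: print the address as a 32-bit integer (hypothetical helper).
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# egress_dev TABLE DEST: longest-prefix match over TABLE, print the outgoing
# device for DEST (hypothetical helper; metrics and policy rules are ignored).
egress_dev() {
    local dest best_len=-1 best_dev="" line prefix net len dev mask netint
    dest=$(ip_to_int "$2")
    while read -r line; do
        [ -n "$line" ] || continue
        prefix=${line%% *}
        case $prefix in
            default) net=0.0.0.0; len=0 ;;
            */*)     net=${prefix%/*}; len=${prefix#*/} ;;
            *)       net=$prefix; len=32 ;;   # bare address = host route
        esac
        dev=${line#* dev }; dev=${dev%% *}    # word following "dev"
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        netint=$(ip_to_int "$net")
        if [ $(( dest & mask )) -eq $(( netint & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=$dev
        fi
    done <<EOF
$1
EOF
    echo "$best_dev"
}

for ip in 172.16.88.81 192.168.241.12 192.168.222.199; do
    echo "$ip before=$(egress_dev "$ROUTES_BEFORE" "$ip") after=$(egress_dev "$ROUTES_AFTER" "$ip")"
done
```

On a live system, `ip route get 192.168.222.199` reports the kernel's actual choice of gateway and device for that destination.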

Let's try to reach the web server now.

I did another ping sweep for the subnet 192.168.222.0.

┌──(kali㉿kali)-[~/Desktop]
└─$ fping -a -g 192.168.222.0/24 2>/dev/null
192.168.222.1
192.168.222.199
                                                                                                                                                                        
┌──(kali㉿kali)-[~/Desktop]
└─$    

Checking via web browser for the same.

So the lab is now completed.

Establish the VPN connection to the lab. If it's your first time in Hera Lab please refer to this manual:

https://members.elearnsecurity.com/lab/manual
Find the web page of the secret server.