Forward VPN traffic from ProxyVM to AppVM

For a few days I’ve been trying to get a ParrotOS Qube to receive a reverse shell from a HackTheBox machine.

Sidenote: Hack The Box is a massive, online cybersecurity training platform, allowing individuals, companies, universities and all kinds of organizations around the world to level up their hacking skills. So this is legal!

My setup:
ParrotOS Qube → ProxyVM → sys-firewall → sys-net

  • ParrotOS based upon a ParrotOS template built with this how-to (Option 2).
  • ProxyVM is a minimal Debian template set up as a sys-tunnel that connects to the HackTheBox network.

I can connect to the HackTheBox machines and HackTheBox shows me as connected. So the ProxyVM works… now when it is time to reverse shell to my ParrotOS Qube I get stuck.

I’ve tried to be able to ping my ParrotOS Qube from sys-vpn-htb, to no avail, using this how-to. Before that I’ve tried this how-to to allow outside connections from HackTheBox to the ParrotOS Qube.

Basically what I want is for all traffic on tun0 on my sys-vpn-htb to be forwarded to my ParrotOS Qube. If possible even restrict it to IP ranges like 10.10.11.*!
It seems my lack of Qubes + iptables knowledge is killing me right now!

With kind regards,

Hope this still may be of any help.

Considering your case


The VPN tunnel is established in HTB_FIREWALL through openvpn and a tun0 interface is created.

Establishing the VPN tunnel is like positioning our HTB_FIREWALL inside the HTB network.

Packets from the HTB vulnerable machines are now able to get to our HTB_FIREWALL.

However, although packets actually reach our HTB_FIREWALL, iptables comes into play to decide what to do with such packets.

By default Qubes configures iptables on the machines to drop all the incoming packets except for the ones directed towards the localhost interface.

We have to allow incoming packets for tun0 to be accepted by iptables.

We go in HTB_FIREWALL and do

sudo iptables -D INPUT -j DROP

sudo iptables -A INPUT -i tun0 -j ACCEPT

sudo iptables -A INPUT -j DROP

So now we have tun0 whitelisted.

This means we are able to accept incoming requests originating from the HTB vulnerable machine to our HTB_FIREWALL

But now we want to forward this incoming traffic from HTB_FIREWALL:tun0 to HTB_VM:eth0.

Always inside HTB_FIREWALL we do

# create a NAT pre-routing rule to make the packets' destination become HTB_VM
sudo iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <HTB_VM_ETH0_IP_ADDRESS>

# allow to perform the actual forwarding
sudo iptables -I FORWARD 2 -i tun0 -d <HTB_VM_ETH0_IP_ADDRESS> -j ACCEPT

Now we have to allow our HTB_VM to accept the incoming traffic.

We whitelist the source IP by using <HTB_MACHINES_IP_RANGE> (the range or the IP of the target box).

We go in HTB_VM and do

# allow incoming requests from HTB_FIREWALL
# (-I inserts at the top of INPUT, so the rule is evaluated before the chain's final DROP)
sudo iptables -I INPUT -i eth0 -s <HTB_MACHINES_IP_RANGE> -j ACCEPT

This should make you able to reach your goal.
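
The delete / append / re-append sequence in the answer above exists because iptables evaluates a chain top to bottom. As an added example (not part of the original posts), the function below reads `iptables -S` output and lists rules that can never match because an unconditional ACCEPT, DROP or REJECT sits earlier in the same chain. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# Reads `iptables -S` output on stdin and prints every rule that follows an
# unconditional terminal rule ("-A CHAIN -j ACCEPT|DROP|REJECT", no matches)
# in the same chain. Such rules are never evaluated.
# Jumps to user-defined chains are not followed.
shadowed_rules() {
    awk '
    $1 == "-A" {
        chain = $2
        # An earlier catch-all already ended this chain: report the rule.
        if (chain in closed) { print; next }
        # No match options between the chain name and -j means "every packet".
        if ($3 == "-j" && ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT"))
            closed[chain] = 1
    }'
}

# Constructed sample: ACCEPT for tun0 appended after the final DROP,
# which is what a bare "-A INPUT -i tun0 -j ACCEPT" would produce.
sample_appended() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -i tun0 -j ACCEPT
EOF
}

# Constructed sample: the chain after deleting DROP, appending the ACCEPT,
# then re-appending DROP, as in the answer.
sample_reordered() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j DROP
EOF
}

# On a live qube:  sudo iptables -S INPUT | shadowed_rules
```

Empty output means no rule in the listing is hidden behind a catch-all; any printed rule needs to be moved above it.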