Going through some material at Hack the Box (HTB), I came across various lessons that I couldn’t get past. I’m not fluent in NetCat, and it comes in many different variations, so I got stumped with the content of the course. The course content details setting up a listener using NetCat. The methodology however, isn’t compatible with the Workstation VM’s being used. A slight change needs to be made to the flags.

The Issue

In courses, like “Attacking Authentication Mechanisms,” there are two lesson that require a valid listener on a port. They use Net Cat like so:

nc -lvp 1337

If you do this on a Pwnmachine (HTB Workstation VM), it will bind to 0.0.0.0

The problem with this bind, is that the course lessons request you tamper with content so you get traffic to the VM ip (an internal IP). However, with a bind to 0.0.0.0 the connection attempts will be refused.

Steps to Reproduce

Thankfully the steps to reproduce the problem is pretty easy.

1. Open a shell and run the command from the lesson: nc -lvp 1337
2. Open a browser and go to http://[the VM’s internal IP]:1337

Result:

Connection is refused. This will fail on all the lesson material.

Resolution

To resolve this issue, the NetCat listener should specify the local IP:

nc [internal IP of VM] -lvn 1337

Now it’s listening to the internal IP on port 1337. Rerunning the attack vector in the lesson should now work. For example, in the lesson on uri_redirects for OAuth tampering, if you use Burp Suite to intercept the requests and send a tampered URI_Redirect (as specified in the lesson), it will now attempt to go to the IP the NetCat listener is bound to and you’ll see the data you’re looking for.

Use the Pwnbox not a VPN

One other bit of advice. I could never get this to work over VPN. Using the VPN from HTB, it never quite worked out for me, so I suggest that students use the Pwnbox that you can spawn in a browser.