#red-team-capstone-challenge
and joined again? and ips didn't change?
yeah i had done that
gonna see if it works now
huh, the routes are all good now automatically...
but still nothing
oh wait had to redo the routes, all good now??
kinda
ehh, still broken ish
maybe at some point the creator can help me out but for now, really unfortunately can't progress with this network
There are multiple ways in. If one route is not working out for you, we highly recommend you change your approach, enumerate more, and try another one.
I have demonstrated a few ways on stream -- dm me and I'd be happy to help with nudges
i have a question, sorry if its been covered: ive managed to get a foothold on the interior machines and get the first flag, but after getting admin on some of these machines (and some other machines via pivoting), not sure which category this might be for Tier 2 or whatever flags? the e-citizen tool rejects the hostnames
i might not have breached far enough
is this normal that i had to manually add routes for the file ||corpusername.ovpn|| ?
||(it was routing to 10.2001.21 and 10.2001.22)||
10.200.x.21 Is there anyone who can't access RDP?
2 day RDP can't access me
@sweet patrol -- so Workstations are "Tier 2" and servers would be "Tier 1" -- does that help?
I'll dm you
ive already dmed you!
maybe i do Leave room again join room
bad network
why can't access RDP
I haven't been able to do anything for two days because of this
I'm stuck in the same place even after leaving and getting a new subnet myself
The network likely isn't bad -- to access that machine you need|| to have two VPNs set up||. Make sure they are both set up, and both are configured properly.
Finally, that's only one of many attack paths. In a real red team engagement or pentest, if one way doesn't work, you need to go back to enumerating to attack a different path. That's very realistic.
Back on stream -- come join and let's learn together!
https://hacksmarter.live
anyone know why this is happening? i followed the directions and even set permissions on the file and folder to 777 (this is for VPN machine root flag)
network was just reset as well
Stop using remmina and go for xfreerdp
THE FIRST DOMAIN HAS FALLEN!
I successfully get Domain Admin permissions on the first domain in this video. Details are in the description - as usual, don't watch if you don't want a spoiler!
This is the 6th video working through the "Red Team Capstone Challenge" by TryHackMe.
This is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organisation, perform lateral movement, and fina...
You still having this issue?
Ah I see, someone actually overwrote the entire SSH config... Not very nice of them. You can see here that e-citizen's connection to the host is gone. Will probably require a network reset if you want to verify the flag here. But if you have gotten this far, might as well push through to the WRK machines and verify the first three flags on one of those
yeah it's still happening and the network was also reset. i think i will take a break for tonight though. thanks so much
Gave +1 Rep to @trim beacon
Any chance the platform can issue Certificates of Completion for this lab (similar to Throwback)?
Hi guys, I'm getting the same issue above where the ||corpUsername.ovpn|| VPN file routes me to a public 172.32 network which I don't think is correct, am i doing something wrong?
DM me the remote IP from your redteamcapstonechallenge.ovpn file and I'll take a look to see if I can see something there
Will ask, but you at least get a new badge
Jip, just gotta figure things out
sounds good sir thank you 
hey bud. i found this a little inconsistent. yesterday it was routing me properly to 10.200.X.21, 22, today im getting 172.31.5.21, 22
if it's part of the challenge that's cool, i'll smack my head against it a few times
fixed it with ip route add 10.200.116.21 dev tun0
Going to say this once more and pin it and start referring challengers to this message. This network has multiple attack paths, we are also making slight modifications to the paths in cases where we see that too many users are relying on a specific path.
For this reason, in most cases, you can't just watch a stream and follow the exact path that they performed on stream. Chances are something will not work exactly right. Also, sometimes things just break. Go watch @quaint knot's last video (Part 6), where his socks proxy just simply died. These are normal challenges you will face during a normal red team engagement.
If this happens to you:
- Follow a debug approach to try and figure out what exactly changed or is different, and how you can overcome this hurdle
- Leverage your knowledge that you have gathered during the red team learning pathway to explore other paths
- At each stage, there are at least 2-5 different ways of doing something. If one path does not work for you, try a different attack approach. See THM staff as the client, during a red team engagement, you can't call the client every 5 minutes to double check something during a red team, you simply provide them with weekly updates.
We will continue to make certain attack paths harder until they are in balance with the other ones. Therefore expect changes where "things that worked yesterday", won't simply work today. See this as Trimento applying patches to make their estate less vulnerable, same as what would happen on a normal engagement.
However, for the following requests, I'll be more than happy to assist:
- Not being able to redeem flags cause of an issue with the flag system
- E-citizen giving an issue that does not allow you to authenticate or recreate your mailbox
Ah I understand, thanks @trim beacon. I'm not watching streams or anything. Appreciate it!
Gave +1 Rep to @trim beacon
ah, i see ok
really gotta start seeing this as a real red team engagement, and not a CTF
All good, I'm just answering the same questions on the same attack path roughly 20 times a day. So thought time to stop and have users debug a tad bit further. Best of luck on your attack journey!
I can imagine that gets annoying haha, thanks for the info though!
Honeypot VPN never works
Find a real working VPN
That is the aim here, and also why we don't just want to give challengers the full answer for a specific attack path. With multiple routes, it is an acceptable risk for us that a specific attack fails, since that really simulates real life, which then forces users to take another path. Once the challenge has been out there for quite a while and a user is really looking to focus on a specific technique, more than happy to make sure that exact path works for them.
all of life is a CTF, if you squint hard enough, including this
i rust scan my breakfast in the morning
What was working 5 seconds ago, it may not work after 5 seconds.
When you find a possible way, the only way is to never go to rest and continue.
You're gonna wake up the next morning and do it? Tomorrow the way will be blocked and see hell.
I also want to be a staff and try to stop people from succeeding
I think it would look really funny to see you keep trying because you couldn't do what you were doing yesterday
This is a great tip. Never quit what you're doing
Don't take a shower, don't eat, don't sleep.
After 5 seconds, everything you did will be blocked
It does seem somewhat unfair that people who didn't start immediately and grind like crazy will now face a harder challenge.
I was going to follow the same path people are now complaining doesn't work for them, but decided to go through the red teaming path as quickly as I can while still retaining the material, so I can be equipped to proceed further, but I am feeling quite discouraged just reading this channel.
By the time I come back to this network, it'll be too difficult for me with the easier exploitation paths patched up to make them unattainable.
We only get the chance to do this for a limited amount of time.
yes, you're 100% right.
Obviously, yesterday was a lot easier than today.
As time goes by, there will be more difficulties than the first start challenge, and many people will give up halfway.
Yo @trim beacon how long did it take you and the team to make this?
eh seems the same as yesterday for me as it does today
We have to lower the patch to the "BABY VERSION"
By all means, you could make it harder for when it moves to business only using whatever data you gather so the write-ups wouldn't be a lifeline, but for now, doesn't seem fair like I said.
The modifications that are made are minor. The overall attack will still work, but will require you to apply knowledge to get it working for you. For this first month, no attack path is fully removed or new ones added, just modifications made. At this point 99% of these modifications are aimed at a single breaching path, since there are 5, and it seems that 99% of users just choose the one. We have not yet made any other major modifications to the network.
No part of the network has been patched up since release. Just got to try and find the multiple paths that have been constructed and laid out. You got this!
Six months is total. About 4 months development and about 2 months of testing time
Scroll through the messages in this channel. 99% of the messages asking for help on the network breach deals with the exact same attack path. We created five paths, and are therefore bringing this path into difficulty line with the others.
I bet lots of it goes over my head but just generally exploring the network I have to appreciate how much work it must've taken
Thank you! Take your time and have fun with it! While it will be nice to complete the challenge, exploring it will give you the same learning experience!
Gave +1 Rep to @digital plaza
It seems to show that this particular path is (was) the easiest path to take if the majority are finding and trying that one.
Oh also is the eternal blue Easter egg somewhere deeper in the network or was that just a joke
Because I've been looking everywhere for it
Absolutely, which is why we are bringing it closer into balance with the others. Like any good game, balancing the "meta" is important
Lol there is an unused easter egg in the network, but it isn't eternal blue. I would really be super surprised if anyone finds the easter egg. What it was meant for we never proceeded with, but the easter egg is there
I'll find it super fast considering how I think don't you worry
I'll even go as far as to say if anyone can find the easter egg (and you will 100% know when you find it), I'll personally (out of my own pocket) buy you a 12 month THM voucher
I personally don't think it is the easiest path. Just happened to be the path most found, probably due to the streams.
I don't know yet cause I have no idea what the other paths are. Found that one pretty quickly with the enumeration knowledge I had... but got stuck immediately after so figured I don't have the knowledge to go further without the red teaming path
For some reason my VPN keeps restarting, is anyone facing the same issue or faced it and then fixed it ?
I have regenerated the OVPN file a few times now but that doesn't fix the issue
Your redteamcapstonechallenge VPN?
yes
Send me the remote IP in that VPN file
Shall I DM you the IP ?
?
Yes
Open the ovpn file and send me the IP you have in there for remote
one dc down, boom. nice network @trim beacon reminds me a lot of OSEP
tempted to try the room again
Well done!!
If you do, just choose an entirely different attack path and you will have lots of fun! If you went for VPN, go for CMS this time. If you went for WRK1, go for WRK2. If you do that, you will find a lot more in this network
yap, thats what i mean
Hey @quaint knot, could I drop you a DM real quick?
I was just wondering if that was an option, not that experienced in web app attacking so didn't know
I went to verify my first flag, after making sure it's there, and got an ssh public key access denied error. Is this a bug or do I need to 'git gud', as the saying goes?
I can provide more details tomorrow if this gets traction, off to bed for now
Is this an error you're getting in e-citizen?
@hidden galleon I can reach e-citizen but not mail web and vpn. I had to download a new openvpn file because the old one was just resetting over and over again
Hi guys, I have a problem, I'm connected to the internal VPN but I can not reach any internal hosts, I don't get pings or anything from WRK1 and WRK2
which I already breached yesterday
same
both VPNs seems fine (external and internal)
Looking at the internal vpn screenshot now I notice for some reason I'm being directed to 172.32.5.21 instead of 10.200.103.21, now I wonder if something changed overnight in the challenge
Okay this solved it, I guess they changed the challenge during the night.
the lab is just reset but my internal vpn connection is stuck on a restart loop
2023-05-19 09:55:55 Initialization Sequence Completed
2023-05-19 09:55:55 Data Channel: cipher 'AES-256-CBC', auth 'SHA512', peer-id: 0
2023-05-19 09:55:55 Timers: ping 5, ping-restart 120
2023-05-19 09:55:57 Connection reset, restarting [0]
2023-05-19 09:55:57 SIGUSR1[soft,connection-reset] received, process restarting
2023-05-19 09:55:57 Restart pause, 1 second(s)
14: capstone: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.50.114.44/24 scope global capstone
valid_lft forever preferred_lft forever
inet6 fe80::623:1092:adf:c83f/64 scope link stable-privacy
valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 12.100.1.8/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::c4c:7fc3:d65c:5cff/64 scope link stable-privacy
valid_lft forever preferred_lft forever
@fiery frost dm me
#red-team-capstone-challenge message This has been present for a while actually - but great job fixing it, that is the way
Yesterday I just downloaded the vpn file (although in a slightly different way which I dont want to spoil) and it worked out of the box
This is because someone tampered with the host in your network. Your two options are to vote reset the network, or to just do your further compromise and then verify the flag later
I knew there had to be some way through the CMS...
Can someone help me confirm if there's something wrong with my subnet? I know where the ovpn file is, changed the Xs but I have only been able to reach 2 servers once and it crashed after 10 minutes and didn't work again... Now when I use the ovpn file the IPs are showing external IPs rather than internal to the network.
Can you ping the .12 machine on your subnet?
yes
Then your subnet is ok, and the issues you're experiencing are because that particular path is unstable (by design).
Try looking for another way in!
You can also run through a debug/troubleshooting process with this path if you'd like, but that is part of the challenge.
whats the debug process?
I'll suggest you try researching the term on your own at this point!
Thanks for pointing that out, I'll keep it up and wait for a reset before validating again
Gave +1 Rep to @trim beacon
Sure!
@sweet patrol yo man ; can i dm you ?
I got a problem with the second vpn where new addresses start with 172 for the .21 and .22. I read that this is a stabilization issue. After retry the vpn now continues to reset. The network is still up so no clue what the problem is here. Any suggestions?
Search for another way in, there are 4 more!
Fellow hackers , might someone help me to transfer some money to my offshore account? Quite dont understand the transaction chain.
I will do share
there are 4 ways to get initial foothold or first flag ?? thats cool !
Hello there, found a way to get the first flag, but the validation is not working because (I guess) somebody messed up with the ssh keys. Except reset the network, nothing else to do ?
If you leave the room, wait a min, and join it again, you might have another subnet assigned, which will allow you to continue on a more stable network.
OK thx for the advice !
So ive managed to make it to the .22/.21 stations. But im stumped on how to access the webserver on the external network. Ive only received errors trying to access. And I remember when authenticating it said there was additional info. So if someone can point me in the right direction or a room on how to access a mail server.
Which webserver?
.11 ?
sent friend req
Yes. When doing the authentication for the first time you are given an email and it mentions further information will be in it
Have you enumerated the WebMail?
Yes or at least scanned it and dirbusted it
So you found the IIS page?
I didnt find anything of use last night. Im not currently attempting anything. Was going to on my lunch break so figured id ask ahead of that
But just to confirm, the IIS page was the only one you found?
I dont think i found an iis page unless i missed it
You didn't visit 10.200.xxx.11 ?
Ill give it another look in 30 mins. Yes i got a windows page
Ok, now you know from your network diagram there is something there, what do you think is at work here?
for sure! just confirming and hinting you can get more out of it
Maybe an nmap with the correct flag will give you a hint.
Ill put some more time on the mail server. I know when i tried each port to connect to it i just got firefox has closed connections. But ill do a more indepth scan during lunch
breached the perimeter

waiting for the first writeups to get released because shadow feels stuck on this
Oh...
What part are you stuck!?
all of it
not figured out how to even download the vpn file....(technically shadow knows just they are busy with other stuff and get distracted so have not done it yet)
haha ; shadow and alpha feels the same !
Do you know where it is?
access page right??? under the networks tab???
probably just waiting to the first of june when the competition period is over and then having fun reading the writeups and learning all the stuffs
u talkin' about the main vpn ?
or shadow could go scope out the vods from the streams
well you need to connect to a special vpn for network rooms
the main vpn or the vpn u talkin' aint busy ; thats ur personal one ;
oooh yeah the vpn is not busy... shadow is busy
There are multiple ways to tackle every stage of this challenge. Unique path combinations for the whole attack chain are in the 1000s.
it is a very big difference
how many ! did you have to use to calculate that????
haha
the math meaning of ! not the programming meaning
It wasn't me who calculated, but it's basic math, you know how many different ways there are from each node and you multiply away
Ah, got your question now - not me who calculated, so I can't say how many (and also that would reveal how many nodes, so don't really want to do that)
yuup fair
lets just say there is a 1/8192 chance shadow can tackle this room on their own.... or about the chance to get a shiny pokemon in the gen 3 games
I believe in you!
omg, freerdp supports PTH?
that makes persistence much easier
wait nvm this only works on old windows :(
or restricted admin ig
although once you have the hash you can enable it with winrm so it would work out
yooooo you guys killed my domain admin persistence by voting to reset the .116 network -- Time to pivot
We're on the same boat , came back to see the network is reset 
Unfortunately, I think people assume the network is broken because their specific attack path isn't working. As a result, these networks keep getting reset -- even though they aren't actually broken
Btw , sorry tyler didnt mean to put you off the rdp session from first domain controller
Ha! I wasn't actively doing anything. I was just getting back to the point of where I was at on my last stream for when I stream later. I also created my own AD user with Domain Admin rights and that's what i was using -- so unless you RDP'd as "TeneBrae93" then you're good
Tell me about it, I was on one day and kept getting kicked because someone was logging in.
I preferred doing it before it was released
That's probably my only frustration but there isn't really a fix on the THM side. I take the time each time to establish real persistence by making my own accounts, access, etc. but I have to re-do it every single day so... it's not really persistent since users keep resetting my subnets!
I just could not resist poking you there
Can you imagine if TryHackMe did NOT have a streak requirement? How often these networks would be reset?
it seems like 5 votes to reset is a little low, maybe they should make it 10 votes or something
if they can
I had a solid 8 hours today without a reset, feeling lucky. My only suggestion would be the network reset should be initialized by moderator if there is a request submitted on unresponsive host , or make it single time overnight.
Cause at present moment a single user can initiate restart every 5 hours just out of frustration.
Daily restart is fine for me , since a lot can break in the shared lab environment. Coming back to where you left is quite easy once you minimize the set of actions needed.
TeneBrae93 is Domain Admin again, now please don't reset networks
is that a play on of the old latin word for darkness???
WOW YOU ACTUALLY RECOGNIZE IT!!!
yes
You're like the first person ever to recognize where my username comes from
haha more darkness and abyss and void lovers
I got access to swift application as my first flag and haven't breached the perimeter yet. Am I doing something wrong or is it that non-linear?
would assume the network is not necessarily super linear
but what does shadow know that they have not touched at all yet
pressing that reset button
Forget Swatting, THM users do resetting
Its a late time for me , so best of luck Tyler with the network and on upcoming stream if you will do it!
I finished my pentest report for a client, so I think I have some time this afternoon. Should hopefully be on stream shortly
lol me too tyler! itching to get back to the THM network
Live now! Come learn with me!
https://hacksmarter.live
resetting was rough was doing medium dirbuster had to restart is sad life
yeah persistence is hard with resets. can you just yoink the hash and then have infinite persistence across resets?
(Pass-The-Hash)
Oh wow, I get to watch live!
so I just got started and the timer for extend was already running, I didn't (have) to press start because the timer was already running but from what I understood searching this chat the network is stuck now I had waited before for the timer to run out just so it was extended again automatically. I'll be honest I don't understand it at all. and I also don't understand why the staff didn't add screenshot instructions on what (not) to do instead of the sentence that will have noobs jump off a cliff. No offense though. Also I have no clue when to use reset. It's currently 4/5 but I don't want to ruin it for others because I know it's super frustrating when that happens and it seems to happen a lot
Does the network diagram say the network is running? Are you connected to the redteamcapstone VPN?
the network says uptime 1h 3m and extend(1h26m)
Top right corner - does it say Running in green?
yeah
Ok, have you successfully connected to the network VPN?
i was kind of able to register
it did say something went wrong but then created the acc
Ok, so you can ssh to e-citizen? Can you ping the .12 machine?
nothing happening so I guess that's a no
There should at least be an error message of the network is stuck/locked.
can I share a screenshot of the IP I'm pinging?
You can use spoilers to hide it.
So I pinged the ||10.200.1*.12||
1sec
yeah I just thought it was because I wasn't authenticated but I am again and still no response at all for that ip
I can screenshot it if you like
U gotta leave the room for couple of minutes ; and join again ; regenerate the vpn and connect
U would be joined in different subnet
No need to screenshot, steps given by alphaOmega should help, but I'd appreciate a dm saying what subnet you were connected to
so I just got the message that it is now resetting should I still leave and join again?
sure
Reset should fix it too! Just remember to give it ~15 minutes for all the config scripts to stabilize.
if we use phishing, should we wait a certain amount of time ? or the mail have to contain some specifics details to trigger the opening ?
are you supposed to be able to send email from the email they give you?
getting connection refused when trying to send email
getting Mail server configuration error. Too many recursive forwards..
I would recommend crafting your emails with care
Yeah with gophish it works fine
Yes, you should be able to send emails - you need to configure your email client correctly though
Got it thanks ! Gonna review my campaign
Gave +1 Rep to @hidden galleon
am i supposed to be using port 25 or the one with tls
Client ask you for protocols, check on which port they are running
I was about to say - you're on your own with details, that's all the nudges I'm giving, research if you need to!
thank you!
i think i'm just not sending it to the right email
NOO i triggered windows antivirus which deleted the whole way of doing privesc 
Back on stream if anyone wants to hack together
https://hacksmarter.live
The Blue Team Matrix has you.
OKAY I think I am taking the weekend off friends! Streaming every single night is getting much -- and I think I've been on stream for 3 hours today!
ROOTDC has fallen at least
https://youtu.be/Td_Krk1S3yg
This is the 7th video working through the "Red Team Capstone Challenge" by TryHackMe.
This is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organisation, perform lateral movement, and fina...
oooh was just about to ask about vods
hey just a sanity check please; if i can't query the rootdc with commands like get-aduser etc, it always failing saying active directory services are not running, is that intended or an issue?
this is from the corpdc. trying to get its sid
nvm, i think it might have just been a peculiarity of my shell. adding a user to the dc and remoting in over mstsc seems to have fixed these commands
four flags to go!!!
you got this!
almost got privesc on both wrk1 and 2 but taking the weekend off
hiya again. email from @trim beacon (nicely done by the way) advises that once i find the swift website, more details will be provided to me? is this automatic or is there something i need to do to trigger it - have the website open
If you have the website open, on e-citizen say submit proof for flag 17 and it will kick off the process. The end is near!!
Good luck with the final goal execution!
just a note, there seems to be an issue with the e-citizen authorized_keys on the .116 subnet. didn't affect getting the first flag, but looks a bit boned (prints maybe a dozen of these):
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:HaDm9ACgV3jW0WzWgixDjckkkgx/29ax6jq4RuA0gFI.
Please contact your system administrator.
Add correct host key in /home/e-citizen/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/e-citizen/.ssh/known_hosts:2
remove with:
ssh-keygen -f "/home/e-citizen/.ssh/known_hosts" -R "10.200.116.201"
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
I'll take a look and see what is happening there. All ssh host verification should be disabled. As long as you can get the flag I'm happy
I did also encounter same behaviour in e-citizen as aquinas did. But i was able to submit it. Also is it possible to DM you to report possible misdeployment? @trim beacon
sure. misdeployment of what tho
That might give away some hosts on the network, i would love to clarify first.
boom
great lab @trim beacon - would be good practice for people going for OSEP i reckon
Yes please, send me screenshots as well as the server IP in your VPN file
Congrats on completing it! Glad you liked it! Remember to submit your report if you want to enter the competition!
has someone good resources about bloodhound-python, or encountered any dns-tcp problems with it and was able to resolve them? I'm always getting ||TCP port 53 answered The DNS operation timed out.|| thrown and don't know if it's proxychains or a bloodhound-python issue
Are you proxychaining? Cause that is only TCP? Do you have the -dns-tcp flag added?
yes i am proxychaining and i added --dns-tcp I have the issue on my machine and tried it on the attack box, i think i'm missing something
Feeling accomplished and grateful after completing the Red Team Capstone Challenge! Massive thanks to @trim beacon and the entire team for putting together such an amazing lab. The e-citizen and your own working mail implementation added a whole new level of realism, and were hands down one of the most unique and innovative features. Kudos to everyone involved!
Gave +1 Rep to @trim beacon
Glad you liked it! Congrats on completing it and thank for the lovely feedback!
Gave +1 Rep to @broken nest
Mmm, it might be, Tyler did that I think on his second last or third last stream? Remember there we also had some issues with getting the correct flags to be used. Might be good to check that out? In his case it was the TCP for DNS flag
I've had similar issues in the past. As a workaround for smaller lab scenarios where ip-addresses and hostnames are known you can trick bloodhound and use DNS Chef (https://github.com/iphelix/dnschef). You can simply use a config file where you plug in all the addresses and hostnames and basically fake DNS responses from the DC / NS. But as mentioned, this is not really applicable for larger or unknown environments, but should work in this lab.
Ok, thank you, i'll try both
yo hackers ; Is red teaming more about making things / tools work rather than exploits ? ; cause i am having hard time debugging and changing tools to work than doing exploits .
Is this also the case in real engagments or ?
hi to you all, might be dumb, BUTTT. should WORK1 and WORK2 be reachable from BANKDC? also in the .116 network
Yes , why you assume they shouldnt?
both seem to be unreachable, I have an enterprise admin in rootdc and i am able to RDP in BANKDC, but no connection to neither of them, might be the network or something that I am missing. Thanks!
Gave +1 Rep to @broken nest
You have an rdp connection on bankdc and cant ping them?
Exactly, it does indeed timeout, the DNS resolution is correct due to the ping command shows correctly the IP of the machines
You can DM me so we wont spoil anything to other users.
if someone has similar issues i'll recommend watching ||https://www.youtube.com/watch?v=4ydjpSSKQ8g|| resolved it. Thank you @trim beacon @stiff pawn
Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
An educational look at cyber security, this time on Hak5:
Source: https://github.com/fox-it/bloodhound.py
Usage:
- PIP: pip3 install bloodhound
- Docker
- docker build -t bloodhound .
- docker run -v ${PWD}:/bloodhound-data ...
Gave +1 Rep to @stiff pawn
I'd suggest you watch Al's streams of this challenge. Took him 3 hours to get a working phishing payload to bypass AV to get a connection back. Constant debugging and innovation is a must for any red team
π π¦Ύ
All the way to the swift part and people vote to reset the network when it's working fine. Lost connection π
Samee, 2nd time reset today, I've had to do all breaches and set up persistence every day only for it to be reset the next day π
if someone voted to reset the network they should provide a reason to. when 5 votes are reached a staffer should do it manually after reading the reasons and confirming a network issue
but that might be too much for staff
idk

But then you'd need to wait until a staff member reviewed it, staff aren't on 24/7.
Which means it could take longer for the reset to happen.
for me personally, i'd rather wait 24 hours than redo everything :|
i know redoing everything won't take 15 minutes
but its annoying doing it 6 times in a single room

but das just me
because people will reset the room for an issue not even related to the network
could anyone drop a hint for the approvers account? been struggling for a while now, can DM for not spoiling
I just started network an hour ago and someone already voting to reset

Back to being live on stream for a little bit. Come join!
https://hacksmarter.live
so... what happens if the network reset while having e-citizen waiting for my "Y" for flag 19? because now it says to me that i already have a verification attempt (the transaction obviously does not exist due to the reset) and none of the options work, the "Z" throws a Python exception
I have the same issue with flag 18 on network 118. They reset the network as I was submitting, now it is stuck in this loop...
@trim beacon any way we can fix this?
The transaction for flag 20 will be broken too (I suppose)
Authenticate to e-citizen, press option 2, and then say reset swift progress and you can just start over from flag 17
neat
@trim beacon Please give private subnet to @quaint knot for streaming, as his stream is very educational. Hate him to get frustrated while juggling broken subnets. Thanks! feldmanslv
Perfect, thanks mate and respect for the work you did... this is an amazing network
Gave +1 Rep to @trim beacon
The bank has fallen, thanks @trim beacon for the great and fun network, awesome job!
Gave +1 Rep to @trim beacon
Yeah I'm having some chats with him. Want him to give it one more try and if that doesn't work I'll deploy him into the HOLD network to allow him to finish the challenge
Glad you are enjoying it!
Congrats and thank you!
Gave +1 Rep to @tame island
Thank you very much for this and for the great work you do/have done!
Gave +1 Rep to @trim beacon
I spend hours on getting my domain account and reproing all my steps, and another reset
someone placed password on vpn server account?
I think we're in the same network. Someone disabled ssh password access to the .250 server
I have a working network, time to make Trimento fall. Come join!
https://hacksmarter.live
Hey guys! I'm having issues connecting to the network here. I can ssh to e-citizen but when I verify my email access it's saying no route to host. Also, not able to access any of the public facing services... is this on my end?
can you check your routes?
sometimes I needed to add the routes manually
otherwise might be an issue with the network, I would leave the challenge, wait a min, join in and get a different subnet
yo hackers ; I need help on submitting the flags LOL ; like which host --> which flag no !
i am EA ; had only submitted 1st flag
Each host should had flags which we needed to submit like in ctf's ; haha
the challenge was fun --> submitting flags aint
How can i do this as my route info looks ok...
on the room, right corner on the gear icon, leave room. Wait a min, refresh the page, join room
download the connection of the lab again and you should be good to go
nvm ; It was network issue !!
Got it going!! Thanks so much!!
Gave +1 Rep to @viral yew
VICTORY!!! Final video will be out soon. Then I'll have a FULL walkthrough from perimeter to goal execution on my YouTube page
congrats!
Exploiting AD room talks about tiers. But general rule of thumb is tier 2 is workstations and then you can take it from there
8th and final video in my Red Team Capstone series where we successfully submit a fraudulent transaction and complete the network!
https://youtu.be/K_rybcJkxyo
My persistence has been reset again
10.200.117?
isnt the swift bank web page and dc accessible after connectin' internal vpn ??
it was there yesterday days back ; lol ;now i cant reach even using proxies .
I am experiencing a problem while connecting to the corporate VPN. It assigns me a 172.x.x.x IP address, which prevents me from successfully pinging the internal resources, wrk1 and wrk2. Can someone please assist me with this issue?
Bruh, I just set up persistence 5 mins ago and someone already comes and breaks it
You either have to manually add the routes or look for another path to access it
Can people PLEASE start being considerate in a shared network. EG, if you need to add yourself to the file for a user don't remove others.
This, exactly, Please append yourself into the file rather than clean copying just yourself.
Doesn't surprise me you can do more, was just thinking you could
||Search for any Higher Privileged accounts > and use something to get it to (Maybe Directory Traversal?) download and boom you have a higher privileged account, although can't test it as dont have access to the network||
any mod available to help?
How can I hack "BANKDC"?
already did that a while ago
sorry for bothering Jay, I've reset my swift progress in order to take some screens for my writeup
when I access the e-citizen platform, I get the following warning
Although it is possible to confirm Flag 17, I am not able to complete the transaction for the 18 Flag
But after a reset I've been able to so I was just confirming the situation
The keys shouldn't be changing
@trim beacon i mean my verification of SWIFT Approver Access is broken, the lab has reset and i haven't validated it and now i have this message:
You already have an active compromise attempt, printing details
You already have an active SWIFT check. If you cannot remember your SWIFT details as required, please use option Z to reset the check
i cant reset it and the transaction is not there anymore
what happens when you try to reset the swift progress in the e-citizen?
need help with that? Give me a nudge
what does "nudge" mean?
@viral yew
sorry, probably got the wrong wording. I meant I could help.
never had that before, even after a network reset?
have a way to contact support?
One thing you could try is to switch networks. Leave the capstone challenge room, wait a minute, join it again and you might get thrown to another subnet. Then repeat the process to check if it is related to the network or your user. Or ping a mod or @trim beacon
You should be able to fully reset your swift progress by authenticating to e-citizen, pressing option 2, and then full swift progress reset
so success
Even with the error the reset should have taken hold. Do you still have an active attempt?
How do I access BACKDC with RDP?
Do I connect to RDP first with CORPDC, and then RDP again?
Windows to RDC?
you are right, i got the error but it has been reset
thx
Cool just making sure else could do a full flush my side
You will have to configure a proxy chain. You can't directly access BANKDC just directly from the perimeter
From CORPDC I would try to fully compromise the Parent Domain first. Then from ROOTDC it should be easy
bigger chain i have made yet with ligolo , nice ^^
I am already doing so
After Selecting 17 under [1] Submit proof of compromise
[17] SWIFT Web Access
I get the following warning looped:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Does the network have to be reset?
It's the Subnet 10.200.119.X
All i have to do is BANKDC and the challenge will be done.
CORPDC, ROOTDC It's already done.
From rootdc you should be able to access bankdc
RDP to rootdc and then to Bankdc for example
So what I'm curious about is how can I connect to BANKDC via RDP?
Can I connect RDP in ROOTDC, through Remmina, and then from Windows in ROOTDC to BANKDC through use "Remote Desktop Connection"?
ahah i think is right
this is same thing mean right?
This should not affect the process, you should be able to just proceed
finally ^^
Congrats!
Ya, connect from corp to root and from root to bank
is there an issue with the .116 network? Whenever I try to authenticate to CORPDC it says invalid password even though im using the right credentials
You can also access it through network path or via psexec
Congrats!
thx, and was a fun ride, good work
Gave +1 Rep to @trim beacon
How long has the network been active?
4h 50m
i have re-setup my persistence since evil-winrm works, just logging in with rdp does not
We have seen that sometimes longer than 4 hours CORPDC does not like things, especially given how busy the host is with authentication. Specifically RDP connections. But everything else should still work. Once the network just enters the sleep state, the issue will resolve itself. No reset needed
alright got it, thank you very much!
I'm in the Approver view but I dont see any dummy transaction made
Might be a bug? or im doing something wrong?
Finally completed the challenge. Well done am03bam4n for creating an excellent challenge.
Does anyone also have problems with the VPN server at 10.200.103.12? I can visit index.php but nothing else works on the website
Did you get this sorted? It might be that you just need to request the transaction again?
Congrats on completion!
Congrats! Remember you can still provide your writeup for prizes!
Apparently my method just isn't enough to bypass it
Need to think of a new route I guess
What does auth debugger say? Cause if it says approver it should be working? Or are you seeing a different error?
Thanks!
Can writeup be made public now? If my writeup is not English, do I need to modify it?
People still be adding themselves and removing others
If you feel uncomfortable, you can quit the room, rejoin the room, and have the probability to change the environment for you
Did that already today
Writeups will not be made public, we will however be using the writeup feature to collect submissions. Yes please, writeups should be in English. The technical part is most important, so even if the English writing isn't 100%, it will be accepted
Was getting forced disconnected on RDP by someone earlier today, so though I'd give it some time and come back later, I come back to see my persistence removed, all good, Nearly at the end will set it up again and finish soon
I would suggest seeking "a road less travelled". Means less "traffic" from other users
Also recommend staying away from RDP, cause of the entire thing of users kicking you out. Other protocols such as RPC or SMB may come much more in handy since no limit on amount of users
I know the feeling. Almost makes it feel like a real engagement and client is making your life difficult. Good luck with the grand finale!!
well tyler has produced 8+ hours work of kinda write up that you can follow along to get your teeth into the target
which is the closest to a write up we will probably get from multiple sources from the streams until after competition period is over shadow would assume
so can anyone help me, i produced the session with parent domain rootdc and I could access it at first and see its folder from its path, but after sometime I cant access it like its not existing anymore , how to fix that, i tried purging my "klist" but nothing
ok i know
Can I PM you my method? I don't spoil it for others if it's indeed a method
Sure you can
can someone help me nudge me into an alternative way? I am stuck at the VPN 172. which is supposed to be on purpose.. I tried to do it at different times different days but no success and I am out of ideas or maybe knowledge
DM ! what u done so far ;
Hello all !! is there anyone facing a problem with the vpn config file in 10.200.103.12 ,
I wanted to connect using this vpn but it looks like it goes on infinite loop
Finally done @trim beacon dude this was awesome! Thank you.
Gave +1 Rep to @trim beacon
Congrats! Glad you liked it, remember to submit your writeup to win some awesome prizes!
unsubmits the writeup
It will be good to take a look at the pinned messages and to scroll through previous messages of this channel. This has been discussed quite a bit
after all shadows path of exploitation is watching the creators streams on how to hack it
because shadow is slightly lazy and also wanna relax and learn
If you are smart about it, you can mix and match their techniques π
true that is something shadow could do.... though not gonna write a write up to submit anyways
rather someone else win
There are still quite a number of prizes up for grabs and only 1.5 weeks to go. So might as well try if you are feeling up for it somewhere in this month
the room badge award is not limited right??? because that is what shadow wanna get on top of all the knowledge
No limits, except for the time limit when it goes B2B.
let the competition continue then and lets see if shadow can maybe finish in time... though shadow is not super into doing this kinda competition to win prizes.... rather be on the give away prizes side
Good luck there!
Yoo, whoever forced me out of RDP please, I just need 5 mins I'm at the last flag submission
Maybe it's the blue team
I hope not I just need to approve the transaction
what network?
Let's go, Just finished it
.118?
Congrats!
congrats!
Thaank Yoou! This was a really fun challenge @trim beacon and everyone else who worked on this. I'm curious about the thought process that went behind making this challenge.
@trim beacon wanted to torture us before it went to business.
I meant more like how they went about creating it
and I absolutely love the flag submission process
Hopefully this is the way forward.
Yes
I've been creating networks for quite a bit of time. Even before I joined THM. For my day job, I revamped "tabletop exercises", which is an exercise where we play out an incident to the blue team and have them defend. Basically revamped it to make it more real by creating a full organisation and then attacking it during the exercise, meaning the blue team actually had to investigate things and try to find + stop me.
So when I joined THM, always had the idea of creating a large challenge, but realised it would be wasted if THM does not also provide the training required to solve it. So was placed on the back burner to complete the red team learning pathway, where I create the AD network rooms to teach basics of AD security testing.
With the red team learning pathway done, team felt it is time to release a challenge to test that knowledge and I was tasked with creating it. Using previous knowledge of building large scale test networks and with the knowledge I've gained as a security tester over several years, created it. I loved the idea of actually having paths in the challenge that I have personally seen on client engagements. Also without disclosing too much, SWIFT is something that I have dealt with quite closely for several years.
My primary goal was to create a real red team challenge, and what that meant for me is not something like getting DA. Cause if you tell the execs you got DA, their eyes roll. But if you show them the meeting minutes of the CEO's next board discussion, all of the sudden they lose their minds. Sure DA helps you get it, but execs care about impact, no technical deats. So wanted something where you could actually do goal execution, and SWIFT felt like a nice goal due to it requiring a couple of steps to achieve.
The other thing I wanted was a network where there wasn't a single path to compromise. Personally, I do not like CTFs. Never have and don't think I ever will. Always get frustrated when I have to do one since if you don't follow the creator's exact path, you are screwed. So I wanted something that had multiple attack avenues, again similar to real world where there might be several misconfigurations for you to play around with to reach your goal.
So I first built the full network and made it secure. Had some help from the other team members as well. And then planned out the various different possible attacks at each stage, introducing them and testing them, before finally checking to see if the entire chain worked.
Lastly, since we had multiple attack paths, I realised we could not have flags on the hosts, since you might not compromise the host on your journey, which led me to create e-citizen. I have actually created something very similar for my day job's hackathon competition, so used a base structure and then built it from there.
That was my part in the design, the other massive part where I have to give props is the testing team. Several testers and content engineers helped test this behemoth to make sure that things are working. So yeah, quite a massive endeavour!
We are looking to reuse this system for future challenges as well!
and what an adventure it was
Next on the list I think should be red vs blue KotH
I enjoyed it so much that my wife just gave me free card during the weekend to be around the computer when possible
I would love to try KotH but I get nervous doing those challenges.
Same here, but when it is a full network, might make for a much more pleasant experience than a single host
it might indeed, with different machines to compromise, and different attack venues, might release the pressure of attacking and holding one machine
A fascinating read. E-Citizen totally makes sense. This challenge really got me intrigued as to how it was made. Most other CTFs haven't invoked that feeling lol
Agree, but could perhaps take it one step further to give an edge to the red team and keep the blue team on their toes by "releasing" misconfigurations as time progresses. Similar to how normal users make mistakes that lead to vulnerabilities. That way even if your blue team fixes all the current things, can keep the exercise going. But future plans and dreams, will see what is possible!
Happy to share and thanks for taking on the challenge!
Gave +1 Rep to @dull kestrel
@lyric stream can this be pinned?
thank you for your vods @quaint knot through the first one now and about to start the second one
Gave +1 Rep to @quaint knot
I know KOTH would become much more enjoyable for me with the e-citizen design. Right now the fun of KOTH is sucked out by people submitting pre-recorded flags right as the match starts.
There isn't a good way to address people having done the box a few dozen times but at least this way it would become a speedrun for the flags rather than what it is now
yeah agree, having something like e-citizen do checks for specific files will probably make for a much more enjoyable experience.
My ultimate hope here is to actually randomise "misconfigurations" from a pool of misconfigurations. That way we can always create new misconfigurations and keep things interesting so even on the same boxes, it isn't the same thing. Sure you can still play so often that you get all possible paths, but at the very least it will mean you need to redo enumeration whenever you gain access and can't just copy from memory
I was on the swift steps and reset
hi Am03 can I pm you to ask a question about the 172 routing? I tried 2 ways and I am still routed to 172
Thank you for your contribution. After I learned the Red Team path, I always thought 「holo」 and 「throwback」 were the best practice rooms, but until your challenge was released
Gave +1 Rep to @trim beacon
Any hints on what should I do, I have access to .100 and I made, out of desperation, a user with every privilege possible, can't get that domain RDP access to it, only from local corp/admin. Please some hints
Not just RDP, even PsExec if falling on me
yo @trim beacon ; after the network reset ; do i need to reset the swift process too ??
cause i cant login with same email and creds now ;
and someone's eavesdropping in the network.
I know i am a red-teamer and u my client --> but some blackhat hackers doing smthing mischief
seems thats the problem for most r.n
Sure I'll take a look, but do take that pinned message into consideration
Really glad you liked it!
This might be part of the issue. If you give it every privilege possible, Microsoft will add this user to what's called the Protected Users group. Which will restrict what authentication may be used. I would suggest taking a bit more of a surgical approach
Yes, authenticate to e-citizen, press option 2, and then clear swift progress
This happened to me, I gave every privilege I could think of, wouldn't let me RDP, had to try one by one
Does anyone have advice for me on how to add an enterprise admin account on the root dc, i was able to exploit it and submit the flags but user creation errors out in my psexec session.
I used || a golden ticket with mimikatz || for the initial compromise, but i need to setup persistence to further attack the bank division
For some reason im connected to the VPN but cannot reach any servers, I think the environment didn't really boot up?
dm me
Might be in a locked state
"Note: If your network goes offline while you are working, please refresh the room page before clicking the "Start" button again. If you click "Extend" instead, you will place the network in a locked state where the timer first has to run out before you can restart the network."
@tardy wharf spammed it almost everywhere ^
Damn it, since it's a shared room other people keep extending it and locking it.
Is there a way a mod can reset it?
failed to submit the flag
Issue with reading the file provided: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte
i try with this command but still not working cmd.exe /c echo 3bf54534-7247-47c1-xxxxxxxxbb > filename.txt
Try to ADD " " or just use the cmd.exe shell. You can make a txt file locally and upload it to the location :D
any idea how to upload i connected with evil-winrm
Use powershell commands
Make sure you use cmd to do this!
echo "---------------------" | Set-Content filename.txt
upload /home/kali/proof.txt /windows/temp
thanks work
Gave +1 Rep to @dull kestrel
The corpdc on 116 again responds with invalid credentials upon authentication with rdp. Is there another way to fix this instead of letting the timer run out?
Can you DCSync it again?
Do you mean dcsync like i got access to the dc in the first place? No, i cannot
Password has been changed, you have to step back and get that hash again.
I can login with evil-winrm so the password is working fine
because this is ticket attack so you can try rdp one of domain machine and repeat again
with what user?
It keeps giving me this message when I'm trying to finish task 19
and it says I have an active SWIFT check, option Z gives another error:
If you try again many times, I suggest you find all the transfer records required by the task to follow.
If it really doesn't work, you can choose to reset SWIFT and start again.
Thank you, resetting SWIFT worked
Gave +1 Rep to @forest plinth
I finally did it!! I didn't do any phishing though so I wonder where that has been needed lol
Wonder if anyone has breached through phishing
I've been trying but so far no bytes
I got a writeup report with that. So jip, it has happened
are we going to see the writeups when it's over?
According to the scope:
Attacking any hosts outside of the provided subnet range. Once you have completed the questions below, your subnet will be displayed in the network diagram. This 10.200.X.0/24 network is the only in-scope network for this challenge.
(dumb question)
However, when I initialized the vpn for the corpUsername.ovpn. I got IPs outside of 10.200.X.0/24 network starting with 172.X.X.21/32 and 172.X.X.22/32 for the net_route_v4_adds. Would this mean running a scan on these is incorrect?
Im going to attempt to delete the configuration file for that ovpn and re-downloaded it and edit the file again
@trim beacon we have 13 days or w/e is left to submit the writeup right? No need to rush it?
For the competition:
"There are two streams that you can participate in for this competition. The competition will run from the release of the challenge (11 May 2023) until the 31st of May 2023, 11:59pm BST. Winners will be announced on the 5th of June 2023 via Discord and Twitter."
You need to change the routes
would i have to delete then add my own routes? (awesome..thx!
any clue on getting this
PUSH: Received control message: 'PUSH_REPLY,route 10.2001.21 255.255.255.255,route 10.2001.22 255.255.255.255
10.2001.21 ?
is it 10.200.1.21 and 10.200.1.22 ?
dunno how much shadow can say but shadow bets it is both
yep, you have to ||create new routes||
or sometimes they might just work without you doing anything
I have a little problem, when I try to connect to the vpn (the .ovpn file, that I found in the beginning) worked well, but now it is like an infinite loop, because the connection is off and it is restarting, after it gets a connection
This is because many people are using the same vpn file
try to find another way in if vpn doesn't work
there are like 4 other ways (||CMS||)
Okay, I think think this is the easiest I found
but except wait, I can not do anything
I haven't been able to get anything else to work, I barely even managed to get past the routing issue
yeah, honestly me too though my vpn seems to be stable these days
though today i might go back and it might be broken again
while it's broken i'm looking at other ways in, still working (apparently you can phish??)
I did try to do a campaign with GoPhish, but I must have failed to configure something properly
I followed the guide from the path aaand it didn't work
yikes yeah
there's also probably a way through the ||cms login page|| but no dice yet
if you figure anything out feel free to dm me because i havent :/
(if the challenge allows)
I tried the ||creds you can find, but no dice for CMS as well||
yeah, i tried the same thing
also i feel like the ||todo list|| is exploitable but again no dice
I will, you're welcome to DM me too
yeah, must be missing something small but crucial
there's also ||mssql|| running on one of the machines no? not sure if that's exploitable though
yeah, I found it too, haven't gotten to enumerating and trying to exploit it tho
going to get back into it in a bit and if my vpn just dies again will have to look for other ways in
good luck!
thanks
thanks
I just finished it today. Fantastic network @trim beacon, btw has anyone tried exploiting the || october cms lfi || for initial access?
wait you can do that???
I'd be surprised if you can't.
I finally got my first flag, I could cry of joy
Really?
nice!
yeah, I couldn't believe it either
I got 3 flags in one.
What point are you at?
yeah, I'm gonna see what else I can get, I'm just basking in the joy of getting anywhere at all
What have you done so far?
You can DM if you have to post too many spoilers.
Nice man!
I'm on ||WRK1||, submitted my first proof, gonna do as much enumeration as I can
Hope you seen that
either ||wrk1|| or ||wrk2|| work, both have fun methods of escalating
currently there too
awesome
Got the 3 flags! Thanks
Gave +1 Rep to @pseudo parrot
There will be blog posts about these users and their attack paths in yes
Due date is the 31st, so yes, that seems to check out
Glad you are enjoying it! Good luck with the rest!
Glad you liked it, thanks for the feedback! Indeed yes we had one user to find it and exploit it, but not that exact vuln you are talking about
Gave +1 Rep to @muted compass
Is pinned now. π
so is there any prize for submitting a writeup??
Yes, read Task 4 in detail for the prize details.
ohhh those prizes are for the writeup, gotcha
Verifying your email access using your credentials, please stand by....
There was an issue with email access, the most likely cause is a network reset. Please stand by....
Creating email user
ssh: connect to host 10.200.103.11 port 22: No route to host
Something went wrong with user creation
Repopulating mailbox. Please stand by.....
[Errno 113] No route to host
Error: unable to send email
=> Is there anything I can do? I cannot interact with any machine / IP in the network. I also tried from attackbox and I got the error above.
3: capstone: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.50.99.xx/24 scope global capstone
valid_lft forever preferred_lft forever
inet6 fe80::3fc9:e213:92e7:9a48/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Subnet 103 is in a locked state again..., you'll have to wait till the timer runs out
Probably ran out by now
57 mins left
But ok, thnk you for the hint. Then I probably was just lucky until now and that is the issue described in the intro of the room
haha I wondered why sudo stopped working, someone overwrote the whole passwd file to just one user xD
@trim beacon The Bank finally got pwned after 3 sleepless nights . Thanks, for this wonderful room man . initial and approver took a long time ; others i pwned like a boss . I'll be back again to pwn this bad boy with other vector ; . JAI HOSS !!
Gave +1 Rep to @trim beacon
let's goo i don't need to use this unstable vpn anymore found an alternative way in

there is pain pain, and there is reset network before final transaction pain
gonna continue tomorrow before someone crashes it again
that sounds really interesting and great learning resource
The SWIFT reset seems to be broken. followed my kill chain 3 times now to get to here. The first time I was reset just before the last 2 flags. Now none of the payment information work. I get the following when I reset swift
This is why we have multiple attack paths. Imagine the chaos if there was only a single attack path in this estate and users take actions like this!
Congrats and thank you for the feedback! Remember to submit a writeup if you want to win limited edition swag and other goodies!
Gave +1 Rep to @granite valve
Almost like on a real red team engagement
Can you DM me your Remote IP in your redteamcapstonechallenge.ovpn file? I'll then quickly take a look
is it good for me that i started red team capstone when i am not completed offensive pentest path
Depends on what other experience you have in the field of cybersec, but you may find the challenge difficult
yes thats right : i have no prior knowledge so its difficult for me thanks
Gave +1 Rep to @trim beacon
I have run the attack chain so many times to get to the SWIFT with the various resets or disconnects. I finally got it all done this morning. Thanks @trim beacon for the last bit of technical support this morning.
Gave +1 Rep to @trim beacon
why after connecting to 2 vpn the config i found on .12 i stopped seeing other network?
Congrats on completing it! Thank you for the feedback!
Gave +1 Rep to @serene crystal
Please see the pinned messages, this will be something you have to debug yourself
Thanks for the great experience and for your hard work @trim beacon
Gave +1 Rep to @trim beacon
Despite not doing this (no plan/streak) thank you @trim beacon for creating this! Sat and watched my last few of the series by @quaint knot (thanks to him too).
Loved every minute and cannot wait to see what happens next
Gave +1 Rep to @trim beacon
Hi, anyone can help, as I was not able to start this room, it always stays the same, not showing the IP addresses, I reset many times, I am not sure what I am doing wrong here, is not suppose after few minutes show you the IP addresses?
Please read the Project Registration section in Task 2 carefully, it tells you exactly what needs to be done to display IP addresses.
same here, do you have any resources to solve this one?
yes it would be incorrect, you have received an ip range which is in your scope
check the pinned msg
ops, just clicking completed to task 2 question solved the problem and IP are visible, I almost gave up on this room
Hi, the proof of compromise verification is broken on 10.200.118.250 for the Red Team Capstone Challenge:
Once you have performed the steps, please enter Y to verify your access.
If you wish to fully exit verification and try again please, please enter X.
If you wish to remove this verification attempt, please enter Z
Ready to verify? [Y/X/Z]: Y
Warning: Permanently added '10.200.118.12' (ECDSA) to the list of known hosts.
ubuntu@10.200.118.12: Permission denied (publickey).
Could not recover the verification file, hence flag could not be verified
Can anyone help me with that issue?
As far as I can see, the authorized_keys file of the ubuntu user has been overwritten
As discussed in previous messages, you can continue to compromise the network and then verify compromise from another host
Glad you liked at least spectating the challenge!
Just a pleasure!

sigh... someone deleted the whole /etc/passwd file on .12
or made it only have one user in it
reset time ugh
could some staff reset the 118 subnet? don't feel like waiting 2 more hours... thank you!
that sucks, I am sorry to hear that. Could also be a good time to look at .13 if you haven't already. Hopefully that one is fine.
yeah... though i would prefer using the technique i have used so far i'll look i guess
Pop me a DM. I'll give you an exclusive hint for 13 so you face less traffic
dmed
anyone ever had a problem with blinking rdp black screen
... blinking how?
there might be other services where u can login rather rdp ; its busy cause everyone's using that.
CORP-DC has fallen! 
I just made another user and it was a normal RDP session
thanks @trim beacon the swift reserve bank has fallen!!! One of the best, if not the best AD lab there is, so creative and exciting lab environment. I wish I would gain that 1337 level when i completed it xd, but who cares I got the badge and it was an epic path full of network resets and stolen credentials
Gave +1 Rep to @trim beacon
Can someone help me figuring out how to be able to attack the wrk1 and wrk2 after I connect with the ovpn file? There's something wrong with the routing and can't figure out how to fix it
Congrats! Thank you for the lovely feedback!
Gave +1 Rep to @rotund magnet
Sure, I dm'd you. Give me some hints whenever you can
hey ^^ anyone available for a small tip on .13 ? I've found several small things, but I miss a big thing I guess
dm me
Is there any way to get out of the terrible 103 network?
yea ; leave the room for couple of minutes ; then join again ; u gonna be in another subnet.
Nice, that actually worked. Thank you
LET'S GOOOO



yikes i think i broke my vpn connection now
that sucks i wanted to spruce up my writeup before submitting it
alr nice it's back
I submitted the writeup immediately after completing the challenge, and didn't think too much, Hope I don't lose my prize for a small problem
submitted writeup
anyone who needs hints on this challenge feel free to dm me btw!
kudos again to @trim beacon for such an awesome network, def the best thing I've done on THM so far
Each spelling mistake or not neatly formatted picture loses you a point! JK
Thanks for the feedback, glad you liked it!
Gave +1 Rep to @normal spire
Are the ||routes on the employee entry supposed to point towards 172.32.5.XX||?
Please read the pinned messages
Yea, had it working for a sec, VPN crashed, no amount of routing gets it back. Will see if I can find another way in then
dm me if you need a small hint
Hey @trim beacon would it be possible to get certificates like throwback?
Mmm, I'll have to ask. I don't think that was the intention initially. You at least got the badge! But let me checkin with the team!
thank you! no problem if not, just curious
Gave +1 Rep to @trim beacon
is there any kind of solution to this?
||Anyone ever had a problem with the internal VPN connection resetting all the time? I cant seem to establish a proper connection anymore. Getting: Connection reset, restarting [0] & SIGUSR1[soft,connection-reset] received, process restarting all the time||
It's because too many people are using it at the same time
Thanks, Yeah I thought so ... so the only solution to this is wait?
Gave +1 Rep to @slender verge
There are ways to get a stable connection, but I'm pretty sure it will need to work for a bit at least so you can get there, hopefully someone will correct me if I'm wrong
if you want dm me for hints on another way in
Hello everyone, I have an issue that stops me from getting the first flag, I compromise my first machine, followed the steps, and didn't receive any mail with the flag, there was this message : "Well done! Check your email!" then "Error: unable to send email"
So I verified email access through e-citizen, it detected an issue and created a new user, and now it tells me that I already received the flag and that I should remove it ?
Tbh i'm unsure if I configured evolution correctly
Like @normal spire said, there are many ways to get to where you need to go.
If your email was not set up at the time you were emailed the flag, then you will not receive the email once you get it set up. You can, however, print the flag from e-citizen...
go to verify past compromises
remove the flag
then redo it
Thanks guys
Oh my, I made it! This has probably been the best room I have done so far! Unbelievable what you managed to create here, kudos! @trim beacon And thank you @quaint knot for your guidance along the way!
Gave +1 Rep to @trim beacon
anyone open to helping me? I tried multiple ways to get to the 1st flag but all of them either ended in the 172 or just plain didn't work 
sure bud. i can dm you
blessed be aquinas_nz
Congrats on completing it! Thank you for the feedback!
Gave +1 Rep to @distant cypress
this keeps happening
what are you trying to do
it seems to happen every single time I add a user of my own as Administrator on WRK1
huh
worst case you can do net user Administrator <newpasswd>
but not sure why that would happen
might break things for other people
I lose access to any /domain commands basically
wait... why are you trying to add a local admin on wrk1 using /domain
doesn't the user need to be part of the domain?
yeah but you only use /domain when you add a user on the whole domain
which you probably don't have privileges to do
/domain basically adds a user to the whole domain and without it it'll just be on the local machine
10.200.118.x network is completely broken only reachable host is the ecitizen can someone look into this or users press reset?
i pressed it
Thanks
Gave +1 Rep to @normal spire
so is there a flag to get on the VPN server??
is anyone around to help me get with rootdc
DM
yeah
Anyone having issues RDPing into the RootDC? I have psexec access, I changed the admin password but I get the following error when I try to RDP into the host "the connection was denied because the user account is not authorized for remote login" I have tried giving access from the command line but no luck, not sure what's missing
DM me
I have the problem that I can't really generate a golden Ticket. The ticket is generated successfully, but no PAC is generated and signed, I don't see a user id and I don't see groups ID that is generated.
I think something with the domain is strange
Just thought out of interest to post the latest stats:
1000+ room joins from release
538 profiles registered on E-citizen
166 users have submitted at least one flag
1604 flags have been submitted in total (average of roughly 10 flags per user)
52 users have completed the challenge
Good luck to all for the final push!
sanity check? can anyone browse to 10.200.89.13 to confirm it's up? So far, I've even went back to regen the room ovpn, then revalidate email, wait 5 minutes, confirm /etc/hosts file is correct. nmap scan shows port 80 filtered
Hopefully someone on your subnet sees this.
i am one of 52 
Very nice. Can you solve my Problem?
Please press the reset button so we can fix, doubt anyone from support will help us
not sure what your problem is, so no
thanks, I did that right before I posted. its resetting rn
Gave +1 Rep to @open heath
Saw it needed one more, I hope this resolves the locked state else just leave the room wait 5 mins and rejoin so u get put on a different subnet
Guess it worked
roger that! copy!
Why can I not upload images here, to show my problem?
U need to verify your discord with ur tryhackme account
!doc verify
!docs verify
There xd
so when u encounter the 172.x.x.x nonsense in the openvpn connection right after a room reset, is it because you need to reverify email access via ssh 1st? I'm doing that now and waiting a few minutes. to clarify this is the internal ovpn file (the one you "find")
The 172 nonsense is done on purpose, you'll need to find a manual fix or find a different path
does it default to 172 when there is too much traffic?
Dunno when it does that, but if you look around in this channel u see a bunch of ppl got stuck on this and find some more hints to how to solve it
Could we see the first 20 as you posted before?
still having this issue except now I can't change the admins password for some reason
did anyone have this problem before? why can't I send a picture? my Network diagram is just grey there is nothing there
thank you!
Gave +1 Rep to @fervent sail
oh that is weird, I'm sure you have tried to refresh the page already?
okay random I had it yesterday all day and today too now It randomly worked again
weird
That is odd, glad it working for you now though
hey guys im having this problem while trying to submit a proof of compromise Ready to verify? [Y/X/Z]: Y Warning: Permanently added '10.200.116.102' (ECDSA) to the list of known hosts. Connection reset by 10.200.116.102 port 22 . I'm using meterpreter to pivot and I checked that I am able to reach the domain controller as I can login and follow the instructions to get the flag, but whenever I hit verify, it gives this.
Hey everyone. So I just got started with this task and everything seemed fine at first. I ssh'ed in and registered, no problem. Then I tried to verify my email address and I get that "ssh: connect to host 10.200.103.11 port 22: No route to host" error. Do I have to wait until the network timer runs out and try again?
I also can not reach the webserver either..
Creating email user ssh: connect to host 10.200.103.11 port 22: No route to host
Something went wrong with user creation
I am getting same error as well
can't reach .11 neither web server
Could a couple other people vote for the "Reset" please.
@slate hill @candid yacht
You can wait for a reset, or leave the room, wait a few minutes, and join back in to be placed in a new subnet that is working.
Of course because everyone is doing this, the 103 subnet never gets reset but at least you can personally continue on.
Okay, thanks for your reply
Gave +1 Rep to @clear badger
anyone run into filtered ports after setting up proxychains and metasploit trying to move to the .31 -slow going today with all the resets - it's war in here! Retraced my steps 3x, any advice?
any idea what is the issue?
Can you run nmap from .12 and see if that gives you a different response?
Can you run an nslookup and verify that the IP is resolved there?
It looks like your syntax for the ticket creation command might be wrong, at least from what I can see. If you have a look at task 8 from this room: https://tryhackme.com/room/exploitingad it is explained in great detail how this process works. Take special note of the child/parent relationship and how that ties into your command.
Either find the webmail portal or connect a mail client to the mail server
Enumerate!
thanks, i go step by step from this room many times but still this error
Gave +1 Rep to @distant cypress
so no flag on both ||31,32|| ??
How did you try to get a flag?
I'll dm you
it's solved thanks
Gave +1 Rep to @distant cypress
Alright awesome!
through the e-citizen ssh thing (i got the first 3 flag)
but both hostname doesn't seem to be right for the 4 or 5 flag
no idea what i was doing wrong before but the 5 and 6 flag seem to be working with these hostname but my new issue is i keep getting this error:
fixed, thanks @warped grail
seem the work with this hostname now
Issue with reading the file provided: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte
If anyone is on the .89 network can you press the reset button, it's inaccessible again after it went to sleep
any help from rootdc to bankdc
just did, 4/5 currently 
Are you already in ROOTDC? Isn't it then possible to just RDP into the BANKDC from ROOTDC?
Thanks @fringe yoke !
Gave +1 Rep to @fringe yoke
i got you, bro
thanks @dreamy comet !
Gave +1 Rep to @dreamy comet
is it solved?
Thanks @dreamy comet
Gave +1 Rep to @dreamy comet
9 days left! everyone who's still trying, you got this!
Just finished!
congrats 
I don't receive the PIN into my email for transaction any help?
and my creds also not working in bank website
I believe its given on the e-citizen server. You need to redeem flag and it will tell you your pin.
Also having issues with finding the final pin for the transfer
According to ecitizen it's sent to email but i haven't received any pin
for anyone who fixed their email access after they redeemed a flag:
go to e citizen, verify past compromises, then delete the flag that you didnt get an email for
then simply re get the flag
For those going for the VPN route, it's still possible but you have to ||rewrite the configuration of the profile||
I am stuck on this thing for hours, so my question is, when I have access on 102 and changed the password from the administrator on 100, how can I access 100 with rdp?
I can nmap just fine (find open ports) while on .12, just not from my machine using proxychains. I have triple checked my proxychains4.conf, tried dynamic and strict setting (same result). I find it interesting proxychains chooses the proxychains4.conf by default when no proxychains.conf exists (is this OK?). Honestly stumped as I've done this before in other labs with my same kali setup.
Can you add the -sT flag to your nmap command?
Also, have you modified the vanilla proxychains file as well? Not just proxychains4?
So like /etc/proxychains.conf?
I mean I'm already root with a new user added so I guess I could "rough it" and launch my attack by uploading all my tools..... but just trying to go with the flow here.
Let's try and get that proxy pivot working. Cause else network resets are going to be a pain
I don't see that your proxychains are showing a chain and you are not running it in silent mode, which tells me the config isn't being respected
Give me some feedback on my other questions and let's debug from there
I don't have a proxychains.conf file just the 4 - proxychains seems to be smart enough to use it (see above) - I can create a proxychains.conf (copy-paste) see if it makes a diff
Just checked my video. Proxychains4.conf should be fine
Can you add the -sT flag?
ok so unless I'm missing something in the config file- its set to strict, have tried dynamic. proxy dns is set (range 224) and using sock4 127.0.0.1 9050 in Proxy list
Pop me a DM and I'll send you a video to watch and follow. Maybe that helps? It uses msf for the pivot. But I think worth a shot
-sT flag does show open, does that mean my bloodhound campaign will get thru too?
Mmm, then maybe the pivot is working? Quickly try proxychains remmina and see if you at least get the machine cert?
Usually -Pn alone should work, but have seen some weirdness with nmap requiring the explicit -sT as well
Lol
so this is a very good sign proxy is working, yes? boy, I'm getting a troubleshooting workout in this one!
So the pivot was working perfectly
Indeed yes. Remember the pivot is TCP only, so you need the --dns-tcp param for python bloodhound
even the 70 step metasploit (exaggerating) was working then- it's just darn nmap lying to me
I mean I almost expect that kind of behavior from openchat GPT, but nmap??? say it aint so
Lol, good luck with the rest there!
thanks for the fast help too . -sT going in my notes.....
solution- dont always believe what nmap says , use -sT flag to be double sure "filtered" is really "open"
just rdp corpdc->dc
Do you know the command? Because I don't really know how to get a rdp session in a remmina session (because I have only access to 100 when I have remmina on 102). I don't know how to get further.
You can use Remote Desktop Connection which is a built in RDP GUI on Windows to rdp from one box to another
Okay thank you, I will try this tomorrow. Do you know any good articles about this?
Gave +1 Rep to @fervent sail
I do not, but I am sure you could find some online if needed. The application is pretty straightforward though
just open the search bar and enter mstsc
and open it
Ah I think ChatGPT said that to me. But it doesn't react, when I execute it in the 100 shell in the 102 rdp session
Thank you
Gave +1 Rep to @normal spire
I will try this
I've tried to use ||chisel, Metasploit and ssh to proxy my traffic through the VPN server||, but none of it has worked
I even followed Tyler's guide to the letter for Metasploit and still nothing
sanity check please? everything alright with my room status ( havent been banned?). Im basically starting from scratch after being locked out of .89, left room, now on [Redacted] subnet - could not even connect there. tried to regenerate ovpn for Redteamcapstone, instead it only onlys me to generate my THM ovpn -- on the brink of no joy
Def not banned
When you say can't connect? What's happening?
Might be good for you to post your actual steps with screenshots so others can help you debug
that was so 10 steps ago, hardly remember, I'd like to report a bug on the Access page. system will regenerate your user ovpn, despite clearly populated as Redteamcapstonechallenge - it has been happening intermittently but now 4x in a row
You can submit details on the #site-bugs channel. If you give them details they will be able to check it for you.
From my side I can help with debug in the actual network
understood, just trying to explain my situation in case you see any pattern to help others
will do, do I mark everything as spoilers or does it not matter at this point?
For that specific thing, the pivot, I think you are good to post without spoilers
All good, haven't had any other complaints on the actual THM vpn generation process, so this is a new one
Scanning from the VPN host itself works fine every time.
- Chisel is just supposed to be two commands for client and server
./chisel server -p 8080 --reverse on my machine
./chisel client 10.10.14.3:8080 R:socks on victim machine
It seems like it's working, but when I run for example:
proxychains -q nmap -Pn -p 3389 10.200.116.31 -v , shows up as filtered along with any other port
- SSH:
ssh -i id_rsa -D 9050 ubuntu@10.200.116.12
Trying with this command I get this output:
"Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Port forwarding is disabled to avoid man-in-the-middle attacks."
Trying to enable password authentication and port forwarding in the sshd file makes no difference.
- Metasploit: screenshots, step-by-step from Tyler's video, added
socks4 127.0.0.1 9050 to proxychains.conf, still no dice, ports still filtered.
Did you try using nmap -sT?
SYN scans over proxychains will not work and always show as filtered, so only connect scans will actually go through
good tip and reminder
btw, anyway to use the gtfo cp trick to append to the file instead of nuke it? Its been done to me so much, I just hate doing it to others, but now starting from scratch, lost all my persistence, have no other choice (that I know of)
I... thank you, I've been banging my head on this for almost three days
Gave +1 Rep to @south mirage
I'm pretty sure Tyler showed on stream how to append? Also, don't forget you can run two things as sudo. Don't get stuck on the CP one. The other one might be much easier, allowing you to privesc and then neatly put things back the way they were
See posting screenshots helps
yeah, I just didn't want to spoil anything, but you said it's cool so I happily flooded the channel with a lengthy explanation
fyi to any doing the cp step, it's consideration to others to read the file, copy it to text, then put it back as you found it when you privesc via ssh or similar (just did that) - an added step for sure but when you get reset enough times you might remember what it's like
All good! Yeah for future you can post with spoiler tags if concerned that it might spoil something, but giving bit more information than less can helps others help you debug
It is also good red team practice since it is opsec. Anything you just destroy will get you flagged. So putting things back together should be part of your methodology. Sadly we cannot force users of this network to follow this practice
I even left a .bak file there if you modified it without saving a copy, was trying to be nice
paying it forward feels good! lets see how long it lasts, just trying to push to the 1st DC - feels like climbing a greasy pole. great troubleshooting practice but feels more like an adversarial game of koth than a Red Team engagement
or you could just use the other less known way in 
@trim beacon or anyone on .118 can you extend the room? t minus 2minutes.....
I was asleep so def missed the window. We're you able to get it?
somehow its still going!! miracle! also notice Defender comes back on after disabling ...after awhile.... kinda like real world eh?
no worries zzzzz's are gold!
Indeed yes, that is normal defender not me doing something. But why disable defender? Why not just add an exclusion folder which means it stays active?
yes of course- such a noob i am- done that before- shows how rusty ive become doing web apps and cloud-lol. ive done that before and its good practice- thank you
one might say if you can survive this 14 server war zone, the PNPT with only 3 servers (I think) should be mild by comparison
When I try to logon to one of the machines in the network it works via the Attackbox but not when I use my own VM and connect via a VPN. Is anyone able to help? I used the exact same credentials both times but can't seem to get it working via my own VM
DM ; i could help yah ; if not solved yet !
Is it normal that when I want to do "nmap -sC" or "nmap -sT", it tells me that .102, .31, .32, .21, .22 are all in "filtered" or "ignored state".
PS: On the tryhackme page, after referencing the first flag, it shows me the CORPDC but not the IPs
Hi, When I run sudo openvpn corpUsername.vpn I get addresses in 172.32 instead of 10.200
Same, but you can use "sudo ip route add 10.200.XXX.21 dev tun0" and that should work
I try it but remmina say lost connection ..
I have tun0, capstone and tun1
use xfreerdp
xfreerdp /v:IP /u:USERNAME /p:Password
failed to connect to 10.200.52.21
add the route before
I have added the route
before the command openvpn ?
I have same pb, do you resolve it ?
I have same problem
Is it better to do the challenge with AttackTheBox than Kali ?
The network was tested using the AttackBox in mind but most people prefer to use their own environment. So it is up to you.
You need to add routes. Out of respect to everyone inc room builder, that's all I'll share- if you don't know about this it pays to slow down to really learn this part (networking 101) - I had to and I'm glad I did. There's plenty of hints about it in this forum if you care to search- happy hacking!
@clear badger network was reset last nite after I had achieved ROOTDC and created "persistence" with add domain admin user account. Has all been wiped? if so, how do you create lasting persistence in real AD pentest when system gets turned off/rebooted? Or is that what you count on- system is rarely turned off?
It has been wiped, yes
Irl systems don't get reset like that, the point here is to go back to a clean state in case someone breaks something
"labor of love" this one. thank you
Gave +1 Rep to @slender verge
There is this really awesome room on THM.... Called Persisting AD. Gives a lot of help with persistence!
But there are two main methods of persistence that will help here. The one is a DC Sync, and the other is a ROOT CA compromise
IRL the blue team catches you, burns your C2s, and you have to start all over again
Thanks for this hint but not easy to find in this ocean ..
Gave +1 Rep to @heavy crag
how to do it ?
Would be nice to remove the streak requirement as it nears being locked. I got excited when I saw the spam in my inbox about it, only to be denied.
Oof That's a lot of unnecessary network reset ruining it for other players
How to leave the room ?
so someone reset the room and now the c*****.ovpn gives me different internal routes, but they aren't working... they were before
also the connection keeps resetting itself
On what video between 3 and 8 ?
understood but... buckle your seatbelt- you got 14 servers to conquer ahead of you in a "hostile environment" of other players resetting networks, breaking stuff, etc, consider this hurdle the "warmup"!
did something happen that I was automatically removed from the room and had to join again? changes to the challenge or something?
I generated a .ovpn file on the vpn portal and it's still resetting all the time
ah yes that took me 4 days to understand
you can dm me and I can give you a nudge
All users are automatically removed every 7 days. This is done to remove inactive users to help with network scalability
thank you- just read thru the Persisting AD -lots of gold here and really a course onto itself. fyi, I did the DC sync last nite but presume that has all been wiped with the reset. I do see how the ROOTDC CA is the ultimate persistence!
Gave +1 Rep to @trim beacon
ahh okay thanks
Gave +1 Rep to @trim beacon
So even if it is wiped right, probably the NTLM hashes are still the same right?
yes but I don't think I can go from .13 to .100 in one jump with that can I -need to "start over" at least getting behind the firewall (am I missing something?)