#red-team-capstone-challenge
hello guys,
I am confused, I have gotten my hands on the ||corpUsername.vpn|| file, after putting my vpn address it seems I can access the internal network. As I read the data:
2023-05-27 18:06:03 net_route_v4_add: 172.32.5.21/32 via 12.100.1.1 dev [NULL] table 0 metric 1000
2023-05-27 18:06:03 net_route_v4_add: 172.32.5.22/32 via 12.100.1.1 dev [NULL] table 0 metric 1000
It seems to me I should be able to enumerate these two IPs, though I can't nmap them.
Am I missing something obvious?
Edit: It seems it is needed to add sudo ip route add 10.200.XXX.21 dev tun0 right?
Edit of edit: It works!
Absolutely, which is the same as any other red team engagement. But if you are smart about it, you start to script up your attack. Rather than doing it manually, write a Python or shell script to do that staging for you. That means within a minute you are back where you were. So it's a good exercise in automating your staging as well.
Personally I'm a massive fan of writing python stagers. You can even create a template for yourself that will perform all the steps required to for example deploy a malicious key and configure a proxy pivot for you
Can I DM one of the mods? I think I stumbled over something unusual. It might also be my inexperience, it's very unclear to me, but it makes me a bit uneasy.
You can DM me if you want to
Hello world.
Beginner here. Trying to execute Get-ADGroup on the CORPDC and query group info from the ROOTDC, but it tells me that the server is down... Am I missing something here? Thx
Can anyone suggest my next step? I am getting an error when trying to set up email for this challenge on Evolution. I am not able to authenticate with the password that was given on the e-Citizen platform.
@slow garnet DM
You have to add the routes, either by using the ip route command the others mentioned above to the tun0 interface, or do it the way I did, I rewrote the config file and added three lines. One to not ask the server for the bogus routes, and two more to route to the correct machines.
thank you buddy!
soon only a week left
How many users are allowed at once? Is there a typical limit in an Office AD environment in real life?
The number of users allowed on a Windows Active Directory (AD) server at once is not strictly defined by the AD server itself. Instead, it depends on various factors such as the server's hardware capacity, network infrastructure, and the configuration of the server and associated resources.
Windows AD servers are designed to handle a large number of simultaneous user connections. The exact number of concurrent users that can be supported depends on factors such as the server's processor, memory, disk I/O, and network bandwidth. Adequate server resources, including CPU, RAM, and network capacity, should be provisioned to handle the expected workload.
Additionally, the number of users that can connect to a Windows AD server simultaneously can be influenced by other factors such as the server's Active Directory configuration, domain controllers, network infrastructure, and the applications and services running on the server.
It's important to ensure that the server infrastructure is properly sized and scaled to handle the expected user load. Performance testing and capacity planning can help determine the optimal configuration and capacity for an AD server based on specific requirements and expected usage patterns. --OpenChatGPT
anyone can give me a hint on why I'm getting errors trying to start a service?
My spearphishing custom loader does work! But... the box that downloaded from me doesn't allow ingress traffic, I breached that box before. RIP.
Hello,
I am confused about this custom e-mail address I get from this e-citizen server. In the description, it says we somehow have to find the mailserver. There is a mailserver directly accessible. Is this the one or is it the one from thereserve or do they use the same? (authentication against this server did not work) I don't understand why I should have to "find" the mailserver hosting my own address.
you can use the email to login to web email, to receive email for flag, also to claim the flag
If you've found the one on .13
Your credentials should work to log in.
hi, i'm having a bit of a problem with the internal vpn. it just keeps resetting itself, which it didn't previously. do i have to change anything in the corpUsername.ovpn file?
emmm, although this may not be useful, I can tell you that this error has no effect, and you can still access the openvpn intranet normally
Hello, yesterday I had issues connecting to the internal network so I did:
sudo ip route add 10.200.116.21 dev tun0
sudo ip route add 10.200.116.22 dev tun0
Everything went fine, and I could nmap these adresses, however today ovpn keeps restarting:
...
2023-05-28 09:56:22 net_addr_v4_add: 12.100.1.9/24 dev tun0
2023-05-28 09:56:22 net_route_v4_add: 172.32.5.21/32 via 12.100.1.1 dev [NULL] table 0 metric 1000
2023-05-28 09:56:22 net_route_v4_add: 172.32.5.22/32 via 12.100.1.1 dev [NULL] table 0 metric 1000
...
2023-05-28 09:56:22 Initialization Sequence Completed
2023-05-28 09:56:22 Connection reset, restarting [0]
2023-05-28 09:56:22 SIGUSR1[soft,connection-reset] received, process restarting
2023-05-28 09:56:22 Restart pause, 1 second(s)
...
Thank you
is windows defender activated domain wise? yesterday I could upload tools with no issue on WRK1 and today I get the tools deleted
but somehow the ports are filtered i did use ip route add and added those ip's before and got a scan but now everything is unaccessible i can't rdp into the machines in any way
having the same issue
You need to continue enumerating
is there any other way to get access to the machines using the credentials that i've found?
I believe you, like me, ignored the mailbox of function
what's wrong with this? is defender activated by default on WRK1? or did someone activate it for trolling?
like I literally could upload tools yesterday after a reset
I believe it was turned on by default, but someone turned it off. So you can upload tools
so all I did yesterday was fake then
great
I got up to domain admin on CORPDC
now I cannot upload chisel to pivot
If you have permission, of course, you can also turn it off
Finding a fix?
nah still stuck
can't get admin now on WRK1 lol
fuck my life
you can bypass
not sure how
i found a fix
yes?
go the the vpn portal
and use the mail and password you got and log in
below that you have an option to submit
that'll give a specific user vpn config
that's nice! going to give it a try
thanks
and Burp Suite, you can try
thanks man it works now
still detected when ran
oh man...
got RDP
i sent you a pm
In fact, like you, I fought against WinDefender from the beginning, until I gave up and went another way. There is no such horrible antivirus software on Linux
there has to be a way to do this T.T
I had all the kill chain up to domain admin on CORPDC
16 hours straight yesterday
If you have an account in the DA group or a hash of administrator, you can consider logging in to wrk1 and turning off Windows Defender

can you tell me how to fix the internal vpn
the internal vpn is restarting constantly
I just bypassed the login screen by typing " in the username field
Then I downloaded a working VPN file from the page afterward
i have downloaded the vpn file but it is giving me ||172.32.5.21/32|| and ||172.32.5.22/32|| ip address
how to get proper ip allocation ?
I think you can search the chat for many answers since this is probably one of the most asked questions (I was at that point too but found another way in)
yes thanks @brave pebble @weary flicker
can someone give me a nudge on how to be able to reach ROOTDC network wise? I tried using ligolo-ng but the agent cannot reach my tun0 IP
having a network meltdown on my head rn lol
I am having a similar issue with connecting to the corp VPN - yesterday it was receiving routes to 10.200.x.21/32, 10.200.x.22/32, but today it is getting 172.32.5.21/32 and 172.32.5.22/32 - neither of which can be reached by RDP, or pinged.. or anything else.
I had logged into the VPN server with one of the names I got from ||password enumeration of smtp|| and received new stable .ovpn files, which are stable, but give the erroneous IP route - this is true for multiple different .ovpn files, including the original corpUser.ovpn
It's an easy fix, you can look in this channel, people have posted the solution many times now
ah - thnks
My problem is, that I have submitted the access to SWIFT flag yesterday and I got credentials there and do a transaction and only submitted this from one capturer. Today I am on a different machine and I can't login with this credentials
Is there a way to receive new credentials and a pin code?
@slender verge @forest plinth do you now a way to do that?
I'm up to that part myself, so I don't know for sure, but I think you just have to use e-citizen to reset your swift progress
But how can I do this?
I think there is no description
Log in to the e-citizen portal, authenticate, verify past compromises, reset swift progress
great
I finished the room and I want to say THANK YOU to everyone who answered my questions
someone broke the mail server?
if they did they might have broken some of the rules of the engagement
nah, another reset
now I cannot return to where I was, awesome!
cannot access to CORPDC somehow with socks proxy, when I could before
are you documenting your steps?
also after a reset, allow for 10-15 minutes for everything to get up and running again
shadow feels terrible because they don't feel in a good enough mental state to do this but also having as lot of Fear Of Missing Out
specifically on the badge
if you're up to it, you'll have plenty of time to get it once the competition ends and write-ups can be published
well some write ups are already public but yeah
they are?
for example @quaint knot write up in video format is public thank you so much for that
obviously the flags are not provided in the write ups
ah yes, Tyler, you're right
also good meeping mooping tyler... you leaked the first flag
oh no, he did?
yeah....
am03bam4n told him to hide the flags after the first one got leaked and he seems to have obliged
not watched all the vods yet so dunno if he accidentally leaked any more
I guess it happens when you're streaming with no prep
yeah
but basically am03bam4n was right when he said initial access was one of the hard parts, it actually gets easier after, if you've done the AD networks in particular
you can get it from the e-citizen portal too if the email gets delayed
just go to verify past compromises, and then you can chose to get the flag value for the things you've compromised
thanks man
tomorrow I'll continue with the 2nd part of the lab
maybe I'll finish in time
you can do it!
Ha yeah.... I don't think I leaked more, but definitely difficult when streaming live and working through it for the first time!
we all make mistakes
the important thing is to learn from them
IRL the limit is 2, unless the host is a jump host. Which is why you want to rely on tooling that does not take an active session, allowing you to move a lot more silently
ChatGPT is full of s**t. There is an actual limit on RDP and it is two. Any more and you need an RDP license, which is incredibly expensive and only allocated to select jump hosts. There is no limit on NETLOGON user connections, but there is a limit of two on interactive logons
AV should be on all hosts. Might have been another user disabling it. However defender does re-enable itself after a couple of minutes
There are five different ways you can breach the perimeter. If one method fails for you, as suggested, enumerate to find another way
if you got a cred combination that would work over rdp, is evil-winrm able to use it?
and does that support multiple users using it at the same time?
probably should read the man page
Reset your SWIFT progress once you are ready to perform the steps again. You have to get Flag 17 - 20 in one go, since you need your SWIFT accounts for all 4 flags. You can reset progress by using option 2 of E-citizen
The fun part is, if a user just copies the flag into their room, we can see it since their profile won't match on e-citizen. So we can ban the user. This feature will be used in B2B to verify users actually perform the steps and don't just copy paste flags. Also, all flags will be rotated in their values, meaning you can't copy from a video stream at least
guess you can ban shadow then
You have to restore your email access before you submit the flag. However, if you forget, use Option 2 on e-citizen to just view the flag there
blame shadows testing nature to try and see if said flag worked
We decided against banning any normal users, especially since we were able to ensure that streams only leaked one out of the 20 flags. Was more to just make sure the competition was fair
thanks for that
The Thing is, that Tyler leaked more than one flag. In one Situation he is scrolling up and there were about 4-5 flags
But you see it, so it doesn't really matter
looking at the write ups shadow has found they dunno if they can even follow along or have to bodge a combination of them to get the results
still wondering what methods you can use to spawn a shell with windows login creds that is not tied to rdp so that multiple users can be on at the same time
think evil-winrm is one but not sure
Stuck at rootdc, can't get past av, got any ideas pls
Yes this is one method
Use native windows tools like Sysinternals? So either PSRemote or PSExec?
Also, if you are at DC, you can also just simply create an exclusion folder for your malware using admin privs?
Yeah, doesn't matter for now and will be rotated again before room goes B2B. even 5 flags isn't a train smash honestly
nice
Ok thanks am03bam4n will try some of what you mentioned am on the rootdc though PSExec bin watching Tyler vids but got stuck at the rootdc
Do you know how many write-ups are already written? Because I don't know if there is a chance to win if I write a write-up now
shadow has so far found 2 public written write ups by using search engines
then there is the vods by tyler
dunno if @heady monolith and @meager ginkgo vod are accessable but seems those would be on twitch in that instance
I thought of WriteUps that are for the WriteUp Challenge
aaah
about those shadow dunno
the ones shadow has found are not that good in that regard
There have been X number of writeups. But X is not yet larger than Y number of prizes. So there is still a chance if you submit. Remember that we assess the writeups, so even if you submit later than others, if yours is better than others, you can still win a larger prize. And then if you don't win the first three prizes, there are still runner up prizes
Okay
Algebra remains useful even after school
Can I do the WriteUp in GitHub, because I don't have a Word license, so I can't convert a Word document to a PDF
Hi @trim beacon , out of curiosity may we see the first 20 to own the lab as you did post it before?
That will be fine, might lose a point for formatting. You could always just use Google's docs to convert to PDF once done?
Yeah give me a second to query it
I have to splice two logs together to get the ordered list currently. I can print the list of those that completed it with the single log, but need to splice both to get it ordered. Will do that closer to the end of it when the competition closes
go go go gobusters
Completed the lab! Thanks a lot @trim beacon, work like this deserves all the praise it can get, hopefully you keep making awesome labs like this
But here is the list of the 77 users who have completed it thus far:
| username | Flag Submission Count |
+----------+-----------------------+
| 0x | 20 |
| ac | 20 |
| al | 20 |
| al | 20 |
| Al | 20 |
| Aq | 20 |
| az | 20 |
| Bl | 20 |
| bo | 20 |
| co | 20 |
| Cy | 20 |
| cy | 20 |
| d4 | 20 |
| Da | 20 |
| da | 20 |
| de | 20 |
| de | 20 |
| di | 20 |
| El | 20 |
| ep | 20 |
| ff | 20 |
| ga | 20 |
| ga | 20 |
| gp | 20 |
| ha | 20 |
| he | 20 |
| He | 20 |
| Hi | 20 |
| ho | 20 |
| hu | 20 |
| Ig | 20 |
| Ja | 20 |
| jc | 20 |
| Je | 20 |
| jo | 20 |
| JP | 20 |
| Ke | 20 |
| Ke | 20 |
| le | 20 |
| m0 | 20 |
| ma | 20 |
| Ma | 20 |
| mb | 20 |
| me | 20 |
| Mm | 20 |
| ms | 20 |
| n4 | 20 |
| Ne | 20 |
| ni | 20 |
| Ni | 20 |
| of | 20 |
| PK | 20 |
| Pr | 20 |
| ps | 20 |
| Qx | 20 |
| r0 | 20 |
| Ra | 20 |
| ra | 20 |
| ro | 20 |
| ro | 20 |
| Sc | 20 |
| Se | 20 |
| se | 20 |
| Sh | 20 |
| si | 20 |
| So | 20 |
| Su | 20 |
| Sy | 20 |
| Te | 20 |
| ur | 20 |
| ut | 20 |
| vu | 20 |
| Wi | 20 |
| WM | 20 |
| Wo | 20 |
| z3 | 20 |
| Z3 | 20 |
+----------+-----------------------+
wait someone with sh in their username has done it that is not shadow????
imposter
yayy I'm on that list
Congrats on completing it!
Might be sheldon
Thank you very much, great training for my upcoming CRTO
Me too PK
Awesome feedback thanks!
Much appreciated , then we shall wait for the competition to end to review the standings!
Okay I will try this, because now I started writing in ONENOTE
Shadow should have finished that lab already
hahahahaaaaa nope not done yet
We got the zoomies!
what was the command in sublime text to enable multiple cursors so that you can do text clean up again?
ctrl+shift+alt simultaneously
thanks
Yeah, that one can work, also if you have your own Windows VM, I believe runas is used for injecting credentials like that?
I will copy this to GitHub and then I will convert it. (I am new to this theme with WriteUps)
and there we go, a username list
now to try and find where the john config is to mangle some passwords
oh.... oh noes the network is resetting so nothing works right now
Yeah, the resets get annoying very fast
Takes about 10-15 minutes for everything to get up and running again
yeah shadow thought they had typos because everything just stopped but apparently it was a network reset
haha! Thanks for cutting thru the BS - AI aint smart enough to take our jobs yet! Not by a long shot!
@trim beacon if you typo your username when registering with e-citizen what happens?
@trim beacon We've got an issue i think on the verification bot checking CORPDC's set of evidence
Warning: Permanently added '10.200.116.102' (ECDSA) to the list of known hosts.
THMSetup@10.200.116.102: Permission denied (publickey,keyboard-interactive).
Could not recover the verification file, hence flag could not be verified
can't check for the file if it doesn't connect to the thing in the first place :(
oooh yeah that looks like a bug
don't think anything wrong happens, e-citizen takes any names
doesn't have to be your thm name
i used "ghost" as an abbreviation of mine and have been progressing thru it fine
if you typo'd though, you can create another account with the right name no prob
yeah don't think shadow typoed it just thought it was an interesting question
i see, yeah
hope the bug gets fixed soon, i'm panicking myself while lookin at the 7 day left counter
think a server reset would fix it or nah?
i hate those as much as the next person but if its a publickey issue maybe thatd do it
¯\_(ツ)_/¯
Whoever was talking about how the Windows systems are getting tougher with Defender, or something about Defender turning itself back on: I have been using payloads that employ process memory hiding, specifically a C++ module-stomped shellcode runner with XDR unhooks that runs Havoc C2 with Ekko Sleep Obfuscation. I watched Defender detect it in a rare instance as it goes through its +/-RWX & RC4 re-encrypt loop but fail to remove the payload. You can find shellcode runner templates on iredteam.
I'm just exploring different attack paths right now since I wasn't able to get persistent access or escalate privileges yet. But I want to try another method, a payload using Guard Pages. As well as targeting the VPN box since that seems to be a priority to maintain persistent access to the AD network.
I also saw someone spearphish one of the owned email accounts two days ago. You missed a line in your loader method, but yes, at least two of the emails will "click" and run it.
shadow thinks they know 1 of the users that run email stuff
probably not taking that path anyways
It's really tough. There is a ____ that prevents the loader from successfully downloading the payload for a specific box. But they did click it. And a specific loader from a known TA in a specific file format does work
Another email will kindly send you back a reply.
im running into problem after problem at this point, i'm shutting down for today
ROOTDC is unreachable for some reason, and now the checker's not working for CORPDC flags either
hitting reset and signing off for the day sadly
somehow can't login to the vpn server using valid creds... welp poop
@trim beacon
```
2023-05-29 01:14:27 PUSH: Received control message: 'PUSH_REPLY,route 10.2001.21 255.255.255.255,route 10.2001.22 255.255.255.255,route-metric 1000,route-gateway 12.100.1.1,topology subnet,ping 5,ping-restart 120,ifconfig 12.100.1.9 255.255.255.0,peer-id 0'
2023-05-29 01:14:27 Options error: route parameter network/IP '10.2001.21' must be a valid address
2023-05-29 01:14:27 Options error: route parameter network/IP '10.2001.22' must be a valid address
```
sooo this is not intended right???
ips with 2001 does not exist
or at least not in ipv4
How to create a Windows Defender AV exclusion folder using cmd, not PowerShell, over psexec connections? For some reason, cmd gets stuck and PowerShell responds with a lot of fumbled garbage
sounds like something you could search online or ask chatgpt
I have
though in a real life environment do not give critical data to chat gpt
Ive even tweaked it different ways from multiple sources. Ive just hit a wall with it. Nothing I have tried works.
¯\_(ツ)_/¯
Its a mess.
yeah noticed that kinda
gonna try and switch subnet because this current one is broken in multiple ways and waiting for the other users on there to not screw it up after a reset did not feel worth it
anyone got a method for dumping hash or bypass the AV on ROOTDC? creating a new user would be the easiest but also would be a big no no for other player and on any type of shared lab like this
time to read the rules of the engagement and see if we are allowed to create new users on dc
Its not the network or hosts on my end. Im just doing something wrong and cant figure it out right now
tom seems you are allowed to actually create new accounts on the target machines
though yeah could make the challenge easier for others if you set a super simple password
if there is a rule about this it seems like i'm blind
Using any attack methods to complete the goal of performing the transaction between the provided accounts.
plus it creates confusion for others if i don't make the username obvious
well you could always make the username your tryhackme username or discord username
it is in the project briefing
it tells you what is in scope and out of scope
suggest you re read it if you need to
yeah but because i got an admin user on that DC dumping the hash and login via the local admin hash will be the cleanest though
fair enough
have you tried other shell versions like evil-winrm or things like it
of course but even with an admin user i logged to the ROOTDC i still can't dump the hash by hand or by some obfuscated version of tool like mimikatz
well win defender is running on there
plus can't run bloodhound because i'm the corp/admin user not a local admin
and as an admin user there should be a few ways to kill it
i also try to kill the AV as nt system but either way it's just bricked my shell
who tf changed the admin user password on CORPDC
?? (on the .89 network)
also is shadow the first person to make a thunderbird profile for the emails instead of evolution or whatever everyone else uses
???
I don't remember correctly, but is it normal that the .21/22 machines don't have internet access?
would assume yes
in a real life scenario they probably would have internet access, but to make it more secure and not have vuln machines open to the internet that people could use for bad stuff, tryhackme target machines generally don't have internet access
and this is also behind a vpn so yeah
None of the machines have internet access
yeah I thought so but I wasn't sure, thanks
Failed to log in using valid credentials in the VPN portal, Is anyone having the same issue? I have logged in previously with those credentials but now it's not working
IME, most likely someone has changed those passwords, only solution is find another path or leave and join another subnet
It is definitely not bad, it just always surprises me when it is wrong with how much confidence it gives its wrong answer
You can either register a new profile of just keep using the one with the typo. Won't be any difference really
If THMSetup's key gets denied, it means someone modified the SSH files like they should have. This is one of the very very rare cases where a reset is the actual answer to the problem
Since most users choose this breaching path, which seems to be the easiest one, we made the conscious decision not to fix the config being pushed down. So take a look at the error, think about what it is trying to do, and then how you can correct it. I'll give one more hint, just because a VPN server pushes down certain routes, does not mean that's the only routes it can route traffic for.
If you use proxychains, you can establish a double pivot and then use secretsdump to do this yourself. Or you can simply create a shadow copy of the ntds.dit file and then use mimikatz offline to read the file and dump hashes
the only thing i haven't tried is secretsdump, because i have a shell on rootdc (both from the corpdc and my machine). i did try to make a local copy of the sam file and dump the hash locally but i got some type of access denied
So on DCs you won't find the AD creds in SAM. You need to volume shadow copy the ntds.dit file. You also can't perform normal copy since the database is in active use. Also, you need the highest machine privileges possible, so can't use even Admin, has to be SYSTEM. Honestly setting up a pivot with proxychains and running secretsdump is easier in my opinion
oh yeah secretsdump is the better way and i'm giving it a try as soon as my network is no longer bricked. i did try to make a shadow copy of the ntds.dit and got i think the same type of access denied error, and i used the reg thing to copy the sam file. plus i only need the local admin cred on that machine, after that i can use evil-winrm to get a better shell
Are you using admin or SYSTEM for the copy? Cause you will need to be SYSTEM for those copies. Easiest is to use something like psexec.exe /s to get a system shell to perform the copies. But again, secretsdump might just be easier
oh wait yeah i think i got system when doing both of those dump
using psexec for system
That should technically allow you to bypass the Access Denied issue
yea i know but at least that method didn't kill my shell
PSexec is part of sysinternals, so the tooling should not flag as AV at all, making it quite nice for these types of things
my network is up, i'll send some screenshots for you to see what i mean. also yep, the only not nice thing about that is i keep losing my PsExec64.exe file so every time i need to use it i have to download a new one
@trim beacon sorry for the long wait but this is what i mean
i did try this method to kill the AV, dump the ntds file and the sam / system file but nothing work but i got my pivot up and a golden ticket on my kali i'll try secretsdump
So I do think that is AV blocking you from straight up copying SAM. But it should allow you to make a Volume Shadow Copy of ntds.dit since that is an acceptable procedure. But I would also not just do it remotely but actually first spawn a psexec shell and then do it, so the actual command you are trying to run, like VSC, does not run over the network
Secretsdump should work good for you!
i forgot that AV could block that. and that's a psexec shell on the rootdc, or you mean i need a shell with impacket-psexec?
psexec shell should work fine
yea in that screenshot i was in a psexec shell
Yes, but you are running the command remotely. Drop into a psexec shell, so just vanilla cmd.exe and then from there try to VSC ntds.dit
oh
`-s cmd /c "reg save hklm\sam C:\"` runs the reg save command remotely, which is double malicious. Honestly better to just drop into a shell first and take things from there
Also, the reg save might be failing since remote registry reads might be disabled. So again, better to just do it locally. Will also help you to better understand the error you are getting instead of just simply shell exit with code 1
just pwned bankdc!
@trim beacon sorry to bother but my dumb ass forgot where i put my secretsdump note and i can't find anything about dumping the hash with the golden ticket but i have to go now so while you are here can you send the syntax? thanks in advance (you can dm if it's too much spoiler)
You need to load the ticket into memory. One second for link
Check attack path 3: https://kylemistele.medium.com/impacket-deep-dives-vol-2-attacking-kerberos-922e8cdd472a
There are lots of tools out there for attacking Kerberos, but lots of them are written in PowerShell, so they don't work well with Linux.
The image there is wrong: instead of doing that a second time, you do `export KRB5CCNAME=/full/path/to/ccache/file`
ok i'm back and i did found that blog plus i know how to work with ticket i just don't know secretsdump command or i'm just dumb
@dreamy comet You can DM if you still need help with that
hi i needed some help with the vpn portal
its not taking in the credentials i had used to login previously
i literally logged in using the credentials found in the mail server yesterday but now its now taking those
is there any fix?
Which credentials are you using? feel free to dm.
After i validate my first flag, network is disconnected and i can not continue. How to do vpn persistent ? I am French.
The admin folders are gone from workstation 1 and 2 in the bank domain in my network. So you can't save the file to Users\Administrator
Just create a folder by yourself?
can anyone help me with this?
Whoever's just revealed the directory on the VPN Server (*.12)... why?
(117 Subnet)
a lot of users might be there in ur network who are bruteforcing directories and whatnot on the vpn server.
the fix can be : wait for reset ; or find another path ; or change the lab's subnet !
Sorry I'm a novice here but could you kindly tell me how to change subnet of the lab?
everyone's a noobie at the start ; nevermind just grind
leave the room for couple of minutes ; join again then u might be in another subnet
oh i did notice that
my initial subnet was 118 then it changed into 121
still the problem didn't get fixed
then change it again ; if dont wanna go another route !
sure i will
GOLDEN CERTS ARE THE BEST
hey alpha i dmed you
lo, how exactly do we go about getting the logins for the bank capturers/approvers?
i've just changed the AD password of a capturer and logged in via RDP, swift config file says the latest AD password should be the SWIFT login but the login's not working
does it take a short while to sync or something of the sorts?
think about "Where is my password will be stored on my laptop?"
search for a sensitive password file? maybe, got it
yo guys ; can anyone reset the .116 network ??
that unironically helped, thank you
yes i'll hit the reset once im done
please notyetnotyetnotyet
Anyone on .117 mind resetting?
The VPN server seems to be broken rn
116 here*
do it ! just reset it !
man, its been reset
:(
i was about to get my final flag, damn
now i'm going to be going through a chain of RDPs again but at least it should be marginally easier
that's the regarding pain among other resets !
yeah, i'm probably not alone
i guess stuff like this won't be a problem once it's closed access and for the business peeps only, since it wasn't meant to be given en masse to the public
Anyone else on .116 subnet unable to ping e-citizen (Left and rejoined room)
In my attack box via THM web I can ping?
though i just pinged it and its alive
ah
strange
i think it's an issue with your vpn then, try reconfiguring it if you're using ovpn
|| Ready to verify? [Y/X/Z]: Y
Warning: Permanently added '10.200.116.12' (ECDSA) to the list of known hosts.
ubuntu@10.200.116.12: Permission denied (publickey).
Could not recover the verification file, hence flag could not be verified
Once you have performed the steps, please enter Y to verify your access.
If you wish to fully exit verification and try again please, please enter X.
If you wish to remove this verification attempt, please enter Z
Ready to verify? [Y/X/Z]: ||
@trim beacon ?
? No Im trying to get perimeter breach flag
oh ; how u writing ur file / flag ?
if u used powershell it's fucked up . ; so use cmd or rdp
DM
I guess someone messed up the SSH service! but u can try to get further into the network and use a different endpoint to verify this flag
Alternatively you could swap subnets and retry there?
Probably me when I priv esc'd knowing my luck LOL! Will be attempting over networks
@trim beacon I am retracing my steps so I can do a write-up, may I ask you if something is intended or a bug currently?
See message here: #red-team-capstone-challenge message
However you can just further compromise the estate and come back to this flag on a different host
Sure you can send through
Thanks dude
Gave +1 Rep to @trim beacon
thank you
Gave +1 Rep to @trim beacon
hey, anyone here able to help me with doing the final flag?
how exactly do i go about all of that process, where's the flag email and am i supposed to send any transactions?
i've got everything i need and i've done all the other flags
got the capturer's and approver's email, my own set of two emails and access to the website
how exactly do i prove all of this stuff, and what's the "SWIFT Access flag email", is that just the current email i have?
do claim flag and follow the step by step
i mean ssh to e-citizen and do like you do when claiming flag, it's a sequential process, from flag 17-20, so take note of everything. if you did not get the email in the Flag 17 process, i think you can reset the swift flag and repeat the step
nvm, think i got it
yeah, of course
i just missed where my pin was in the emails i got
ended up restarting it like 5 times
did you verify if your email is created?
yeah, of course
it's been done now, got the last flag
i didn't look at the email properly, mindlessly claimed flags, turns out the pin was on that first SWIFT email
coool
**Hi, everyone!**
Sorry if anyone asked it before, but I have real troubles.
I configured ||corpUsername.ovpn|| file to remote ||10.200.X.12 1194||, but when trying to connect it always restarts every 5 seconds. This happened after I added ||sudo ip route add 10.200.X.21 dev tun0||. I don't know, maybe it has something to do with that.
Please help with this, I thank you in advance.
I don't know that route. There are like at least 3 other easier ways to make your way through the network. I would focus on finding those.
you have to make your own custom vpn file to get into the internal server
you can do that through the vpn portal but first find out how to access it then make any vpn files you want
If the route has been added correctly, ip a should show you the IPs and you can just try to nmap the other machines
Anyone able to quickly help me pivot into the machine cause my proxychains and that seems to be busted?
(explain what I'm doing wrong ^)
I still had trouble even after that then used the vpn portal to manually generate a custom vpn file for me with the credentials that i had found during enumeration
This works too
But sometimes those generated vpn files can also send invalid ips
but now the problem I'm facing is that the freakin vpn portal doesn't accept the credentials. i got a reverse shell through that yesterday but now nothing works
DM
LoL, don't know why, but I can't login to VPN request portal, although everything was fine before
My credentials are correct.
If network resets then your persistence is removed
and if some one else can also rewrite the ssh keys
someone already did that actually but luckily @granite valve took the trouble and guided me through this mess :' )
think someone kept breaking the vpn server multiple times on shadows last subnet because it always failed logins with correct credentials
so that's why the creds didn't work
¯\_(ツ)_/¯
could also be intentional breaking by itself to make it more realistic by am03bam4n
then , shadow could find another way in . from .13 [ web ]
its easier than shadow thinks
well probably
found the admin thingy thingy on web in the past
vpn works now so can finally login there if shadow wants
also easy auto generated personal vpn file
cool ; happy hunting !
oh lol forgot to verify the email again to access it again
Oh, so you got a flag?
nope but got the rules of engagement message in there
ah nice and easy setup
Ah, you logged to the mail server that way.
is the vpn portal working again?
dunno how working it is but seems it is working enough on shadows subnet
oh ok
Once you have performed the steps, please enter Y to verify your access.
If you wish to fully exit verification and try again please, please enter X.
If you wish to remove this verification attempt, please enter Z
Ready to verify? [Y/X/Z]: Y
Warning: Permanently added '10.200.116.12' (ECDSA) to the list of known hosts.
ubuntu@10.200.116.12: Permission denied (publickey).
Could not recover the verification file, hence flag could not be verified
Once you have performed the steps, please enter Y to verify your access.
If you wish to fully exit verification and try again please, please enter X.
If you wish to remove this verification attempt, please enter Z
;-;
@trim beacon soo how do shadow get their flag now????
because that error on e-citizen does not look like it is user fixable
nice good job @smoky breach
and got a sudo user on the vpn box with access to all commands without password run as sudo
oh wait shadow might understand why e-citizen fails

someone removed what e-citizen needed to work to gain a ssh session
from where u tryin'' get the flag ?
VPN host
powershell is fucked up ; u might wanna use cmd or rdp
the problem seems to be someone nuked the authorized_keys for the public key that e-citizen uses to verify
oh ; then --> its time for some pivot !
does this looks same as yours ?
yeah probably
oooh haha
yeah shadow and connor are apparently on the same subnet too
@hexed whale ello neighboor red teamer
assuming connor@parrot is their hacking machine from their addition to the authorized_keys file
also seems the vpn files this vpn host is generating are broken and don't actually currently give access to the internal stuff.. but could use the vpn host as a jump host
just gotta setup proxychains
eugh tired now so dunno if shadow feels up to it
That was me earlier lmao, couldnt get the internal vpn generator to work so hopped off that subnet
haha
Im smashing my head against a wall trying to get into corpdc tho...
||┌─[connor@parrot]─[~/Documents/THM/Red_Team_Capstone]
└──╼ $ ~/Tools/local/BloodHound.py/bloodhound.py -d corp.thereserve.loc -u svcScanning -p "Password1!" -ns 10.200.119.102 --dns-tcp -c all
INFO: Found AD domain: corp.thereserve.loc
Traceback (most recent call last):
  File "/home/connor/Tools/local/BloodHound.py/bloodhound.py", line 5, in <module>
    bloodhound.main()
  File "/home/connor/Tools/local/BloodHound.py/bloodhound/__init__.py", line 303, in main
    ad.dns_resolve(domain=args.domain, options=args)
  File "/home/connor/Tools/local/BloodHound.py/bloodhound/ad/domain.py", line 666, in dns_resolve
    q = self.dnsresolver.query(query.replace('pdc','gc'), 'SRV', tcp=self.dns_tcp)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1089, in query
    return self.resolve(qname, rdtype, rdclass, tcp, source,
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1043, in resolve
    timeout = self._compute_timeout(start, lifetime)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 950, in _compute_timeout
    raise Timeout(timeout=duration)
dns.exception.Timeout: The DNS operation timed out after 3.2024636268615723 seconds||
timed out after PI seconds
indeed but why?
You keep compromising the network, then you will get access to machines like WRK1 and WRK2, where you will be able to submit the first three flags in one go
When you're in ||svcscanning|| but still need to get the first three flags cause stupid
should still be able to get them as that user, shadow would believe connor
Not sure how your connection is working, but I don't see that you are using proxychains? So how are you connected to the network?
setup dnschef
sshuttle
Source: https://github.com/fox-it/bloodhound.py
Usage:
- PIP: pip3 install bloodhound
- Docker
- docker build -t bloodhound .
- docker run -v ${PWD}:/bloodhound-data ...
See DMs
Trying to do it under 'Server1' hostname but nothing
need wrk1/2
welp shadow lost track on where they were on tyler r:s vods
time to watch part 4 because it feels like that is where shadow kinda left off
I've got a couple questions when it comes to a red team report, not sure if this is the place to ask it, but since it is for this room I will put it here. #1 Is more information better or should I try and keep it concise? For example when transferring a file to a machine should I just say "I transferred mimikatz to x" and then continue on with me running it and exploiting a system or should I actually show me hosting up the file, using wget, making the file executable, etc? #2 For a red team report would you list all of the vulnerability findings and their fixes like you would for a pentest report, or should my report only focus on the goal execution?
shadow would go for stupid simple explanations including all the steps but trying to show impact ¯\_(ツ)_/¯
though shadow is not certified or actually a pentester or red teamer so no experience in report writing
See last point of the criteria for submissions: Clear and concise explanation of technical concepts and processes. So make sure to talk about the technical details, but keep it concise and to the point.
Red team reports do not list all vulnerabilities. That would be a penetration test report. Red team reports have what is called the compromise story. It explains how the final goal was achieved and along the way makes note of the misconfigurations that allowed this to happen. Then at the end you can talk about recommendations, which looks at overall what went wrong and what will be the tiny fixes that will make the most impactful change to the security posture. I'll give you a hint, it isn't the usernames that are the problem....
Thanks a ton for the information
Gave +1 Rep to @trim beacon
YAY first 3 flags gotten
sorry whoever it was shadow killed a rdp session for
swapped to another account shadow had creds for to avoid interfering
@trim beacon if you got a new private internal vpn file... and the network resets or restarts... will it still work afterwards???? could test but not gonna force a reset for it
The files still work, yeah
thanks for that confirmation @slender verge
Gave +1 Rep to @slender verge
If you have to change subnets too
congrats 
those are email subject lines
Good stuff @cerulean wraith
now to either relax or to go watch more of tyler R:s videos to get further
guess that if the network resets and shadow regens the email with the verify email e-citizen options all of these emails will pop in there again
but not sure on that either
Take the flags to be on the safe side. Lol
already made a flags.txt file in the ctf/red-team-capstone folder
now to stall submitting one until tomorrow to use it as the streak upper
can confirm, the email client will repopulate once you authenticate and verify email again
thanks again for sanity checking shadows things
Gave +1 Rep to @slender verge
no problem, rooting for you to get that badge
yeah that is the end goal... for now it is chillax with tyler R:s vods
sounds like a good time
yuups
idk if you guys from the staff can log check but my attack boxes crashed quite often. I had 2 moments today when the boxes just froze and connection got lost. It wasn't a reset and the timer still had 1h+ left. The problem is everything is gone and I have to do it all over again... I had it happen many times before and it's incredibly frustrating to have to start all over again and it was basically for nothing.
would recommend your own kali linux vm instead of the attackbox for this network but you do you
dunno how much staff can help with attackbox stuff though
yeah I agree but the reason why I am a big fan of THM (vs. HTB) is because I can run the attackbox. I can run the attackbox on my business laptop and take part while traveling. and also do quick learnings without having to have my kali vm with me or 2 laptops
ah then note taking and setting up a quick path to exploit using said notes is your best bet
but attackbox shuts itself down after 1 hour if you do not extend the attackbox
and it has a max uptime of around 6 hours
that's what I do because I am aware that there is an expiration but the reason I am mentioning it is because those stats didn't apply and then it becomes tedious. The 1h definitely doesn't apply for this room but I also don't know what the maximum is in this room. I just know it was random. today it was once like 4h in and once after maybe an hour
aaaah well you share the subnet with multiple people
they can force resets.... said resets will kick you out
like I said, I understand the mechanic, it's not the reason
i still appreciate all the work that went into this room and that it was open to the community and your help and everyone else's. I just want to point it out as a potential client as well
anyone on the .89 that can Extend it please?? I am almost to SWIFT time and out of extensions
Thank you!!!
yuup on that... gonna try
apparently shadow can not extend it either.... sorry @heavy crag
it's fixed - someone did! caution AV is tight in the BANK side so be careful with your commands in psexec or similar - it will kick you out of your shell - amazing!
well if you got some good permissions there you should be able to disable AV temporarily at minimum
think am0 talked about there being scripts to auto re enable AV
If you are running out of time and you are in a bricked subnet, you can leave and rejoin a room in a new subnet without maintaining streaks. Finally the creds worked! Subnet 10.200.121.XX was bricked for days
ooh yeah that one
was on that for about 3 hours
shadow has played subnet roulette multiple times over now
yes- the struggle is real
finally got a working internal vpn file that is private to shadow themselves
and 3 credential pairs
and knowledge of how to get administrator on a perimeter host
gotta learn proxychains and ssh portforwarding for the rest
Yeah I just rooted the VPN box, created a dynamic proxy with SSH, and once I actually root these boxes, I'll drop a relay back to myself through the VPN box so I won't need the VPN profiles
can anyone help me solve this riddle? why am I not authorized to RDP in to BANK? I am part of Enterprise Admins, DA, AV turned off, inside a folder with AV Exclusion setup. I'm in PsExec64 shell with the system flag, confirmed NT/Authority
because RDP permission is not included in most of those
you should be able to add RDP permission though
I made it finally. If your RDP gets stuck or you rdp into a host and it takes you to another active rdp session instead, you can see each session using cmd with the following commands: qwinsta username and rwinsta session id# to reset the connection. Had to do this a few times and it works like a charm
Did that to me a couple times but I eventually got through. It will work. Your username should be BANK\darkf in the rdp gui
I have tried multiple combos, BANK\darkf, \BANK\darkf, BANK.thereserve.loc\darkf ,etc same result is login failure
no luv with PsExec either
Yeahh, there's something weird up with psexec
Kept having a similar issue
Its definitely BANK\name for it by the way
maybe learning MSF with proxychains would be easier after all?
Dunno if this might be the thing by the way, but which domain did you add the user on?
every server I land on -lol. so far CORPDC, ROOTDC, BANKDC. all are DA or EA where avail
So you used the RootDC to make the account on Bank's?
from CORPDC I remoted into ROOTDC with psexec /s -- still trying to even connect to BANKDC- rn im just plain confused
Surprised you got there, it failed to psexec for me dozens of times for no reason
Foolproof way that I ended up doing which is more reliable than the rest
why make any accounts at all?
ok to be clear - I am on ROOTDC now.
I just ended up laterally moving through the preexisting administrator accounts
my darkF user has EA,DA and Remote Desktop local
By resetting their passwords to something predictable and RDPing
im simply outta knowledge
Yeahh. I'm lost as well
Try rdp through your thereserve\darkf account?
From rootdc that is
You have to launch all of these from said rootdc to get into the bankdc, don't think its in corpdc's scope
thanks man -- im gonna take a break thanks for your help!
anytime, fren
perfect time for break as the network is resetting
this whole thing definitely aint a pushover. i'll be helping out a bit for the last few days if i have time
6 and a half days left
i do hope someone out there documents all the different ways you can pentest it though, there's so many entry points i haven't tried out and probably won't for my own sake
all you red team users better run better run quicker then our business creation
shadow 2023-05-30
since jesus christ this is probably the first time i've had 15 terminal windows and 3 rdp sessions open at once
well if you wanna do this after they close it down guess you should apply for a business license
Why does it show to me 5 days?
Besides, I completely lost the access after 5 days?
that is before it kicks you out of the room to free up subnet space
none of your answers and progress will be lost
but you will have to rejoin the room
oh, I see. Thank you
I can continue this room once I joined it
as the subnets are shared between users it helps keep costs low
yuups
yeahh, i learnt that eventually
the first network room that i joined was HoloLive, and I thought the countdown was going to lock me out lmao
i ended up rushing through the entire thing in the 6 days of access i had
and this room i ended up rushing in less time due to that old habit too
3ish days
well in this case the rushing will help as this room is not staying open to the public for that much longer
yeah, this one was the real deal. thankfully got it done, heh
still take breaks though, peeps. unhealthy not to
probably wasn't the best on my mind to sell my soul for the past 3 days because i came in a little late and ended up hitting at it for 5+hrs/day
for some reason, after I ran /bin/cp to try and read a file ( shell ovpn), I got this error after running simple commands (was there an update in security?): ls: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by /home/ubuntu/libcrypto.so.3) ls: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /home/ubuntu/libcrypto.so.3)
Huh, I've been trying to retrace every step for a proper write-up and it's honestly looking like I never actually managed to bypass AV, someone else must have been disabling it on my host
If you have been getting utf-8 codec cannot decode byte errors when reading your flags, make the username.txt file locally on Linux and run unix2dos on it so it uses Windows' default text format UTF16
i disabled it whenever i got to admin just so i could use mimikatz for looting. probably should have turned it back on when done
seemed mean though
Hey can i get the 'RedTeamer' title if i complete this challenge?
I did that once or twice, mostly just created exclusion folders
No, that was from a different event
There's a badge when you complete it
I am also getting 172.32.X.21/22 instead of 10.200.X.21/22. I can manually add the route and access 10.200.X.21/22 but wonder why i am getting 172.x.x.x and not 10.x.x.x. Does anyone know? is this an issue with capstone network?
You have to change the openvpn config file to not pull routes from the VPN server. And then add two more lines pointing directly to the boxes. 3-5 lines.
deliberately broken ovpn to make the path harder to encourage people to explore the 4 other paths or learn how to modify the script- choice is yours;)
There is also a No-VPN Method that I was trying out before the network reset. I'm going to finish the rest tomorrow, hopefully I can rejoin the room. The No-VPN Method uses relays on Linux and Windows netsh via firewall hole-punching and proxying shells between each subnet.
Mmm, I'm not fully sure? I think it might work since the client cert should check out? I see others have confirmed that it does work
Remember that BANK PCs automatically work with the BANK domain. If you want to auth with an EA account, make sure to specify the correct domain. So that will be thereserve.loc\darkF in the username field when you auth
You can verify the Domain of the account by looking for the OU of the account
If you could, would you be able to give me a full rundown of how/which tools used from entry all the way to bank? I'd be really interested to know how you can proxychain multiple connections and do so on windows too
Pop me a DM and I'll send you three videos I create for this
yo man @trim beacon ; whats the issue with network stopped
its 3rd time today ;
it says it stops after no one's using ; but am on that network
i would also like to know that.
It stops after the time runs out. If you extend the time then it will continue again
sorry to say that but it had time ;
I can't seem to be able to, Discord's telling me I don't share a server with you or you have that option off. I'll go ahead turn my restrictions down and you can shoot me the DM if possible?
Man by the way, you make some amazing rooms. Props to you, probably my favourite thm dev
Would love to see those vids though, absolutely
You need to verify your profile first
!docs verify
Will respond in DMs in a bit
You will then probably have to chat at #site-support for them to review what is happening with the connection
sure ; lets give it last shot !
Ah, makes sense. I'll probably go ahead do that sometime for future ref
hello im new here anyone help me?
Hello
Hey, can anyone help me? I'm stuck getting a connection from rootdc with my attacker machine. I should pivot, right? If yes, I have tried plink and it's showing "no supported authentication methods available (server sent: publickey, keyboard-interactive)"
It should be the biggest regret that the "Red Teamer" title was not given in this challenge.
Nah, I prefer Red Teamer being part of the event.
anyone having problem connecting with mysql server in vpn
make sure your password and username are the right upper and lower case letters
funny now vpn portal is not working
uh oh
someone might have bricked it then
or it just did it itself
if you are on the .89 subnet the VPN host might be a bit slow as shadow is spamming it with packages for nmap
oooh now the vpn host is broken as it gives the wrong routes again
welp poop someone broke the vpn host completely... it no longer accepts the input to start a rev shell
and shadow don't recall what the backend was on the web host
Hello everybody, I'm trying to access the vpn portal, I have the username and password, for some reason it keeps loading without delivering. My ovpn works.
do you have burp's intercept proxy turned on???
nope!
i type 10.200.xxx.12 and everything is fine, I put username and password, and nothing
Is there a fix to that? I'd love to finish the mission
well the reset button on the room page.... or find another path in
most would state to find another path in
That sucks
yeah.....
hence why some people play subnet roulette
i.e leave the network room for 3-15 mins... rejoin... download your first open vpn config file again... try again
this will get you a new subnet
some times those are equally broken sometimes they work
it is a bit of roulette after all
glad because I regenerated, and it still doesn't work lol
If you were reconnecting to newly generated vpn file , make sure to restart the firefox when trying to access the vpn website
When you ask for the next .vpn file there.
victory! Thanks for the tip
Hey does anyone know how to create a domain user on root dc ?
Used net user not working
Used new-aduser -name and pass enabled
nice got a meterpreter shell on VPN host now
nice, i might try that way in a bit due to current manual complications
first metasploit proxychains set up
I just got a email saying the Red Team Capstone ends on June 5th? I thought it ends tomorrow?
the competition ends tomorrow the access to the network ends on the 5th
i.e for first to get all 20 flags and best writeup stuff ends tomorrow
if you are after the badge you have until the 5th
Hmm I think I am too late to win the competition. So far I got to ROOTDC. And right now upgrading my Linux distros. I think once I get access again I am going to backtrack and make my own VPN profiles so my relay-to-relay method can be sent back to my attacking machine more reliably.
I have been using ssh based dynamic socks proxies for my initial breaches. I never had any luck with the reliability of Metasploit's socks4a server but maybe things changed?
The three fastest have been taken, still a reward for a really great writeup.
Not sure about the other runners up prizes.
Yeah I have been having issues getting the VPN server to work as a relay since that was what I wanted all along Meterpreter Reverse Portfwd <- DC1 Relay <- DC2 Relay <- DC3 Relay <-> Vault.
YAY bloodhound collection thingy finally worked for shadow
Getting to the app finally then having the network break on you is... heartbreaking. I cannot imagine that on a real assessment. So glad I am experiencing it now
Random question, do you lot know if the rewards (hoodie) is for all completionists or for the top X
Just gotta keep going. I'm probably the most noob of all the noobs. I stayed on it for almost three days straight and got it
Ah fair enough, doubt I'm gonna have my report available in time but it's fineeee I've had great fun so far
YAY 4th credential pair found
Woo! Well done
thanks connor
Any time
this is a service account's creds too so not a normal user
any better alternatives to set up pivoting as ssh -D is not supporting and chisel is not giving proper results
proxychains using meterpreter
also known as using metasploit
dunno if it is better but it is an alternative
Defo better than Sshuttle imo with what I've been dealing
¯\_(ツ)_/¯
has been mostly stable for shadow.... so far it has only dropped the thingy 3 times due to meterpreter dying for some reason
I couldn't get meterpreter proxychains to work although got sent some guides by @trim beacon to try so will retry.
My VODs are all available for like 60 days, unless I didn't read a rule somewhere, I wasn't aware that flags were supposed to be kept hidden. Kinda hard to stream and keep flags hidden tbh.
no problem as am0 stated there is an easy way to check if someone got the flags legit using e-citizen
or at least shadow thinks it will not be a problem
Yeah plus once the room goes business only rotating the flags would solve the issue I guess.
After completing the challenge I went and got a bottle (spoken in the most English accent for bottle like bottel) of rum. Now I can't see anything and fat finger everything. Is there any help for this
At the end of the day, we can't fully stop people from sharing flags. So those who copy and paste are only cheating themselves. I wouldn't worry about it too much
I don't know if that's possible actually but if it is then yes, they only cheated themselves. This was supposed to be the capstone of the redteam path. Honestly, I followed Tyler's path but it was really hard for me. But it helped me understand the whole red team path better and think about maybe things I could have done differently and come to the same goal. I was on this for over a week and for the last part: DCCORP, ROOTDC, and then BANKDC for three days almost on end with hardly any sleep. It's the understanding of what you are doing that really helps. I had to google through so much stuff and I can't even really remember the past week at all to be honest. I sit in a dark ass room and hack. That's all I do. I don't work. I spend all of my day hacking. But yes, there are probably people that copy flags and paste for a badge. Who cares. All that matters is that YOU get it. And UNDERSTAND it.
I paid 16,000 to go through a school through ISRAEL to learn how to hack when I could have paid 14 a month and went through tryhackme and done it way cheaper than what I did. Everything is on google. If you have a will there's a way. I promise you that
And this was hands down the absolute best learning experience I've had in a long fuckin time. The man that created this network is absolutely fuckin awesome and he knew what he was doing. Things don't work on some subnets, ok, we'll figure out another way in or go to another subnet. There are a lot of ways to complete this challenge and I exploited one that I didn't think was known about and I wanted to get it done before it was possibly patched because this isn't a CTF like was stated earlier. Blue Team can come and mess up everything for you. So treat it more as an engagement instead of a CTF
For example: if you want to know how to add users to a domain then google it or chatgpt it. AI isn't all that bad
If you wanna know how to mimikatz ( well based on the version you downloaded ) then chatgpt that shit
You can get errors then you gotta start googling and trying different things
Everything will not work the way you seen someone else do it . I can verify that
The network isn't the problem. Instead of resetting; which I have done a few times honestly, or switching to a different subnet, really look at what you are doing
It isn't the network
This is as about as real as you are gonna get on any platform
I kind of wished I wouldn't have completed it now. This was the thing that really kept me going for the past week. I'm sad. Going back to regular stuff. I wish you all well
Glad to hear you like it too ^^ I had a similar experience of spending a ton of time and feeling a little lost now. Going to rest and get back to studying I think
I really thought I would come in ass end of this whole thing . Iβm triple noob . But I really wanted to explore it and learn what I could
And really, it doesn't matter: at least for me, where you finish. It's the whole process of learning. That's the only reason I did it
i really recommend this room if anyone goes for OSEP in future by the way. it has a similar feel
hopefully THM creates a non-business way to access it in future for those who missed it
Thanks mate, your comments really helped me. I think I did it right.
pull-filter ignore "route 172."
route 10.200.x.21 255.255.255.255 12.100.1.1
route 10.200.x.22 255.255.255.255 12.100.1.1
Although, does the 3389 rdp have closed to force people to explore other paths?
Open 10.200.x.21:22
Open 10.200.x.21:135
Open 10.200.x.21:139
Open 10.200.x.21:445
Open 10.200.x.21:5001
Open 10.200.x.21:5985
I do not recall RDP being closed in my subnet
yeah, just finish running a full nmap. It's open
(lol) me: sipping some ramen noodles noticing a pattern where ssh keeps securing itself every time i run into an issue with the home directory being absent
try a few times, and you should be able to get it. Ive done about 17 tries before successfully getting rdp
17 tries, OMG. Are they setting it up on purpose?
either that or there's just a buzz of people logging in through rdp forcing it to disconnect and us to try and try or disconnect and reconnect like an IT guy restarting a computer
lol
all i can say is, i run into more misconfigurations than constructive thoughts on my end
yeah, that's my go to. Didn't work then I did remmina
strange, it was the other way for me
@slender verge Did you do it via domain name or just user name? xfreerdp /u:laura.wood@corp.thereserve.loc /p:"Password1@" /v:$IP?
[16:13:33:138] [23854:23855] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[16:13:33:138] [23854:23855] [WARN][com.freerdp.crypto] - CN = WRK1.corp.thereserve.loc
[16:13:42:191] [23854:23855] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[16:13:42:199] [23854:23854] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
Remmina shows the disconnect signal received. Disconnect signal received on RemminaProtocolWidget
for xfreerdp it's just the username
Tried about 30ish times. No luck
yikes, maybe someone changed the password
Thanks mate. Voted mine to reset
good, you can also leave the room, wait 5-10 minutes, and join again to get on a different subnet
Joined another subnet. Now the internal VPN starts an infinite loop. What's happening with the network.
been there. a lot of configuration is next.
Hi all, final day for writeup submissions! Get those reports in if you want to be in the running for a prize! Winners will be announced on the 5th!
Oh my goodness! Been trying to get this RDP to work for days now. Switched to xfreerdp from Remina and added /timeout:30000
Worked first time. lol.
My subnet was reset just as I was beginning to access the swift login. I guess that's my cue for sleepy time
The username is name@corp.thereserve.loc
how many wp have been submitted so far? @trim beacon
could you solve the infinite vpn loop with configuration? and if what did you do?
Thanks, will try it after I fix the vpn again.
Tried to add data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC didn't work out.
Updating the vpn during the limited time of the room is a bad call. The sunk cost for me is too high to make me move on to other paths.
I want it done and to move on to the next. Or simply remove the ovpn file, then people won't fall for it in the first place.
Do I submit a write up/report all the way to ||svcScanning||
try using a windows machine . I can not connect on Kali but can connect on a windows machine
Thank you, will try it. Now I'm facing another round of infinite restart vpn issues
dm ; i can share u tips to stop that glitch!
When is this challenge going to be business exclusive?
prob. after 5th June
When you're on SERVER1 rdping into WRK1 cause the VPN Generator is scuffed.
btw you can add timeout bc sometimes xfreerdp dies: /timeout:10000
@trim beacon I'm getting issues with utf-8 decoding. When trying for flags
eeew someone removed the ability to use pubkey sign in on the vpn host
time to play another round of subnet roulette then
Ouch
Make sure your mail box is repopulated (if you changed subnets) and make sure you are using cmd to make the txt files, it doesn't work well if you use powershell
yeah ouch is appropriate as there is no way to fix the pubkey option being disabled that shadow knows of
I found a bypass, instead of using evil-winrm I'm rdping into the server box then using that to RDP into the other boxes.
unless you can restart services with only arbitrary file read and write access
fuuuuuu I got booted out my proxychains
Hello everybody,
I'm on the machine 102. So I try getting on bankdc, for that I do the following:
||New-ADGroup -Name "Enterprise Admins"
Add-ADGroupMember -Identity "Enterprise Admins" -Member username
Once I try using the RDP from 102 to 101 I'm notified that I can't remote login so I do this:
Add-ADGroupMember -Identity "Remote Desktop Users" -Members username||
I still have the same error message!
oh??? wonder if there is a limit to what ports proxychains can use on the target machine
I believe you need to get access to the rootdc first β€οΈ
and back onto server1
writing a short quick guide helps a meep ton
also why does everyone use the old ssh-rsa format for their ssh keys???
ssh-keygen default I think
Hey ^^ using the e-citizen, I m trying to get flag 18, but the e-citizen tool only say: "Invalid data, please try again
Expecting value: line 1 column 1 (char 0)" ^^' any issue with the tool ?
just to be nice shadow reads the authorized_keys file and puts back any other peoples public keys in there after over writing it just so that everyone can play
Hi connor, ok but I do, as I did this:
||``PS C:\users\administrator\desktop> .\PsExec64.exe \\rootdc.thereserve.loc cmd
PsExec v2.42 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.17763.3287]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
ROOTDC``||
Try running those commands on that device.
C:\Windows\system32>net user Administrator password123! /domain
same issue
Weird.
Im not at that point, setting up an enterprise admin personally.
Here, if you r on 102 (corpdc), you can't New-Group "enterprise admins", since this group is in the forest's root
Hello, if you don't mind, I sent you a pm
ok ^^
haha someone killed the web server on this subnet
can't get to the site to meet the team
don't matter much as shadow has another route in but yeah
What am I missing if I can login to the e-citizen portal but can't ping any other server?
The e-citizen portal is just for flags and setting up the email it is not a part of the challenge otherwise. If you have your VPN setup you should be able to talk to the web server, vpn server, and mail server for the network. Those three machines are where the capstone starts. It should also be noted that windows machines do not normally respond to pings by default
nmap -p 3389 -vv $IP -Pn
to check if most machines are running
because most have rdp port open
obviously you should need routing and pivoting to get into most of the internal stuff
Hi - took this same path but was using the psexec.exe /s flag (system) - encountered exactly what you did, somehow got down to .52 with RDP and a messy combo of re-running mimikatz to dcsync each time, while adding a new admin on every server I landed on, I used MSF with proxychains as base --- so convoluted it makes my head spin even as i type this. When my MSF session finally died (5hrs straight) - I tried to get back - that's when I noticed someone had burned down the network below me and reset was 4/5.
I now got a new machine because I am traveling and can't have another freeze kill after 6h etc. The problem is I can't even ping the Webserver or reach it via Firefox
Time to call it a night. I wasnt going for competition anyways
@trim beacon great network dude. Loving it
Did you try to regenerate and redownload your VPN file?
Do I only need the one one the access page? Yes right?
Yeah that is right
Can you ping: 10.200.[SUBNET].12?
If so your vpn is all good
Nope
That's exactly why I loved the online version so much, it was just no hassle and problems (except for the kill after 6h)
Well I would try to regenerate your VPN file if you haven't already, also make sure you are running it with sudo. If none of that works then you can try this troubleshooting script https://github.com/tryhackme/openvpn-troubleshooting
oh boy the hashes are flowing
Regenerated the vpn, also using sudo
I will try that
nice, the script said something went wrong, ask for assistance on the discord
lol
oh boy
hmm, well you can try running "killall openvpn" and then start up your VPN again to make sure that you only have one instance running
If anyone needs some help, I'm here. Barely. Downed almost a whole half gallon of rum last night and dying right now
Thanks, I'll find the answer somehow I guess, just my time is running out as I have to travel sadly, but oh well
That's a shame, wish I could have helped more
the other thing I notice is changing the admin password on CORPDC seems to be a lot easier path to achieve final goal (even though it is extremely inconsiderate to other players, and a path I avoided)- I wonder why that is- Even creating a new user with admin privs that matches all the groups (basically create an admin clone) does not seem to "equal" the ease that an original admin has.
I need help buddy
can I send you a pm?
Yes
When I tried connecting to corpuname.ovpn then initially its ip was 10.200.[].21 but now this time the ip changed to 172.32.5.21, is that right
And when I checked if it is up or not using nmap it's not working
Quite a number, but still some prizes available!
Use CMD instead of powershell to create flag files
Glad you are enjoying it! Seems like you made really good progress!
Hey @trim beacon,
the challenge almost ends and I want to thank you so much for this experience you gave us here. In the chat and with this challenge!
I wasn't prepared for it, and still have to finish the Red Teaming Path, but thanks to @quaint knot I was able to complete it before it goes B2B. But four days left to look for other paths.
Finished a writeup, hope it is not too bad. Keep up the good work! Thank you very much!!!
Glad you liked it and thanks for the feedback! Good luck exploring additional paths! We will be reviewing those writeups soon as the deadline for submission is tonight π
Will be doing my write up, once I've completed the goal. So
Thanks dude. Loving it so much and it's great practice with AD
Release the t shirt designs!
Do any one know this issue with e-citizen ? ^^
So ive got to the point I have a secure connection to the inside of the network but when rdping into 21/22 after the last reset I cant seem to connect to them using remmina. not able to get to rdp 31/32 either,. Any thoughts, or it it a similar issue to the vpn where if someones already in you have to wait till its clear?
Try ip route add [ip] dev tun0
anyone know how to fix the error MTU value failed at 1000, aborting MTU check error when using the thm-troubleshoot script?
thanks it seemed to work
that usually means something along your network is utterly bonkers
I feel like throwing my laptop out the window
Best way to configure that is to delete that VPN then configure a new fresh vpn and try again. Think of it as going down to the bone of the issue and seeing if it needs to be restarted
the lengthy way for this is 'sudo openvpn --config [path]-configuration-name.ovpn --data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC' and i actually have an article I made on it but it works a lot better when you just completely redownload. If you have more issues, it's your computer's default configuration or connection issues
best way is to (delete) rm that current .ovpn file then reinstall the ovpn. If you have routing problems, just refer to changing the routes and creating a no pull request in the .ovpn file through either nano or mousepad
from my experience so far
meep it something is lagging or crashing shadows ssh sessions over 3 subnets... guess it is time to relax with a gamer live stream and try again tomorrow
after all shadow needs a bit of a break anyways
was about to add users to corpdc for domain admin
that sucks, but at least you start thinking of refining new ideas while you take a break
yuups
all of the last 7 subnets shadow has tried have broken web machines too so could not try the alternative pivot route shadow wanna try
because accessing the web cms backend sounded like a fun time
Woop, finally done, so proud. Thank @trim beacon for this wonderful experience !
I made a user called simp for shell, yet the shell isnt simping for me lol
Rename it to Keats, recite his wonderful poem "On receiving a curious shell", and it should work. π
I'm going to be honest, I can't tell if that's a joke or legit at this point. I've been having shell problems on every technique I've used according to my knowledge where I keep getting || sudo: unknown uid 33: who are you? || lol
Sorry to hear that, it was meant as a joke about John Keats. That's a real poem by the way.
Understood lol, i dabbled a bit in poetry in the past so I was like, yeah sure, lets try this. All in all, my main problem is I wont sleep until I solve a problem and its counterproductive lol
you need a bonk to sleep???
Someone might have messed with the /etc/passwd file.
if so, I've been hitting a brick wall the whole time. The first time I got shell, I got in (after numerous vpn and bash not working) and began looking around and after an hour or so of trying to manually try to get privilege access. || I found out that it allows my favorite language (best language ever from my perspective) and saw that i could create a server on my host machine so I sent peas on over to analyse the shell. I found a few CVEs but settled on one that took a little time to do research on and transcribe a bit over to my language but when I ran it..I was partially successful so I tried an old way, these were the results too: www-data@ip-10-200-XXX-XX:/tmp$ ls -la /etc/passwd
-rw-r--r-- 1 simp root 60 May 31 19:25 /etc/passwd
www-data@ip-10-200-XXX-XX:/tmp$ cat /etc/passwd
simp:$1$simp$fz71rbG.h9c1qy1XKtsC6:0:0:root:/root:/bin/bash
www-data@ip-10-200-XXX-XX:/tmp$ su simp
su: Cannot determine your user name.
www-data@ip-10-200-XXX-XX:/tmp$ sudo simp
sudo: unknown uid 33: who are you?
www-data@ip-10-200-XXX-XX:/tmp$ ||
Your user account probably got disabled when you edited the passwd file without sudo privileges.
interesting that would make sense. What would you recommend I should do next, surface level wise?
on the vpn host there already is a user with full sudo access without password
shadow tends to just add their ssh key to that users authorized_keys file
and ey presto
shadow also reads said file before doing that so that they can add back all the other users ssh keys into there after
to play nice so to speak
interesting, I tried that myself with the keys file and the response i got from the shell was: (only the end of what I ran) | sudo tee -a "$LFILE"g5XVMh
sudo: unknown uid 33: who are you?
So i may be disabled as timtaylor pointed out
can I send you a dm?
yea, sure, any help is appreciated
yeah sounds like something is bricked in either /etc/shadow or /etc/passwd
yep, i think im 100% disabled to be honest. In that case, im out of the game since I gotta put time down
hit the reset button..... or play subnet roulette
Thank you, will try it
lol, will do, I did reset it once already for this problem yet it still lingered which was weird. as for subnet, here we go again lol
well avoid editing mission critical files
will do, or try 00 -- its weird how i can add but cant remove, but adding is like a sudo priv
ill figure something out
here's an easy one: how to solve intermittent copy paste function in THM attackbox. it went from working every 3rd time to not working at all. I'm even using the. NVM - the 30th time is the trick - FML. I could do this all day! think of how good I will be at it? shift-control-c | shift-control-v x 30 === amazing hacking skillz!
"roll out" style built in clipboard feature- it populates it but does not transfer it to the terminal or anywhere for that matter
Anybody manage to get in through the CMS? I spent hours looking up CVEs and got nowhere
word on the street is you brute force the login with room password list as your rule base
Really? You can just brute-force the CMS?
just like mail
I thought it'd be some known exploit instead
did you finish and exploring new paths? I got to .52 and ran out of .... everything
Yeah, I finished it and I'm throwing other things at it to see what sticks
well i could use a lifeline DM?
Sure, let me know what you're trying
Finally, got the rdp connected. I didn't even need the data-ciphers. Just about rejoining the network and redownloading the capstone ovpn files more than 5 times. then working
nice, it stops working again. Have to do re-download&connect all over again
Forgot to mention that if you can make a excluded folder as admin using Set-MpPreference, you can drop a Microsoft Cabinet file that you can make using the gcab command to drop all of your tools on the box.
I did hear that Microsoft is going to support more archive formats without requiring WinRAR to open like... a 7z file
Anyone getting a 1359 error when trying to add a user via net user? Or anyone know how to fix it?
anyone familiar with secretsdump syntax? i'm trying to dump the local hash of the bankdc using the administrator hash from the rootdc and i can get it to work fairly easy with crackmapexec but i can't get it to work with secretsdump
same hash and user, syntax look fine but still? π’
why ur domain name is ROOT when u tryin' dump/login in BANK ?
havent done this way ; but u might wanna 'FQDN/ROOTDC\USER'@IP
cause admin's hash from both are different?
disable the antivirus temporarily.
FQDN of what? also i use ROOTDC FQDN not ROOT
Only the domain should be needed here. So just THERESERVE.LOC/Administrator@10.200.89.101 for the impacket command
oh make sense let me give that try
thanks a lot, you are a life saver, i have been debugging this with another guy for so Fing long
When I use ||Set-MPPreference -disablerealtimemonitoring $true|| it just freezes the cmd prompt. Any ideas on how else to do it?
had the same issue... solved (I guess) when using an elevated psexec session
in a psexec session, or evil-winrm, or in RDP ?
PsExec session
never seen that ... can you do (get-mppreference).DisableRealtimeMonitoring ?
instead of disabling AV, it's also possible to only add an exclusion folder
Hey, I'm stuck near the end with the e-citizen tool to validate flags, can some staff help please?
Selection:18
Checking swift capture
Warning: Permanently added '10.200.118.201' (ECDSA) to the list of known hosts.
Invalid data, please try again
Expecting value: line 1 column 1 (char 0)
Please select which flag you would like to submit proof for:
So I can't get the action to perform to get the flag, or validate ... just stuck
Thanks for your help
If the network reset, you will need to start from flag 17 again. Auth to e-citizen, press option 2, then reset SWIFT progress and start again
Any help pls, I'm stuck on the corpdc, I'm on the server but can't rdp in to rootdc, I'm getting "user account not authorised for remote login". How can I authorise my account for remote login? thanks
hi , i have an issue with my mailbox with the correct configurations (i did repopulate it because of the network reset )
Thx, got the idea
I have a few minutes ... wish a DM to check and get a few hints ?
most of times, when I have an issue with my mailbox, I use the e-citizen tool and do [3] Verify email access. Most of times it's due to a network reset. hope it helps
i actually did that and i still have incorrect user/password
nvm it seems working now , it just took more time
strange... repopulate can take a little time if you have many flags... I do not really use the mailbox because of these additional steps on network resets... I mostly use the e-citizen tool to get the flag back
Ah I got it working finally! Wasn't using the -s option for PsExec
yeah it takes more time to repopulate, it's working fine now, thanks
yeah! elevated psexec works wonders ^^
I'm thinking of setting up a local admin acc in rootdc (Got Golden Ticket) then using that to navigate my way down to the swift platform
Casually writing my report rn even though I haven't completed the goal cause my VM decided it wasn't gonna play nice (I have two, one on my local network and one in the cloud).
A local admin on rootdc would be only on that host (local), and would not allow you to go anywhere else ... better thinking in ActiveDirectory, and forest
How can u manage proxychains winrm to bankdc with those hashes bro? i tried with that hash but i got denied, do you know what my problem is? Proxychains winrm for me only works up to corpdc, won't in rootdc or bankdc, denied.
Could you not then add a domain user with rdp and set it to enterprise admin?
You should try, but don't forget to add the (super) user in the domain, so that he can be known by hosts in the forest/domain
I can give a few hints in DM to avoid spoiling too much
If you wouldn't mind
its ok ^^
Hello guys and girls, I'm super annoyed. Got the ROOTDC access, create a user with a password and the enterprise admins access:
``PS C:\users\username\desktop> .\PsExec64.exe \\rootdc.thereserve.loc -s cmd.exe
...
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
ROOTDC
C:\Windows\system32>net user username password123! /add /domain
The command completed successfully.
C:\Windows\system32>net group "Enterprise Admins" username /add /domain
Global Group memberships *Enterprise Admins *Domain Users
The command completed successfully.
C:\Windows\system32>net group "Domain Admins" username /add /domain
The command completed successfully.
``
Then I try RDP on 102 as follow:
I put the ip 10.200.xxx.101.
username: username
password: Password123!
I am met everytime with the message : "The connection was denied because the user account is not authorized for remote login."
WTF is wrong with my stuff?
might be that net user automatically creates the account as a disabled account? run net user username /domain to verify if the account is enabled?
Account active Yes
Can you authenticate to the remote host via another method? Like SMB or WInRM? If yes, then maybe your account also needs to be in the "Remote Desktop Users" group to log in via RDP
proxychains -q evil-winrm -u username -p 'Password123!' -i 10.200.113.101
Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.200.113.101" port 5985 (10.200.113.101:5985)
Error: Exiting with code 1
Also PS C:\Windows\system32> net group "Remote Desktop Users" username /add /domain
The group name could not be found.
I even checked by opening secpol.msc>local policies>user rights assignment>allow log on through remote desktop services
and added my username
Is the proxy configured correctly? Like can you reach other ports on 101 via proxychains (445 or 3389)?
Regarding the group, I wrote the group name from memory. Maybe the name is slightly different, but should be something similar at least.
Although I am not 100% sure if it will work if you add your user to the RDP group on the root domain and then access a machine on the child domain. I would have to look into that again to be sure.
To avoid the proxy problems you could try using Enter-PSSession from the windows host you are on instead of evil-winrm through socks
My proxy is correctly set, though, the mentioned ports are closed.
I used a metasploit path, multi handler => socks_proxy => autoroute etc
Where did you create the account? In the ROOT domain or just the BANK domain?
I have created the account in the ROOT domain
PS C:\users\username> net localgroup "Remote Desktop Users"
Alias name Remote Desktop Users
Comment Members in this group are granted the right to logon remotely
Members
BANK\a.barker
BANK\a.turner
BANK\Administrator
username
I would consider maybe creating it in the BANK domain instead
You are trying to now use an EA account, protections will apply to ensure you don't spray EA creds. For example, can only do kerberos, not NTLM auth. So you may not use the IP, have to use the hostname
Could he not use corpdc > RDP to rootdc > RDP to bank dc?
I don't remember right now how it was set up in this lab, but depending on where your proxy is running from, you might not be able to reach the BANKDC over the proxy, if it is running on for example the vpn host.
I think the BANKDC was only reachable from the ROOTDC, so you would have to start your meterpreter session there for the socks to go through.
At least if the FW rules are as I remember :D
The question is not using RDP or not, and the path, it is around the account specifically. Accounts that are privileged have specific protections applied to them in AD. So you need to be aware of this and then either disable those protections, or use a lower privileged account
Ah makes sense. Didn't know whether that was an option.
I am met everytime with the message : "The connection was denied because the user account is not authorized for remote login." - This message here tells me that the RDP connection is being established, but the account protections are then kicking in
Oh yeah definitely. My answer was only about the proxychains error with evil-winrm.
The RDP error is definitely something else
they are protecting cause I know too much... ok sorry. I'm kinda confused. To be clear, I got to rootdc first getting in CORPDC with remmina and then got a psexec. It is a valid path right ?
@fiery sinew do you have any other accounts you can RDP in with
RDP in bank ?
Path is 100% valid yes. Now you just need to figure out best way to move to BANK, which can be RDP, or other means as well
can we actually get to CORPDC from .21 and .22?
Hey Folks!
Just a quick question: I'm inside the network and feeel like good on the way - but I missed flag 4 (Flag-4: Administrative access to Corporate Division Tier 2 Infrastructure).
Can someone give me a hint to which machine i correlates? I got flag 3 (not sure: the ubuntu user on VPN server, right? And I got several flags behind concerning the first DC.
But flag 4 is missing and I cannot find it
Tier 2 is either WRK1 or WRK2
@trim beacon
```
Warning: Permanently added '10.200.118.102' (ECDSA) to the list of known hosts.
Could not recover the verification file, hence flag could not be verified
```
for admin on corp 0 infra
oh wait never mind
forgot that windows hides file extensions by default
100% yes. CORPDC is their DC, so they have to be able to see the DC to allow auth
Glad you got it sorted. Only when it says key denied is there an issue with it
the swag stuff that got handed out as prizes for the winners won't be available in the swag store right??? @trim beacon
So there will be a generic one on offer for a limited time only. Runner ups for the writeups will receive a voucher to get that one for free. But the customised ones are one of a kind with only four of each being printed forever (the fourth one is mine)
ooh nice gonna try and buy one of those generic ones
@quaint knot thanks again for your awesome walkthrough streams... the struggle learning is real
alright, good to know, I'll have to see what I can do about that
the CMS lockout is horrific
yeah pivoting from the workstation machines is possible and relatively easy