#holo-network
I think I tried that but I'll give it a go again. Server keeps going down.
@vapid umbra made no difference
so you just have to stabilize the shell ??
yeah, i have the reverse shell just need to stabilize it
/usr/bin/script -qc /bin/bash /dev/null after stopping or before?
first run this
progress i have a pseudo shell now
should i still spawn the python shell or skip that?
both script and python will do the same thing
depends on you what do you want to use
I'll stick with the script for now, python wasn't doing anything for me.
Thanks @vapid umbra been stuck for a good 2 hours now trying to get this done.
Gave +1 Rep to @vapid umbra
happy to help !!!
Which version of python were you trying to use? I think I had the same issue today
python -c 'import pty; pty.spawn("/bin/bash")'
on the holo.live server
@vagrant willow
Did you check python existed first?
I did not, I figured since the task specified that you had to follow the instructions exactly then I should do so. You are right though, python did not exist and I should have used python3
Yea it would have been super obvious if stderr was coming back. TIL add 2>1 if something doesn't work.
In this case how do I get reverse shell?
Even if you see it in running processes, if the application is not in scheduled task, how do I get the reverse shell. Placing the dll file in the folder and waiting for a long time, nothing happened.
Just because you don’t see the task doesn’t mean it’s not there
lol
anyone can lend a hand for dll hijacking?
I put it on the Windows\Tasks
but can't shutdown it
what do you put in \windows\tasks?
the application is on the Windows\SysWOW64
you have rdp into .35?
Yes.
look from the folder \Users\<username>\ after some files
is that the .dll on the Appdata? result from the powerup?
A program will always look for the dll file first where it runs from
this is the wlbsctrl.dll right?
saw it now.
it's on the user application
I think I messed up
I put the .dll on the same folder of the kav.exe
but when I run it doesn't work
and now I can't delete the .dll
if you messed up with the dll payload, then you need to reset the network
after putting the dll on the same location of the application we need to run the application right/
?
if you start the application then you are the owner...
scheduled task start this application as admin
this should be run every 2 mins right? hmmm
whats your subnet ?
Hey Once again me, help me out with ntlmrelayx
- sshuttle
- msfconsole and gain nt \authority system in PC FILE SERVER
- upload shell.exe
- Turn off all the smb services and restart the machine
- run the ntlmrelayx
- Run shell.exe and port forward the 445 port
I have done all this but didn't get the response in the ntlm
currently on .35 trying to get a system access using dll hijacking
are you able to finish the task 43?
yesss
I know I'm doing the right thing, but it's working.
I'm trying to do the reverse shell on admin.holo.live (10.200.x.33) but nothing seems to work
tried nc, nc.traditional, perl and php
on my vm nc -lvp 1234
got stuck here 2 months ago as well and then I quit it, but now I wont
you can DM me
I'll try to help
Thanks everyone for helping me, I was able to finish the holo network
I'm trying to do the docker privesc but it says it cant find the alpine:latest image

well I got shell on L-SRV02 but that doesn't mean much ig
wait what the
r/accidentalroot moment
Spill the beans
can I ask for some hints on task 28 (exploiting password reset form/login form)
I'm using a lot of requests and combinations but could not pass through - some of my tries (no particular order):
||I'm getting the token in the cookie, but setting the cookie by itself doesn't make me receive the redirect||
||I don't know how should I get the page to go with that cookie or token with GET param||
I noticed the SUID and just started connecting to random docker containers that were downloaded on the machine
because it didn't have the alpine container specified in gtfo bins
turns out one of them was the machine
google what alpine is and what other alternatives you have from the docker list
you also have to modify a bit the code that was provided
The guide says to use evil winrm on the fileserver machine, however I tried it multiple times and it did not work, crackmapexec ran through and was able to authenticate via smb though, any ideas/pointers?
You can use the browser dev tools and it will give you exactly what you need, but you need to do it twice
requesting user token twice? what for?
i'm still getting ||<b>Notice</b>: Undefined index: user_token in <b>C:\web\htdocs\password_reset.php</b> on line <b>24</b><br />||
Once you have retrieved the token from the JSON response or cookie, you can submit it within the URL query under ?token.
try using ?token instead of ?user_token
Can someone send me the submission email for the room? I recently finished room but my subscription expired before I realized I didn't save email. Thanks
The deadline for the competition is September 15, 2021. Participants must email all reports to reports@blacksunsecurity.com. Please send this via an email that you regularly check. We will be contacting all the winners via email.
I'm getting either Undefined index: user or Undefined index: user_token, with any combination of query parameters (user, token, user+token)
There is a different page you need to use. I can't recall it off the top of my head right now.
how can I know that? only know pages are ||index.php,password_reset.php,reset_form.php and login.php|| - did I miss something?
nothing here, I'm keeping the session ID and making requests to all of the above pages with either token or user_token GET params, still nothing - I think I'll leave it for now and I'm going to access this via an actual browser from home
EDIT: I've sshuttle onto that subnet and got some pages by fuzzing that bad boy EDIT2: no success 😛
You will be forwarded to this page once you did the process correctly
by common sense, yes, but no success so far
imo it should work that way: ||go to reset_password.php, take the token, then make a simple request to reset_password.php?token=TOKEN and it should do something. at least do the same with login.php||
but it is not a case here
because you're supposed to get a mail with that url - so no cookies or POST arguments should be required
As I said before - Do it twice
yeah I know, now I feel double stupid 😛 gotta take a break and try with the browser later unfortunately
ok, got the redirect - so it has to be user_token not token @hidden lava
thanks @vital olive @hidden lava
Gave +1 Rep to @vital olive
Well done 🙂
how can I test if the pivoting VPN works for sure? I tried running
```bash
sudo /opt/sshuttle/run -r linux-admin@10.200.120.33 0.0.0.0/24
```
or should I run as root?
edit: logging in to shuttle as root doesn't fix it, either
when I run it using chisel with chisel server -p 46969 --reverse on my pc and chisel client 10.x.x.x:46969 R:socks on the server it doesn't work either
^using proxychains
at least, I'm testing it using ping which did work when I SSH'd
Any else facing issues while logging into admin.holo.live? Was working fine a few minutes back, and then lost the reverse shell, and now can't log in..
either close your web browser, open it again and do it again or do it in incognito mode. I believe it's the php session that expires or something
Ah got it working after a restart of the browser. Many thanks!
@fading jungle I do apologise, I was just copying what was given in the notes.
Congrats on getting it in the end. 🙂
sure, no prob at some time I would probably do that too 🙂
Thanks @fading jungle
Gave +1 Rep to @fading jungle
soo I've tried to get the sub domains, ran both commands with holo.live and the IP address, and nothing is resolving, tried doing it from the attack box and my own kali box, still nothing, did I miss a config somewhere? nm got it LUL
For hash cracking using Google Colab instance, what is the recommended wordlist? rockyou.txt shows an estimated time of more than an hour..
Rockyou should be ok
Finally cracked it after 35 mins using rockyou!
And 1 hour is really good for that wordlist :D, trust me - on free tier AWS EC2 was around 10 days and on my RPi was around 20days; also remember that you won't go through full wordlist
Exactly, that method... Rocks
👀 make sure u doing the local admin's account and not the root one. ughhh Ik no one is silly like me but yea i did that lol bymistake
lol you're not alone. I tried doing the root account as well..
Xeon processor + Nvidia Tesla graphics card well yea 1 hr is expected lmao
Yeah it pretty much gives you a taste of how crucial a GPU is to red teaming.
tip: don't waste time on root 😛
at least not with dict attack, cause I did try 😛
Need some hints on filesrv priv esca part.
Enumerating the ScheduledTask
I found the program in user directory but still cannot identify which task make sense to the local priv esca
tl:dr simulated user interaction
Hi. I placed the dll in that place then waited but no callback happened. Don't understand what I was doing wrong.
In what place, what dll
@lone spruce
||I place kavremoverENU.dll (the msfvenom gen x86 dll payload) on the watamet user desktop. ||
Now you just need to wait
if it still doesn’t execute after a good bit of time you need to look back and make sure everything is right on your end. If you still think everything is right vote for a reset
I want to know, if things are all correct, how long to wait until the task is triggered? a few minutes or hours?
10 - 15 minutes max
I'd really appreciate help on this matter
is the desktop in the %PATH%?
@wind bobcat got a sec?
I have 3
yay
ok, so trying different versions of impacket but getting not much progress
I'm slow cause I just rebooted... sorry for the 8 minutes of dat
when you say you haven't got much progress do you mean the same error still happens?
actually just [-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
and then the socks not working, because it's never succeeded
hmmm. the local reboot might have actually helped
rebooting blindly NEVER helps
ok unsupported mech type is good
you installed the krb5-utils package, yeah?
and how are you proxying into the network, sshuttle?
yes, shuttle
actually, I think it worked. I've been trying all day and it just finally worked
the only things that changed in the last hour is the room shutdown and my kali vm crash-rebooted
it seems to be hit or miss tbh, I have a general idea of what goes into ntlmrelayx, but I have zero idea as to why it would fail
almost feels like timing on rebooting 35 and MAYBE some state on .30
you know more about windows than I do... is there a way to change what port netlogin is listening on? like make it not 445
crap, zephyr woke up, brb
nope
essentially in order to get all those services to stop listening, recall a few tasks back, you had to stop 4 different services
yea, I recall that from the commands
the only way I found was port redirection which (in my testing) didn't work
I was thinking of that too
if I were on linux I would totally redirect
I think the reason why I didn't is because a new driver needs to be installed
(and I have little doubt of success)
traditionally, this would be done by dns poisoning, then your system can relay un-needed authentication and data comms to the real host minimizing disruption, si?
correct
you (for example) could also hijack a DNS record if you had a user that's part of the dnsadmin group too
just know that if someone were to issue ipconfig /registerdns the record would be overwritten
or mitm the dns too 🙂
I'm trying to ping Holo but I'm not
So none of the initial scans to discover IPs is working
I'm connected to holo VPN
Any ideas ?
So the deadline for the report on September 15th still holds or might it get pushed further?
what's your network?
yea, what are the numbers, what nmap are you using?
What nmap ?
yea, like command
Nmap -sc -Pn CIDR
you should be able to just hit http://10.200.xxx.33/ or port 22, try that manually, if you can get those, you know the network is working
is your xxx 123?
or 69 - if it's 69 then this is probably a technical problem and you should leave the room, rejoin and regenerate the openvpn till it's not 69
While running nmap scan it shows 0 host alive
also, it says "" right?
if your network is 10.200.123.0/24, I can verify if it's up or not
from thm vpn, the only accessible host only one
you might need to use chisel to forward traffic to access other host
btw, ping directly from the attacker machine might not work
once you're inside .33, you will be able to ping other hosts
may I know which part you have tested?
all mentioned in this article
hmm, tbh, I have not used proxychains with ntlmrelayx
the way I did it
1- get meterpreter on the target
2- start ntlmrelayx with sudo
3- from meterpreter - disable 4 services mentioned in the task
4- issue shutdown /r /t 0 in the meterpreter session
5- once the step 4 command is issued, you can log in to .33 and use nmap to check port 445 of .35, which will show as filtered or closed
6- once the target has rebooted, start meterpreter again, you will see the callback
7- then issue the portfwd command, I believe there is a link from the task which will show the portfwd command of meterpreter
8- then you will see the ntlmrelay session with SRV-ADMIN - succeeded
not sure if this help
you can try out
as I reproduced it multiple times, it succeeded
@wind bobcat what's a good framework for a report for this 🙂
i exclusively write reports in ms office
@timid coral now that you are done with holo - did task 37 work for you with the hash/credentials you have found + evil-winrm?
cme smb 10.200.137.XX -u <redacted> -H <redacted>
SMB 10.200.137.XX 445 PC-FILESRV01 [*] Windows 10.0 Build 17763 x64 (name:PC-FILESRV01) (domain:holo.live) (signing:False) (SMBv1:False)
SMB 10.200.137.35 445 PC-FILESRV01 [+] holo.live\
# -> CME smb works but trying evil-winrm against the same host fails
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
smb will work no matter what user you are using
yes but I can connect to smb using the credentials I have found, while the same credentials don't work for psexec/evil-winrm/winexe etc
yep the user account doesn't have the right privilege
you should try another way to use the credential
then I don't understand why task 37 mentions evil-winrm 😮
I think it is a joke
LUL xD
because I found the account does not belong to the group
5985 also seems to be only open internally on the machine but w/e thank you @sudden grove I have access to the machine I just wanted to figure out if the way I got it was the "expected" way
Gave +1 Rep to @sudden grove
What happens if we reach the end of our Holo access?
You'll have to join again
And you might get a different network instance when you reconnect
Ah, but it's not an additional charge?
No, it's not a charge in the first place.
I think you'd still need to be a subscriber though.
Thank you. Subbed until Oct3 but my lab access runs out in 2 days. If it all resets I can just get back to where I was
Yeah, you won't lose room progress but you will most likely have to re-exploit machines
I think someone has fucked with the initial rce? Can't reach dashboard.php, looked like action_page.php may have been timing out?
try opening an incognito tab and attempting to access the page.
If you can't reach it still, on the dev subdomain, there's a way to gain rce as well.
Incognito worked. Cheers. Embarrassing
no worries
It's showing me this IP and I scanned the whole subnet but it shows 0 hosts alive
Hey did u solve the issue I'm facing the same issue
You on the holo live ovpn?
how did u know it's 129?
ohh my I was trying to scan the whole subnet
192.168 is an internal subnet
so im in 192.168 network?
So you are on the same subnet as LSRV01 that’s the range you need to scan to identify hosts that are up and services etc
so do i have to pwn 192.168. network which show docker image?
I’m not giving it away lol but you will need to do your enumeration etc.
Ok
I'm able to ping LSRV01 but not LSRV02 so I have to own LSRV01 and then move to LSRV02 correct?
Yes
like wreath network
It will all make sense
yes
I have not done wreath yet
Yeah with any pentest it’s about identifying your foothold/entry point then moving and pivoting internally to enumerate and compromise
thx
Np mate enjoy and happy hacking 🙂
Just an opportunity to learn
Has anyone tried the covenant thing?
i've tried the binary launcher and customise the listener but no luck.
any nudge if there are options other than covenant?
sure
This part leads you to know C2. But it is not necessary to complete the network.
You can check your listen ip address and port
I've set my listen ip and port same with the bind address.
Seems AMSI thing but i never tried the bypass yet.
well i'm stuck to this bypass thing.
i have a few days stuck there
have you tried it too? the covenant?
You can test it on your local environment
@sudden grove can i DM you?
sure
Yes but the problem it’s I don’t know where to start to the amsi bypass 😭
yes there are
options other than covenant
like u can use a simple powershell payload
and reverse shell
Has anyone cracked the root password from the shadow file in Task 21??
I tried cracking it but the whole rockyou.txt got exhausted and still couldn't crack the password
moment of truth --> u dont have to crack root password but some other user
💀 yea ik I did the same in past and its irritating
I tried cracking for straight two hours before jumping to the correct user. Now I want to cry 😭
😭 ikrrr I did cry too lol
Thanks for the heads-up btw. Really appreciate it
Hey guys silly question but should I be seeing results from my initial nmap scan as per the material ? i.e. nmap -sV -sC -p- -v 10.200.138.0/24 --min-rate 5000 and the same for 192.168.100.0/24 ?
yeah that's the range that's populated in the little network diagram at the top of the page anyways, thing is I'm getting nothing back at all, hence the question.
Ok, are you connected to the holo specific VPN?
yeah my ip is the same as the one shown in the web page
fyi you're pushing out 5k packets per second which is an incredibly large number.
says im connected
just following the documentation right now
10.50.x.x?
reeeeee
I have an ip of 10.9.1.x
I'm gonna kill cry
so this is the documentation on the site
Nmap is a commonly used port scanning tool that is an industry-standard that is fast, reliable, and comes with NSE scripts. Nmap also supports CIDR notation, so we can specify a /24 notation to scan 254 hosts. There are many various arguments and scripts that you can use along with Nmap; however, we will only be focusing on a few outlined below.
-sV scans for service and version
-sC runs a script scan against open ports.
-p- scans all ports 0 - 65535
-v provides verbose output
--min-rate change the minimum number of packets sent
Syntax: nmap -sV -sC -p- -v 10.200.x.0/24 --min-rate 5000
Once you have identified open machines on the network and basic ports open, you can go back over the devices again individually with a more aggressive scan such as using the -A argument.
that's what I'm doing, says I'm connected, obviously swapped the ips out for what I have in the network diagram at the top of the THM page
still live for me 🙂
it's cached.
hahaha spot on, just refreshed the page and it's now gone
but I should be getting some results from my scan right?
tldr you were likely sending more packets than could go through the VPN tunnel which likely led to packets being dropped
if you scan again without specifying a minimum rate, nmap should do math to figure out the best rate to scan at
okay cheers, I'll give it another shot
yeah still nothing
guess ill reboot and try again or something
oh sheesh 5000 omg
I can say that command which I use and generally works ( and worked here as well ) was
nmap -sV 10.200.x.0/24
just this should work. You can do a full port scan as well and keep it running in background if something strange comes up
btw 2 days for the report competition to end omg excited
Thank you, I'm still not getting any results back so there must be something wrong
Gave +1 Rep to @livid shoal
reset the network I would say
Make sure u are really connected to the vpn
yeah I have voted for that but you need 5 by the looks of it, sucks as I've only just signed up too
ahh
every hour u get one
@stiff geode check this maybe. It should show initial sequence completed
and also try doing a ping test as well
on my VPN connection, yeah it says that, pretty confident I'm connected fine
strange.
try pinging the machine first; if nothing comes back then try restarting your VM. idk why it works but it does sometimes, it did for me sometimes. If everything fails then yea wait for the reset.
cheers buddy much appreciated
Hi Everyone, on the 16th I will confirm the receipt of all the reports. If you have entered and don't receive a confirmation, please resend it. I will leave another message in here after confirming the receipt of all the reports.
So until 15 we can send right ?
correct, 15 will be the deadline, on the 16, you'll receive a confirmation that we've received your report, we'll allow an additional day (the 17) for anyone who sent it, but never received confirmation.
over the Weekend, Cry and myself will select the best (in our opinions), and if we can't come to a compromise, will pass it to the Admins to review and come up with a final decision
as a reminder, Winners will be contacted via email

👀 gib reports
How many reports have been submitted 👉 👈
There goes my hopes and dreams
oooo 👀
lets hope for best. either we win or we learn
Hey can someone advise what I'm doing wrong here? - wfuzz -u 10.200.138.33 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.10.200.138.33" --hc 404,400
Yeah man. Every small win in life matters. But Holo was a lovely one <3
(Also, we have szy so we already know who got the best report xD)
he isn't participating
btw
Sorry for bothering you, when the write-ups can be uploaded?
Formal reports for the contest close on the 15th, if I had to guess I would say they would begin accepting writeups at that point. Or they'll go on vacation anywhere in the world that doesn't have the word "holo" in it.
I'm going to submit my report today hope I'm not too late 0>o
We’ve been on vacation sipping mojitos. We just toss your reports away
I'll give you $10 for an actual real cc
I think tomorrow, london time, is the deadline
I assume THM uses BST as they're British
well it was 145 pages long lUL
well they wanted verbose. However I bet your report is so much better than mine ;'..;'
I doubt it. I'm bad with reports 🙂
EST is the only real time zone
I just hope Cry and spooky like my use of dns beacons
reset? shell broken after failed stabilization
@stark lintel you need to specify the subnet
and that's not really something you need to reset over tbh
Why do you need a reset for that? Can you not just get another one?
no
Why not?
I'm not getting it anymore.. it just hangs
clear cache
did that ^
incognito tab
I'm talking about stabilizing the shell
so after it dies, you're not getting any callback?
nah
what shell are you using?
nc
that's not a shell
control + z
<enter>
stty raw -echo;fg
<enter>
are you trying on the same port
it just hangs as i said yea
if so, try it on a different port
there's a likely chance that socket is still open on the victim machine
then you'll need to post the subnet for users to vote to reset
also on the topic of c2 communications, historically DNS is an idea, not a great one because communications aren't encrypted, which is an opsec fail
not to mention null records are a huge indicator
.33
anyways, encrypted protocols like https are preferred.
Bonus points if you use encryption methods like DHE where there's a random value, the premaster secret, that is only stored in memory and cleared after the connection closes
are you sure that's the subnet and not the machine?
107 is the correct subnet.
ah
I give bonus points if you copy each bit by hand and fax it onto the target machine
AH and HIP
Uh, in task 29/30 (WebApp Exploit/AV Evasion), you shouldn't be able to get a shell on that box just yet, right? Like the lesson says, AV is supposed to catch them, right?
depends on your technique.
Just bypassed the filter and then uploaded netcat, then executed that in the URL. I thought it would get caught 🤷♂️ . I didn't bother with any AMSI bypass stuff yet, though I can't remember where I found this particular netcat
I'd probably do exactly what you did tbh
yeah, Netcat can bypass Defender if you get a nicely compiled binary
it’s just not consistent
Thought so. This one seems to be a miracle - it's never been detected. But I know nothing about AV evasion so I'm gonna go do things the intended way, even if it takes a lot longer
Hey guys any hint for lateral to the S-SRV02 ?
Own the domain admin but seems I cannot access S-SRV02 ?? It is strange.
just search in chat for S-SRV02.
👀 omg I still wonder how u made it 145!!?? I would have died by now
lol
I should practice more report writing in future
I kept my report short, I guess around 20-30 pages at best. Is that not correct?
Depends tbf
If your report is big but the info you placed there is actually useful and not random ramblings/just walking through the boxes then it's not a bad thing imo
Hey! Can anyone guide me through the AV Evasion part?
Hey you can DM me.
Hi, need little help in task 37-38, someone is available?
yup same it was 25 pages for me
hey, what's a difference between a report and writeup in terms of attack methodology section. Like in report can we assume some things ? like the person would know what is a nmap scan doing. how one uploads or downloads the files
Well, either way man. It was fun.
I have the hashes and usernames but unable to login to .35
Solved
anyone having problem to reach the .33 now?
We're unable to determine that given the information you provided
ITS THE LAST DAY TO SUBMIT REPORTS
get your reports in tonight by 11:59 PM EST or face Defender's wrath
We're providing feedback on all reports. Even if you don't think you'll win the competition we encourage you to submit a report to receive feedback from the finest prince and princess
I'm gonna accept submissions until midnight last timezone
dude heck southern us. I'm moving to Samoa
That would be great :))
👀 gib reports
That's so great that we would at least be getting feedback for our reports. Thanks so much
Gave +1 Rep to @lone spruce
Someone remind me to unpin that in like 18 hours
sure sure :)
I’ll take care of it don’t worry about it
As we reach the end of the competition don’t forget, we have a feedback form! https://forms.gle/emezVyqnw7yxhT7m7
We value all of your feedback and are looking to improve Holo the best we can.
gib reports 
Sorry they’re business confidential please apply for a position at Hololive and we can get you a copy
i already have a job at black sun security tho
lol
Hey guys!! Can someone help me through the AV evasion part?? Can't seem to find a way through
where are u stuck exactly?
Don't bother. The payload needed some cleaning. Found a way 😀😀
😂😂😂😂😂
😂
A little bit stuck in dll hijacking (task 43), can someone give me a nudge?
I would appreciate it
all email acknowledgements have been sent out.
Find-ProcessDLLHijack didn't help
Know the vulnerable app but it is not running, completely stuck
received :)
I hope there will be a walkthrough soon because it's really frustrating that I'm stuck
Received and just the mail itself felt good :)
Hey guys, I am on Task 20 and trying to run the GTFO bins command in the L-SRV01 to get root. But I keep getting an error after I run this command:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
The error is:
the input device is not a TTY
But when I remove the -it switch, I get a different error:
Unable to find image 'holo:latest' locally
Not sure what I need to modify in the GTFO bins to get this to work.
Thanks in advance.
Correction. The error I get is "Unable to find image 'alpine:latest' locally
For the first error, you need to 'upgrade' your shell. For the second one, try looking into docker commands (run 'docker --help' or 'docker -h'). Remember that the box doesn't have internet access
thanks, appreciate it, will try again
Ok, I am getting a different error now. I was able to upgrade with python commands but now I get this:
Unable to find image 'alpine:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
Exactly, the box cannot grab any docker images from the web. Try checking if there is any kind of docker image already on the machine
I did "docker image list" and found a bunch of images. I am planning to run the following command, just want to confirm if it is ok to run and not crash the server lol please advise:
docker run -v /:/mnt --rm -it <name of image> chroot /mnt sh
😉 I hope you choose the right image
here goes
HOLY CRAP IT WORKED!!
THANK YOU!!
I was stuck on this for the last 3-4 hours OMG
Awesome, good job!
seriously determined to finish this
It's a great feeling when it finally clicks
Hey guys, I am currently stuck on Task 22 - Crack all the Things.
After I got root on previous task and got the shadow file which included the non-default user, I ran John after I unshadowed the passwd and shadow file. I am using Rockyou-75 wordlist as well.
That didn't seem to work, so I just ran a dictionary attack on the hash directly using hashcat with the following command:
hashcat -m 1800 shadow_to_crack.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt -v
However, I have still not been able to crack the hash with any of the methods. I am thinking of using a different wordlist but from what I understand the password should be in the rockyou wordlist.
Any suggestions?
rockyou75 != rockyou
they're very different wordlists
wow ok thanks I'll try again
would love some help with the dll hijacking step. I've got the right app. I'm struggling with the location to place the dlls. Is it in the same location as the app? that's what it seems like...
basically the one from which the process is running
You've redacted the section that is kinda crucial for troubleshooting. There's a whole bunch of Holo instances and they can't check them all
yes but 33 is down as well
Not enough vote
yes, please
hey guys I don't get what I need to do on task 28
where the hell is this damn username?😅
Did you finish information gathering on the first host?
uhm I think so yes
I was trying to do it without the task so more on my own but now I am stuck hehe
so maybe I missed something on the first S-SRV01?
Yes
thanks. just funny that every walkthrough on this dll hijack has the placement of the hijacked dll together with the app
Gave +1 Rep to @lone spruce
for this "What is the size of the cookie intercepted on S-SRV01?" in Task 28 - I've tried the answer in as many ways as I can think of it, but it's not accepting it
It's always the exact same size every cookie that I get so I'm pretty sure I have the right answer since the answer before it was correct
and the answer after it as well
it might be THMs anti brute forcing, could you try a shift+f5?
if not, cc @lone spruce
so.. the name of the cookie + the cookie, but no equals sign...
thanks @quick island
Gave +1 Rep to @quick island
removed it. Sorry.
||Hi, look in your FF developer options, that is the number you're looking for...||
Anyone having trouble with the network? I stopped halfway, and now want to start again, but all systems are (of a) down
BTW, really annoying you have to redo everything all over to get at your last 'savepoint'
not cool
What do you mean by that?
You have persistence on the Linux machine you don’t really need anything else
Got it working now
Is ||kavremove|| still broken on .69?
.69 is broken period
I think something is broken on the privilege escalation box
I think it's similar to what y'all are saying @lone spruce / @median nest
the thing that is supposed to run doesn't, because it's already running
really kinda sucks to be stuck at this point :/
without a way to fix it
It shouldn’t affect you unless you’re on that specific subnet
I can send you a screenshot of what I'm dealing with
If the “user” (scheduled task) is not running the application, I would start with a network reset, then reassess.
That would be great!
👀 weekend's over 💀 moment of truth now #reports 👀 scared
Cry & I are just over halfway done
we'll be providing a generic checklist of things we observed from the reports (ex. a cover page and an ending page) along with more detailed feedback (ex. Timeline section isn't a timeline section, it didn't outline the beginning, middle, and end of engagement with levels of access gained, etc)
That's what I am really waiting for. Thanks for all the efforts you guys are making in reviewing each report. :) 💙
Gave +1 Rep to @wind bobcat
Yes. It is a lot of work and we're both attempting to squeeze it into our current schedules. Please just be patient as we get through all of them
yessir thanks again
Gave +1 Rep to @lone spruce
Cheers to the mods who have to go through our disaster-of-a-report.
^Mods after going through the absolute trash I wrote.
Cry and spooks aren't mods lol
They are "Moderating" the competition in a way. Sorry I couldn't think of a better word atm :)
I moderate you to tell muiri he’s a bean
spooks was a mod :/ now mod emeritus
cry ( he is staff now lmao 🤣 😎 just for some time but still )
I wish someday I can meet some of the THM staff and treat them to pizza in person :D
Gave +1 Rep to @wheat osprey
thank you @lone spruce
you tried lol
there was effort made at least
?
@wind bobcat = Sq00ky
Gave +1 Rep to @wind bobcat
Hello everyone, I am on task 28 and I am trying to access the web application. I am entering the IP of S-SRV01 in the web browser but it does not load. When I ping it, it says it is down.
I already task 23 and am pivoting with sshuttle with the following command "sudo sshuttle -r USER@MACHINE_IP 0.0.0.0/16 -x MACHINE_IP", and when it asks for the password I get a message saying "c : Connected to server".
Not sure what I am doing wrong. Any tips would be appreciated.
*I already did task 23
I am not sure why this is happening; if it is connected, it should route all the packets to the destination. Are you sure the routing subnet is the right one? Try with the -N switch; it automatically detects and routes.
sshuttle -r demo@IP -N
I'll try that thanks
OMG it worked. You are awesome. Thanks for the hint
Gave +1 Rep to @quick island
NP, happy to help. Happy Hacking.
thanks again
hi
I'm stuck at Holo network! Can anyone help please?
[Task 36] Passing the Hash to PC-FILESRV01
Dumped credentials using mimikatz and passed the hash to PC-FILESRV01, but the account can't access the admin$ share.
Why does that matter?
?
why do you need access to the admin share?
proxychains xfreerdp /u:<user> /p:'<password>' /cert:ignore /v:10.200.110.35 <= answer for [Task 36]
finally found
stuck for 2 days 😦
I am stuck at the rev shell, tried all payloads but not getting a shell back. Any suggestions?
Hi, I'm stuck at task 37, need help.
Where
Hi guys - The network I'm on for Holo (10.200.131.0/24) seems to have died - I can see someone else has also voted to reset it - Is it just a case of waiting until we have enough votes? At the moment it's stopping me getting any further
I gave a vote; you only need one more vote now.
Thanks 🙂
Are you on the same network as well then? Same issue?
I just saw your post and gave a vote. I am not working on that room.
Ah ok, thanks
I'm currently stuck on task 28 where it says you can find a valid username somehow, I just couldn't find it. Do I get it from fuzzing or ?
And the username apparently isn't admin.
Have you tried looking somewhere else 😋
You could grab it during the earlier MySQL stage - If you've done Task 17 you've got it
@wind bobcat I could use some help on Holo. Can I DM you?
Did you get any sort of timeout error?
https://i.ibb.co/mGQTJmh/IMG-20210925-221321.jpg
How do I make a tunnel that sends and receives data?
Flow: attacker ---> machine 1 ---> machine 2
I've used a chisel server on the attacker PC and machine 1 as the chisel client, so now I can access machine 2.
Tunneling data over SSH is pretty straight-forward:
ssh -D9999 username@example.com
sets up port 9999 on your localhost as a tunnel to example.com, but I have a more specific need:
I am working
Any chisel example?
Haven't seen any but this logic could be used in chisel as well
Hi there! First time asking, hope I don't violate any rules. I'm stuck on Task 10. I used both gobuster and wfuzz to evaluate the web server. I found the *.txt file which describes the structure. I can't figure out the file that loads images, as well as the next question with the path. Another problem is that I can't start the Apache server, even after modifying /etc/apache2/ports.conf to listen on port 8080.
Also, I can't open the website; even though I modified /etc/hosts, Firefox can't resolve the DNS request.
Something's already using 80 (and I think 8080) on the attackbox
@dreamy plover What's wrong?
I want to know if I have to update the hosts file with the IP address and the domain prior to running gobuster?
?
gobuster vhost -u 10.200.107.33 -w subdomains-top1million-110000.txt
Am I on the right track ?
You have to change 10.200.107.33 to holo.live and add it to /etc/hosts.
And what list? It's too much.
thank you!
np
Hi, I'm currently working on AV evasion. I successfully obfuscated a couple of signatures in Covenant, but then I got the following from DefenderCheck.
Target file size: 12288 bytes
Analyzing...
[!] Identified end of bad bytes at offset 0x2C90 in the original file
File matched signature: "Trojan:Win32/Sabsik.TE.A!ml"
00000000 E5 06 20 00 1D 12 80 E9 06 20 02 1C 1C 1D 1C 05 å· ···?é· ······
00000010 00 00 12 80 F5 06 00 03 0E 0E 0E 0E 09 07 02 12 ···?o···········
00000020 3D 15 12 1D 01 0E 04 00 01 0E 0E 04 20 01 02 0E =··········· ···
00000030 05 20 01 12 3D 0E 05 20 00 12 80 FD 06 20 01 12 · ··=·· ··?y· ··
00000040 81 01 0E 05 20 01 01 13 00 06 20 02 01 12 4D 0E ?··· ····· ···M·
00000050 04 07 01 12 55 06 20 01 12 51 12 4D 05 20 01 01 ····U· ··Q·M· ··
00000060 12 49 03 07 01 02 08 B7 7A 5C 56 19 34 E0 89 03 ·I······z\V·4à?·
00000070 06 12 49 02 06 02 02 06 0E 03 06 12 18 07 06 15 ··I·············
00000080 12 65 02 0E 0E 05 00 01 01 1D 0E 03 00 00 01 09 ·e··············
00000090 00 02 15 12 1D 01 0E 0E 0E 04 20 00 12 49 0A 20 ·········· ··I·
000000A0 04 02 1C 12 59 12 5D 11 61 03 08 00 0E 04 28 00 ····Y·]·a·····(·
000000B0 12 49 08 01 00 08 00 00 00 00 00 1E 01 00 01 00 ·I··············
000000C0 54 02 16 57 72 61 70 4E 6F 6E 45 78 63 65 70 74 T··WrapNonExcept
000000D0 69 6F 6E 54 68 72 6F 77 73 01 08 01 00 02 00 00 ionThrows·······
000000E0 00 00 00 04 01 00 00 00 A0 4A 00 00 00 00 00 00 ········ J······
000000F0 00 00 00 00 BA 4A 00 00 00 20 00 00 00 00 00 00 ····ºJ··· ······
Any advice on how I should approach this? Because it seems like there's not much plaintext code there.
Someone please help reset Holo, fuck this shit is slow.
😆 😆😆😆😆
Well, it'd be helpful for others if you mentioned what subnet you're in, so people in the same network can vote too.
I'm on 10.200.119.0/24
Hi there, I'm struggling with Task 37, as I could not get it to work and get a STATUS_NO_LOGON_SERVERS for the related machine, which I think indicates a broken AD connection. Or?
any updates on reports review 👀
none ATM, Cry was on holiday this past weekend
no thx im good
Gave +1 Rep to @deft belfry
ah np
Hey guys - I'm having some issues with the DLL hijacking. I've got the DLL in the same folder as the vulnerable app "\Users\<user>\Applications", but I'm not getting any ping back and I can't see a scheduled task / associated process. (subnet 10.200.131.35)
Can someone help me with pivoting? I got root on 10.200.111.33 and using sshuttle the machines don't respond.
Idk what I'm doing wrong. I did the same for Wreath and it worked fine.
Hi, have you been able to resolve this? I'm having the same issue here. No luck with rdp/winrm/psexec... not sure what went wrong
Hi, no - I also tried to switch do a different environment and we did a reset of the whole lab but no luck.
In which environment/subnet are you?
I'm in 10.200.129.x
@lone spruce it sounds like you broke something when you updated the machines the other day lol
Ok - I‘m in the 10.200.110.X so then it‘s getting curious
O no
Wait
I thought I replaced the DNS script
ree
Let me take a look once my body stops fighting itself
@lone spruce take your time!
gws
Any news on the report feedback ? Thank you in advance for your efforts
We're working on them, just give us some time. It's only two of us with very busy schedules and some other things that have come up.
Same here. Did you fix it?
Oh gr8 then
Guys just a quick question
Does the task 20 priv esc ask for a sudo password?
Or am I doing something stupid?
No it should not ask for a sudo prompt if you’re using the correct command
Ok let's check what I am doing wrong then
Has anyone tried cleaning mimikatz binary recently? After building mimikatz, I'm chunking mimikatz to the first 540000 bytes and then run ThreatCheck to get the first bad byte which happens to be E8:
[*] Testing 539993 bytes
[*] Threat found, splitting
[!] Identified end of bad bytes at offset 0x83D59
00000000 00 E8 49 75 F8 FF 48 85 ED 74 09 48 8B CD FF 15 ·èIuoÿH?ít·H?Iÿ·
00000010 2B F1 05 00 49 8B CC FF 15 22 F1 05 00 48 8B 5C +ñ··I?Iÿ·"ñ··H?\
00000020 24 70 8B C6 48 83 C4 30 41 5F 41 5E 41 5D 41 5C $p?ÆH?Ä0A_A^A]A\
00000030 5F 5E 5D C3 CC CC CC 40 53 48 83 EC 20 48 8B DA _^]AIII@SH?ì H?U
00000040 83 F9 03 75 3B 48 8B 4B 18 48 8D 15 27 DD 08 00 ?ù·u;H?K·H?·'Y··
00000050 E8 62 45 04 00 85 C0 74 14 48 8B 4B 18 48 8D 15 èbE··?At·H?K·H?·
00000060 23 DD 08 00 E8 4E 45 04 00 85 C0 75 13 45 33 C9 #Y··èNE··?Au·E3É
00000070 45 33 C0 33 D2 B9 85 04 00 00 FF 15 6F ED 05 00 E3A3O1?···ÿ·oí··
00000080 33 C0 48 83 C4 20 5B C3 CC CC CC 40 55 53 56 57 3AH?Ä [AIII@USVW
00000090 41 57 48 8D 6C 24 C9 48 81 EC 00 01 00 00 48 8D AWH?l$ÉH?ì····H?
000000A0 45 07 48 8B D9 48 89 44 24 20 48 8B D1 48 8D 05 E·H?UH?D$ H?ÑH?·
000000B0 73 6F 0D 00 41 B8 30 00 00 00 48 8D 4C 24 20 48 so··A,0···H?L$ H
000000C0 89 44 24 28 E8 D6 6A F8 FF 85 C0 0F 84 F3 03 00 ?D$(èÖjoÿ?A·?ó··
000000D0 00 8B 45 33 41 BF 2C 17 5A E3 49 33 C7 48 89 03 ·?E3A¿,·ZaI3ÇH?·
000000E0 0F 84 DE 03 00 00 48 8D 45 77 BE 08 00 00 00 44 ·?_···H?Ew_····D
000000F0 8B C6 48 89 44 24 20 48 8B D3 48 8D 4C 24 20 E8 ?ÆH?D$ H?OH?L$ è
I was anticipating it would find a string it didn't like not just a byte. If I change E8 to something like AA it will spit out a clean result. For learning purposes any ideas on why E8 is being flagged or is maybe my approach prone to errors somehow? I tested compiling with an earlier version mimikatz-2.2.0-20210709 and got the same byte being flagged
interesting
I assume E8 has something to do with the fact that the author's name itself is a signature.
@sterile epoch, do you know anything about this? Mimikatz hasn't really been one I've attempted to clean recently.
Hmm. I'm not entirely sure. Why is it not showing cleartext anyways? Is that the release or something?
Yea I'm not sure why I'm not getting cleartext. This was a fresh pull from the master branch and using VS2019's "Build Solution", the editor feels a bit hectic but maybe there's like a default flag somewhere I need to uncheck.
The first half of the file seems random like this; maybe it's an indicator of one of the libraries it's using 🤷♂️
I mean, ippsec released a video on how to manually do it, which is where I would go next, but I've never run into that issue with ThreatCheck.
Bit of a noob question here: on Task 27 (the C2 and building tasks in Covenant), I've imported the sample yaml file into the tasks directory and restarted Covenant. But I don't see a new task in the tasklist. What am I missing here?
hmm
I can’t exactly remember what all the prerequisites for that are
I’ll take a look when I get a chance
Thx. I know you have been busy so no worries
I don't think threatcheck can decompile machine code binary to plaintext
it's able to normally because .Net assemblies are easily reversible
That makes sense. I was watching ippsec's video and it was only flagging the strings, so he made it look easy; it's also from 2018 :/
And I don't think that it's flagging on E8 itself; that's the start of the bad bytes. @tacit cedar does the binary still run when you make that change? I would suspect that it doesn't, and Defender may not flag on it because it identifies it as inoperable code. Also, which detection engine are you using? The on-disk scanning by Defender has significantly weaker detections than the AMSI engine.
Is this just the plain mimikatz binary or is it wrapped in an assembly
well if it's only the plain binary then AMSI probably won't be too much different
how are you compiling it?
just using visual studio's "build solution" ez button
ahh hold on one sec let me see if I can find an article for you
are you moving the binary from the compiler location before scanning it?
following the suggestions in here
You can set some of the compiler flags and use things like /Os,
which will favor smaller code vs speed but results in a different binary signature.
Very interesting, i will play around with some of this thank you!
Can anyone let me know what I am doing wrong in task 20
Should I just copy-paste the GTFOBins cmd to get priv esc?
Or do I change something extra?
And yes, I have changed alpine to bash.
So, update on it: L-SRV01 is rooted.
Is anyone else having problems accessing webserver on SRV01?
Seems that for me the port is closed 🤔
If someone is working on subnet 10.200.119.0/24 please hit reset *
Cause it seems that web server on SRV01 is completely dead.
Kk helping u
I am at 3/5 alone xD
and after 4 hours still can't access web server
kind reminder * if someone is in this (10.200.119.0/24) subnet please hit the reset button
And now someone changed the password for the admin page, really? Probably redirecting the action to the login form instead of the dashboard.
If it's possible to look into it @lone spruce thank you.
Facing an issue with the pivoting part. I used chisel for port forwarding,
and I was successfully able to run the nmap scan from my attacker machine (through proxychains),
but I am not able to access the webpage on .31, either using proxychains or FoxyProxy.
That's not how proxying web traffic works.
You can't just run Firefox through proxychains and have it tunnel the traffic.
You need to use something like FoxyProxy or create the proxy.
Try sshuttle, it's great.
I already mentioned that I used foxy proxy as well still it's not working
Yeah, sshuttle will work in this case, but I want to figure out where exactly I am going wrong with chisel.
Foxyproxy should work 100%. I can’t help without more information of your configuration though
@lone spruce did you fix the part where you have to use crackmapexec to pass the hash?
This is the correct configuration, right?
@lone spruce Or do i need to change it to Socks from HTTP?
I believe it prefers socks
Also, looking back at your screenshot, it's making my head go in circles.
You go back and forth between running the client and server on both machines and never actually get a solid connection.
OK, so to get a stable connection what would you suggest exactly?
@runic ocean if you have configured the chisel tunnel as a socks5 in the proxychains config, change your foxy proxy config also from HTTP to Socks5.
Yeah sure, will do that
Hey, can someone help me to understand better exactly what's going on in task 13? I feel a little slow and don't exactly understand the logic.
I don't really get what the ls+-la is doing.
Is that a parameter value in a URL?
so yeah, I'm fuzzing http://example.com/?FUZZ=ls+-la
I found what to use
But not sure what the ls+-la does.
So you're running ls -la
ohhh
%20 is the URL encoding really; + isn't exactly URL encoding but works similarly.
That explains why my RCE wasn't working too.
can I dm someone about holo task 13
what am I missing here?
is this supposed to be commented out? || <!-- //if ($_GET['cmd'] === NULL) { echo passthru("cat /tmp/Views.txt"); } else { echo passthru($_GET['cmd']);} -->||
yes.
10.200.126.0/24 lsrv01 is down
I am facing an issue while getting a rev shell back in task 14. It was working fine until the time I left it last night. Double checked everything. Is there some catch here to get the rev shell?
The server might have still been down if you were on my subnet
holo back online 😄
rip, holo is responding but the ||dashboard.php|| is not
cleared cookies, works now- weird
That doesn’t give us any information to work off of
we can’t help you if you don’t give information to help with
So I'm in the last part, NTLM relay, and I'm using sshuttle. I disabled all SMB on the target machine, uploaded the shell, got meterpreter, started ntlmrelayx, but there are no inbound SMB connections from NTLMRelayX.
what exactly have you tried in the way of troubleshooting?
not seeing the ntlmrelayx command doesn't help either
ntlmrelayx.py -t smb://10.200.110.30 -smb2support -socks
I'm using RDP to the machine and RDP to the target machine.
I executed all sc commands with success.
I rebooted the target machine.
I checked that port 445 was closed, then after the forward it is open.
I waited a lot.
No SMB connection.
I took good note that I should start ntlmrelayx before forwarding port 445.
And I have a connection between my machine and the AD target.
I'm really confused, because it should work very well.
This is when I'm doing this manually from the other machine.
Maybe something was wrong with the script.
I think there is a script that allows the SRV-ADMIN user to do this from the AD target.
No other way to access this AD 😆 I was trying different methods.
Question, is the first Nmap scan supposed to take over an hour or am I doing something wrong?
Nvm, I'm dumb and connected to the wrong vpn
Am I supposed to add anything to /etc/hosts prior to the initial fuzzing? I'm not getting any results with gobuster and wfuzz.
I assumed I was supposed to add holo.live.
Can someone tell me if I'm doing this correctly?
/gobuster vhost -t 20 -u www.holo.live -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -o ../gobuster/vhosts.txt/
Cuz I don't think that's right, but doing it without www doesn't work.
I believe you do not add the "www" while using gobuster, since it adds the fuzz parameter before the URL you enter.
I tried that, but gobuster won't run then.
Someone else can feel free to jump in since I haven't gotten any results
Did you try it with http:// instead?
Are you connected to the VPN?
Yep.
I can ping the machines
and access the web app.
It just doesn't wanna work
and idk why.
Here's my hosts file.
I don't think I did anything wrong,
but idk why it doesn't wanna work.
You can use --hc to hide status codes
So I should be hiding 200?
Well 200 usually means "success"
Yea ik
But all of those are 200 lol
Which is why I don't think it worked correctly
Or maybe it is 🤔
Ok, now you're confusing me. Those are all supposed to be successful?
Like I said before, I haven't gotten any results yet. I'm just throwing it out there that you may have been successful. You're just assuming it's wrong.
Well, the task asks for "the 2 other domains"
So I'm gonna assume if I'm getting more than 2, something is up.
Especially if I'm getting over 1000.
I'm still not getting any responses. Hopefully someone reads all this and can help us out tomorrow morning or something.
Task 23: after getting sshuttle to work, how can we check for alive hosts on the network?
Here's the sshuttle command I used:
sshuttle -r linux-admin@10.200.131.33 10.200.131.0/24 -x 10.200.131.33
should
nmap -sn 10.200.131.0/24
work?
Yes, it should work. If you are getting any errors then check the IP.
I'm getting almost all IPs up.
Don't just look for IPs; scan any one or two common ports.
Guess some dumb luck goes a long way. I guessed what they are. Would still like to know why I can't fuzz for them tho
Guys, what is this problem?
STATUS_TRUSTED_RELATIONSHIP_FAILURE
I know the cause is that the password changes every 30 days, but I reset all the machines and uploaded mimikatz again; the password didn't change and the credentials seem OK, because when I tried a wrong password it told me the password is wrong.
It's so long to wait 5 hours to reset the machine again haha.
Me right now: trying to get ntlmrelay and facing this problem.
Access to .35 has nothing to do with NTLMRelayX.
Sure, but that has nothing to do with access.
You stated like 5 different things and I'm still not sure what your question is.
I have to access this machine to execute my shell,
to portfwd 445 with meterpreter.
I also tried disabling SMB on .31 and executed all sc commands with success.
And I access .31 with SSH,
and portfwd 445, but no hash or ntlmrelay.
ok
Look, thanks for your support, I really appreciate it. I will upload my stuff to the .31 machine, disable SMB, get meterpreter, access with SSH to execute my shell, and set up ntlmrelay. I will feed back to you.
So look, I uploaded the shell and disabled SMB; that means I can't access with RDP, so I'm using SSH.
So I got meterpreter, and port 445 on machine .31 is closed.
I will start ntlmrelay.
I will wait about 5 min.
Port 445 is open now; that means I'm using the command with no error.
1
After 5 mins, nothing.
I'm really confused about this.
Or am I doing something wrong!!! Please help.
Insane
Hi, sorry again 🙂. Please, I tried something: I tried to force the NTLM by myself, accessed with rdesktop and typed my address, and that's what I got. So please just help me with this: do I have to wait for this response, or do I force it like this?
I'm so close.
It looks like the spook blog.
I'm pretty sure that I have a problem with my machine? How can I reset all machines? I voted 5 times, every hour, but the problem is the same.
Best room ever, thanks to the creators. Thanks to everyone who helped me; I learned a lot of new things and discovered many interesting tools. Good luck.
Can someone help with task 20. I am facing issues with privesc.
can you post what you've tried
Yea. Can't send you in the right direction if we don't know what you've already tried
Reports have been assessed we will be sending feedback shortly
It got resolved. Thanks :)
That's great! Thanks in advance.
Gave +1 Rep to @lone spruce
when using sshuttle for pivoting. It is not forwarding traffic to s-srv-01. I used this: sshuttle -r linux-admin@10.200.128.33 0.0.0.0/0 which gave output: c : Connected to server.
If you need help with that feel free to dm me. It took me a bit to wrap my head around it
I feel like I'm missing something fairly simple, but my proxy through SRV01 doesn't seem like it's being used. anyone got any ideas? using kali 2021.3. I have chisel running on both the client and server and have verified connection. Also I have updated the proxychains.conf file.
┌──(kali㉿kali)-[~]
└─$ proxychains ping 10.200.100.31 1 ⨯
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
PING 10.200.100.31 (10.200.100.31) 56(84) bytes of data.
^C
--- 10.200.100.31 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2052ms
AFAIK you won't receive ICMP traffic over proxychains.
Yeah, ICMP traffic isn't forwarded through proxychains.
damn. I didn't know that. Been troubleshooting it for awhile now lol
🤦 just ran an nmap and it worked. Thank you
now that the tunnel is there, shouldn't I be able to access the webserver on S-SRV01 though? I tried setting up a proxy on my browser and also tried opening firefox with proxychains but it didn't hold the connection. Any resources to point me in the right direction?
IIRC you want to make sure the proxy options are set correctly in FoxyProxy.
I'm not sure if it's a SOCKS4 or 5 proxy, but that bit is important.
I have mine set at SOCKS5. I curled the page and see it's a login. Just can't quite get it to connect to the webpage.
thanks again though.
definitely user error I am assuming, just need to find it
got it, 100% user error.
Hi all, I need a bit of help with attacking the PC_FILESRV01 in the Holo lab.
I got my access on S-SRV01 and was able to find both the password and the hash for the domain user. However, I don't think my PC_FILESRV01 machine is currently domain joined?
Running nslookup PC_FILESRV01 gives me 10.40.100.35 from the domain controller but my lab notes indicate it should be 10.200.115.35. A portscan shows that 135,139,445,3389 is open on 10.200.115.35, so that seems to be the correct one.
However, when I try to authenticate with the credentials, I get a windows message stating: "We can't sign you in with this credential because your domain isn't available....". Before I go down a rabbit hole, I just want to checkin and see if this is expected?
Okay, so I went down the rabbit hole for a bit and am fairly lost.
I'm fairly certain there may be a lab error, but would just like to verify.
All of the below I've tried with two different SOCKS proxies, namely:
- SSH local port forwarding - (L-SRV01 as proxy host)
- Beacon SOCKS4 - (S-SRV01 as proxy host)
I then use proxychains for connections.
What I've tried:
- RDP to FILESRV01 - I get a timeout error from xfreerdp. I can verify that the credentials are working since when they are not correct, I get a NT LOGON ERROR
- Evil-winrm - Get an authorization error here
- SMBClient - Can't list the shares on the file server
If RDP is the route, has anyone else experienced an issue with timeouts? I've tried to set a longer timeout in xfreerdp but still no dice even when set to 10 seconds.
Why in the world is it 10.40
huh
I’ll take a look at it again today. I swear I just fixed this
Thanks @lone spruce , I was going crazy this side thinking I'm overcomplicating this completely.
Gave +1 Rep to @lone spruce
Just to check that lab has been reset recently correct?
Correct, I had to regain a bunch of my footholds yesterday after the last time I worked on it was at the start of the week. So there was a lab reset inbetween, but I haven't seen another lab reset after yesterday or this morning.
Hello guys! I was doing the AV part. I've managed to do AMSI bypass and obfuscated the Covenant Grunt as well. But I'm not able to understand the ThreatCheck.exe part and how to eliminate bad chars?
or bytes
Have you compiled your ThreatCheck.exe binary and executed it against your Grunt file?
@rain mirage this guide explains what to do quite well: https://offensivedefence.co.uk/posts/covenant-profiles-templates/ - It's one of the links from the lab section
Hi @dusty forge. I'm almost done. I'm just struggling compiling ThreatCheck.exe, as it requires Visual Studio and I'm on limited hardware with Kali on the host. Can someone please provide me a compiled binary of ThreatCheck?
Is anyone having troubles with Holo? I can't login to the dashboard of admin.holo.live for some reason. It just hangs.
incognito tab/clear cache
@wind bobcat I did that first, but thanks for the suggestion.
Gave +1 Rep to @wind bobcat
Hi guys, I am stuck on question 13: Task 13 Web App Exploitation, Remote Control Empanadas.
I could not understand it.
What do you mean you couldn’t understand it
we need more information to help that isn’t vague
In the information, it asks to use WFUZZ -U http://example.com/?fuzz=ls+-la -w <WordList> --hw 2, but I already did everything and I cannot identify these parameters.
Try taking a look at the websites source code
Might provide some valuable information
It says to use big.txt, but I did not find it in SecLists.
It's under SecLists/Discovery/Web-Content
I think
Lemme double check
Yea, that's the path for it
I found. I'll test again.
reminder: that is an example. Your syntax may vary.
there's additional flags that are required, for example, if you're testing unauth vs auth
Will I have to use WFuzz on the main page, Holo.Live, which is in WordPress?
You should have found some other vhosts that might be worth taking a look at
Finally I finished. I found Task 13 response
Hi I'm stuck at task 37. I've got the username and password/hash, but when I try to authenticate to PC-FILESRV01 with e.g. crackmapexec I'm getting STATUS_TRUSTED_RELATIONSHIP_FAILURE
Not sure what I'm missing here. Any help is appreciated
That's weird.
PC file srv shouldn't throw this error.
👀
What I did was:
- sshuttle using the .33 machine
- crackmapexec to PC_FILESRV01 using the username and password obtained from task 36
I've also tried evil-winrm and RDP but both didn't work for me
Yes, I'm already well aware of it.
I have the same problem here as well
Does it have to do with the network setup or ?
I’m having a problem with task 20, the docker privesc doesn’t seem to work right
I get "./docker got permission denied" while trying.
And when I try just using the docker command, I get "alpine not located locally".
I looked for built-in images and I only found ubuntu, and tried it also, but it didn't work either. Should I learn more about docker, or is there something easier?
You need to learn more about docker. Try to find out what alpine means in that command
In task 36, whenever I upload mimikatz.exe it gets deleted within 5 seconds because of the antivirus. How can I bypass antivirus and mimikatz in this case?
I disabled the Windows Defender real-time protection for uploading mimikatz.exe, but there's probably a better way to do this.
Coz I think you can't disable it if you are not administrator/SYSTEM.
I have a shell with SYSTEM access, but when trying to stop Defender it says access is denied.
It ran Thanks @obtuse quiver
Gave +1 Rep to @obtuse quiver
You can’t just turn off defender as a normal user
Yes, I tried the other way suggested by timsu and it worked.
What CME is running on port 80 of the web server?