#holo-network

what's CME?

If in doubt turn to google

That and/or do more enumeration

Task 37:
I got the hash and the username but after running crackmapexec on the subnet I see the S-SRV01 is the only one I can authenticate however the task says we can authenticate to the fire server as well. What am I missing?

I found nothing useful on Google

I'll help you out in a bit. Not home rn and I don't remember how I found what it was.

Why is holo so unstable?

I can't access right now

Hello All, What does the 7 days of access left mean? What happens if I do not finish it in 7 days. Do I start all over?
Thanks,

No. I forget the reason for giving a time limit, but you will not have to start over. (Even if you did, you should be taking notes so it would be easy to get back to where you're up to)

Speaking of holo, I gotta finish this sucker

reason being more networks means less aws instances available for the rest of thm

Ah yes. That was it lol.

Thanks for the information.

uhh little stupid thingy but i think colabcat and hashcat is not able to crack the hash

of task 22

it is giving error token value exceeded or the separator unmatched

Yea, I didn't use colabcat. Couldn't make it work. I just used hashcat. Do make sure to crack it on your gpu tho. It'll take forever if you dont

That means your formatting is not correct

yeah that what i want to know i am doing wrong

do i have to take the string till :::

or just stop at first /

I ran the gobuster command for the first question but got nothing positive

All I got was status code 400 size:442

somebody help me

I couldn't get gobuster or wfuzz to work for that and I still don't know why. I was able to guess what the vhosts are tho

Can you give me hint or clue or anything

Or just anyone who solved it

Honestly I just tried a bunch if common directories, that would make sense to be a vhost. Idk how to explain my thoughts process more.

Like, you should know what some common directories are to find on a website. Which if them would make sense to be vhosts?

Altho, if someone could explain how to do the vhost fuzzing that would be nice. Cuz I kinda wanna know what I did wrong

Did you use the same wordlist

Subdomains top 1million...

I didn't use a wordlist lol. Again, I couldn't get it to work with gobuster or wfuzz. So I litterwly just guessed

Hey guys, I have some technical questions about what I am seeing. Can someone help me out?

actually, that's exactly my issue as well

same issue here

PC-FILESRV01 on 10.200.131.35 rejects valid credentials with error message that its TRUST fails (needs to rejoin domain). Please fix it if possible. Thanks.

I have the same issue. You are not the only one.

gobuster -t 4 vhost -u ...

Yea I tried that. I didn't wanna work lol

It*

So?

The script was there

and now its not?

AWS makes me cry

decided to go back and try again. heres the error im getting

if anyone could explain what im doing wrong would be dope

Check vhost

Or replace it with url i guess

@solid timber

Wdym?

Have you tried using it with www. ?

Yea. But if you do it dosent change the www, it just tacks everything from the wordlist onto the front of it. (So you end up with www.www.holo.live and all things like that)

I believe you can try it with https instead of http

But not sure though

Also just to be sure, have you added the ip address etc/hosts?

why is it pointing at a home address

I don't know

Lmao

I genuinely have no idea

Yes

I can access the sites just fine. Like I said, I guess what the vhosts are. I just don't understand why gobuster won't work

I can tell you exactly why gobuster isnt working

its pointing towards a home address

Yes I know thag

But how do I fix it?

Lol

you can change that in the hosts file

and first making sure you"re connected to the vpn

I am

You havent given us any information to help you fix it other than it doesnt work

what does your host file look like?

can you give a screenshot of you /etc/hosts file? and your subnet your on?

Yea gimme a sec

you don't have the holo.live

you dont have anything for the domain

youre trying to point to something that to your machine doesnt exist

Ah

so its providing its best guess i.e. 192.168.1.1

Right. Ok. That makes sense

because the network doesn't resolves dns requests

from the outside

Yep. Got it.

Damn

Can't believe I overlooked thay

Thag

That*

ooh haha it happens to the best of us

sometimes i overlook the most basic thing or i mispell a word/ command with 1 letter, but i'd be bashing my head into my dry wall

Lmao. I did that last week. I was trying to crack a password with John and I left out = between --wordlist and the path to the list I was using

Spent a solid half hour trying to figure out what I was doing wrong

haha, had that also happen to me a few times by now xD, does the gobuster now work for you?

Yea. Thanks

np, how are you feeling so far about the network? i personally really enjoyed it, but boy windows AV will be a b-** :p

Haha. I'm in the middle of doing the AV evasion. I started holo a few weeks ago then stopped halfway through to go do wreath cuz I was just absolutley lost with this one.

The AV evasion is rough but I think I almost have it

I'm absolutley loving the challenge tho. I haven't had this much fun in a while

Yeah because you get to experience the whole kill chain of a pentest, but wreath indeed is a well written guide for learning pivoting, which you've obviously also gotta do in holo xd

Yea. Wreath pretty much filled in the gaps I was missing.

I still can't get covenant to work tho. Pretty much given up on it at this point

Might come back to it and play around after I finish the rest of the network

tbh, i did the network without covenant, but i'll link some yt vids if i can find them that aren't "tutorials" but they showcase covenant

Yea, I'm prolly gonna do the same thing. And yea, that'd be dope

https://www.youtube.com/watch?v=oN_0pPI6TYU&t=434s

Thanks sm

Gave +1 Rep to @night widget

no problem

are the feedbacks already sent or in the process.. ?

I still cannot get to PC-FILESRV01 on 10.200.131.35 due to the following issue: STATUS_TRUSTED_RELATIONSHIP_FAILURE. The domain user cannot get authorized against domain when logging into PC-FILESRV01. Can somebody help with that?

I am facing the same problem as well

There’s been a lot of ppl saying that, so is someone gonna fix it ? Or its intended and we are just complaining for no reason ?

you're complaining for no reason lol.
cry pushed the fix and is waiting on Skidy to clone and push the change

Thank you for the update.

Gave +1 Rep to @wind bobcat

Anyone know how to fix this? trying to get covenant to work. Getting this error when trying to execute the launcher

Cant figure out how to fix it

Ok, so i pulled it up in visual studio to tyr to figure it out and now its giving me this error. Again, im not sure how to fix it. Any help would be dope, im not fantastic at C# which is prolly why i dont understand

I've come to the conclusion I spent wayyyy too long trying ti get covenant to work

AV bypass took litteraly 15 minutes with a simple rev shell

Did you get covenant to work?

Nope

Gave up

I don't understand enough c# to make the code work

yeah

there's this one article

but even after you rebuild it defender still detects the grunts for some reason

Weird. Can you send me the article? I'm curious to see it

sure

Thanks!

https://offensivedefence.co.uk/posts/covenant-profiles-templates/

Oh that's the one that it links to in the AV part. I understand that part of it. I know enough to understand the obfuscation. I can't get the grunt binary to run tho and idk why.

yeah i've also wasted a lot of time trying to get that to work but didn't unfortunately

Yea. Altho, now that I think about it I probably could have gotten the powershell launcher to run but this way worked just fine lol

Question, is PC-FILESRV01 broken?

I saw some people saying they were having issues with it earlier

im having the same issue now

current update

skidy couldn't clone the vm

cry is looking into it

ah ok

thanks

well, guess im done for now then

Thank you for the update.

Gave +1 Rep to @wind bobcat

Update - machine dead

Oh that's fun

what did you do to it

S..t happens 🙂. Take care!

having trouble getting the RCE to show...i know what the vulnerable page is and the parameter, but getting a 302 redirect, any help?

i think i figured it out......the CURL command didn't work for me.....but opening the page in the browser I was able to get RCE.....

the lab said i had 1 day left for access....now it doesn't anymore....

you likely forgot a cookie

temporary access of 7 days is granted so the number of networks is limited to only the active users

so i can renew it?

you just leave and rejoin the room

ahh....cool!

thanks!

Hi there 🙂
I have a general question: Do you guys have a dedicated machine you use for Holo (9 days time) you leave running during the night, or are you securing the access with persistent backdoors?

For Wreath and Throwback, I used a dedicated instance of Kali.
If you document your steps well enough, it should be fast to regain access

A dedicated instance as in a seperate, let's say latop that you kept running till the finish line?

Virtual machine, that I shut down as appropriate

No point keeping it on as the network will sleep and reset

Okidoki, that makes sense... Thanks 🙂

Gave +1 Rep to @quiet raft

Is PC-fileSRV01 still down? I am not able to move forward from task 37

I just take good notes. There are also certain points of both wreath and holo where you find credentials that will allow you to skip a lot of steps you previously had to take

is anyone able to get to holo.live? i can ping the address, but no web page comes up and connection is refused on port 80

Did you add it to you /etc/hosts file?

the graphic didn't update when i refreshed everything, so its back to the other IP, but still shows the old IP

The ip won't change. Even after a reset

Can you send a screenshot of what you get when you try to access the website?

discord won't let me paste any pictures in the chat

!docs verify

Read that

Follow the steps

Then send your screenshots

now that i've changed the IP, i can access the website...but i wouldn't have known about the change in the IP if I hadn't tried it before

the proof was in the route that was given to me when I refreshed my VPN

Oh thank goodness lol

Gave +1 Rep to @solid timber

@severe vale probably just a caching issue

Any update on PCFILESERV?

i have a problem in scalation with docket suid. I manually set ubuntu image because is the one that have the machine locally and we i run the gtfobins command, it show an error that not find that image.

www-data@ip-10-200-109-33:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
<docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Unable to find image 'ubuntu:latest' locally

You cant just copy and paste the gtfobins command

yes, i modified i little bit. i undertand that that mount a new container "ubuntu" and in that root process spawn a shell.

I've gotten a little lost. Any help?

Your still not putting the correct information into the command

youre not mounting a new container youre abusing one

aaaa

mb

thanks

having trouble with the privesc on the first server...i think i know the what, i just don't know the how

Feel free to dm me if you need help

Any update on the broken machine?

``` I'm getting this error on task 18, any tips?

Oops thats my bad ignore this

can anyone dm me and help me with the privesc?

Sure

Dm me what you need help with

Im kinda stuck on the docker suid bit

its isn't pulling alpine what soever

You can't just blindly copy commands from GTFO bins

You need to understand what it's doing to make it work

I tried changing tons of stuff in it

Such as?

mainly like dir and the alpine and the shell type

What did you change alpine to?

debian,ubuntu

alpine:latest

debian:latest

and same for ubuntu

Those won't work

In order to use the exploit you need to supply to name of an image that already exists on the machine

Maybe you want to look into how to check docker images

oops

my bad lol I avoid docker as much as I can lol

Np

Docker is a very useful tool. Would recommend trying to learn a bit about it

Yeah Im gonna do the docker room after holo

anyone stuck with threat checker part?

it keeps giving me a System.ArgumentException error

Nope. I didn't have that error. Just double checking, the exe, dll, and the 3rd file (can't remember what kind of file it is), are all in the same folder?

yep

Hm. I got nothing then.

this is what I execute

Idk. I had a lot of issues with the grunt files. Ended up not using covenant

Hi there 🙂
I'm a bit stuck at task 28. I can scan S-SRV01, but I can't access the website.. What am I missing??

Have you set up your pivot properly?

yeah, I guess. With chisel... From my attacker to the L-SRV01.

You have to route your browser through the proxy then

facepalm

Looool

I did that the first time I used chisel

Don't worry

Everyone makes that mistake

Man this holo thingy is just awesome, I learn soo much 🙂

Ikr. I need to finish it. Assuming the broken server is fixed

I pray it is, when I get to that point hahaha

Fingers crossed

https://www.youtube.com/watch?v=ySDX02WD0og

This is how I feel debugging the network

🤣

Hello, is it normal that I can't access with evilwin-rm or/and rdp PC-FILESRV01 with the credentials discovered in the previous task or am I doing something wrong?

the network's having some issues right now. theyre looking into it

Thank u for the heads up, so is it the right path to log in using ||watanet credentials||

Gave +1 Rep to @prime verge

yes ig. crackmapexec should show it when they fix the network : )

also better to hide the username so it doesnt get spoiled for others

thanks

this is what I get when rdesktop the machine, for anyone who has the same problem on .35

Did your AI also send you meat paddies??

@lone spruce dork stork server bork

fix

fix

fix

skidy bork

any updates about reports 👀

We’re done analyzing just writing feedback for each

Changes should be made. Reset your networks and it should be pushed. If the patch did not work let me know

Will take a look when I get home

Oh right. Need to reset it. Lol. Guess I gotta wait another 4 hours

may I ask what is the patch about?

still can't access the fileserver using ||watamet|| credentials

Did you reset the network?

yep

https://tenor.com/view/banging-head-bang-gif-12070477

also dont know if it is useful info, but the AV is killing all the covenant binary now

it give me the session once I execute the php file, but after few second the .exe gets removed and the session killed

before it did not happen

Yes because I fixed the AV

👀 I thought that I did the obfuscation right, since threat check gave me a clean result

Oh... I think it kills the session once I execute mimikatz inside covenant

Okay

I fixed one problem

now theres another one

blame @wind bobcat

I can no longer ping the network

I get a 10.200.114 IP however I cannot connect to any machine, it works from Attack Box however

Hello. I'm having issues with L-SRV01. /robots.txt is retrieved immediately, but nothing else is on the server loads. I missed something or is a issue with the machine?

Is PC-FILESRV01 still broken? I keep getting the same error regarding "trust" that I got over 2 weeks ago.

yes

We think we know the issue and have resolved it. We are watching for our patches to be pushed onto AWS

@harsh pier

Great! Thank you for good news!

Gave +1 Rep to @lone spruce

Did you find the solution for this?

Yes, I ended up reloading my vm

I have the attackers IP but I don't know my local IP I should use for reverse shells

Ah I think I have a different problem then

Why don’t you know your local ip?

I think I found it in the access tab

When doing other machines the ip stands here

But I found my ip in OpenVPN Access Details

just use an ip a

Or ifconfig

Ah nice I see its under tun0

Thanks for the tip

Never knew that

I can't upload the mimikatz to the server. I have the nt authority/system, but I'm getting a message of denied...

using the covenant upload task

NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE .. i cant connect on PC-FILESRV01 becouse of this error.

av envasion

Yes, this is the known issue with PC-FILESRV01 that @Cryuiri has been working on. Please scroll up to see more information on this topic.

anyone else having issues connecting to Holo?

currently not, but weird things happen at times..

Yeah, I can't connect to anything using my holo VPN (DC or Linux server). Just going to wait for the network to get reset and see if that helps

I already did the av evasion step, my grunt was uploaded and activated. The problem is access denied writing to a folder.

What happens, if I would not be able to complete holo in 9 days? Is it possible to attempt it again?

You will be kicked off the network, just rejoin when you're ready.

Oh thank goodness lol

Gave +1 Rep to @earnest hornet

You will be desintegrated 😉 Just kidding. You will be able to rejoin and your progress will be retained.

And another question: Is it better to use a 32 or 64 bit machine to compile the exploits with Visual Studio?

It depends on the architecture of the victim

S-SRV01 would be the victim.. Or any Windows machine in the holo network. But 32 bit will (still) run on 64 bit, right?

I believe so.

You can use 'systeminfo' to check the architecture. Also it depends what exploit is designed to impact.

The Av wasn't working properly before. It is now tho so you'll likely need to redo your evasion

I was just thinking about S-SRV01 and the rev-shell.exe that's supposed to be uploaded and if it is a better idea to work with VS on a 32 bit machine.. ¯_(ツ)_/¯

The best way to find it out is just to try it. I used to have problems with metasploit mulit/handler to get rev shells that were not matching the architecture.

Ok, thank you!

Gave +1 Rep to @solid timber

Do you mean target 32 and msf 64 bit, or the other way around?

The mistmatch between multi/handler payload and the rev shell e.g. windows/x64/meterpreter/reverse_tcp and 32 bit rev shell generated with msfvenom. That's why the best way is just to try it. If it fails than I would go with the same architecture on both end and also I would not use the staged payload. You need to try.

PC-fileSRV01 still not working ... NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

@lone spruce dork stork server bork

Is it normal to have issues with understanding the AV evasion part?

I have a lot of programming experience but this feels like rocket science

AV evasion is an art. If you haven't done wreath yet I'd go do that first. It goes much more in depth on it

Oooh okay.

I was stuck at the empire part in wreath, so you might be getting at something

If you need any help understanding lmk

any news about pc-filesrv01?

@lone spruce

dork stork

server bork

how long does it take to crack the password in task 22

On 16 CPUs using hashcat it took me about 30ish minutes with rockyou

Cracking on my GPU with hashcat it took about 15 minutes. Cracking on a strong CPU would probably be about double that

yup got it crack with john in 31mins hahaha dont know how to set threads or to make my hashcat do it faster

Rip

is it only me or you guys cant see picture also

could someone reset in 10.200.109/24

it just get down

does anyone have a hard time connecting with evil win rm for task 37

Unless cry fixed it and didn't tell anyone, PCFILESERV is dead

i see thats why i cant connect does it help if the machine gets reset ?

Can anyone help me with task 23? I followed the steps for the chisel server/client but not really sure what the point of it is

its for port forwarding just use sshuttle much easier

theres also a same task in wreath network for port forward and pivots

I get that but how can i see what internal ports LSRV01 can see?

like in task 28 it says ' have identified a new target, S-SRV01. We know that S-SRV01 has an open web server '

how would i know that?

sorry if its easy just been confused for a while sure theres one little thing i'm missing

look at the /usr/bin i think

theres something you can use there

if you dont like that just upload network enum tools then run it or just use linux commands

ok thank you

you have the same error?

yup some guy said pcfileserv is broken

Latest update was that the machine is dead

Cry is working on it

nice

Which extensions am I supposed to look for in task 10?

I think I am doing something wrong because I am getting multiple hours as estimated time

What did you use to look for directories?

feroxbuster

and gobuster before that

Let me see the command u used

gobuster dir -u http://www.holo.live -w /usr/share/wordlists/Seclists/Discovery/Web-Content/big.txt -x txt,php,html,js,cgi,asp -t 30 | tee fuzz_www.holo.live.log

Is that the only one you used?

feroxbuster -u http://www.holo.live -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -x php,txt,js,html,cgi -o fuzz_www.holo.live.log

I did the same for dev.holo.live and admin.holo.live

Then you should have found what you need

You can dm the results you found if you want and I can take a look real quick if you want

I stoped the scans because they ferox predicted 6 hours

Nah. I found all the answers because I checked robots.txt anyway

That's what you were supposed to do lol

oh ok. then why all that stuff about bruteforcing?

Cuz you can find the answers with brutefircing too

okey dokey

what I did not find is img.php

Huh. You should have I believe.

it's not in robots.txt. I only scanned for directories after that without -x

Ah

Well thats why

It's. Php

You won't wind it unless your scanning for the php extention

yeah. I guessed the answer

Ah lol

That's what I did for vhosts originally cuz I couldn't get it to work

its holo fixed now?

Haven't heard any updates so I'll assume no

from dev chat -
Cry is testing, you can try resetting

Cry is bogged down with school work for the next hour and hasnt had a chance to test

the patch is pushed if you want to see if it worked

If it doesnt work I will just go crawl into a hole

Lmao. If you can reset the .112 subnet I can test it now. If not then you'll have to wait 3 hours

creators can't issue/force resets

a network is a fancy room

Yea I figured as much lol

dunno if I'm missing something, but I've reset the network and now everything doesnt work

the hosts alive are only .250 and .33 alive

As it should be

this is what I got with nmap

so sorry, Cry

youre seeing exactly what you should be?

what about it?

you dont have access to the rest of the network yet as you should

port 80 should be open to access admin.holo.live

We didn’t touch that machine. I’ll check but nothing changed there

maybe Im just doing something wrong, gonna check it later

Still waiting to reset my subnet lol. Forgot about it for a bit.

has anyone can connect to Holo room through VPN, i can't Download a configuration file , how can i download ?

404 not found

Click -> https://tryhackme.com/jr/hololive

Then go to https://tryhackme.com/access and press “download”

no, can't

404 not found

@outer junco Holo 404^

What’s your site username?

US-West-VIP-1

You said Holo?

yes, of course Hololive

I’m so confused

Have you selected the Holo network VPN from the networks drop down list?

VPN server US-West-VIP-1
Network VPN server Hololive

i known that bro

when i downloading configuration file, 404 not found

Uh-oh, this page has been lost in the matrix.

404 - an error occured , uh oh something has gone wrong

Can you give me an IP that is shown in the Holo network (found here: https://tryhackme.com/room/hololive)

10.200.119.33

IP L-SRV01

Can you try download your config file now?

is file serv work now ?

theoretically

its on my honey do list to test this morning

ill test it right now, hold on

just realized i showed the hash in that pic lol

there. looks to be all good now

delete it 😭

no i don't

Wreath is ok

hololive it doesn't work

can't download file

has anyone fixed it ?

I have downloaded it successfully . Thank you

lol yea i did

Im supposed to be able to use evil-winrm to connect to fileserv right?

or did i miss a step

is anyone on .115 subnet and cant access the web server .33?

ok, i still cant seem to connect to fileserv

theoretically you should be able to connect also using rdp with the clear text password

ah ok, lemme try. forgot that was an option

nope

thats not the same issue though

yea ik

im just trying to figure out what my issue is now

this is the error i get with winrm

but i know i have the right hash cuz i can winrm to .31 with it

win rm is wack

lol so what should i use to connect?

.33 is working as expected

yea, everything is working fine, but i cant connect to fileserv and i dont know why

Im working on it

please be patient

ah

my bad

didnt realize you were looking into

sorry

take your time

https://tenor.com/view/banging-bang-bang-banging-the-table-table-anger-gif-15405802

ill be back

😆

hmm do i have the chance to see yagoo somewhere in the network

what?

i have no idea what that means

cover corp CEO yagoooooo haha

okay

literally

where do these files go

it doesnt make sense

how do they just

...

lmfao

Okay

Ive fixed it, give it a second to clone over and push the patch

hey people. when I nmap the webserver I only get port 22. is it broken or smthn?

what subnet are you in?

10.200.112.33

got the same problem on 10.200.115.33

I'll take a look an a second. I happen to be on the same sibnet

Yea, seeing the same thing here

I can’t give any advice other than reset the network. I just went on today on a public network and the machine was running fine. Nmap can be really wacky, validate by navigating to the page itself

I tried. Page wouldn't load

Vote for reset

voted

I already reset it two times mine

not working tho

Alright. Hopefully reset will fix it. We can both vote again in an hour

im on 10.200.109

Well I can't help you there lol

it's working now for me

Im still getting the same error with evil-winrm when trying to connect to PC-FILESERV

same

rippppppppp

at least its not just me

yep same here

sadge

feel u

guess ill go back to doing malware analysis until its fixed lol

still same after reset, right?

yea.

can we file a bug or smthn?

Cry and Skidy are aware

tl:dr the people that have access to things are busy.

Its been broken for almost a month now I think. Itll get fixed when cry has a chance to fix it

its fixed.

servers have a mind of their own

so

its not fixed

shut up nerd, no one asked

What's up guys... been trying to log in to admin dashboard but for whatever reason its not working... My guess is that someone changed the hash on the DB for the admin user

try clearing browser cache

can i dm someone not sure why i cant still connect for task 37 i tried using rdp and evilwinrm to connect

I still can't access the webserver...

Cry said it was fixed but I still wasn't able to connect last night. Will reset my network and try again at some point today

I'm using sshuttle, and the crackmapexec on pc-filesrv01 is returning this: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE any idea about what would this be?

Reset your network

That's specific issue was fixed yesterday

you got connected to the file serv now ?

No

There's another issue with fileserv now

But the trusted relationship failure was fixed

Now it's NO_LOGON_SERVERS

i see gonna do other rooms for now i guess

I'm gonna try again later cuz to quote cry "it's fixed but the servers have a mind of their own, so it's not fixed"

Already did that. It's not a matter of cache, of that I'm pretty sure.

Happened to me yesterday, first time I tried the port 80 wasnt even opened, then I tried next day and guess what... httpd server was up and running...

#update So... host .33 port 80 still not working, it's closed

thank you!

Gave +1 Rep to @solid timber

I'm worried because the network had been restarted... still port 80 is closed on host .33

could someone help?

The people in charge of maintaining the networks are working on it however they also have other things they need to do. I'm sure they will help when they get a chance

Thank you! I will do other boxes/networks meanwhile

Gave +1 Rep to @solid timber

just reseted seems to work

nop. died

I just tested it today. The machine is working as intended now

Thank you!! will continue tomorrow then 🙂

It's working

Dope. I'll finally finish it up then 😂

Having the same issue with the webserver or 33, just not working sadly

I'm on the 122 subnet.

Reset the network

Everything is working fine now

nope 😦 .....80/tcp closed http

Not only that... when it was opened (2 days ago), the creds for the admin.holo.live dashboard didnt work at all... again, my guess is that someone changed the hash in the DB haha

yep, also me

Same here, just tried right now

segment 115

Hi, box DC-SRV01 is dead. segment 115

Can't evens start doing anything from the network

the DC isn't directly accessible from outside of the 10.200.x.0/24 address ranges

The DC is not your initial access to the network

I know, the initial access is L-Srv01, which doesn't have the port 80 open, so i can't redo my steps, and earlier when trying to go ping the dc was dead.

It’s not dead you don’t have access. I’m aware of the Linux issues I’m working to resolve

You likely won't be able to ping DC Serv. You need to pivot to reach it and you can't send ICMP packets over most pivots

resolved

could someone reset in .122 segment

i crashed a machine 😢

How'd you manage that?

Hello, when connecting to PC-Filesrv01 i get

Is this intented? because i know you have to logoff the user from the domain and then put him again to work with it.

reset your network

is there a way to do the dll hijacking with msfvenom?

I'm stuck on the AV part

I haven't gotten around to finishing it yet, but you'll likely need to do some AV evasion to get it to work

There are some interesting articles you can find via Google about how to evade AV with msfvenom

hmm all that I found was about .exe file, not for dll

You'd best be going back and done some more research then. I can link you a few things in dm if you want

sure, thanks

Task 43 literally tells you what to Google to do the DLL Hijacking

By the way, the box 33 is unreachable so I can't continue.

No way

Is your network running?

@lone spruce the network is running was 1 hour left, now 37m, uptime 52m. Tried regenerating the VPN and using the attackbox

I was waiting for the network to run off time to start it again.

My only advice can be to reset the network. I just verified everything last day

Yeah 1/5 to reset it. I'll wait the time and start it again.

I did reset on the network today and the problems I had were solved! thank you for the hints, guys!

ah

seems to be on your end

will check now

I thought so, but i started the thm web kali and wasnt working

@lone spruce this is opening the AttackBox directly, no ping and i am in the Holo VPN, tried regenerating my VPN again and nothing.

PING 10.200.123.33 (10.200.123.33) 56(84) bytes of data.
^C
--- 10.200.123.33 ping statistics ---
61 packets transmitted, 0 received, 100% packet loss, time 61442ms

Will leave it for now, i'll check again tomorrow.

Are you running the vpn and attackbox at the same time? Only one can be running at a time

Yeah that is indeed a nice one, lol...

I just started this network a couple of days ago and have not been able to successfully find any host that is up even though I know which should be by looking at the map. I guess I should reset the network?
Apparently I can discover it on the attack box but not when using VPN, is there something I'm missing?

are you connected to the correct vpn?

Networks have their own vpn file you need to download and use

oh damn, didn't notice, I skipped that part thought it was just the usual connect via vpn

thanks

Gave +1 Rep to @solid timber

Is someone avalible to help me with the NTLM relay part? Ive tried everything and I cant get it to work

Bruhhh, im sooo close

Can I access this network again if the timer expires?

yes, leave and rejoin the room

thanks

Gave +1 Rep to @lone spruce

A question regarding testing the amsi bypass:
Should it be enough to exclude the working folder from Windows Defender and just try to run a malicious file outside this very folder,
or is it better to test it on a seperate machine?

Its always better to test on a separate machine and I don't actually know how Defender would react to an exception

Always test on a separate machine. Defender is weird sometimes. Exclusions will stop it from scanning the files in the folder but sometimes it'll scan the file when it's run anyway

Running kavremover.exe even without administrator privilege and this raising an alert is able to activate de hijacked dll? Because I tried both methods (msf && covenant) and no one worked...

I'm not sure I understand what you're asking

I did the dll hijacking task and I'm not getting the reverse-shell/grunt, I tried ev evasion as well and didn't work

Are you sure you have the correct dll?

yes, that with ENU in the name

by the blog post searching on google

Where did you put it?

in the same place as the executable file

That's not the right place

There is a different dll that goes in the same folder as the executable

The one you have goes in a different location iirc

And I tried put in a place that isn't being affected by the group policy AppLocker

You have 2 option, 1, download the exe and do some testing on your own, or 2, do some more research on the exe.

Sure, thank you 🙂

There's a specific blog post you're looking for. I don't remember exactly what it's called, but you'll find it

Is someone available to help me troubleshoot the NTLM relay part? Im not enitrely sure what im doing wrong.

I posted some images earlier of what im doing. If you need any other info tell me what and i will provide it

Hello, last time I got stuck on the PCFILESRV machine (no WinRM protocol). Does anyone know if that issue is fixed?

Pcfileserv is up and running as intended now

@lone spruce did you ever pick a winner for osep

You haven’t answered me!

I have your DMs muted

there's no scheduled task in PCFILESERV for administrator

you're not meant to see/know it's a scheduled task

it's "simulated user interaction"

whats the point of enumeration if theres no indication of 'simulated user interaction' how am i suppposed to know which applications to
hijack ? just guess ?

Being able to spot applications that aren't natively installed on Windows is huge for priv esc

ive uploaded the dll to the correct path, but i didnt get a callback

Then you did it wrong

is pcfileserve working ?

i still cant connect trough evilwinrm or with rdp

See, you kinda cut all the relevant information out of the pictures, so it's a little bit hard to help you figure out what you're doing wrong

i just cant connect to pc file serv

using evilinrm or with rdp

if you enumerate smb with crackmapexec it should show the fileserv in the output right but when i used that it dosnt showw anyfile serv so i ran nmap to check if port 445 is open but apparently its closed

is that the reason why i cant connect ?

It shouldn't be. Altho, I can't see any of your commands so I can't tell you if you did something wrong or now

Not

can i send you dm

Sure

I'm having an issue where the web server on the .33 IP didn't restart I guess when I reset the network. Anyone had this happen, and do I need to just reset the network again or something else? It's been like an hour since I did the reset.

Wdym it didn't restart?

I mean there is nothing running on port 80 after I reset the network

I was getting connection refused errors but I could ping

Can you send a screenshot?

Weird. I guess restart the network again.

Did you try browsing ti it anyway?

Yeah that's where I first noticed it, I only ran this again as my latest step, retracing after I could ping but not get anything from holo.live

Yea. Thats odd.

I'll just reset and see what happens, I was really confused why it stopped working till I checked the scan again

Yea

i got a shell out of the docker container, but when running the GTFObins cmd i get an error

it's task 20 thanks in advance

read the command and read the error

Thank you very much for the response. I am very new to docker. Do I need to provide the image alpine?

No. Read up on the command your using a bit

Don't just copy paste. Understand what you're doing

i know I have to run the command in /usr/bin, trying to mount /mnt. i guess.

What does alpine represent in that example command?

it's confusing for sure 😆

Sos. I'm still stuck on this, like i said docker is a weak point. if anyone could suggest any good reading on it? Or please DM if you have a few mins to explain what im doing wrong. Cheers.

That image doesn’t exist on the box

look for ones that do

okay I had an ideal like that thank you for shedding some light on the right direction.

Gave +1 Rep to @lone spruce

i just broke back out of the container, any clue to where i can start looking for the image that does exist?

I got something to happen, am i on the right track with the img name or not so much? thanks in advanced.

You're on the right track. But that's not the right image.

hello

sup

great network, trying to wrap my head around AMSI and evading AV.

Yep suffering along 🙂

lol glad to know im now alone. i got to where i can upload to the web server, but ive not gotten a shell back that passes.

You'll get one. It just takes a bit of effort

Likewise lol... But I bet we're overthinking the stuff. Like I always do sigh ...
But yes @solid timber , I know for sure I'll get there 🙂

If you want I can give advice but you'll have to tell me what you're trying ti get passed the AV. I did it a specific way and can only help if you're trying to do the same thing

Thanks, but for one I have this stuff on an other machine, and secondly, I don't think I've tried everything I got at my disposal.. I'm still playing around with the obfuscation.. But if you have any additional links that wouldn't spoil anything, I would very much appreciate you sharing this stuff 🙂

Gave +1 Rep to @solid timber

Nah. I pretty much only used the info provided in the tasks. I will say tho, I couldn't get covenant to work no matter what I tried

Okay, than I should have everything I need..
Covenant itself, or anti-amsiing the grunts?

Can someone explain how DC-SRV01 IP address can just change in the middle of things?

Shouldn't we get a bloody warning?

Covenant in general. The code is broken and errors when I try to run any of the launchers.

It shouldn't

Only way up changes is if you left then rejoined the room

It*

Ya. I dunno what happened. It definitely changed though. I decided to walk away and come back with a fresh network when things don’t have gremlins in the wire.

Weird

Well, if any if you get the NTLM relay working (the last attack after rooting pc fileserv) lmk. I can't get it to work and don't know what I'm doing wrong

And every time I post about it here nobody answers lol

low-key bet when cry made Skidy reclone everything, shit broke

in the meantime, just print nightmare the dc

ez clap

https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ you can read about Rasta doing it with cobalt strike if you want to learn more

i copied the wrapper from task 35, changed the IP adress but when i upload it it never makes a call to my waiting http.server. I've checked for typos but dont see any. anyone have any idea what up? I just turned off javascript to bypass the client side.

iirc that's the AV

Could be wrong but I vaguely remember having that problem

That bypass is a nasty one.

are you actually executing the php or are you just uploading it?

you can just upload a file and expect it to execute itself

fair enough

thanks for responding, how can i execute it? finding and going to the url?

Gave +1 Rep to @lone spruce

yes

okay thank you for the direction. I need to straight up fuzz for the right url?>

its not that hard to find

i tried like /uploads and a few others like ip/nameoffile but no luck, got dirb on it now..

How? I can't even connect to it

you've pivoted through the network, right?

Yea. I've done everything up to the NTLM relay

I just can't get that last bit to work

okay thank you mucho it's hitting my box now atleast XD

thx a ton

Gave +1 Rep to @lone spruce

Going to just roll into a ball and cry if it did

Idk man. I tried just about everything with the relay and It refuses to work

Don't you need at least low level creds on the machine to use print nightmare? I don't have creds that I can log onto DC with

no

Oh? I guess I have to do more research then

Still can't figure out how to do this. Can you point me in the correct direction?

Decided to try relaying again now now im getting this error when stopping the services. Am i doing something wrong?

🙃 still waiting for reports review

been a long time

Blame @wind bobcat

Hmmm. Did you encounter this issue in general, or "just" with holo?

In general

I've tried playing around with the code but I can't get it to work

These were the errors. Don't know how to fix them

are you trying to build that outside of Covenant? in VSCode? You cant build the agents outside of Covenant

No. I pulled it up in vs to try to figure out what was up with it

This is the error I got originally before opening anything in VS

can i use the wrapper like this with the .ps1?

I think that should work. Been a while since I was at that part but I think it looks good

two problems, 10.x.x.x needs to be changed.
when defining you payload ".\notashell.ps1" you need to escape the backslash

i put in the x's to hid my ip

but thank you very much that makes sense

Gave +1 Rep to @lone spruce

about escaping the backslash

passed amsi and got my call back!! thank you so much escaping the \ did it trick!!!

Gave +1 Rep to @lone spruce

https://tenor.com/view/pokemon-anime-bulbasaur-squirtle-cute-gif-17788585

https://tenor.com/view/pokemon-squirtle-sunglasses-deal-with-it-gif-5634922

I'm still stucked on task 43... Any hints on how to figure out the scheduled task for the vulnerable application? Commands, etc...

You will need to use further information. The scheduled task is there you just can’t see it

Sure, thanks!

Anyone could sanity check me on task 43? Been stuck here the past 24 hours and reset the network like 4 times. Payload dll is crafted, with encoding, and on the machine in the right location; metasploit handler up on my box and options match the payload. But I can't get the shell, it's like the task isn't running or something, but I guess it is and I've just messed up on something. It's been about 40 minutes since I dropped the dll last after a fresh network reset...

@solid timber this work for you? Ive been messing with that script a bit so.

did you also test that your dll works off of the production machine

Ok I just went back and checked and yes it does work, I got a shell from my own windows vm changing only the IP in the msfvenom command

I'm not above having messed it up a 9-10th time though, so I'll reset again and see. I suppose I could have messed up my listener this last time even though I put the dll in the proper place

Anyone available for a reset vote on the 10.200.126.0/24 network? L-SRV01 seems to have become completely unresponsive.

to get a empire agent on the win web server would i need to set up an http_hop on the lin box? I pivoted with chisel, can get a powershell reverse shell but not been able to get empire set up, i dumped sam.bak and system.back, hit with impacket secrets but it only gave me hash for local users didnt seen aything about the domain, figured need mimikatz.

task 36 asks for a domain users creds i didnt not see

an empire agent*

The scheduled task? No it didn't work for me. I used printnightmare to get admin. And I know that I had the right dll cuz I used it after I got admin to get a meterpreter shell for easy portfwd.

Yea. You'll need a hop set up on LSERV

Oh and I still haven't been able to finish the network btw. I'm certain that the NTLM Relay is broken and I can't figure out how to print nightmare the DC without being able to log on to it

If anyone could point me in the right direction that would be nice

no you don't - outbound traffic is not filtered afaik, only inbound. I also used empire - I only had my struggle with the AV evasion

In the task 8 ,it asks for the version of the CME, i checked it manually and also did a wpscan , both show 2.4.2 but when i submit it shows wrong answer. Why is it?

it's not that right answer, keep looking

empire has the rastamouse you can put in stagers and stuff

Alright. Thanks.

you got it working without a http_hop tho?

and thats good to know about outbound traffic thank you

yes

great thank you

Gave +1 Rep to @undone rune

i didnt think so, ive been able to get a powershell reverse shell back, but nothing else, glad to know what to work on tho

I noticed, that my av evasion worked on my local windows dev machine but not on the server in holo - had to tweak it a bit. so maybe that's the issue

word, i'm still newish to empire but I wanna get better. I know they obviously pushing ya toward cov

definitely recommend you this video: https://www.youtube.com/watch?v=F_BvtXzH4a4i explains the AMSI bypass and stuff pretty good.

Oooooh, thanks for sharing!!!! This will maybe eventually be a life saver for me 🙂

Gave +1 Rep to @undone rune

they rec that video in the task, but yes def great

i wateched it twice atleast lol

this is what pushed me over the edge to win

https://www.offensive-security.com/offsec/powershell-obfuscation/

oh yeah - that's also a great article!

@solid timber any update? I'm stuck at the same situation like you.

you guys still a step above me, i got a powershell reverse back from s-srv-01, but cant get mimikatz to run no matter what I do. I've tried to obfuscate meterpreter payloads, empire agents with amsi blocks in front, i dumped sam.back and system .back and did secrets but every user but watamet dumped. anyone got a road they can heaed me down. every thing i find online and try is dated 18-20 and no longer works. im system on the box its frustrating i cant get anything to work.

cant i just turn off amsi at this point?

sam.bak system.bak* lol

as you should have the highest rights - try it with AMSI disabled. I was able to use mimkatz within Empire with and without AMSI enabled - but this was some weeks ago 😄

ive was trying to get a damn emprie agent all day on the box, still a working progress. like i said i have a shell on the box so im trying to even run em from there and not having luck

how are you disabling amsi, with a .dll?

as you have a working shell - disable AMSI. You can do this very easy via powershell

and you are right i got a shell with the highest rights

[Ref].Assembly.GetType ('System.Management.Automation.AmsiUtils').GetField ('amsilnitFailed','NonPublic,Static').SetValue ($null,$true)"

?

Set-MpPreference -DisableRealtimeMonitoring $true

this not what i wrote?

more or less 😄 but I was to slow with pasting and sending - sorry

no you are fine im thankful you helping me

https://www.windowscentral.com/how-manage-microsoft-defender-antivirus-powershell-windows-10 as a reference which sometimes could be helpfull

thank you very much

thank you very much

Gave +1 Rep to @undone rune

your are always welcome!

thats cool, and i see on next boot it comes back so everyone can have fun XD

that's right! - or you will have some fun again as you forgot about that and nothing worked again 😄

can you get xfreerdp to work with proxychains? evil-winrm does work for me, but it would be sweet if xfreerdp did too lol

yes - xfreerdp work for me like a charm - I also tested rdesktop wit sshuttle which also worked great

hmmm...i just tried it once the other day and it didnt work. i was working on all the amsi shit so didnt take on another task. but thats great to hear i def will try again

i used chisel to pivot, you think i should trans a pubrsa and sshuttle?

i didnt even think to try rdesktop atm

you can use sshuttle with the normal login like SSH

I also tried it only as it was a tip within on of the ntlmrelay tasks 😉

haha nice. well thank a bunch, ima go try some new tricks. good luck with the DC!

Gave +1 Rep to @undone rune

thanks! happy to help

Gave +1 Rep to @austere grove

Nope. Still stuck. Someone said you can print nightmare the DC without logging into it but i can't figure out how to pull that off

Same for me. I got the response that the spool service is not running - maybe it got fixed with the latest update on the network

Yea. Idk

Can you dm me how you were trying to do it? Cuz you got farther than me 😂 😂

Hello, I'm still stuck with PC-FILESRV01 (I get an authentication error despite having the correct NT hash). Can you check if it works on your side?

I just did it the other day

It most definetly does

Can you send some screenshots?

Yeah, sending you a PM

hey i know you said you used empire too, what kinda stage did you use?

I used multi/launcher (sorry had to look into my notes)

@lone spruce it seems like s-srv02 broke kekw

you are fine thank you very much, ive tried many but its nice to run with one i know someone had luck pushing though.

Gave +1 Rep to @undone rune

evil-winrm did not work for me as well. I used other way to get in with the available credentials.

Have any of you managed to privesc with DLL hijacking on PC-FILESRV01? I cannot find any unique application connected to any scheduled task endpoint that would make sense. I'm on 10.200.128.0/24.

You won't be able to see the scheduled task. The idea isn't that it's a scheduled task. It's designed to simulate a user accessing an application. You should be able to find the file you need without seeing the task

Gave +1 Rep to @solid timber

Thank you!

tree /f is super useful btw

how are yall building AmsiTrigger on linux? I cant really figure it out.

You’re not supposed to?

It’s a Windows thing

im guessing you dont know you can run powershell on linux?

i cant get it to work on my winVM, it just says that active scanning off

You have to build AMSI trigger in VS code

Or VS studio

it's def studioj

you dont build in code

Yea

That's why I said bith

Can never remember which is which

im so freaking over it really, been trying to get dump creds on a box i have a system shell on

Wait, what are you stuck on?

If you have system shell, just disable av and upload mimikatz

i cant, or cant figure out how

i dont get it

Ah. I litteralt just close my laptop. Hold on, lemme grab my notes

blah, thanks man. Im def feeling beaten

Gave +1 Rep to @solid timber

Just because you have Powershell does not mean you can suddenly check for AMSI triggers on a Linux host

Defender/AMSI have to be on to use the tools mentioned in the tasks, that’s how the checks are made. Unless you know how to get either of those things on Linux, they won’t work

Also, afaik, Powershell, like any other shell (e.g. bash, zsh) is simply a means to interact with your operating system. Just because you have Powershell on a Windows machine does not mean you can suddenly make Windows API calls, and just because you have bash on Windows, that doesn't mean something like /etc/passwd just exists on your Windows machine

Powershell might be different because it functions differently than the *nix shells, so I very well could be wrong, but I know for certain AMSITrigger and DefenderCheck cannot work on a Linux machine

Kekw

the funny thing is Defender is on Linux now

I don’t know if the AMSI hooks are in place though

Is it actually? Lmao

Hey! Is 10.200.123.X Up?

Huh I guess you're right
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide

It's still a lot of effort to try and get all of this on one machine when you can just spin up a Windows machine.

can anyone help reset 10.200.111.x? only way to get past this on the filesrv right?

reset worked fine. all is well.

hi boys... the lab doesn't work...it don't respond to my ping...can anyone help me?

Are you on the correct vpn?

yes in the holo network....i don't understand why

Which machine are you trying to ping?

L-SRV01

but any machine doesn'trespond me

Is the network on?

yes i've tried all

You're sure you're using the correct VPN? Networks have their own VPN that is separate from the one you would use to do normal rooms

It seems to be there are some network problems - ssh: connect to host 10.200.128.33 port 22: No route to host. I've regenerated my vpn config file for hololive but it did not help.

Did you reset the network?

i've reset the network and i have the corret VPN but all didn't work

10.200.128.35 PC-FILESRV01 does NOT have an application vulnerable to dll hijacking installed/present. It is just not there. I know what this application should be. Can somebody from THM fix that? Thanks. Also there are still problems with accessing 10.200.128.35. When the network stops running and then starts again all servers stop to be accessible.