#holo-network
You can set up an upstream SOCKS proxy in the User Options tab in Burp
Does this lab block IPs in the event of too much fuzzing from a unique one?
nope
How do you find the username for task 28? I feel like this is obvious and I'm just overlooking something simple
I feel like my network is broken. It just shut down cuz I forgot to extend, and since the restart the Linux host is not reachable
$ ping 10.200.107.33
PING 10.200.107.33 (10.200.107.33) 56(84) bytes of data.
From 10.50.103.1 icmp_seq=1 Destination Host Unreachable
Does the AMSI bypass run within the shellcode? Or do you run it prior to the reverse shell callback to disable AMSI? I'm getting a bit confused
You need to run it before calling your shell
Is that around Task 43?
Hey...I think I'm stuck on task 37...
I can't seem to authenticate to the fileserver 01 using the syntax given... tried running evil-winrm with proxychains... didn't work..
Tried RDP.... I'm getting "account restrictions are preventing this user from signing in. For example blank password's......"
Anybody got past this point?
Oh snap...I realized my mistake😹
Hi, it's been like one hour that I can't access the Holo web server WordPress site, is that normal?
is it because of other people spamming wfuzz?
Hey are you on task 43
Can we get a reset on this?
Anyone on the network?
Uptime is 30minutes and nothing is working
I found there wasn't a scheduled task, had to use print nightmare to priv esc
What did you put down for the DLL and executables then?
So I ran through the steps as admin user and worked it out. Procmon works as an admin, so run print nightmare. Then follow the guide
Perfect thank you
Gave +1 Rep to @minor flax
yes I completed it
Can someone shed some light on: Task 38 Post Exploitation Watson left her locker open
I created a payload ||kavremoverENU.dll|| and copied to the same directory where the ||kavremover application|| is located at; ||C:\Users\watamet\Applications||
I setup a multi handler on Metasploit. However the reverse shell is never caught by the handler.
Unless I misunderstood something, the trigger to run ||kavremover|| is a ||scheduled task||. Am I missing something?
Hey, I'm also stuck here.
Anybody help?
Quick question on task 47/48....
would adding both SOCKS 4 & 5 be affecting my ntlmrelayx session?
I have 3 days left on the Holo network. I think I'll finish in time, but if not, can I do it again?
You will be able to rejoin, they just have the 10 days so they can lighten the load on the networks
cool thanks @cinder notch
Gave +1 Rep to @cinder notch
I had to escalate with print nightmare as the scheduled task wasn't there
Looks like the address is in use. Try changing the port and setting up a new line in proxychains config
Awesome....Thanks , let me try that
I'd also recommend looking at sshuttle as a tool for pivoting, it makes life a lot easier
Nice..
sshuttle on task 23 or in task 47 where you set up SOCKS4?
Sshuttle through to get to the .35 box. Then that leaves the ports available for the local pivot for the ntlmrelay
Thanks, that is what I did
Gave +1 Rep to @minor flax
did someone on the 10.200.95.0/24 network change the password of the linux-admin account on 10.200.95.33?
I cannot use sshuttle anymore with the usual credentials
If it's still like that, re-pop it and add an SSH key into authorized_keys, then you can sshuttle as root 🙂
Thanks Yekki 🙂
Gave +1 Rep to @minor flax
Getting the following messages from ntlmrelayx for task 48:
Is there a switch to use a compatible version of Kerberos?
I had that but it worked anyway. The second error looks like the port forward is the issue @clever sky
why doesn't this command work: sc config lanmanserver start= disabled
Also, how in the hell do you get sshuttle to work? I run the command and get "connected to server". However, I can't navigate to any of the devices
@minor flax Any chance you can help with this?
That sounds right. What's your sshuttle command? Have you included the target range to pivot to?
sshuttle -r linux-admin@10.200.110.33 10.200.110.0/24
You might need to add -x to exclude the host you are connecting to. But from memory that looks right
sshuttle -r root@admin.holo.live --ssh-cmd "ssh -i /home/yekki/.ssh/id_rsa" 10.200.142.0/24 -x 10.200.142.33
That's the command I had that worked @timid moss
I can't wait to finish this room. It has been a major pain in my ass
This is what I get everytime
Nothing after the connection and I can't ping anything
@minor flax You ran this command sc config lanmanserver start= disabled on the PC server as admin, correct?
ICMP is its own separate protocol and doesn't proxy through sshuttle
Thank you
Gave +1 Rep to @wind bobcat
Ah yeah sshuttle doesn't handle icmp (ping), this took me a while to find out.
Also on the sshuttle command you can add -v for verbose, gives a bit more info to make sure the iptables are being set correctly
Hey, I just wanted to know if we have limited days of access to the Holo Network?
I think it's like 10 days, but after that you can just rejoin the room.
The only difference is the network is reset and you get a new subnet, so you have to re-do all your pivoting etc
Okay, thanks. So after 10 days I can redo it. Thanks, I had to complete a few AD rooms first before diving into this.
Gave +1 Rep to @minor flax
Yeah can just re-join as many times as you want. Think it took me 3 rounds of rejoining the room 🙂
hello. what does the "9 days left" mean?
prolly your subscription ends in 9 days, Holo is a subscriber-only lab
but I still have more days till the next subscription date, so...
That was for you.
oooh I get it now. thanks @zenith delta
Gave +1 Rep to @verbal prawn
I'm returning to holo after a day offline, network uptime is 23m and I can ping L-SRV01 but no other ports are open, is this normal?
Anyone know why this happens? https://cdn.discordapp.com/attachments/943699891497103372/945744805995114566/unknown.png
Yes, it's because you're in a reverse shell. I would recommend trying SSH
I don't think I can ssh....
it's a connection between compromised host to internal target. I can get the internal target id_rsa but the compromised host doesn't have ssh installed.
perhaps meterpreter will make it work. (UPDATE; has not worked.)
Do you know any way to fool the system and make the input device tty? (solution: stty on sh shell)
having a hard time finding which application is vulnerable on PC-FILESRV01. Any suggestions?
I assume you've used python pty;pty.spawn to upgrade your shell?
I thought it worked after doing that
ye I did, but you also had to run stty, and if it was a bash shell it gives an error after the stty command, so I tried sh
Looking through my notes I had a meterpreter session and dropped into the shell to run the breakout. How have you got your shell?
@minor flax did you ever find a way to locate vulnerable APP on PC-FILE endpoint?
I identified the program but the scheduled task wasn't there. I had to use the print nightmare priv esc. Then when I was admin I ran through the tasks and added the scheduled task
Yup. I was about 2 seconds from doing that exact same thing. I figured I would give it a chance and find the vuln app. I'll try your way. Thanks!
No worries. Was super frustrating to be honest. I raised it in the room bugs channel but nothing
You mind if I DM you?
I used a netcat listener to get the shell, then I ran sh and stabilized the shell. I also tried the meterpreter method, but it wasn't working, not sure why.
Sure thing
Super frustrating! Not sure what's happened there
The good thing is that it's working right now 🙂
Oh brill. What was the fix?
Stabilizing sh shell
Like I said here.
Ahhh cool. Odd though!
Anyone got a problem with the Holo network?
in the Kali browser of TryHackMe I got this
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.50.108.120/24 brd 10.50.108.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::9105:2bc7:a0f0:98b6/64 scope link stable-privacy
valid_lft forever preferred_lft forever
root@kali:~# ping 10.200.111.33
PING 10.200.111.33 (10.200.111.33) 56(84) bytes of data.
From 10.50.108.1 icmp_seq=1 Destination Host Unreachable
From 10.50.108.1 icmp_seq=2 Destination Host Unreachable
From 10.50.108.1 icmp_seq=3 Destination Host Unreachable
From 10.50.108.1 icmp_seq=4 Destination Host Unreachable
From 10.50.108.1 icmp_seq=5 Destination Host Unreachable
From 10.50.108.1 icmp_seq=6 Destination Host Unreachable
From 10.50.108.1 icmp_seq=7 Destination Host Unreachable
From 10.50.108.1 icmp_seq=8 Destination Host Unreachable
From 10.50.108.1 icmp_seq=9 Destination Host Unreachable
From 10.50.108.1 icmp_seq=10 Destination Host Unreachable
From 10.50.108.1 icmp_seq=11 Destination Host Unreachable
From 10.50.108.1 icmp_seq=12 Destination Host Unreachable
it was working super yesterday
Well, yeah.
It says dangerous programs
Mimikatz is a hacking tool
I find it quite funny how people report the GitHub repository and tag it as malware. Just because it's a hacking tool doesn't mean it's going to be used in illegal or malicious ways. Lol
is holo-network bugged or is it just me? I tried a couple of things but I might just be tired lol
At what point?
hey I'm not able to get the DC to connect to ntlmrelayx, i have admin access to it and set up the port forward on meterpreter ... no errors but for some reason, it won't send the hash
I am having trouble with initial recon
I guess I am supposed to do the following but
Pulling out the IP is not working for me. I have network set as 10.200.119.0/24
Is the address 10.200.119.30 supposed to be ping-able?
I have the same issue with this holo network, its a pain
Is there any admin on this channel?
.NET 3.2 for Covenant ,
.NET 4.7.2 for ThreatCheck/DefenderCheck
.NET 6.0 default microsoft page
once this network finishes i shall become a .NET developer
No, it's not. There is only, I think, one box pingable initially
What do you mean? Becoming a .NET developer?
I scanned the whole /24 and the IPs come back filtered, 10.200.119.0/24
@summer flame can you check your IP routing table (cmd: ip route) and see if there is a route to 10.200.119.0/24
if you can then just reset the room it should be working after that
I can't evil-winrm with the hash/password access to the PC-FILESERV
crackmapexec found it with the winrm extension, but not smb, and I scanned with nmap; the smb and rdp ports are open, but no response. Anyone have a solution?
I had to install 3 versions of .NET to finish the AV evasion part of the network 🙂
did u try it with socks proxy
i used rdp to login to the fileserv
used it with socks
sshuttle , and chisel
i will check socat i guess
by the way L-SRV01 is vulnerable to Pwnkit
Chisel or sshuttle should be more than enough
Make sure in your rdp client u specify socks proxy
I don't think u need to try socat
it's fixed , thanks
so no matter what I do I can't get Holo to kick back a shell. I know I'm doing it right because I've had a shell before but it won't give me one now. Not sure what to do. I've tried:
1. Attack box - no luck
2. OpenVPN - no luck
3. Resetting server - no luck
4. Resetting room - no luck
nvm solved it
care to be nice and state what you did to solve it for future souls stumbling in a similar problem???
lol yeah it was me just being dumb. I was using the AttackBox listed IP and when I checked ifconfig I found it was running the other IP I had, and it worked. So I'm betting the reset of the room is what did it, because it fixed the IP addresses that were listed with the internal IP on the main network infographic. (hope that helps)
Same problem here!! I can't evil-winrm into PC-FILESERV!! You got any solution?
Am I missing something or is it nowhere stated that the third octet ("x") is meant to be the third octet of the L-SRV01 and DC-SRV01 machines?
use rdp , evil-winrm still doesn't work for me .
curl: (7) Failed to connect to 192.168.100.1 port 8080: Connection refused
anyone can help on this...
nvm got it
one thing, S-SRV01 with proxy-chains through chisel is very slow, any way to make it faster?
hi
Hi, HOLO guides say: nmap -sV -sC -p- -v 10.200.x.0/24
My network is: Internal Virtual IP Address 10.50.112.163
Not sure what should I scan... ? What should I type instead of 'x'?
VPN Server Name Hololive
Server Status
Connected
Internal Virtual IP Address 10.50.112.163
One of the tasks should tell you what your scope is. The VPN subnet is different from the target network.
task? I'm not seeing it..
yes
Read through the first few tasks carefully. Also it should show you an IP address on the network topology screen-area-thing
yes, on the screenshot I can see but I was not sure if it is just static screenshot 🙂 I'll try
I don't think it is correct. I have one server found ..
I am trying my subnet now but oh god, it is 15 minutes and still scanning..
It's a big scan that you're doing. -p- -sC -sV is a lot.
Try doing a small scan to identify the up hosts: a ping sweep or top 10 ports. Then an -sS, then a full port scan. Then script scan the specific ports that are up. Otherwise everything will take you ages and won't let you do anything while that one giant scan is running.
Anyone else having issues logging into the dashboard on the admin instance?
I get the login prompt but after submitting the username/password, it just hangs
clear cache + retry!
thanks @wind bobcat! I should be ashamed...
Gave +1 Rep to @wind bobcat
Hey, so I've got through to RDP on PC-FILESRV01 and I'm trying to do the DLL hijack, but even if I copy the executable to a directory with execute permission, and the DLL in the same folder, I find that my msfvenom DLL doesn't connect back to my host, and there doesn't appear to be a scheduled task or service that references it, so I don't understand why it's not triggering for an admin user or for the low-priv user
I'm in the container machine, am I supposed to be able to connect to the SQL database on 100.1 or not?
Yes you should be. Did you check for creds in the web server files?
yes i already answered the questions so they should be correct
I try to connect with this command but get no response: " mysql -u **** -p -h 192.....1 "
is it right ?
Yeah, it looks correct
What are you getting as the error?
Cannot connect, or Wrong password or anything else
Oh, perhaps because of your shell.
Try to get a stabilized reverse shell
No, if not specified the default 3306 is used.
You are connected!!
hello guys! I am stuck at obfuscating the payload. Can anyone help me with this? Thanks in advance.
Is this network down? I'm unable to ping or reach anything here?
no bro. the network is up
Weird, I'm connected with the Holo VPN but unable to reach anything. I tried from the attack box as well, same thing there.
Same issue since yesterday. I waited for a reset and still nothing; also from the attack box ping gets no response
i'm now attacking and the network is fine
Hey guys, got a question around shell stabilisation. I did ask this in #general but no reply, and as I'm having this issue on the Holo network I thought I'd try my luck here too...
Whenever I try to get a stable shell I can never seem to get the special characters working. My user and root both have /usr/bin/zsh set as their shell in /etc/passwd so I tried chsh to /bin/bash for both but that didn't help. Tried running /bin/bash before starting the whole process but that didn't help. Commands I'm using seem to be standard i.e.
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg; export SHELL=/bin/bash; export TERM=xterm-256color; stty rows 29 columns 116; reset
So I get a shell back and it's aligned OK, but TAB completion and cursor keys for history etc don't work. Can't seem to find the answer on Google so hoping someone can point me in the right direction
2 days passed and still can't ping the machine
yeah, I'm having issues on and off too
I think people are ignoring the warning about thread counts
the problem is, other rooms are fine; only this network I'm not able to connect to
You are connected OK. Like I say, under task 10 people are warned that the machine will go unresponsive if they don't reduce the thread count on gobuster when fuzzing. Too many people fuzzing without reducing the thread count must be killing the machine
maybe not, I get a ping reply
ahh, but even after the reset I immediately tried to ping, same thing
Is the IP the same or changed, for the machine 192.168.100.100?
I can ping it and hit the admin.holo.live login page but can't log in. It just hangs
10.200.109.33
You must be ahead of me
I meant the Docker machine "L-SRV02"
looking at the map, the connection goes via L-SRV01 which is fecked at the moment so I'm not surprised you can't access 02
:S
maybe an admin can see who is hitting the box hardest and have a quiet word with them but otherwise I guess we do another room for now
I'm waiting for an admin to check and help, but been waiting for 2 days
is there anyone to DM ?
Sorry, I don't know :/
I've been stuck on my little issue for a few daaaaaays and what you're experiencing has been a recurring issue for me
So I just did:
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg;
without setting the environment variables and now TAB completion and history are working!! Would like to know how/why but I guess I should just be glad it's working
I think the way bash is interpreting that is export the environment variables on your host and not on the victim machine
I've never done that before, always
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo;fg
export TERM=xterm
Sorry but it seems like we're doing the same thing, aren't we?
interestingly I just had to reconnect and the first time I couldn't TAB or get history. Connected again without the space between "pty; pty" and it's now working
don't think I changed anything else
Nah, it's got nothing to do with the space
this time I was able to get everything just with:
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl+Z
stty raw -echo; fg
stty rows 29 columns 116
I didn't even need to set the environment variables
so I dunno what is going on
difference being the stty raw -echo;fg;stty rows 29 columns 116
vs
stty raw -echo;fg
<enter>
export TERM=...
<enter>
.....
<enter>
last night, i got the same problem too, after someone resetting the network. Now it works fine
Sorry maybe I'm being a bit stupid...
So I am running:
stty raw -echo; fg
<enter>
export TERM=xterm
<enter>
stty rows 29 columns 116
<enter>
but you're saying it should be:
stty raw -echo; fg; export TERM=xterm
<enter>
stty rows 29 columns 116
<enter>
either seems to work fine now
I have made it fail by using python instead of python3, or by not running nc with sudo, but in those cases the result is that it just hangs completely. I can't seem to make it behave the way it was before, i.e. no tab completion and history now, which is odd because that was the result before no matter what I tried
scratch that, it's not hanging when I don't run nc with sudo
no env vars are needing to be set at all
on the victim I mean
actually new lines work better with the TERM var set
People reading this are probably thinking "why does he keep going on about this?!"
its simply that I was getting the same result for daaaaaays and now its just working as it should and I'm not doing anything different so I'm just curious to know what it could have been
anyway, I'm moving on! I'll shut up about it now
ssh -R 10.200.101.200:16001:127.0.0.1:4444 -i id_rsa root@10.200.101.200
[root@prod-serv ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1827/perl
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 853/sshd
tcp 0 0 127.0.0.1:16001 0.0.0.0:* LISTEN 2121/sshd: root@pts
Anyone know how to make the bold one (127.0.0.1:16001) listen on 0.0.0.0?
I don't see anything in bold but is it the listen address set in /etc/ssh/sshd_config?
edited
Yes it is. I am trying to use 16001 as a port to listen to reverse connection and forward to 4444, it is a wreath machine I am asking in general how do we do this for SSH
Sorry bud, not sure myself. If its not in a config file, I guess its the command you're using that limits it to localhost
Please don't ask the same question over multiple channels
got it
completed wreath so I guess I must have done it at some point but I can't remember :/
guys, I am facing problems on DLL hijacking. Can anyone help me with this? I can't even run Process Monitor.
Hey all, curious if things are working properly with the network at the moment? Seems to be broken but please correct me if I'm wrong.
Had a team go through it and find that there were some issues across everyone's experience, from AppLocker disabling to NTLM.
the only thing I'm aware of being broken at the moment is DLL hijacking
how did you proceed, do we need to run kavremover.exe by ourselves and wait for the reverse connection?
TL;DR print nightmare
running kavremover yourself will result in a session from your current user
hello, I can't even remote desktop to the .30 machine. I restarted it for ntlmrelayx and it failed, and now it does not work
@crude jewel it may depend on your connection... can u ping this machine?
I already have a session as an administrator on SRV02, but in THM's pivot graph I can't see it as a compromised machine.
When you're asking for a reset, you need to specify what instance you're on.
The third octet of the machine IPs
10.200.95.x
previously, it was not possible to compromise s-srv02, due to a recent update, that was patched. You can now compromise it.
The flag submission to update the network map was not likely updated
It's been a week, and I'm still not able to ping L-SRV02 through the attack box or my PC. I sent an email to the support email, but unfortunately it passed the 3 WD with no response
any problems with the network? i lost connection from one moment to the other to L-SRV01
L-SRV01 seems to be down, can anybody from the Staff please have a look at it?
Instance is the 10.200.107
we are already only one reset vote away
Reset is done, thx to whoever 👍
I can't escape my privileges for some reason; when I start the Docker container it fails
nvm i got it
allo all. Does the final NTLM relay thing still work?
all i get is this
that's using meterpreter to port forward off an NT AUTHORITY\SYSTEM session, and impacket 9.22
if you run socks, do you see
Protocol Target Username AdminStatus Port
SMB 10.200.x.30 HOLOLIVE/SRV-ADM TRUE 445
er, let me try. just closed it briefly
could it be that the attack box needs to be able to reach 10.200.107.30?
yes that's in the solutions. hmm
oof that was a tangled web of proxychains and the like haha. I did the entire room with a tool a colleague of mine made, sort of a super chisel: https://github.com/NHAS/reverse_ssh
ended up using proxychains ntlmrelayx.py over a ssh socks proxy through to the pc file serv machine, in order to allow it to attack 10.200.x.30
started the network 20 minutes ago, still cannot reach 10.200.111.33 - is there anything I could do except for waiting for others to vote for reset?
@midnight condor wanna vc?
sure
same issue, cannot connect to any host in any way
the Docker machine cannot be pinged as ICMP is being answered on L-SRV01
not L-SRV01
you are able to ping L-SRV02 - the Docker machine
if the network works for u
it's NATed..
holo-vpn is up though (and the network is running)
-> the network bridge cannot connect to the holo-network after a fresh reset
Is there anything I can do about L-SRV01 crashing?
I cant access it anymore for some reason
I can't access admin.holo.live idk if that has anything to do with it
but I can access dev.holo.live and www.holo.live
Hi there. Did clearing the cache work for you? I can see the 'valid' response in Burp but it just hangs. Tried Chrome & Mozilla. Even the AttackBox in THM. Thanks in advance.
Gave +1 Rep to @proven falcon
Hi All, is there any Network Security expert?
I started doing Holo. During the first enumeration, the machine has only port 22 open and no web server running.
reset the network
This channel is dedicated to the Holo network on tryhackme - if you'd like to discuss network security in general then please use #infosec-general
Is there any way to download Holo Network image? The network is unstable
No.
The network should not be unstable, check your VPN connection.
There is some instability, at least for 33. gobuster shows no results, tried with threads set at 4. Many times only 1 port is open.
I was getting the same issue.
in that the network is being unstable. However - my issue was with the dashboard whereby clearing browser cache seemed to resolve the issue. Perhaps this knowledge may help you @mental lichen
keep getting this error:
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.200.109.30:5985 ... OK
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
I swear this is supposed to work... and yes I'm using the right password/user combo
Is there any way I can crack the hashes for L-SRV01 without using collab?
Or for someone to just tell me the password
In dms
Hey guys webserver port 80 is not opened at all
If you're asking for a reset, please specify the subnet that you're on
I'm on the 100.200.110.0/24 Subnet
Hey actually no need already port 80 is opened
Somehow
My PowerShell grunt dies almost immediately after getting a connection, any tips on how I can make it not die instantly?
having trouble with the hijacking ...can someone help?
can someone help me please...trying to set up a meterpreter shell at PC-FILESRV01 but not getting a call back
can someone go in vc for a chat about it?
been googling for hours
right...need help with the NTLM relay attack
im 95% of the way there...help me root this damn network plz
i'll be on 2pm UTC
can anyone give me any tips for obfuscating a grunt to bypass windows defender
I alr have the amsi bypass but can't get the grunt past defender
@shadow quest if ur free could u help me since ur alr past the stage im on?
for some reason every time I try to change the code of one of the grunt templates Covenant just stops working.
@fast sparrow The grunt is pretty outdated and has a lot of signatures, obfuscating it in 2022 is just too much effort imo. What worked for me was making an obfuscated PowerShell reverse shell script. It did the work flawlessly
Thanks a lot
I'll try with a different C2 like Empire and use a PowerShell launcher or whatever and see if that works, so nah I'm good.
Sorry to ping you, but I have one last question. Is it necessary for me to use a C2, or will I be fine without one?
Hey, did you manage to get the relay working? I tried it like 7 times and I never got any connection
got it working...but damnnnn its so hard to 😦
@shadow quest Ayye congrats my dude
Yeah, still didn't manage to get it working
right...wanna vc?
Sure
small study room?
+rep @shadow quest ty dude
Gave +1 Rep to @shadow quest
np 🙂
Ayo can u also tell me how to do it for when I get to that part
pls
lmao idk have to get stuck on it
i only got 5 days left for my vip sub so gotta hurry to finish this yk
@shadow quest got DC 
niceeee
We basically juggled multiple proxychains at the same time instead of shuttle
Shit's weird
More or less
I kinda forgot midway but I think I figured out what you did
I'm still kinda confused
But it worked
So I'm happy
im still stuck on makin a damn script to actually get me a foothold
i prob sound like a script kiddie rn but can I see the php payload u used
actually nvm
I think Ik a way
Good luck
If you're getting close to the end of your sub you can ping me and I'll send u the payload I used
But I believe in u
U got this!

thanks!
so far I have my PowerShell script that gives me a connection and bypasses AV
now I just need to see if it works
on the network (it works les go)
.109 network - someone has filled up all space on the first box somehow which means the sql file write totally fails 
I havent even touched the domain controller
but apparently I just rooted it
I would send a ss but cant
I'm on the NTLM relay section, specifically task 46 where you have to run Responder, but it isn't working because port 53 is already taken.
I've tried killing the process running it but it doesn't change anything.
I don't want to mess up my VM in case it happens to be important, so if anyone could help me that'd be n o i c e
nvm I'll just go on without it
Am I too dumb? I connected to the holo-vpn but the webserver isn't reachable in my subnet (10.200.111.0/24). The only system is 10.200.111.250
vpn connection is up and running.
Have the same problem on 10.200.111.0/24, I hope a reset will fix it.
unfortunately there are only 2/5 resets :/
Yeah, we can add one each every hour 😄
I can again at around 22h
didn't know that 🙂 only 1 vote left 🙂
Does it work again? 🙂
I'm working on Wreath at the moment (Task 28), will give it a try later.
same for me even after reset, gave up on holo for that
Hi, I am doing Holo live, I have the admin password (from supersecretdir), but it's not working on the admin portal... can you please help to fix it...
hello guys
same to me
the lab reset did work for me...
Is this an error in my syntax, or is the machine borked?
elliamy@pop-os:~/Downloads$ gobuster vhost -u holo.live -w subdomains-top1million-110000.txt
2022/04/21 20:40:44 [!] 2 errors occurred:
* WordList (-w): Must be specified (use -w - for stdin)
* Url/Domain (-u): Must be specified
also tried with the http:// infront of the url
I think you've got an ancient version of gobuster
Did you install it with apt?
yup
That is a syntax error, it can't be an error with the remote machine
Install it from github
Ah, will do
Or use Kali for up to date security tools
Cheers, didn't realise the apt version was so out of date
Apt takes its packages from your distro's repositories or other repos that you add
The problem is with those repos, not apt itself
Packages are different between Kali, Debian, Ubuntu, PopOS, even though they all use apt
Yeah, been trying to keep on top of it, but clearly messed it up there. I have Pop as I'm doing a physics degree and it works well for that, and win11. Maybe I need to learn how to Tri-boot for Kali
Make a VM
Thanks!
Hi,
I think the Holo network is down (and as no one is using it, no one tries to reset it?)
I cannot ping while being connected to the VPN or on attack box (none of the (visible) machines reply).
Is it possible to reset it without waiting 5 hours ? (1 vote per hour if I'm the only one here)
Thanks !
(PS: does not ping even after > 15 minutes, and not really urgent since I probably won't have the time to continue tonight, just saying in case someone wants to do it)
You can't be connected from both the attackbox and your parrot at the same time
The VPNs will conflict as your account only has one IP
Well yeah but I tried at first with the VPN and it did not work, then I tried with the attack box
I'm going to try with the attack box only, might be an issue from my VPN
Just tried with only the attack box (no VPN), does not ping either
Did you try the initial machine? Windows machines often don't respond to pings
In fact, you know one machine is running a webserver. I'd suggest trying to interact with that
Well I initially tried to ping because the web server did not respond, but now it seems to work so... my bad 😦
Sorry
guess I'm dumb 🙂
Hello I have a similar problem, I am in the initial recon phase, I know the ip of the web server but it doesn't respond to anything, I have tried ping, nmap, browser, curl, nmap with -Pn and still nothing
I am connected to vpn also
I am stuck at this problem since yesterday
If anyone could help I would really appreciate it
Which room?
Which room are you doing?
Holo, that's why I sent it here
Sorry, I clicked in the channel and didn't notice.
it's ok
does anyone know why isn't it working?
Well done ya muppet...
Hi all, hoping someone can help as I've been stuck on this for hours. On my attacking machine I have no issue with chisel, however on the remote machine I keep on receiving the following error:
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
I'm up to Task 23 and cannot proceed any further, any help is appreciated.
Try it with a static chisel binary.
How would one go about that? Fairly new to a bit of this stuff and my brain is fried after battling with it so long today
You can download it from the official github releases. https://github.com/jpillora/chisel/releases
Perfect example of why it's always good to take a break and sleep on these things! You're a champion, many thanks for pointing me in the right direction.
Gave +1 Rep to @timid current
If you're asking people to help reset the network, you need to specify what network instance you're on
Anything wrong with the network? Got booted off from my shell. Dropped and reconnected the VPN, still unable to see any hosts.
Remember there's several instances
There is something wrong with this network. Every time I go to this room it shows that the network is up even though I didn't start it. And now I am not able to connect to the host 10.200.111.33
I'm going to struggle explaining this, so please be patient. Once I escape the docker container and get www-data on L-SRV01, there is a bash error "bash: cannot set terminal process group (2041): Inappropriate ioctl for device bash: no job control in this shell" which I believe is what's causing the privEsc to root to fail. I'm following the tips and guide in TryHackMe so I'm attempting to abuse the privEsc it suggests. The session I have in the docker container is stabilized like the guide suggests, with bash. I'm having a hard time even wrapping my head around the connection from the Remote host w/container and how it's able to connect back to me if they aren't on the same subnet. I see that the shell relies on command injection with curl.
There's a lot of stuff like that in the room since stuff was moved around a lot in the editing from my understanding. Tasks 1-8 are initial setup tasks, everything onward is in order.
Gave +1 Rep to @cinder notch
Is anyone else having pivot issues in the 112 instance? I think it might need reset
the remote webservers don't finish loading
same here dude
once I log in on the admin panel, the server hangs on the redirection phase
Hi guys
when I solved Holo I got access to 10.200.110.35
but after resetting, the same credentials didn't work so I can't access the machine
anyone faced this problem?
I've had some success with deleting the holo.live cookie
@blazing cedar Great advice
Hey Guys, does the L-SRV01 respond to ICMP by any chance
L-SRV01 - crashed, need one more vote to reset the machine
Please specify what network you're on if you're asking for a reset
There's several instances of holo, each with totally separate networks
Someone correct me if I'm wrong, but the AV evasion on this network will get easier the older this network gets since Defender can't pull new signatures/updates from the internet.
iirc the DumpStack.log trick that mr.d0x tweeted a while back worked to get past an initial static scan in this network months later
@unreal hemlock man me too hahaha thanks for recommending a room for it, legendary for that
Gave +1 Rep to @unreal hemlock
Can a mod or whomever restart the 10.200.19 instance. The network stopped, I started it up again but it's been 24 min and the .33 machine never came back online
same happening to me right now
Anyone having issues spawning a tty shell ... I run the python one liner & it does nothing, no response/change? I have never encountered this issue before?
I'm on hololive task 14 ..... I'm not sure with this machine what's going on. It won't give me a reading when I tried to fuzz it, it also didn't want to give anything on dir busting. I just got in through some trial & error. So for whatever reason it's not doing things it should.... Now I'm at the part of getting the tty ... I did get a netcat shell and I could load up linpeas to do a scan but it won't take the python one liner. I also tried the socat & that halfway works... Showing that the port is being used but won't give me a shell
So I got a dumb shell with nc but it doesn't want to respond to the python script for me to continue getting a stable shell
I have a screenshot for you, but I have never posted one on this platform before. Just getting that figured out
┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.50.152.26] from (UNKNOWN) [10.200.155.33] 60172
whoami
www-data
pwd
/var/www/admin
python -c 'import pty; pty.spawn("/bin/bash")'
pwd
/var/www/admin
whoami
www-data
python's in the /usr/bin I just tried running it from the bin dir & nothing ...looking for bash ... there is a bashbug in bin ....I'm guessing it would be in root
bash is in the other bin
I'm no expert by any means, I've done the other networks (wreath, throwback), some linux priv, general stuff. This machine is doing weird stuff: python -c 'import pty; pty.spawn("/bin/bash")'
^[[200~python -c 'import pty; pty.spawn("/bin/bash")'^[[201~ I type in the one liner, then I try to copy and paste & it gives me that wonky read ..... I wonder if resetting the network would help
No I wouldn't think there should be .... I also tried a docker one liner from GTFO bins & got nothing
Thanks for the help either way
hi guys I have been trying for days to root into Linux Server but with no success. Could anyone help me out a bit, I would be very grateful
I saw the python3, I just typed python, my mistake, should have been better at relaying back the info.... I'll try and see if it will take a python3 instead of just python...... Learned something new: python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@6338e635a442:/var/www/admin$ I haven't encountered that before Thanks
can we get a reset on 10.200.112.0/24? the S-SRV01 machine is completely borked (at least for me it is) : (
it does? hmm.. i'll check it again. perhaps it's a problem with sshuttle
i'll try autoroute + socks server instead, thank you! : )
sshuttle -r user@$ip x.x.x.x/24 -D
although now that I think about it, I think I may have used the wrong ip for the pivot since I export ip's with bash so it could've been pointed to the container LOL, I'll double check that just to make sure
solved! it was a thing with sshuttle, i don't typically use it so i went back to the msf way of pivoting and everything's working normally. thank you for the help tho! : )
same! 😈
It looks like getting an RCE in task 15 doesn't work. Signing in with credentials or other access to the dxxxxbxxxx.php file gets redirected.
back to index.php
Now when scanning the box, it only has port 22 open..
Gave +1 Rep to @unreal hemlock
no!! XD not at all haha i'm very careful to not barrage packets especially when proxychains are in use since they can be pretty brittle. I've noticed it as well, I think it's just people who are scanning the host or a lot of people accessing a specific resource at once : )
don't worry! you'll get there! ik I said I was gonna root this today as well but I haven't even opened a terminal yet. but we'll see what happens : -}
How do I send the Android app file (.apk) to anyone from my VirtualBox Kali Linux?
@hoary crest This channel is for the holo network in tryhackme.
what is this holo network
Hi Guys, can anyone help me with AV evasion section. I am able to bypass AMSI but I am facing issues with AV.
Yes. I was following the Rasta Mouse blog. I generated a binary from Covenant and with the help of ThreatCheck I was iteratively removing all the bad bytes but at a later point the output of ThreatCheck was very vague and I couldn't figure out what's going on. It was 3 am in the morning so I shut down everything because I was frustrated. At the moment I am going through BC Security's webinar on evasion. I hope it has something to offer. I was thinking instead of using a C2 agent, I will obfuscate a powershell reverse shell combined with amsi bypass. What do you think? Any suggestions?
Yeah Even I am doing everything on win 11 dev machine. I was also thinking of using some other c2 like empire which I learned in throwback network. So what you are saying is, if I am able to bypass Amsi, then there is no need to obfuscate my powershell reverse shell, but will defender not catch it?
I think it makes sense, as long as I am running everything on memory, AV won't catch it. And when I get admin privileges I will immediately turn off real time monitoring as it is a headache lol
Yeah sorry. Makes sense. I won't do it.
Anyways thanks for the heads up man. Really appreciate it.
Yo, what to do if someone changed the way for the RCE?
Reset the network?
seems I'm alone 😛
You can add a reset vote every hour.
cool, thanks
Can anyone help me with the ntlm relay section? My ntlmrelayx.py is not receiving any smb connections. I have tried to replicate the steps numerous times but no luck. I even downgraded impacket to 0.9.19 using pimpmykali, but still no luck. Any help would be greatly appreciated.
same here
Use proxychains along with ntlmrelayx.py
Hey everyone
Idk why my proxychains isn't working
It's showing connected but whenever I try to run nmap or check if the machine is accessible or not it shows host seems down
Yeah that i know but simple nmap scan also not working
https://nmap.org/book/man-host-discovery.html this will be useful
Its probably dumb question to ask but
Why do we bypass AMSI rather than just connecting with RDP and turning off Windows Defender?
Nope
Oh got it
So in oscp we need to bypass that too?
IIRC OSCP AV Evasion is very simple in comparison
Is it necessary to learn c2 framework for oscp ad
nope. i did the ad part completely without any c2 framework.
The AD which is there in Holo and the AD that comes in the OSCP exam, as compared to Holo, is it difficult?
i'd say, that in my case, the ad in holo asks more of you than the ad in the oscp. i found the oscp ad part easier but that's just me and it's different for everyone
No, that's probably what all are saying, that the Holo AD part is overkill for OSCP
aaaand rooted! fun network, i definitely learned a lot from this room
any idea how to bypass the amsi and do a reverse shell to windows with ip address x.x.x.31? I'm following the steps of tryhackme but it doesn't work
Is the HTTP server on L-SRV01 down?
Can someone please hit the reset? Been waiting for quite a while...
Remember there are several instances of the network.
If you're asking for a reset, you need to say what instance you're on.
Anybody faced the port forwarding issue in task 47? I have set up everything as expected (turned off services on PC-FILESRV01, checked that 445 was closed, started ntlmrelay.py-0.9.22 prior to executing portfwd, netstat shows that port 445 is owned by my payload on PC-FILESRV01, on kali port 445 is owned by ntlmrelayx.py and I use sshuttle) and I cannot get SMB traffic redirected to ntlmrelayx. PC-FILESRV01 receives connections from S-SRV02 (confirmed by wireshark) but they are not routed to port 445 opened on kali by ntlmrelayx.py. I even managed to reset the network but it did not help. Anybody faced such an issue? It seems to be related to MSF.
Can anyone help, I got SYSTEM on PC-FILESERVER01 but I made a huge mistake while doing task 47, I sent the shutdown /r command in meterpreter instead of reboot. I can't wait for 4 hrs to reset the network, every once in an hour. My network is 10.200.95.33 [DC-SRV01]
shutdown /r reboots your system only. It does not power it off.
I guess in meterpreter if we write shutdown /r it sends the shutdown command only, I googled and found that we need to type reboot in meterpreter for rebooting
I see. I did not know that.
Can anyone help in the last task, got system, did port forwarding, no traffic coming in to my ntlmrelayx.py
I have the same problem.
Anyone not able to reach the Holo boxes?
Yeah, realised this soon after asking lol
Been working on Holo throughout the day and I didn't notice the timer run out, since starting it back up again, I've not been able to do anything, can't load a page, ping...nothing
similar problem here, after switching off smb on the fileserver, I am unable to reconnect to it....(xfreerdp/kali) ... 😕
hey, what knowledge do i need to have in order to start with holo?
or is there any recommended rooms that i should complete before?
I'd do wreath first at the very least
Is the x in 10.200.x.0/24 a typo or intended?
Each instance of the network has a different value there
Will it be same as dc in the picture above (room)
Hello everyone, I am having trouble reaching the network, it shows that it's started but I launched the nmap scan and I got nothing
Anyone doing holo here
Pls let me know if you are able to login as it seems broken now
Can anyone please help me to reset? Only one vote required.
It seems the network is broken.
Remember there are many many instances, specify which one that you are on when asking for a reset
You can add a vote to reset every hour
The network crashed again for me, I need 4 more people to vote on the reset
or you can vote on the reset multiple times with the time delay between each vote
I didnt know that was a possibility, I will do that tomorrow. Thanks for the info
Gave +1 Rep to @iron galleon
Same here my network crashed , mistakenly closed the reverse shell terminal😩
anyone in 111 need 2 more votes
Also voted for reset. Only one vote needed to reset.
just so you know there are multiple holo subnets which could need resets
a quick question, I'm on the dll hijacking task, and I've done everything accordingly, but scheduled tasks are not showing the particular application which we are looking to hijack. Been running the listener for 5 mins now but no connection yet. Any suggestions? I looked over the internet but I wanna know what I'm doing wrong since I followed the path from THM only
Hello, at the moment, I can ping the linux web server but I can't access the admin.holo.live dashboard. This happens to me multiple times, and I always have to wait for the network to stop (due to inactivity)
This is really annoying, I have been stuck at the same step for two days now for this exact reason
Same here, its been 2 days
I had gained initial foothold and now the port is closed -,-
Welcome to the team. I had same issue and used other vulnerability to get NT AUTHORITY\SYSTEM.
so were you able to do anything related to NTLM relay??? or am I the only one banging my head on that topic, coz I did go through other things but neither port forwarding nor the hijacking thing worked for me
Is someone bruteforcing the webserver? If so could you decrease the threads?
10.200.95.33
Landing page is working fine, but authenticated resources like /dashboard.php are not working
It did not work for me at all.
same for me. The scheduled task mentioned in the task description simply does not exist 😄 even after resetting the network. But, fortunately, there is another way to elevate privileges
I lost access to public IP 10.200.95.33, how can I execute shell again and try lateral movement and breakout?
nmap -sn 10.200.0.0/16 --min-rate 2000
Nmap done: 65536 IP addresses (0 hosts up) scanned in 139.66 seconds
Regened ovpn config -,-
nvm fixed for now
Hi can't login in the dashboard anymore, anyone else with the same problem?
hello fellow hackers
anyone has trouble pivoting through the network
I mainly use sshuttle for pivoting
tried different commands with different parameters but still can't reach the internal network
Ok chisel doesn't do either
really great room ,i have learnt a lot of new things
really grateful guys ❤️
can we still submit our reports for it ?
how do i install chisel on the target machine?
I'm pretty sure you don't install chisel. You compile it (on your attack machine) and then ship the binary there. You can then execute it on the target machine.
Ok thanks
My pings and nmap scans are getting rejected when I try to recon the network
OVPN is connected
!vpnscript
just to be sure it is not the vpn being the problem
Are you a free user?
Holo is a sub only room (unless it's changed) and has its own VPN script to download.
I'm a sub. Trying to connect from my OSX, I'll try the script on my kali machine later
I had the same issue earlier.
I didn’t. I re-downloaded the vpn a few times and that didn’t fix it
Is anyone here to help with HOLO NTLM Relay?
I disabled netlogon on 10.200.XXX.35 and restarted.
but now I cannot login or RDP to this machine.
Any idea on this step please?
I have the same issue as @woven quiver , machines seem to be down, (I moved to another room, so its not the vpn)
Thanks for your answer.... you are absolutely right ! Sorry for the inconvenience
Gave +1 Rep to @unreal hemlock
It worked yesterday so I’d guess the machines were down for when I tried
It's been half an hour
I have a Q about holo. Is there a dns server i should be pointing at so I can resolve www.holo.live?
Your hosts file
ok cool thats what i was thinking, just wanted to confirm I was supposed to use some other dns. thanks!
or is not something actively being looked at?
Unable to root the DC or even attempt to due to some sort of issue with how the environment is setup. I believe it's a DNS issue. Was the DC purposely configured to prevent exploits such as Sam the admin or ADCS?
If the purpose of this room was for pivoting then someone should have a closer look at how the ntlm relay attack is working. Disabling lan man services on PC FileSVR breaks any means of getting a call back if you don't lay down some sort of startup persistence to call back once you reboot.
Even using KrbRelayUp with valid low priv user account doesn't work. Literally nothing works when trying to root or even gain a shell on the DC.
Is it me or why can't I fuzz for different vhosts when I try to fuzz holo.live?
tried both gobuster and wfuzz
I tried guessing admin and dev and they were both correct
why didn't the fuzzers find them?
anyone else having problems accessing the webserver on the .107 subnet?
In the final tasks, is the ntlm relay working, (10.200.107.30) I think I've got the setup right but can't receive anything with ntlmrelayx
Yeh, they say to use sshuttle as it's more stable or something and I've used it but still nothing
I think, I've read in here that the ntlm relay was broken but wanted to confirm if others could get it to work
oh noes not broken network stuffs.... as shadow wants to do this eventually
Well, it's hellish to setup correctly then if it's working
is there any way the L-SRV01 machine can be rebooted? ... the admin panel isn't working for me ... it's stuck here with no response
if you specify the domain ip, people could vote for resets :)
10.200.155.33 ... already 4/5 requesting reset ... we only need one lol
it is time to shine chosen one
It’s doing the same for me now
I was signed into it earlier and now when I login it just spins
10.200.110.30
I’ve even rebooted my machine just to make sure. Admin page loads but won’t let you login
2 more resets needed unless an admin or someone can go ahead and reboot L-SRV01
you can vote for more resets every half an hour or so
I think it's every hour. I've done 2 of the 3….
i.e. if shadow recalls correctly you yourself can reset the network given enough time
ah okay
Wish there was a better way of catching these machines freezing
Sucks having to wait
1 more!!!
I do have a question about task 13. I saw the rce in the source code first but when testing with wfuzz it won't find it and I think it's because to get to dashboard.php you need to be signed into the admin panel.
