How I Pivoted Through TryHackMe's Wreath Network

In this post, I detail how I used existing utilities on the target hosts on the Wreath network to live off the land and pivot between hosts.

6 months ago   •   2 min read

By 0xBEN
Table of contents

As I continue to prepare for the OSCP, and continue to look for ways to improve my pivoting and network pentesting skills, I approached the Wreath network with two things in mind:

  • Try to use as little tooling and automation as possible and force myself to think outside the box
  • Try to "live off the land" and use only binaries on the host that are at my disposal and avoid transferring tools to any extent possible

Keeping Details Brief

This is not a full write-up of the Wreath network, just a summary of the targets and the steps I took to pivot through the network.


A Linux host running a vulnerable web server. Once the vulnerability is identified, it's incredibly trivial to get a reverse shell. Once obtained, you can find an SSH key to maintain persistence. This is the SSH key I use to create SSH forward and reverse proxies.


The next target on the network. To reach this host, I'll need to "jump" through I create a forward proxy from Kali using SSH.

ssh -i id_rsa -fND 50001 root@

Now, I can reach through is a Windows Server box running a vulnerable webserver with an unauthenticated RCE bug. I know that can talk to, so I transfer a bind shell payload to the target and connect to it.

Now, that I have a shell, I add a user account for persistence and RDP to the host.

3. Create a Reverse Proxy via

I used this command to RDP to

xfreerdp /proxy:socks5:// /u:tempuser /p:T3mp_Adm1n! /v: /drive:.,kali-share +clipboard
  • Connect via my original SOCKS proxy
  • Map a local directory as a UNC share on the target

With the share mapped to the target, I can put files in the local folder and they can be easily transferred to the target. I transfer the SSH key to the target and create a SSH reverse proxy.

ssh -i id_rsa -fNR 50002 root@

Now from Kali, I can proxy through to reach


Access to allows us to do static code analysis on the development server running on We find a file upload vulnerability and create a web pseudo-shell. can call back to Kali, so we can easily transfer files to this target using the pseudo-shell. I run a Python web server and transfer a statically compiled version nc.exe.

I start a listener on Kali and use the pseudo-shell to connect back to my listener and get a foothold on the target and escalate privileges.

Spread the word

Keep reading