How I Pivoted Through TryHackMe's Wreath Network

In this post, I detail how I used existing utilities on the target hosts on the Wreath network to live off the land and pivot between hosts.

As I continue to prepare for the OSCP, and continue to look for ways to improve my pivoting and network pentesting skills, I approached the Wreath network with two things in mind:

  • Try to use as little tooling and automation as possible and force myself to think outside the box
  • Try to "live off the land": use only the binaries already available on the host and avoid transferring tools to the extent possible





Keeping Details Brief

This is not a full write-up of the Wreath network, just a summary of the targets and the steps I took to pivot through the network.

1. 10.200.96.200

A Linux host running a vulnerable web server. Once the vulnerability is identified, it's incredibly trivial to get a reverse shell. Once obtained, you can find an SSH key to maintain persistence. This is the SSH key I use to create SSH forward and reverse proxies.





2. 10.200.96.150

The next target on the network. To reach this host, I'll need to "jump" through 10.200.96.200. I create a forward proxy from Kali using SSH.

ssh -i id_rsa -fND 50001 root@10.200.96.200

Now, I can reach 10.200.96.150 through 127.0.0.1:50001.

10.200.96.150 is a Windows Server box running a vulnerable webserver with an unauthenticated RCE bug. I know that 10.200.96.150 can talk to 10.200.96.200, so I transfer a bind shell payload to the target and connect to it.

Now that I have a shell, I add a user account for persistence and RDP to the host.





3. Create a Reverse Proxy via 10.200.96.200

I used this command to RDP to 10.200.96.150:

xfreerdp /proxy:socks5://127.0.0.1:50001 /u:tempuser /p:T3mp_Adm1n! /v:10.200.96.150 /drive:.,kali-share +clipboard
  • Connect via my original SOCKS proxy
  • Map a local directory as a UNC share on the target

With the share mapped to the target, any file I put in the local folder can be easily transferred to the target. I transfer the SSH key to the target and create an SSH reverse proxy.

ssh -i id_rsa -fNR 50002 root@10.200.96.200

Now from Kali, I can proxy through 10.200.96.200:50002 to reach 10.200.96.100.
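
Seen from the defending side, the reverse proxy above leaves a listening socket on 10.200.96.200 that is owned by sshd but is not the login port. The following Python is an added example, not part of the original post: it parses `ss -ltnp` output and reports such listeners. The sample output is constructed, and the function name and the assumption that sshd should only listen on port 22 belong to this example.

```python
import re

# Constructed `ss -ltnp` output for a pivot host; not captured from the page's lab.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=640,fd=6))
LISTEN 0      128        127.0.0.1:50002      0.0.0.0:*     users:(("sshd",pid=2291,fd=9))
LISTEN 0      128            [::1]:50002         [::]:*     users:(("sshd",pid=2291,fd=8))
"""

EXPECTED_SSHD_PORTS = {22}          # assumption: sshd should only accept logins on 22
LOOPBACK = {"127.0.0.1", "[::1]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')   # matches ("name",pid=N inside users:(...)


def find_sshd_forward_listeners(ss_output, expected_ports=EXPECTED_SSHD_PORTS):
    """Return sorted (port, pid, scope) tuples for sshd listeners on unexpected ports."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue                                  # header, blank or non-listening row
        addr, _, port = fields[3].rpartition(":")     # rpartition copes with [::1]:50002
        if not port.isdigit() or int(port) in expected_ports:
            continue
        # Loopback-only vs. reachable from the network (depends on sshd's GatewayPorts).
        scope = "loopback" if addr in LOOPBACK else "network"
        for name, pid in PROC_RE.findall(" ".join(fields[5:])):
            if name == "sshd":
                findings.add((int(port), int(pid), scope))  # set dedups IPv4/IPv6 pairs
    return sorted(findings)


if __name__ == "__main__":
    for port, pid, scope in find_sshd_forward_listeners(SAMPLE_SS):
        print(f"sshd pid {pid} is listening on port {port} ({scope}): possible ssh -R forward")
```

On a real host, feed it `ss -ltnp` output collected as root so the process column is populated for every socket.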





4. 10.200.96.100

Access to 10.200.96.150 allows us to do static code analysis on the development server running on 10.200.96.100. We find a file upload vulnerability and create a web pseudo-shell.

10.200.96.100 can call back to Kali, so we can easily transfer files to this target using the pseudo-shell. I run a Python web server and transfer a statically compiled version of nc.exe.

I start a listener on Kali and use the pseudo-shell to connect back to my listener and get a foothold on the target and escalate privileges.
