Wreath is a network on TryHackMe. The network contains one public facing web server and two other clients inside the internal network. The goal was to perform a penetration test against this network and write a report. Initial foothold inside the network was done by exploiting a vulnerable Webmin version. After that the attacker could pivot to another server, that was running a vulnerable version of GitStack. From there the developer machine could be compromised by exploiting a unrestricted file upload vulnerability. On the developer machine, the privilege escalation to SYSTEM has been done by abusing an unquoted service path.
As described earlier the last challenge was to write a penetration test report. Medium does not allow it to upload PDF files, so you can download the final report from my Dropbox.
Out of the blue, an old friend from university: Thomas Wreath, calls you after several years of no contact. You spend a few minutes catching up before he reveals the real reason he called:
“So I heard you got into hacking? That’s awesome! I have a few servers set up on my home network for my projects, I was wondering if you might like to assess them?”
You take a moment to think about it, before deciding to accept the job — it’s for a friend after all.
Turning down his offer of payment, you tell him: I’ll do it!
Thomas has sent over the following information about the network:
There are two machines on my home network that host projects and stuff I’m working on in my own time — one of them has a webserver that’s port forwarded, so that’s your way in if you can find a vulnerability! It’s serving a website that’s pushed to my git server from my own PC for version control, then cloned to the public facing server. See if you can get into these! My own PC is also on that network, but I doubt you’ll be able to get into that as it has protections turned on, doesn’t run anything vulnerable, and can’t be accessed by the public-facing section of the network. Well, I say PC — it’s technically a repurposed server because I had a spare license lying around, but same difference.
The Penetration Test report: https://www.dropbox.com/s/d4x2sdu92xn5vr7/Wreath-PenetrationTestReport.pdf?dl=0