June 3, 2026
How I Pivoted Through a Three-Machine Network on TryHackMe: A Wreath Walkthrough
Soumyadipta Birabar
Wreath is not a room. It's a network. Three machines, each isolated from the other, and your job is to get through all of them using only what you can find and what you can build. No hand-holding after the first few tasks. That's what drew me to it.
I had the basics down before starting: Nmap, basic Linux, some CTF experience. But Wreath exposed every gap in my methodology. This is a walkthrough of how I actually did it, including where I got stuck and what it taught me.
The Setup
You're given a scenario: Thomas Wreath runs a small internal network. There's a public-facing Linux web server, an internal Windows Git server only reachable through the first machine, and Thomas's personal Windows PC that can only be reached through the Git server. You can't touch the PC without owning the first two. That constraint is the entire point of the room.
Machine 1: The Web Server (Linux)
First thing I always do is Nmap. I scanned the first 15,000 ports with service detection:
nmap -T4 -p 1-15000 -sV -sC 10.200.x.200
Four ports came back open: 22 (SSH), 80 and 443 (Apache on CentOS), and port 10000 running MiniServ 1.890, which is Webmin. That last one caught my eye immediately. Old version of Webmin on a public server is almost always bad news for the defender.
A quick search confirmed it: CVE-2019-15107, an unauthenticated remote code execution vulnerability in Webmin versions up to 1.920. The vulnerability exists in password_change.cgi, where the old parameter is passed directly into a shell command without sanitization. No authentication needed. That's as critical as it gets.
I cloned the public exploit, set up a netcat listener, and ran it:
git clone https://github.com/MuirlandOracle/CVE-2019-15107
./CVE-2019-15107.py 10.200.x.200
I had a root shell. First thing I did was grab the SSH private key from /root/.ssh/id_rsa, copy it to my machine, chmod 600, and establish a proper SSH session. A stable shell beats a fragile reverse shell every time, and this is something that matters a lot in real engagements too.
Pivoting to the Git Server
Now comes the part most CTF players haven't practiced: you have a root shell on Machine 1, but the Git server is on an internal subnet. Your attack machine can't reach it directly.
I used sshuttle to route my traffic through the compromised web server into the internal network:
sshuttle -r root@10.200.x.200 --ssh-cmd "ssh -i id_rsa" 10.200.x.0/24 -x 10.200.x.200
sshuttle essentially creates a transparent VPN over SSH. Once it was running, I could hit the internal subnet directly from my browser and tools as if I were sitting on the network. I then transferred a static Nmap binary to the web server and ran an internal sweep to discover the two remaining hosts: the Git server and Thomas's PC.
Machine 2: The Git Server (Windows)
The Git server was running GitStack 2.3.10 on port 80, only accessible from inside the network. GitStack at that version is vulnerable to CVE-2018-5955, which allows unauthenticated RCE via a malicious API request.
The exploit created a new admin user on the machine. I used Evil-WinRM to log in and grab the files I needed. Inside the GitStack directory, I found the repository for Thomas's website: Website.git. I downloaded the entire folder using Evil-WinRM's download command, extracted the commit history using GitTools, and analyzed the PHP source code commit by commit.
The most recent commit contained an image upload feature. Looking at the filter logic, it was only checking the file extension, not the MIME type or actual file contents. That's the kind of mistake developers make constantly, and it's exactly the kind of thing a code review in a real audit would catch.
Machine 3: Thomas's PC (Windows, with AV)
To reach the PC from the Git server, I needed a second pivot. sshuttle alone can't chain like that, so I used chisel, a TCP tunnel tool that runs as a client-server pair.
I uploaded the Windows chisel binary to the Git server via Evil-WinRM, opened the Windows firewall to allow the port, ran chisel in server mode on the Git server, and connected from my attack machine as the client. This gave me a SOCKS proxy through both machines, which I routed through FoxyProxy in Firefox to browse the PC's web server.
The site running on Thomas's PC was a dev version of the production website. Same upload feature, but this time with antivirus running. Uploading a raw PHP webshell triggered the AV immediately.
The workaround: I embedded a PHP webshell into the EXIF metadata of a legitimate .jpg file using ExifTool. The file looked like a valid image to the AV scanner. The server executed it as PHP because the upload filter only checked the extension, not the content. The reverse shell came back clean.
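The defensive counterpart to the extension-only filter and the metadata trick described above, as an added example that is not code from the room or from this walkthrough: the upload handler parses the JPEG segment structure, drops every metadata segment (EXIF, XMP, comments) and anything after the end-of-image marker, and stores the result under a server-chosen name. The function names and the sample bytes are constructed for illustration.

```python
import secrets

DROP = set(range(0xE1, 0xF0)) | {0xFE}   # APP1..APP15 (EXIF, XMP, ...) and COM

def end_of_scan(data: bytes, pos: int) -> int:
    """Offset of the first real marker after the entropy-coded scan data."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            raise ValueError("truncated scan data")
        nxt = data[pos + 1]
        if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1 if nxt == 0xFF else 2    # fill byte / stuffed byte or restart

def sanitize_jpeg(data: bytes) -> bytes:
    """Validate JPEG segment structure; return a copy without metadata segments."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("missing SOI marker: not a JPEG")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI: trailing bytes are discarded
            return bytes(out) + b"\xff\xd9"
        end = pos + 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if end < pos + 4 or end > len(data):
            raise ValueError("segment length out of bounds")
        if marker == 0xDA:                # SOS: header followed by scan data
            end = end_of_scan(data, end)
        if marker not in DROP:
            out += data[pos:end]
        pos = end
    raise ValueError("missing EOI marker")

def store_upload(client_name: str, data: bytes) -> tuple[str, bytes]:
    """Return (server-chosen name, cleaned bytes); the client name is never reused."""
    if not client_name.lower().endswith((".jpg", ".jpeg")):
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ".jpg", sanitize_jpeg(data)

def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: JFIF header, EXIF segment carrying script text, one scan, trailing junk
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00") + seg(0xE1, b"Exif\x00\x00<?php /* constructed */ ?>")
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd9" + b"TRAILING")
```

Stripping metadata is one layer only; the upload directory should also be served with script execution disabled, and re-encoding the pixels with an image library is stricter than segment filtering.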
Privilege escalation on the PC came through an unquoted service path vulnerability. When a Windows service executable path contains spaces and isn't wrapped in quotes, Windows will try to run executables at each space-separated segment of the path. I compiled a small C program that spawned a system shell and placed it at the unquoted path location. When the service restarted, I got a SYSTEM shell.
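An audit for the unquoted service path condition described above, written as an added example and not taken from the room or this walkthrough: given service ImagePath values, it flags unquoted paths containing spaces, lists the parent directories whose write permissions need review, and produces the quoted value to set instead. The service names and paths are constructed sample data.

```python
import re

def split_image_path(image_path: str) -> tuple[str, str, bool]:
    """Return (executable path, arguments, was_quoted) for an ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        exe, _, rest = s[1:].partition('"')
        return exe, rest.strip(), True
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    if not m:                      # drivers and other non-.exe entries
        return s, "", False
    return s[:m.end()], s[m.end():].strip(), False

def ambiguous_candidates(exe: str) -> list[str]:
    """Paths Windows tries before the intended one when exe is unquoted."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services: dict[str, str]) -> dict[str, dict]:
    """Map each affected service to the directories to review and the fixed value."""
    findings = {}
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in exe:
            continue
        dirs = {c.rsplit("\\", 1)[0] + "\\" for c in ambiguous_candidates(exe)}
        findings[name] = {
            "review_dirs": sorted(dirs),   # must not be writable by non-admins
            "fixed": f'"{exe}"' + (f" {args}" if args else ""),
        }
    return findings

# Constructed sample data (hypothetical services, not from the Wreath network)
SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater Service\updater.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Quoted App\svc.exe" --service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, finding in audit(SERVICES).items():
        print(svc, finding["fixed"], finding["review_dirs"])
```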
What This Room Actually Teaches
The technical skills are real: pivoting with sshuttle and chisel, exploiting known CVEs, analyzing source code for filter bypass logic, AV evasion via metadata injection, and privilege escalation through misconfigured services.
But the bigger lesson is methodology. Each machine was only reachable because of what you found on the previous one. Lose your notes, miss a credential, skip reading the source code properly, and you're stuck. Wreath taught me to treat a pentest like a chain, not a checklist.
If you're preparing for OSCP or just want to understand what network pivoting actually looks like in practice, this is the room. It's long. It's frustrating in the right places. Do it.