TryHack3M: Bricks Heist
Crack the code, command the exploit! Dive into the heart of the system with just an RCE CVE as your key.
Initial Reconnaissance
Service Scanning
$ sudo nmap -sV -sC -vv bricks.thm
22/tcp open ssh syn-ack ttl 60 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 32:f1:8b:cf:9c:0c:8d:7f:9a:6a:d4:74:c1:6e:5b:86 (RSA)
| 256 40:3e:52:48:aa:8e:48:87:35:06:ca:cf:53:61:1c:3a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC5SDEMQbv+jaWJ+5LlGedZOAhhuIB7VmJACDgNOdzsHrQiylYgp6G4rFJ+Jn4URnvsf67JIYQ5YN95h+Dl8M0E=
| 256 8a:7e:18:19:30:fd:3a:96:14:bb:69:a5:69:29:26:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMH63NzeHB/TqloQ5bV586YqZ6WtGKDYUDtQ15zqdcpM
80/tcp open http syn-ack ttl 60 Python http.server 3.5 - 3.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
443/tcp open ssl/http syn-ack ttl 60 Apache httpd
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-04-02T11:59:14
| Not valid after: 2025-04-02T11:59:14
| MD5: f1df:99bc:d5ab:5a5a:5709:5099:4add:a385
| SHA-1: 1f26:54bb:e2c5:b4a1:1f62:5ea0:af00:0261:35da:23c3
|_http-title: Brick by Brick
|_http-generator: WordPress 6.5
|_http-favicon: Unknown favicon MD5: 000BF649CC8F6BF27CFB04D1BCDCD3C7
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
| tls-alpn:
| h2
|_ http/1.1
3306/tcp open mysql syn-ack ttl 60 MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The Nmap scan shows the ports that matter: port 22 runs SSH, and its version banner indicates the operating system is Ubuntu. Port 443 runs Apache HTTPD over SSL; the returned headers reveal that the server runs WordPress 6.5, and the /wp-admin/ directory is listed as a disallowed entry in robots.txt.
Port 80 responds with an error, and port 3306 runs MySQL but reports “unauthorized”, meaning it cannot be accessed directly from a remote host without credentials.
HTTPS 443
Directory Enumeration
We use gobuster to scan for hidden directories and files on this web server:
$ gobuster dir -u https://bricks.thm -w /usr/share/wordlists/dirb/common.txt -t 32 -k -b 404,405,403
...
/admin (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
/atom (Status: 301) [Size: 0] [--> https://bricks.thm/feed/atom/]
/b (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/B (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/br (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/dashboard (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
/embed (Status: 301) [Size: 0] [--> https://bricks.thm/embed/]
/favicon.ico (Status: 302) [Size: 0] [--> https://bricks.thm/wp-includes/images/w-logo-blue-white-bg.png]
/feed (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/index.php (Status: 301) [Size: 0] [--> https://bricks.thm/]
/login (Status: 302) [Size: 0] [--> https://bricks.thm/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> https://bricks.thm/]
/phpmyadmin (Status: 301) [Size: 238] [--> https://bricks.thm/phpmyadmin/]
/rdf (Status: 301) [Size: 0] [--> https://bricks.thm/feed/rdf/]
/robots.txt (Status: 200) [Size: 67]
/rss (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/sa (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/sample (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/sam (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/s (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/rss2 (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/S (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/wp-admin (Status: 301) [Size: 236] [--> https://bricks.thm/wp-admin/]
/wp-content (Status: 301) [Size: 238] [--> https://bricks.thm/wp-content/]
/wp-includes (Status: 301) [Size: 239] [--> https://bricks.thm/wp-includes/]
WordPress Enumeration
Since the website runs WordPress, we can use WPScan to enumerate it:
Interesting Finding(s):
[+] Headers
| Interesting Entry: server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: https://bricks.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://bricks.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://bricks.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://bricks.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.5 identified (Insecure, released on 2024-04-02).
| Found By: Rss Generator (Passive Detection)
| - https://bricks.thm/feed/, <generator>https://wordpress.org/?v=6.5</generator>
| - https://bricks.thm/comments/feed/, <generator>https://wordpress.org/?v=6.5</generator>
[+] WordPress theme in use: bricks
| Location: https://bricks.thm/wp-content/themes/bricks/
| Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
| Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
| Style Name: Bricks
| Style URI: https://bricksbuilder.io/
| Description: Visual website builder for WordPress....
| Author: Bricks
| Author URI: https://bricksbuilder.io/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.9.5 (80% confidence)
| Found By: Style (Passive Detection)
| - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:48 <=================================================================> (652 / 652) 100.00% Time: 00:00:48
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:05 <========================================================================> (75 / 75) 100.00% Time: 00:00:05
[i] No DB Exports Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <===================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] administrator
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - https://bricks.thm/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
The results show that the theme in use is Bricks version 1.9.5 and that there is only one user, administrator.
Shell as apache
A quick Google search shows that the Bricks theme is affected by an unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2024-25600.

Running the exploit, we gain access to the system as the apache user.
Hidden .txt File
In the current directory there is a .txt file whose name looks like a hash string; it contains the flag we are looking for.

Suspicious Process
Next, we use systemctl to grep the running services and find an interesting one named TRYHACK3M.
systemctl | grep running
Checking the details with systemctl status, we see a suspicious binary named nm-inet-dialog located in /lib/NetworkManager/.
systemctl status ubuntu.service
Miner’s Log File
Moving to /lib/NetworkManager/, we find a hex-encoded ID in the file inet.conf.

5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
Decode the ID:

bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
OSINT
Bitcoin Wallet
Decoding this ID in CyberChef shows that it is actually two Bitcoin wallet addresses concatenated together. However, only the first wallet actually exists.
bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
bc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
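The three decoding layers (hex, then base64 twice) plus a validity check on each recovered string, written as an added example for this writeup rather than code from the room; `check_p2w_address` is a from-scratch implementation of the BIP173 bech32 rules and shows why the second string is malformed (its 33 data characters do not pack into a 20-byte witness program), and `ENCODED_ID` is the hex from inet.conf above.

```python
import base64
import re

# Hex ID found in inet.conf, copied verbatim from the writeup above.
ENCODED_ID = (
    "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c7055"
    "5a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a62553134"
    "59316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959"
    "556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d"
)
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP173)
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def decode_id(hex_id):
    """Peel the three layers the page walks through: hex -> base64 -> base64."""
    layer1 = bytes.fromhex(hex_id)                    # hex text -> base64 text
    layer2 = base64.b64decode(layer1, validate=True)  # base64 text -> base64 text
    return base64.b64decode(layer2, validate=True).decode("ascii")

def split_addresses(blob):
    """'b' is not a bech32 data character, so every 'bc1q' starts a new address."""
    return re.findall(r"bc1q[" + CHARSET + "]+", blob)

def bech32_polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def check_p2w_address(addr):
    """Structural and checksum validation of a mainnet witness-v0 address (BIP173)."""
    hrp, _, data = addr.partition("1")
    if hrp != "bc" or len(data) < 7 or any(c not in CHARSET for c in data):
        return False, "bad hrp, length or charset"
    vals = [CHARSET.index(c) for c in data]
    acc, bits, program = 0, 0, bytearray()
    for v in vals[1:-6]:                              # skip version char and 6-char checksum
        acc, bits = (acc << 5) | v, bits + 5
        while bits >= 8:                              # regroup 5-bit symbols into bytes
            bits -= 8
            program.append((acc >> bits) & 0xFF)
    if vals[0] != 0 or bits >= 5 or acc & ((1 << bits) - 1) or len(program) not in (20, 32):
        return False, "witness program does not pack into 20 or 32 bytes"
    hrp_expand = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if bech32_polymod(hrp_expand + vals) != 1:
        return False, "checksum mismatch"
    return True, "valid P2WPKH" if len(program) == 20 else "valid P2WSH"
```

Feed each result of `split_addresses(decode_id(ENCODED_ID))` to `check_p2w_address` to see which of the two strings is a well-formed address before spending time on blockchain lookups.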
Looking closely at the first transaction, we find that it moved a very large amount of coin.

Threat Group
A quick Google search leads us to an article about designations related to cyber attacks.


There, we click the Release Link entry and learn that the threat group behind this is LockBit.
